Fhyujk

Can a person refuse a presidential pardon?

What is 6÷2×(1+2) =?

How to prevent users from executing commands through browser URL

Avoiding morning and evening handshakes

Injecting creativity into a cookbook

What's a good word to describe a public place that looks like it wouldn't be rough?

How to say "Brexit" in Latin?

If I delete my router's history can my ISP still provide it to my parents?

Can I write a book of my D&D game?

What are the differences between a+i and &a[i] for pointer arithmetic in C++?

How do you funnel food off a cutting board?

Am I a Rude Number?

Is a debit card dangerous in my situation?

How do Chazal know that the descendants of a Mamzer may never marry into the general populace?

How to avoid being sexist when trying to employ someone to function in a very sexist environment?

Can we use the stored gravitational potential energy of a building to produce power?

Which password policy is more secure: one password of length 9 vs. two passwords each of length 8?

Can a hotel cancel a confirmed reservation?

Why would the Pakistan airspace closure cancel flights not headed to Pakistan itself?

Why do stocks necessarily drop during a recession?

Why avoid shared user accounts?

Porting Linux to another platform requirements

Unable to list services in AWS EKS

How to prevent cleaner from hanging my lock screen in Ubuntu 16.04

Unable to list services in AWS EKS

How to “switch role” in aws-cli?Accessing kubernetes (hosted via google container engine) securely using kubectl from a remote serverissue in installing ambassador over kuberneteskubectl cannot authenticate with AWS EKSHorizontalPodAutoscaling on Amazon EKSKops / Kubernetes: No context set in kubecfg, name is requiredAWS could not get token: AccessDenied: User: ARN is not authorized to perform: sts:AssumeRole on resource: Role:ARNAmazon EKS: how to configure S3 access for worker nodes?Install and Set Up kubectl - KubernetesDeploying MongoDB in kubernetes does not create pods/services on DigitalOcean KubernetesContainer runtime/kubelet failures on EKS cluster nodes

3

1

I'm setting up my first Kubernetes EKS cluster by following the Getting Started guide but I can't get past the step that verifies access with kubectl get svc. Instead of the list of services I'm getting:

error: the server doesn't have a resource type "svc"

I've got the aws-iam-authenticator in place, I've got the correct access and secret key for a user that has AWS Admin privileges, I checked everything I could think of yet can't figure out what's causing the error.

amazon-web-services kubernetes containers

share|improve this question

edited 5 hours ago

MLu

8,58212142

asked 6 hours ago

KeepLearningKeepLearning

162

New contributor

KeepLearning is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  By any chance did you create the EKS cluster using cross-account role?
  
  – MLu
  4 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes I did. Does that make a difference?
  
  – KeepLearning
  4 hours ago
  

  
  
  
  

add a comment | 

3

1

I'm setting up my first Kubernetes EKS cluster by following the Getting Started guide but I can't get past the step that verifies access with kubectl get svc. Instead of the list of services I'm getting:

error: the server doesn't have a resource type "svc"

I've got the aws-iam-authenticator in place, I've got the correct access and secret key for a user that has AWS Admin privileges, I checked everything I could think of yet can't figure out what's causing the error.

amazon-web-services kubernetes containers

share|improve this question

edited 5 hours ago

MLu

8,58212142

asked 6 hours ago

KeepLearningKeepLearning

162

New contributor

KeepLearning is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  By any chance did you create the EKS cluster using cross-account role?
  
  – MLu
  4 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  Yes I did. Does that make a difference?
  
  – KeepLearning
  4 hours ago
  

  
  
  
  

add a comment | 

I'm setting up my first Kubernetes EKS cluster by following the Getting Started guide but I can't get past the step that verifies access with kubectl get svc. Instead of the list of services I'm getting:

error: the server doesn't have a resource type "svc"

I've got the aws-iam-authenticator in place, I've got the correct access and secret key for a user that has AWS Admin privileges, I checked everything I could think of yet can't figure out what's causing the error.

amazon-web-services kubernetes containers

share|improve this question

edited 5 hours ago

MLu

8,58212142

asked 6 hours ago

KeepLearningKeepLearning

162

New contributor

KeepLearning is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

error: the server doesn't have a resource type "svc"

share|improve this question

edited 5 hours ago

MLu

8,58212142

asked 6 hours ago

KeepLearningKeepLearning

162

New contributor

KeepLearning is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited 5 hours ago

MLu

8,58212142

asked 6 hours ago

KeepLearningKeepLearning

162

New contributor

KeepLearning is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

edited 5 hours ago

MLu

8,58212142

edited 5 hours ago

MLu

8,58212142

asked 6 hours ago

KeepLearningKeepLearning

162

New contributor

KeepLearning is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 6 hours ago

KeepLearningKeepLearning

162

1 Answer
1

active

oldest

votes

3

Make sure you use kubectl with the the exact same IAM User / Role that you used to create the EKS cluster? Only that IAM User / Role is given system:masters privilege in Kubernetes. If you use a different role you'll see this error, even if that other role has Administrator permissions in its IAM Policy.

---

For example if you created the EKS cluster while logged in with cross-account IAM Role and now you're trying to use it with a different IAM User it won't work.

You can add more IAM users to EKS later but for start you'll have to use the IAM role that created the cluster. For example if you log into some company-login account and the switch role to company-prod account with role Admin you'll have to update the kubeconfig accordingly:

users:

- name: arn:aws:eks:ap-southeast-2:{company-prod-id}:cluster/{cluster-name}

  user:

    exec:

      apiVersion: client.authentication.k8s.io/v1alpha1

      command: aws-iam-authenticator

      args:

      - token

      - -i

      - cluster-name

      - -r                                          <<< Add this

      - arn:aws:iam::{company-prod-id}:role/Admin   <<< And this

      env:

      - name: AWS_PROFILE

        value: company-login-profile                <<< Must be your login account

Alternatively you can create a cross-account profile for aws-cli as described here: How to “switch role” in aws-cli? In that case you won't need the -r arn:...:role/Admin in kubeconfig as it's already done in ~/.aws/credentials.

Once the role stuff is fixed you should be able to run kubectl get svc.

---

Once the above works you can Add more IAM Users and IAM Roles to EKS / Kubernetes. I suggest you create a dedicated role like, e.g. EKSAdmin and require your IAM users to assume that in order to manage the cluster.

Hope that helps :)

share|improve this answer

answered 4 hours ago

MLuMLu

8,58212142

add a comment | 

Your Answer

StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});

function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});


}
});

KeepLearning is a new contributor. Be nice, and check out our Code of Conduct.

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f956265%2funable-to-list-services-in-aws-eks%23new-answer', 'question_page');
}
);

Post as a guest

Name

Email

Required, but never shown

3

Make sure you use kubectl with the the exact same IAM User / Role that you used to create the EKS cluster? Only that IAM User / Role is given system:masters privilege in Kubernetes. If you use a different role you'll see this error, even if that other role has Administrator permissions in its IAM Policy.

---

For example if you created the EKS cluster while logged in with cross-account IAM Role and now you're trying to use it with a different IAM User it won't work.

You can add more IAM users to EKS later but for start you'll have to use the IAM role that created the cluster. For example if you log into some company-login account and the switch role to company-prod account with role Admin you'll have to update the kubeconfig accordingly:

users:

- name: arn:aws:eks:ap-southeast-2:{company-prod-id}:cluster/{cluster-name}

  user:

    exec:

      apiVersion: client.authentication.k8s.io/v1alpha1

      command: aws-iam-authenticator

      args:

      - token

      - -i

      - cluster-name

      - -r                                          <<< Add this

      - arn:aws:iam::{company-prod-id}:role/Admin   <<< And this

      env:

      - name: AWS_PROFILE

        value: company-login-profile                <<< Must be your login account

Alternatively you can create a cross-account profile for aws-cli as described here: How to “switch role” in aws-cli? In that case you won't need the -r arn:...:role/Admin in kubeconfig as it's already done in ~/.aws/credentials.

Once the role stuff is fixed you should be able to run kubectl get svc.

---

Once the above works you can Add more IAM Users and IAM Roles to EKS / Kubernetes. I suggest you create a dedicated role like, e.g. EKSAdmin and require your IAM users to assume that in order to manage the cluster.

Hope that helps :)

share|improve this answer

answered 4 hours ago

MLuMLu

8,58212142

add a comment | 

3

Make sure you use kubectl with the the exact same IAM User / Role that you used to create the EKS cluster? Only that IAM User / Role is given system:masters privilege in Kubernetes. If you use a different role you'll see this error, even if that other role has Administrator permissions in its IAM Policy.

---

For example if you created the EKS cluster while logged in with cross-account IAM Role and now you're trying to use it with a different IAM User it won't work.

You can add more IAM users to EKS later but for start you'll have to use the IAM role that created the cluster. For example if you log into some company-login account and the switch role to company-prod account with role Admin you'll have to update the kubeconfig accordingly:

users:

- name: arn:aws:eks:ap-southeast-2:{company-prod-id}:cluster/{cluster-name}

  user:

    exec:

      apiVersion: client.authentication.k8s.io/v1alpha1

      command: aws-iam-authenticator

      args:

      - token

      - -i

      - cluster-name

      - -r                                          <<< Add this

      - arn:aws:iam::{company-prod-id}:role/Admin   <<< And this

      env:

      - name: AWS_PROFILE

        value: company-login-profile                <<< Must be your login account

Alternatively you can create a cross-account profile for aws-cli as described here: How to “switch role” in aws-cli? In that case you won't need the -r arn:...:role/Admin in kubeconfig as it's already done in ~/.aws/credentials.

Once the role stuff is fixed you should be able to run kubectl get svc.

---

Once the above works you can Add more IAM Users and IAM Roles to EKS / Kubernetes. I suggest you create a dedicated role like, e.g. EKSAdmin and require your IAM users to assume that in order to manage the cluster.

Hope that helps :)

share|improve this answer

answered 4 hours ago

MLuMLu

8,58212142

add a comment | 

Make sure you use kubectl with the the exact same IAM User / Role that you used to create the EKS cluster? Only that IAM User / Role is given system:masters privilege in Kubernetes. If you use a different role you'll see this error, even if that other role has Administrator permissions in its IAM Policy.

---

For example if you created the EKS cluster while logged in with cross-account IAM Role and now you're trying to use it with a different IAM User it won't work.

You can add more IAM users to EKS later but for start you'll have to use the IAM role that created the cluster. For example if you log into some company-login account and the switch role to company-prod account with role Admin you'll have to update the kubeconfig accordingly:

users:

- name: arn:aws:eks:ap-southeast-2:{company-prod-id}:cluster/{cluster-name}

  user:

    exec:

      apiVersion: client.authentication.k8s.io/v1alpha1

      command: aws-iam-authenticator

      args:

      - token

      - -i

      - cluster-name

      - -r                                          <<< Add this

      - arn:aws:iam::{company-prod-id}:role/Admin   <<< And this

      env:

      - name: AWS_PROFILE

        value: company-login-profile                <<< Must be your login account

Alternatively you can create a cross-account profile for aws-cli as described here: How to “switch role” in aws-cli? In that case you won't need the -r arn:...:role/Admin in kubeconfig as it's already done in ~/.aws/credentials.

Once the role stuff is fixed you should be able to run kubectl get svc.

---

Once the above works you can Add more IAM Users and IAM Roles to EKS / Kubernetes. I suggest you create a dedicated role like, e.g. EKSAdmin and require your IAM users to assume that in order to manage the cluster.

Hope that helps :)

share|improve this answer

answered 4 hours ago

MLuMLu

8,58212142

users:

- name: arn:aws:eks:ap-southeast-2:{company-prod-id}:cluster/{cluster-name}

  user:

    exec:

      apiVersion: client.authentication.k8s.io/v1alpha1

      command: aws-iam-authenticator

      args:

      - token

      - -i

      - cluster-name

      - -r                                          <<< Add this

      - arn:aws:iam::{company-prod-id}:role/Admin   <<< And this

      env:

      - name: AWS_PROFILE

        value: company-login-profile                <<< Must be your login account

share|improve this answer

answered 4 hours ago

MLuMLu

8,58212142

answered 4 hours ago

MLuMLu

8,58212142

answered 4 hours ago

MLuMLu

8,58212142