Skip to main content

Error Guides

Updated Mar 11, 2022 ·

Error: Cannot connect to the Docker daemon

In case you encounter this message when you test Docker for the first time:

docker: Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?

To resolve this, start the docker service and docker daemon,

sudo systemctl start docker
sudo systemctl enable docker
sudo systemctl status docker
sudo dockerd

You can checkout this Stackoverflow discussion to know more.

Error: Cannot View Kubernetes Nodes

You might get the following error when checking the EKS cluster through the AWS Console.

Your current user or role does not have access to Kubernetes objects on this EKS cluster

Cause

You might be using two different IAM user accounts:

  • IAM-user1 - you originally use this to log-in to the AWS Management Console
  • IAM-user2 - this is the new user you created and generated the access key

In the terminal, you set up the CLI access to connect to your AWS resources by editing the credentials file.

vim ~/.aws/credentials

Check the identity.

aws sts get-caller-identity

If the user returned is the same as the user currently logged-in the AWS Management Console, then you shouldn't have any issue.

If they're different users, then that means the user in the CLI (this is the user you used to create the EKS cluster) has different permissions from the user logged in the console.

Solution 1

Before anything else, run the command below to make sure you are connected to the correct EKS cluster (if you have multiple clusters). The cluster with the '*' under the CURRENT column is the cluster that you are currently accessing.

$ kubectl config get-contexts

CURRENT   NAME                                                  CLUSTER                                     AUTHINFO                                              NAMESPACE
*         k8s-admin@eksops-managed.ap-southeast-1.eksctl.io     eksops-managed.ap-southeast-1.eksctl.io     k8s-admin@eksops-managed.ap-southeast-1.eksctl.io
          k8s-admin@eksops-unmanaged.ap-southeast-1.eksctl.io   eksops-unmanaged.ap-southeast-1.eksctl.io   k8s-admin@eksops-unmanaged.ap-southeast-1.eksctl.io

Edit the ConfigMap. Add the mapUsers block with your userarn.

kubectl edit configmap aws-auth -n kube-system 
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::12345678900:role/eksctl-exyz-managed-nodegroup-e-NodeInstanceRole-1OOHCL1LJM327
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::12345678900:user/johnsmith
      groups:
      - system:masters

Solution 2

You may try to log-in to the console using the same identity that you used in the CLI. If error still appeared, you may need to attach the inline policy to the group.

In the next page, choose the JSON tab and enter the following policy. Make sure to replace 111122223333 with your account ID.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:ListFargateProfiles",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:ListUpdates",
                "eks:AccessKubernetesApi",
                "eks:ListAddons",
                "eks:DescribeCluster",
                "eks:DescribeAddonVersions",
                "eks:ListClusters",
                "eks:ListIdentityProviderConfigs",
                "iam:ListRoles"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:*:111122223333:parameter/*"
        }
    ]
}

Click Review Policy, then in the next page, create a name for the policy. Click Create Policy.

Next, create a rolebinding. If you need to change the Kubernetes group name, namespace, permissions, or any other configuration in the file, then download the file and edit it before applying it to your cluster

curl -o eks-console-full-access.yaml https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-full-access.yaml
curl -o eks-console-restricted-access.yaml https://s3.us-west-2.amazonaws.com/amazon-eks/docs/eks-console-restricted-access.yaml

You can apply any of the two YAML files.

kubectl apply -f eks-console-full-access.yaml
kubectl apply -f eks-console-restricted-access.yaml

Next, map the IAM user or role to the Kubernetes user or group in the aws-auth ConfigMap using eksctl.

export MYCLUSTER=<put-name-of-the-cluster-here> 
export MYREGION=<put-region-code-here> 
export MYACCOUNTID=<put-account-id-here>
export MYUSER=<put-user-id-here>

View the current mappings.

eksctl get iamidentitymapping --cluster $MYCLUSTER --region=$MYREGION

Add a mapping for a role.

eksctl create iamidentitymapping \
    --cluster $MYCLUSTER \
    --region=$MYREGION \
    --arn arn:aws:iam::$MYACCOUNTID:role/my-console-viewer-role \
    --group eks-console-dashboard-full-access-group \
    --no-duplicate-arns

Add a mapping for a user.

eksctl create iamidentitymapping \
    --cluster $MYCLUSTER \
    --region=$MYREGION \
    --arn arn:aws:iam::$MYACCOUNTID:user/$MYUSER \
    --group eks-console-dashboard-restricted-access-group \
    --no-duplicate-arns

To learn more, check out these links: