By Liusheng
When you register an external Kubernetes cluster with ACK, the console reaches the cluster's resources through the stub<->agent link. Every operation that goes through that link runs with the permissions of the ServiceAccount used by the ack-cluster-agent component. The default ServiceAccount is named ack, and it is granted the admin permission (the ClusterRole ack-admin, with all API groups, resources and verbs). You can tighten the authorization rules to match your requirements.
This requires ack-cluster-agent v1.13.1.69-g00e1991-aliyun or later; upgrade it on the registered cluster's management page in the ACK console.
The minimum authorization that a registered cluster needs is read access to the node list; the full minimum rule set, including the agent's own ConfigMaps, is:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["ack-agent-config", "provider"]
    verbs: ["get", "list", "watch", "update"]
```
If you want to install or update addon components (such as terway-eniip or logtail-ds), you must temporarily set ClusterRole/ack-admin to the admin permission, that is, all API groups, all resources and all verbs:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```
After the components are installed or upgraded, you can restore the following minimum permissions:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["ack-agent-config", "provider"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["autoscaler-meta"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["*"]
    resources: ["daemonsets", "deployments"]
    resourceNames: ["terway-eniip", "security-inspector", "ack-cluster-agent", "gatekeeper", "ack-virtual-node", "metrics-server", "logtail-ds", "resource-controller", "aliyun-acr-credential-helper", "migrate-controller", "ack-kubernetes-cronhpa-controller", "tiller-deploy"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["*"]
    resources: ["daemonsets", "deployments"]
    resourceNames: ["cluster-autoscaler"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: [""]
    resources: ["pods", "secrets"]
    verbs: ["list"]
```
Two points about this "minimum" set are worth checking before you rely on it. First, the last rule grants list on secrets with no resourceNames, and a list response contains the full objects, so the agent can still read the data of every Secret in the cluster; if your use of the agent does not need Secret contents, remove secrets from that rule. Second, list and watch in a rule that carries resourceNames only authorize requests that include a metadata.name field selector matching one of those names; a plain list of all ConfigMaps is denied. You can confirm either behaviour with kubectl auth can-i list secrets --as=system:serviceaccount:<namespace>:ack, substituting the namespace that ack-cluster-agent runs in.
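To see what a given ClusterRole actually authorizes without touching the cluster, the following added example (not code from the original post or from ack-cluster-agent) evaluates requests against the role's rules with Kubernetes RBAC semantics, including the resourceNames behaviour for list and watch, and flags grants that make a "minimum" role broader than it looks. The JSON it reads is the shape that kubectl get clusterrole ack-admin -o json prints; the two sample documents are constructed here to mirror the restored minimum role and the temporary admin role above, and the Request type and function names are this example's own.

```python
"""Offline check of what a ClusterRole authorizes, with Kubernetes RBAC semantics.

Added example: not code from the original post or from ack-cluster-agent. It reads
the JSON that `kubectl get clusterrole ack-admin -o json` prints; the samples below
are constructed to mirror the restored minimum role and the temporary admin role.
"""
import json
from dataclasses import dataclass

# Constructed sample: the restored minimum ClusterRole as kubectl -o json would print it.
MINIMAL_CLUSTERROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "ack-admin", "labels": {"ack/creator": "ack"}},
    "rules": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["configmaps"],
         "resourceNames": ["ack-agent-config", "provider", "autoscaler-meta"],
         "verbs": ["get", "list", "watch", "update"]},
        {"apiGroups": ["*"], "resources": ["daemonsets", "deployments"],
         "resourceNames": ["cluster-autoscaler"],
         "verbs": ["get", "list", "watch", "update"]},
        {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["list"]},
    ],
})

# Constructed sample: the temporary admin role from the post, for comparison.
ADMIN_CLUSTERROLE_JSON = json.dumps({
    "kind": "ClusterRole", "metadata": {"name": "ack-admin"},
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
})


@dataclass(frozen=True)
class Request:
    """One API request as the RBAC authorizer sees it."""
    verb: str
    resource: str
    api_group: str = ""  # "" is the core group; "apps" for deployments/daemonsets
    name: str = ""       # object name; for list/watch, the metadata.name field selector


def load_rules(clusterrole_json: str) -> list[dict]:
    return json.loads(clusterrole_json).get("rules", [])


def _matches(allowed: list[str], value: str) -> bool:
    return "*" in allowed or value in allowed


def rule_allows(rule: dict, req: Request) -> bool:
    if not _matches(rule.get("apiGroups", []), req.api_group):
        return False
    if not _matches(rule.get("resources", []), req.resource):
        return False
    if not _matches(rule.get("verbs", []), req.verb):
        return False
    names = rule.get("resourceNames", [])
    if not names:
        return True  # unscoped rule: every object of that resource
    # create/deletecollection carry no name, so a name-scoped rule never matches them;
    # list/watch match only when the request selects exactly one of the listed names.
    if req.verb in ("create", "deletecollection"):
        return False
    return req.name in names


def allows(rules: list[dict], req: Request) -> bool:
    """RBAC is allow-only: a request passes if any rule permits it."""
    return any(rule_allows(rule, req) for rule in rules)


def audit(rules: list[dict]) -> list[str]:
    """Flag grants that make a 'minimum' role broader than it looks."""
    findings = []
    for i, rule in enumerate(rules):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = rule.get("verbs", [])
        if "*" in groups and "*" in resources and "*" in verbs:
            findings.append(f"rule {i}: wildcard on groups, resources and verbs (cluster-admin equivalent)")
        reads = {"get", "list", "watch", "*"} & set(verbs)
        if ("secrets" in resources or "*" in resources) and reads and not rule.get("resourceNames"):
            findings.append(f"rule {i}: {sorted(reads)} on secrets without resourceNames "
                            "returns every Secret's data cluster-wide")
    return findings


if __name__ == "__main__":
    for label, doc in (("minimal", MINIMAL_CLUSTERROLE_JSON), ("admin", ADMIN_CLUSTERROLE_JSON)):
        rules = load_rules(doc)
        print(label, "can list secrets:", allows(rules, Request("list", "secrets")))
        for finding in audit(rules):
            print(" ", finding)
```

Run it against the real role by replacing the constructed JSON with the output of kubectl get clusterrole ack-admin -o json; the audit is deliberately narrow (wildcards and unscoped Secret reads) so that it stays accurate rather than trying to grade every verb.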
When you install the terway component or create a node pool, you must again temporarily set ClusterRole/ack-admin to the admin permission:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```
After the node pool is configured, you can restore the following minimum permissions:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["ack-agent-config", "provider", "autoscaler-meta", "eni-config"]
    verbs: ["get", "list", "watch", "update"]
  - apiGroups: ["*"]
    resources: ["daemonsets", "deployments"]
    resourceNames: ["terway-eniip", "cluster-autoscaler"]
    verbs: ["get", "list", "watch", "update"]
```
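The escalate, install, restore sequence above is easy to get wrong by hand: if the install fails halfway, the agent is left with cluster-admin. The following added example (not code from the original post or from ACK) wraps the sequence so that the previous rules are saved first and restored in a finally block whatever the install does. It drives kubectl through an injected runner, so the flow can be rehearsed against an in-memory role; the ClusterRole name and the admin rule are the ones from the manifests above, while the runner, the RecordingRunner stand-in and the function names are this example's own. The real runner assumes kubectl is on PATH and that the current context points at the registered cluster.

```python
"""Temporarily raise ClusterRole/ack-admin to admin for one addon install, then restore it.

Added example: not code from the original post or from ACK. kubectl is driven through an
injected runner so the escalate/install/restore flow can be rehearsed without a cluster.
"""
import json
import subprocess
from typing import Callable

CLUSTERROLE = "ack-admin"
ADMIN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# A runner takes kubectl's argv (without "kubectl") and returns stdout; it raises on failure.
Runner = Callable[[list[str]], str]


def kubectl(argv: list[str]) -> str:
    """The real runner: assumes kubectl is on PATH and the context is the registered cluster."""
    proc = subprocess.run(["kubectl", *argv], check=True, capture_output=True, text=True)
    return proc.stdout


class RecordingRunner:
    """Dry-run stand-in for kubectl: keeps the role's rules in memory and records every call."""

    def __init__(self, rules: list[dict]):
        self.rules = rules
        self.calls: list[list[str]] = []

    def __call__(self, argv: list[str]) -> str:
        self.calls.append(argv)
        if argv[:2] == ["get", "clusterrole"]:
            return json.dumps({"kind": "ClusterRole", "rules": self.rules})
        if argv[:2] == ["patch", "clusterrole"]:
            self.rules = json.loads(argv[-1])["rules"]  # a merge patch replaces the whole list
            return ""
        raise ValueError(f"unexpected kubectl call: {argv}")


def get_rules(run: Runner) -> list[dict]:
    return json.loads(run(["get", "clusterrole", CLUSTERROLE, "-o", "json"]))["rules"]


def set_rules(run: Runner, rules: list[dict]) -> None:
    # A JSON merge patch replaces the "rules" array wholesale, so no old rule lingers.
    patch = json.dumps({"rules": rules})
    run(["patch", "clusterrole", CLUSTERROLE, "--type", "merge", "-p", patch])


def with_temporary_admin(run: Runner, action: Callable[[], None]) -> list[dict]:
    """Save the current rules, grant admin, run action(), and restore the saved rules.

    The restore sits in a finally block: a failed install must not leave the agent with
    cluster-admin. Returns the rules that were restored.
    """
    saved = get_rules(run)
    set_rules(run, ADMIN_RULES)
    try:
        action()
    finally:
        set_rules(run, saved)
    return saved


if __name__ == "__main__":
    # Dry run against an in-memory role (constructed minimal rules). With a real cluster, pass
    # `kubectl` as the runner and an action such as
    # lambda: subprocess.run(["kubectl", "apply", "-f", "addon.yaml"], check=True).
    minimal = [{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}]
    fake = RecordingRunner(minimal)
    with_temporary_admin(fake, lambda: print("installing with rules:", fake.rules))
    print("restored rules:", fake.rules)
    print("kubectl calls:", [c[0] for c in fake.calls])
```

Keep the saved rules somewhere durable as well (for example, print them before escalating) so that a crash of the script itself, which the finally block cannot cover, still leaves you with the exact rule set to put back.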