×
Community Blog RBAC Permission Settings for ACK Registered Cluster Agent Components

RBAC Permission Settings for ACK Registered Cluster Agent Components

This article explains all the RBAC permission settings for different scenarios.

By Liusheng

You can register an ACK cluster to access cluster resources through the access link of the stub<->agent. The permissions for all operations converge to the ServiceAccount used by the ack-cluster-agent component. The default name is ack, and the authorization is the admin permission. You can modify the authorization rules based on your business requirements.

Prerequisites

ack-cluster-agent version has been upgraded to v1.13.1.69-g00e1991-aliyun and above. (Please upgrade on the ACK registered cluster management page.)

Minimized RBAC Permissions Required by Default

The minimum authorization required to register a cluster with ACK is to obtain the node list permission. The authorization rules are listed below:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config", "provider"]
  verbs: ["get", "list", "watch", "update"]

RBAC Permissions for Component Management

If you want to install or update addon components (such as terway-eniip or logtail-ds), you must temporarily set the ClusterRole/ack-admin permission to the admin permission.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

After the components are installed and upgraded, you can restore to the following minimum permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider"]
  verbs: ["get","list","watch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["autoscaler-meta"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["pods","secrets"]
  verbs: ["list"]

RBAC Requirements for the Node Pool / Elastic Node Pool Feature Are Enabled

When you install the terway component or create a node pool, you must temporarily set the permissions of the ClusterRole/ack-admin to the admin permission.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

After the node pool is configured, you can restore to the following minimum permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip", "cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
0 0 0
Share on

Alibaba Container Service

154 posts | 28 followers

You may also like

Comments

Alibaba Container Service

154 posts | 28 followers

Related Products