By Liusheng
You can register an ACK cluster to access cluster resources through the access link of the stub<->agent. The permissions for all operations converge to the ServiceAccount used by the ack-cluster-agent component. The default name is ack, and the authorization is the admin permission. You can modify the authorization rules based on your business requirements.
ack-cluster-agent version has been upgraded to v1.13.1.69-g00e1991-aliyun and above. (Please upgrade on the ACK registered cluster management page.)
The minimum authorization required to register a cluster with ACK is to obtain the node list permission. The authorization rules are listed below:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-admin
labels:
ack/creator: "ack"
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["ack-agent-config", "provider"]
verbs: ["get", "list", "watch", "update"]If you want to install or update addon components (such as terway-eniip or logtail-ds), you must temporarily set the ClusterRole/ack-admin permission to the admin permission.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-admin
labels:
ack/creator: "ack"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]After the components are installed and upgraded, you can restore to the following minimum permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-admin
labels:
ack/creator: "ack"
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get","list","watch"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["ack-agent-config","provider"]
verbs: ["get","list","watch","update"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["autoscaler-meta"]
verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
resources: ["daemonsets", "deployments"]
resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
resources: ["daemonsets", "deployments"]
resourceNames: ["cluster-autoscaler"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["pods","secrets"]
verbs: ["list"]When you install the terway component or create a node pool, you must temporarily set the permissions of the ClusterRole/ack-admin to the admin permission.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-admin
labels:
ack/creator: "ack"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]After the node pool is configured, you can restore to the following minimum permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-admin
labels:
ack/creator: "ack"
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get","list","watch"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
resources: ["daemonsets", "deployments"]
resourceNames: ["terway-eniip", "cluster-autoscaler"]
verbs: ["get", "list", "watch", "update"]
107 posts | 26 followers
FollowAlibaba Container Service - April 28, 2020
Alibaba Cloud Native - May 23, 2023
Alibaba Developer - April 22, 2021
Alibaba Developer - June 22, 2020
Alibaba Cloud Native Community - June 21, 2022
三辰 - July 6, 2020
107 posts | 26 followers
Follow
Container Service for Kubernetes
Alibaba Cloud Container Service for Kubernetes is a fully managed cloud container management service that supports native Kubernetes and integrates with other Alibaba Cloud products.
Learn More
ACK One
Provides a control plane to allow users to manage Kubernetes clusters that run based on different infrastructure resources
Learn More
Cloud-Native Applications Management Solution
Accelerate and secure the development, deployment, and management of containerized applications cost-effectively.
Learn More
Elastic High Performance Computing Solution
High Performance Computing (HPC) and AI technology helps scientific research institutions to perform viral gene sequencing, conduct new drug research and development, and shorten the research and development cycle.
Learn MoreMore Posts by Alibaba Container Service