Microservices Engine: MSE RBAC permissions on access to ACK clusters

Last Updated:Jun 13, 2025

Container Service for Kubernetes (ACK) provides the Kubernetes-native role-based access control (RBAC) mechanism. RBAC allows you to grant different users different permissions on Kubernetes resources in the same cluster. After you create the MSE service-linked role AliyunServiceRoleForMSE, it is automatically associated with the RBAC role mse-aliyunserviceroleformse-clusterrole. MSE then accesses ACK cluster resources with the RBAC permissions bound to that service-linked role, which cover the cluster resources that MSE needs.

RBAC permission policy of the MSE service-linked role

  • The RBAC role is not created in an ACK cluster by default. After you create the MSE service-linked role and MSE accesses the ACK cluster, MSE creates the RBAC role in that cluster and binds it to the service-linked role.

  • This RBAC role grants only the minimum permissions required by the MSE features that use it, and it does not affect the RBAC permissions you assign to other users.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mse-aliyunserviceroleformse-clusterrole
rules:
  # base
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

  # ingress
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # Use for Kubernetes Service APIs
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]

  # CRD
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # istio
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries/status" ]
  - apiGroups: [""]
    resources: ["services", "namespaces"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: [ "mse.alibabacloud.com" ]
    resources: [ "mseingressconfigs", "mseingressconfigs/status"]
    verbs: [ "get", "watch", "list" ]
  - apiGroups: [ "events.k8s.io" ]
    resources: [ "events"]
    verbs: [ "get", "watch", "list" ]

Prohibit MSE from accessing ACK clusters

Method 1

You can prohibit MSE from accessing clusters by modifying the RBAC role. Perform the following steps:

  1. Log on to the ACK console with your Alibaba Cloud account. In the left-side navigation pane, click Clusters. On the Clusters page, click the name of the desired cluster.

  2. In the left-side navigation pane, choose Security > Role.

  3. On the Role page, click the Cluster Role tab, enter mse-aliyunserviceroleformse-clusterrole in the search box, and click the search icon.

  4. In the Actions column of mse-aliyunserviceroleformse-clusterrole, click Edit YAML. In the panel that appears, add the annotation inner.service.alibabacloud.com/user-customized with the string value "true" under metadata, and delete all entries in the rules field so that it becomes an empty list.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        # Annotation values are strings; quote the value so YAML does not parse it as a boolean.
        inner.service.alibabacloud.com/user-customized: "true"
      name: mse-aliyunserviceroleformse-clusterrole
    rules: []
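The following script is an added example, not part of the MSE documentation or the MSE product. It covers two things from this page: an audit of the ClusterRole listed under "RBAC permission policy of the MSE service-linked role" (which rules go beyond get/list/watch, using Kubernetes RBAC wildcard matching), and a check that the Method 1 edit above was applied correctly (annotation present as a string, rules empty). Its input is the JSON form of a ClusterRole, as `kubectl get clusterrole mse-aliyunserviceroleformse-clusterrole -o json` prints; the sample embedded here is constructed from the rules on this page. Treating the annotation as a marker that MSE should leave the role alone is an assumption based on its name; the page only says to add it.

```python
"""Audit an MSE ClusterRole and verify it has been neutralised (added example)."""
import copy
import json

# Constructed sample: the rules documented on this page, in the JSON shape kubectl emits.
SAMPLE_CLUSTERROLE = json.loads("""
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "mse-aliyunserviceroleformse-clusterrole"},
 "rules": [
  {"apiGroups": [""], "resources": ["pods","nodes","services","namespaces","endpoints","secrets","configmaps"], "verbs": ["get","watch","list"]},
  {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["get","list","watch"]},
  {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses","ingressclasses"], "verbs": ["get","list","watch"]},
  {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses/status"], "verbs": ["*"]},
  {"apiGroups": ["networking.x-k8s.io","gateway.networking.k8s.io"], "resources": ["*"], "verbs": ["get","watch","list"]},
  {"apiGroups": ["networking.x-k8s.io","gateway.networking.k8s.io"], "resources": ["*"], "verbs": ["*"]},
  {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["get","list","watch"]},
  {"apiGroups": ["networking.istio.io"], "resources": ["workloadentries"], "verbs": ["get","watch","list","update","patch","create","delete"]},
  {"apiGroups": ["networking.istio.io"], "resources": ["workloadentries/status"], "verbs": ["get","watch","list","update","patch","create","delete"]},
  {"apiGroups": [""], "resources": ["services","namespaces"], "verbs": ["get","list","watch","create"]},
  {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get","list","watch","create"]},
  {"apiGroups": ["mse.alibabacloud.com"], "resources": ["mseingressconfigs","mseingressconfigs/status"], "verbs": ["get","watch","list"]},
  {"apiGroups": ["events.k8s.io"], "resources": ["events"], "verbs": ["get","watch","list"]}
 ]}
""")

READ_ONLY = {"get", "list", "watch"}
USER_CUSTOMIZED = "inner.service.alibabacloud.com/user-customized"  # annotation from this page


def can(role, group, resource, verb):
    """True if any rule allows `verb` on `group/resource`.

    Mirrors the core of Kubernetes RBAC matching: "*" in apiGroups, resources or
    verbs matches everything; otherwise the value must appear verbatim. The core
    API group is the empty string.
    """
    for rule in role.get("rules", []):
        groups, resources, verbs = (rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))
        if ("*" in groups or group in groups) and \
           ("*" in resources or resource in resources) and \
           ("*" in verbs or verb in verbs):
            return True
    return False


def write_grants(role):
    """Sorted 'group/resource' entries on which the role holds any verb beyond
    get/list/watch. A wildcard verb or wildcard resource is reported as such."""
    found = set()
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or verbs - READ_ONLY:
            for group in rule.get("apiGroups", [""]):
                for res in rule.get("resources", []):
                    found.add(f"{group or 'core'}/{res}")
    return sorted(found)


def neutralize(role):
    """Return a copy with the Method 1 edit applied: marker annotation set and rules emptied."""
    out = copy.deepcopy(role)
    ann = out.setdefault("metadata", {}).setdefault("annotations", {})
    # Must be the string "true": annotation values are map[string]string, so the API
    # server rejects a YAML/JSON boolean here.
    ann[USER_CUSTOMIZED] = "true"
    out["rules"] = []
    return out


def is_neutralized(role):
    """True only if the marker annotation is the string "true" and no rules remain."""
    ann = role.get("metadata", {}).get("annotations") or {}
    flag = ann.get(USER_CUSTOMIZED)
    return isinstance(flag, str) and flag == "true" and not role.get("rules")


if __name__ == "__main__":
    print("rules granting more than get/list/watch:")
    for entry in write_grants(SAMPLE_CLUSTERROLE):
        print("  ", entry)
    print("can read Secrets:", can(SAMPLE_CLUSTERROLE, "", "secrets", "get"))
    print("neutralised sample is valid:", is_neutralized(neutralize(SAMPLE_CLUSTERROLE)))
```

Running it against the documented role shows that most of the role is read-only but that it can read Secrets and ConfigMaps cluster-wide, holds full verbs on everything in the networking.x-k8s.io and gateway.networking.k8s.io groups (the wildcard rule subsumes the read-only rule listed before it), can create Services, Namespaces and Deployments, and has full CRUD on Istio WorkloadEntries. Pipe real output from `kubectl get clusterrole ... -o json` into `json.load` instead of the sample to audit a live cluster, and use `is_neutralized` after the Method 1 edit to confirm the annotation was saved as a string rather than a boolean.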

Method 2

You can also prohibit MSE from accessing clusters by deleting the service-linked role AliyunServiceRoleForMSE.