
Container Service for Kubernetes:Minimize the permissions of the worker role of an ACK Pro cluster after workload migration is completed

Last Updated: Dec 12, 2023

This topic describes how to minimize the permissions of the worker role of a Container Service for Kubernetes (ACK) Pro cluster after you migrate workloads from an ACK dedicated cluster to the ACK Pro cluster.

Prerequisites

Workloads are migrated from an ACK dedicated cluster to an ACK Pro cluster. For more information, see Hot migration from ACK dedicated clusters to ACK Pro clusters.

Step 1: Create a RAM policy that provides the minimum permissions required by the cluster

  • If cluster-autoscaler and aliyun-acr-credential-helper are installed in your cluster, you cannot revoke all Resource Access Management (RAM) policies that are attached to the worker role of your cluster. In this case, you must create a custom RAM policy that provides the minimum permissions required by the components. For more information, see Create a custom policy.

    • The following policy document lists the permissions required by cluster-autoscaler. For more information, see Auto scaling of nodes.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ess:DescribeScalingGroups",
              "ess:DescribeScalingInstances",
              "ess:DescribeScalingActivities",
              "ess:DescribeScalingConfigurations",
              "ess:DescribeScalingRules",
              "ess:DescribeScheduledTasks",
              "ess:DescribeLifecycleHooks",
              "ess:DescribeNotificationConfigurations",
              "ess:DescribeNotificationTypes",
              "ess:DescribeRegions",
              "ess:CreateScalingRule",
              "ess:ModifyScalingGroup",
              "ess:RemoveInstances",
              "ess:ExecuteScalingRule",
              "ess:ModifyScalingRule",
              "ess:DeleteScalingRule",
              "ecs:DescribeInstanceTypes",
              "ess:DetachInstances",
              "ess:CompleteLifecycleAction",
              "ess:ScaleWithAdjustment",
              "vpc:DescribeVSwitches",
              "cs:DeleteClusterNodes",
              "cs:DescribeClusterNodes",
              "cs:DescribeClusterNodePools",
              "cs:DescribeClusterNodePoolDetail",
              "ecs:DescribeImages"
            ],
            "Resource": [
              "*"
            ],
            "Effect": "Allow"
          }
        ]
      }
    • The following policy document lists the permissions required by aliyun-acr-credential-helper. For more information, see Use the aliyun-acr-credential-helper component to pull images without using a secret.

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "cr:GetAuthorizationToken",
              "cr:ListInstanceEndpoint",
              "cr:PullRepository"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
  • If your workloads need to assume the worker role to call the API operations of Alibaba Cloud services, retain the required permissions for the worker role. If the Kubernetes version of the ACK Pro cluster is 1.22 or later, you can use the RAM Roles for Service Accounts (RRSA) feature to authorize pods to access different cloud services. For more information, see Use RRSA to authorize different pods to access different cloud services.
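When both components are installed, the two fragments above have to be combined into a single custom policy. The following added example (not part of the original topic or of any Alibaba Cloud tool) merges the fragments into one policy document and lints the result for wildcard actions before it is pasted into the RAM console; the action lists are copied from the fragments above, the `Resource` value stays `"*"` as on this page, and the function names are my own.

```python
"""Merge per-component permission fragments into one RAM policy and lint it
for wildcard actions before creating the custom policy (added example)."""
import json

# Constructed from the two fragments quoted in Step 1: the cluster-autoscaler
# fragment is a full policy document, the aliyun-acr-credential-helper one is a
# bare statement. The merger accepts both shapes.
CLUSTER_AUTOSCALER = {"Version": "1", "Statement": [{
    "Action": """ess:DescribeScalingGroups ess:DescribeScalingInstances
        ess:DescribeScalingActivities ess:DescribeScalingConfigurations
        ess:DescribeScalingRules ess:DescribeScheduledTasks ess:DescribeLifecycleHooks
        ess:DescribeNotificationConfigurations ess:DescribeNotificationTypes
        ess:DescribeRegions ess:CreateScalingRule ess:ModifyScalingGroup
        ess:RemoveInstances ess:ExecuteScalingRule ess:ModifyScalingRule
        ess:DeleteScalingRule ecs:DescribeInstanceTypes ess:DetachInstances
        ess:CompleteLifecycleAction ess:ScaleWithAdjustment vpc:DescribeVSwitches
        cs:DeleteClusterNodes cs:DescribeClusterNodes cs:DescribeClusterNodePools
        cs:DescribeClusterNodePoolDetail ecs:DescribeImages""".split(),
    "Resource": ["*"], "Effect": "Allow"}]}
ACR_CREDENTIAL_HELPER = {"Action": ["cr:GetAuthorizationToken",
    "cr:ListInstanceEndpoint", "cr:PullRepository"], "Resource": "*", "Effect": "Allow"}

def _statements(fragment):
    """Return the statement list of a full policy or wrap a bare statement."""
    return fragment["Statement"] if "Statement" in fragment else [fragment]

def build_minimum_policy(*fragments):
    """Merge Allow statements into one policy; actions are deduplicated and sorted."""
    actions = set()
    for frag in fragments:
        for stmt in _statements(frag):
            if stmt.get("Effect") != "Allow":
                raise ValueError("only Allow statements are expected in these fragments")
            acts = stmt["Action"]
            actions.update([acts] if isinstance(acts, str) else acts)
    return {"Version": "1", "Statement": [
        {"Action": sorted(actions), "Resource": ["*"], "Effect": "Allow"}]}

def lint_policy(policy):
    """Flag '*' or 'service:*' actions: they grant far more than a component needs."""
    findings = []
    for stmt in policy["Statement"]:
        for act in stmt["Action"]:
            if act.endswith("*"):
                findings.append(f"wildcard action {act!r} in statement with Effect={stmt['Effect']}")
    return findings

if __name__ == "__main__":
    policy = build_minimum_policy(CLUSTER_AUTOSCALER, ACR_CREDENTIAL_HELPER)
    print(json.dumps(policy, indent=2))          # paste this into the RAM console
    print("lint findings:", lint_policy(policy) or "none")
```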

Step 2: Revoke the RAM policies attached to the worker role of the ACK dedicated cluster

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the ACK dedicated cluster. On the cluster details page, click the Cluster Resources tab. Click the role name on the right side of Worker RAM Role to go to the RAM console.

  3. Optional: Create a custom RAM policy that provides the permissions required by your cluster and attach the policy to the worker role of your cluster. For more information, see Create custom policies and Grant permissions to a RAM role.

    If you need to retain specific permissions for the worker role, create a custom RAM policy that provides the permissions and attach the policy to the worker role. If you do not need to retain permissions, skip this step.

  4. On the Permissions tab of the role details page, find the RAM policies that you want to revoke and click Revoke Permission in the Actions column. In the Revoke Permission message, click Revoke Permission.

    Important

    To avoid affecting components that rely on the permissions of the worker role, we recommend that you do not delete the worker role. If you accidentally revoke a required RAM policy, you can click Grant Permission to attach the policy to the RAM role again.

  5. Run the following command to check whether the system components of your cluster are running normally:

    kubectl get po -n kube-system

    If all components are in the Running state, the components are running normally.