Step 1: Install and configure ack-ram-tool
Run the set of commands that matches your operating system and CPU architecture to install ack-ram-tool, then confirm the installation by printing its version.
Darwin_arm64:
cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Darwin_arm64.tar.gz
tar zxvf ack-ram-tool_0.18.0_Darwin_arm64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version
Darwin_x86_64:
cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Darwin_x86_64.tar.gz
tar zxvf ack-ram-tool_0.18.0_Darwin_x86_64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version
Linux_arm64:
cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Linux_arm64.tar.gz
tar zxvf ack-ram-tool_0.18.0_Linux_arm64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version
Linux_x86_64:
cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Linux_x86_64.tar.gz
tar zxvf ack-ram-tool_0.18.0_Linux_x86_64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version
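The four command blocks above differ only in the OS_ARCH suffix of the archive name. The following helper, an added example that is not part of the ACK documentation or of the ack-ram-tool project, derives that suffix from uname so one script serves every platform. The mapping of uname -m values (Linux reports 64-bit ARM as aarch64, the archives call it arm64) and the install function are assumptions of this example; the version, download base URL and archive naming come from the commands above.

```shell
#!/bin/sh
# Added example (not from the ACK documentation): pick the ack-ram-tool 0.18.0
# archive that matches the current platform instead of copying one of the
# four per-platform command blocks by hand.
ACK_RAM_TOOL_VERSION="0.18.0"
ACK_RAM_TOOL_BASE="https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v${ACK_RAM_TOOL_VERSION}"

# Map `uname -s` / `uname -m` output to the OS_ARCH suffix of the release
# archives. Linux reports 64-bit ARM as "aarch64" while the archives use
# "arm64"; this mapping is ours (assumption), not the project's.
ack_ram_tool_platform() {
  os="$1"; arch="$2"
  case "$os" in
    Darwin|Linux) ;;
    *) echo "unsupported OS: $os" >&2; return 1 ;;
  esac
  case "$arch" in
    x86_64|amd64) arch="x86_64" ;;
    arm64|aarch64) arch="arm64" ;;
    *) echo "unsupported architecture: $arch" >&2; return 1 ;;
  esac
  echo "${os}_${arch}"
}

# Full download URL for the archive of a given OS and architecture.
ack_ram_tool_url() {
  platform=$(ack_ram_tool_platform "$1" "$2") || return 1
  echo "${ACK_RAM_TOOL_BASE}/ack-ram-tool_${ACK_RAM_TOOL_VERSION}_${platform}.tar.gz"
}

# Download, unpack and copy the binary into /usr/local/bin, then print the
# version so a wrong or truncated download is noticed immediately.
# Needs network access; only runs when the script is invoked with "install".
install_ack_ram_tool() {
  url=$(ack_ram_tool_url "$(uname -s)" "$(uname -m)") || return 1
  archive="/tmp/$(basename "$url")"
  wget -O "$archive" "$url" || return 1
  tar zxf "$archive" -C /tmp || return 1
  cp /tmp/ack-ram-tool /usr/local/bin/ack-ram-tool || return 1
  ack-ram-tool version
}

if [ "${1:-}" = "install" ]; then
  install_ack_ram_tool
fi
```

The page publishes no checksum or signature for the archives, so the only integrity check available here is the HTTPS transport plus the `ack-ram-tool version` call at the end; keep the downloaded archive if you need to compare it against a later release.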
You can use one of the following methods to configure the credentials that are required by ack-ram-tool.
Automatically read the credentials from the environment variables ALIBABA_CLOUD_ACCESS_KEY_ID, ALIBABA_CLOUD_ACCESS_KEY_SECRET, and ALIBABA_CLOUD_SECURITY_TOKEN. For more information about how to obtain ALIBABA_CLOUD_SECURITY_TOKEN, see What is STS?.
Read the credentials from the configuration file ~/.aliyun/config.json of the aliyun CLI. For more information, see Configure credential.
Step 2: Grant permissions to the credentials used by ack-ram-tool
The credentials used by ack-ram-tool require RAM permissions and RBAC permissions.
Use the following policy to grant permissions to a RAM user. For more information, see Grant permissions to RAM users.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:ListUsers",
        "ram:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
Perform the following steps to grant RBAC administrator permissions to a RAM user:
Log on to the ACK console. In the left-side navigation pane, click Authorizations.
On the Authorizations page, click the RAM Users tab, find the RAM user that you want to manage, and then click Modify Permissions to open the Permission Management panel.
Click Add Permissions, specify Clusters and Namespace, set Permission Management to Administrator, and then click Submit.
Step 3: Query the RBAC bindings of the specified RAM users and RAM roles in a cluster
You can run the ack-ram-tool rbac scan-user-permissions command to query the RBAC bindings of the specified RAM users and RAM roles in a cluster.
Query only the RBAC bindings of the deleted RAM users and RAM roles
Run the following command to query the RBAC bindings of RAM users and RAM roles that have been deleted in the cluster:
ack-ram-tool rbac scan-user-permissions -c <Cluster ID>
Expected output:
2023-12-12T15:34:37+08:00 INFO start to scan users and bindings for cluster c401890df511a4362bf24bece4da****
2023-12-12T15:34:43+08:00 WARN by default, only deleted users are included. Use the --all-users flag to include all users
UID UserType UserName Binding
30086537005566**** (deleted) RamRole ClusterRoleBinding/-/30086537005566****-clusterrolebinding
24320678733226**** (deleted) RamUser ClusterRoleBinding/-/24320678733226****-clusterrolebinding
The following table describes the UserType parameter.
Value of UserType | Description
RamRole | RAM role
RamUser | RAM user
Root | Alibaba Cloud account
Query the RBAC bindings of all RAM users and RAM roles
Run the following command to query the RBAC bindings of all RAM users and RAM roles:
ack-ram-tool rbac scan-user-permissions --all-users -c <Cluster ID>
Expected output:
2023-12-12T15:36:00+08:00 INFO Start to scan users and bindings for cluster c401890df511a4362bf24bece4da6****
UID UserType UserName Binding
30032484611590**** (deleted) RamRole ClusterRoleBinding/-/30032484611590****-clusterrolebinding
20492499986425**** (deleted) RamUser ClusterRoleBinding/-/20492499986425****-clusterrolebinding
27203272572548**** RamUser scan ClusterRoleBinding/-/27203272572548****-clusterrolebinding
113802571552**** Root ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding
29068913515444**** RamUser test-ack-ram-check ClusterRoleBinding/-/29068913515444****-clusterrolebinding
Query the RBAC bindings for all clusters that belong to the current Alibaba Cloud account
Run the following command to query the RBAC bindings for all clusters that belong to the current Alibaba Cloud account:
ack-ram-tool rbac scan-user-permissions -c all
Expected output:
2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T16:44:55+08:00 INFO start to get all clusters, users and roles
2023-12-12T16:44:58+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T16:44:58+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan bindings for cluster c401890df511a4362bf24bece4da6****
2023-12-12T16:45:00+08:00 WARN [c401890df511a4362bf24bece4da6****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c401890df511a4362bf24bece4da6****
UID UserType UserName Binding
30086537005566**** (deleted) RamRole ClusterRoleBinding/-/30086537005566****-clusterrolebinding
20492499986425**** (deleted) RamUser ClusterRoleBinding/-/20492499986425****-clusterrolebinding
2023-12-12T16:45:00+08:00 INFO ---- c137a979dec21472c8279c903cfc**** (test-pro) ----
2023-12-12T16:45:00+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan bindings for cluster c137a979dec21472c8279c903cfce****
2023-12-12T16:45:01+08:00 WARN [c137a979dec21472c8279c903cfce****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c137a979dec21472c8279c903cfce****
UID UserType UserName Binding
30086537005566**** (deleted) RamRole ClusterRoleBinding/-/30086537005566****-clusterrolebinding
24320678733226**** (deleted) RamUser ClusterRoleBinding/-/24320678733226****-clusterrolebinding
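The scan output above is meant to be read by a person; for periodic review it helps to turn each table row into one line with the cluster ID attached, so that runs can be diffed and deleted principals can be tracked until they are cleaned up. The following function is an added example, not part of the ACK documentation or of ack-ram-tool. It assumes the output format shown in the three samples above (the "ClusterId:" line in the -c all output, the first INFO line in single-cluster output, and the column layout of the table) and that the log lines are piped on the same stream as the table (hence 2>&1).

```shell
#!/bin/sh
# Added example (not part of the ACK documentation): summarise the table that
# `ack-ram-tool rbac scan-user-permissions` prints as one machine-readable
# line per principal, so the result can be diffed between runs or attached
# to a ticket. Input format is assumed from the sample outputs on this page.
#
# Usage:
#   ack-ram-tool rbac scan-user-permissions -c <Cluster ID> 2>&1 | summarize_rbac_scan
#   ack-ram-tool rbac scan-user-permissions --all-users -c all 2>&1 | summarize_rbac_scan all
#
# Output columns: cluster uid status usertype username binding
summarize_rbac_scan() {
  awk -v mode="${1:-deleted}" '
    # "-c all" output names the cluster on a "ClusterId: <id>" line before
    # each table; single-cluster output names it only in the first INFO line.
    /^ClusterId: / { cluster = $2; next }
    /[Ss]tart to scan users and bindings for cluster / { cluster = $NF; next }
    # Table rows start with a numeric (possibly masked) UID. Deleted
    # principals carry "(deleted)" in column 2 and have no UserName column;
    # Root rows have no UserName column either.
    $1 ~ /^[0-9][0-9*]*$/ {
      if ($2 == "(deleted)") { status = "deleted"; type = $3; name = "-" }
      else { status = "present"; type = $2; name = (NF >= 4) ? $3 : "-" }
      if (mode == "deleted" && status != "deleted") next
      print (cluster == "" ? "-" : cluster), $1, status, type, name, $NF
    }
  '
}
```

With the default mode only deleted principals are listed, which mirrors the tool's own default; pass `all` to include every row, which is useful for spotting a Root or RAM user holding a cluster-admin ClusterRoleBinding that nobody expects.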
Step 4: Delete the RBAC bindings of the specified RAM users and RAM roles in a cluster and delete kubeconfig files
You can run the ack-ram-tool rbac cleanup-user-permissions command to delete the RBAC bindings of the specified RAM users and RAM roles in a cluster and delete kubeconfig files.
Important: If the log displays "this user has been active in the past 7 days", the RAM user or RAM role accessed the cluster within the previous seven days. Proceed with caution when you perform this step.
Before ack-ram-tool deletes an RBAC binding, it backs up the binding as a JSON file in a folder named after the cluster ID.
Revoke the permissions of a RAM user or RAM role on a single cluster
Run the following command to revoke the permissions of a RAM user or RAM role on a single cluster.
You can run the ack-ram-tool rbac scan-user-permissions -c <Cluster ID> command to obtain the value of <UID>.
ack-ram-tool rbac cleanup-user-permissions -c <Cluster ID> -u <UID>
Expected output:
2023-12-12T18:17:10+08:00 INFO start to scan users and bindings
2023-12-12T18:17:15+08:00 WARN we will clean up RBAC bindings as follows:
UID UserType UserName Binding
25908395708943**** RamUser ack-admin ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:15+08:00 WARN we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T18:17:15+08:00 INFO start to check cluster audit log for user 25908395708943****
2023-12-12T18:17:16+08:00 WARN this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76e****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T18:17:37+08:00 INFO start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:38+08:00 INFO the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T18:17:38+08:00 INFO start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO all bindings and permissions have been cleaned up
Revoke the permissions of a RAM user or RAM role on all clusters
Run the following command to delete the RBAC bindings of a RAM user or RAM role for all clusters that belong to the current Alibaba Cloud account and delete kubeconfig files:
ack-ram-tool rbac cleanup-user-permissions -c all -u <UID>
Expected output:
2023-12-12T19:28:23+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T19:28:23+08:00 INFO start to get all clusters, users and roles
2023-12-12T19:28:24+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up bindings and permissions for cluster c401890df511a4362bf24bece4da6****
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan users and bindings
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up RBAC bindings as follows:
UID UserType UserName Binding
25908395708943**** RamUser ack-admin ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up kubeconfig permissions for users as follows:
UID: 259083957089437690
2023-12-12T19:28:25+08:00 INFO [c401890df511a4362bf24bece4da6****] start to check cluster audit log for user 25908395708943****
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c401890df511a4362bf24bece4da****
sls logstore: audit-c401890df511a4362bf24bece4da6****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to backup binding ClusterRoleBinding/-/25908395708943**** -clusterrolebinding
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c401890df511a4362bf24bece4da6**** /ClusterRoleBinding--259083957089437XXX-clusterrolebinding.json
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] all bindings and permissions have been cleaned up
2023-12-12T19:28:49+08:00 INFO ---- c137a979dec21472c8279c903cfce**** (test-pro) ----
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up bindings and permissions for cluster c137a979dec21472c8279c903cfce****
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan users and bindings
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up RBAC bindings as follows:
UID UserType UserName Binding
25908395708943**** RamUser ack-admin ClusterRoleBinding/-/25908395708943**** -clusterrolebinding
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T19:28:51+08:00 INFO [c137a979dec21472c8279c903cfce****] start to check cluster audit log for user 25908395708943****
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T17:55:50+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T17:55:50+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce**** /ClusterRoleBinding--25908395708943**** -clusterrolebinding.json
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] all bindings and permissions have been cleaned up
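The "backed up to file" lines in the cleanup output are the rollback path if a principal flagged as active in the past 7 days turns out to be a service that still needs access. The helper below is an added example and is not part of the ACK documentation or of ack-ram-tool. It assumes that the backup directory is created under the working directory the tool was run from, that the file name follows the pattern in the log lines above (ClusterRoleBinding--<UID>-clusterrolebinding.json inside a folder named after the cluster ID), and that the file holds the original binding object so that kubectl apply recreates it; the function names are ours.

```shell
#!/bin/sh
# Added example (not part of the ACK documentation): locate and re-apply the
# backup that `ack-ram-tool rbac cleanup-user-permissions` writes before it
# deletes a binding. Assumptions (ours, not the tool's): backups live under
# ./<cluster-id>/ relative to the directory the tool was run from, the file
# name matches the sample log lines on this page, and the file is the original
# binding object, so `kubectl apply -f` recreates it unchanged.

# Path of the ClusterRoleBinding backup for a cluster ID and RAM UID.
rbac_backup_path() {
  cluster="$1"; uid="$2"
  echo "${cluster}/ClusterRoleBinding--${uid}-clusterrolebinding.json"
}

# List every backup taken for a cluster (one JSON file per binding).
list_rbac_backups() {
  ls -1 "$1"/*.json 2>/dev/null
}

# Re-create one binding from its backup. Requires a kubeconfig whose current
# context points at that cluster. The server-side dry run surfaces validation
# errors before anything is changed.
restore_rbac_binding() {
  cluster="$1"; uid="$2"
  file=$(rbac_backup_path "$cluster" "$uid")
  if [ ! -f "$file" ]; then
    echo "no backup for uid $uid in cluster $cluster: $file" >&2
    return 1
  fi
  # Show the object's kind and name fields first, as a sanity check that the
  # file really is the binding you intend to restore.
  grep -E '"(kind|name)"' "$file" | head -n 6
  kubectl apply --dry-run=server -f "$file" && kubectl apply -f "$file"
}
```

Restoring the binding does not undo the kubeconfig revocation that the tool performs in the same run; that part is outside what this helper can reverse. Keep the backup folders together with the cleanup log, since the log is the only record of which clusters a UID was removed from when -c all was used.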