The operations that Distributed Cloud Container Platform for Kubernetes (ACK One) GitOps can perform on associated clusters are controlled by the role-based access control (RBAC) permissions defined in the ClusterRole ack-mc:argocd-ackone-dev, which the system creates by default. These default permissions cannot be modified. To control permissions in a fine-grained manner, for example, to allow ACK One GitOps only to create and view pods within a specified associated cluster, you can create a ClusterRole and assign the appropriate RBAC permissions to it. This topic describes the default permissions of ACK One GitOps and how to customize the permissions of ACK One GitOps.
Background information
When a cluster is associated with an ACK One Fleet instance, a default ServiceAccount argocd-ackone-sa and a default ClusterRole ack-mc:argocd-ackone-dev are created in the associated cluster, and the ClusterRole is bound to the ServiceAccount. By default, ACK One GitOps controls the associated cluster based on the RBAC permissions included in ack-mc:argocd-ackone-dev.
You can also customize RBAC permissions for ACK One GitOps. This requires creating custom ClusterRoles or Roles in the associated clusters and binding them to the default ServiceAccount argocd-ackone-sa through ClusterRoleBindings or RoleBindings (a Role and RoleBinding scope the permissions to a single namespace, a ClusterRole and ClusterRoleBinding to the whole cluster), thereby achieving fine-grained control over cluster resources.
Configure RBAC permissions on clusters associated with ACK One GitOps
1. Use the following YAML template to create a custom ClusterRole:

Note
- name of ClusterRole: Enter a custom name.
- Modify the rules, which include apiGroups, resources, and verbs, based on your actual needs.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <your ClusterRole name>
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - configmaps
  - endpoints
  verbs:
  - create
  - delete
2. Use the following YAML template to create a ClusterRoleBinding, bind the ClusterRole to the default ServiceAccount argocd-ackone-sa, and grant the custom RBAC permissions to argocd-ackone-sa.

Note
- name of ClusterRole: You must enter the name of the ClusterRole that you created in the previous step.
- name of ServiceAccount: The name must be argocd-ackone-sa. Do not modify the value.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <ClusterRoleBinding name>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <your ClusterRole name>
subjects:
- kind: ServiceAccount
  name: argocd-ackone-sa
  namespace: ack-multiple-clusters
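The two manifests from the steps above, built and cross-checked in code. This is an added example, not Alibaba Cloud's own tooling: the function names and the read-only sample rule are this example's own, and the only values taken from the page are the ServiceAccount name argocd-ackone-sa, its namespace ack-multiple-clusters, and the requirement that roleRef.name equal the ClusterRole created in step 1. Kubernetes RBAC is additive, so a second binding on argocd-ackone-sa widens its effective permissions rather than narrowing them; whatever the default ClusterRole grants stays in effect as long as its own binding exists.

```python
"""Render the ClusterRole and ClusterRoleBinding for the ACK One GitOps ServiceAccount.

Added example; it is not Alibaba Cloud's tooling. Function names are this example's own.
The only facts taken from the page: the ServiceAccount is argocd-ackone-sa in namespace
ack-multiple-clusters, and the binding's roleRef must name the ClusterRole from step 1.
"""

SA_NAME = "argocd-ackone-sa"             # fixed by ACK One; do not change
SA_NAMESPACE = "ack-multiple-clusters"   # namespace of the default ServiceAccount


def build_cluster_role(name, rules):
    """Return a ClusterRole manifest as a dict.

    `rules` is a list of (apiGroups, resources, verbs) triples, for example
    [([""], ["pods"], ["get", "list", "watch"])].
    """
    if not name or not rules:
        raise ValueError("a ClusterRole needs a name and at least one rule")
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRole",
        "metadata": {"name": name},
        "rules": [
            {"apiGroups": list(groups), "resources": list(resources), "verbs": list(verbs)}
            for groups, resources, verbs in rules
        ],
    }


def build_cluster_role_binding(binding_name, cluster_role):
    """Bind an existing ClusterRole dict to the fixed GitOps ServiceAccount."""
    if cluster_role.get("kind") != "ClusterRole":
        raise ValueError("roleRef must point at a ClusterRole")
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "ClusterRoleBinding",
        "metadata": {"name": binding_name},
        "roleRef": {
            "apiGroup": "rbac.authorization.k8s.io",
            "kind": "ClusterRole",
            "name": cluster_role["metadata"]["name"],   # must match step 1
        },
        "subjects": [
            {"kind": "ServiceAccount", "name": SA_NAME, "namespace": SA_NAMESPACE}
        ],
    }


def manifests_consistent(cluster_role, binding):
    """Check the two invariants the page calls out before applying anything."""
    ref = binding["roleRef"]
    return (
        ref["kind"] == "ClusterRole"
        and ref["name"] == cluster_role["metadata"]["name"]
        and any(
            s["kind"] == "ServiceAccount"
            and s["name"] == SA_NAME
            and s["namespace"] == SA_NAMESPACE
            for s in binding["subjects"]
        )
    )


def _scalar(value):
    # "" (the core API group) and "*" must be quoted to be valid YAML scalars
    return f'"{value}"' if value in ("", "*") else str(value)


def to_yaml(obj, indent=0):
    """Minimal YAML emitter for dict/list/str trees, so no PyYAML is required."""
    pad = "  " * indent
    lines = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            if isinstance(value, (dict, list)):
                lines.append(f"{pad}{key}:")
                lines.append(to_yaml(value, indent + 1))
            else:
                lines.append(f"{pad}{key}: {_scalar(value)}")
    else:
        for item in obj:
            if isinstance(item, dict):
                body = to_yaml(item, indent + 1).splitlines()
                lines.append(f"{pad}- {body[0].lstrip()}")   # first key shares the "- " line
                lines.extend(body[1:])
            else:
                lines.append(f"{pad}- {_scalar(item)}")
    return "\n".join(lines)


def render_custom_rbac(role_name, binding_name, rules):
    """Return a two-document YAML string ready for `kubectl apply -f -`."""
    role = build_cluster_role(role_name, rules)
    binding = build_cluster_role_binding(binding_name, role)
    if not manifests_consistent(role, binding):
        raise ValueError("binding does not reference the ClusterRole / ServiceAccount correctly")
    return to_yaml(role) + "\n---\n" + to_yaml(binding) + "\n"


if __name__ == "__main__":
    # Constructed example: the step-1 template narrowed to read-only access to pods.
    print(render_custom_rbac(
        "gitops-pod-reader", "gitops-pod-reader-binding",
        [([""], ["pods"], ["get", "list", "watch"])],
    ))
```

Pipe the output to `kubectl apply -f -` against the associated cluster. Afterwards, `kubectl auth can-i get pods --as=system:serviceaccount:ack-multiple-clusters:argocd-ackone-sa` returns the answer the API server actually gives for that ServiceAccount, which reflects the default ClusterRole together with the custom one.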
ACK One GitOps default permissions
The default ClusterRole ack-mc:argocd-ackone-dev created by the system contains the following RBAC permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-mc:argocd-ackone-dev
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - namespaces
  - bindings
  - limitranges
  - resourcequotas
  - persistentvolumes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - events
  - namespaces/status
  - replicationcontrollers/status
  - pods/status
  - pods/log
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - networking.k8s.io
  resources:
  - '*'
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - alicloud.com
  resources:
  - '*'
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - log.alibabacloud.com
  resources:
  - '*'
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - serving.knative.dev
  resources:
  - '*'
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - eventing.knative.dev
  resources:
  - '*'
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - messaging.knative.dev
  resources:
  - '*'
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - sources.eventing.knative.dev
  resources:
  - '*'
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - alert.alibabacloud.com
  resources:
  - '*'
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - alibabacloud.com
  resources:
  - externalsecrets
  - secretstores
  verbs:
  - '*'
- apiGroups:
  - apps.kruise.io
  - policy.kruise.io
  - rollouts.kruise.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - argoproj.io
  resources:
  - analysisruns
  - analysistemplates
  - clusteranalysistemplates
  - experiments
  - rollouts
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  - mutatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
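A small evaluator that answers, Kubernetes-RBAC style, whether a rule set permits a given (apiGroup, resource, verb) request, and that lists the (apiGroup, resource) pairs on which a role holds every verb. This is an added example, not part of the ACK One documentation; DEFAULT_RULES is a constructed excerpt of the ack-mc:argocd-ackone-dev rules listed above and CUSTOM_RULES is the step-1 template, and the function names are this example's own. It goes slightly beyond the page by implementing the general matching rules (wildcard groups, resources and verbs, and the distinction between a resource and its subresources), which is what lets it show that the default role covers pods/log but neither secrets nor pods/exec.

```python
"""Evaluate what a ClusterRole permits, following Kubernetes RBAC matching rules.

Added example, not part of the ACK One documentation. DEFAULT_RULES is a constructed
excerpt of the ack-mc:argocd-ackone-dev rules shown on the page; CUSTOM_RULES is the
step-1 template. Function names are this example's own.
"""

ALL_VERBS = {"create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"}

DEFAULT_RULES = [  # excerpt of the default ClusterRole, constructed from the page
    {"apiGroups": [""], "resources": ["pods", "configmaps", "endpoints", "services", "namespaces"],
     "verbs": sorted(ALL_VERBS)},
    {"apiGroups": [""], "resources": ["events", "pods/status", "pods/log"],
     "verbs": ["get", "list", "watch", "patch", "update"]},
    {"apiGroups": ["metrics.k8s.io"], "resources": ["pods"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["*"], "verbs": sorted(ALL_VERBS)},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["admissionregistration.k8s.io"],
     "resources": ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"], "verbs": ["*"]},
    {"apiGroups": ["apps.kruise.io", "policy.kruise.io", "rollouts.kruise.io"],
     "resources": ["*"], "verbs": ["*"]},
]

CUSTOM_RULES = [  # the step-1 template from the page
    {"apiGroups": [""], "resources": ["pods", "configmaps", "endpoints"], "verbs": ["create", "delete"]},
]


def resource_matches(patterns, resource):
    """Match a requested resource (optionally "resource/subresource") against rule entries.

    A plain "pods" entry does not cover "pods/log"; "*" and "*/log" do.
    """
    for pat in patterns:
        if pat == "*" or pat == resource:
            return True
        if pat.startswith("*/") and "/" in resource and resource.split("/", 1)[1] == pat[2:]:
            return True
    return False


def rule_allows(rule, api_group, resource, verb):
    """A single rule allows the request only if group, resource and verb all match."""
    groups = rule.get("apiGroups", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or api_group in groups)
            and resource_matches(rule.get("resources", []), resource)
            and ("*" in verbs or verb in verbs))


def role_allows(rules, api_group, resource, verb):
    """Kubernetes grants a request if any one rule covers it; rules never subtract."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def full_control_grants(rules):
    """(apiGroup, resource) pairs on which the role holds every verb.

    These are the first entries to read in a least-privilege review.
    """
    pairs = []
    for rule in rules:
        verbs = set(rule.get("verbs", []))
        if "*" in verbs or ALL_VERBS <= verbs:
            pairs.extend((g, res) for g in rule["apiGroups"] for res in rule["resources"])
    return pairs


def dropped_by(default_rules, custom_rules, probes):
    """Probes that the default role allows but the custom role does not."""
    return [p for p in probes
            if role_allows(default_rules, *p) and not role_allows(custom_rules, *p)]


if __name__ == "__main__":
    probes = [("", "pods", "get"), ("", "pods", "create"), ("", "secrets", "get"),
              ("", "pods/exec", "create"), ("networking.k8s.io", "networkpolicies", "delete")]
    for p in probes:
        print(p, "default:", role_allows(DEFAULT_RULES, *p), "custom:", role_allows(CUSTOM_RULES, *p))
    print("full control:", full_control_grants(DEFAULT_RULES))
    print("allowed by default but not by the custom role:", dropped_by(DEFAULT_RULES, CUSTOM_RULES, probes))
```

Because rules only ever add permissions, dropped_by only tells you what a custom role on its own would not grant; as long as the default ClusterRoleBinding on argocd-ackone-sa is in place, the ServiceAccount keeps everything the default role lists.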