External Kubernetes clusters registered to Container Service for Kubernetes (ACK) use the ACK Stub and ack-cluster-agent components to access cluster resources. The access to cluster resources relies on the permissions granted to the ServiceAccount used by ack-cluster-agent. When you install ack-cluster-agent, a ServiceAccount named ack is automatically created. You can grant role-based access control (RBAC) permissions in restricted mode or normal mode to the ServiceAccount based on your requirements. This topic describes the RBAC permissions required by the ack-cluster-agent component in a registered cluster.
Prerequisites
ack-cluster-agent 1.13.1.69-g00e1991-aliyun or later is installed. For more information about how to update components, see Manage components.
RBAC permissions in restricted mode
By default, a registered cluster requires at least read access to the ConfigMaps used by ack-cluster-agent. The following example shows how to grant these RBAC permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-configmap
  labels:
    ack/creator: "ack"
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - ack-agent-config
  - provider
  verbs:
  - get
  - watch
  - update
  - list
In restricted mode, some features in the console are unavailable. For example, you cannot view the workloads in a cluster. However, you can use onectl to install components and use corresponding services in the console, such as Managed Service for Prometheus and Simple Log Service.
When you use onectl to manage components, the cluster where the ack-cluster-agent component is deployed is granted temporary administrator permissions, and these permissions will be revoked when component management is completed or interrupted. For more information, see Use onectl to manage registered clusters.
RBAC permissions in normal mode
In normal mode, the registered cluster is granted administrator permissions. The following example shows how to grant administrator permissions to the registered cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
In normal mode, all features in the console are available.
RBAC permissions required for component management
When you install or update components, such as terway-eniip or logtail-ds, you must first grant administrator permissions to the ClusterRole named ack-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
After you install or update the components, restore the ClusterRole to the least permissions it needs:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider"]
  verbs: ["get","list","watch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["autoscaler-meta"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["pods","secrets"]
  verbs: ["list"]
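To review what a role actually permits before you bind it, the following added Python example (not part of the ACK documentation or of the ack-cluster-agent project) applies Kubernetes RBAC rule-matching semantics to the normal-mode ack-admin role and to the least-permission ack-admin role above. The rules are transcribed from this page, the secret name any-secret is a constructed sample, and the evaluator models ClusterRole rules only (no rule aggregation, namespaced Roles or non-resource URLs).

```python
# Added example, not part of the ACK documentation: evaluates RBAC rules offline.
def _match(allowed_values, value):
    """A rule field matches when it lists the value or the wildcard "*"."""
    return "*" in allowed_values or value in allowed_values

def allowed(rules, verb, resource, api_group="", name=None):
    """True if any rule permits the request; RBAC rules are additive (OR-ed).
    A request without an object name (a plain list or watch, or a create) never
    matches a rule that has resourceNames, which is how the API server evaluates it."""
    for rule in rules:
        if not (_match(rule.get("apiGroups", []), api_group)
                and _match(rule.get("resources", []), resource)
                and _match(rule.get("verbs", []), verb)):
            continue
        names = rule.get("resourceNames", [])
        if names and (name is None or name not in names):
            continue
        return True
    return False

# ClusterRole ack-admin in normal mode: equivalent to cluster-admin.
ACK_ADMIN_FULL = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
# ClusterRole ack-admin restored to least permissions (component-management section).
ACK_ADMIN_LEAST = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch", "update"],
     "resourceNames": ["ack-agent-config", "provider"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list", "watch", "update"],
     "resourceNames": ["autoscaler-meta"]},
    {"apiGroups": ["*"], "resources": ["daemonsets", "deployments"], "verbs": ["get", "list", "watch"],
     "resourceNames": ["terway-eniip", "security-inspector", "ack-cluster-agent", "gatekeeper",
                       "ack-virtual-node", "metrics-server", "logtail-ds", "resource-controller",
                       "aliyun-acr-credential-helper", "migrate-controller",
                       "ack-kubernetes-cronhpa-controller", "tiller-deploy"]},
    {"apiGroups": ["*"], "resources": ["daemonsets", "deployments"],
     "verbs": ["get", "list", "watch", "update"], "resourceNames": ["cluster-autoscaler"]},
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["list"]},
]

def audit(rules):
    """Requests a reviewer would check before binding the role cluster-wide."""
    return {
        "get configmap ack-agent-config": allowed(rules, "get", "configmaps", "", "ack-agent-config"),
        "list configmaps without a name selector": allowed(rules, "list", "configmaps"),
        # list on secrets returns whole Secret objects, data included; the least role keeps it.
        "list secrets cluster-wide": allowed(rules, "list", "secrets"),
        "get one secret by name": allowed(rules, "get", "secrets", "", "any-secret"),  # constructed name
        "update deployment cluster-autoscaler": allowed(rules, "update", "deployments", "apps", "cluster-autoscaler"),
        "delete deployment cluster-autoscaler": allowed(rules, "delete", "deployments", "apps", "cluster-autoscaler"),
        "create clusterrolebinding": allowed(rules, "create", "clusterrolebindings", "rbac.authorization.k8s.io"),
    }
```

Against a live cluster the same questions are answered by kubectl auth can-i with --as=system:serviceaccount:kube-system:ack, which exercises the real authorizer including any other bindings the ServiceAccount holds.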
RBAC permissions required for creating node pools or elastic node pools
When you install Terway or create node pools, you must first grant administrator permissions to the ClusterRole named ack-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
After you install Terway or create the node pools, restore the ClusterRole to the least permissions it needs:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip", "cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
RBAC permissions required for querying logs after Simple Log Service is enabled
After Simple Log Service is enabled in the registered cluster, grant the following RBAC permissions so that the relevant logs can be queried in the ACK console:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-log
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get","list","watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["alibaba-log-controller", "logtail-ds", "kube-proxy-master"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["alibaba-log-configuration"]
  verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-agent-binding-log
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-agent-role-log
  apiGroup: rbac.authorization.k8s.io