All Products
Search
Document Center

Container Service for Kubernetes:RBAC permissions required by the ack-cluster-agent component

Last Updated:Dec 12, 2024

External Kubernetes clusters registered to Container Service for Kubernetes (ACK) use the ACK Stub and ack-cluster-agent components to access cluster resources. The access to cluster resources relies on the permissions granted to the ServiceAccount used by ack-cluster-agent. When you install ack-cluster-agent, a ServiceAccount named ack is automatically created. You can grant role-based access control (RBAC) permissions in restricted mode or normal mode to the ServiceAccount based on your requirements. This topic describes the RBAC permissions required by the ack-cluster-agent component in a registered cluster.

Prerequisites

ack-cluster-agent 1.13.1.69-g00e1991-aliyun or later is installed. For more information about how to update components, see Manage components.

RBAC permissions in restricted mode

By default, registered clusters require at least the RBAC permissions of read access to ConfigMap of ack-cluster-agent. The following example shows how to grant the RBAC permissions:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-configmap
  labels:
    ack/creator: "ack"
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - ack-agent-config
  - provider
  verbs:
  - get
  - watch
  - update
  - list

In restricted mode, some features in the console are unavailable. For example, you cannot view the workloads in a cluster. However, you can use onectl to install components and use corresponding services in the console, such as Managed Service for Prometheus and Simple Log Service.

When you use onectl to manage components, the cluster where the ack-cluster-agent component is deployed is granted temporary administrator permissions, and these permissions will be revoked when component management is completed or interrupted. For more information, see Use onectl to manage registered clusters.

RBAC permissions in normal mode

In normal mode, the registered cluster is granted administrator permissions. The following example shows how to grant administrator permissions to the registered cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

In normal mode, all features in the console are available.

RBAC permissions required for component management

When you install or update components, such as terway-eniip or logtail-ds, you must first grant administrator permissions to the ClusterRole named ack-admin.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

After you install or update components, restore the ClusterRole to the least permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider"]
  verbs: ["get","list","watch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["autoscaler-meta"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["pods","secrets"]
  verbs: ["list"]

RBAC permissions required for creating node pools or elastic node pools

When you install Terway or create node pools, you must first grant administrator permissions to the ClusterRole named ack-admin.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

After you install Terway or create node pools, restore the ClusterRole to the least permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip", "cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]

RBAC permissions required for querying logs after Simple Log Service is enabled

After Simple Log Service is enabled in the registered cluster, you need to grant the following RBAC permissions to query the relevant logs in the ACK console.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-log
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get","list","watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["alibaba-log-controller", "logtail-ds", "kube-proxy-master"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["alibaba-log-configuration"]
  verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-agent-binding-log
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-agent-role-log
  apiGroup: rbac.authorization.k8s.io