If you want to use API operations to manage an Alibaba Cloud Service Mesh (ASM) instance, you can use the kubectl client to connect to the ASM instance.
Background information
kubectl is a command-line tool of Kubernetes. You can use kubectl to manage Kubernetes clusters, containerized applications deployed in Kubernetes clusters, and ASM instances.
Based on the role-based access control (RBAC) mode of Kubernetes, ASM provides predefined RBAC roles with different permissions on an ASM instance. You can assign roles with the following permissions to users as required:
- The permissions to manage namespaces on the control plane, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.
- The permissions to manage Istio resources, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.
- The permissions to manage istiogateways.istio.alibabacloud.com resources for deploying ingress gateways, including the permissions to perform the create, delete, get, list, patch, update, and watch operations.
- The read-only permissions on istio.alibabacloud.com resources, including the permissions to perform the get and list operations.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: istio-admin
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - config.istio.io
  - networking.istio.io
  - authentication.istio.io
  - rbac.istio.io
  - security.istio.io
  resources: ["*"]
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - istio.alibabacloud.com
  resources: ["istiogateways"]
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - istio.alibabacloud.com
  resources: ["*"]
  verbs:
  - get
  - list
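How the four rules of the istio-admin ClusterRole above combine into effective permissions, as an added example that is not part of the original page or Alibaba Cloud's own code. The sample requests and the resource name example-resource are constructed, and only exact and "*" matching is implemented because this role uses no resourceNames or subresource patterns.

```python
"""Evaluate requests against the istio-admin ClusterRole rules (added example)."""

FULL = ["create", "delete", "get", "list", "patch", "update", "watch"]

# Rules transcribed from the istio-admin ClusterRole shown on this page.
ISTIO_ADMIN_RULES = [
    {"apiGroups": [""], "resources": ["namespaces"], "verbs": FULL},
    {"apiGroups": ["config.istio.io", "networking.istio.io",
                   "authentication.istio.io", "rbac.istio.io",
                   "security.istio.io"],
     "resources": ["*"], "verbs": FULL},
    {"apiGroups": ["istio.alibabacloud.com"],
     "resources": ["istiogateways"], "verbs": FULL},
    {"apiGroups": ["istio.alibabacloud.com"],
     "resources": ["*"], "verbs": ["get", "list"]},
]

# Constructed sample requests: (apiGroup, resource, verb).
# "example-resource" is a hypothetical resource name, not a real ASM kind.
SAMPLE_REQUESTS = [
    ("networking.istio.io", "virtualservices", "delete"),
    ("networking.istio.io", "virtualservices", "deletecollection"),
    ("istio.alibabacloud.com", "istiogateways", "delete"),
    ("istio.alibabacloud.com", "example-resource", "delete"),
    ("istio.alibabacloud.com", "example-resource", "get"),
    ("", "namespaces", "delete"),
    ("", "secrets", "get"),
]


def _matches(allowed, value):
    """A rule field matches on an exact entry or the "*" wildcard."""
    return "*" in allowed or value in allowed


def is_allowed(rules, api_group, resource, verb):
    """RBAC rules are additive: one rule matching all three fields allows."""
    return any(_matches(r["apiGroups"], api_group)
               and _matches(r["resources"], resource)
               and _matches(r["verbs"], verb) for r in rules)


def effective_verbs(rules, api_group, resource, candidates):
    """Return the subset of candidate verbs the rules grant on a resource."""
    return sorted(v for v in candidates
                  if is_allowed(rules, api_group, resource, v))


if __name__ == "__main__":
    for group, resource, verb in SAMPLE_REQUESTS:
        verdict = "allow" if is_allowed(ISTIO_ADMIN_RULES, group, resource, verb) else "deny"
        print(f"{verdict:5} {verb:16} {group or 'core'}/{resource}")
```

The deletecollection verb appears in none of the verb lists, so bulk deletion of Istio resources is denied even where delete is allowed. The role also grants nothing on core-group resources other than namespaces.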