
Microservices Engine:Grant permissions to MSE Ingress Controller in ACK clusters

Last Updated:Jan 12, 2024

If you want to use Microservices Engine (MSE) Ingress gateways to access services in Container Service for Kubernetes (ACK) clusters, you must grant related permissions to MSE Ingress Controller in the clusters. This topic describes how to grant permissions to MSE Ingress Controller in an ACK cluster.

Grant permissions to MSE Ingress Controller in an ACK managed cluster

You can use one of the following methods to grant permissions to MSE Ingress Controller in an ACK managed cluster:

  • If you need to use MSE Ingress Controller in an existing ACK managed cluster, use Method 1.

  • If you decide to use MSE Ingress Controller when you create an ACK managed cluster, use Method 2.

Method 1: Grant permissions to MSE Ingress Controller on the Add-ons page

When you install MSE Ingress Controller on the Add-ons page, the required permissions are checked automatically. If the error message "Failed to pass the precheck." appears, perform the following steps to grant the permissions:

  1. Move the pointer over the error message "Failed to pass the precheck.", and click View Report.

  2. On the Report page, click the red box in the Error column. Then, click the link in the panel that appears.

  3. On the RAM Quick Authorization page, click Authorize.

  4. Reinstall MSE Ingress Controller.

Method 2: Grant permissions to MSE Ingress Controller when you create a cluster

  1. When you install MSE Ingress Controller during the cluster creation process, check the status displayed for MSE Ingress Authorization Check in the Dependency Check section in the Confirm Order step. If Failed is displayed for MSE Ingress Authorization Check, click Authorize Now.

  2. On the RAM Quick Authorization page, click Authorize.

  3. Return to the Confirm Order step, and click Re-check. If the check is passed, click Create Cluster.

Grant permissions to MSE Ingress Controller in an ACK dedicated cluster

  1. Log on to the ACK console.

  2. In the left-side navigation pane, click Clusters. Then, click the name of the cluster that you want to manage.

  3. On the cluster details page, click the Cluster Resources tab. On the Cluster Resources tab, click the hyperlink next to Worker RAM Role.

  4. In the Resource Access Management (RAM) console, attach the AliyunMSEFullAccess policy to the worker RAM role.

    1. On the Permissions tab of the role details page, click Grant Permission.

    2. In the Select Policy section of the Grant Permission panel, click the System Policy tab. Then, enter a policy name in the input field to perform a fuzzy search.

      For example, you can enter mse to search for AliyunMSEFullAccess.

    3. Click AliyunMSEFullAccess to add the policy to the Selected list. Then, click OK.

    You can check whether the AliyunMSEFullAccess policy is attached to the role in the policy list, as shown in the following figure.

  5. Find the ack-mse-ingress-controller application in the mse-ingress-controller namespace of the destination cluster, and click More in the Actions column. In the list that appears, select Redeploy. Then, click OK.

    After the application is redeployed, click the ack-mse-ingress-controller application to confirm that the pod of the application is in the Running state.

(Optional) Create a Simple Log Service policy and attach the policy to the worker RAM role of the cluster

If you want to activate Simple Log Service for the MSE cloud-native gateway by using an MseIngressConfig, you must grant permissions on Simple Log Service to the worker RAM role that is shown on the Cluster Resources tab.

  1. Log on to the RAM console by using an Alibaba Cloud account or a RAM user that has administrative rights.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab, enter the following policy content, and then click Next to edit policy information.

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:CloseProductDataCollection",
                    "log:OpenProductDataCollection",
                    "log:GetProductDataCollection"
                ],
                "Resource": [
                    "acs:mse:*:*:instance/*",
                    "acs:log:*:*:project/*/logstore/mse_*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": "ram:PassRole",
                "Resource": "acs:ram::*:role/aliyunserviceroleforslsaudit",
                "Effect": "Allow"
            },
            {
                "Action": "ram:CreateServiceLinkedRole",
                "Resource": "*",
                "Effect": "Allow",
                "Condition": {
                    "StringEquals": {
                        "ram:ServiceName": "audit.log.aliyuncs.com"
                    }
                }
            }
        ]
    }

  5. Specify the Name and Description fields.

  6. Click OK.

  7. Attach the created policy to the worker RAM role on the Cluster Resources tab.

    1. Log on to the ACK console.

    2. In the left-side navigation pane, click Clusters. On the Clusters page, click the cluster name.

    3. On the cluster details page, click the Cluster Resources tab. Then, click the link next to Worker RAM Role.

    4. Grant the permissions on Simple Log Service to the worker RAM role in the RAM console.

      1. On the Permissions tab of the role details page, click Grant Permission.

      2. In the Grant Permission panel, click the Custom Policy tab in the Select Policy section, and then enter the policy name in the input field to perform a fuzzy search.

        Note

        The policy name is the name that you specified in Step 5.

      3. Click the policy name and click OK.
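As an added check that is not part of this page's procedure, the following Python snippet loads the Simple Log Service policy document from the steps above and flags any Allow statement that is broader than those steps require: a wildcard action, a Resource of "*" without a Condition, or ram:PassRole granted on more than the one service role. The rules are assumptions made for this check, not RAM's own validator, and the weakened variant is constructed only for contrast.

```python
import json

# Policy document copied from this page: the Simple Log Service policy that the
# procedure above attaches to the worker RAM role.
SLS_POLICY = json.dumps({"Version": "1", "Statement": [
    {"Action": ["log:CloseProductDataCollection", "log:OpenProductDataCollection",
                "log:GetProductDataCollection"],
     "Resource": ["acs:mse:*:*:instance/*", "acs:log:*:*:project/*/logstore/mse_*"],
     "Effect": "Allow"},
    {"Action": "ram:PassRole",
     "Resource": "acs:ram::*:role/aliyunserviceroleforslsaudit", "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": "audit.log.aliyuncs.com"}}},
]})


def _as_list(value):
    # RAM accepts a string or a list for Action and Resource; normalize to a list.
    return value if isinstance(value, list) else [value]


def find_overbroad_statements(policy_json: str) -> list:
    """Return one finding per Allow statement broader than this page's policy needs.

    Assumed rules: no "*" or "<service>:*" action; Resource "*" only together
    with a Condition (as CreateServiceLinkedRole has); PassRole scoped to one role.
    """
    findings = []
    for idx, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(stmt["Action"]), _as_list(stmt["Resource"])
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
        if "*" in resources and not stmt.get("Condition"):
            findings.append(f"statement {idx}: Resource '*' without a Condition")
        if "ram:PassRole" in actions and any(
                r == "*" or r.endswith(":role/*") for r in resources):
            findings.append(f"statement {idx}: ram:PassRole not scoped to one role")
    return findings


def weaken_passrole(policy_json: str) -> str:
    # Constructed negative case: the same policy with PassRole widened to every role.
    policy = json.loads(policy_json)
    for stmt in policy["Statement"]:
        if "ram:PassRole" in _as_list(stmt["Action"]):
            stmt["Resource"] = "acs:ram::*:role/*"
    return json.dumps(policy)
```

Run it against the pasted policy before you click Next in the Create Policy page; the page's own policy yields no findings, while the widened PassRole variant is reported.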

Grant permissions to MSE Ingress Controller in an ACK Serverless cluster

You can use one of the following methods to grant permissions to MSE Ingress Controller in an ACK Serverless cluster:

  • If you need to use MSE Ingress Controller in an existing ACK Serverless cluster, use Method 1.

  • If you decide to use MSE Ingress Controller when you create an ACK Serverless cluster, use Method 2.

Method 1: Grant permissions to MSE Ingress Controller on the Add-ons page

When you install MSE Ingress Controller on the Add-ons page, the required permissions are checked automatically. If the error message "Failed to pass the precheck." appears, perform the following steps to grant the permissions:

  1. Move the pointer over the error message "Failed to pass the precheck.", and click View Report.

  2. On the Report page, click the red box in the Error column. Then, click the link in the panel that appears.

  3. On the RAM Quick Authorization page, click Authorize.

  4. Reinstall MSE Ingress Controller.

Method 2: Grant permissions to MSE Ingress Controller when you create a cluster

  1. When you install MSE Ingress Controller during the cluster creation process, check the status displayed for MSE Ingress Authorization Check in the Dependency Check section in the Confirm Order step. If Failed is displayed for MSE Ingress Authorization Check, click Authorize Now.

  2. On the RAM Quick Authorization page, click Authorize.

  3. Return to the Confirm Order step, and click Re-check. If the check is passed, click Create Cluster.

What to do next

For more information about how to use an MSE Ingress gateway to access services in an ACK cluster, see Use MSE Ingresses to access applications in ACK clusters.