The authorization system of Container Service for Kubernetes (ACK) consists of Resource Access Management (RAM) authorization at the cloud resource layer and Role-Based Access Control (RBAC) authorization at the ACK cluster layer. Different user roles need different permissions at each of these two layers. This topic describes authorization best practices for read-only administrators, application O&M engineers, application developers, and permission administrators.
Authorization system
The ACK authorization system consists of RAM authorization and RBAC authorization. RAM authorization grants permissions on cloud resources, whereas RBAC authorization grants permissions on Kubernetes resources within a cluster. The following figure shows the ACK authorization system.
RAM authorization: based on RAM system policies and custom policies. It grants permissions on ACK API operations and on other Alibaba Cloud services to support the following O&M operations:
Create, view, upgrade, and delete clusters.
Create, modify, and scale node pools.
Manage authorization.
Monitor clusters and collect logs and events.
RBAC authorization: based on Kubernetes RBAC. It grants permissions on Kubernetes resources within an ACK cluster to support O&M operations. In most cases, you can use RBAC authorization to grant permissions to create, delete, modify, and query the following Kubernetes resource objects:
Workload resources: Deployment, StatefulSet, DaemonSet, Job, CronJob, Pod, and ReplicaSet.
Network resources: Service, Ingress, and NetworkPolicy.
Storage resources: persistent volume (PV), persistent volume claim (PVC), and StorageClass.
Namespace, ConfigMap, and Secret.
Prerequisites
If a RAM user or RAM role, rather than the Alibaba Cloud account, performs the authorization operations, you must first grant that RAM user or RAM role the permission administrator permissions so that it can grant permissions to other RAM users or RAM roles. For more information, see Assign a RAM user or RAM role as a permission administrator.
Scenario 1: Grant a read-only administrator permissions to view cluster resources
Grant the user the permissions required to read Kubernetes resources in all namespaces.
Grant read-only administrator permissions to a RAM user or role
Grant permissions in the console
To grant permissions in the console, see Use RBAC to authorize operations on resources in a cluster.
Alibaba Cloud CLI authorization example
You can call the GrantPermissions OpenAPI operation and set the role_name request parameter to grant the admin-view (read-only administrator) permissions to a RAM user or role. You can also call the DescribeUserPermission operation to query the permissions of a RAM user or role.

```shell
aliyun cs POST /permissions/users/234xxxxxxxx --header "Content-Type=application/json;" --body "[{\"cluster\":\"c24xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\"is_custom\":false,\"role_name\":\"admin-view\",\"role_type\":\"cluster\"}]"
```

Terraform authorization example

```hcl
resource "alicloud_cs_kubernetes_permissions" "default" {
  uid = alicloud_ram_user.user.id
  permissions {
    cluster     = alicloud_cs_managed_kubernetes.default.id
    role_type   = "cluster"
    role_name   = "admin-view"
    namespace   = ""
    is_custom   = false
    is_ram_role = false
  }
}
```
Scenario 2: Grant an O&M engineer permissions on a cluster and the applications in it
O&M engineers need to manage and maintain ACK clusters and the application resources in them. Therefore, you must grant both RAM and RBAC permissions.
RAM authorization
ACK provides two system policies in RAM: AliyunCSFullAccess and AliyunCSReadOnlyAccess.
AliyunCSFullAccess grants read and write permissions on all ACK OpenAPI operations.
AliyunCSReadOnlyAccess grants read-only permissions on all ACK OpenAPI operations.
Log on to the RAM console and attach one of the system policies as needed. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM role.
If you need fine-grained access control, you can create a custom authorization policy. For more information, see Use RAM to grant access permissions on clusters and cloud resources.
The following code provides a sample RAM authorization policy for this scenario. For more information about the Actions in this example, see Actions.
```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:GetClusters", "cs:ModifyCluster", "cs:UpgradeCluster", "cs:DescribeClusterDetail",
        "cs:DescribeClusterVuls", "cs:DescribeClusterSecuritySummary", "cs:DescribeClusterUserKubeconfig",
        "cs:RevokeK8sClusterKubeConfig", "cs:CheckControlPlaneLogEnable", "cs:DescribeClusterResources",
        "cs:DescribeClusterEvents", "cs:DescribeClusterLogs", "cs:GetClusterAuditProject", "cs:ListClusterChecks",
        "cs:GetClusterCheck", "cs:RunClusterCheck", "cs:ModifyClusterAudit", "cs:DescribeResourcesDeleteProtection",
        "cs:UpdateResourcesDeleteProtection", "cs:DescribeClusterNodePools", "cs:DescribeClusterNodePoolDetail",
        "cs:CreateClusterNodePool", "cs:ModifyClusterNodePool", "cs:UpgradeClusterNodepool", "cs:DeleteClusterNodepool",
        "cs:CreateAutoscalingConfig", "cs:SyncClusterNodePool", "cs:RepairClusterNodePool", "cs:AttachInstancesToNodePool",
        "cs:ModifyNodePoolNodeConfig", "cs:DescribeClusterNodes", "cs:RemoveClusterNodes", "cs:RemoveNodePoolNodes",
        "cs:DiagnoseClustersNode", "cs:DescribeNodePoolVuls", "cs:FixNodePoolVuls", "cs:DrainNodes",
        "cs:DescribeClusterAddonMetadata", "cs:DescribeClusterAddonsVersion", "cs:InstallClusterAddons",
        "cs:UpgradeClusterAddons", "cs:ModifyClusterAddon", "cs:UnInstallClusterAddons", "cs:DescribeClusterAddonInstance",
        "cs:DescribeClusterAddonsUpgradeStatus", "cs:DescribeClusterAddonUpgradeStatus", "cs:ListClusterComponent",
        "cs:GetClusterComponent", "cs:DescribePolicyInstances", "cs:DeployPolicyInstance", "cs:ModifyPolicyInstance",
        "cs:DeletePolicyInstance", "cs:DescribePolicyGovernanceInCluster", "cs:DescribePolicyInstancesStatus",
        "cs:UpdateContactGroupForAlert", "cs:StartAlert", "cs:StopAlert", "cs:ListAlertRules", "cs:GetAlertHistory",
        "cs:DescribeClusterTasks", "cs:GetClusterBasicInfo", "cs:ListClusterReportSummary", "cs:GetClusterReportSummary",
        "cs:ListReportTaskRule", "cs:CreateTrigger", "cs:DescribeKubernetesClusterHookTrigger", "cs:CreateDiagnose",
        "cs:CreateClusterOverviewReport", "cs:GetAIDiagnosisResult", "cs:CreateReportTaskRule", "cs:CreateClusterReport",
        "cs:GetClusterCheckResult", "cs:GetClusterServices", "cs:UpdateControlPlaneLog", "cs:UpdateClusterName"
      ],
      "Resource": "acs:cs:*:*:cluster/xxxxx"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cs:DescribeSubAccountHelmPermission", "cs:CheckServiceRole", "cs:DeleteTriggerHook",
        "cs:QueryAlertContact", "cs:QueryAlertContactGroup", "cs:AddOrUpdateAlertContact",
        "cs:AddOrUpdateAlertContactGroup", "cs:DeleteAlertContact", "cs:DeleteAlertContactGroup",
        "cs:DescribeKubernetesVersionMetadata", "cs:ListOperationPlans", "cs:DescribeClusterEndpoints",
        "cs:DescribeTaskInfo", "cs:DescribeEvents", "cs:DescribeUserQuota", "cs:DescribeTasks",
        "cs:PauseTask", "cs:CancelTask", "cs:DescribeAddons", "cs:DeleteReportTaskRule",
        "cs:CreateSessionMessage", "cs:DescribePolicies", "cs:DescribePolicyDetails"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["vpc:DescribeVSwitches", "vpc:DescribeVpcs", "vpc:DescribeEipAddresses"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "kms:ListKeys",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["arms:ListDashboards", "arms:InstallAddon"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudshell:CreateEnvironment", "cloudshell:AttachStorage",
        "cloudshell:DetachStorage", "cloudshell:CreateSession"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ess:DescribeScalingActivities", "ess:DescribeScalingActivityDetail", "ess:DescribeLifecycleActions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "oos:ListExecutions",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeKeyPairs", "ecs:DescribeInstances", "ecs:DescribeSecurityGroups",
        "ecs:DescribeImages", "ecs:DescribePrice"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["cr:ListInstance", "cr:ListInstanceDomain", "cr:ListRepository", "cr:ListArtifactTag"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:GetRole",
      "Resource": "acs:ram:*:*:role/aliyuncisdefaultrole"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:GetDashboard", "log:GetSavedSearch", "log:GetLogStore", "log:GetIndex",
        "log:UpdateIndex", "log:GetLogStoreLogs", "log:CreateDashboardSharing", "log:ListProject",
        "log:GetProjectLogs", "log:GetResourceRecord", "log:CreateResourceRecord", "log:UpdateResourceRecord"
      ],
      "Resource": "*"
    }
  ]
}
```

Replace xxxxx in the Resource of the first statement with the ID of the cluster.
For more information about ACK OpenAPI, see [Product Changes] Announcement on the optimization of Container Service OpenAPI authentication and API overview.
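A RAM policy of this size is hard to audit by eye. The following Python script is an added example (not code from this page or from Alibaba Cloud) that reviews a policy document before it is attached: it splits the allowed actions into read-only and mutating ones, flags mutating actions granted on Resource "*", and flags a cluster Resource whose xxxxx placeholder was never replaced. The same check applies to the developer policy of scenario 3 and the permission administrator policy of scenario 4 later on this page, so both are included as inputs; the O&M policy above is reduced to two of its statements. The read-only verb prefixes (Describe, Get, List, Check, Query) are an assumption chosen for this example, not a list published by the product.

```python
import json

# Verb prefixes treated as read-only. Assumption: this is a review heuristic
# chosen for this example; any other prefix (Modify, Grant, Update, ...) is
# treated as mutating, and a wildcard is always treated as mutating.
READ_PREFIXES = ("Describe", "Get", "List", "Check", "Query")

# Placeholder that the page tells you to replace with a real cluster ID.
CLUSTER_PLACEHOLDER = "cluster/xxxxx"


def classify_action(action):
    """Return 'read' or 'write' for an action such as 'cs:DescribeClusterDetail'."""
    service, _, verb = action.partition(":")
    if service == "*" or verb == "*" or not verb:
        return "write"  # a wildcard grants everything, so treat it as mutating
    return "read" if verb.startswith(READ_PREFIXES) else "write"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def review_policy(policy):
    """Summarize a RAM policy document (a dict parsed from its JSON).

    Returns {'read': [...], 'write': [...], 'findings': [...]}; findings are
    mutating actions granted on Resource "*" and unreplaced cluster placeholders.
    """
    result = {"read": [], "write": [], "findings": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove permissions
        resources = _as_list(stmt.get("Resource", "*"))
        for res in resources:
            if res.endswith(CLUSTER_PLACEHOLDER):
                result["findings"].append(
                    f"Resource {res!r} still contains the xxxxx placeholder")
        for action in _as_list(stmt["Action"]):
            kind = classify_action(action)
            result[kind].append(action)
            if kind == "write" and "*" in resources:
                result["findings"].append(
                    f"{action} is mutating but is granted on Resource '*'")
    return result


def is_read_only(policy):
    """True when the policy allows no mutating action at all."""
    return not review_policy(policy)["write"]


# Inputs copied from this page: the developer policy (scenario 3) and the
# permission administrator policy (scenario 4) in full, plus two statements
# of the O&M policy (scenario 2) as an excerpt.
DEVELOPER_POLICY = json.loads("""
{"Statement": [{"Action": ["cs:GetClusters", "cs:DescribeClusterDetail",
  "cs:GetClusterAuditProject", "cs:DescribeResourcesDeleteProtection"],
  "Resource": "acs:cs:*:*:cluster/xxxxx", "Effect": "Allow"}], "Version": "1"}
""")

PERMISSION_ADMIN_POLICY = json.loads("""
{"Statement": [{"Action": ["ram:ListRoles", "ram:ListUserBasicInfos", "cs:GetClusters",
  "cs:DescribeUserPermission", "cs:DescribeClusterDetail", "cs:GrantPermissions",
  "cs:UpdateUserPermissions", "cs:GetClusterAuditProject",
  "cs:DescribeResourcesDeleteProtection", "cs:UpdateResourcesDeleteProtection",
  "cs:DescribeClusterAddonUpgradeStatus"], "Resource": "*", "Effect": "Allow"}],
 "Version": "1"}
""")

OPS_POLICY_EXCERPT = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cs:GetClusters", "cs:ModifyCluster", "cs:UpgradeCluster"],
         "Resource": "acs:cs:*:*:cluster/xxxxx"},
        {"Effect": "Allow",
         "Action": ["cs:DescribeTasks", "cs:PauseTask", "cs:CancelTask"],
         "Resource": "*"},
    ],
}


def main():
    for name, policy in [("developer", DEVELOPER_POLICY),
                         ("permission admin", PERMISSION_ADMIN_POLICY),
                         ("O&M excerpt", OPS_POLICY_EXCERPT)]:
        report = review_policy(policy)
        print(f"{name}: {len(report['read'])} read, {len(report['write'])} write, "
              f"read-only={is_read_only(policy)}")
        for finding in report["findings"]:
            print("  -", finding)


if __name__ == "__main__":
    main()
```

The developer policy comes out read-only with one finding (the placeholder), while the permission administrator policy reports its three Grant/Update actions as mutating on Resource "*", which is exactly what scenario 4 intends and what a reviewer should confirm is meant for that role.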
RBAC authorization
After you grant RAM permissions, you must also grant the RAM user or RAM role RBAC permissions on the corresponding cluster. ACK provides five preset roles at the cluster layer.
Log on to the ACK console. In the left-side navigation pane, click Authorizations.
On the Authorizations page, click the RAM User or RAM Roles tab. Find the authorization object that you want to manage and click Modify Permissions in the Actions column.
In the panel that appears, click + Add Permissions, set the permissions for the target cluster and its namespaces to O&M Engineer, and then click Submit Authorization to complete the configuration.

After the preset role is attached, ACK automatically creates a ClusterRoleBinding in the corresponding cluster for the identity of the authorization object. The following code shows the RBAC permissions of the preset O&M engineer role.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:ops
rules:
- apiGroups: [""]
  resources: ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["bindings", "events", "limitranges", "namespaces/status", "replicationcontrollers/status", "pods/log", "pods/status", "resourcequotas", "resourcequotas/status", "componentstatuses"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["namespaces", "nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["extensions"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
  verbs: ["update"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["alicloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["networking.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["config.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["rbac.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["istio.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["authentication.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["log.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["monitoring.kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["serving.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["messaging.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["sources.eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["tekton.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["alert.alibabacloud.com"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
```

If you need fine-grained RBAC access control, you can create a custom ClusterRole. For more information, see the Kubernetes RBAC documentation. Then, on the permission management page of the Container Service for Kubernetes console, select Custom Role and select the name of the custom ClusterRole from the drop-down list. For more information, see Use custom RBAC to restrict operations on resources in a cluster.
Scenario 3: Grant an application developer permissions in a cluster
Developers need only the permissions to manage Kubernetes resource objects in an ACK cluster (RBAC authorization) and read-only permissions on the target cluster (RAM authorization). Developers do not need access permissions on cloud resources.
Before you grant RBAC permissions, the authorization object must have at least read-only permissions on the target cluster (RAM authorization).
RAM authorization
In the RAM console, create a custom policy and attach it to the target RAM user or RAM role. For more information, see Use RAM to grant access permissions on clusters and cloud resources. The following code shows the content of the custom policy:

```json
{
  "Statement": [
    {
      "Action": [
        "cs:GetClusters",
        "cs:DescribeClusterDetail",
        "cs:GetClusterAuditProject",
        "cs:DescribeResourcesDeleteProtection"
      ],
      "Resource": "acs:cs:*:*:cluster/xxxxx",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
```

Replace xxxxx in Resource with the actual cluster ID.
Note: To grant the authorization object read-only permissions on all clusters, you can attach the AliyunCSReadOnlyAccess system policy provided by ACK to the object.
RBAC authorization
Log on to the ACK console. In the left-side navigation pane, click Authorizations.
On the Authorizations page, click the RAM User or RAM Roles tab. Find the authorization object that you want to manage and click Modify Permissions in the Actions column.
In the panel that appears, click + Add Permissions, set the permissions for the target cluster and its namespaces to Developer, and then click Submit Authorization to complete the configuration.

After the preset role is attached, ACK automatically creates a ClusterRoleBinding in the corresponding cluster for the identity of the authorization object. The following code shows the RBAC permissions of the preset developer role.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:ns:dev
rules:
- apiGroups: [""]
  resources: ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["events", "replicationcontrollers/status", "pods/log", "pods/status"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["extensions"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
  verbs: ["update"]
- apiGroups: ["alicloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["networking.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["config.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["rbac.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["istio.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["authentication.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["log.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["monitoring.kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["serving.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["messaging.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["sources.eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["tekton.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["alert.alibabacloud.com"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
```

If you need fine-grained RBAC access control, you can create a custom ClusterRole. For more information, see the Kubernetes RBAC documentation. Then, on the permission management page of the Container Service for Kubernetes console, select Custom Role and select the name of the custom ClusterRole from the drop-down list. For more information, see Use custom RBAC to restrict operations on resources in a cluster.
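Before deciding whether a preset role is enough or a custom ClusterRole is needed, it helps to ask concrete questions of the two roles shown above: what does cs:ops grant that cs:ns:dev does not, and which sensitive permissions (for example secrets and pods/exec) do both grant? The following Python script is an added example, not code from this page or from ACK. It implements the Kubernetes RBAC rule-matching logic (apiGroup, resource and verb, with the "*" and "*/subresource" wildcards) over trimmed excerpts of the two preset roles on this page and compares them on a set of constructed probe requests. The excerpts keep only some rules of each role, and the evaluator ignores resourceNames and nonResourceURLs, which these roles do not use.

```python
# Full verb set used by most rules of the two preset roles.
ALL = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]

# Trimmed excerpts of the cs:ops and cs:ns:dev ClusterRoles shown on this
# page. Resource lists are shortened; the verbs are as on the page.
OPS_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"], "verbs": ALL},
    {"apiGroups": [""], "resources": ["configmaps", "persistentvolumeclaims", "secrets", "serviceaccounts", "services"], "verbs": ALL},
    {"apiGroups": [""], "resources": ["events", "pods/log", "pods/status"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["namespaces", "nodes", "persistentvolumes"], "verbs": ["get", "list", "watch", "patch"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments", "replicasets", "statefulsets"], "verbs": ALL},
    {"apiGroups": ["networking.k8s.io"], "resources": ["*"], "verbs": ALL},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"], "verbs": ["get", "watch", "list"]},
]
DEV_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"], "verbs": ALL},
    {"apiGroups": [""], "resources": ["configmaps", "persistentvolumeclaims", "secrets", "serviceaccounts", "services"], "verbs": ALL},
    {"apiGroups": [""], "resources": ["events", "pods/log", "pods/status"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments", "replicasets", "statefulsets"], "verbs": ALL},
    {"apiGroups": ["networking.k8s.io"], "resources": ["*"], "verbs": ALL},
]


def _resource_matches(pattern, resource):
    """RBAC resource matching: exact name, '*', or '*/subresource'.
    Note that 'pods' does not match 'pods/exec'; subresources must be listed."""
    if pattern == "*" or pattern == resource:
        return True
    if pattern.startswith("*/") and "/" in resource:
        return resource.split("/", 1)[1] == pattern[2:]
    return False


def rule_allows(rule, api_group, resource, verb):
    """A single rule grants a request only if group, resource and verb all match."""
    return (
        ("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
        and any(_resource_matches(p, resource) for p in rule["resources"])
        and ("*" in rule["verbs"] or verb in rule["verbs"])
    )


def allowed(rules, api_group, resource, verb):
    """True if any rule of the role grants (api_group, resource, verb);
    RBAC is purely additive, so one matching rule is enough."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def only_in(rules_a, rules_b, probes):
    """Probe requests that role A allows but role B does not."""
    return [p for p in probes if allowed(rules_a, *p) and not allowed(rules_b, *p)]


# Constructed probe requests (apiGroup, resource, verb); "" is the core group.
PROBES = [
    ("", "pods/exec", "create"),
    ("", "secrets", "create"),
    ("", "nodes", "get"),
    ("", "nodes", "delete"),
    ("", "namespaces", "patch"),
    ("", "persistentvolumes", "get"),
    ("apps", "deployments", "delete"),
    ("networking.k8s.io", "ingresses", "delete"),
    ("storage.k8s.io", "storageclasses", "get"),
    ("metrics.k8s.io", "pods", "get"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"),
]


def main():
    print("granted by cs:ops but not by cs:ns:dev:")
    for group, resource, verb in only_in(OPS_RULES, DEV_RULES, PROBES):
        print(f"  {verb} {resource} ({group or 'core'})")
    print("sensitive permissions granted by both roles:")
    for probe in PROBES:
        if probe[1] in ("secrets", "pods/exec") and allowed(DEV_RULES, *probe):
            print(f"  {probe[2]} {probe[1]}")


if __name__ == "__main__":
    main()
```

On these excerpts the O&M role adds cluster-scoped reads (nodes, namespaces, persistent volumes, storage classes, metrics) but no node deletion, while both preset roles grant create on secrets and pods/exec; a team that wants developers without those two permissions is the case for the custom ClusterRole the text above describes.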
Scenario 4: Grant a permission administrator permissions on applications in a cluster
A permission administrator needs to manage the RBAC permissions of other RAM users or RAM roles. By default, a RAM user or RAM role does not have the permission to grant RBAC permissions to other RAM users or RAM roles. When a permission administrator opens the permission management page in the Container Service for Kubernetes console and the message "The current RAM user does not have permission management permissions. Contact your Alibaba Cloud account or permission administrator to grant the permissions." appears, the administrator lacks either the required RAM authorization or the RBAC administrator authorization for the cluster.
RAM authorization
Make sure that the permission administrator is granted the required RAM permissions. The policy must include permissions for the following operations:
List other RAM users or RAM roles.
View the Kubernetes RBAC permission configuration of a specific RAM user or RAM role.
Grant Kubernetes RBAC permissions.
Log on to the RAM console and grant the required RAM permissions to the specified RAM user or RAM role. For more information, see Use RAM to grant access permissions on clusters and cloud resources. The following code provides a sample custom RAM policy.

```json
{
  "Statement": [
    {
      "Action": [
        "ram:ListRoles",
        "ram:ListUserBasicInfos",
        "cs:GetClusters",
        "cs:DescribeUserPermission",
        "cs:DescribeClusterDetail",
        "cs:GrantPermissions",
        "cs:UpdateUserPermissions",
        "cs:GetClusterAuditProject",
        "cs:DescribeResourcesDeleteProtection",
        "cs:UpdateResourcesDeleteProtection",
        "cs:DescribeClusterAddonUpgradeStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
```

RBAC authorization
Log on to the ACK console. In the left-side navigation pane, click Authorizations.
On the Authorizations page, click the RAM User or RAM Roles tab. Find the authorization object that you want to manage and click Modify Permissions in the Actions column.
In the panel that appears, click Add Permissions, set the permissions for the target cluster and its namespaces to Administrator or the custom role cluster-admin, and then click Submit Authorization to complete the configuration.
Note: By default, the Alibaba Cloud account and the cluster creator are assigned the cluster-admin role. This role grants access permissions on all Kubernetes resource objects in the cluster.
After the RAM and RBAC permissions above are granted to the permission administrator, the administrator can manage the RBAC permissions of other RAM users or RAM roles within the specified scope. For more information, see Use RBAC to authorize operations on resources in a cluster.