
Container Service for Kubernetes: Clean up user permissions with ack-ram-tool

Last Updated: Mar 25, 2026

ack-ram-tool is a command-line tool provided by Container Service for Kubernetes (ACK) for managing RAM and RBAC permissions in ACK. When a user leaves your organization or their permissions need to change, you can use ack-ram-tool to promptly revoke that user's access to ACK clusters and reduce the risk that stale permissions leave behind.

Step 1: Install ack-ram-tool

  1. Download the ack-ram-tool client for your operating system and CPU architecture.

  2. Run the following command to make the client executable:

    chmod +x ./ack-ram-tool
  3. Run the following command to move ack-ram-tool into a directory on your PATH:

    mkdir -p $HOME/bin && cp ./ack-ram-tool $HOME/bin/ack-ram-tool && export PATH=$HOME/bin:$PATH
  4. (Optional) Run the following command to persist the PATH setting in ~/.bash_profile:

    echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile
    
  5. Run the following command to verify the installation. It should print the client version.

    ack-ram-tool version

Step 2: Configure Alibaba Cloud credentials

RAM users and CloudSSO users can configure the credentials used to access cloud resources with either of the following methods.

Note

If credential-related environment variables are present in your environment, ack-ram-tool uses them by default. To ignore those environment variables, add the --ignore-env-credentials flag when you run ack-ram-tool commands. For the credential-related environment variables that ack-ram-tool supports, see Credentials.

RAM user

The ack-ram-tool client authenticates to RAM with the Alibaba Cloud credentials that are configured locally.

For more information about configuring access credentials, see Alibaba Cloud CLI.

CloudSSO user

CloudSSO users can use acs-sso, the CLI tool provided by CloudSSO, to log in and obtain credentials for accessing cloud resources. For more information about acs-sso, see Use the CLI to log in to CloudSSO and access Alibaba Cloud resources. Alibaba Cloud CLI supports External mode, in which credentials are obtained dynamically by running an external command. Run the following command to configure automatic CloudSSO login and credential retrieval on your local machine:

aliyun configure --mode External --profile sso

Configuring profile 'sso' in 'External' authenticate mode...
Process Command [acs-sso login --profile sso]:
Default Region Id [cn-shanghai]:
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en:
Saving profile[sso] ...Done.


Configure Done!!!

Step 3: Grant permissions to the credential

The access credential used by ack-ram-tool needs both RAM permissions and cluster RBAC permissions. The RAM policy below grants cs:* on every cluster and the RBAC grant is cluster administrator, so treat the identity that runs ack-ram-tool as a privileged administrative identity: use it only for this task and keep its credentials out of shared environments.

  1. Grant the following permissions to the RAM user. For more information, see Manage RAM user permissions.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cs:*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:ListUsers",
            "ram:ListRoles"
          ],
          "Resource": "*"
        }
      ]
    }
  2. Grant the RAM user RBAC administrator permissions on the cluster.

    1. Log on to the ACK console. In the left-side navigation pane, click Authorizations.

    2. On the Authorizations page, click the RAM User tab, find the target RAM user, and click Modify Permissions in the Actions column to open the Permission Management page.

    3. Click Add Permissions, select the target Cluster and Namespace, set Permission Management to Administrator, and click Submit.

Step 4: Query the RBAC bindings of RAM users

Run ack-ram-tool rbac scan-user-permissions to query the RBAC bindings of specific RAM users in a target cluster.

Query the bindings of deleted users and roles

Run the following command to list the RBAC bindings in a cluster that still refer to RAM users and RAM roles that have been deleted. These dangling bindings no longer correspond to any RAM principal and are the first thing an offboarding cleanup should remove.

ack-ram-tool rbac scan-user-permissions -c <cluster ID>

Expected output:

2023-12-12T15:34:37+08:00 INFO start to scan users and bindings for cluster c401890df511a4362bf24bece4da****
2023-12-12T15:34:43+08:00 WARN by default, only deleted users are included. Use the --all-users flag to include all users
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding  

The following table describes the values of the UserType column.

UserType  Description
RamRole   RAM role
RamUser   RAM user
Root      Alibaba Cloud account

All users and roles

Run the following command to list the RBAC bindings of all RAM users and RAM roles in the cluster, including principals that still exist.

ack-ram-tool rbac scan-user-permissions --all-users -c <cluster ID>

Expected output:

2023-12-12T15:36:00+08:00 INFO Start to scan users and bindings for cluster c401890df511a4362bf24bece4da6****
UID                           UserType  UserName                   Binding                                                                
30032484611590**** (deleted)  RamRole                              ClusterRoleBinding/-/30032484611590****-clusterrolebinding              
20492499986425**** (deleted)  RamUser                              ClusterRoleBinding/-/20492499986425****-clusterrolebinding              
27203272572548****            RamUser   scan                       ClusterRoleBinding/-/27203272572548****-clusterrolebinding        
113802571552****              Root                                 ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding  
29068913515444****            RamUser   test-ack-ram-check         ClusterRoleBinding/-/29068913515444****-clusterrolebinding  

All clusters

Run the following command to list the RBAC bindings of deleted users and roles across all clusters in your Alibaba Cloud account. As the warning in the output notes, add --all-users to include principals that still exist.

ack-ram-tool rbac scan-user-permissions -c all

Expected output:

2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T16:44:55+08:00 INFO start to get all clusters, users and roles
2023-12-12T16:44:58+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T16:44:58+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan bindings for cluster c401890df511a4362bf24bece4da6****
2023-12-12T16:45:00+08:00 WARN [c401890df511a4362bf24bece4da6****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c401890df511a4362bf24bece4da6****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
20492499986425**** (deleted)  RamUser             ClusterRoleBinding/-/20492499986425****-clusterrolebinding  
2023-12-12T16:45:00+08:00 INFO ---- c137a979dec21472c8279c903cfc**** (test-pro) ----
2023-12-12T16:45:00+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan bindings for cluster c137a979dec21472c8279c903cfce****
2023-12-12T16:45:01+08:00 WARN [c137a979dec21472c8279c903cfce****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c137a979dec21472c8279c903cfce****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding  

Step 5: Clean up permissions

Run ack-ram-tool rbac cleanup-user-permissions to remove the RBAC bindings of a specific RAM user or RAM role in a target cluster and to revoke that user's kubeconfig. The two actions close two different paths: removing the bindings takes away authorization inside the cluster, and revoking the kubeconfig takes away the ability to authenticate with credentials the user has already downloaded.

Important
  • If the log contains the message this user has been active in the past 7 days, the target RAM user or RAM role has accessed the cluster within the last seven days. The tool also prints the Log Service (SLS) project, logstore, and auditID of the last request so that you can inspect what the principal was doing before you revoke its access. Proceed with caution.

  • Before cleaning up, ack-ram-tool saves a backup of the original JSON of each binding that will be deleted to a folder in the current directory named after the cluster ID. Keep these files: they record exactly what was removed and are your way to restore a binding if the cleanup turns out to be wrong.

Clean up permissions in a single cluster

Run the following command to clean up the permissions of a specific RAM user or RAM role in a single cluster.

To obtain the <UID> for this command, run ack-ram-tool rbac scan-user-permissions -c <cluster ID>.

ack-ram-tool rbac cleanup-user-permissions -c <cluster ID> -u <UID>

Expected output:


2023-12-12T18:17:10+08:00 INFO start to scan users and bindings
2023-12-12T18:17:15+08:00 WARN we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T18:17:15+08:00 WARN we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T18:17:15+08:00 INFO start to check cluster audit log for user 25908395708943****
2023-12-12T18:17:16+08:00 WARN this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76e****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T18:17:37+08:00 INFO start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:38+08:00 INFO the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T18:17:38+08:00 INFO start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO all bindings and permissions have been cleaned up

Clean up permissions in all clusters

Run the following command to remove the RBAC bindings of a specific RAM user or RAM role in all clusters in your Alibaba Cloud account and revoke its kubeconfig in each of them.

ack-ram-tool rbac cleanup-user-permissions -c all -u <UID>

Expected output:


2023-12-12T19:28:23+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T19:28:23+08:00 INFO start to get all clusters, users and roles
2023-12-12T19:28:24+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up bindings and permissions for cluster c401890df511a4362bf24bece4da6**** 
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan users and bindings
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T19:28:25+08:00 INFO [c401890df511a4362bf24bece4da6****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c401890df511a4362bf24bece4da****  
sls logstore: audit-c401890df511a4362bf24bece4da6**** 
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c401890df511a4362bf24bece4da6****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] all bindings and permissions have been cleaned up
2023-12-12T19:28:49+08:00 INFO ---- c137a979dec21472c8279c903cfce**** (test-pro) ----
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up bindings and permissions for cluster c137a979dec21472c8279c903cfce**** 
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan users and bindings
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943**** 
2023-12-12T19:28:51+08:00 INFO [c137a979dec21472c8279c903cfce****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T17:55:50+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce**** 
sls logstore: audit-c137a979dec21472c8279c903cfce**** 
last activity: 2023-12-12T17:55:50+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] all bindings and permissions have been cleaned up
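The scan in Step 4 and the cleanup in Step 5 are usually chained during offboarding: scan every cluster, pick out the rows marked (deleted), run one cleanup per cluster and UID, then scan again with --all-users to confirm nothing is left. The script below is an added example, not code from ack-ram-tool or the ACK documentation. It parses the text output layout shown in this article (the ClusterId: lines and the UID/UserType/UserName/Binding table), prints the cleanup commands for review instead of running them, and checks a post-cleanup scan for leftovers. The sample output embedded in it is constructed from the masked IDs above and no API is called; the function names deleted_principals, plan_cleanup and still_bound are this example's own.

```shell
#!/bin/sh
# Added example (not part of ack-ram-tool or the ACK docs): turn the text
# output of `ack-ram-tool rbac scan-user-permissions` into a cleanup plan,
# and verify after cleanup that a UID no longer appears in any binding.
# The output layout follows the samples in this article; the samples below
# are constructed from those masked IDs and no API is queried.
set -eu

# Constructed sample in the shape of `scan-user-permissions -c all` output.
SAMPLE_SCAN_ALL='2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T16:44:58+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
ClusterId: c401890df511a4362bf24bece4da6****
UID                           UserType  UserName  Binding
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding
20492499986425**** (deleted)  RamUser             ClusterRoleBinding/-/20492499986425****-clusterrolebinding
2023-12-12T16:45:00+08:00 INFO ---- c137a979dec21472c8279c903cfce**** (test-pro) ----
ClusterId: c137a979dec21472c8279c903cfce****
UID                           UserType  UserName  Binding
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding
27203272572548****            RamUser   scan      ClusterRoleBinding/-/27203272572548****-clusterrolebinding'

# Constructed sample in the shape of a single-cluster scan (no ClusterId line).
SAMPLE_SCAN_ONE='2023-12-12T15:34:37+08:00 INFO start to scan users and bindings for cluster c401890df511a4362bf24bece4da****
UID                           UserType  UserName  Binding
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding'

# deleted_principals [CLUSTER_ID]
#   stdin:  scan output (single cluster or `-c all`)
#   stdout: "<clusterId> <uid> <userType>" for every row marked "(deleted)".
#   With `-c all` output the cluster ID comes from the "ClusterId:" lines; for a
#   single-cluster scan pass the cluster ID as the argument. A deleted row has
#   "(deleted)" as its second field because the UserName column is empty.
deleted_principals() {
  awk -v cluster="${1:-}" '
    /^ClusterId: / { cluster = $2; next }
    $2 == "(deleted)" { print (cluster == "" ? "-" : cluster), $1, $3 }
  '
}

# plan_cleanup
#   stdin:  lines from deleted_principals
#   stdout: one cleanup command per (cluster, uid), for review before running.
#   The commands are printed, not executed: cleanup-user-permissions prompts for
#   confirmation and reports recent audit activity, and that prompt should be
#   answered by a person who has read the warning.
plan_cleanup() {
  sort -u | awk '{
    printf "ack-ram-tool rbac cleanup-user-permissions -c %s -u %s  # %s\n", $1, $2, $3
  }'
}

# still_bound UID
#   stdin:  output of a scan run WITH --all-users after the cleanup
#   exit 0 if UID still appears as the subject of a binding row, 1 otherwise.
still_bound() {
  awk -v uid="$1" '
    $1 == uid && index($NF, "Binding/") > 0 { found = 1 }
    END { exit (found ? 0 : 1) }
  '
}

if [ "${1:-}" = "demo" ]; then
  echo "# cleanup plan from the -c all sample"
  printf '%s\n' "$SAMPLE_SCAN_ALL" | deleted_principals | plan_cleanup
  echo "# cleanup plan from the single-cluster sample"
  printf '%s\n' "$SAMPLE_SCAN_ONE" | deleted_principals 'c401890df511a4362bf24bece4da****' | plan_cleanup
fi
```

In real use, replace the embedded samples with `ack-ram-tool rbac scan-user-permissions -c all | deleted_principals | plan_cleanup`, run the printed commands by hand so that the seven-day activity warning is actually read, and then pipe a fresh `scan-user-permissions --all-users` through still_bound for each UID you removed. The backup JSON that cleanup writes under the cluster-ID folder is the original binding object; check its contents before relying on it as a restore path.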

References

To learn how to manage kubeconfig files, see Delete kubeconfig files.