
Container Service for Kubernetes: Use ack-ram-tool to clean up the permissions of a specific user in a cluster

Updated on: Jan 31, 2026

ack-ram-tool is a command-line interface (CLI) provided by Container Service for Kubernetes to help you manage Resource Access Management (RAM) and Role-Based Access Control (RBAC) permissions in your clusters. When a user leaves the organization or a user's permissions change, use ack-ram-tool to promptly revoke the permissions of the deleted user from your clusters and prevent security risks.

Step 1: Install ack-ram-tool

  1. Download the ack-ram-tool client that matches the architecture of your environment.

  2. Run the following command to grant execute permission to the client program.

    chmod +x ./ack-ram-tool
  3. Run the following command to copy the ack-ram-tool file to a directory that is included in the system PATH.

    mkdir -p $HOME/bin && cp ./ack-ram-tool $HOME/bin/ack-ram-tool && export PATH=$HOME/bin:$PATH
  4. (Optional) Run the following command to make the PATH configuration for $HOME/bin persistent.

    echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile
    
  5. Run the following command to check the client version. If a version number is returned, the ack-ram-tool client has been installed successfully.

    ack-ram-tool version

Step 2: Configure Alibaba Cloud credentials

Alibaba Cloud RAM users and SSO users can configure and obtain access credentials for cloud resources by using the following methods.

Note

If credential-related environment variables are set in your current environment, ack-ram-tool gives priority to the credentials configured in those variables. You can add the --ignore-env-credentials parameter when you run ack-ram-tool commands to ignore them. For more information about the credential-related environment variables supported by ack-ram-tool, see Credentials.

RAM users

The ack-ram-tool client relies on the Alibaba Cloud key credentials configured locally to access RAM for identity authentication.

For more information about how to configure access credentials, see Alibaba Cloud CLI.

SSO users

For Alibaba Cloud CloudSSO users, you can use the acs-sso command-line interface (CLI) tool provided by the CloudSSO service to log on and obtain access credentials for cloud resources. For more information about acs-sso, see Use the CLI to log on to CloudSSO and access Alibaba Cloud resources. The Alibaba Cloud CLI supports the external mode, which lets you obtain resource credentials dynamically by running an external command-line tool. Run the following command to log on to CloudSSO and automatically configure the credentials on your local machine.

aliyun configure --mode External --profile sso

Configuring profile 'sso' in 'External' authenticate mode...
Process Command [acs-sso login --profile sso]:
Default Region Id [cn-shanghai]:
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en:
Saving profile[sso] ...Done.


Configure Done!!!
..............8888888888888888888888 ........=8888888888888888888D=..............
...........88888888888888888888888 ..........D8888888888888888888888I...........
.........,8888888888888ZI: ...........................=Z88D8888888888D..........
.........+88888888 ..........................................88888888D..........
.........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
.........+88888888 ............. ************* ..............O8888888D..........
.........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
.........+88888888...........................................88888888D..........
..........D888888888888DO+. ..........................?ND8888888888888888888888D..........
...........O8888888888888888888888...........D8888888888888888888888=...........
............ .:D8888888888888888888.........78888888888888888888O ..............

Step 3: Configure the permissions required for the ack-ram-tool access credentials

The access credentials used by ack-ram-tool require both RAM permissions and cluster RBAC permissions.

  1. Grant the following permissions to the RAM user. For more information, see Manage the permissions of a RAM user.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cs:*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:ListUsers",
            "ram:ListRoles"
          ],
          "Resource": "*"
        }
      ]
    }
  2. Grant cluster RBAC administrator permissions to the RAM user.

    1. Log on to the ACK console. In the left-side navigation pane, choose Authorizations.

    2. On the Authorization page, click the RAM Users tab. Find the RAM user that you want to add, click Manage Permissions in the right-hand column, and go to the Permission Management page.

    3. Click Add Permissions. Select Cluster and Namespace. Set Permission Management to Administrator, and then click Submit Authorization.

Step 4: Query the RBAC bindings of a specific RAM user in a cluster

You can run the ack-ram-tool rbac scan-user-permissions command to query the RBAC binding information of a specific RAM user in the target cluster.

Query only the RBAC bindings of deleted RAM users and roles

Run the following command to view the RBAC binding information of RAM users and roles that have been deleted but still hold bindings in the cluster.

ack-ram-tool rbac scan-user-permissions -c <cluster_ID>

Expected output:

2023-12-12T15:34:37+08:00 INFO start to scan users and bindings for cluster c401890df511a4362bf24bece4da****
2023-12-12T15:34:43+08:00 WARN by default, only deleted users are included. Use the --all-users flag to include all users
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding  

The following table describes the UserType column.

UserType value  Description
RamRole         RAM role
RamUser         RAM user
Root            Alibaba Cloud account

Query the RBAC bindings of all RAM users and roles

Run the following command to view the RBAC binding information of all RAM users and roles, not only deleted ones.

ack-ram-tool rbac scan-user-permissions --all-users -c <cluster_ID>

Expected output:

2023-12-12T15:36:00+08:00 INFO Start to scan users and bindings for cluster c401890df511a4362bf24bece4da6****
UID                           UserType  UserName                   Binding                                                                
30032484611590**** (deleted)  RamRole                              ClusterRoleBinding/-/30032484611590****-clusterrolebinding              
20492499986425**** (deleted)  RamUser                              ClusterRoleBinding/-/20492499986425****-clusterrolebinding              
27203272572548****            RamUser   scan                       ClusterRoleBinding/-/27203272572548****-clusterrolebinding        
113802571552****              Root                                 ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding  
29068913515444****            RamUser   test-ack-ram-check         ClusterRoleBinding/-/29068913515444****-clusterrolebinding  

Query the RBAC bindings for all clusters under the current Alibaba Cloud account

Run the following command to view the RBAC binding information for all clusters under the current Alibaba Cloud account.

ack-ram-tool rbac scan-user-permissions -c all

Expected output:

2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T16:44:55+08:00 INFO start to get all clusters, users and roles
2023-12-12T16:44:58+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T16:44:58+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan bindings for cluster c401890df511a4362bf24bece4da6****
2023-12-12T16:45:00+08:00 WARN [c401890df511a4362bf24bece4da6****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c401890df511a4362bf24bece4da6****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
20492499986425**** (deleted)  RamUser             ClusterRoleBinding/-/20492499986425****-clusterrolebinding  
2023-12-12T16:45:00+08:00 INFO ---- c137a979dec21472c8279c903cfc**** (test-pro) ----
2023-12-12T16:45:00+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan bindings for cluster c137a979dec21472c8279c903cfce****
2023-12-12T16:45:01+08:00 WARN [c137a979dec21472c8279c903cfce****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c137a979dec21472c8279c903cfce****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding  
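The scan output above is plain tabular text, so it can be post-processed before anything is removed. The following shell script is an added example (it is not part of ack-ram-tool or of this page): it extracts the principals flagged (deleted) from scan output, handles both the single-cluster layout and the -c all layout (whose per-cluster tables are introduced by ClusterId: lines), and prints the matching Step 5 cleanup commands for review rather than executing them. The sample output embedded in it is constructed from the masked IDs shown above, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of ack-ram-tool: post-process the output of
# `ack-ram-tool rbac scan-user-permissions` so that the principals flagged
# "(deleted)" can be reviewed (and, in Step 5, cleaned up) per cluster.
# Works for both the single-cluster output and the `-c all` output, whose
# per-cluster tables are introduced by "ClusterId: <id>" lines.

# Reads scan output on stdin; prints one finding per line:
#   <cluster-id or -> <UID> <UserType> <Binding>
deleted_principals() {
  awk '
    /^ClusterId: / { cluster = $2; next }
    # Finding rows look like: UID (deleted) UserType [UserName] Binding.
    # Deleted principals have no UserName, so the Binding is the last field.
    $2 == "(deleted)" {
      printf "%s %s %s %s\n", (cluster == "" ? "-" : cluster), $1, $3, $NF
    }
  '
}

# Turns findings (stdin) into the Step 5 cleanup commands, printed rather
# than executed so an operator can review them first. $1 is the cluster ID to
# use for findings from a single-cluster scan (which carry "-" as cluster).
cleanup_commands() {
  default_cluster="${1:-<cluster_ID>}"
  while read -r cluster uid _usertype _binding; do
    [ "$cluster" = "-" ] && cluster="$default_cluster"
    printf 'ack-ram-tool rbac cleanup-user-permissions -c %s -u %s\n' "$cluster" "$uid"
  done
}

# Constructed sample, modelled on the `-c all` output shown above (IDs masked
# with **** exactly as on the page); used only to demonstrate the functions.
SAMPLE_SCAN_OUTPUT='2023-12-12T16:44:58+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
ClusterId: c401890df511a4362bf24bece4da6****
UID                           UserType  UserName  Binding
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding
27203272572548****            RamUser   scan      ClusterRoleBinding/-/27203272572548****-clusterrolebinding
ClusterId: c137a979dec21472c8279c903cfce****
UID                           UserType  UserName  Binding
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding'

# Number of deleted principals in the sample (2 with the sample above).
count_deleted_in_sample() {
  printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | deleted_principals | wc -l | tr -d ' '
}

# Demo: `sh this_script.sh --demo` lists the findings and the review commands.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | deleted_principals
  printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | deleted_principals | cleanup_commands
fi
```

In practice you would pipe the real command into the functions, for example `ack-ram-tool rbac scan-user-permissions -c all | deleted_principals`, and keep the printed command list as the change record that a reviewer approves before Step 5 is run.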

Step 5: Clean up the RBAC bindings of a specific RAM user or RAM role and purge the kubeconfig permissions

You can run the ack-ram-tool rbac cleanup-user-permissions command to clean up the RBAC bindings of a specific RAM user or RAM role in the target cluster and purge the kubeconfig of that user.

Important
  • If the log contains this user has been active in the past 7 days, the target RAM user or RAM role has accessed the cluster within the last 7 days. Proceed with caution.

  • Before the cleanup operation, ack-ram-tool backs up the original JSON files of the bindings to be deleted to a folder named after the cluster ID in the current directory.

Clean up the permissions of a RAM user or RAM role in a single cluster

Run the following command to clean up the permissions of a specific RAM user or RAM role in a single cluster.

To obtain the <UID> used in the following command, run the ack-ram-tool rbac scan-user-permissions -c <cluster_ID> command.

ack-ram-tool rbac cleanup-user-permissions -c <cluster_ID> -u <UID>

Expected output:


2023-12-12T18:17:10+08:00 INFO start to scan users and bindings
2023-12-12T18:17:15+08:00 WARN we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T18:17:15+08:00 WARN we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T18:17:15+08:00 INFO start to check cluster audit log for user 25908395708943****
2023-12-12T18:17:16+08:00 WARN this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76e****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T18:17:37+08:00 INFO start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:38+08:00 INFO the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T18:17:38+08:00 INFO start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO all bindings and permissions have been cleaned up

Clean up the permissions of a RAM user or RAM role in all clusters

Run the following command to clean up the RBAC bindings of a specific RAM user or role in all clusters under the current Alibaba Cloud account and purge their kubeconfig.

ack-ram-tool rbac cleanup-user-permissions -c all -u <UID>

Expected output:


2023-12-12T19:28:23+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T19:28:23+08:00 INFO start to get all clusters, users and roles
2023-12-12T19:28:24+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up bindings and permissions for cluster c401890df511a4362bf24bece4da6**** 
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan users and bindings
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up kubeconfig permissions for users as follows:
UID: 259083957089437690
2023-12-12T19:28:25+08:00 INFO [c401890df511a4362bf24bece4da6****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c401890df511a4362bf24bece4da****  
sls logstore: audit-c401890df511a4362bf24bece4da6**** 
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to backup binding ClusterRoleBinding/-/25908395708943**** -clusterrolebinding
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c401890df511a4362bf24bece4da6**** /ClusterRoleBinding--259083957089437XXX-clusterrolebinding.json
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] all bindings and permissions have been cleaned up
2023-12-12T19:28:49+08:00 INFO ---- c137a979dec21472c8279c903cfce****  (test-pro) ----
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up bindings and permissions for cluster c137a979dec21472c8279c903cfce**** 
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan users and bindings
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****   RamUser   ack-admin  ClusterRoleBinding/-/25908395708943**** -clusterrolebinding  
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943**** 
2023-12-12T19:28:51+08:00 INFO [c137a979dec21472c8279c903cfce****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T17:55:50+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce**** 
sls logstore: audit-c137a979dec21472c8279c903cfce**** 
last activity: 2023-12-12T17:55:50+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce**** /ClusterRoleBinding--25908395708943**** -clusterrolebinding.json
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] all bindings and permissions have been cleaned up
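The cleanup log above carries the two facts a reviewer cares about afterwards: whether the tool saw recent audit-log activity for the principal, and where it wrote the backup of each removed binding. The following shell script is an added example (not part of ack-ram-tool or of this page) that summarises a saved cleanup log per cluster and then checks that the reported backup files are actually present in the working directory. The embedded sample log is constructed in the format of the output above, with IDs masked as on the page, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of ack-ram-tool: review a saved log of
# `ack-ram-tool rbac cleanup-user-permissions` (for example captured with
# `... 2>&1 | tee cleanup.log`). It reports, per cluster, whether the tool
# found recent audit-log activity for the principal and which backup file it
# wrote, and then checks that those backup files exist.

# Reads the log on stdin; prints one line per cluster section:
#   <cluster-id or -> active=<yes|no> last=<time|-> backup=<file|->
summarize_cleanup_log() {
  awk '
    function flush() {
      if (cluster == "" && active == "" && backup == "") return
      printf "%s active=%s last=%s backup=%s\n", (cluster == "" ? "-" : cluster), (active == "" ? "no" : active), (last == "" ? "-" : last), (backup == "" ? "-" : backup)
      cluster = ""; active = ""; last = ""; backup = ""
    }
    # "INFO ---- <cluster-id> (<name>) ----" opens a per-cluster section (-c all mode)
    /INFO ---- / {
      flush()
      for (i = 1; i <= NF; i++) if ($i == "----") { cluster = $(i + 1); break }
      next
    }
    /this user has been active in the past 7 days/ { active = "yes" }
    /^last activity: / { last = $3 }
    /have been backed up to file / {
      # keep only the path; drop the stray space before "/" seen in some output
      sub(/.*backed up to file /, ""); gsub(/ /, ""); backup = $0
    }
    END { flush() }
  '
}

# Checks that every backup file named in the summary (stdin) exists and is
# non-empty, relative to the directory ack-ram-tool was run from. Prints the
# missing ones; exit status is 0 only when all backups are present.
check_backups() {
  rc=0
  while read -r _cluster _active _last backup; do
    file="${backup#backup=}"
    [ "$file" = "-" ] && continue
    [ -s "$file" ] || { printf 'missing backup: %s\n' "$file"; rc=1; }
  done
  return "$rc"
}

# Exit status 0 if any cluster section reported activity in the past 7 days.
had_recent_activity() {
  summarize_cleanup_log | grep -q ' active=yes '
}

# Constructed sample in the format of the `-c all` output shown above (IDs
# masked with **** as on the page); used only to demonstrate the functions.
SAMPLE_CLEANUP_LOG='2023-12-12T19:28:24+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c401890df511a4362bf24bece4da6**** /ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T19:28:49+08:00 INFO ---- c137a979dec21472c8279c903cfce**** (test-pro) ----
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json'

# Number of cluster sections in the sample with recent activity (1 here).
count_active_in_sample() {
  printf '%s\n' "$SAMPLE_CLEANUP_LOG" | summarize_cleanup_log | grep -c ' active=yes ' || true
}

# Demo: `sh this_script.sh --demo` prints the summary and checks the backups.
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_CLEANUP_LOG" | summarize_cleanup_log
  printf '%s\n' "$SAMPLE_CLEANUP_LOG" | summarize_cleanup_log | check_backups || echo "some backups are missing"
fi
```

Run check_backups from the same directory in which ack-ram-tool was invoked, because the tool writes the backup folder (named after the cluster ID) into the current directory. A section with active=yes is the case the Important note above asks you to handle carefully, so the summary is a convenient place to record the last activity time alongside the change.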

References

For more information about how to manage kubeconfig, see Purge a kubeconfig.