An external Kubernetes cluster that is registered to Container Service for Kubernetes (ACK) is accessed through the ACK Stub and ack-cluster-agent components. This access is governed entirely by the permissions granted to the ServiceAccount that ack-cluster-agent runs as. When ack-cluster-agent is installed, a ServiceAccount named "ack" is created automatically. You can grant this ServiceAccount role-based access control (RBAC) permissions in restricted mode or in administrator mode, depending on your requirements. This topic describes the RBAC permissions that the ack-cluster-agent component requires in a registered cluster.
Prerequisites
ack-cluster-agent 1.13.1.105-g8ee9abb-aliyun or later is installed. For more information, see Manage components.
RBAC permissions in restricted mode
By default, a registered cluster requires at least the following RBAC permissions for ack-cluster-agent: create ConfigMaps in kube-system, get and update the ack-agent-config and provider ConfigMaps in kube-system, and get the kube-root-ca.crt ConfigMap in kube-public. The following example shows how to grant these permissions:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-create-cm-role
  namespace: kube-system
  labels:
    ack/creator: "ack"
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-update-cm-role
  namespace: kube-system
  labels:
    ack/creator: "ack"
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - ack-agent-config
  - provider
  verbs:
  - update
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-read-cm-role
  namespace: kube-public
  labels:
    ack/creator: "ack"
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - kube-root-ca.crt
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-create-cm-rolebinding
  namespace: kube-system
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-create-cm-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-update-cm-rolebinding
  namespace: kube-system
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-update-cm-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-read-cm-rolebinding
  namespace: kube-public
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-read-cm-role
  apiGroup: rbac.authorization.k8s.io
Note that the create rule carries no resourceNames. Kubernetes cannot restrict create requests by resource name, because the name of the new object is not known when the request is authorized, so the ServiceAccount can create ConfigMaps of any name in kube-system. The update and get rules are scoped to the named ConfigMaps only, and a RoleBinding applies only in its own namespace, which is why the kube-root-ca.crt rule needs its own Role and RoleBinding in kube-public.
In restricted mode, some features in the console are unavailable. For example, you cannot view the workloads in the cluster. You can, however, use onectl to install components and use related services in the console, such as Managed Service for Prometheus and Simple Log Service.
When you use onectl to manage components, the cluster in which ack-cluster-agent is deployed is temporarily granted administrator permissions. These permissions are revoked when the component management operation completes or is interrupted. For more information, see Use onectl to manage registered clusters.
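As an added example (not part of this topic and not ack-cluster-agent code), the following Python script restates the restricted-mode Roles and RoleBindings above as dict literals and evaluates them the way the API server's RBAC authorizer does, so you can see which requests the ack ServiceAccount is allowed before applying the manifest. It answers the same questions as `kubectl auth can-i VERB RESOURCE -n NS --as=system:serviceaccount:kube-system:ack`, but offline. The admin-mode function additionally assumes a ClusterRoleBinding from a wildcard ClusterRole named ack-admin to the ServiceAccount; this topic shows the ClusterRole but not the binding, so that binding is a constructed assumption.

```python
"""Offline evaluator for the restricted-mode RBAC manifests in this topic.

Added example, not ack-cluster-agent code. The Roles and RoleBindings are
restated as Python dicts that mirror the YAML above (constructed copies), so
the check runs without a cluster or PyYAML. The subject is the ServiceAccount
kube-system/ack that the agent installer creates.
"""

SUBJECT = {"kind": "ServiceAccount", "name": "ack", "namespace": "kube-system"}

# (namespace, name) -> rules, copied from the three restricted-mode Roles.
ROLES = {
    ("kube-system", "ack-agent-create-cm-role"): [
        {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["create"]}],
    ("kube-system", "ack-agent-update-cm-role"): [
        {"apiGroups": [""], "resources": ["configmaps"],
         "resourceNames": ["ack-agent-config", "provider"], "verbs": ["update", "get"]}],
    ("kube-public", "ack-agent-read-cm-role"): [
        {"apiGroups": [""], "resources": ["configmaps"],
         "resourceNames": ["kube-root-ca.crt"], "verbs": ["get"]}],
}
# The three RoleBindings; each lives in the namespace of the Role it references.
ROLE_BINDINGS = [
    {"namespace": ns, "roleRef": {"kind": "Role", "name": name}, "subjects": [SUBJECT]}
    for ns, name in ROLES]
# Restricted mode binds no ClusterRole to the ServiceAccount.
CLUSTER_ROLES, CLUSTER_ROLE_BINDINGS = {}, []


def _rule_allows(rule, verb, group, resource, name):
    """RBAC PolicyRule matching: every field must match, '*' matches anything."""
    for field, value in (("verbs", verb), ("apiGroups", group), ("resources", resource)):
        if "*" not in rule[field] and value not in rule[field]:
            return False
    names = rule.get("resourceNames", [])
    # Empty resourceNames matches every object. A create request carries no
    # name yet (name=None), so a name-scoped rule can never authorize create.
    return not names or name in names


def _rules_for(binding, namespace, subject, roles, cluster_roles):
    """Rules a binding contributes to a request in `namespace`, or [] if it does not apply."""
    if subject not in binding["subjects"]:
        return []
    ref = binding["roleRef"]
    if "namespace" in binding:                 # RoleBinding: only its own namespace
        if namespace != binding["namespace"]:
            return []
        if ref["kind"] == "Role":
            return roles.get((binding["namespace"], ref["name"]), [])
    return cluster_roles.get(ref["name"], [])  # ClusterRole via either binding kind


def can_i(verb, resource, namespace=None, name=None, group="", subject=SUBJECT,
          roles=None, role_bindings=None, cluster_roles=None, cluster_role_bindings=None):
    """Local equivalent of `kubectl auth can-i`. namespace=None is a cluster-scoped
    request, which only a ClusterRoleBinding can allow."""
    roles = ROLES if roles is None else roles
    role_bindings = ROLE_BINDINGS if role_bindings is None else role_bindings
    cluster_roles = CLUSTER_ROLES if cluster_roles is None else cluster_roles
    cluster_role_bindings = CLUSTER_ROLE_BINDINGS if cluster_role_bindings is None else cluster_role_bindings
    rules = []
    for b in list(cluster_role_bindings) + list(role_bindings):
        rules += _rules_for(b, namespace, subject, roles, cluster_roles)
    return any(_rule_allows(r, verb, group, resource, name) for r in rules)


def restricted_mode_report():
    """Requests worth verifying against the restricted-mode manifest (True = allowed)."""
    return {
        "create any configmap in kube-system": can_i("create", "configmaps", "kube-system"),
        "update ack-agent-config in kube-system": can_i("update", "configmaps", "kube-system", "ack-agent-config"),
        "update coredns configmap in kube-system": can_i("update", "configmaps", "kube-system", "coredns"),
        "get kube-root-ca.crt in kube-public": can_i("get", "configmaps", "kube-public", "kube-root-ca.crt"),
        "get kube-root-ca.crt in kube-system": can_i("get", "configmaps", "kube-system", "kube-root-ca.crt"),
        "list pods in default": can_i("list", "pods", "default"),
        "list secrets cluster-wide": can_i("list", "secrets"),
    }


def admin_mode_report():
    """The same subject once a wildcard ack-admin ClusterRole is bound to it.
    The ClusterRoleBinding is constructed here; the topic shows only the ClusterRole."""
    crs = {"ack-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]}
    crbs = [{"roleRef": {"kind": "ClusterRole", "name": "ack-admin"}, "subjects": [SUBJECT]}]
    return {
        "list secrets cluster-wide": can_i("list", "secrets", cluster_roles=crs, cluster_role_bindings=crbs),
        "delete nodes": can_i("delete", "nodes", cluster_roles=crs, cluster_role_bindings=crbs),
        "update coredns configmap in kube-system": can_i("update", "configmaps", "kube-system", "coredns",
                                                        cluster_roles=crs, cluster_role_bindings=crbs),
    }


if __name__ == "__main__":
    for mode, report in (("restricted", restricted_mode_report()), ("admin", admin_mode_report())):
        for request, allowed in report.items():
            print(f"[{mode}] {request}: {'yes' if allowed else 'no'}")
```

Running the script shows the two boundaries that matter in restricted mode: the create rule is not name-scoped (any ConfigMap name in kube-system is allowed), while the update/get rules deny ConfigMaps outside their resourceNames, and nothing is allowed in other namespaces or cluster-wide. Against a live cluster, the same answers come from `kubectl auth can-i` with `--as=system:serviceaccount:kube-system:ack`.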
RBAC permissions in administrator mode
In administrator mode, the registered cluster is granted administrator permissions. The following example shows the ClusterRole that grants administrator permissions to a registered cluster:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
A ClusterRole grants nothing by itself; it takes effect only once it is bound to the ack ServiceAccount through a ClusterRoleBinding (not shown in this topic). Once bound, this rule set is equivalent to cluster-admin: every verb on every resource in every API group, which includes reading Secrets, modifying RBAC objects, and executing commands in pods. In administrator mode, all features in the console are available.
RBAC permissions required for component management
When you install or update a component, such as terway-eniip or logtail-ds, you must first grant administrator permissions to the ClusterRole named ack-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
After the component is installed or updated, revert the ClusterRole to least-privilege permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider"]
  verbs: ["get","list","watch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["autoscaler-meta"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["pods","secrets"]
  verbs: ["list"]
Two points to keep in mind when reviewing this reverted rule set. First, the last rule is cluster-wide (a ClusterRole has no namespace), and a list of Secrets returns the Secret objects including their data, so the ServiceAccount can read every Secret in the cluster. Second, resourceNames only constrain list and watch requests that include a metadata.name field selector matching one of the names; a plain list of all ConfigMaps or Deployments is denied, while get and update on the named objects work as expected. After the revert, confirm that the wildcard rule is gone, for example with kubectl get clusterrole ack-admin -o yaml, rather than relying on the operation having completed.
RBAC permissions required to create node pools or elastic node pools
When you install Terway or create a node pool, you must first grant administrator permissions to the ClusterRole named ack-admin.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
After Terway is installed or the node pool is created, revert the ClusterRole to least-privilege permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip", "cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
The update verb on the terway-eniip and cluster-autoscaler workloads lets the ServiceAccount change their pod templates, so whoever holds the ack token can run code under those workloads' ServiceAccounts; keep that in mind when deciding how long the reverted role may stay in place.
RBAC permissions required to query logs after Simple Log Service is enabled
After Simple Log Service is enabled in a registered cluster, grant the following RBAC permissions so that the related logs can be queried in the ACK console:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-log
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get","list","watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["alibaba-log-controller", "logtail-ds", "kube-proxy-master"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["alibaba-log-configuration"]
  verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-agent-binding-log
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-agent-role-log
  apiGroup: rbac.authorization.k8s.io
RBAC permissions in read-only mode
Read-only permissions are used to view Kubernetes resources in the ACK console. Note that the ClusterRole below is not strictly read-only: it grants get on the pods/exec subresource, and the API server accepts an exec session started with an upgraded GET request as well as with POST, so get on pods/exec is enough to run commands in any pod in the cluster. Remove pods/exec from the list if the console only needs to display resources and logs.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-readonly-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - pods
  - pods/log
  - pods/exec
  - configmaps
  - endpoints
  - events
  - limitranges
  - persistentvolumeclaims
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - serviceaccounts
  - services
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - get
  - list
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - networkpolicies
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - get
  - list
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - get
  - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-readonly-clusterrolebinding
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-readonly-clusterrole
  apiGroup: rbac.authorization.k8s.io
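The revert steps in the component-management and node-pool sections, and the read-only ClusterRole above, each leave a rule set whose consequences are not obvious from reading the YAML. The following Python script is an added example (not ACK code) that lints such rule sets: it confirms that no wildcard rule survives a revert and lists what the remaining rules still allow. The rule sets are constructed dict copies of the YAML in this topic; the read-only role is abridged to its core-group rule, and the finding texts, the WORKLOADS and EXEC_LIKE sets are the author's choices, not ACK definitions.

```python
"""Static audit of ClusterRole rules from this topic.

Added example, not ACK code. Checks (1) that the temporary ack-admin
ClusterRole really has been reverted (no wildcard rule remains) and (2) what
the "least privilege" and read-only rule sets still allow. The rule sets are
constructed copies of the YAML in this topic and the script runs offline.
"""

ADMIN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# ack-admin after the component-management revert (constructed copy).
MINIMAL_ACK_ADMIN_RULES = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["ack-agent-config", "provider"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": ["*"], "resources": ["daemonsets", "deployments"],
     "resourceNames": ["cluster-autoscaler"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["list"]},
]

# Core-group rule of ack-readonly-clusterrole, abridged to the relevant resources.
READONLY_CORE_RULE = [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec", "configmaps"],
     "verbs": ["get", "list"]},
]

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
# Subresources that open a session into a pod. The API server accepts an
# upgraded GET as well as POST for these, so "get" alone is enough to exec.
EXEC_LIKE = {"pods/exec", "pods/attach", "pods/portforward"}
# Objects whose pod template can be edited to run code under their ServiceAccount.
WORKLOADS = {"pods", "deployments", "daemonsets", "statefulsets", "replicasets", "jobs", "cronjobs"}


def is_still_admin(rules):
    """True if any rule grants every verb on every resource in every API group."""
    return any("*" in r["verbs"] and "*" in r["resources"] and "*" in r["apiGroups"]
               for r in rules)


def audit(rules):
    """Return review findings (strings) for a rule set; an empty list means nothing notable."""
    findings = []
    for r in rules:
        verbs, res = set(r["verbs"]), set(r["resources"])
        names = r.get("resourceNames", [])
        if is_still_admin([r]):
            findings.append("wildcard rule: cluster-admin equivalent, the revert has not happened")
            continue
        if "secrets" in res and verbs & {"get", "list", "watch", "*"}:
            findings.append("secrets readable: get/list/watch return Secret bodies, not just names")
        if EXEC_LIKE & res and verbs & {"get", "create", "*"}:
            findings.append(f"exec-like access via {sorted(EXEC_LIKE & res)}: not read-only")
        if WORKLOADS & res and verbs & WRITE_VERBS:
            scope = f"only {sorted(names)}" if names else "any object"
            findings.append(f"pod template writable on {sorted(WORKLOADS & res)} ({scope}): "
                            "code runs under that workload's ServiceAccount")
        if names and verbs & {"list", "watch"}:
            findings.append("resourceNames on list/watch: only requests with a matching "
                            "metadata.name field selector are authorized, a plain list is denied")
    return findings


if __name__ == "__main__":
    for label, rules in (("ack-admin (temporary)", ADMIN_RULES),
                         ("ack-admin (reverted)", MINIMAL_ACK_ADMIN_RULES),
                         ("ack-readonly-clusterrole (core group)", READONLY_CORE_RULE)):
        print(f"{label}: still admin = {is_still_admin(rules)}")
        for finding in audit(rules):
            print(f"  - {finding}")
```

The reverted ack-admin rule set passes the "still admin" check but still yields findings: cluster-wide Secret reads, a writable pod template on cluster-autoscaler, and list/watch rules that only work with a field selector. The read-only role yields exactly one finding, the pods/exec subresource. To run the same audit against a live cluster, feed it the rules from kubectl get clusterrole ack-admin -o json.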