Container Compute Service (ACS) uses a two-layer authorization model: Resource Access Management (RAM) controls access to cloud resources, and Role-Based Access Control (RBAC) controls access to Kubernetes resources inside a cluster. This topic covers authorization best practices for five kinds of roles: enterprise resource owners, Kubernetes cluster administrators, cluster and application O&M engineers, application developers, and permission administrators.
How the authorization system works
An ACS cluster is a type of Serverless Container Service for Kubernetes (ACK) cluster. All cluster O&M operations, such as creating, viewing, and deleting clusters, managing RBAC, and monitoring logs and events, go through the ACK API. Every principal that needs to manage a cluster must hold the corresponding ACK API permissions, granted through RAM.
RBAC authorization then governs what that principal can do inside the cluster: create, delete, modify, or view Kubernetes resources such as workloads (Deployment, StatefulSet, Job, CronJob, Pod, ReplicaSet, HorizontalPodAutoscaler (HPA)), network resources (Service, Ingress, NetworkPolicy), storage resources (Persistent Volume (PV), Persistent Volume Claim (PVC), StorageClass), and namespace-level resources (namespace, ConfigMap, Secret).
Always grant RAM permissions before granting RBAC permissions.
Determine your scenario
Identify the role you need to authorize, then go to the matching section:
| Role | When you need it | Go to |
|---|---|---|
| O&M engineer | The principal needs to manage ACS clusters (create, upgrade, delete) and operate application resources inside them. | Scenario 1: O&M engineer |
| Application developer | The principal needs to operate Kubernetes resources inside a cluster but does not manage the cluster itself. | Scenario 2: Application developer |
| Permission administrator | The principal needs to manage RBAC authorization for other RAM users or RAM roles. | Scenario 3: Permission administrator |
Default system policies
ACS provides the following system authorization policies for quick setup.
The default system policies grant broad permissions: read or write access to every ACK and ACS OpenAPI operation. Use them with care; if you need narrower permissions, prefer a custom policy scoped to a specific cluster ARN.
| Policy | What it grants |
|---|---|
| AliyunAccFullAccess | Full management permissions for ACS |
| AliyunAccReadOnlyAccess | Read-only permissions for ACS |
| AliyunCSFullAccess | Full management permissions for ACK, including all ACS clusters |
| AliyunCSReadOnlyAccess | Read-only permissions for ACK, including all ACS clusters |
AliyunAccFullAccess
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "acc:*",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```
AliyunAccReadOnlyAccess
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "acc:Describe*",
        "acc:CheckServiceRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
AliyunCSFullAccess
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": "cs:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:PassRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "acs:Service": "cs.aliyuncs.com"
        }
      }
    }
  ]
}
```
AliyunCSReadOnlyAccess
```json
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "cs:CheckServiceRole",
        "cs:Get*",
        "cs:List*",
        "cs:Describe*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
Predefined RBAC roles
ACK provides four predefined cluster-level RBAC roles. After you attach a predefined role, ACS automatically creates a ClusterRoleBinding in the cluster that maps the RAM user or RAM role to that role.
The Alibaba Cloud account (root account) and the cluster creator are bound to the cluster-admin role by default and have full access to every Kubernetes resource object in the cluster.
| Role | What it grants | What it excludes |
|---|---|---|
| Administrator | Read and write on all resources in all namespaces | None |
| O&M engineer | Read and write on the Kubernetes resources visible in the console in all namespaces; read-only on nodes, PVs, namespaces, and resource quotas | Write access to cluster-level infrastructure (nodes, PVs). This restriction prevents accidental deletion of shared infrastructure. |
| Developer | Read and write on the Kubernetes resources visible in the console in all or specific namespaces | Access to nodes, PVs, namespaces, or resource quotas. Developers can manage application workloads without affecting cluster infrastructure. |
| Restricted user | Read-only on the Kubernetes resources visible in the console in all or specific namespaces | Write access to any resource |
Authorization best practices
Scenario 1: O&M engineer
An O&M engineer manages ACS clusters and operates application resources inside them. This role requires both RAM authorization and RBAC authorization.
Step 1: Grant RAM permissions
Attach one of the following system policies in the RAM console, or create a custom policy for fine-grained control.
- AliyunCSFullAccess: read and write access to all ACK OpenAPI operations
- AliyunCSReadOnlyAccess: read-only access to all ACK OpenAPI operations
For instructions, see Grant permissions to a RAM user and Grant permissions to a RAM role in the RAM console.
Both system policies apply to all ACK clusters, including ACS clusters. For cluster-specific permissions, create a custom policy scoped to acs:cs:*:*:cluster/<yourclusterID>.
The following example grants the permissions needed to manage a specific ACS cluster, including creating the cluster, viewing cluster details, managing add-ons, and monitoring logs.
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acc:DescribeCommodityStatus",
        "acc:CheckServiceRole",
        "acc:DescribeCloudProducts",
        "acc:DescribeRegions",
        "acc:DescribeZones",
        "acc:GetInstancePrice",
        "acc:RecommendZones"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "bssapi:GetPayAsYouGoPrice",
      "Resource": "*"
    },
    {
      "Action": "ecs:DescribePrice",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ram:GetRole",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "cs:CreateCluster",
        "cs:DescribeAddons",
        "cs:DescribeUserQuota",
        "cs:DescribeTasks",
        "cs:ListClusterAddonInstances"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "cs:GetClusters",
        "cs:DescribeClustersV1",
        "cs:DescribeClusterUserKubeconfig",
        "cs:DescribeClusterResources",
        "cs:DescribeUserQuota",
        "cs:DescribeClusterLogs",
        "cs:ModifyCluster",
        "cs:UpgradeCluster",
        "cs:GetUpgradeStatus",
        "cs:ResumeUpgradeCluster",
        "cs:PauseClusterUpgrade",
        "cs:CancelClusterUpgrade",
        "cs:InstallClusterAddons",
        "cs:UpgradeClusterAddons",
        "cs:DescribeClusterAddonsUpgradeStatus",
        "cs:UnInstallClusterAddons",
        "cs:DeleteCluster",
        "cs:DescribeClusterDetail",
        "cs:GetClusterAuditProject",
        "cs:DescribeClusterAddonsVersion",
        "cs:DescribeClusterTasks",
        "cs:DescribeClusterEvents",
        "cs:DescribeEvents",
        "cs:ListClusterReportSummary",
        "cs:GetClusterBasicInfo",
        "cs:ListReportTaskRule",
        "cs:CreateReportTaskRule",
        "cs:CheckControlPlaneLogEnable",
        "cs:CreateClusterCheck"
      ],
      "Effect": "Allow",
      "Resource": "acs:cs:*:*:cluster/<yourclusterID>"
    },
    {
      "Action": [
        "cs:CheckServiceRole",
        "cs:DescribeKubernetesVersionMetadata"
      ],
      "Effect": "Allow",
      "Resource": "acs:cs:*:*:cluster/*"
    },
    {
      "Action": [
        "log:ListProject"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "vpc:ListEnhanhcedNatGatewayAvailableZones",
        "vpc:DescribeEipAddresses",
        "vpc:DescribeVSwitches"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```
Replace <yourclusterID> with the ID of your ACS cluster.
For ACK OpenAPI details, see [Product changes] Announcement on the optimization of OpenAPI authentication for Container Service and API overview.
Step 2: Grant RBAC permissions
- In the Container Compute Service console, click Authorizations in the left navigation pane.
- On the RAM Users or RAM Roles tab, find the authorization object and click Modify Permissions.
- In the dialog box, click Add Permissions, set the role for the target cluster and namespace to O&M engineer, and click Submit.
For fine-grained RBAC control, create a custom ClusterRole (see RBAC), then on the Authorizations page select Custom and pick the ClusterRole name from the drop-down list. For more information, see Create a custom RBAC authorization policy.
The predefined O&M engineer role (cs:ops) grants the following ClusterRole permissions:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:ops
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["bindings", "events", "limitranges", "namespaces/status", "replicationcontrollers/status", "pods/log", "pods/status", "resourcequotas", "resourcequotas/status", "componentstatuses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["namespaces", "nodes", "persistentvolumes"]
    verbs: ["get", "list", "watch", "patch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["extensions"]
    resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["servicecatalog.k8s.io"]
    resources: ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["servicecatalog.k8s.io"]
    resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
    verbs: ["update"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["alicloud.com"]
    resources: ["*"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.istio.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["config.istio.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["rbac.istio.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["istio.alibabacloud.com"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["authentication.istio.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["log.alibabacloud.com"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["monitoring.kiali.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["kiali.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["serving.knative.dev"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["eventing.knative.dev"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["messaging.knative.dev"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["sources.eventing.knative.dev"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["tekton.dev"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["alert.alibabacloud.com"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
```
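To check what a predefined role really permits before binding it (for instance that cs:ops can patch but not delete nodes, and that cs:ns:dev cannot touch nodes at all), the following added example evaluates requests against ClusterRole rules the way the Kubernetes RBAC authorizer matches them. It is not ACK tooling; the rule lists are constructed excerpts of the cs:ops and cs:ns:dev ClusterRoles on this page, not the complete roles.

```python
"""Evaluate (apiGroup, resource, verb) requests against ClusterRole rules using
the Kubernetes RBAC matching model: a request is allowed if any rule matches all
three fields, "*" is a wildcard, "pods" does not cover the "pods/log" subresource,
and "*/status" covers the status subresource of every resource.
Added example, not ACK tooling; rule lists are constructed excerpts of cs:ops and cs:ns:dev."""

FULL = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]

# Constructed excerpt of cs:ops: workloads read/write, cluster infrastructure read plus patch.
CS_OPS_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec", "configmaps", "secrets", "services"],
     "verbs": FULL},
    {"apiGroups": [""], "resources": ["events", "pods/log", "pods/status"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["namespaces", "nodes", "persistentvolumes"],
     "verbs": ["get", "list", "watch", "patch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "deployments/scale", "statefulsets"],
     "verbs": FULL},
    {"apiGroups": ["networking.k8s.io"], "resources": ["*"], "verbs": FULL},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
     "verbs": ["get", "list", "watch"]},
]
# Constructed excerpt of cs:ns:dev: the same workload rules, but no rule for nodes,
# PVs, namespaces or storage classes.
CS_NS_DEV_RULES = [r for r in CS_OPS_RULES
                   if not {"nodes", "storageclasses"} & set(r["resources"])]


def _resource_matches(allowed, wanted):
    """Exact name, "*", or "*/<subresource>"; a plain resource never covers its subresources."""
    if allowed == "*" or allowed == wanted:
        return True
    sub = wanted.partition("/")[2]          # "pods/log" -> "log"
    return bool(sub) and allowed == "*/" + sub


def rule_allows(rule, api_group, resource, verb):
    return (any(g in ("*", api_group) for g in rule["apiGroups"])
            and any(_resource_matches(r, resource) for r in rule["resources"])
            and any(v in ("*", verb) for v in rule["verbs"]))


def role_allows(rules, api_group, resource, verb):
    """RBAC is allow-only: one matching rule is enough and there are no deny rules."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def privilege_gap(wider, narrower, probes):
    """Requests `wider` permits that `narrower` does not, e.g. what moving a
    principal from O&M engineer to Developer actually takes away."""
    return [p for p in probes
            if role_allows(wider, *p) and not role_allows(narrower, *p)]


PROBES = [
    ("", "nodes", "get"), ("", "nodes", "delete"), ("", "persistentvolumes", "patch"),
    ("", "pods/log", "get"), ("", "pods/log", "delete"), ("apps", "deployments", "delete"),
    ("networking.k8s.io", "ingresses", "create"), ("storage.k8s.io", "storageclasses", "list"),
]

if __name__ == "__main__":
    for probe in PROBES:
        print(probe, "ops:", role_allows(CS_OPS_RULES, *probe),
              "dev:", role_allows(CS_NS_DEV_RULES, *probe))
    print("ops-only:", privilege_gap(CS_OPS_RULES, CS_NS_DEV_RULES, PROBES))
```

Against a live cluster the same questions can be asked with `kubectl auth can-i`, but the offline check is useful when reviewing a custom ClusterRole before it is bound.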
Scenario 2: Application developer
An application developer operates Kubernetes resources inside a cluster but does not manage the cluster itself. This role needs only read-only RAM permissions on the specific cluster, plus RBAC authorization.
Before you grant RBAC permissions, the authorization object must hold at least read-only RAM permissions on the target cluster. Do not use AliyunCSReadOnlyAccess for this purpose: that policy grants read-only access to every ACK cluster and is broader than necessary. Use a custom policy that names the cluster ARN instead.
Step 1: Grant RAM permissions
Create a custom policy scoped to the specific cluster ARN and attach it to the RAM user or RAM role in the RAM console. For instructions, see Grant RAM permissions to a RAM user or RAM role.
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acc:DescribeCommodityStatus",
        "acc:CheckServiceRole",
        "acc:DescribeCloudProducts",
        "acc:DescribeRegions",
        "acc:DescribeZones",
        "acc:GetInstancePrice",
        "acc:RecommendZones"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "bssapi:GetPayAsYouGoPrice",
      "Resource": "*"
    },
    {
      "Action": [
        "cs:Get*",
        "cs:List*",
        "cs:Check*",
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/<yourclusterID>"
      ]
    },
    {
      "Action": [
        "vpc:ListEnhanhcedNatGatewayAvailableZones",
        "vpc:DescribeEipAddresses"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```
Replace <yourclusterID> with the ID of your ACS cluster.
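Both the O&M engineer policy in Scenario 1 and the developer policy above depend on the cs: statements being pinned to one cluster ARN, and on the placeholder actually being replaced. The following added example (not Alibaba Cloud tooling) lints a RAM policy document for exactly those mistakes: cs: actions on "*" or "acs:cs:*:*:cluster/*", an unreplaced <yourclusterID>, and, for a developer policy, any cs: action outside the read-only Get/List/Describe/Check families. The embedded policy is a trimmed copy of the developer policy with a constructed cluster ID; the account-level action set is taken from this page's O&M policy.

```python
"""Lint a RAM policy for the scoping mistakes this page warns about.

cs: actions granted on Resource "*" or "acs:cs:*:*:cluster/*" reach every ACK
cluster in the account; a developer policy should also carry no cs: write actions.
Added example, not Alibaba Cloud tooling. The cluster ID below is constructed."""
import fnmatch
import json
import re

# A cs: resource ARN pinned to one cluster: acs:cs:<region>:<account>:cluster/<id>
CLUSTER_ARN = re.compile(r"^acs:cs:[^:]*:[^:]*:cluster/([^/]+)$")
# Read-only action families, as used in this page's developer policy.
READ_ONLY_CS = ("cs:Get*", "cs:List*", "cs:Describe*", "cs:Check*")
# Actions that legitimately need "*" or cluster/* because no cluster ID exists yet
# (taken from this page's O&M engineer policy); statements made only of these are skipped.
ACCOUNT_LEVEL_CS = {"cs:CreateCluster", "cs:DescribeAddons", "cs:DescribeUserQuota",
                    "cs:DescribeTasks", "cs:ListClusterAddonInstances",
                    "cs:CheckServiceRole", "cs:DescribeKubernetesVersionMetadata"}

# Constructed, trimmed copy of the developer policy from this page with a made-up ID.
DEVELOPER_POLICY = """{
  "Statement": [
    {"Effect": "Allow", "Action": ["acc:CheckServiceRole", "acc:DescribeRegions"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cs:Get*", "cs:List*", "cs:Check*", "cs:Describe*"],
     "Resource": ["acs:cs:*:*:cluster/c0ffee1234567890"]},
    {"Effect": "Allow", "Action": ["vpc:DescribeEipAddresses"], "Resource": "*"}
  ],
  "Version": "1"
}"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def cluster_scope(resource):
    """Return the cluster ID a resource ARN is pinned to, or None when the ARN
    covers every cluster ("*", "acs:cs:*:*:cluster/*")."""
    m = CLUSTER_ARN.match(resource)
    if not m or "*" in m.group(1):
        return None
    return m.group(1)


def lint_policy(policy, developer=False):
    """Return a list of findings; an empty list means the policy passes the checks."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        cs_actions = [a for a in _as_list(st.get("Action", [])) if a.startswith("cs:")]
        if not cs_actions or set(cs_actions) <= ACCOUNT_LEVEL_CS:
            continue
        for res in _as_list(st.get("Resource", [])):
            cid = cluster_scope(res)
            if cid is None:
                findings.append(f"statement {i}: {cs_actions} on {res!r} reach every ACK cluster")
            elif cid == "<yourclusterID>":
                findings.append(f"statement {i}: placeholder <yourclusterID> was not replaced")
        if developer:
            for a in cs_actions:
                if not any(fnmatch.fnmatchcase(a, p) for p in READ_ONLY_CS):
                    findings.append(f"statement {i}: {a} is a write action; developers get read-only cs: access")
    return findings


def lint_text(text, developer=False):
    return lint_policy(json.loads(text), developer)


if __name__ == "__main__":
    for finding in lint_text(DEVELOPER_POLICY, developer=True) or ["no findings"]:
        print(finding)
```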
Step 2: Grant RBAC permissions
- In the Container Compute Service console, click Authorizations in the left navigation pane.
- On the RAM Users or RAM Roles tab, find the authorization object and click Modify Permissions.
- In the dialog box, click Add Permissions, set the role for the target cluster and namespace to Developer, and click Submit.
After you attach the predefined role, ACS automatically creates a ClusterRoleBinding for the authorization object. The predefined Developer role (cs:ns:dev) grants the following ClusterRole permissions:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:ns:dev
rules:
  - apiGroups: [""]
    resources: ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["events", "replicationcontrollers/status", "pods/log", "pods/status"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["extensions"]
    resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["servicecatalog.k8s.io"]
    resources: ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["servicecatalog.k8s.io"]
    resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
    verbs: ["update"]
  - apiGroups: ["alicloud.com"]
    resources: ["*"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["networking.istio.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["config.istio.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["rbac.istio.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["istio.alibabacloud.com"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["authentication.istio.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["log.alibabacloud.com"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["monitoring.kiali.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["kiali.io"]
    resources: ["*"]
    verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["serving.knative.dev"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["eventing.knative.dev"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["messaging.knative.dev"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["sources.eventing.knative.dev"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["tekton.dev"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
  - apiGroups: ["alert.alibabacloud.com"]
    resources: ["*"]
    verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
```
Scenario 3: Permission administrator
A permission administrator manages RBAC authorization for other RAM users or RAM roles. By default, RAM users and RAM roles have no permission to grant RBAC permissions to others.
If a RAM user opens the Authorizations page in the Container Compute Service console and sees the message "The current RAM user account does not have permissions to manage authorizations. Contact the Alibaba Cloud account owner or an authorized RAM user to request permissions", that user does not yet hold the required RAM or RBAC administrator permissions.
Step 1: Grant RAM permissions
A permission administrator needs RAM permissions to do the following:
- List other RAM users or RAM roles
- Attach RAM authorization policies to a specific RAM user or RAM role
- View the Kubernetes RBAC permission configuration of a specific RAM user or RAM role
- Perform Kubernetes RBAC authorization
Use the RAM console to attach a custom policy that includes these permissions. For instructions, see Grant RAM permissions to a RAM user or RAM role.
```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acc:DescribeCommodityStatus",
        "acc:CheckServiceRole",
        "acc:DescribeCloudProducts",
        "acc:DescribeRegions",
        "acc:DescribeZones",
        "acc:GetInstancePrice",
        "acc:RecommendZones"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "bssapi:GetPayAsYouGoPrice",
      "Resource": "*"
    },
    {
      "Action": [
        "ram:Get*",
        "ram:List*",
        "cs:GetUserPermissions",
        "cs:GetSubUsers",
        "cs:GrantPermission",
        "cs:CheckServiceRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:AttachPolicyToUser",
        "ram:AttachPolicyToRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:ram:*:*:policy/xxxx",
        "acs:*:*:*:user/*"
      ]
    },
    {
      "Action": [
        "vpc:ListEnhanhcedNatGatewayAvailableZones",
        "vpc:DescribeEipAddresses"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
```
In acs:ram:*:*:policy/xxxx, replace xxxx with the name of the RAM policy that you want to allow the administrator to attach. If you use *, the administrator can attach any RAM policy.
Step 2: Grant RBAC permissions
- In the Container Compute Service console, click Authorizations in the left navigation pane.
- On the RAM Users or RAM Roles tab, find the authorization object and click Modify Permissions.
- In the dialog box, click Add Permissions, set the role for the target cluster and namespace to Administrator or the custom cluster-admin role, and click Submit.
After you grant these RAM and RBAC permissions, the permission administrator can manage RBAC authorization for other RAM users or RAM roles within the defined scope. For more information, see Grant RAM permissions to a RAM user or RAM role.
Authorization action reference
The following table describes the main authorization actions used in the example policies above.
| Action | Description |
|---|---|
| acc:CheckServiceRole | Checks whether the account has allowed the product to assume a ServiceRole to access cloud resources |
| acc:DescribeCommodityStatus | Checks whether ACS has been activated for the account |
| bssapi:GetPayAsYouGoPrice | Queries the pay-as-you-go price of a product |
| ram:ListUserBasicInfos | Queries basic information about all RAM users |
| ram:ListRoles | Queries basic information about all RAM roles |
1. For a full description of ACK authorization actions, see Authorization information.
2. Before writing an authorization policy, follow the Principle of Least Privilege (PoLP) and verify the supported actions in the product documentation. See Authorization information.
3. If you do not specify a target cluster ID and set the authorization scope to *, you grant permissions to operate all ACK clusters, except ACS clusters. Grant this permission with care.