
Container Service for Kubernetes: Configure RBAC permissions for Alibaba Cloud services that access ACK clusters

Updated: Dec 26, 2025

ACK supports the Kubernetes-native RBAC (Role-Based Access Control) authorization mechanism. RBAC lets you grant different users different operation permissions on the Kubernetes resources of the same cluster. When another Alibaba Cloud service accesses an ACK cluster, you can bind a specified RBAC role to that cloud service, so that the service reaches in-cluster resources only through the RBAC permissions that correspond to its service role. This isolates cluster resource permissions per service and keeps each service's permissions to the minimum it needs.

Notes

  • By default, an ACK cluster does not create cloud-service RBAC roles on its own. The RBAC role and its binding are created only when you have authorized the service role of the relevant cloud service and then use a feature of that service that needs cluster access; the cloud service triggers the creation and the binding.

  • The binding name a cloud service uses for its RBAC role has a fixed format: ${service abbreviation}-${service role name}-clusterrolebinding for a ClusterRoleBinding, or ${service abbreviation}-${service role name}-rolebinding for a RoleBinding.

  • The RBAC roles listed in this topic are used only for least-privilege access by the specified features of each cloud service. They do not affect the RBAC authorization of your own workloads.

  • You can enable the API Server audit log of the cluster, read the subjects field of the RBAC role binding to determine the name of the bound subject, and then search the audit log by that subject name to retrieve the requests the cloud service made to in-cluster resources. For details, see Use the cluster API Server audit feature.
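
The audit-log workflow in the last note, as an added example that is not part of the original topic or of ACK's own tooling: a Python script that reads a ClusterRoleBinding in the JSON form kubectl returns, derives the identities its subjects carry in API Server audit events (a ServiceAccount subject appears as system:serviceaccount:<namespace>:<name>, a Group subject inside user.groups), keeps only the audit events those subjects produced, and summarizes them by verb and resource, listing 403 responses separately because a denied request means the service asked for something its role does not grant. The binding, its subjects and the audit lines are constructed samples: the sas-… names match the Security Center entry in the table below, but EXAMPLE-SAS-SUBJECT and the sas-collector ServiceAccount are placeholders, not real Alibaba Cloud identities.

```python
import json
from collections import Counter

# Constructed sample of what `kubectl get clusterrolebinding <name> -o json` returns.
# The User and ServiceAccount subjects are placeholders, not real cloud-service identities.
BINDING_JSON = """
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRoleBinding",
  "metadata": {"name": "sas-aliyunserviceroleforsas-clusterrolebinding"},
  "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
              "name": "sas-aliyunserviceroleforsas-clusterrole"},
  "subjects": [
    {"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "EXAMPLE-SAS-SUBJECT"},
    {"kind": "ServiceAccount", "name": "sas-collector", "namespace": "kube-system"}
  ]
}
"""

# Constructed sample of API Server audit events in JSON-lines form. Only the fields this
# script reads are populated; timestamps, names and the final "alice" event are made up.
AUDIT_LOG = """\
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"EXAMPLE-SAS-SUBJECT","groups":["system:authenticated"]},"objectRef":{"resource":"pods","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-12-26T08:00:01Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"EXAMPLE-SAS-SUBJECT","groups":["system:authenticated"]},"objectRef":{"resource":"secrets","namespace":"kube-system","name":"policygovernance-yundun-config","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-12-26T08:00:02Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"list","user":{"username":"EXAMPLE-SAS-SUBJECT","groups":["system:authenticated"]},"objectRef":{"resource":"secrets","apiVersion":"v1"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2025-12-26T08:00:03Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:sas-collector","groups":["system:serviceaccounts"]},"objectRef":{"resource":"services","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-12-26T08:00:04Z"}
{"kind":"Event","stage":"ResponseComplete","verb":"delete","user":{"username":"alice","groups":["system:authenticated"]},"objectRef":{"resource":"pods","namespace":"default","name":"web-0","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2025-12-26T08:00:05Z"}
"""


def binding_subjects(binding_json):
    """Map the subjects of a (Cluster)RoleBinding to the identities audit events carry:
    User subjects appear as user.username, ServiceAccount subjects as
    system:serviceaccount:<namespace>:<name>, Group subjects inside user.groups."""
    binding = json.loads(binding_json)
    users, groups = [], []
    for subject in binding.get("subjects", []):
        kind = subject["kind"]
        if kind == "ServiceAccount":
            users.append(f"system:serviceaccount:{subject['namespace']}:{subject['name']}")
        elif kind == "User":
            users.append(subject["name"])
        elif kind == "Group":
            groups.append(subject["name"])
    return {"users": users, "groups": groups}


def filter_audit_events(audit_log, subjects):
    """Keep the ResponseComplete audit events produced by one of the binding's subjects."""
    users, groups = set(subjects["users"]), set(subjects["groups"])
    matched = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("stage") != "ResponseComplete":
            continue  # RequestReceived repeats the same request without a response status
        user = event.get("user", {})
        if user.get("username") in users or groups & set(user.get("groups", [])):
            matched.append(event)
    return matched


def summarize(events):
    """Count (verb, resource) pairs and list denied (403) requests separately: a denied
    request means the service asked for something its RBAC role does not grant."""
    counts = Counter()
    denied = []
    for event in events:
        ref = event.get("objectRef", {})
        key = (event["verb"], ref.get("resource", "<non-resource>"))
        counts[key] += 1
        if event.get("responseStatus", {}).get("code") == 403:
            denied.append((event["requestReceivedTimestamp"], event["user"]["username"]) + key)
    return counts, denied


if __name__ == "__main__":
    subjects = binding_subjects(BINDING_JSON)
    events = filter_audit_events(AUDIT_LOG, subjects)
    counts, denied = summarize(events)
    for (verb, resource), n in sorted(counts.items()):
        print(f"{verb:8} {resource:12} {n}")
    for when, who, verb, resource in denied:
        print(f"denied: {when} {who} {verb} {resource}")
```

To run this against a real cluster, replace BINDING_JSON with the output of `kubectl get clusterrolebinding <name> -o json` (or `kubectl get rolebinding -n <namespace> <name> -o json` for a namespace-scoped binding) and AUDIT_LOG with the JSON-formatted audit events exported from the cluster. The (verb, resource) counts can then be compared rule by rule against the policy listed in the table, and any 403 entries show where the service's behaviour and its granted role disagree.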

Permission policies of cloud service roles

After you grant a cloud service the service role listed for it in the table below, the cloud service accesses the resources of the Container Service for Kubernetes (ACK) cluster according to the RBAC permissions that correspond to that service role.

Note

In the table below, the Permission scope column shows where the permission takes effect: the whole cluster (cluster) or a single namespace (namespace).
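
As an added example that is not part of the original topic or of ACK's own tooling, the following Python script reviews a Role or ClusterRole in the JSON form that `kubectl get clusterrole <name> -o json` (or `kubectl get role -n <namespace> <name> -o json`) returns. It reports the scope (a Role carries a namespace, a ClusterRole does not, which is the distinction the note above describes) and flags the permissions worth a second look when judging whether a policy is truly least-privilege: wildcards, reading Secrets without a resourceNames restriction, creating pods/exec, pods/attach or pods/portforward, minting ServiceAccount tokens, impersonation, and writing RBAC objects. The two embedded inputs are the Security Center ClusterRole from the table below and the first three rules of the Elasticsearch collector Role in the captain-system namespace, transcribed into the parsed JSON form; the severity labels are this script's own assumption, not an ACK classification.

```python
import json
import sys

# Security Center ClusterRole from the table, transcribed into the parsed form of
# `kubectl get clusterrole sas-aliyunserviceroleforsas-clusterrole -o json`.
SAS_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "sas-aliyunserviceroleforsas-clusterrole"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["policygovernance-yundun-config"], "verbs": ["get", "update", "patch"]},
        {"apiGroups": [""], "resources": ["services", "pods"], "verbs": ["list"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["list"]},
        {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"], "verbs": ["list"]},
    ],
}

# First three rules of the Elasticsearch collector Role (captain-system namespace) from the
# table, transcribed the same way; the remaining rules are omitted to keep the sample short.
ES_ROLE_EXCERPT = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "elasticsearch-aliyunserviceroleforelasticsearchcollector-role",
                 "namespace": "captain-system"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods/attach", "pods/exec", "pods/portforward",
                                           "pods/proxy", "secrets", "services/proxy"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]},
        {"apiGroups": [""], "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward",
                                           "pods/proxy"],
         "verbs": ["create", "delete", "deletecollection", "patch", "update"]},
    ],
}

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
READ_VERBS = {"get", "list", "watch", "*"}
RBAC_OBJECTS = {"roles", "rolebindings", "clusterroles", "clusterrolebindings", "*"}
INTERACTIVE = {"pods/exec", "pods/attach", "pods/portforward"}


def review_role(role):
    """Return (scope, findings). Each finding is (severity, rule index, description).
    Severity labels are this script's own assumption, not an ACK classification."""
    scope = role["metadata"].get("namespace", "cluster")  # Role has a namespace, ClusterRole not
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames", [])
        if "*" in rule.get("nonResourceURLs", []):
            findings.append(("high", i, "wildcard nonResourceURLs"))
        if "*" in verbs and "*" in resources:
            findings.append(("high", i, f"all verbs on all resources in apiGroups {sorted(groups)}"))
        elif "*" in verbs or "*" in resources:
            findings.append(("medium", i, "wildcard verb or resource"))
        if "secrets" in resources and verbs & READ_VERBS:
            if names:
                findings.append(("low", i, f"reads Secrets, limited to {names}"))
            else:
                findings.append(("high", i, "reads every Secret in scope (no resourceNames)"))
        if resources & INTERACTIVE and verbs & {"create", "*"}:
            findings.append(("high", i, "interactive pod access (exec/attach/port-forward)"))
        if "serviceaccounts/token" in resources and verbs & {"create", "*"}:
            findings.append(("high", i, "can mint ServiceAccount tokens"))
        if "impersonate" in verbs:
            findings.append(("high", i, f"can impersonate {sorted(resources)}"))
        if groups & {"rbac.authorization.k8s.io", "*"} and resources & RBAC_OBJECTS and verbs & WRITE_VERBS:
            findings.append(("high", i, "writes RBAC objects (possible privilege escalation)"))
    return scope, findings


if __name__ == "__main__":
    # Pass one or more JSON files exported with kubectl, or run with no arguments
    # to review the two embedded samples.
    roles = [json.load(open(path)) for path in sys.argv[1:]] or [SAS_CLUSTERROLE, ES_ROLE_EXCERPT]
    for role in roles:
        scope, findings = review_role(role)
        print(f"{role['kind']} {role['metadata']['name']} (scope: {scope})")
        for severity, idx, text in findings:
            print(f"  [{severity}] rule {idx}: {text}")
```

On the two embedded inputs the script reports the Security Center role as cluster-scoped with a single low finding (its Secret read is pinned to one named object), and the Elasticsearch excerpt as scoped to captain-system with three high findings: an unrestricted Secret read, impersonation of ServiceAccounts, and exec/attach/port-forward creation. Findings are not verdicts; a monitoring or diagnosis product may legitimately need some of them, but each one is a line item to confirm against the feature you actually enabled.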

Table columns: Cloud service | Service role name | Permission scope | RBAC permission policy. Each entry is listed with these four fields, followed by the manifest of its RBAC permission policy.

Cloud service: Application Real-Time Monitoring Service (ARMS)
Service role name: arms-aliyunserviceroleforarms-clusterrolebinding
Permission scope: cluster
RBAC permission policy: arms-aliyunserviceroleforarms-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: arms-aliyunserviceroleforarms-clusterrole
rules:
  - apiGroups: ["vector.oam.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["o11y.aliyun.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods","replicationcontrollers","podtemplates", "nodes", "services","events","persistentvolumes","persistentvolumeclaims","componentstatuses","bindings", "namespaces","endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","pods/log","services/proxy"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["nodes/metrics"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["limitranges"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses","volumeattachments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps","extensions"]
    resources: ["deployments", "daemonsets", "statefulsets","replicasets","networkpolicies"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["alertmanagers","podmonitors","prometheuses","prometheuses/finalizers","alertmanagers/finalizers","servicemonitors","prometheusrules","probes"]
    verbs: ["*"]
  - apiGroups: ["monitor.aliyun.com"]
    resources: ["alicloudpromrules","alicloudpromrules/status"]
    verbs: ["*"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings","roles","clusterroles","clusterrolebindings"]
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies","ingresses","ingressclasses"]
    verbs: ["*"]
  - apiGroups: ["apps.kruise.io"]
    resources: ["statefulsets"]
    verbs: ["*"]
  - apiGroups: ["nsm.alibabacloud.com"]
    resources: ["networkservices"]
    verbs: ["*"]
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
  - apiGroups: ["log.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["telemetry.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

Cloud service: E-MapReduce (open-source big data development platform)
Service role name: emr-aliyunemronackdefaultrole-clusterrolebinding
Permission scope: cluster
RBAC permission policy: emr-aliyunemronackdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: emr-aliyunemronackdefaultrole-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods", "nodes", "services", "namespaces", "endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","persistentvolumes","persistentvolumeclaims"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "statefulsets"]
  verbs: ["*"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  verbs: ["*"]
- apiGroups: ["sparkoperator.k8s.io"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["flink.apache.org"]
  resources: ["*"]
  verbs: ["*"]

Cloud service: Alibaba Cloud Security Center
Service role name: sas-aliyunserviceroleforsas-clusterrolebinding
Permission scope: cluster
RBAC permission policy: sas-aliyunserviceroleforsas-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sas-aliyunserviceroleforsas-clusterrole
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["policygovernance-yundun-config"]
    verbs: ["get", "update", "patch"]
  - apiGroups: [""]
    resources: ["services","pods"]
    verbs: ["list"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["list"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["list"]

Cloud service: Tair (cloud database)
Service role name: tair-aliyunserviceroleforkvstore-clusterrolebinding
Permission scope: cluster
RBAC permission policy: tair-aliyunserviceroleforkvstore-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tair-aliyunserviceroleforkvstore-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - get
      - list

Cloud service: Tair (cloud database), continued
Service role name: tair-aliyunserviceroleforkvstore-clusterrolebinding
Permission scope: ack-tair namespace
RBAC permission policy: tair-aliyunserviceroleforkvstore-role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tair-aliyunserviceroleforkvstore-role
  namespace: ack-tair
rules:
  - apiGroups:
    - batch
    resources:
    - jobs
    verbs:
    - get
    - list
    - create
    - delete
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    - patch
    - get
    - list
  - apiGroups:
    - apps
    resources:
    - statefulsets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - configmaps
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - pods/exec
    - pods/portforward
    - pods/proxy
    verbs:
    - create
    - get
  - apiGroups:
    - ""
    resources:
    - services
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - services/proxy
    verbs:
    - create
    - get
  - apiGroups:
    - tair.alibabacloud.com
    resources:
    - tairclusters
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - tair.alibabacloud.com
    resources:
    - tairclusters/finalizers
    verbs:
    - update
  - apiGroups:
    - tair.alibabacloud.com
    resources:
    - tairclusters/status
    verbs:
    - get
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - persistentvolumeclaims
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - persistentvolumeclaims/status
    verbs:
    - get
  - apiGroups:
    - scheduling.sigs.k8s.io
    resources:
    - reserveresourcesets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch

Cloud service: Enterprise Distributed Application Service (EDAS)
Service role name: edas-aliyunedasdefaultrole-clusterrolebinding
Permission scope: cluster
RBAC permission policy: edas-aliyunedasdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: edas-aliyunedasdefaultrole-clusterrole
rules:
  - apiGroups: [ "" ]
    resources: [ "nodes", "nodes/stats" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "" ]
    resources: [ "pods", "pods/exec", "pods/log", "pods/status", "limitranges", "services", "services/proxy", "namespaces", "endpoints", "configmaps", "secrets", "bindings", "resourcequotas", "serviceaccounts", "componentstatuses", "events", "persistentvolumeclaims", "persistentvolumes", "replicationcontrollers","podtemplates" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps" ]
    resources: [ "deployments","daemonsets","statefulsets","replicasets","deployments/scale","statefulsets/scale","statefulsets/status","deployments/status","controllerrevisions" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "extensions" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: ["batch"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [ "events.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["edas.aliyun.oam.com"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["autoscaling"]
    resources: ["*"]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: ["oam-domain.alibabacloud.com" ]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["core.oam.dev"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["flagger.app"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [ "keda.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "log.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "clm.cloudnativeapp.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "monitoring.coreos.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "admissionregistration.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "extension.oam.dev" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "authentication.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [ "networking.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "scheduling.sigs.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "snapshot.storage.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "storage.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "storage.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "certificates.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "flowcontrol.apiserver.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "policy" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "authorization.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "external.metrics.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - nonResourceURLs: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "keda.sh" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "alibabacloud.com" ]
    resources: [ "albconfigs" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "autoscaling.alibabacloud.com" ]
    resources: [ "advancedhorizontalpodautoscalers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "metrics.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "metrics.k8s.io" ]
    resources: [ "pods","nodes" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "coordination.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps.kruise.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "edas.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "istio.aliyun.cloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "nacos.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]

Cloud service: RDS (cloud database)
Service role name: aliyunmybasecpaasdefaultrole-clusterrolebinding
Permission scope: cluster
RBAC permission policy: rds-aliyunmybasecpaasdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rds-aliyunmybasecpaasdefaultrole-clusterrole
rules:
- apiGroups:
  - ''
  resources:
  - nodes
  - namespaces
  - resourcequotas
  - limitranges
  - nodes/metrics
  - replicationcontrollers
  - nodes/proxy
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - ''
  resources:
  - services
  - configmaps
  - secrets
  - pods
  - pods/log
  - pods/exec
  - endpoints
  - persistentvolumes
  - persistentvolumeclaims
  - events
  verbs:
  - '*'
- apiGroups:
  - ''
  resources:
  - serviceaccounts
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - ''
  resourceNames:
  - mybase-operator
  - polardbx-operator
  - pre-install-kibana-kibana
  - filebeat-filebeat
  - post-delete-kibana-kibana
  resources:
  - serviceaccounts
  verbs:
  - '*'
- apiGroups:
  - '*'
  resources:
  - namespaces
  verbs:
  - patch
  - list
  - create
  - watch
  - get
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - controllerrevisions
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - apps
  resourceNames:
  - filebeat-filebeat
  - logstash-logstash
  - kibana-kibana
  - elasticsearch-master
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - controllerrevisions
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  - clusterrolebindings
  - roles
  - rolebindings
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - rbac.authorization.k8s.io
  resourceNames:
  - mybase-operator
  - polardbx-operator
  - polardbx-controller-manager
  - mybase-monitoring
  - filebeat-filebeat-role
  - filebeat-filebeat-role-binding
  - filebeat-filebeat-cluster-role
  - filebeat-filebeat-cluster-role-binding
  - pre-install-kibana-kibana
  - post-delete-kibana-kibana
  resources:
  - clusterroles
  - clusterrolebindings
  - roles
  - rolebindings
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - apiextensions.k8s.io
  resourceNames:
  - mybaseappinstancebackuppolicies.apps.k8s.mybase.aliyun.com
  - mybaseappdefinitions.apps.k8s.mybase.aliyun.com
  - mybaseappinstanceops.apps.k8s.mybase.aliyun.com
  - mybaseappinstances.apps.k8s.mybase.aliyun.com
  - polardbxbackupbinlogs.polardbx.aliyun.com
  - polardbxbackups.polardbx.aliyun.com
  - polardbxbackupschedules.polardbx.aliyun.com
  - polardbxclusterknobs.polardbx.aliyun.com
  - polardbxclusters.polardbx.aliyun.com
  - polardbxlogcollectors.polardbx.aliyun.com
  - polardbxmonitors.polardbx.aliyun.com
  - polardbxparameters.polardbx.aliyun.com
  - polardbxparametertemplates.polardbx.aliyun.com
  - systemtasks.polardbx.aliyun.com
  - xstorebackups.polardbx.aliyun.com
  - xstorefollowers.polardbx.aliyun.com
  - xstores.polardbx.aliyun.com
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - monitoring.coreos.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apps.k8s.mybase.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - polardbx.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - v1.admission.polardbx.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - apiregistration.k8s.io
  resourceNames:
  - v1.admission.polardbx.aliyun.com
  resources:
  - apiservices
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - polardbxcluster-mutate.polardbx.aliyun.com
  - polardbxcluster-validate.polardbx.aliyun.com
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - update
  - delete
  - patch
  - create
  - list
  - get
  - watch
- nonResourceURLs:
  - /metrics
  verbs:
  - get

Cloud service: CloudMonitor
Service role name: aliyunserviceroleforcloudmonitor-clusterrolebinding
Permission scope: cluster
RBAC permission policy: cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole
rules:
  - apiGroups: ["vector.oam.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["o11y.aliyun.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods","replicationcontrollers","podtemplates", "nodes", "services","events","persistentvolumes","persistentvolumeclaims","componentstatuses","bindings", "namespaces","endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","pods/log","services/proxy"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["nodes/metrics"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["limitranges"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses","volumeattachments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps","extensions"]
    resources: ["deployments", "daemonsets", "statefulsets","replicasets","networkpolicies"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["alertmanagers","podmonitors","prometheuses","prometheuses/finalizers","alertmanagers/finalizers","servicemonitors","prometheusrules","probes"]
    verbs: ["*"]
  - apiGroups: ["monitor.aliyun.com"]
    resources: ["alicloudpromrules","alicloudpromrules/status"]
    verbs: ["*"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings","roles","clusterroles","clusterrolebindings"]
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies","ingresses","ingressclasses"]
    verbs: ["*"]
  - apiGroups: ["apps.kruise.io"]
    resources: ["statefulsets"]
    verbs: ["*"]
  - apiGroups: ["nsm.alibabacloud.com"]
    resources: ["networkservices"]
    verbs: ["*"]
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
  - apiGroups: ["log.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["telemetry.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]

Cloud service: Microservices Engine (MSE)
Service role name: mse-aliyunserviceroleformse-clusterrolebinding
Permission scope: cluster
RBAC permission policy: mse-aliyunserviceroleformse-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mse-aliyunserviceroleformse-clusterrole
rules:
  # base
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

  # ingress
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # Use for Kubernetes Service APIs
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]

  # CRD
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # istio
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries/status" ]

  # demo
  - apiGroups: [""]
    resources: ["services", "namespaces"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create"]

Cloud service: Microservices Engine (MSE), continued
Service role name: mse-aliyunserviceroleformsediagnosis-clusterrolebinding
Permission scope: cluster
RBAC permission policy: mse-aliyunserviceroleformsediagnosis-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mse-aliyunserviceroleformsediagnosis-clusterrole
rules:
  # base
  - apiGroups: [ "" ]
    resources: [ "nodes", "nodes/stats" ]
    verbs: [ "get", "watch" ]
  - apiGroups: [ "" ]
    resources: [ "pods", "pods/exec", "pods/log", "pods/status", "services", "services/proxy", "namespaces", "endpoints", "configmaps", "componentstatuses", "events","podtemplates" ]
    verbs: [ "get", "watch", "create"]
  - apiGroups: [ "apps" ]
    resources: [ "deployments","daemonsets","statefulsets","replicasets","statefulsets/status","deployments/status" ]
    verbs: [ "get", "watch", "create"]

Cloud service: API Gateway
Service role name: apig-aliyunservicerolefornativeapigw-clusterrolebinding
Permission scope: cluster
RBAC permission policy: apig-aliyunservicerolefornativeapigw-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apig-aliyunservicerolefornativeapigw-clusterrole
rules:
  # base
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

  # ingress
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # Use for Kubernetes Service APIs
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]

  # CRD
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # istio
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries/status" ]

  # demo
  - apiGroups: [""]
    resources: ["services", "namespaces"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create"]

Cloud service: Log Service (SLS)
Service role name: sls-aliyunserviceroleforslsaudit-clusterrolebinding
Permission scope: cluster
RBAC permission policy: sls-aliyunserviceroleforslsaudit-role

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sls-aliyunserviceroleforslsaudit-role
rules:
  - apiGroups:
    - "*"
    resources:
    - "*"
    verbs:
    - get
    - list
    - watch
  - apiGroups:
    - "*"
    resources:
    - namespaces
    - deployments
    - serviceaccounts
    - clusterroles
    - clusterrolebindings
    - daemonsets
    - services
    - aliyunlogconfigs
    verbs:
    - create
    - patch
    - delete
  - nonResourceURLs:
    - /metrics
    verbs:
    - get

Cloud service: Elasticsearch (search and analytics service)
Service role name: elasticsearch-aliyunserviceroleforelasticsearchcollector-rolebinding
Permission scope: captain-system namespace
RBAC permission policy: elasticsearch-aliyunserviceroleforelasticsearchcollector-role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-role
  namespace: captain-system
rules:
  - apiGroups:
      - ""
    resources:
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
      - secrets
      - services/proxy
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - secrets
      - serviceaccounts
      - services
      - services/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - networkpolicies
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - services/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - cronjobs/status
      - jobs
      - jobs/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - ingresses
      - ingresses/status
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicasets/status
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingresses/status
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - app.alauda.io
    resources:
      - helmrequests
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch

Service role binding: elasticsearch-aliyunserviceroleforelasticsearchcollector-rolebinding
Scope: logging namespace
RBAC policy: elasticsearch-aliyunserviceroleforelasticsearchcollector-role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-role
  namespace: logging
rules:
  - apiGroups:
      - ""
    resources:
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
      - secrets
      - services/proxy
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - secrets
      - serviceaccounts
      - services
      - services/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - networkpolicies
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - services/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - cronjobs/status
      - jobs
      - jobs/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - ingresses
      - ingresses/status
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicasets/status
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingresses/status
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - app.alauda.io
    resources:
      - helmrequests
      - releases
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - elasticsearch.kubernetes.aliyun.com
    resources:
      - logcollectors
      - indexlifecyclebindings
      - indexlifecyclepolicies
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - beat.kubernetes.aliyun.com
    resources:
      - beats
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch

Service role binding: elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrolebinding
Scope: cluster
RBAC policy: elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrole
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "configmaps", "secrets"]
    verbs: ["get", "list", "watch", "patch", "update", "create"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["app.alauda.io"]
    resources: ["helmrequests"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Cloud product: Platform for AI (PAI)

Service role binding: pai-aliyunpaidlcdefaultrole-clusterrolebinding
Scope: cluster
Note: this ClusterRole includes escalation-capable grants (all verbs on secrets, pods/exec and pods/attach, impersonate on serviceaccounts, full control of clusterroles and clusterrolebindings, and CSR approval), so treat its binding as cluster-admin-equivalent in your threat model.
RBAC policy: pai-aliyunpaidlcdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pai-aliyunpaidlcdefaultrole-clusterrole
rules:
  - apiGroups: [ "" ]
    resources: [ "secrets", "secrets/status", "services", "namespaces", "endpoints", "serviceaccounts", "configmaps/status",
                 "persistentvolumes", "persistentvolumes/status", "events", "events/status", "persistentvolumeclaims", "pods", "pods/log", "replicationcontrollers", "bindings",
                 "limitranges", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "" ]
    resources: [ "serviceaccounts" ]
    verbs: [ "impersonate" ]
  - apiGroups: [ "" ]
    resources: [ "configmaps", "pods", "services", "secrets", "endpoints", "configmaps" ]
    verbs: [ "*" ]
  - apiGroups: [ "" ]
    resources: [ "pods/status","pods/binding", "namespaces/status", "persistentvolumeclaims/status", "replicationcontrollers/scale",
                 "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "services/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "" ]
    resources: [ "nodes", "nodes/status" ]
    verbs: [ "create", "delete", "update", "get", "list", "watch", "patch", "deletecollection" ]
  - apiGroups: [ "apps" ]
    resources: [ "statefulsets", "daemonsets", "deployments", "controllerrevisions", "replicasets" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps" ]
    resources: [ "statefulsets/status", "daemonsets/status", "deployments/scale", "deployments/status",
                 "replicasets/scale", "replicasets/status", "statefulsets/scale", "deployments/rollback" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "rbac.authorization.k8s.io" ]
    resources: [ "clusterrolebindings", "clusterroles", "roles", "roles/status", "rolebindings", "rolebindings/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "authentication.k8s.io" ]
    resources: [ "tokenreviews" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "authorization.k8s.io" ]
    resources: [ "subjectaccessreviews" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "admissionregistration.k8s.io" ]
    resources: [ "mutatingwebhookconfigurations", "validatingwebhookconfigurations" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "networking.k8s.io" ]
    resources: [ "ingresses", "ingresses/status", "networkpolicies" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apiextensions.k8s.io" ]
    resources: [ "customresourcedefinitions" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "batch" ]
    resources: [ "jobs", "cronjobs", "jobs/status", "cronjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  # "batch/v1" is a group/version string, not an API group name, so this rule matches nothing; jobs are already covered by the "batch" rule above.
  - apiGroups: [ "batch/v1" ]
    resources: [ "jobs" ]
    verbs: [ "get", "create", "list", "watch", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "autoscaling" ]
    resources: [ "horizontalpodautoscalers", "horizontalpodautoscalers/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "coordination.k8s.io" ]
    resources: [ "leases", "leases/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "coordination.k8s.io" ]
    resources: [ "leases" ]
    verbs: [ "*" ]
  - apiGroups: [ "data.fluid.io" ]
    resources: [ "datasets", "datasets/status", "jindoruntimes", "jindoruntimes/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "extensions" ]
    resources: [ "replicasets", "replicasets/status", "daemonsets", "daemonsets/status", "deployments",
                 "deployments/scale", "deployments/status", "deployments/rollback", "ingresses", "ingresses/status", "networkpolicies",
                 "replicasets/scale", "replicationcontrollers/scale" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "metrics.k8s.io" ]
    resources: [ "nodes", "pods" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "kubeflow.org" ]
    resources: [ "tfjobs", "pytorchjobs", "tfjobs/status", "pytorchjobs/status", "mpijobs", "mpijobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "xdl.kubedl.io" ]
    resources: [ "xdljobs", "xdljobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "xgboostjob.kubeflow.org" ]
    resources: [ "xgboostjobs", "xgboostjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "events.k8s.io" ]
    resources: [ "events" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "policy" ]
    resources: [ "poddisruptionbudgets", "poddisruptionbudgets/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps.kruise.io" ]
    resources: [ "statefulsets" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.alibabacloud.com" ]
    resources: [ "gpudevices", "allocgroups", "allocgroups/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "gputopology.kubedl.io" ]
    resources: [ "gputopologies" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "storage.k8s.io" ]
    resources: [ "storageclasses", "csinodes", "volumeattachments" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.k8s.io" ]
    resources: [ "priorityclasses" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.x-k8s.io" ]
    resources: [ "queueunits", "queueunits/status", "queues" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.sigs.k8s.io" ]
    resources: [ "elasticquotatrees" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "certificates.k8s.io" ]
    resources: [ "certificatesigningrequests", "certificatesigningrequests/approval", "signers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "approve" ]
  - apiGroups: [ "discovery.k8s.io" ]
    resources: [ "endpointslices" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "monitoring.coreos.com" ]
    resources: [ "servicemonitors" ]
    verbs: [ "get", "create", "list", "watch", "update", "patch", "delete", "deletecollection"]
  - apiGroups: [ "inference.kubedl.io" ]
    resources: [ "elasticbatchjobs", "elasticbatchjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "gateway.solo.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "argoproj.io" ]
    resources: [ "clusterworkflowtemplates", "clusterworkflowtemplates/finalizers", "cronworkflows", "cronworkflows/finalizers",
                 "workflows", "workflows/finalizers", "workflowtemplates", "workflowtemplates/finalizers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "paiflow.alibaba-inc.com" ]
    resources: [ "clusterworkflowtemplates", "clusterworkflowtemplates/finalizers", "cronworkflows", "cronworkflows/finalizers",
                   "workflows", "workflows/finalizers", "workflowtemplates", "workflowtemplates/finalizers",
                "workfloweventbindings", "workfloweventbindings/finalizers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "dlc.alibaba.com" ]
    resources: [ "datasources", "datasources/status", "dlcinstanceresourcepatches", "dlcinstanceresourcepatches/status",
                 "dlcinstances", "dlcinstances/status", "resourcegroups", "resourcegroups/status", "tensorboards", "tensorboards/status"]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "eas.alibaba-inc.k8s.io" ]
    resources: [ "resourcemigrations", "resourcemigrations/status", "tenantresources", "tenantresources/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "paiflow.pai.alibaba-inc.com" ]
    resources: [ "aiworkspaces" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "gloo.solo.io", "enterprise.gloo.solo.io", "graphql.gloo.solo.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "ratelimit.solo.io" ]
    resources: [ "ratelimitconfigs","ratelimitconfigs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "dsw.alibaba.com" ]
    resources: [ "dswinstances", "dswinstances/status", "idleinstancecullers", "idleinstancecullers/status",
                 "images", "images/status", "notebooks", "notebooks/status", "credentials", "credentials/status",
                 "nasvolumes", "nasvolumes/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "training.pai.alibaba-inc.com" ]
    resources: [ "trainingjobs", "trainingjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: ["scheduling.sigs.k8s.io"]
    resources: ["podgroups"]
    verbs: ["get", "delete"]

Cloud product: Cloud-native Application Assembly Platform (BizWorks)

Service role binding: bizworks-aliyunserviceroleforbizworks-clusterrolebinding
Scope: cluster
Note: this role grants every verb on every resource and every non-resource URL (the same rules as the built-in cluster-admin ClusterRole), which is the highest level of permission; it can install any Helm chart.
RBAC policy: bizworks-aliyunserviceroleforbizworks-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bizworks-aliyunserviceroleforbizworks-clusterrole
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

Customizing the RBAC permissions a cloud product uses to access the ACK cluster

If you need to customize which operations an Alibaba Cloud product may perform on ACK cluster resources, edit the ClusterRole that corresponds to that product in the cluster: add the annotation inner.service.alibabacloud.com/user-customized: "true" to the ClusterRole and write your own policy under the rules field. Example:

Important

Custom changes to a product's RBAC role can break the features of that product. Verify the affected features thoroughly and proceed with caution.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    inner.service.alibabacloud.com/user-customized: "true"
  name: test-aliyunserviceroleforarms-clusterrole
rules:
- apiGroups:
  - test
  resources:
  - '*'
  verbs:
  - '*'
...

Blocking a cloud product from accessing the ACK cluster

  • Following the customization procedure in the previous section, add the annotation inner.service.alibabacloud.com/user-customized: "true" to the ClusterRole of the cloud product and remove every entry under its rules field (leaving an empty rules list). This removes all access the cloud product has to the ACK cluster.

  • Deleting the product's RAM service role in the RAM console also blocks that product from accessing the ACK cluster. For details, see Delete a RAM role.
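The two procedures above (customizing a product's ClusterRole, and emptying its rules to lock the product out), as an added Python example that is not Alibaba Cloud's tooling or code from this page. It handles the manifest as a dict in the JSON form that kubectl apply -f accepts, so it runs offline; the sample ClusterRole, its rule set and the name example-aliyunserviceroleforexample-clusterrole are constructed for illustration. It also includes a small check, escalation_grants, that lists the grants in a role which let the holder reach beyond the role itself (the kind of grants present in the PAI and BizWorks roles above), which is worth running before deciding how far to narrow a role.

```python
"""Review and narrow the ClusterRole a cloud product uses in an ACK cluster.

Added example, not Alibaba Cloud tooling.  Manifests are plain dicts in the
JSON form that `kubectl apply -f` accepts, so nothing here needs a YAML
library or a cluster.
"""
import copy
import json

USER_CUSTOMIZED = "inner.service.alibabacloud.com/user-customized"

# Constructed sample in the shape of the roles listed on this page.  The name
# and the (deliberately small) rule set are illustrative, not a real product role.
SAMPLE_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-aliyunserviceroleforexample-clusterrole"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "secrets", "configmaps"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["clusterrolebindings"], "verbs": ["create"]},
    ],
}


def _match(patterns, value):
    """RBAC list semantics: "*" matches anything, otherwise an exact entry is needed."""
    return "*" in patterns or value in patterns


def rule_allows(rule, group, resource, verb):
    """True if one policy rule grants (apiGroup, resource, verb).

    A nonResourceURLs rule has no apiGroups/resources and therefore never
    matches a resource request, which is how the API server treats it too.
    """
    return (_match(rule.get("apiGroups", []), group)
            and _match(rule.get("resources", []), resource)
            and _match(rule.get("verbs", []), verb))


def role_allows(role, group, resource, verb):
    """RBAC is purely additive: any single matching rule grants the request."""
    return any(rule_allows(r, group, resource, verb) for r in role.get("rules", []))


# Grants that let the holder reach beyond the role itself.  Each is checked the
# way the API server matches rules, so a "*" rule (as in the BizWorks role) hits all of them.
ESCALATION_GRANTS = [
    ("", "secrets", "get"),                                  # read credentials cluster-wide
    ("", "pods/exec", "create"),                             # run commands inside any pod
    ("", "serviceaccounts", "impersonate"),                  # send requests as any service account
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"),           # bind subjects to roles
    ("certificates.k8s.io", "certificatesigningrequests/approval", "update"),  # approve CSRs
]


def escalation_grants(role):
    """Return the escalation-capable grants the role contains, in ESCALATION_GRANTS order."""
    return [g for g in ESCALATION_GRANTS if role_allows(role, *g)]


def customize(role, new_rules):
    """Copy of the role marked user-customized, with its rules replaced by new_rules.

    The annotation marks the role as user-managed, as the customization
    procedure on this page requires; the original dict is left untouched.
    """
    out = copy.deepcopy(role)
    out["metadata"].setdefault("annotations", {})[USER_CUSTOMIZED] = "true"
    out["rules"] = new_rules
    return out


def lock_out(role):
    """Annotated copy with an empty rules list: the binding stays, but grants nothing."""
    return customize(role, [])


def to_manifest(role):
    """JSON text for `kubectl apply -f -` (kubectl accepts JSON as well as YAML)."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    print("escalation grants:", escalation_grants(SAMPLE_CLUSTERROLE))
    narrowed = customize(SAMPLE_CLUSTERROLE, [
        {"apiGroups": [""], "resources": ["pods", "configmaps"],
         "verbs": ["get", "list", "watch"]},
    ])
    print(to_manifest(narrowed))
    print(to_manifest(lock_out(SAMPLE_CLUSTERROLE)))
```

Pipe the printed manifest into kubectl apply -f - to replace the product's ClusterRole, then confirm the effect from the binding's subject with kubectl auth can-i (for example kubectl auth can-i get secrets --as=<subject>), taking the subject from the binding's subjects field as described in the notes at the top of this page.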