
Container Service for Kubernetes: Use ack-ram-tool to clean up the permissions of a specified user in a cluster

Updated: Jan 31, 2026

ack-ram-tool is a command-line tool provided by Container Service for Kubernetes to help you manage the RAM and RBAC permissions of your clusters. When a user leaves the organization or permissions need to change, you can use ack-ram-tool to promptly clean up the permissions that deleted users still hold in the cluster and so avoid security risks.

Step 1: Install ack-ram-tool

  1. Download the ack-ram-tool client that matches the architecture of your environment.

  2. Run the following command to grant execute permission to the client binary.

    chmod +x ./ack-ram-tool

  3. Run the following command to copy the ack-ram-tool file to a directory in your system PATH.

    mkdir -p $HOME/bin && cp ./ack-ram-tool $HOME/bin/ack-ram-tool && export PATH=$HOME/bin:$PATH

  4. (Optional) Run the following command to persist the PATH configuration for $HOME/bin.

    echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile

  5. Run the following command to verify that the ack-ram-tool client was installed successfully: it should return the version of the client component.

    ack-ram-tool version

Step 2: Configure Alibaba Cloud credentials

Alibaba Cloud RAM users and SSO users can configure the access credentials used to access cloud resources in the following ways.

Note

If the current environment contains credential-related environment variables, ack-ram-tool uses the access credentials configured in those environment variables first. You can add the --ignore-env-credentials parameter when you run ack-ram-tool commands to ignore these environment variables. For the credential-related environment variables that ack-ram-tool supports, see Credentials.

RAM users

The ack-ram-tool client relies on the Alibaba Cloud access key configured locally to authenticate with RAM.

For details on configuring resource access credentials, see Alibaba Cloud CLI.

SSO users

Users of Alibaba Cloud CloudSSO can log on and obtain credentials for accessing cloud resources with acs-sso, the CLI tool provided by the CloudSSO service. For more information about acs-sso, see "Use the CLI to log on to CloudSSO and access Alibaba Cloud resources". The Alibaba Cloud CLI supports an external mode, in which resource credentials are obtained dynamically by running an external command-line tool. Run the following command to complete the CloudSSO logon and automatic credential configuration locally.

aliyun configure --mode External --profile sso

Configuring profile 'sso' in 'External' authenticate mode...
Process Command [acs-sso login --profile sso]:
Default Region Id [cn-shanghai]:
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en:
Saving profile[sso] ...Done.


Configure Done!!!
..............888888888888888888888 ........=8888888888888888888D=..............
...........88888888888888888888888 ..........D8888888888888888888888I...........
.........,8888888888888ZI: ...........................=Z88D8888888888D..........
.........+88888888 ..........................................88888888D..........
.........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
.........+88888888 ............. ************* ..............O8888888D..........
.........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
.........+88888888...........................................88888888D..........
..........D888888888888DO+. ..........................?ND888888888888D..........
...........O8888888888888888888888...........D8888888888888888888888=...........
............ .:D8888888888888888888.........78888888888888888888O ..............

Step 3: Configure the permissions required by the ack-ram-tool access credentials

The access credentials used by ack-ram-tool must have both RAM permissions and RBAC permissions on the cluster.

  1. Grant the RAM user the following permissions. For details, see "Manage permissions of RAM users".

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cs:*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:ListUsers",
            "ram:ListRoles"
          ],
          "Resource": "*"
        }
      ]
    }
  2. Grant the RAM user RBAC administrator permissions on the cluster.

    1. Log on to the Container Service management console. In the left-side navigation pane, choose Authorizations.

    2. On the Authorizations page, click the RAM Users tab, find the RAM user to add, and click Manage Permissions on the right to go to the permission management page.

    3. Click Add Permissions, select the cluster and namespace, select the Administrator permission, and then click Submit.

Step 4: Query the RBAC bindings of a specified RAM user in a cluster

You can run the ack-ram-tool rbac scan-user-permissions command to query the RBAC binding information of a specified RAM user in the target cluster.

Query only the RBAC bindings of deleted RAM users and roles

Run the following command to view the RBAC bindings held in the cluster by RAM users and roles that have already been deleted.

ack-ram-tool rbac scan-user-permissions -c <cluster-id>

Expected output:

2023-12-12T15:34:37+08:00 INFO start to scan users and bindings for cluster c401890df511a4362bf24bece4da****
2023-12-12T15:34:43+08:00 WARN by default, only deleted users are included. Use the --all-users flag to include all users
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding  

The UserType values are described below:

UserType value   Description
RamRole          RAM role
RamUser          RAM user
Root             Alibaba Cloud account (root account)

Query the RBAC bindings of all RAM users and roles

Run the following command to view the RBAC binding information of all RAM users and roles.

ack-ram-tool rbac scan-user-permissions --all-users -c <cluster-id>

Expected output:

2023-12-12T15:36:00+08:00 INFO Start to scan users and bindings for cluster c401890df511a4362bf24bece4da6****
UID                           UserType  UserName                   Binding                                                                
30032484611590**** (deleted)  RamRole                              ClusterRoleBinding/-/30032484611590****-clusterrolebinding              
20492499986425**** (deleted)  RamUser                              ClusterRoleBinding/-/20492499986425****-clusterrolebinding              
27203272572548****            RamUser   scan                       ClusterRoleBinding/-/27203272572548****-clusterrolebinding        
113802571552****              Root                                 ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding  
29068913515444****            RamUser   test-ack-ram-check         ClusterRoleBinding/-/29068913515444****-clusterrolebinding  

Query the RBAC bindings of all clusters in the current Alibaba Cloud account

Run the following command to view the RBAC binding information of all clusters in the current Alibaba Cloud account.

ack-ram-tool rbac scan-user-permissions -c all

Expected output:

2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T16:44:55+08:00 INFO start to get all clusters, users and roles
2023-12-12T16:44:58+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T16:44:58+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan bindings for cluster c401890df511a4362bf24bece4da6****
2023-12-12T16:45:00+08:00 WARN [c401890df511a4362bf24bece4da6****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c401890df511a4362bf24bece4da6****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
20492499986425**** (deleted)  RamUser             ClusterRoleBinding/-/20492499986425****-clusterrolebinding  
2023-12-12T16:45:00+08:00 INFO ---- c137a979dec21472c8279c903cfc**** (test-pro) ----
2023-12-12T16:45:00+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan bindings for cluster c137a979dec21472c8279c903cfce****
2023-12-12T16:45:01+08:00 WARN [c137a979dec21472c8279c903cfce****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c137a979dec21472c8279c903cfce****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding  
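
The scan output above has a fixed layout: timestamped INFO/WARN lines, a ClusterId: line per cluster in -c all mode, a UID/UserType/UserName/Binding header, and one row per binding, with "(deleted)" after the UID of a principal that no longer exists in RAM. The following shell script is an added example and is not part of the ack-ram-tool documentation or of the tool itself. It parses that output and lists the bindings that still point at deleted RAM users or roles, which is the list a reviewer wants in hand before running Step 5. The function names, the cluster ID passed as an argument, and the sample output embedded in sample_scan_output are assumptions built from the masked values shown above; the 2>&1 redirection in the usage comment assumes the tool's log lines may go to stderr.

```shell
#!/bin/sh
# Added example, not part of the ack-ram-tool documentation or the tool itself.
# Parse the output of "ack-ram-tool rbac scan-user-permissions" and list the
# bindings whose RAM user or role has been deleted ("(deleted)" after the UID).
#
# Usage: deleted_bindings <cluster-id> < scan-output
# Prints one line per binding:  <cluster-id> <uid> <user-type> <binding>
deleted_bindings() {
  awk -v cluster="$1" '
    /^[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T/ { next }   # INFO/WARN log lines
    /^ClusterId:/ { cluster = $2; next }   # emitted once per cluster by "-c all"
    /^UID /       { next }                 # table header
    $2 == "(deleted)" { print cluster, $1, $3, $4 }   # UserName is empty for deleted rows
  '
}

# Number of bindings still held by deleted principals, for a quick pass/fail gate.
deleted_count() {
  deleted_bindings "$1" | awk 'END { print NR }'
}

# Constructed sample in the "-c all" layout, using the masked IDs from the doc.
sample_scan_output() {
  cat <<'EOF'
2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
ClusterId: c401890df511a4362bf24bece4da6****
UID                           UserType  UserName  Binding
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding
27203272572548****            RamUser   scan      ClusterRoleBinding/-/27203272572548****-clusterrolebinding
113802571552****              Root                ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding
ClusterId: c137a979dec21472c8279c903cfce****
UID                           UserType  UserName  Binding
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding
EOF
}

# Against a real cluster (needs the tool and the credentials from Steps 1 to 3):
#   ack-ram-tool rbac scan-user-permissions -c <cluster-id> 2>&1 | deleted_bindings <cluster-id>
# Stand-alone demo on the constructed sample:
sample_scan_output | deleted_bindings unknown
```

For a single-cluster scan there is no ClusterId: line, so the cluster ID given as the first argument is used for every row; in -c all mode the ClusterId: lines override it as the output moves from cluster to cluster.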

Step 5: Clean up the RBAC bindings of a specified RAM user or RAM role in a cluster and revoke its KubeConfig permissions

You can run the ack-ram-tool rbac cleanup-user-permissions command to clean up the RBAC bindings of a specified RAM user or RAM role in the target cluster and to revoke that user's KubeConfig.

Important
  • If the log contains this user has been active in the past 7 days, the target RAM user or RAM role has accessed the cluster within the past 7 days. Proceed with caution.

  • Before performing the cleanup, ack-ram-tool backs up the original JSON of each binding to be deleted into a folder in the current directory named after the cluster ID.

Clean up the permissions of a RAM user or RAM role in a single cluster

Run the following command to clean up the permissions of a specified RAM user or RAM role in a single cluster.

You can obtain the <UID> used in the following command by running ack-ram-tool rbac scan-user-permissions -c <cluster-id>.

ack-ram-tool rbac cleanup-user-permissions -c <cluster-id> -u <UID>

Expected output:


2023-12-12T18:17:10+08:00 INFO start to scan users and bindings
2023-12-12T18:17:15+08:00 WARN we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T18:17:15+08:00 WARN we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T18:17:15+08:00 INFO start to check cluster audit log for user 25908395708943****
2023-12-12T18:17:16+08:00 WARN this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76e****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T18:17:37+08:00 INFO start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:38+08:00 INFO the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T18:17:38+08:00 INFO start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO all bindings and permissions have been cleaned up

Clean up the permissions of a RAM user or RAM role in all clusters

Run the following command to clean up the RBAC bindings of a specified RAM user or role in all clusters of the current Alibaba Cloud account and revoke its KubeConfig.

ack-ram-tool rbac cleanup-user-permissions -c all -u <UID>

Expected output:


2023-12-12T19:28:23+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T19:28:23+08:00 INFO start to get all clusters, users and roles
2023-12-12T19:28:24+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up bindings and permissions for cluster c401890df511a4362bf24bece4da6**** 
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan users and bindings
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up kubeconfig permissions for users as follows:
UID: 259083957089437690
2023-12-12T19:28:25+08:00 INFO [c401890df511a4362bf24bece4da6****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c401890df511a4362bf24bece4da****  
sls logstore: audit-c401890df511a4362bf24bece4da6**** 
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to backup binding ClusterRoleBinding/-/25908395708943**** -clusterrolebinding
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c401890df511a4362bf24bece4da6**** /ClusterRoleBinding--259083957089437XXX-clusterrolebinding.json
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] all bindings and permissions have been cleaned up
2023-12-12T19:28:49+08:00 INFO ---- c137a979dec21472c8279c903cfce****  (test-pro) ----
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up bindings and permissions for cluster c137a979dec21472c8279c903cfce**** 
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan users and bindings
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****   RamUser   ack-admin  ClusterRoleBinding/-/25908395708943**** -clusterrolebinding  
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943**** 
2023-12-12T19:28:51+08:00 INFO [c137a979dec21472c8279c903cfce****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T17:55:50+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce**** 
sls logstore: audit-c137a979dec21472c8279c903cfce**** 
last activity: 2023-12-12T17:55:50+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce**** /ClusterRoleBinding--25908395708943**** -clusterrolebinding.json
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] all bindings and permissions have been cleaned up
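
The cleanup log shown above carries two things a reviewer wants to check once the run is done: the "active in the past 7 days" warning together with the SLS project, logstore and last activity time (the audit trail to look at before the removal is accepted as correct), and the path of every backup file the tool reports having written. The following shell script is an added example and is not part of the ack-ram-tool documentation or of the tool itself. It reads a saved cleanup log and extracts both, failing if a reported backup file is absent. The function names, and the cluster ID, UID and file name in sample_cleanup_log, are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the ack-ram-tool documentation or the tool itself.
# Review a saved "ack-ram-tool rbac cleanup-user-permissions" log:
#   flagged_users  - principals the tool reported as active in the past 7 days,
#                    with the SLS project/logstore and last activity to review
#   verify_backups - confirm every backup file the tool says it wrote exists
# Usage: flagged_users < cleanup.log ; verify_backups < cleanup.log
# Run verify_backups in the directory the tool was run in: backup paths are relative.

# Print "<uid> <last-activity> <sls-project> <sls-logstore>" per flagged user.
# Exit 0 if at least one user was flagged, 1 if none.
flagged_users() {
  awk '
    /start to check cluster audit log for user/ { uid = $NF }
    /has been active in the past 7 days/ {
      # "...the last activity time was: 2023-12-12T10:27:56+08:00. You will..."
      if (match($0, /time was: [^ ]+\./))
        when = substr($0, RSTART + 10, RLENGTH - 11)
    }
    /^sls project:/  { project = $3 }
    /^sls logstore:/ { logstore = $3; print uid, when, project, logstore; n++ }
    END { exit (n > 0 ? 0 : 1) }
  '
}

# Print "ok <path>" for each backup file that exists; print "MISSING <path>"
# on stderr and return a non-zero status if any is absent.
verify_backups() {
  awk '/backed up to file/ { sub(/.*backed up to file /, ""); sub(/[[:space:]]+$/, ""); print }' |
    while IFS= read -r path; do
      if [ -f "$path" ]; then
        echo "ok $path"
      else
        echo "MISSING $path" >&2
        exit 1   # leaves the read loop's subshell; the pipeline returns 1
      fi
    done
}

# Constructed sample log; cluster ID, UID and file name are placeholders.
sample_cleanup_log() {
  cat <<'EOF'
2023-12-12T18:17:10+08:00 INFO start to scan users and bindings
2023-12-12T18:17:15+08:00 INFO start to check cluster audit log for user 210000000000000000
2023-12-12T18:17:16+08:00 WARN this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-cEXAMPLE0000000000000000000000
sls logstore: audit-cEXAMPLE0000000000000000000000
2023-12-12T18:17:38+08:00 INFO the origin binding ClusterRoleBinding/-/210000000000000000-clusterrolebinding have been backed up to file cEXAMPLE0000000000000000000000/ClusterRoleBinding--210000000000000000-clusterrolebinding.json
2023-12-12T18:17:38+08:00 INFO all bindings and permissions have been cleaned up
EOF
}

# Stand-alone demo on the sample (the backup check reports MISSING unless the file exists):
sample_cleanup_log | flagged_users
sample_cleanup_log | verify_backups || echo "review required: a reported backup file was not found"
```

In -c all mode the tool repeats the audit-log check and the backup line per cluster, so flagged_users prints one row per cluster for the same UID and verify_backups checks one file per cluster folder.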

References

For more information about managing KubeConfig, see "Revoke KubeConfig".