The permissions that ACK One GitOps has on an associated cluster are controlled by the RBAC rules of the ClusterRole ack-mc:argocd-ackone-dev, which the system creates by default; the default rules cannot be modified. If you need finer-grained control, for example a ClusterRole that grants GitOps only create and view permissions on Pods in the associated cluster, you can create a custom ClusterRole with the RBAC rules you want and bind it to the GitOps ServiceAccount. Keep in mind that Kubernetes RBAC is purely additive: a custom binding grants permissions in addition to those of ack-mc:argocd-ackone-dev and cannot take any of them away. This topic describes the default GitOps permissions and how to customize the permissions GitOps uses.
Background information
When you add an associated cluster to an ACK One Fleet instance, the system automatically creates the default ServiceAccount argocd-ackone-sa and the default ClusterRole ack-mc:argocd-ackone-dev, and binds the ClusterRole to the ServiceAccount. GitOps is authorized on the associated cluster through the RBAC rules that ack-mc:argocd-ackone-dev contains by default.
You can also customize the RBAC permissions of GitOps. To do so, create a custom ClusterRole or Role in the associated cluster and bind it to the default ServiceAccount argocd-ackone-sa with a ClusterRoleBinding or RoleBinding. A Role plus RoleBinding confines the grant to a single namespace; a ClusterRole plus ClusterRoleBinding applies cluster-wide.
Configure the RBAC permissions that GitOps uses on the associated cluster
1. Create a custom ClusterRole from the following YAML example.
Note: metadata.name is a name you choose. The rules section (apiGroups, resources and verbs) must be edited to match the permissions you actually want to grant; the example below grants create and delete on Pods, ConfigMaps and Endpoints in the core API group.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: <your ClusterRole name>
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - configmaps
  - endpoints
  verbs:
  - create
  - delete
2. Create a ClusterRoleBinding from the following YAML example to bind the custom ClusterRole to the default ServiceAccount argocd-ackone-sa, which grants argocd-ackone-sa the custom RBAC permissions.
Note: roleRef.name must be the name of the ClusterRole you created in the previous step. The subject name must be argocd-ackone-sa in the namespace ack-multiple-clusters; do not change it. Because RBAC is additive, this binding extends the permissions granted by ack-mc:argocd-ackone-dev rather than replacing them.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <ClusterRoleBinding name>
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: <your ClusterRole name>
subjects:
- kind: ServiceAccount
  name: argocd-ackone-sa
  namespace: ack-multiple-clusters
Default GitOps permissions
The ClusterRole ack-mc:argocd-ackone-dev that the system creates by default contains the following RBAC rules:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-mc:argocd-ackone-dev
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - namespaces
  - bindings
  - limitranges
  - resourcequotas
  - persistentvolumes
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - ""
  resources:
  - events
  - namespaces/status
  - replicationcontrollers/status
  - pods/status
  - pods/log
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - metrics.k8s.io
  resources:
  - pods
  verbs:
  - get
  - watch
  - list
- apiGroups:
  - networking.k8s.io
  resources:
  - '*'
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - alicloud.com
  resources:
  - '*'
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - log.alibabacloud.com
  resources:
  - '*'
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - serving.knative.dev
  resources:
  - '*'
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - eventing.knative.dev
  resources:
  - '*'
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - messaging.knative.dev
  resources:
  - '*'
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - sources.eventing.knative.dev
  resources:
  - '*'
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - alert.alibabacloud.com
  resources:
  - '*'
  verbs:
  - get
  - list
  - create
  - watch
  - patch
  - update
  - delete
  - deletecollection
- apiGroups:
  - alibabacloud.com
  resources:
  - externalsecrets
  - secretstores
  verbs:
  - '*'
- apiGroups:
  - apps.kruise.io
  - policy.kruise.io
  - rollouts.kruise.io
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - argoproj.io
  resources:
  - analysisruns
  - analysistemplates
  - clusteranalysistemplates
  - experiments
  - rollouts
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  - mutatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
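Before binding a custom ClusterRole as in the procedure above, or when reviewing what the default role already allows, it helps to evaluate the rules the way the API server's RBAC authorizer does. The following is an added example and is not code from ACK One or Argo CD: it re-implements the authorizer's matching rules (any matching rule grants; "*" matches everything; "*/<sub>" matches a subresource; there is no deny), answers "can argocd-ackone-sa do X?" offline from the YAML in Git, shows that binding a second ClusterRole only ever adds permissions, and flags the rules in the default role that a reviewer should look at (wildcard verbs, write access to admission webhooks and CRDs). DEFAULT_ROLE is a constructed excerpt of ack-mc:argocd-ackone-dev, and CUSTOM_ROLE (name gitops-secrets-reader) is a hypothetical ClusterRole; both are assumptions of the example.

```python
"""Offline evaluator for Kubernetes ClusterRole rules (added example, not ACK One code)."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]


def _resource_matches(rule_resources, resource):
    """Exact match, "*", or "*/<subresource>", as the RBAC authorizer does.
    Note that "pods" does NOT match "pods/log" or "pods/exec"."""
    _, _, sub = resource.partition("/")
    for r in rule_resources:
        if r == "*" or r == resource:
            return True
        if sub and r == "*/" + sub:
            return True
    return False


def rule_allows(rule, verb, group, resource):
    """True if this single rule grants <verb> on <group>/<resource> ("" = core group)."""
    if "*" not in rule.api_groups and group not in rule.api_groups:
        return False
    if "*" not in rule.verbs and verb not in rule.verbs:
        return False
    return _resource_matches(rule.resources, resource)


def can_i(rules, verb, group, resource):
    """One matching rule anywhere is enough; RBAC has no deny rules."""
    return any(rule_allows(r, verb, group, resource) for r in rules)


def effective_rules(*bound_roles):
    """Union of the rules of every role bound to the same subject. Nothing subtracts."""
    return [rule for role in bound_roles for rule in role]


def high_impact_rules(rules):
    """Rules worth a reviewer's attention: wildcard verbs, or write access to
    API-extension points through which a subject can affect every other
    workload in the cluster (admission webhooks, CRDs)."""
    sensitive = (
        ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"),
        ("admissionregistration.k8s.io", "validatingwebhookconfigurations"),
        ("apiextensions.k8s.io", "customresourcedefinitions"),
    )
    findings = []
    for rule in rules:
        if "*" in rule.verbs:
            findings.append(("wildcard-verbs", rule))
        elif any(rule_allows(rule, v, g, r) for g, r in sensitive
                 for v in ("create", "update", "patch")):
            findings.append(("extension-write", rule))
    return findings


RW = ("create", "delete", "deletecollection", "get", "list", "patch", "update", "watch")

# Constructed excerpt of ack-mc:argocd-ackone-dev as listed on this page (not the full role).
DEFAULT_ROLE = [
    Rule(("",), ("pods", "configmaps", "endpoints", "services", "namespaces"), RW),
    Rule(("",), ("events", "pods/status", "pods/log"), ("get", "list", "watch", "patch", "update")),
    Rule(("apps",), ("deployments", "replicasets", "statefulsets"), RW),
    Rule(("apiextensions.k8s.io",), ("customresourcedefinitions",), RW),
    Rule(("admissionregistration.k8s.io",),
         ("validatingwebhookconfigurations", "mutatingwebhookconfigurations"), ("*",)),
    Rule(("coordination.k8s.io",), ("leases",), ("*",)),
]

# Hypothetical custom ClusterRole (assumed name: gitops-secrets-reader) that a team
# might bind to argocd-ackone-sa; the default role never mentions Secrets.
CUSTOM_ROLE = [Rule(("",), ("secrets",), ("get", "list", "watch"))]


if __name__ == "__main__":
    merged = effective_rules(DEFAULT_ROLE, CUSTOM_ROLE)
    for verb, group, resource in [("create", "", "pods"), ("get", "", "pods/exec"),
                                  ("get", "", "secrets"), ("delete", "", "pods")]:
        print(f"{verb:7} {group or 'core'}/{resource:10} "
              f"default={can_i(DEFAULT_ROLE, verb, group, resource)!s:5} "
              f"default+custom={can_i(merged, verb, group, resource)}")
    for kind, rule in high_impact_rules(DEFAULT_ROLE):
        print(kind, rule.api_groups, rule.resources, rule.verbs)
```

The "delete pods" row stays true after the custom, narrower role is added, which is the practical consequence of RBAC being additive: the goal of giving GitOps only create and view on Pods cannot be reached by adding a binding while the default ClusterRoleBinding to ack-mc:argocd-ackone-dev remains. On a live associated cluster the API server answers the same question with `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:ack-multiple-clusters:argocd-ackone-sa`; the offline evaluator is for reviewing the YAML in a pull request before it reaches the cluster.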