全部產品
Search

搜尋本產品

    Container Service for Kubernetes:Agent組件有哪些RBAC許可權要求

    文件中心

    Container Service for Kubernetes:Agent組件有哪些RBAC許可權要求

    更新時間:Jan 11, 2025

    註冊叢集通過Stub組件和ack-cluster-agent訪問鏈路訪問叢集資源,所有操作許可權收斂於ack-cluster-agent組件所使用的ServiceAccount。安裝ack-cluster-agent組件時,會預設部署名為ack的ServiceAccount,同時有受限模式和管理員模式兩種許可權模式可供選擇,您可以根據需求更改RBAC授權規則。本文介紹註冊叢集ack-cluster-agent組件的RBAC許可權。

    前提條件

    已安裝ack-cluster-agent組件,且版本為1.13.1.105-g8ee9abb-aliyun及以上。詳細操作,請參見管理組件

    受限模式的RBAC許可權

    受限模式下,註冊叢集預設要求的最小授權為Agent相關ConfigMap讀許可權,授權規則如下所示。

    ---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-create-cm-role
  namespace: kube-system
  labels:
    ack/creator: "ack"
rules:
- apiGroups: 
  - ""
  resources: 
  - configmaps
  verbs: 
  - create 
---  
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-update-cm-role
  namespace: kube-system
  labels:
    ack/creator: "ack"
rules:
- apiGroups: 
  - ""
  resources: 
  - configmaps
  resourceNames: 
  - ack-agent-config
  - provider
  verbs: 
  - update
  - get
  
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-read-cm-role
  namespace: kube-public
  labels:
    ack/creator: "ack"
rules:
- apiGroups: 
  - ""
  resources: 
  - configmaps
  resourceNames: 
  - kube-root-ca.crt 
  verbs: 
  - get

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-create-cm-rolebinding
  namespace: kube-system
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-create-cm-role
  apiGroup: rbac.authorization.k8s.io
---  
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-update-cm-rolebinding
  namespace: kube-system
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-update-cm-role
  apiGroup: rbac.authorization.k8s.io    
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-read-cm-rolebinding
  namespace: kube-public
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-read-cm-role
  apiGroup: rbac.authorization.k8s.io  
---

    受限模式下,控制台功能將受到限制,例如,無法查看叢集中的工作負載。但可以使用onectl安裝組件,並在控制台中使用,例如Prometheus監控服務、Log Service等。

    使用onectl管理組件時,onectl將賦予Agent叢集臨時管理員權限,並在組件管理操作完成或被中斷後,取消Agent叢集的管理員權限。更多資訊,請參見通過onectl管理註冊叢集

    管理員模式的RBAC許可權

    管理員模式下,註冊叢集擁有叢集的管理員權限,授權規則如下所示。

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

    管理員模式下,控制台的所有功能均可正常使用。

    組件管理所需的RBAC許可權

    安裝或更新群組件時,例如terway-eniip或logtail-ds等組件,您需要臨時將名為ack-admin的ClusterRole使用權限設定為admin許可權。

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

    組件安裝或升級完成後,可將許可權恢複至以下最小許可權。

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider"]
  verbs: ["get","list","watch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["autoscaler-meta"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["pods","secrets"]
  verbs: ["list"]

    僅啟用節點池或彈性節點池功能所需的RBAC許可權

    安裝Terway組件或建立節點池時,您需要臨時將名為ack-admin的ClusterRole使用權限設定為admin許可權。

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

    節點池配置完成後,可將許可權恢複至以下最小許可權。

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip", "cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]

    開啟Log Service後查詢日誌所需的RBAC許可權

    註冊叢集開始Log Service功能後,若您需要在ACK控制台查詢相關日誌,需要設定以下許可權。

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-log
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get","list","watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["alibaba-log-controller", "logtail-ds", "kube-proxy-master"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["alibaba-log-configuration"]
  verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-agent-binding-log
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-agent-role-log
  apiGroup: rbac.authorization.k8s.io

    唯讀RBAC許可權

    用於使用者在阿里雲控制台查看Kubernetes的相關資源。

    apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-readonly-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - pods
  - pods/log
  - pods/exec
  - configmaps
  - endpoints
  - events
  - limitranges
  - persistentvolumeclaims
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - serviceaccounts
  - services
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - get
  - list
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - networkpolicies
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - get
  - list
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - get
  - list

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-readonly-clusterrolebinding
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-readonly-clusterrole
  apiGroup: rbac.authorization.k8s.io