The authorization system of Container Service for Kubernetes (ACK) consists of RAM authorization at the base resource layer and RBAC authorization at the ACK cluster layer; different user roles have different permission requirements at each of these two layers. This topic describes authorization best practices for three kinds of principals: cluster and application operations (O&M) staff, application developers, and permission administrators.
Authorization system
The ACK authorization system consists of RAM authorization at the base resource layer and RBAC authorization at the cluster layer, as shown in the following figure.
RAM authorization: authorization based on RAM system policies or custom policies. It operates at the cloud resource level. Through RAM authorization you obtain permission to call the OpenAPI operations of ACK and of the Alibaba Cloud services it depends on, which lets you perform the following O&M operations on clusters:
Clusters: create, view, upgrade, delete
Node pools: create, modify, scale out and scale in
Authorization management
Cluster monitoring, logs, and events
RBAC authorization: authorization based on Kubernetes RBAC. It operates at the level of resources inside the cluster and lets different users operate on different Kubernetes resources. It mainly covers create, read, update, and delete operations on the following Kubernetes object resources:
Workloads: Deployment, StatefulSet, DaemonSet, Job, CronJob, Pod, ReplicaSet, etc.
Networking: Service, Ingress, NetworkPolicy, etc.
Storage: PV, PVC, StorageClass, etc.
Namespace, ConfigMap, Secret, etc.
Scenario 1: the principal is an operator of the cluster and of the applications in it
The principal needs the permissions required to manage and operate the ACK cluster, and also needs to operate application resource objects inside the cluster. The authorization flow therefore includes both RAM authorization and RBAC authorization.
RAM authorization
On the RAM side, ACK provides two system policies: AliyunCSFullAccess and AliyunCSReadOnlyAccess.
AliyunCSFullAccess grants read and write access to all ACK OpenAPI operations.
AliyunCSReadOnlyAccess grants read-only access to all ACK OpenAPI operations.
If you need fine-grained permission control, you can create a custom policy. For details, see Use RAM to grant access to clusters and cloud resources.
A sample RAM policy for this scenario is shown below. Replace xxxxx in the cluster Resource with your cluster ID. For a description of each Action, see Action description.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:GetClusters",
        "cs:ModifyCluster",
        "cs:UpgradeCluster",
        "cs:DescribeClusterDetail",
        "cs:DescribeClusterVuls",
        "cs:DescribeClusterSecuritySummary",
        "cs:DescribeClusterUserKubeconfig",
        "cs:RevokeK8sClusterKubeConfig",
        "cs:CheckControlPlaneLogEnable",
        "cs:DescribeClusterResources",
        "cs:DescribeClusterEvents",
        "cs:DescribeClusterLogs",
        "cs:GetClusterAuditProject",
        "cs:ListClusterChecks",
        "cs:GetClusterCheck",
        "cs:RunClusterCheck",
        "cs:ModifyClusterAudit",
        "cs:DescribeResourcesDeleteProtection",
        "cs:UpdateResourcesDeleteProtection",
        "cs:DescribeClusterNodePools",
        "cs:DescribeClusterNodePoolDetail",
        "cs:CreateClusterNodePool",
        "cs:ModifyClusterNodePool",
        "cs:UpgradeClusterNodepool",
        "cs:DeleteClusterNodepool",
        "cs:CreateAutoscalingConfig",
        "cs:SyncClusterNodePool",
        "cs:RepairClusterNodePool",
        "cs:AttachInstancesToNodePool",
        "cs:ModifyNodePoolNodeConfig",
        "cs:DescribeClusterNodes",
        "cs:RemoveClusterNodes",
        "cs:RemoveNodePoolNodes",
        "cs:DiagnoseClustersNode",
        "cs:DescribeNodePoolVuls",
        "cs:FixNodePoolVuls",
        "cs:DrainNodes",
        "cs:DescribeClusterAddonMetadata",
        "cs:DescribeClusterAddonsVersion",
        "cs:InstallClusterAddons",
        "cs:UpgradeClusterAddons",
        "cs:ModifyClusterAddon",
        "cs:UnInstallClusterAddons",
        "cs:DescribeClusterAddonInstance",
        "cs:DescribeClusterAddonsUpgradeStatus",
        "cs:DescribeClusterAddonUpgradeStatus",
        "cs:ListClusterComponent",
        "cs:GetClusterComponent",
        "cs:DescribePolicyInstances",
        "cs:DeployPolicyInstance",
        "cs:ModifyPolicyInstance",
        "cs:DeletePolicyInstance",
        "cs:DescribePolicyGovernanceInCluster",
        "cs:DescribePolicyInstancesStatus",
        "cs:UpdateContactGroupForAlert",
        "cs:StartAlert",
        "cs:StopAlert",
        "cs:ListAlertRules",
        "cs:GetAlertHistory",
        "cs:DescribeClusterTasks",
        "cs:GetClusterBasicInfo",
        "cs:ListClusterReportSummary",
        "cs:GetClusterReportSummary",
        "cs:ListReportTaskRule",
        "cs:CreateTrigger",
        "cs:DescribeKubernetesClusterHookTrigger",
        "cs:CreateDiagnose",
        "cs:CreateClusterOverviewReport",
        "cs:GetAIDiagnosisResult",
        "cs:CreateReportTaskRule",
        "cs:CreateClusterReport",
        "cs:GetClusterCheckResult",
        "cs:GetClusterServices",
        "cs:UpdateControlPlaneLog",
        "cs:UpdateClusterName"
      ],
      "Resource": "acs:cs:*:*:cluster/xxxxx"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cs:DescribeSubAccountHelmPermission",
        "cs:CheckServiceRole",
        "cs:DeleteTriggerHook",
        "cs:QueryAlertContact",
        "cs:QueryAlertContactGroup",
        "cs:AddOrUpdateAlertContact",
        "cs:AddOrUpdateAlertContactGroup",
        "cs:DeleteAlertContact",
        "cs:DeleteAlertContactGroup",
        "cs:DescribeKubernetesVersionMetadata",
        "cs:ListOperationPlans",
        "cs:DescribeClusterEndpoints",
        "cs:DescribeTaskInfo",
        "cs:DescribeEvents",
        "cs:PauseTask",
        "cs:CancelTask",
        "cs:DescribeAddons",
        "cs:DeleteReportTaskRule",
        "cs:CreateSessionMessage",
        "cs:DescribePolicies",
        "cs:DescribePolicyDetails"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "vpc:DescribeVSwitches",
        "vpc:DescribeVpcs",
        "vpc:DescribeEipAddresses"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "kms:ListKeys",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "arms:ListDashboards",
        "arms:InstallAddon"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudshell:CreateEnvironment",
        "cloudshell:AttachStorage",
        "cloudshell:DetachStorage",
        "cloudshell:CreateSession"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ess:DescribeScalingActivities",
        "ess:DescribeScalingActivityDetail",
        "ess:DescribeLifecycleActions"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "oos:ListExecutions",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ecs:DescribeKeyPairs",
        "ecs:DescribeInstances",
        "ecs:DescribeSecurityGroups",
        "ecs:DescribeImages",
        "ecs:DescribePrice"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cr:ListInstance",
        "cr:ListInstanceDomain",
        "cr:ListRepository",
        "cr:ListArtifactTag"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:GetRole",
      "Resource": "acs:ram:*:*:role/aliyuncisdefaultrole"
    },
    {
      "Effect": "Allow",
      "Action": [
        "log:GetDashboard",
        "log:GetSavedSearch",
        "log:GetLogStore",
        "log:GetIndex",
        "log:UpdateIndex",
        "log:GetLogStoreLogs",
        "log:CreateDashboardSharing",
        "log:ListProject",
        "log:GetProjectLogs",
        "log:GetResourceRecord",
        "log:CreateResourceRecord",
        "log:UpdateResourceRecord"
      ],
      "Resource": "*"
    }
  ]
}
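The point of the policy above is scope: the cluster-mutating actions are bound to a single cluster ARN (acs:cs:*:*:cluster/<cluster ID>), while only listing and lookup actions are allowed on Resource "*". The following Python script is an added example, not part of this topic or of ACK's own tooling, that checks a RAM policy document for exactly that property before you attach it: it groups every allowed Action by the Resource it is bound to and flags non-read actions that are allowed on "*". The embedded policy is a constructed excerpt of the scenario-1 policy with the placeholder cluster ID c1234567890abcdef; the read/write classification by action-name prefix is an assumption of this script, not an ACK rule.

```python
"""Scope check for an ACK RAM policy document.

Added example, not part of this topic or of ACK's own tooling. It groups each
allowed Action by the Resource it is bound to, so that operations confined to
one cluster ARN are separated from operations allowed on every resource, and
flags non-read actions that are allowed on Resource "*".
"""
import json
import re

# Constructed excerpt of the scenario-1 policy above; c1234567890abcdef is a
# placeholder cluster ID, not a real one.
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:GetClusters",
        "cs:UpgradeCluster",
        "cs:DeleteClusterNodepool",
        "cs:DescribeClusterUserKubeconfig",
        "cs:RevokeK8sClusterKubeConfig"
      ],
      "Resource": "acs:cs:*:*:cluster/c1234567890abcdef"
    },
    {
      "Effect": "Allow",
      "Action": ["cs:DescribeAddons", "cs:DeleteAlertContact"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "ram:GetRole",
      "Resource": "acs:ram:*:*:role/aliyuncisdefaultrole"
    }
  ]
}
"""

# Assumption of this script, not an ACK rule: an action whose name starts with
# one of these prefixes only reads state. The heuristic classes
# cs:DescribeClusterUserKubeconfig as a read although it returns cluster
# credentials, which is one reason the policy above binds it to one cluster.
READ_PREFIXES = ("Describe", "Get", "List", "Query", "Check")

# Resource ARN form for a single ACK cluster: acs:cs:*:*:cluster/<id>
CLUSTER_RESOURCE = re.compile(r"^acs:cs:\*:\*:cluster/([A-Za-z0-9]+)$")


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def is_read_action(action):
    """cs:DescribeClusterDetail -> True, cs:UpgradeCluster -> False."""
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_PREFIXES)


def analyze_policy(policy_text):
    """Group allowed actions by scope and collect findings for wildcard writes."""
    policy = json.loads(policy_text)
    report = {"cluster_scoped": {}, "wildcard": [], "other": [], "findings": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt["Action"])
        for resource in _as_list(stmt["Resource"]):
            match = CLUSTER_RESOURCE.match(resource)
            if match:
                report["cluster_scoped"].setdefault(match.group(1), []).extend(actions)
            elif resource == "*":
                report["wildcard"].extend(actions)
                report["findings"].extend(
                    f'write action {a} allowed on Resource "*"'
                    for a in actions if not is_read_action(a)
                )
            else:
                report["other"].extend(actions)
    return report


if __name__ == "__main__":
    result = analyze_policy(POLICY_JSON)
    for cluster_id, acts in result["cluster_scoped"].items():
        print(f"cluster {cluster_id}: {len(acts)} actions")
    print("allowed on every resource:", result["wildcard"])
    print("other resources:", result["other"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

To check your own policy, pass its JSON text to analyze_policy(). The same check applies to the custom policies in scenarios 2 and 3 below; a finding is not automatically wrong (scenario 3 deliberately allows cs:GrantPermissions on "*"), it is a prompt to confirm the grant was intended.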
For more information about the ACK OpenAPI, see [Product change] Announcement on the optimization of ACK OpenAPI authentication and API overview.
RBAC authorization
After RAM authorization is complete, you also need to grant the RAM user or RAM role RBAC permissions on the corresponding cluster. ACK provides four predefined roles at the cluster level.
Role: RBAC permissions in the cluster
Administrator: read and write permissions on all resources in all namespaces.
Operator: read and write permissions on console-visible Kubernetes resources in all namespaces; read-only permissions on cluster nodes, persistent volumes, namespaces, and quotas.
Developer: read and write permissions on console-visible Kubernetes resources in all namespaces or in selected namespaces.
Restricted user: read-only permissions on console-visible Kubernetes resources in all namespaces or in selected namespaces.
1. Log on to the ACK console and choose Authorizations in the left navigation pane.
2. On the Authorizations page, click the RAM Users or RAM Roles tab depending on the principal, then click Manage Permissions in the Actions column of the target principal.
3. In the panel that appears, click + Add Permissions, set the permission for the target cluster and the corresponding namespace to Operator, and click Submit to complete the configuration.
After a predefined role is bound, ACK automatically creates a ClusterRoleBinding in the cluster for the identity of the authorized principal. The RBAC permissions of the predefined Operator role are as follows.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:ops
rules:
- apiGroups: [""]
  resources: ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["bindings", "events", "limitranges", "namespaces/status", "replicationcontrollers/status", "pods/log", "pods/status", "resourcequotas", "resourcequotas/status", "componentstatuses"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["namespaces", "nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["extensions"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
  verbs: ["update"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["alicloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["networking.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["config.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["rbac.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["istio.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["authentication.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["log.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["monitoring.kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["serving.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["messaging.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["sources.eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["tekton.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["alert.alibabacloud.com"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
If you need fine-grained RBAC control, you can create a custom ClusterRole by following the Kubernetes RBAC documentation, then choose Custom on the Authorizations page of the ACK console and select the name of your ClusterRole from the drop-down list. For details, see Use custom RBAC to restrict operations on cluster resources.
Scenario 2: the principal is a developer of applications in the cluster
The principal only needs permissions to operate on Kubernetes resource objects inside the ACK cluster (RBAC authorization) and does not need access to cloud resources.
Before RBAC authorization can be granted, the principal must hold at least read-only ACK permission on the target cluster (RAM authorization).
RAM authorization
In the RAM console, create a custom policy and attach it to the target RAM user or RAM role. For details, see Use RAM to grant access to clusters and cloud resources. The policy content is shown below; replace xxxxx with your actual cluster ID.
{
  "Statement": [
    {
      "Action": [
        "cs:GetClusters",
        "cs:DescribeClusterDetail",
        "cs:GetClusterAuditProject",
        "cs:DescribeResourcesDeleteProtection"
      ],
      "Resource": "acs:cs:*:*:cluster/xxxxx",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
Note: If you need to grant the principal read-only access to all clusters, you can attach the RAM system policy AliyunCSReadOnlyAccess provided by ACK.
RBAC authorization
1. Log on to the ACK console and choose Authorizations in the left navigation pane.
2. On the Authorizations page, click the RAM Users or RAM Roles tab depending on the principal, then click Manage Permissions in the Actions column of the target principal.
3. In the panel that appears, click + Add Permissions, set the permission for the target cluster and the corresponding namespace to Developer, and click Submit to complete the configuration.
After a predefined role is bound, ACK automatically creates a ClusterRoleBinding in the cluster for the identity of the authorized principal. The RBAC permissions of the predefined Developer role are as follows.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:ns:dev
rules:
- apiGroups: [""]
  resources: ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["events", "replicationcontrollers/status", "pods/log", "pods/status"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["extensions"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
  verbs: ["update"]
- apiGroups: ["alicloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["networking.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["config.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["rbac.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["istio.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["authentication.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["log.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["monitoring.kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["serving.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["messaging.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["sources.eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["tekton.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["alert.alibabacloud.com"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
If you need fine-grained RBAC control, you can create a custom ClusterRole by following the Kubernetes RBAC documentation, then choose Custom on the Authorizations page of the ACK console and select the name of your ClusterRole from the drop-down list. For details, see Use custom RBAC to restrict operations on cluster resources.
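The predefined cs:ops ClusterRole in scenario 1 and the cs:ns:dev ClusterRole in scenario 2 are long lists of PolicyRules, and the practical question for a reviewer is what a bound user can and cannot do. The following Python code is an added example, not ACK's code: a minimal evaluator that applies the Kubernetes RBAC matching rule (a request is allowed if some rule matches its apiGroup, resource and verb, with "*" as a wildcard) to constructed subsets of the two roles, reduced to the rules that differ. resourceNames, nonResourceURLs and the namespace scoping of the Developer binding are not modelled. It shows that both roles can create pods/exec and read secrets within their scope, while only cs:ops can list or patch nodes, and neither can delete nodes or create namespaces.

```python
"""Minimal Kubernetes RBAC evaluator for comparing two ClusterRoles.

Added example, not ACK's code. It applies the matching the API server uses
for a PolicyRule: a request is allowed if some rule matches its apiGroup,
resource and verb, where "*" in a rule matches any value. resourceNames,
nonResourceURLs and namespace scoping of the binding are not modelled.
"""

FULL = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
READ = ["get", "list", "watch"]

# Constructed subset of the cs:ops ClusterRole (scenario 1), reduced to the
# rules that matter for the comparison below.
CS_OPS = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec", "secrets"], "verbs": FULL},
    {"apiGroups": [""], "resources": ["resourcequotas"], "verbs": READ},
    {"apiGroups": [""], "resources": ["namespaces", "nodes", "persistentvolumes"], "verbs": READ + ["patch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "deployments/scale"], "verbs": FULL},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": READ},
    {"apiGroups": ["networking.k8s.io"], "resources": ["*"], "verbs": FULL},
]

# Constructed subset of the cs:ns:dev ClusterRole (scenario 2): the same
# namespaced rules, but no rule for nodes, namespaces, PVs or StorageClasses.
CS_NS_DEV = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec", "secrets"], "verbs": FULL},
    {"apiGroups": ["apps"], "resources": ["deployments", "deployments/scale"], "verbs": FULL},
    {"apiGroups": ["networking.k8s.io"], "resources": ["*"], "verbs": FULL},
]


def _matches(allowed, value):
    """A rule field matches if it lists the value or the wildcard "*"."""
    return "*" in allowed or value in allowed


def rule_allows(rule, api_group, resource, verb):
    """All three fields of a PolicyRule must match the request."""
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def can_i(rules, verb, resource, api_group=""):
    """True if any rule of the role allows the request (rules only add, never deny)."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def compare_roles(roles, requests):
    """Return {request: {role_name: allowed}} for (verb, resource, apiGroup) tuples."""
    table = {}
    for verb, resource, group in requests:
        key = f"{verb} {group + '/' if group else ''}{resource}"
        table[key] = {name: can_i(rules, verb, resource, group) for name, rules in roles.items()}
    return table


# Requests a reviewer would typically ask about for an operator vs a developer.
REQUESTS = [
    ("create", "pods/exec", ""),
    ("list", "secrets", ""),
    ("list", "nodes", ""),
    ("patch", "nodes", ""),
    ("delete", "nodes", ""),
    ("create", "namespaces", ""),
    ("delete", "ingresses", "networking.k8s.io"),
    ("update", "storageclasses", "storage.k8s.io"),
]

if __name__ == "__main__":
    roles = {"cs:ops": CS_OPS, "cs:ns:dev": CS_NS_DEV}
    for request, verdict in compare_roles(roles, REQUESTS).items():
        cells = "  ".join(f"{name}={'yes' if ok else 'no'}" for name, ok in verdict.items())
        print(f"{request:40} {cells}")
```

On a live cluster the equivalent check is kubectl auth can-i <verb> <resource> --as=<user>, which asks the API server itself and therefore also accounts for the binding's namespace and for any other roles bound to the same user.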
Scenario 3: the principal is a permission administrator for applications in the cluster
The principal needs to manage the RBAC permissions of other RAM users or RAM roles. By default, a RAM user or RAM role cannot grant RBAC permissions to other RAM users or RAM roles. If the principal opens the Authorizations page of the ACK console and the page shows the message "The current RAM user does not have permission to manage authorizations. Contact the Alibaba Cloud account or a permission administrator for authorization", the principal is missing either the required RAM authorization or the RBAC administrator authorization on the cluster.
RAM authorization
Make sure that the principal is granted the required RAM permissions. The policy must cover:
Listing other RAM users or RAM roles
Viewing the Kubernetes RBAC permission configuration of a specified RAM user or RAM role
Granting Kubernetes RBAC permissions
Log on to the RAM console and grant the corresponding RAM permissions to the specified RAM user or RAM role. For details, see Use RAM to grant access to clusters and cloud resources. A sample custom RAM policy is shown below.
{
  "Statement": [
    {
      "Action": [
        "ram:ListRoles",
        "ram:ListUserBasicInfos",
        "cs:GetClusters",
        "cs:DescribeUserPermission",
        "cs:DescribeClusterDetail",
        "cs:GrantPermissions",
        "cs:UpdateUserPermissions",
        "cs:GetClusterAuditProject",
        "cs:DescribeResourcesDeleteProtection",
        "cs:UpdateResourcesDeleteProtection",
        "cs:DescribeClusterAddonUpgradeStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ],
  "Version": "1"
}
RBAC authorization
1. Log on to the ACK console and choose Authorizations in the left navigation pane.
2. On the Authorizations page, click the RAM Users or RAM Roles tab depending on the principal, then click Manage Permissions in the Actions column of the target principal.
3. In the panel that appears, click + Add Permissions, set the permission for the target cluster and the corresponding namespace to Administrator, or select cluster-admin under Custom, and click Submit to complete the configuration.
Note: The Alibaba Cloud account (the root account) and the creator of the cluster are bound to cluster-admin by default and have access to all Kubernetes resource objects in the cluster.
Once the principal has both the RAM authorization and the RBAC authorization described above, it can manage RBAC authorization for other RAM users or RAM roles within the specified permission scope. For details, see Use RBAC to grant operation permissions on cluster resources.
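Because the Alibaba Cloud account and the cluster creator hold cluster-admin by default, and scenario 3 binds the permission administrator to it as well, a permission administrator should periodically review which subjects are bound to cluster-admin in each cluster. The following Python script is an added example, not ACK's code: it reads the JSON document that kubectl get clusterrolebindings -o json prints and lists every subject whose ClusterRoleBinding references a watched ClusterRole, handling bindings that have no subjects. The embedded document is a constructed sample in that shape with placeholder subject names (ram-user-alice, ram-user-bob, a ServiceAccount named ci in namespace build); nothing is assumed about how ACK names the subjects it creates.

```python
"""List the subjects bound cluster-wide to cluster-admin.

Added example, not ACK's code. Input is the document that
`kubectl get clusterrolebindings -o json` prints. SAMPLE_BINDINGS_JSON below
is a constructed sample in that shape with placeholder subject names; it is
not taken from a real cluster.
"""
import json
import sys

SAMPLE_BINDINGS_JSON = """
{
  "apiVersion": "v1",
  "kind": "List",
  "items": [
    {
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "cluster-admin"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "system:masters"}]
    },
    {
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "ram-user-alice-cluster-admin"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "ram-user-alice"}]
    },
    {
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "ram-user-bob-ops"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cs:ops"},
      "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "ram-user-bob"}]
    },
    {
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "ci-deployer-admin"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"},
      "subjects": [{"kind": "ServiceAccount", "name": "ci", "namespace": "build"}]
    },
    {
      "kind": "ClusterRoleBinding",
      "metadata": {"name": "orphaned-binding"},
      "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": "cluster-admin"}
    }
  ]
}
"""
SAMPLE_BINDINGS = json.loads(SAMPLE_BINDINGS_JSON)


def bindings_by_role(bindings):
    """Count ClusterRoleBindings per referenced ClusterRole."""
    counts = {}
    for item in bindings["items"]:
        ref = item["roleRef"]
        if ref.get("kind") == "ClusterRole":
            counts[ref["name"]] = counts.get(ref["name"], 0) + 1
    return counts


def find_subjects(bindings, role_names=("cluster-admin",)):
    """Return sorted 'Kind:[namespace/]name' strings bound to any ClusterRole in role_names."""
    found = set()
    for item in bindings["items"]:
        ref = item["roleRef"]
        if ref.get("kind") != "ClusterRole" or ref.get("name") not in role_names:
            continue
        # A binding may carry no subjects at all (the key is optional); skip it.
        for subject in item.get("subjects") or []:
            ns = subject.get("namespace")
            prefix = f"{ns}/" if ns else ""
            found.add(f"{subject['kind']}:{prefix}{subject['name']}")
    return sorted(found)


if __name__ == "__main__":
    # Usage: python audit.py [clusterrolebindings.json]; without a file the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_BINDINGS
    print("bindings per ClusterRole:", bindings_by_role(doc))
    for subject in find_subjects(doc):
        print("cluster-admin subject:", subject)
```

Run it against the saved output of kubectl get clusterrolebindings -o json; every User subject it lists for cluster-admin should correspond to a principal that was deliberately granted Administrator or cluster-admin on the Authorizations page, and ServiceAccount subjects should be traceable to a known workload.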