ACK注册集群agent组件的RBAC权限设置-阿里云开发者社区

ACK注册集群agent组件的RBAC权限设置

2022-11-14 310

版权

本文内容由阿里云实名注册用户自发贡献，版权归原作者所有，阿里云开发者社区不拥有其著作权，亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容，填写侵权投诉表单进行举报，一经查实，本社区将立刻删除涉嫌侵权内容。

本文涉及的产品

容器服务 Serverless 版 ACK Serverless，952元额度多规格

容器服务 Serverless 版 ACK Serverless，317元额度多规格

容器镜像服务 ACR，镜像仓库100个不限时长

简介： ACK注册集群agent组件的RBAC权限设置

用户使用ACK注册集群通过stub<->agent的访问链路访问集群资源，所有操作的权限收敛于ack-cluster-agent组件所使用的ServiceAccount，默认是名为ack的sa，授权为admin权限，用户可以根据具体需求自行更改授权规则。

前置条件

ack-cluster-agent版本已升级至v1.13.1.69-g00e1991-aliyun及以上。（请在ACK注册集群组件管理页面进行升级）

默认要求的最小化RBAC权限

ACK注册集群要求的最小的授权为节点列表的获取权限，授权规则如下所示：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config", "provider"]
  verbs: ["get", "list", "watch", "update"]

组件管理需要的RBAC权限

安装、更新addon组件，例如terway-eniip或logtail-ds等组件，需要临时将ClusterRole/ack-admin的权限设置为admin权限：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

组件安装、升级完毕后，可恢复至以下最小权限：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider"]
  verbs: ["get","list","watch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["autoscaler-meta"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["pods","secrets"]
  verbs: ["list"]

只启用节点池/弹性节点池功能的RBAC要求

安装terway组件或创建节点池时，需要临时将ClusterRole/ack-admin的权限设置为admin权限：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

节点池配置完毕后，可恢复至以下最小权限：

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip", "cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]

ACK注册集群agent组件的RBAC权限设置

前置条件

默认要求的最小化RBAC权限

组件管理需要的RBAC权限

只启用节点池/弹性节点池功能的RBAC要求

容器服务

热门文章

最新文章

相关产品

相关课程

相关电子书

相关实验场景

推荐镜像