使用API/CLI对阿里云子账户做ACK(Kubernetes) RBAC授权-阿里云开发者社区

开发者社区> 阿里云容器服务 ACK> 正文

使用API/CLI对阿里云子账户做ACK(Kubernetes) RBAC授权

简介: 使用API/CLI对阿里云子账户做ACK(Kubernetes) RBAC授权, 实现自动化运维和统一授权管理。系统管理员可以通过脚本,API实现对子账户的RAM,以及Kubernetes RBAC授权。

使用CloudShell 来一次完成ACK集群的RAM授权和RBAC授权

  1. 登录CloudShell获取一个配置完整集群管理命令行

image

  1. 授权

List existing users

aliyun ram ListUsers  | jq -r ".Users.User[].UserName"

wget https://ack-downloads.oss-cn-hangzhou.aliyuncs.com/rbac/ack-grant-once  -O ack-grant-once  && chmod 755 ack-grant-once

Grant permission once

./ack-grant-once <USER_NAME> <ROLE: one of custom:network-view, cs:admin, cs:ops and cs:dev>

e.g.

./ack-grant-once eric custom:network-view

Prerequisite

Prepare kube config for resource admin user kubernetes-admin before you get start cli and api calls.

Download public/privite kubernetes config file from cluster detail dashboard

https://cs.console.aliyun.com/#/k8s/cluster/<your_cluster_id>/info?eci=false

Otherwise fetch kubenetes config file with openAPI

https://help.aliyun.com/document_detail/86798.html?spm=a2c4g.11186623.6.804.385a49feoJu0gZ

Notice:
certificate-authority-data: kubeconfig ca
user->client-certificate-data: kubeconfig cert
user->client-key-data: kubeconfig key

Decode the base64 for above 3 ca/certs file to put into kubeconfig config.
echo * | base64 –d

RBAC

Grant permission of ACK RBAC thru CLI of kubectl

"cs:admin": cluster admin and full read/write access
"cs:ops": cluster operator without write access of pv/namespace/node
"cs:dev": developer of namespace level access

Additional network-view role is added for readonly access of network operator

"custom:network-view": read access for node/service/endpoints

wget http://ack-downloads.oss-cn-hangzhou.aliyuncs.com/rbac/ack-grant -O ack-grant  && chmod 755 ack-grant

./ack-grant <USER_ID> <ROLE: one of custom:network-view, cs:admin, cs:ops and cs:dev>

Use Python SDK to grant privilege to sub-account of aliyun

Kubernete Python SDK

pip install kubernetes
wget http://ack-downloads.oss-cn-hangzhou.aliyuncs.com/rbac/ack-grant.py -O ack-grant.py

python  ack-grant.py -u <UID of sub-account> -r cs:ops -c /Users/eric/.kube/config_f3

RBAC API

Example to DELETE existing clusterrolebinding

curl -k -v -XDELETE  -H "Accept: application/json" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.10.3 (darwin/amd64) kubernetes/2bba012" https://<public/private IP of Kubernetes API server>:6443/apis/rbac.authorization.k8s.io/v1/clusterrolebindings/<UID of sub-account>-clusterrolebinding

Create new clusterrolebinding

Request Body: {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"ClusterRoleBinding","metadata":{"name":"<UID of sub-account>-clusterrolebinding","namespace":""},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"ClusterRole","name":"cs:ops"},"subjects":[{"apiGroup":"rbac.authorization.k8s.io","kind":"User","name":"<UID of sub-account>"}]}

curl -k -v -XPOST  -H "Accept: application/json" -H "Content-Type: application/json" -H "User-Agent: kubectl/v1.10.3 (darwin/amd64) kubernetes/2bba012" https://<public/private IP of Kubernetes API server>:6443/apis/rbac.authorization.k8s.io/v1/clusterrolebindings

版权声明:本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《阿里云开发者社区用户服务协议》和《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。

分享:
阿里云容器服务 ACK
使用钉钉扫一扫加入圈子
+ 订阅

云端最佳容器应用运行环境,安全、稳定、极致弹性

官方博客
官网链接