RBAC permissions that MSE uses to access Container Service for Kubernetes (ACK)

ACK supports the native Kubernetes RBAC (Role-Based Access Control) authorization mechanism, which lets you grant different users different permissions on the Kubernetes resources of the same cluster. When you authorize the MSE service-linked role AliyunServiceRoleForMSE, the RBAC ClusterRole mse-aliyunserviceroleformse-clusterrole is bound to it by default, so that MSE accesses resources inside the ACK cluster with the RBAC permissions of that role. This covers the cluster resource access that the MSE control plane needs.

RBAC policy of the MSE service role

  • By default, ACK does not create this RBAC role on its own. It is created, together with its binding, only when you have authorized the MSE service role and MSE accesses the ACK cluster; the creation is triggered by MSE.

  • The RBAC role is used only for least-privilege access by the specified MSE features and does not affect the RBAC authorization of your own workloads. Review the rules below before authorizing: they include read access to Secrets and ConfigMaps and full control of Gateway API resources, and cluster-scoped resources such as nodes and namespaces can only be reached through a ClusterRoleBinding, which applies the grants in every namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mse-aliyunserviceroleformse-clusterrole
rules:
  # base: read-only access to core resources; note that this includes Secrets and ConfigMaps
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

  # ingress: read Ingress and IngressClass, all verbs on the Ingress status subresource only
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # Kubernetes Gateway API (formerly "Service APIs"; networking.x-k8s.io is the legacy v1alpha1 group).
  # The second rule grants all verbs on all resources in these groups, so the read-only rule is subsumed by it.
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]

  # CRD: read-only
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # istio: full read/write on WorkloadEntry and its status subresource
  - apiGroups: ["networking.istio.io"]
    resources: ["workloadentries"]
    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
  - apiGroups: ["networking.istio.io"]
    resources: ["workloadentries/status"]
    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]

  # create (but not update or delete) Services, Namespaces and Deployments
  - apiGroups: [""]
    resources: ["services", "namespaces"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create"]

  # MSE ingress configuration CRD and events: read-only
  - apiGroups: ["mse.alibabacloud.com"]
    resources: ["mseingressconfigs", "mseingressconfigs/status"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["events.k8s.io"]
    resources: ["events"]
    verbs: ["get", "watch", "list"]

How to revoke MSE's access to the ACK cluster

Method 1

You can revoke access by modifying the ClusterRole so that it grants nothing. Proceed as follows:

  1. Log on to the ACK console with your Alibaba Cloud account. In the left-side navigation pane, choose Clusters, then click the name of the target cluster.

  2. In the left-side navigation pane, choose Security Management > Roles.

  3. On the Roles page, click the Cluster Role tab and enter mse-aliyunserviceroleformse-clusterrole in the search box.

  4. In the Actions column of mse-aliyunserviceroleformse-clusterrole, click Edit YAML. Add the annotation inner.service.alibabacloud.com/user-customized: "true", which marks the role as customized by you rather than managed by MSE, and remove every entry under rules, leaving an empty list. The annotation value must be quoted: annotation values are strings, and the API server rejects a bare YAML boolean.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        inner.service.alibabacloud.com/user-customized: "true"
      name: mse-aliyunserviceroleformse-clusterrole
    rules: []
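
To see concretely what the ClusterRole above allows before and after Method 1, the following Python script (an added example, not part of the MSE or ACK documentation) evaluates the role's rules offline using the Kubernetes RBAC matching semantics: a request is allowed if any rule lists the verb (or "*"), the API group (or "*"), and the resource (exactly, "*", or "*/<subresource>" for subresource requests). The rule list is transcribed from the ClusterRole shown above, and DISABLED_RULES models the emptied rules from Method 1. The function names (can, resource_matches, write_grants) and the checks in the main block are this example's own. It evaluates the ClusterRole's rules only and does not know which subject the binding attaches them to, so on a live cluster you would still confirm with kubectl auth can-i against that subject.

```python
"""Offline evaluator for the rules of mse-aliyunserviceroleformse-clusterrole.

Added example, not part of the MSE/ACK documentation. The matching logic
follows Kubernetes RBAC semantics: a request (verb, apiGroup, resource) is
allowed if any rule grants it; "*" is a wildcard, and a rule resource of the
form "*/sub" matches the "sub" subresource of any resource.
"""
from typing import Dict, List, Tuple

Rule = Dict[str, List[str]]

# Transcribed from the ClusterRole on this page; "" is the core API group.
MSE_RULES: List[Rule] = [
    {"apiGroups": [""], "resources": ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses", "ingressclasses"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses/status"], "verbs": ["*"]},
    {"apiGroups": ["networking.x-k8s.io", "gateway.networking.k8s.io"], "resources": ["*"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["networking.x-k8s.io", "gateway.networking.k8s.io"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["networking.istio.io"], "resources": ["workloadentries"], "verbs": ["get", "watch", "list", "update", "patch", "create", "delete"]},
    {"apiGroups": ["networking.istio.io"], "resources": ["workloadentries/status"], "verbs": ["get", "watch", "list", "update", "patch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["services", "namespaces"], "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch", "create"]},
    {"apiGroups": ["mse.alibabacloud.com"], "resources": ["mseingressconfigs", "mseingressconfigs/status"], "verbs": ["get", "watch", "list"]},
    {"apiGroups": ["events.k8s.io"], "resources": ["events"], "verbs": ["get", "watch", "list"]},
]

# The ClusterRole after Method 1 on this page: rules emptied, nothing granted.
DISABLED_RULES: List[Rule] = []


def resource_matches(rule_resources: List[str], resource: str) -> bool:
    """Port of the Kubernetes RBAC ResourceMatches helper: "*" matches
    everything, an exact name matches, and "*/sub" matches any resource's
    "sub" subresource (so "ingresses/status" but not "ingresses")."""
    subresource = resource.split("/", 1)[1] if "/" in resource else ""
    for r in rule_resources:
        if r == "*" or r == resource:
            return True
        if subresource and r == "*/" + subresource:
            return True
    return False


def can(rules: List[Rule], verb: str, group: str, resource: str) -> bool:
    """True if any rule grants `verb` on `group`/`resource`."""
    return any(
        ("*" in rule.get("verbs", []) or verb in rule.get("verbs", []))
        and ("*" in rule.get("apiGroups", []) or group in rule.get("apiGroups", []))
        and resource_matches(rule.get("resources", []), resource)
        for rule in rules
    )


WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def write_grants(rules: List[Rule]) -> List[Tuple[str, str, str]]:
    """Every (group, resource, verb) triple through which the role can change
    cluster state; the part of a managed role most worth reviewing."""
    found = set()
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    if verb in WRITE_VERBS:
                        found.add((group, resource, verb))
    return sorted(found)


if __name__ == "__main__":
    # Constructed checks: the questions a cluster owner would ask of this role.
    checks = [
        ("get", "", "secrets"),
        ("create", "", "secrets"),
        ("delete", "", "pods"),
        ("delete", "gateway.networking.k8s.io", "httproutes"),
        ("patch", "networking.k8s.io", "ingresses/status"),
        ("patch", "networking.k8s.io", "ingresses"),
        ("create", "apps", "deployments"),
    ]
    for verb, group, resource in checks:
        print(f"{verb:7} {group or 'core':28} {resource:18} -> {can(MSE_RULES, verb, group, resource)}")
    print("write grants:", write_grants(MSE_RULES))
    # After Method 1 the same questions must all come back False.
    print("all denied after Method 1:", not any(can(DISABLED_RULES, v, g, r) for v, g, r in checks))
```

Running it shows that the role can read Secrets and ConfigMaps but not create or delete them, that it can do anything to Gateway API resources because of the wildcard rule, and that it cannot patch an Ingress itself, only its status subresource. With the emptied rules from Method 1 every check returns False, which is the result to confirm after applying the change.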
Method 2

You can revoke access by deleting the service-linked role AliyunServiceRoleForMSE. This removes the identity that the ClusterRole's binding refers to, so the MSE features that depend on access to this cluster will stop working.