本文介绍ACK服务关联角色AliyunServiceRoleForContainerService以及如何删除该角色。

背景信息

ACK服务关联角色AliyunServiceRoleForContainerService是ACK在某些情况下,为了完成自身的某个功能,需要获取其他云服务的访问权限而提供的RAM角色。更多关于服务关联角色的信息,请参见服务关联角色。

应用场景

ACK管控功能需要访问负载均衡SLB(Server Load Balancer)、弹性伸缩ESS(Elastic Scaling Service)、云服务器ECS(Elastic Compute Service)、专有网络VPC(Virtual Private Cloud)、资源编排服务ROS(Resource Orchestration Service)等云服务的资源时,可通过自动创建的ACK服务关联角色AliyunServiceRoleForContainerService获取访问权限。

权限说明

ACK服务关联角色AliyunServiceRoleForContainerService具备以下云服务的访问权限。详情请参见服务关联角色策略内容。请注意:除RAM相关语句外,以下各语句的Resource均为"*",即该角色可对当前账号内的所有ECS、VPC、SLB、DNS、RDS、ROS、ESS、CMS、ENS资源执行所列操作,而不仅限于ACK集群自身创建的资源。其中包含云助手命令相关操作(ecs:CreateCommand、ecs:RunCommand、ecs:InvokeCommand等,可在ECS实例内执行命令)、rds:ModifySecurityIps(修改RDS访问白名单)和dns:AddDomainRecord(添加域名解析记录);RAM语句中ram:CreateRole和ram:CreatePolicy的Resource为账号内全部角色和策略,而Attach/Detach/Delete操作仅限于KubernetesMasterRole-*、KubernetesWorkerRole-*及对应的k8s*RolePolicy-*。评估该角色的安全影响时,请以当前实际生效的完整策略内容为准。

	{
            "Action": [
                "ecs:RunInstances",
                "ecs:RenewInstance",
                "ecs:Create*",
                "ecs:AllocatePublicIpAddress",
                "ecs:AllocateEipAddress",
                "ecs:Delete*",
                "ecs:StartInstance",
                "ecs:StopInstance",
                "ecs:RebootInstance",
                "ecs:Describe*",
                "ecs:AuthorizeSecurityGroup",
                "ecs:RevokeSecurityGroup",
                "ecs:AuthorizeSecurityGroupEgress",
                "ecs:AttachDisk",
                "ecs:DetachDisk",
                "ecs:WaitFor*",
                "ecs:AddTags",
                "ecs:ReplaceSystemDisk",
                "ecs:ModifyInstanceAttribute",
                "ecs:JoinSecurityGroup",
                "ecs:LeaveSecurityGroup",
                "ecs:UnassociateEipAddress",
                "ecs:ReleaseEipAddress",
                "ecs:CreateKeyPair",
                "ecs:ImportKeyPair",
                "ecs:AttachKeyPair",
                "ecs:DetachKeyPair",
                "ecs:DeleteKeyPairs",
                "ecs:AttachInstanceRamRole",
                "ecs:DetachInstanceRamRole",
                "ecs:AllocateDedicatedHosts",
                "ecs:CreateOrder",
                "ecs:DeleteInstance",
                "ecs:CreateDisk",
                "ecs:Createvpc",
                "ecs:Deletevpc",
                "ecs:DeleteVSwitch",
                "ecs:ResetDisk",
                "ecs:DeleteSnapshot",
                "ecs:AllocatePublicIpAddress",
                "ecs:CreateVSwitch",
                "ecs:DeleteSecurityGroup",
                "ecs:CreateImage",
                "ecs:RemoveTags",
                "ecs:ReleaseDedicatedHost",
                "ecs:CreateInstance",
                "ecs:RevokeSecurityGroupEgress",
                "ecs:DeleteDisk",
                "ecs:StopInstance",
                "ecs:CreateSecurityGroup",
                "ecs:DeleteImage",
                "ecs:ModifyInstanceSpec",
                "ecs:CreateSnapshot",
                "ecs:CreateCommand",
                "ecs:InvokeCommand",
                "ecs:StopInvocation",
                "ecs:DeleteCommand",
                "ecs:RunCommand",
                "ecs:DescribeInvocationResults",
                "ecs:ModifyCommand"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
		

	{
            "Action": [
                "vpc:Describe*",
                "vpc:AllocateEipAddress",
                "vpc:AssociateEipAddress",
                "vpc:UnassociateEipAddress",
                "vpc:ReleaseEipAddress",
                "vpc:CreateRouteEntry",
                "vpc:DeleteRouteEntry",
                "vpc:CreateVSwitch",
                "vpc:DeleteVSwitch",
                "vpc:CreateVpc",
                "vpc:DeleteVpc",
                "vpc:CreateNatGateway",
                "vpc:DeleteNatGateway",
                "vpc:CreateSnatEntry",
                "vpc:DeleteSnatEntry",
                "vpc:ModifyEipAddressAttribute",
                "vpc:CreateForwardEntry",
                "vpc:DeleteBandwidthPackage",
                "vpc:CreateBandwidthPackage",
                "vpc:DeleteForwardEntry",
                "vpc:TagResources",
                "vpc:DeletionProtection"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
		

	{
            "Action": [
                "slb:Describe*",
                "slb:CreateLoadBalancer",
                "slb:DeleteLoadBalancer",
                "slb:RemoveBackendServers",
                "slb:StartLoadBalancerListener",
                "slb:StopLoadBalancerListener",
                "slb:CreateLoadBalancerTCPListener",
                "slb:AddBackendServers*",
                "slb:CreateVServerGroup",
                "slb:CreateLoadBalancerHTTPSListener",
                "slb:CreateLoadBalancerUDPListener",
                "slb:ModifyLoadBalancerInternetSpec",
                "slb:SetBackendServers",
                "slb:AddVServerGroupBackendServers",
                "slb:DeleteVServerGroup",
                "slb:ModifyVServerGroupBackendServers",
                "slb:CreateLoadBalancerHTTPListener",
                "slb:RemoveVServerGroupBackendServers",
                "slb:DeleteLoadBalancerListener",
                "slb:AddTags",
                "slb:RemoveTags",
                "slb:SetLoadBalancerDeleteProtection"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
		

	{
            "Action": [
                "dns:Describe*",
                "dns:AddDomainRecord"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
		

	{
            "Action": [
                "rds:Describe*",
                "rds:ModifySecurityIps"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
		

	{
            "Action": [
                "ros:Describe*",
                "ros:WaitConditions",
                "ros:AbandonStack",
                "ros:DeleteStack",
                "ros:CreateStack",
                "ros:UpdateStack",
                "ros:ValidateTemplate",
                "ros:DoActions",
                "ros:InquiryStack",
                "ros:SetDeletionProtection",
                "ros:PreviewStack"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
		

	{
            "Action": [
                "ess:Describe*",
                "ess:CreateScalingConfiguration",
                "ess:EnableScalingGroup",
                "ess:ExitStandby",
                "ess:DetachDBInstances",
                "ess:DetachLoadBalancers",
                "ess:AttachInstances",
                "ess:DeleteScalingConfiguration",
                "ess:AttachLoadBalancers",
                "ess:DetachInstances",
                "ess:ModifyScalingRule",
                "ess:RemoveInstances",
                "ess:ModifyScalingGroup",
                "ess:AttachDBInstances",
                "ess:CreateScalingRule",
                "ess:DeleteScalingRule",
                "ess:ExecuteScalingRule",
                "ess:SetInstancesProtection",
                "ess:ModifyNotificationConfiguration",
                "ess:CreateNotificationConfiguration",
                "ess:EnterStandby",
                "ess:DeleteScalingGroup",
                "ess:CreateScalingGroup",
                "ess:DisableScalingGroup",
                "ess:DeleteNotificationConfiguration",
                "ess:ModifyScalingConfiguration",
                "ess:SetGroupDeletionProtection",
                "ess:CreateLifecycleHook",
                "ess:DescribeLifecycleHooks",
                "ess:ModifyLifecycleHook",
                "ess:DeleteLifecycleHook"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
		

	{
            "Action": [
                "ram:GetUser",
                "ram:ListUsers",
                "ram:GetRole",
                "ram:ListPoliciesForRole"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:DetachPolicyFromRole",
                "ram:AttachPolicyToRole",
                "ram:DeletePolicy",
                "ram:DeletePolicyVersion",
                "ram:DeleteRole"
            ],
            "Resource": [
                "acs:ram:*:*:role/KubernetesMasterRole-*",
                "acs:ram:*:*:role/KubernetesWorkerRole-*",
                "acs:ram:*:*:policy/k8sMasterRolePolicy-*",
                "acs:ram:*:*:policy/k8sWorkerRolePolicy-*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:CreateRole",
                "ram:CreatePolicy"
            ],
            "Resource": [
                "acs:ram:*:*:role/*",
                "acs:ram:*:*:policy/*"
            ],
            "Effect": "Allow"
        }
		

	{
            "Action": [
                "cms:CreateMyGroups",
                "cms:AddMyGroupInstances",
                "cms:DeleteMyGroupInstances",
                "cms:DeleteMyGroups",
                "cms:GetMyGroups",
                "cms:ListMyGroups",
                "cms:UpdateMyGroupInstances",
                "cms:UpdateMyGroups",
                "cms:TaskConfigCreate",
                "cms:TaskConfigList"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
		

	{
            "Action": [
                "ens:Describe*",
                "ens:CreateInstance",
                "ens:StartInstance",
                "ens:StopInstance",
                "ens:ReleasePrePaidInstance"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
		

删除ACK服务关联角色

如果您需要删除ACK服务关联角色AliyunServiceRoleForContainerService,请注意删除AliyunServiceRoleForContainerService后,ACK管控功能将失去上述全部权限,您无法进行集群管理(包括但不限于创建集群、扩容、弹性伸缩等)。后续再次创建集群时,系统会尝试自动重新创建该角色,此时执行操作的身份需要具备下文"常见问题"中所述的ram:CreateServiceLinkedRole权限。删除AliyunServiceRoleForContainerService的操作步骤如下。

注意 如果当前账号下还存在ACK集群,则需先删除这些集群,才能删除AliyunServiceRoleForContainerService,否则提示删除失败。
  1. 登录RAM控制台
  2. 在左侧导航栏,单击RAM角色管理
  3. RAM角色管理页面的搜索框中,输入AliyunServiceRoleForContainerService。
  4. 在搜索到名称为AliyunServiceRoleForContainerService的RAM角色的右侧,单击删除
  5. 删除RAM角色对话框中,单击确定
    • 如果当前账号下还存在ACK集群,需先删除集群,才能删除AliyunServiceRoleForContainerService,否则提示删除失败。
    • 如果当前账号下的ACK集群已全部删除完成,则可直接删除AliyunServiceRoleForContainerService。

常见问题

问:为什么我的RAM用户无法自动创建ACK服务关联角色AliyunServiceRoleForContainerService?

答:自动创建或删除AliyunServiceRoleForContainerService需要相应的RAM权限。当RAM用户无法自动创建该角色时,请为其添加以下权限策略(该策略仅授予创建服务关联角色的权限,不包含删除权限)。请务必保留其中的Condition:将ram:ServiceName限定为cs.aliyuncs.com后,该RAM用户只能创建ACK的服务关联角色,而不能为其他云服务创建服务关联角色。
{
    "Statement": [
        {
            "Action": [
                "ram:CreateServiceLinkedRole"
            ],
            "Resource": "acs:ram:*:主账号ID:role/*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": [
                        "cs.aliyuncs.com"
                    ]
                }
            }
        }
    ],
    "Version": "1"
}
说明 请将主账号ID替换为您实际的阿里云账号(主账号)ID。Resource中的账号ID与Condition中的ram:ServiceName共同限定了授权范围,请勿将Resource放宽为acs:ram:*:*:role/*或删除Condition,否则会扩大该RAM用户可创建服务关联角色的范围。