备案控制台
文档
产品文档
输入文档关键字查找
首页 容器服务 Kubernetes 版 ACK 分布式云容器平台 ACK One 操作指南 注册集群 授权 注册集群ack-cluster-agent组件RBAC权限说明

注册集群ack-cluster-agent组件RBAC权限说明

更新时间:
一键部署
产品详情
相关技术圈
我的收藏

注册集群通过Stub组件和ack-cluster-agent访问链路访问集群资源,所有操作权限收敛于ack-cluster-agent组件所使用的ServiceAccount。安装ack-cluster-agent组件时,会默认部署名为ack的ServiceAccount,同时有受限模式和普通模式两种权限模式可供选择,您可以根据需求更改RBAC授权规则。本文介绍注册集群ack-cluster-agent组件的RBAC权限。

前提条件

确保ack-cluster-agent组件为v1.13.1.69-g00e1991-aliyun及以上版本。关于组件升级操作,请参见管理组件

受限模式的RBAC权限

受限模式下,注册集群默认要求的最小授权为节点列表的获取权限,授权规则如下所示。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-nodelist
  labels:
    ack/creator: "ack"
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - list

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-configmap
  labels:
    ack/creator: "ack"
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - ack-agent-config
  - provider
  verbs:
  - get
  - watch
  - update
  - list

受限模式下,控制台功能将受到限制,例如,无法查看集群中的工作负载。但可以使用onectl安装组件,并在控制台中使用,例如Prometheus监控服务、日志服务等。

使用onectl管理组件时,onectl将赋予Agent集群临时管理员权限,并在组件管理操作完成或被中断后,取消Agent集群的管理员权限。更多信息,请参见通过onectl管理注册集群

普通模式的RBAC权限

普通模式下,注册集群拥有集群的管理员权限,授权规则如下所示。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

普通模式下,控制台的所有功能均可正常使用。

组件管理所需的RBAC权限

安装或更新组件时,例如terway-eniip或logtail-ds等组件,您需要临时将名为ack-admin的ClusterRole权限设置为admin权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

组件安装或升级完成后,可将权限恢复至以下最小权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider"]
  verbs: ["get","list","watch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["autoscaler-meta"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["pods","secrets"]
  verbs: ["list"]

仅启用节点池或弹性节点池功能所需的RBAC权限

安装Terway组件或创建节点池时,您需要临时将名为ack-admin的ClusterRole权限设置为admin权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

节点池配置完成后,可将权限恢复至以下最小权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip", "cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]

开启日志服务后查询日志所需的RBAC权限

注册集群开始日志服务功能后,若您需要在ACK控制台查询相关日志,需要设置以下权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-log
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get","list","watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["alibaba-log-controller", "logtail-ds", "kube-proxy-master"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["alibaba-log-configuration"]
  verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-agent-binding-log
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-agent-role-log
  apiGroup: rbac.authorization.k8s.io
文档推荐
  • 本页导读 (1)
文档反馈