Default cluster role permissions
In an ACK One registered cluster, the default cluster role for the ack-virtual-node component includes these permissions:
Default permissions
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-virtual-node-clusterrole
rules:
- apiGroups:
- ''
resources:
- pods
verbs:
- get
- list
- watch
- patch
- delete
- apiGroups:
- ''
resources:
- pods/status
verbs:
- update
- patch
- apiGroups:
- ''
resources:
- pods/binding
verbs:
- create
- apiGroups:
- ''
resources:
- nodes
verbs:
- get
- list
- watch
- create
- delete
- update
- patch
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests
verbs:
- get
- list
- watch
- create
- delete
- apiGroups:
- certificates.k8s.io
resources:
- certificatesigningrequests/approval
- certificatesigningrequests/signerName
- certificatesigningrequests/status
verbs:
- update
- patch
- apiGroups:
- admissionregistration.k8s.io
resourceNames:
- vk-webhook
resources:
- mutatingwebhookconfigurations
verbs:
- get
- list
- watch
- delete
- patch
- apiGroups:
- admissionregistration.k8s.io
resources:
- mutatingwebhookconfigurations
verbs:
- create
- apiGroups:
- rbac.authorization.k8s.io
resources:
- clusterroles
- clusterrolebindings
- roles
- rolebindings
verbs:
- get
- list
- watch
- create
- delete
- update
- apiGroups:
- apps
resources:
- deployments
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- coordination.k8s.io
resourceNames:
- vk-scaler-leader
- vk-store
resources:
- leases
verbs:
- get
- patch
- update
- list
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- eci.alibabacloud.com
resources:
- imagecaches
verbs:
- get
- list
- watch
- apiGroups:
- eci.alibabacloud.com
resources:
- imagecaches/status
verbs:
- update
- apiGroups:
- ''
- discovery.k8s.io
resources:
- endpoints
- endpointslices
- services
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- create
- patch
- update
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- get
- list
- watch
- update
- create
- apiGroups:
- apps.kruise.io
resources:
- sidecarsets
verbs:
- get
- list
- watch
- apiGroups:
- sidecarset.alibabacloud.com
resources:
- sidecarsetresourcebindings
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- csinodes
verbs:
- get
- create
- apiGroups:
- apps.kruise.io
resources:
- containerrecreaterequests
verbs:
- get
- list
- watch
- apiGroups:
- apps.kruise.io
resources:
- containerrecreaterequests/status
verbs:
- update
- apiGroups:
- ''
resourceNames:
- default
resources:
- serviceaccounts/token
verbs:
- create
- apiGroups:
- authentication.k8s.io
resources:
- tokenreviews
verbs:
- create
- apiGroups:
- authorization.k8s.io
resources:
- subjectaccessreviews
verbs:
- create
- apiGroups:
- ''
resources:
- persistentvolumeclaims
- persistentvolumes
verbs:
- get
- list
- watch
- apiGroups:
- storage.k8s.io
resources:
- storageclasses
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- nodes/status
verbs:
- update
- patch
- apiGroups:
- ''
resources:
- nodes/proxy
verbs:
- create
- apiGroups:
- ''
resources:
- nodes/log
- nodes/metrics
- nodes/status
verbs:
- get
- list
- watch
- apiGroups:
- storage.alibabacloud.com
resources:
- containernetworkfilesystems
verbs:
- get
- list
- watch
- apiGroups:
- monitoring.coreos.com
resources:
- podmonitors
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- secrets
- configmaps
verbs:
- create
- apiGroups:
- ''
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- ''
resources:
- configmaps
verbs:
- get
- list
- watch
- apiGroups:
- ''
resourceNames:
- eci-profile
resources:
- configmaps
verbs:
- get
- patch
- watch
- update
- apiGroups:
- 'network.alibabacloud.com'
resources:
- podnetworkings
verbs:
- get
- list
- watch
Customize the cluster role
By default, the ack-virtual-node component requires get, list, and watch permissions on secret resources, which allows applications to mount and use them.
However, if you know the specific names of the secrets that your application requires, you can restrict the permissions to only those resources for least privilege.
Procedure
Log on to the ACK console. In the left navigation pane, click Clusters.
On the Clusters page, click the name of your cluster. In the left navigation pane, click Components and Add-ons.
-
On the Add-ons page, find the ack-virtual-node component. On the component's card, you can install, uninstall, upgrade, or modify its parameters.
|
Parameter
|
Description
|
Example
|
|
ACKVirtualNodeAllowLWResources
|
Allows the virtual node to use list-watch to access specific secret resources by name. Default: false.
|
true
|
|
ACKVirtualNodeAllowLWSecrets
|
The names of the secret resources accessible via list-watch. Separate multiple names with commas.
|
secret1,secret2
|
Verify the permissions
-
Run the following command to inspect the ClusterRoleBinding and its bound cluster role:
kubectl get clusterrolebinding ack-virtual-node-clusterrolebinding -o yaml
-
Run the following command to test the permissions:
kubectl auth can-i get secrets --as=system:serviceaccount:kube-system:ack-virtual-node
The command outputs yes if the ack-virtual-node component has permission, and no otherwise.