RBAC access permissions for ACK

更新时间:
复制 MD 格式

Role-Based Access Control (RBAC) is a method of regulating access based on roles. To use ACK node labels for a grayscale deployment of components, you must grant the component read-only permission to retrieve the node labels.

ACK RBAC access permissions

To enable grayscale deployments that use ACK node labels, you must grant the component permission to retrieve cluster label information. The following code shows the required permissions and their scope.

Note

The component only retrieves cluster labels and does not access your business data.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sysom-aliyunserviceroleforsysom-clusterrole
rules:
  - apiGroups:
      - ''
    resources:
      - pods
      - nodes
      - services
    verbs:
      - get
      - list
      - watch

Revoke component access to the cluster

If you no longer need to use ACK node labels for grayscale deployments, follow these steps to revoke the component's access to the cluster.

  1. Log on to the ACK console.

  2. In the navigation pane on the left, click Cluster List. Then, click the name of the target cluster.

  3. In the navigation pane on the left, choose Security Management > Roles > Cluster Role.

  4. In the search box, enter sysom-aliyunserviceroleforsysom-clusterrole.

  5. In the Actions column, click Edit YAML. Add the annotation configuration inner.service.alibabacloud.com/user-customized: 'true' and delete all permissions under the rules field, as shown in the following example.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        inner.service.alibabacloud.com/user-customized: 'true' # Marked as user-customized
      name: sysom-aliyunserviceroleforsysom-clusterrole
    rules: null