Role-Based Access Control (RBAC) is a method of regulating access based on roles. To use ACK node labels for a grayscale deployment of components, you must grant the component read-only permission to retrieve the node labels.
ACK RBAC access permissions
To enable grayscale deployments that use ACK node labels, you must grant the component permission to retrieve cluster label information. The following code shows the required permissions and their scope.
The component only retrieves cluster labels and does not access your business data.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sysom-aliyunserviceroleforsysom-clusterrole
rules:
- apiGroups:
- ''
resources:
- pods
- nodes
- services
verbs:
- get
- list
- watchRevoke component access to the cluster
If you no longer need to use ACK node labels for grayscale deployments, follow these steps to revoke the component's access to the cluster.
Log on to the ACK console.
In the navigation pane on the left, click Cluster List. Then, click the name of the target cluster.
In the navigation pane on the left, choose .
In the search box, enter
sysom-aliyunserviceroleforsysom-clusterrole.In the Actions column, click Edit YAML. Add the
annotationconfigurationinner.service.alibabacloud.com/user-customized: 'true'and delete all permissions under therulesfield, as shown in the following example.apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: inner.service.alibabacloud.com/user-customized: 'true' # Marked as user-customized name: sysom-aliyunserviceroleforsysom-clusterrole rules: null