Authorization best practices

The authorization system of Container Service for Kubernetes (ACK) consists of RAM authorization for the underlying cloud resource layer and RBAC authorization for the ACK cluster layer; different user roles need different permissions at each of these two layers. This topic describes authorization best practices for three kinds of grantees: cluster and application O&M engineers, application developers, and permission administrators.

ACK authorization system

The ACK authorization system consists of RAM authorization for the underlying cloud resource layer and RBAC authorization for the ACK cluster layer, as shown in the following figure.
(Figure: ACK authorization system)
  • RAM authorization covers O&M operations on the ACK cluster itself. It requires permissions on the OpenAPI operations of ACK and of the Alibaba Cloud services that ACK depends on, mainly:
    • Clusters: create, view, upgrade, delete
    • Node pools: create, modify, scale in and out
    • Authorization management
    • Cluster monitoring, logs, and events
  • RBAC authorization covers O&M operations on the Kubernetes applications that run in the ACK cluster. It requires permissions on the ACK cluster and its namespaces, mainly create, read, update, and delete operations on the following Kubernetes objects:
    • Workloads: Deployment, StatefulSet, DaemonSet, Job, CronJob, Pod, ReplicaSet, HPA, and so on
    • Networking: Service, Ingress, NetworkPolicy, and so on
    • Storage: PV, PVC, StorageClass, and so on
    • Namespace, ConfigMap, Secret, and so on
Therefore, when a RAM user or RAM role needs to perform both cluster O&M and application O&M, you must grant it RAM permissions and then RBAC permissions, in that order: RAM authorization is a prerequisite for RBAC authorization. The authorization steps for three typical scenarios are described below.

Scenario 1: the grantee is an O&M engineer for the cluster and the applications in it

The grantee needs the permissions required to manage and operate the ACK cluster, and also needs to operate the application resource objects inside the cluster. The authorization workflow therefore includes both RAM authorization and RBAC authorization.

  1. RAM authorization

    On the RAM side, ACK provides two system policies: AliyunCSFullAccess and AliyunCSReadOnlyAccess.

    • AliyunCSFullAccess grants read and write access to all ACK OpenAPI operations.

    • AliyunCSReadOnlyAccess grants read-only access to all ACK OpenAPI operations.

    Log on to the RAM console and attach one of the two system policies as needed. For details, see Grant permissions to a RAM user and Grant permissions to a RAM role.

    If you need fine-grained permission control, you can create a custom policy. For details, see Create a custom RAM policy.

    A sample RAM policy for this scenario is shown below. For the meaning of each Action, see Action descriptions.

    {
      "Statement": [
        {
          "Action": [
            "cs:GetClusters",
            "cs:DescribeClustersV1",
            "cs:DescribeClusterNodes",
            "cs:DescribeClusterUserKubeconfig",
            "cs:DescribeClusterResources",
            "cs:DescribeUserQuota",
            "cs:DescribeClusterLogs",
            "cs:ModifyCluster",
            "cs:UpgradeCluster",
            "cs:GetUpgradeStatus",
            "cs:ResumeUpgradeCluster",
            "cs:PauseClusterUpgrade",
            "cs:CancelClusterUpgrade",
            "cs:InstallClusterAddons",
            "cs:UpgradeClusterAddons",
            "cs:DescribeClusterAddonsUpgradeStatus",
            "cs:DescribeAddons",
            "cs:RemoveClusterNodes",
            "cs:CreateClusterNodePool",
            "cs:DescribeClusterNodePools",
            "cs:DescribeClusterNodePoolDetail",
            "cs:ScaleClusterNodePool",
            "cs:ModifyClusterNodePool",
            "cs:DeleteClusterNodepool",
            "cs:UnInstallClusterAddons"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cs:*:*:cluster/<yourclusterID>"
          ]
        }
      ],
      "Version": "1"
    }

    For more information about the ACK OpenAPI, see [Product change] Announcement on authentication optimization for Container Service OpenAPI and API overview.

  2. RBAC authorization

    After RAM authorization is complete, you must also grant the RAM user or RAM role RBAC permissions on the target cluster. ACK provides four preset roles at the cluster level.

    The preset roles and their in-cluster RBAC permissions are:

    • Administrator: read and write permissions on all resources in all namespaces.

    • O&M engineer: read and write permissions on the Kubernetes resources visible in the console in all namespaces, and read-only permissions on cluster nodes, volumes, namespaces, and quotas.

    • Developer: read and write permissions on the Kubernetes resources visible in the console in all namespaces or in the selected namespaces.

    • Restricted user: read-only permissions on the Kubernetes resources visible in the console in all namespaces or in the selected namespaces.

    In this scenario, on the Authorizations page of the ACK console, set the grantee's access permission on the target cluster and the corresponding namespace to O&M engineer.

    After a preset role is bound, ACK automatically creates a ClusterRoleBinding in the cluster for the grantee's identity. The RBAC permissions of the preset O&M engineer role are as follows.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cs:ops
    rules:
    - apiGroups: [""]
      resources:  ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["bindings", "events", "limitranges", "namespaces/status", "replicationcontrollers/status", "pods/log", "pods/status", "resourcequotas", "resourcequotas/status", "componentstatuses"]
      verbs: ["get", "list", "watch"]
    - apiGroups: [""]
      resources:  ["namespaces", "nodes", "persistentvolumes"]
      verbs: ["get", "list", "watch", "patch"]
    - apiGroups: ["coordination.k8s.io"]
      resources:  ["leases"]
      verbs: ["get"]
    - apiGroups: ["apps"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["autoscaling"]
      resources:  ["horizontalpodautoscalers"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["batch"]
      resources:  ["cronjobs", "jobs"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["extensions"]
      resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.k8s.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
      verbs: ["update"]
    - apiGroups: ["storage.k8s.io"]
      resources:  ["storageclasses"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["alicloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["policy"]
      resources:  ["poddisruptionbudgets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["metrics.k8s.io"]
      resources: ["pods", "nodes"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["networking.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["config.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["rbac.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["istio.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["authentication.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["log.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["monitoring.kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["apiextensions.k8s.io"]
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["serving.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["messaging.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["sources.eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["tekton.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["alert.alibabacloud.com"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
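    Before binding a preset role cluster-wide, a reviewer wants to know exactly which requests its rules admit. The following Python is an added example, not code from the ACK documentation or product: it embeds a constructed subset of the cs:ops rules above as data, evaluates requests against them the way the Kubernetes RBAC authorizer matches apiGroups, resources and verbs, and runs a constructed reviewer checklist over the result.

```python
# Constructed excerpt of the cs:ops ClusterRole rules above (a subset, as Python data).
OPS_RULES = [
    {"apiGroups": [""], "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
     "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]},
    {"apiGroups": [""], "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
     "resources": ["configmaps", "endpoints", "persistentvolumeclaims", "secrets", "serviceaccounts", "services"]},
    {"apiGroups": [""], "verbs": ["get", "list", "watch", "patch"],
     "resources": ["namespaces", "nodes", "persistentvolumes"]},
    {"apiGroups": ["networking.k8s.io"], "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"],
     "resources": ["*"]},
    {"apiGroups": ["storage.k8s.io"], "verbs": ["get", "list", "watch"], "resources": ["storageclasses"]},
]


def _matches(allowed, value):
    # RBAC rule fields are lists; "*" matches any value, otherwise an exact match is required.
    # A plain "pods" entry does not cover the "pods/exec" subresource, which must be listed on its own.
    return "*" in allowed or value in allowed


def allows(rules, group, resource, verb):
    """True if any single rule grants the (group, resource, verb) request. This mirrors the
    Kubernetes RBAC authorizer: rules are purely additive and there is no deny rule."""
    return any(_matches(r["apiGroups"], group) and _matches(r["resources"], resource)
               and _matches(r["verbs"], verb) for r in rules)


# Reviewer checklist (constructed): capabilities to confirm deliberately before binding a role
# through a ClusterRoleBinding, which applies it in every namespace.
CHECKLIST = [
    ("", "secrets", "get", "read Secrets in every namespace"),
    ("", "pods/exec", "create", "exec into Pods in every namespace"),
    ("", "nodes", "patch", "modify node labels and taints (the role table describes nodes as read-only)"),
    ("", "nodes", "delete", "delete nodes"),
    ("networking.k8s.io", "networkpolicies", "delete", "remove NetworkPolicy isolation"),
    ("storage.k8s.io", "storageclasses", "create", "create StorageClasses"),
]


def review(rules):
    """Return the checklist entries (resource, verb, description) that the rule set grants."""
    return [(res, verb, why) for grp, res, verb, why in CHECKLIST if allows(rules, grp, res, verb)]


if __name__ == "__main__":
    for res, verb, why in review(OPS_RULES):
        print(f"cs:ops grants {verb} on {res}: {why}")
```

    Run the same review over the cs:ns:dev rules in Scenario 2 to see which of these grants the Developer role lacks (it has no rule for nodes, namespaces, persistentvolumes or storageclasses).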

    If you need fine-grained RBAC permission control, you can create a custom ClusterRole by following RBAC, then select Custom on the Authorizations page of the ACK console and choose the name of your ClusterRole from the drop-down list. For details, see Create a custom Kubernetes authorization policy.

Scenario 2: the grantee is a developer of the applications in the cluster

The grantee only needs permissions on the Kubernetes resource objects inside the ACK cluster (RBAC authorization) and does not need access to cloud resources.

Important

Before RBAC authorization, the grantee must have at least read-only Container Service permissions on the target cluster (RAM authorization).

  1. RAM authorization

    In the RAM console, create a custom policy and attach it to the target RAM user or RAM role. For details, see Create a custom RAM policy. The custom policy is as follows:

    {
      "Statement": [
        {
          "Action": [
            "cs:Get*",
            "cs:List*",
            "cs:Describe*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cs:*:*:cluster/c5cc77f5180a449a4a48cf8001831xxxx"
          ]
        }
      ],
      "Version": "1"
    }

    Replace c5cc77f5180a449a4a48cf8001831xxxx with the ID of your cluster.

    Note

    If you want to grant the grantee read-only permissions on all clusters, attach the RAM system policy AliyunCSReadOnlyAccess provided by ACK instead.

  2. RBAC authorization

    On the Authorizations page of the ACK console, set the access permission of the grantee (RAM user or RAM role) on the target cluster and the corresponding namespace to Developer.

    After a preset role is bound, ACK automatically creates a ClusterRoleBinding in the cluster for the grantee's identity. The RBAC permissions of the preset Developer role are as follows.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cs:ns:dev
    rules:
    - apiGroups: [""]
      resources:  ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["events", "replicationcontrollers/status", "pods/log", "pods/status"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["apps"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["autoscaling"]
      resources:  ["horizontalpodautoscalers"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["batch"]
      resources:  ["cronjobs", "jobs"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["extensions"]
      resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.k8s.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
      verbs: ["update"]
    - apiGroups: ["alicloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["policy"]
      resources:  ["poddisruptionbudgets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["config.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["rbac.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["istio.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["authentication.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["log.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["monitoring.kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["apiextensions.k8s.io"]
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["serving.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["messaging.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["sources.eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["tekton.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["alert.alibabacloud.com"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]

    If you need fine-grained RBAC permission control, you can create a custom ClusterRole by following RBAC, then select Custom on the Authorizations page of the ACK console and choose the name of your ClusterRole from the drop-down list. For details, see Create a custom Kubernetes authorization policy.

Scenario 3: the grantee is a permission administrator for the applications in the cluster

The grantee needs to manage the RBAC permissions of other RAM users or RAM roles. By default, a RAM user or RAM role cannot grant RBAC permissions to other RAM users or RAM roles. If the grantee opens the Authorizations page of the ACK console and sees the message "The current RAM user does not have authorization management permissions. Contact the Alibaba Cloud account or a permission administrator for authorization", the grantee lacks either the required RAM permissions or the RBAC administrator permissions on the cluster.

  1. RAM authorization

    Make sure the grantee has the required RAM permissions. The policy must cover:

    • Listing other RAM users or RAM roles

    • Attaching RAM policies to a specified RAM user or RAM role

    • Viewing the Kubernetes RBAC permission configuration of a specified RAM user or RAM role

    • Granting Kubernetes RBAC permissions

    Log on to the RAM console and grant the RAM user or RAM role the corresponding RAM permissions. For details, see Create a custom RAM policy. A sample custom RAM policy is shown below.

    {
      "Statement": [
        {
          "Action": [
            "ram:Get*",
            "ram:List*",
            "cs:GetUserPermissions",
            "cs:GetSubUsers",
            "cs:GrantPermission"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:AttachPolicyToUser",
            "ram:AttachPolicyToRole"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:ram:*:*:policy/xxxx",
            "acs:*:*:*:user/*"
          ]
        }
      ],
      "Version": "1"
    }

    Replace xxxx with the name of the RAM policy that the grantee is allowed to attach. If you replace it with *, the grantee can attach any RAM policy.

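    The RAM policies in Scenario 1 and in this scenario are the place where scope creep happens quietly: a policy ARN or cluster ARN widened to * turns a delegated grant into a general one. The following Python is an added example, not code from the ACK documentation or product: it embeds a constructed copy of the policy above (with the page's own xxxx placeholder) and lints Allow statements for the least-privilege problems a reviewer checks by hand.

```python
import json

# Constructed copy of the permission-administrator policy from this page; "xxxx" is the
# page's placeholder for the name of the RAM policy the grantee may attach.
ADMIN_POLICY = json.loads("""
{"Statement": [
   {"Action": ["ram:Get*", "ram:List*", "cs:GetUserPermissions",
               "cs:GetSubUsers", "cs:GrantPermission"],
    "Resource": "*", "Effect": "Allow"},
   {"Action": ["ram:AttachPolicyToUser", "ram:AttachPolicyToRole"],
    "Effect": "Allow",
    "Resource": ["acs:ram:*:*:policy/xxxx", "acs:*:*:*:user/*"]}],
 "Version": "1"}
""")

# Attaching policies is the action that can hand out more than the grantor was meant to
# delegate, so its policy ARN must name a specific policy rather than "policy/*".
ATTACH_ACTIONS = {"ram:AttachPolicyToUser", "ram:AttachPolicyToRole"}


def _as_list(v):
    # RAM accepts a single string or a list for Action and Resource; normalise to a list.
    return v if isinstance(v, list) else [v]


def lint_policy(policy):
    """Return (statement_index, finding) pairs for every Allow statement that has:
    a whole-service wildcard action such as "cs:*", a duplicated action, an
    attach-policy action on "policy/*", or a cluster ARN ending in "cluster/*"."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        findings += [(i, f"wildcard action {a}") for a in actions if a.endswith(":*")]
        findings += [(i, f"duplicate action {a}") for a in sorted(set(actions)) if actions.count(a) > 1]
        if ATTACH_ACTIONS & set(actions):
            findings += [(i, f"any policy attachable via {r}") for r in resources
                         if r.startswith("acs:ram:") and r.endswith(":policy/*")]
        findings += [(i, f"all clusters in scope via {r}") for r in resources
                     if r.startswith("acs:cs:") and r.endswith(":cluster/*")]
    return findings


if __name__ == "__main__":
    print(lint_policy(ADMIN_POLICY) or "no findings")
```

    The cluster-ARN check also applies to the Scenario 1 and Scenario 2 policies, which should keep a specific cluster ID in the Resource element unless all-cluster access is intended.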
  2. RBAC authorization

    Set the grantee's access permission on the target cluster and the corresponding namespace to Administrator, or to cluster-admin under Custom roles.

    Note

    The Alibaba Cloud account (the root account) and the cluster creator are bound to cluster-admin by default and have access to all Kubernetes resource objects in the cluster.


After you complete the RAM authorization and RBAC authorization above, the grantee can manage the RBAC permissions of other RAM users or RAM roles within the specified permission scope. For details, see Configure RBAC permissions for a RAM user or RAM role.