通过ack-ram-tool清理集群中指定用户的权限

ack-ram-tool是容器服务 Kubernetes 版为辅助您管理集群RAM和RBAC权限提供的命令行工具。当用户离职或权限需要变更时,通过ack-ram-tool工具您可以及时清理集群中已删除用户的权限,避免安全风险。

步骤一:安装配置ack-ram-tool

  1. 执行以下命令,根据不同操作系统选择安装配置ack-ram-tool。

    展开查看Darwin_arm64系统的ack-ram-tool安装配置

    cd /tmp
    wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Darwin_arm64.tar.gz
    tar zxvf ack-ram-tool_0.18.0_Darwin_arm64.tar.gz
    cp ack-ram-tool /usr/local/bin
    ack-ram-tool version

    展开查看Darwin_x86_64系统的ack-ram-tool安装配置

    cd /tmp
    wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Darwin_x86_64.tar.gz
    tar zxvf ack-ram-tool_0.18.0_Darwin_x86_64.tar.gz
    cp ack-ram-tool /usr/local/bin
    ack-ram-tool version

    展开查看Linux_arm64系统的ack-ram-tool安装配置

    cd /tmp
    wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Linux_arm64.tar.gz 
    tar zxvf ack-ram-tool_0.18.0_Linux_arm64.tar.gz
    cp ack-ram-tool /usr/local/bin
    ack-ram-tool version

    展开查看Linux_x86_64系统的ack-ram-tool安装配置

    cd /tmp
    wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Linux_x86_64.tar.gz
    tar zxvf ack-ram-tool_0.18.0_Linux_x86_64.tar.gz
    cp ack-ram-tool /usr/local/bin
    ack-ram-tool version
  2. 通过以下任一方式配置ack-ram-tool所需的访问凭证。

    • 自动从如下环境变量中读取凭证信息。

      • ALIBABA_CLOUD_ACCESS_KEY_ID

      • ALIBABA_CLOUD_ACCESS_KEY_SECRET

      • ALIBABA_CLOUD_SECURITY_TOKEN,关于如何获取SECURITY_TOKEN,请参见什么是STS

    • 从aliyun CLI配置文件~/.aliyun/config.json中读取凭证信息。关于配置方法,请参见配置凭证

步骤二:配置ack-ram-tool访问凭证所需的权限

ack-ram-tool使用的访问凭证需要拥有RAM权限和集群的RBAC权限。

  1. 为RAM用户授予如下权限。具体操作,请参见为RAM用户授权

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cs:*"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ram:ListUsers",
            "ram:ListRoles"
          ],
          "Resource": "*"
        }
      ]
    }
  2. 为RAM用户授予集群的RBAC管理员权限。

    1. 登录容器服务管理控制台,在左侧导航栏选择授权管理

    2. 在授权管理页面,单击RAM 用户页签,找到待添加的RAM用户,单击右侧的管理权限,进入权限管理页面。

    3. 单击添加权限,选择集群命名空间,选择权限管理管理员的权限,然后单击提交授权

步骤三:查询集群内指定RAM用户的RBAC Binding

您可以通过ack-ram-tool rbac scan-user-permissions命令,查询目标集群内指定RAM用户的RBAC Binding信息。

仅查询已删除的RAM用户和角色的RBAC Binding

执行以下命令,查看集群内已删除的RAM用户和角色的RBAC Binding信息。

ack-ram-tool rbac scan-user-permissions -c <集群ID>

预期输出:

2023-12-12T15:34:37+08:00 INFO start to scan users and bindings for cluster c401890df511a4362bf24bece4da****
2023-12-12T15:34:43+08:00 WARN by default, only deleted users are included. Use the --all-users flag to include all users
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding  

UserType的参数说明如下:

UserType的值

说明

RamRole

RAM角色

RamUser

RAM用户

Root

阿里云账号(主账号)

查询所有RAM用户和角色的RBAC Binding

执行以下命令,查看所有RAM用户和角色的RBAC Binding信息。

ack-ram-tool rbac scan-user-permissions --all-users -c <集群ID>

预期输出:

2023-12-12T15:36:00+08:00 INFO Start to scan users and bindings for cluster c401890df511a4362bf24bece4da6****
UID                           UserType  UserName                   Binding                                                                
30032484611590**** (deleted)  RamRole                              ClusterRoleBinding/-/30032484611590****-clusterrolebinding              
20492499986425**** (deleted)  RamUser                              ClusterRoleBinding/-/20492499986425****-clusterrolebinding              
27203272572548****            RamUser   scan                       ClusterRoleBinding/-/27203272572548****-clusterrolebinding        
113802571552****              Root                                 ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding  
29068913515444****            RamUser   test-ack-ram-check         ClusterRoleBinding/-/29068913515444****-clusterrolebinding  

查询当前阿里云账号下所有集群的RBAC Binding

执行以下命令,查看当前阿里云账号下所有集群的RBAC Binding信息。

ack-ram-tool rbac scan-user-permissions -c all

预期输出:

2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T16:44:55+08:00 INFO start to get all clusters, users and roles
2023-12-12T16:44:58+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T16:44:58+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan bindings for cluster c401890df511a4362bf24bece4da6****
2023-12-12T16:45:00+08:00 WARN [c401890df511a4362bf24bece4da6****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c401890df511a4362bf24bece4da6****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
20492499986425**** (deleted)  RamUser             ClusterRoleBinding/-/20492499986425****-clusterrolebinding  
2023-12-12T16:45:00+08:00 INFO ---- c137a979dec21472c8279c903cfc**** (test-pro) ----
2023-12-12T16:45:00+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan bindings for cluster c137a979dec21472c8279c903cfce****
2023-12-12T16:45:01+08:00 WARN [c137a979dec21472c8279c903cfce****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c137a979dec21472c8279c903cfce****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding  

步骤四:清理集群内指定RAM用户或RAM角色的RBAC Binding并清除KubeConfig权限

您可以通过ack-ram-tool rbac cleanup-user-permissions命令,清理目标集群内指定RAM用户或RAM角色的RBAC Binding以及清除该用户的KubeConfig。

重要
  • 当日志中出现this user has been active in the past 7 days时,表明目标RAM用户或RAM角色最近7天内有集群访问记录,请谨慎操作。

  • 执行清理操作前,ack-ram-tool工具会在当前目录下以集群ID命名的文件夹中备份待删除的Binding原始JSON文件。

清理RAM用户或RAM角色在单个集群中的权限

执行以下命令,清理指定RAM用户或RAM角色在单个集群中的权限。

以下命令行中的<UID>,您可以通过ack-ram-tool rbac scan-user-permissions -c <集群ID>命令获取。

ack-ram-tool rbac cleanup-user-permissions -c <集群ID> -u <UID>

预期输出:

展开查看预期输出

2023-12-12T18:17:10+08:00 INFO start to scan users and bindings
2023-12-12T18:17:15+08:00 WARN we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T18:17:15+08:00 WARN we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T18:17:15+08:00 INFO start to check cluster audit log for user 25908395708943****
2023-12-12T18:17:16+08:00 WARN this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76e****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T18:17:37+08:00 INFO start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:38+08:00 INFO the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T18:17:38+08:00 INFO start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO all bindings and permissions have been cleaned up

清理RAM用户或RAM角色在所有集群中的权限

执行以下命令,清理指定RAM用户或角色在当前阿里云账号下所有集群中的RBAC Binding,并清除其KubeConfig。

ack-ram-tool rbac cleanup-user-permissions -c all -u <UID>

预期输出:

展开查看预期输出

2023-12-12T19:28:23+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T19:28:23+08:00 INFO start to get all clusters, users and roles
2023-12-12T19:28:24+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up bindings and permissions for cluster c401890df511a4362bf24bece4da6**** 
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan users and bindings
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up kubeconfig permissions for users as follows:
UID: 259083957089437690
2023-12-12T19:28:25+08:00 INFO [c401890df511a4362bf24bece4da6****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c401890df511a4362bf24bece4da****  
sls logstore: audit-c401890df511a4362bf24bece4da6**** 
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to backup binding ClusterRoleBinding/-/25908395708943**** -clusterrolebinding
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c401890df511a4362bf24bece4da6**** /ClusterRoleBinding--259083957089437XXX-clusterrolebinding.json
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] all bindings and permissions have been cleaned up
2023-12-12T19:28:49+08:00 INFO ---- c137a979dec21472c8279c903cfce****  (test-pro) ----
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up bindings and permissions for cluster c137a979dec21472c8279c903cfce**** 
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan users and bindings
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****   RamUser   ack-admin  ClusterRoleBinding/-/25908395708943**** -clusterrolebinding  
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943**** 
2023-12-12T19:28:51+08:00 INFO [c137a979dec21472c8279c903cfce****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T17:55:50+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce**** 
sls logstore: audit-c137a979dec21472c8279c903cfce**** 
last activity: 2023-12-12T17:55:50+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce**** /ClusterRoleBinding--25908395708943**** -clusterrolebinding.json
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] all bindings and permissions have been cleaned up

相关文档

如需了解更多KubeConfig管理的内容,请参见清除KubeConfig