Customize the RBAC permissions that GitOps uses on associated clusters

The permissions that ACK One GitOps has on an associated cluster are controlled by the RBAC rules of the ClusterRole ack-mc:argocd-ackone-dev, which the system creates by default; these default permissions cannot be modified. If you need finer-grained control over what GitOps may do, for example to let GitOps only create and view Pods in a particular associated cluster, you can create a custom ClusterRole with the RBAC rules you want and bind it to the GitOps ServiceAccount. This topic describes the default GitOps permissions and how to customize them.

Background information

When an associated cluster is added to an ACK One Fleet instance, ACK One creates the default ServiceAccount argocd-ackone-sa and the default ClusterRole ack-mc:argocd-ackone-dev in the associated cluster and binds the ClusterRole to the ServiceAccount. GitOps acts on the associated cluster as this ServiceAccount, so its permissions are the RBAC rules contained in ack-mc:argocd-ackone-dev.

You can also customize the RBAC permissions that GitOps has on each associated cluster. To do so, create a ClusterRole or Role in the associated cluster and bind it with a ClusterRoleBinding or RoleBinding to the cluster's default ServiceAccount argocd-ackone-sa, which grants the custom rules to that ServiceAccount. Keep in mind that Kubernetes RBAC is purely additive: a binding grants permissions and never removes any, so the rules you add are combined with every other Role or ClusterRole already bound to argocd-ackone-sa on that cluster.


Configure the RBAC permissions of GitOps on an associated cluster

  1. Create a custom ClusterRole from the following YAML example.

    Note
    • The ClusterRole name is chosen by you.

    • The apiGroups, resources, and verbs under rules must be adjusted to the permissions you actually intend to grant. A ClusterRole attached with a ClusterRoleBinding applies in every namespace of the cluster; to confine the grant to a single namespace, create a Role and a RoleBinding in that namespace instead.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: <your ClusterRole name>
    rules:
      - apiGroups:
          - ""
        resources:
          - pods
          - configmaps
          - endpoints
        verbs:
          - create
          - delete
  2. Create a ClusterRoleBinding from the following YAML example to bind the ClusterRole you created to the default ServiceAccount argocd-ackone-sa, which grants the custom RBAC permissions to argocd-ackone-sa.

    Note

    The ClusterRole name in roleRef must be the name of the ClusterRole you created in the previous step.

    The ServiceAccount name must be argocd-ackone-sa and its namespace must be ack-multiple-clusters; do not change either value. The API server accepts a binding whose subject does not exist, but such a binding grants nothing.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: <ClusterRoleBinding name>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: <your ClusterRole name>
    subjects:
    - kind: ServiceAccount
      name: argocd-ackone-sa
      namespace: ack-multiple-clusters
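To check the outcome of the two steps above before touching a cluster, the following added example (not code from ACK One or Argo CD) re-implements the rule-matching semantics of rbac.authorization.k8s.io/v1 (apiGroups, resources including the "*/subresource" form, verbs, and the "*" wildcard) and shows that the custom ClusterRole is combined with, not substituted for, whatever else is bound to argocd-ackone-sa. CUSTOM_RULES is the ClusterRole from step 1; DEFAULT_RULES_SUBSET is a hand-transcribed subset (the first two rules) of ack-mc:argocd-ackone-dev as listed on this page; the ClusterRole name gitops-pods in the demo is hypothetical.

```python
"""Predict what argocd-ackone-sa may do after a custom ClusterRole is bound to it.

Added example, not ACK One or Argo CD code. Rule matching follows the RBAC
authorizer: a bare resource name does not cover its subresources, and
'*/<sub>' covers that subresource of every resource.
"""

# The custom ClusterRole from step 1 (transcribed from this page).
CUSTOM_RULES = [
    {"apiGroups": [""], "resources": ["pods", "configmaps", "endpoints"],
     "verbs": ["create", "delete"]},
]

# First two rules of ack-mc:argocd-ackone-dev (hand-transcribed subset).
DEFAULT_RULES_SUBSET = [
    {"apiGroups": [""],
     "resources": ["pods", "configmaps", "endpoints", "persistentvolumeclaims",
                   "services", "namespaces"],
     "verbs": ["create", "delete", "deletecollection", "get", "list",
               "patch", "update", "watch"]},
    {"apiGroups": [""],
     "resources": ["events", "pods/status", "pods/log"],
     "verbs": ["get", "list", "watch", "patch", "update"]},
]


def _matches(allowed, wanted):
    """apiGroups/verbs matching: '*' covers everything, otherwise exact entry."""
    return "*" in allowed or wanted in allowed


def _resource_matches(allowed, wanted):
    """Resource matching as kube-apiserver does it: '*', an exact entry such as
    'pods/log', or '*/<subresource>'. A bare 'pods' entry does NOT cover 'pods/log'."""
    if "*" in allowed or wanted in allowed:
        return True
    if "/" in wanted:
        subresource = wanted.split("/", 1)[1]
        return "*/" + subresource in allowed
    return False


def can_i(rules, group, resource, verb):
    """True if any rule permits `verb` on `resource` in API group `group`
    ('' is the core group, exactly as in the YAML)."""
    return any(
        _matches(r["apiGroups"], group)
        and _resource_matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in rules
    )


def effective_rules(*bound_roles):
    """RBAC is additive: a subject's permissions are the union of the rules of
    every Role/ClusterRole bound to it. A binding can only add, never subtract."""
    return [rule for role in bound_roles for rule in role]


def binding_problems(manifest):
    """Pre-apply check for the ClusterRoleBinding of step 2: the subject must be
    the ServiceAccount ACK One created, or the binding is accepted but grants nothing."""
    problems = []
    if manifest.get("kind") != "ClusterRoleBinding":
        problems.append("kind must be ClusterRoleBinding")
    ref = manifest.get("roleRef", {})
    if ref.get("kind") != "ClusterRole" or ref.get("apiGroup") != "rbac.authorization.k8s.io":
        problems.append("roleRef must name a ClusterRole in rbac.authorization.k8s.io")
    if not any(s.get("kind") == "ServiceAccount"
               and s.get("name") == "argocd-ackone-sa"
               and s.get("namespace") == "ack-multiple-clusters"
               for s in manifest.get("subjects", [])):
        problems.append("subjects must contain ServiceAccount "
                        "argocd-ackone-sa in namespace ack-multiple-clusters")
    return problems


if __name__ == "__main__":
    sa = "system:serviceaccount:ack-multiple-clusters:argocd-ackone-sa"
    merged = effective_rules(DEFAULT_RULES_SUBSET, CUSTOM_RULES)
    for group, res, verb in [("", "pods", "create"), ("", "pods", "list"),
                             ("", "pods/log", "get"), ("apps", "deployments", "get")]:
        print(f"{sa} {verb} {res!r} in group {group or 'core'}: "
              f"custom role alone={can_i(CUSTOM_RULES, group, res, verb)} "
              f"custom+default={can_i(merged, group, res, verb)}")
    # A binding with the right SA name but the wrong namespace (gitops-pods is a hypothetical name).
    bad = {"kind": "ClusterRoleBinding",
           "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                       "name": "gitops-pods"},
           "subjects": [{"kind": "ServiceAccount", "name": "argocd-ackone-sa",
                         "namespace": "default"}]}
    print("problems:", binding_problems(bad))
```

Against a live associated cluster the same questions are answered by the API server itself, which evaluates every binding the ServiceAccount has, the default one included: kubectl auth can-i create pods --as=system:serviceaccount:ack-multiple-clusters:argocd-ackone-sa, or kubectl auth can-i --list --as=system:serviceaccount:ack-multiple-clusters:argocd-ackone-sa for the full set.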

Default GitOps permissions

The default ClusterRole ack-mc:argocd-ackone-dev that the system creates contains the following RBAC rules:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-mc:argocd-ackone-dev
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - namespaces
      - bindings
      - limitranges
      - resourcequotas
      - persistentvolumes
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - events
      - namespaces/status
      - replicationcontrollers/status
      - pods/status
      - pods/log
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
      - patch
      - update
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - networking.k8s.io
    resources:
      - '*'
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - alicloud.com
    resources:
      - '*'
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - log.alibabacloud.com
    resources:
      - '*'
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - serving.knative.dev
    resources:
      - '*'
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - eventing.knative.dev
    resources:
      - '*'
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - messaging.knative.dev
    resources:
      - '*'
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - sources.eventing.knative.dev
    resources:
      - '*'
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - alert.alibabacloud.com
    resources:
      - '*'
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - alibabacloud.com
    resources:
      - externalsecrets
      - secretstores
    verbs:
      - '*'
  - apiGroups:
      - apps.kruise.io
      - policy.kruise.io
      - rollouts.kruise.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - argoproj.io
    resources:
      - analysisruns
      - analysistemplates
      - clusteranalysistemplates
      - experiments
      - rollouts
    verbs:
      - '*'
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - '*'
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - '*'
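The listing above is long enough that its broadest grants are easy to miss. The following added example (not ACK One code) transcribes every rule of ack-mc:argocd-ackone-dev as an (apiGroups, resources, verbs) triple, in the page's order, and answers the questions an operator reviewing the default role asks: which rules use wildcards, which API groups are fully open, and which verbs the role grants on a given resource. The transcription is by hand from the YAML on this page; nothing beyond that YAML is assumed.

```python
"""Audit the default ClusterRole ack-mc:argocd-ackone-dev for broad grants.

Added example, not ACK One code. DEFAULT_RULES is a hand-transcription of the
ClusterRole listed above; FULL and RO name the verb sets the page repeats.
"""

FULL = ("create", "delete", "deletecollection", "get", "list", "patch", "update", "watch")
RO = ("get", "list", "watch")
ALL = ("*",)

DEFAULT_RULES = [
    (("",), ("pods", "configmaps", "endpoints", "persistentvolumeclaims",
             "replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
             "services", "namespaces", "bindings", "limitranges", "resourcequotas",
             "persistentvolumes"), FULL),
    (("",), ("events", "namespaces/status", "replicationcontrollers/status", "pods/status",
             "pods/log", "resourcequotas/status"), ("get", "list", "watch", "patch", "update")),
    (("apps",), ("daemonsets", "deployments", "deployments/rollback", "deployments/scale",
                 "replicasets", "replicasets/scale", "statefulsets"), FULL),
    (("autoscaling",), ("horizontalpodautoscalers",), FULL),
    (("batch",), ("cronjobs", "jobs"), FULL),
    (("extensions",), ("daemonsets", "deployments", "deployments/rollback", "deployments/scale",
                       "ingresses", "replicasets", "replicasets/scale",
                       "replicationcontrollers/scale"), FULL),
    (("metrics.k8s.io",), ("pods",), RO),
    (("networking.k8s.io",), ALL, FULL),
    (("storage.k8s.io",), ("storageclasses",), RO),
    (("alicloud.com",), ALL, ("create", "delete", "get", "list", "patch", "update", "watch")),
    (("policy",), ("poddisruptionbudgets",), FULL),
    (("log.alibabacloud.com",), ALL, FULL),
    (("apiextensions.k8s.io",), ("customresourcedefinitions",), FULL),
    (("serving.knative.dev",), ALL, FULL),
    (("eventing.knative.dev",), ALL, FULL),
    (("messaging.knative.dev",), ALL, FULL),
    (("sources.eventing.knative.dev",), ALL, FULL),
    (("alert.alibabacloud.com",), ALL, FULL),
    (("alibabacloud.com",), ("externalsecrets", "secretstores"), ALL),
    (("apps.kruise.io", "policy.kruise.io", "rollouts.kruise.io"), ALL, ALL),
    (("argoproj.io",), ("analysisruns", "analysistemplates", "clusteranalysistemplates",
                        "experiments", "rollouts"), ALL),
    (("admissionregistration.k8s.io",), ("validatingwebhookconfigurations",
                                         "mutatingwebhookconfigurations"), ALL),
    (("coordination.k8s.io",), ("leases",), ALL),
]


def verbs_on(rules, group, resource):
    """Union of the verbs all rules grant on (group, resource); a result containing
    '*' means every verb. Resource names are matched exactly, like the authorizer."""
    verbs = set()
    for groups, resources, rule_verbs in rules:
        if ("*" in groups or group in groups) and ("*" in resources or resource in resources):
            verbs.update(rule_verbs)
    return frozenset(verbs)


def wildcard_grants(rules):
    """Rules that use '*' for resources or verbs: they also cover resources that
    did not exist when the role was written (e.g. CRDs added to that group later)."""
    return [r for r in rules if "*" in r[1] or "*" in r[2]]


def fully_open_groups(rules):
    """API groups on which the role grants every verb on every resource."""
    return {g for groups, resources, verbs in rules
            if "*" in resources and "*" in verbs for g in groups}


if __name__ == "__main__":
    print(f"{len(wildcard_grants(DEFAULT_RULES))} of {len(DEFAULT_RULES)} rules use a wildcard")
    for groups, resources, verbs in wildcard_grants(DEFAULT_RULES):
        print(f"  {','.join(groups)}: resources={resources} verbs={verbs}")
    print("fully open groups:", sorted(fully_open_groups(DEFAULT_RULES)))
    for group, resource in [("", "secrets"), ("", "nodes"),
                            ("rbac.authorization.k8s.io", "clusterroles"),
                            ("admissionregistration.k8s.io", "mutatingwebhookconfigurations")]:
        print(f"{resource} ({group or 'core'}):",
              sorted(verbs_on(DEFAULT_RULES, group, resource)) or "none")
```

The audit shows that 13 of the 23 rules use a wildcard, and that the three kruise.io groups are granted every verb on every resource. It also confirms what the listing does not say explicitly: core secrets and nodes and the RBAC objects themselves are not granted at all by this role, whereas CustomResourceDefinitions, admission webhook configurations and leases are granted with full write access cluster-wide. Those are the rules to compare against when deciding how narrow a custom ClusterRole for a given cluster should be.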