注册集群通过Stub组件和ack-cluster-agent访问链路访问集群资源,所有操作权限收敛于ack-cluster-agent组件所使用的ServiceAccount。安装ack-cluster-agent组件时,会默认部署名为ack的ServiceAccount,同时有受限模式和管理员模式两种权限模式可供选择,您可以根据需求更改RBAC授权规则。本文介绍注册集群ack-cluster-agent组件的RBAC权限。
前提条件
已安装ack-cluster-agent组件,且版本为1.13.1.105-g8ee9abb-aliyun及以上。详细操作,请参见管理组件。
受限模式的RBAC权限
受限模式下,注册集群默认要求的最小授权为Agent相关ConfigMap读权限,授权规则如下所示。
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ack-agent-create-cm-role
namespace: kube-system
labels:
ack/creator: "ack"
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ack-agent-update-cm-role
namespace: kube-system
labels:
ack/creator: "ack"
rules:
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- ack-agent-config
- provider
verbs:
- update
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: ack-agent-read-cm-role
namespace: kube-public
labels:
ack/creator: "ack"
rules:
- apiGroups:
- ""
resources:
- configmaps
resourceNames:
- kube-root-ca.crt
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ack-agent-create-cm-rolebinding
namespace: kube-system
labels:
ack/creator: "ack"
subjects:
- kind: ServiceAccount
name: ack
namespace: kube-system
roleRef:
kind: Role
name: ack-agent-create-cm-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ack-agent-update-cm-rolebinding
namespace: kube-system
labels:
ack/creator: "ack"
subjects:
- kind: ServiceAccount
name: ack
namespace: kube-system
roleRef:
kind: Role
name: ack-agent-update-cm-role
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ack-agent-read-cm-rolebinding
namespace: kube-public
labels:
ack/creator: "ack"
subjects:
- kind: ServiceAccount
name: ack
namespace: kube-system
roleRef:
kind: Role
name: ack-agent-read-cm-role
apiGroup: rbac.authorization.k8s.io
---
受限模式下,控制台功能将受到限制,例如,无法查看集群中的工作负载。但可以使用onectl安装组件,并在控制台中使用,例如Prometheus监控服务、日志服务等。
使用onectl管理组件时,onectl将赋予Agent集群临时管理员权限,并在组件管理操作完成或被中断后,取消Agent集群的管理员权限。更多信息,请参见通过onectl管理注册集群。
管理员模式的RBAC权限
管理员模式下,注册集群拥有集群的管理员权限,授权规则如下所示。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-admin
labels:
ack/creator: "ack"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
管理员模式下,控制台的所有功能均可正常使用。
组件管理所需的RBAC权限
安装或更新组件时,例如terway-eniip或logtail-ds等组件,您需要临时将名为ack-admin的ClusterRole权限设置为admin权限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-admin
labels:
ack/creator: "ack"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
组件安装或升级完成后,可将权限恢复至以下最小权限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-admin
labels:
ack/creator: "ack"
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get","list","watch"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["ack-agent-config","provider"]
verbs: ["get","list","watch","update"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["autoscaler-meta"]
verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
resources: ["daemonsets", "deployments"]
resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
resources: ["daemonsets", "deployments"]
resourceNames: ["cluster-autoscaler"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
resources: ["pods","secrets"]
verbs: ["list"]
仅启用节点池或弹性节点池功能所需的RBAC权限
安装Terway组件或创建节点池时,您需要临时将名为ack-admin的ClusterRole权限设置为admin权限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-admin
labels:
ack/creator: "ack"
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
节点池配置完成后,可将权限恢复至以下最小权限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-admin
labels:
ack/creator: "ack"
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get","list","watch"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
resources: ["daemonsets", "deployments"]
resourceNames: ["terway-eniip", "cluster-autoscaler"]
verbs: ["get", "list", "watch", "update"]
开启日志服务后查询日志所需的RBAC权限
注册集群开始日志服务功能后,若您需要在ACK控制台查询相关日志,需要设置以下权限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-agent-role-log
labels:
ack/creator: "ack"
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get","list","watch"]
- apiGroups: ["apps"]
resources: ["daemonsets", "deployments"]
resourceNames: ["alibaba-log-controller", "logtail-ds", "kube-proxy-master"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["alibaba-log-configuration"]
verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ack-agent-binding-log
labels:
ack/creator: "ack"
subjects:
- kind: ServiceAccount
name: ack
namespace: kube-system
roleRef:
kind: ClusterRole
name: ack-agent-role-log
apiGroup: rbac.authorization.k8s.io
只读的RBAC权限
用于用户在阿里云控制台查看Kubernetes的相关资源。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: ack-readonly-clusterrole
rules:
- apiGroups:
- ""
resources:
- nodes
- namespaces
- pods
- pods/log
- pods/exec
- configmaps
- endpoints
- events
- limitranges
- persistentvolumeclaims
- podtemplates
- replicationcontrollers
- resourcequotas
- serviceaccounts
- services
verbs:
- get
- list
- apiGroups:
- apps
resources:
- deployments
- daemonsets
- statefulsets
- replicasets
verbs:
- get
- list
- apiGroups:
- batch
resources:
- jobs
- cronjobs
verbs:
- get
- list
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- get
- list
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- apiGroups:
- events.k8s.io
resources:
- events
verbs:
- get
- list
- apiGroups:
- extensions
resources:
- daemonsets
- deployments
- ingresses
- networkpolicies
- replicasets
verbs:
- get
- list
- apiGroups:
- networking.k8s.io
resources:
- ingresses
- networkpolicies
verbs:
- get
- list
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- get
- list
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- get
- list
- apiGroups:
- storage.k8s.io
resources:
- csistoragecapacities
verbs:
- get
- list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: ack-readonly-clusterrolebinding
labels:
ack/creator: "ack"
subjects:
- kind: ServiceAccount
name: ack
namespace: kube-system
roleRef:
kind: ClusterRole
name: ack-readonly-clusterrole
apiGroup: rbac.authorization.k8s.io