Agent组件有哪些RBAC权限要求

注册集群通过Stub组件和ack-cluster-agent访问链路访问集群资源,所有操作权限收敛于ack-cluster-agent组件所使用的ServiceAccount。安装ack-cluster-agent组件时,会默认部署名为ackServiceAccount,同时有受限模式和管理员模式两种权限模式可供选择,您可以根据需求更改RBAC授权规则。本文介绍注册集群ack-cluster-agent组件的RBAC权限。

前提条件

已安装ack-cluster-agent组件,且版本为1.13.1.105-g8ee9abb-aliyun及以上。详细操作,请参见管理组件

受限模式的RBAC权限

受限模式下,注册集群默认要求的最小授权为Agent相关ConfigMap读权限,授权规则如下所示。

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-create-cm-role
  namespace: kube-system
  labels:
    ack/creator: "ack"
rules:
- apiGroups: 
  - ""
  resources: 
  - configmaps
  verbs: 
  - create 
---  
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-update-cm-role
  namespace: kube-system
  labels:
    ack/creator: "ack"
rules:
- apiGroups: 
  - ""
  resources: 
  - configmaps
  resourceNames: 
  - ack-agent-config
  - provider
  verbs: 
  - update
  - get
  
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-read-cm-role
  namespace: kube-public
  labels:
    ack/creator: "ack"
rules:
- apiGroups: 
  - ""
  resources: 
  - configmaps
  resourceNames: 
  - kube-root-ca.crt 
  verbs: 
  - get

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-create-cm-rolebinding
  namespace: kube-system
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-create-cm-role
  apiGroup: rbac.authorization.k8s.io
---  
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-update-cm-rolebinding
  namespace: kube-system
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-update-cm-role
  apiGroup: rbac.authorization.k8s.io    
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-read-cm-rolebinding
  namespace: kube-public
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-read-cm-role
  apiGroup: rbac.authorization.k8s.io  
---

受限模式下,控制台功能将受到限制,例如,无法查看集群中的工作负载。但可以使用onectl安装组件,并在控制台中使用,例如Prometheus监控服务、日志服务等。

使用onectl管理组件时,onectl将赋予Agent集群临时管理员权限,并在组件管理操作完成或被中断后,取消Agent集群的管理员权限。更多信息,请参见通过onectl管理注册集群

管理员模式的RBAC权限

管理员模式下,注册集群拥有集群的管理员权限,授权规则如下所示。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

管理员模式下,控制台的所有功能均可正常使用。

组件管理所需的RBAC权限

安装或更新组件时,例如terway-eniiplogtail-ds等组件,您需要临时将名为ack-adminClusterRole权限设置为admin权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

组件安装或升级完成后,可将权限恢复至以下最小权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider"]
  verbs: ["get","list","watch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["autoscaler-meta"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["pods","secrets"]
  verbs: ["list"]

仅启用节点池或弹性节点池功能所需的RBAC权限

安装Terway组件或创建节点池时,您需要临时将名为ack-adminClusterRole权限设置为admin权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

节点池配置完成后,可将权限恢复至以下最小权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip", "cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]

开启日志服务后查询日志所需的RBAC权限

注册集群开始日志服务功能后,若您需要在ACK控制台查询相关日志,需要设置以下权限。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-log
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get","list","watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["alibaba-log-controller", "logtail-ds", "kube-proxy-master"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["alibaba-log-configuration"]
  verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-agent-binding-log
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-agent-role-log
  apiGroup: rbac.authorization.k8s.io

只读的RBAC权限

用于用户在阿里云控制台查看Kubernetes的相关资源。

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-readonly-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - pods
  - pods/log
  - pods/exec
  - configmaps
  - endpoints
  - events
  - limitranges
  - persistentvolumeclaims
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - serviceaccounts
  - services
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - get
  - list
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - networkpolicies
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - get
  - list
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - get
  - list

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-readonly-clusterrolebinding
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-readonly-clusterrole
  apiGroup: rbac.authorization.k8s.io