【产品变更】专有版集群节点RAM角色权限收敛公告

由于专有版集群节点默认绑定的ECS RAM角色权限较大,为了加强专有版集群的默认安全性,容器服务ACK将对新建的专有版集群进一步收敛RAM角色的绑定权限。

变更影响

  • 该变更只影响新创建的ACK专有版集群节点的默认权限,不影响托管版集群、ACK Serverless集群等其他类型的集群。

  • 该变更不会影响存量ACK专有版集群节点的默认权限。如需收敛存量ACK专有版集群节点的角色绑定权限,请修改指定存量集群对应的节点角色的权限策略内容。最小化权限策略的具体内容,请参见Master节点绑定角色权限和Worker节点绑定角色权限。

    重要

    修改存量ACK专有版集群的权限前,请确保集群节点上运行的组件没有依赖待删除的权限。如果存在依赖,请不要实施变更。修改前,请备份原有权限模板策略内容,以便及时回滚权限配置。

Master节点绑定角色权限

专有版集群Master节点的RAM角色权限收敛后,默认绑定了CCM、CSI存储、网络和日志组件所需的最小化权限策略。

  • CCM组件权限策略内容

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:Describe*",
                    "ecs:CreateRouteEntry",
                    "ecs:DeleteRouteEntry",
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DeleteNetworkInterfacePermission",
                    "ecs:ModifyInstanceAttribute",
                    "ecs:AttachKeyPair",
                    "ecs:StopInstance",
                    "ecs:StartInstance",
                    "ecs:ReplaceSystemDisk"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "slb:Describe*",
                    "slb:CreateLoadBalancer",
                    "slb:DeleteLoadBalancer",
                    "slb:ModifyLoadBalancerInternetSpec",
                    "slb:RemoveBackendServers",
                    "slb:AddBackendServers",
                    "slb:RemoveTags",
                    "slb:AddTags",
                    "slb:StopLoadBalancerListener",
                    "slb:StartLoadBalancerListener",
                    "slb:SetLoadBalancerHTTPListenerAttribute",
                    "slb:SetLoadBalancerHTTPSListenerAttribute",
                    "slb:SetLoadBalancerTCPListenerAttribute",
                    "slb:SetLoadBalancerUDPListenerAttribute",
                    "slb:CreateLoadBalancerHTTPSListener",
                    "slb:CreateLoadBalancerHTTPListener",
                    "slb:CreateLoadBalancerTCPListener",
                    "slb:CreateLoadBalancerUDPListener",
                    "slb:DeleteLoadBalancerListener",
                    "slb:CreateVServerGroup",
                    "slb:DescribeVServerGroups",
                    "slb:DeleteVServerGroup",
                    "slb:SetVServerGroupAttribute",
                    "slb:DescribeVServerGroupAttribute",
                    "slb:ModifyVServerGroupBackendServers",
                    "slb:AddVServerGroupBackendServers",
                    "slb:ModifyLoadBalancerInstanceSpec",
                    "slb:ModifyLoadBalancerInternetSpec",
                    "slb:SetLoadBalancerModificationProtection",
                    "slb:SetLoadBalancerDeleteProtection",
                    "slb:SetLoadBalancerName",
                    "slb:ModifyLoadBalancerInstanceChargeType",
                    "slb:RemoveVServerGroupBackendServers"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:Describe*",
                    "vpc:DeleteRouteEntry",
                    "vpc:CreateRouteEntry"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • CSI存储组件权限策略内容

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeDisks",
                    "ecs:DescribeInstances",
                    "ecs:DescribeAvailableResource",
                    "ecs:DescribeInstanceTypes",
                    "nas:DescribeFileSystems",
                    "ecs:AttachDisk",
                    "ecs:CreateDisk",
                    "ecs:CreateSnapshot",
                    "ecs:DeleteDisk",
                    "ecs:DeleteSnapshot",
                    "ecs:DetachDisk"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • 网络组件权限策略内容

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:CreateNetworkInterface",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:AttachNetworkInterface",
                    "ecs:DetachNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:DescribeInstanceAttribute",
                    "ecs:DescribeInstanceTypes",
                    "ecs:AssignPrivateIpAddresses",
                    "ecs:UnassignPrivateIpAddresses",
                    "ecs:DescribeInstances",
                    "ecs:ModifyNetworkInterfaceAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • 日志组件权限策略内容

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:DeleteProject",
                    "log:CreateLogStore",
                    "log:GetLogStore",
                    "log:UpdateLogStore",
                    "log:DeleteLogStore",
                    "log:CreateConfig",
                    "log:UpdateConfig",
                    "log:GetConfig",
                    "log:DeleteConfig",
                    "log:CreateMachineGroup",
                    "log:UpdateMachineGroup",
                    "log:GetMachineGroup",
                    "log:DeleteMachineGroup",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetAppliedConfigs",
                    "log:RemoveConfigFromMachineGroup",
                    "log:CreateIndex",
                    "log:GetIndex",
                    "log:UpdateIndex",
                    "log:DeleteIndex",
                    "log:CreateSavedSearch",
                    "log:GetSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteSavedSearch",
                    "log:CreateDashboard",
                    "log:GetDashboard",
                    "log:UpdateDashboard",
                    "log:DeleteDashboard",
                    "log:CreateJob",
                    "log:GetJob",
                    "log:DeleteJob",
                    "log:UpdateJob",
                    "log:PostLogStoreLogs",
                    "log:CreateSortedSubStore",
                    "log:GetSortedSubStore",
                    "log:ListSortedSubStore",
                    "log:UpdateSortedSubStore",
                    "log:DeleteSortedSubStore",
                    "log:CreateApp",
                    "log:UpdateApp",
                    "log:GetApp",
                    "log:DeleteApp",
                    "log:GetLogStoreLogs",
                    "log:TagResources",
                    "log:ListJobs",
                    "log:ListTagResources",
                    "log:UntagResources",
                    "log:CreateResourceRecord",
                    "log:UpdateResourceRecord",
                    "log:UpsertResourceRecord",
                    "log:GetResourceRecord",
                    "log:DeleteResourceRecord",
                    "log:ListResourceRecords",
                    "log:ListResources",
                    "log:GetResource",
                    "cs:UpdateContactGroup",
                    "cs:DescribeTemplates",
                    "cs:DescribeTemplateAttribute",
                    "eventbridge:PutEvents"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }

Worker节点绑定角色权限

专有版集群Worker节点的RAM角色权限收敛后,默认绑定了CSI存储、网络和日志组件所需的最小化权限策略。

  • CSI存储组件权限策略内容

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeDisks",
                    "ecs:DescribeInstances",
                    "ecs:DescribeAvailableResource",
                    "ecs:DescribeInstanceTypes",
                    "nas:DescribeFileSystems",
                    "ecs:AttachDisk",
                    "ecs:CreateDisk",
                    "ecs:CreateSnapshot",
                    "ecs:DeleteSnapshot",
                    "ecs:DetachDisk"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • 网络组件权限策略内容

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:CreateNetworkInterface",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:AttachNetworkInterface",
                    "ecs:DetachNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:DescribeInstanceAttribute",
                    "ecs:DescribeInstanceTypes",
                    "ecs:AssignPrivateIpAddresses",
                    "ecs:UnassignPrivateIpAddresses",
                    "ecs:DescribeInstances",
                    "ecs:ModifyNetworkInterfaceAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • 日志组件权限策略内容

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:DeleteProject",
                    "log:CreateLogStore",
                    "log:GetLogStore",
                    "log:UpdateLogStore",
                    "log:DeleteLogStore",
                    "log:CreateConfig",
                    "log:UpdateConfig",
                    "log:GetConfig",
                    "log:DeleteConfig",
                    "log:CreateMachineGroup",
                    "log:UpdateMachineGroup",
                    "log:GetMachineGroup",
                    "log:DeleteMachineGroup",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetAppliedConfigs",
                    "log:RemoveConfigFromMachineGroup",
                    "log:CreateIndex",
                    "log:GetIndex",
                    "log:UpdateIndex",
                    "log:DeleteIndex",
                    "log:CreateSavedSearch",
                    "log:GetSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteSavedSearch",
                    "log:CreateDashboard",
                    "log:GetDashboard",
                    "log:UpdateDashboard",
                    "log:DeleteDashboard",
                    "log:CreateJob",
                    "log:GetJob",
                    "log:DeleteJob",
                    "log:UpdateJob",
                    "log:PostLogStoreLogs",
                    "log:CreateSortedSubStore",
                    "log:GetSortedSubStore",
                    "log:ListSortedSubStore",
                    "log:UpdateSortedSubStore",
                    "log:DeleteSortedSubStore",
                    "log:CreateApp",
                    "log:UpdateApp",
                    "log:GetApp",
                    "log:DeleteApp",
                    "log:GetLogStoreLogs",
                    "log:TagResources",
                    "log:ListJobs",
                    "log:ListTagResources",
                    "log:UntagResources",
                    "log:CreateResourceRecord",
                    "log:UpdateResourceRecord",
                    "log:UpsertResourceRecord",
                    "log:GetResourceRecord",
                    "log:DeleteResourceRecord",
                    "log:ListResourceRecords",
                    "log:ListResources",
                    "log:GetResource",
                    "cs:UpdateContactGroup",
                    "cs:DescribeTemplates",
                    "cs:DescribeTemplateAttribute",
                    "eventbridge:PutEvents"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }