The CloudMonitor service-linked role AliyunServiceRoleForCloudMonitor is a predefined RAM role created so that CloudMonitor can monitor the Alibaba Cloud services in your account. RBAC (Role-Based Access Control) is role-based access control. When CloudMonitor diagnoses a Container Service for Kubernetes (ACK) cluster, the ACK access granted to AliyunServiceRoleForCloudMonitor at the RAM level is not enough on its own: the role also needs in-cluster RBAC authorization to read and diagnose the cluster's Kubernetes resources. That in-cluster authorization is the ClusterRole below. Note that it is broad: it grants wildcard verbs on secrets, on every RBAC object (roles, clusterroles and their bindings) and on workload controllers, plus create on serviceaccounts/token, so a holder of this ClusterRole should be treated as cluster-admin-equivalent when you assess the blast radius of the role.
RBAC permissions in Container Service for Kubernetes (ACK)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole
rules:
  - apiGroups: ["vector.oam.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["o11y.aliyun.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods", "replicationcontrollers", "podtemplates", "nodes", "services", "events", "persistentvolumes", "persistentvolumeclaims", "componentstatuses", "bindings", "namespaces", "endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts", "pods/log", "services/proxy"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["nodes/metrics"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["limitranges"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses", "volumeattachments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps", "extensions"]
    resources: ["deployments", "daemonsets", "statefulsets", "replicasets", "networkpolicies"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["alertmanagers", "podmonitors", "prometheuses", "prometheuses/finalizers", "alertmanagers/finalizers", "servicemonitors", "prometheusrules", "probes"]
    verbs: ["*"]
  - apiGroups: ["batch.code.alibaba-inc.com"]
    resources: ["clustertokenrotations", "ststokenrotations"]
    verbs: ["*"]
  - apiGroups: ["monitor.aliyun.com"]
    resources: ["alicloudpromrules", "alicloudpromrules/status"]
    verbs: ["*"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings", "roles", "clusterroles", "clusterrolebindings"]
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies", "ingresses", "ingressclasses"]
    verbs: ["*"]
  - apiGroups: ["apps.kruise.io"]
    resources: ["statefulsets"]
    verbs: ["*"]
  - apiGroups: ["nsm.alibabacloud.com"]
    resources: ["networkservices"]
    verbs: ["*"]
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
  - apiGroups: ["log.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["telemetry.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch
How to block access to the cluster API server
Method 1
You can block CloudMonitor's access to the cluster API server by editing the ClusterRole. This removes only the in-cluster RBAC permissions; the RAM role itself, and the ACK access it is granted at the RAM level, remain in place.
Log on to the ACK console with your Alibaba Cloud account. In the left-side navigation pane, choose Clusters, then click the name of the target cluster.
In the left-side navigation pane, choose the roles entry (the exact menu path is not preserved on this page). On the Roles page, click the Cluster Role tab and enter cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole in the search box.
In the Actions column of cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole, click Edit YAML, add the annotation
inner.service.alibabacloud.com/user-customized: "true"
under metadata.annotations, and delete every entry under the rules field (leaving rules: [] is fine). Quote the annotation value: Kubernetes annotations are string-to-string maps, so an unquoted YAML boolean true is rejected by the API server when you save.
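The following script is an added example and is not part of this page or of CloudMonitor/ACK's own tooling. It embeds a constructed subset of the ClusterRole shown above, flags rule entries that amount to cluster-wide privilege escalation (wildcard verbs on secrets, create on serviceaccounts/token, wildcard verbs on RBAC objects), and then builds the method-one lock-down, the user-customized annotation plus an empty rules list, both as an object and as a kubectl merge patch. The impact descriptions are general Kubernetes RBAC facts, the kubectl command in the docstring is an assumed workflow, and the stated purpose of the annotation (keeping a managed component from restoring the rules) is an assumption the page does not confirm.

```python
"""Audit the CloudMonitor ClusterRole and build the method-one lock-down edit.

Added example; not part of the ACK/CloudMonitor documentation or tooling.
"""
import copy
import json
import sys

ANNOTATION = "inner.service.alibabacloud.com/user-customized"

# Constructed subset of the ClusterRole shown above (the real object has more rules).
CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole"},
    "rules": [
        {"apiGroups": [""],
         "resources": ["pods", "secrets", "serviceaccounts", "pods/log", "services/proxy"],
         "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["nodes/metrics"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["rolebindings", "roles", "clusterroles", "clusterrolebindings"],
         "verbs": ["*"]},
        {"apiGroups": ["apps", "extensions"],
         "resources": ["deployments", "daemonsets"], "verbs": ["*"]},
        {"apiGroups": ["batch"], "resources": ["cronjobs", "jobs"], "verbs": ["list", "watch"]},
        {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
    ],
}

# (apiGroup, resource, verb) triples that let the holder escalate to cluster-admin
# or read everything. Impact text is general Kubernetes RBAC knowledge.
SENSITIVE = {
    ("", "secrets", "get"): "read any Secret (tokens, TLS keys, credentials)",
    ("", "secrets", "list"): "enumerate and dump all Secrets",
    ("", "serviceaccounts/token", "create"): "mint a token for any ServiceAccount",
    ("", "pods", "create"): "create privileged or hostPath pods on any node",
    ("", "services/proxy", "get"): "reach in-cluster services through the API server",
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"): "bind a subject to cluster-admin",
    ("rbac.authorization.k8s.io", "clusterroles", "bind"): "bind roles the holder could not otherwise grant",
    ("rbac.authorization.k8s.io", "clusterroles", "escalate"): "write roles more powerful than the holder",
    ("apps", "daemonsets", "create"): "run a workload on every node",
}


def rule_allows(rule, group, resource, verb):
    """True if one RBAC rule grants `verb` on `group`/`resource`.

    Mirrors the API server's matching: "*" matches anything in its slot, and a
    subresource such as "serviceaccounts/token" only matches when it is listed
    explicitly (or via "*"); "serviceaccounts" alone does not cover it.
    """
    if "nonResourceURLs" in rule:      # URL rules never grant resource access
        return False
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    return (("*" in groups or group in groups)
            and ("*" in resources or resource in resources)
            and ("*" in verbs or verb in verbs))


def audit(clusterrole):
    """Return one finding per (rule index, sensitive triple) the ClusterRole grants."""
    findings = []
    for i, rule in enumerate(clusterrole["rules"]):
        for (group, resource, verb), impact in SENSITIVE.items():
            if rule_allows(rule, group, resource, verb):
                findings.append({"rule": i, "apiGroup": group, "resource": resource,
                                 "verb": verb, "impact": impact})
    return findings


def lockdown(clusterrole):
    """Method one as an object: add the annotation and drop every rule.

    Annotation values are strings in Kubernetes, so the value is the string "true",
    not a boolean. Assumption (not stated on the page): the annotation marks the
    object as user-customized so a managed component does not restore the rules.
    """
    out = copy.deepcopy(clusterrole)                       # never mutate the input
    out["metadata"].setdefault("annotations", {})[ANNOTATION] = "true"
    out["rules"] = []
    return out


def lockdown_merge_patch():
    """Same edit as a JSON merge patch; a merge patch replaces the whole rules array.

    Assumed usage (not from the page):
      kubectl patch clusterrole <name> --type=merge -p "$(python3 audit.py patch)"
    """
    return {"metadata": {"annotations": {ANNOTATION: "true"}}, "rules": []}


if __name__ == "__main__":
    if "patch" in sys.argv[1:]:
        print(json.dumps(lockdown_merge_patch()))
    else:
        for f in audit(CLUSTERROLE):
            print(f"rule[{f['rule']}] {f['apiGroup'] or 'core'}/{f['resource']} "
                  f"{f['verb']}: {f['impact']}")
        print("after lockdown:", audit(lockdown(CLUSTERROLE)))
```

Run it without arguments to see which rules of the page's ClusterRole are escalation paths; the audit of the locked-down object is empty, which is the check to repeat after saving the YAML in the console.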
Method 2
You can also block access to the cluster API server from the RAM console: open the roles page in the navigation pane (the exact menu path is not preserved on this page) and delete the AliyunServiceRoleForCloudMonitor role. Unlike method 1, this acts at the account level rather than on one cluster: the service-linked role is what CloudMonitor uses to reach your Alibaba Cloud services, so deleting it removes CloudMonitor's access to every ACK cluster in the account, not just the one you are locking down.