RBAC permissions that CloudMonitor uses in Container Service for Kubernetes (ACK)

The CloudMonitor service-linked role AliyunServiceRoleForCloudMonitor is a predefined RAM role designed to let CloudMonitor monitor the Alibaba Cloud services in your account. RBAC (Role-Based Access Control) is access control based on roles. When ACK is being diagnosed, access to and diagnosis of ACK cluster resources must additionally be granted through RBAC, on top of the ACK access that AliyunServiceRoleForCloudMonitor authorizes.

RBAC permissions in Container Service for Kubernetes (ACK)

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole
rules:
  - apiGroups: ["vector.oam.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["o11y.aliyun.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods","replicationcontrollers","podtemplates", "nodes", "services","events","persistentvolumes","persistentvolumeclaims","componentstatuses","bindings", "namespaces","endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","pods/log","services/proxy"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["nodes/metrics"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["limitranges"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses","volumeattachments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps","extensions"]
    resources: ["deployments", "daemonsets", "statefulsets","replicasets","networkpolicies"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["alertmanagers","podmonitors","prometheuses","prometheuses/finalizers","alertmanagers/finalizers","servicemonitors","prometheusrules","probes"]
    verbs: ["*"]
  - apiGroups: ["batch.code.alibaba-inc.com"]
    resources: ["clustertokenrotations","ststokenrotations"]
    verbs: ["*"]
  - apiGroups: ["monitor.aliyun.com"]
    resources: ["alicloudpromrules","alicloudpromrules/status"]
    verbs: ["*"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings","roles","clusterroles","clusterrolebindings"]
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies","ingresses","ingressclasses"]
    verbs: ["*"]
  - apiGroups: ["apps.kruise.io"]
    resources: ["statefulsets"]
    verbs: ["*"]
  - apiGroups: ["nsm.alibabacloud.com"]
    resources: ["networkservices"]
    verbs: ["*"]
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
  - apiGroups: ["log.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["telemetry.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - get
      - list
      - watch

How to revoke access to the cluster API server

Method 1

You can revoke access to the cluster API server by modifying the ClusterRole.

  1. Log on to the ACK console with your Alibaba Cloud account, choose Clusters in the left-side navigation pane, and click the name of the target cluster.

  2. In the left-side navigation pane, choose Security Management > Roles.

  3. On the Roles page, click the Cluster Role tab and enter cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole in the search box to find it.

  4. In the Actions column of cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole, click Edit YAML, add the annotation inner.service.alibabacloud.com/user-customized: "true" (annotation values are strings, so quote the value), and delete all entries under the rules field.
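
As an added example (not code from this page or from Alibaba Cloud), the following Python audits a ClusterRole such as the one above for wildcard or write verbs on credential- and authorization-bearing resources, and builds the emptied, annotated form that Method 1 describes. The watch-list of sensitive resources and the function names are assumptions; the embedded rules are an excerpt of the ClusterRole shown above.

```python
"""Audit a ClusterRole for high-impact grants and build the Method 1 form (added example)."""
import copy

# Constructed watch-list (an assumption, not from the page): write or wildcard
# verbs here let a holder read credentials or change cluster authorization.
RBAC = "rbac.authorization.k8s.io"
SENSITIVE = {("", "secrets"), ("", "serviceaccounts/token"), ("", "services/proxy"),
             ("", "pods"), (RBAC, "roles"), (RBAC, "rolebindings"),
             (RBAC, "clusterroles"), (RBAC, "clusterrolebindings")}
WRITE_VERBS = {"*", "create", "update", "patch", "delete", "deletecollection",
               "bind", "escalate", "impersonate"}
# Excerpt of the page's ClusterRole (same groups, resources and verbs), inline.
CLOUDMONITOR_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole"},
    "rules": [
        {"apiGroups": [""], "verbs": ["*"], "resources": [
            "pods", "nodes", "secrets", "serviceaccounts", "pods/log", "services/proxy"]},
        {"apiGroups": [""], "resources": ["nodes/metrics"], "verbs": ["get"]},
        {"apiGroups": [RBAC], "verbs": ["*"], "resources": [
            "rolebindings", "roles", "clusterroles", "clusterrolebindings"]},
        {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]},
    ],
}

def high_impact_grants(clusterrole):
    """List (apiGroup, resource, verbs) for rules granting write or wildcard
    verbs on a sensitive resource or on every resource ('*')."""
    hits = []
    for rule in clusterrole.get("rules", []):
        if "nonResourceURLs" in rule:  # e.g. GET /metrics: no resource objects
            continue
        writes = set(rule.get("verbs", [])) & WRITE_VERBS
        if not writes:
            continue
        for group in rule.get("apiGroups", []):
            for res in rule.get("resources", []):
                if res == "*" or (group, res) in SENSITIVE:
                    hits.append((group, res, sorted(writes)))
    return hits

def disable_apiserver_access(clusterrole):
    """Method 1 as data: add the user-customized annotation (annotation values
    are strings, so the value is "true") and delete every entry under rules."""
    hardened = copy.deepcopy(clusterrole)
    hardened.setdefault("metadata", {}).setdefault("annotations", {})[
        "inner.service.alibabacloud.com/user-customized"] = "true"
    hardened["rules"] = []
    return hardened
```

Running high_impact_grants on the full ClusterRole above reports the same classes of grant (wildcard verbs on secrets, pods, services/proxy and all four RBAC object kinds, plus token creation), which is what Method 1 removes.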

Method 2

You can also revoke access to the cluster API server by going to the RAM console, choosing Identities > Roles in the navigation pane, and deleting AliyunServiceRoleForCloudMonitor.