Grant permissions to the ALB Ingress Controller in a self-managed cluster

The ALB Ingress Controller provides powerful Ingress traffic management features. This topic describes how to grant the ALB Ingress Controller the permissions it needs in a self-managed cluster, so that the cluster can use the controller's traffic management features.

Procedure

  1. Step 1: Create a RAM user

  2. Step 2: Create a permission policy and attach it to the RAM user

  3. Step 3: Configure the AccessKey ID and AccessKey Secret in the self-managed cluster

Step 1: Create a RAM user

  1. Log on to the RAM console with an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users, and click Create User on the page that appears.

  3. On the Create User page, enter a Logon Name and a Display Name, select Use permanent AccessKey to access, and click OK.

  4. On the Create User page, copy the AccessKey ID and the AccessKey Secret.

Step 2: Create a permission policy and attach it to the RAM user

  1. Create the permission policy that the ALB Ingress Controller component calls the cloud APIs with.

    1. In the left-side navigation pane of the RAM console, choose Permissions > Policies, and click Create Policy on the page that appears.

    2. Click the Script Editor tab, copy the following content into the code box, and click OK.


      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ecs:Describe*",
              "ecs:CreateRouteEntry",
              "ecs:DeleteRouteEntry",
              "ecs:CreateNetworkInterface",
              "ecs:DeleteNetworkInterface",
              "ecs:CreateNetworkInterfacePermission",
              "ecs:DeleteNetworkInterfacePermission",
              "ecs:ModifyInstanceAttribute",
              "ecs:AttachKeyPair",
              "ecs:StopInstance",
              "ecs:StartInstance",
              "ecs:ReplaceSystemDisk"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "slb:Describe*",
              "slb:CreateLoadBalancer",
              "slb:DeleteLoadBalancer",
              "slb:ModifyLoadBalancerInternetSpec",
              "slb:RemoveBackendServers",
              "slb:AddBackendServers",
              "slb:RemoveTags",
              "slb:AddTags",
              "slb:StopLoadBalancerListener",
              "slb:StartLoadBalancerListener",
              "slb:SetLoadBalancerHTTPListenerAttribute",
              "slb:SetLoadBalancerHTTPSListenerAttribute",
              "slb:SetLoadBalancerTCPListenerAttribute",
              "slb:SetLoadBalancerUDPListenerAttribute",
              "slb:CreateLoadBalancerHTTPSListener",
              "slb:CreateLoadBalancerHTTPListener",
              "slb:CreateLoadBalancerTCPListener",
              "slb:CreateLoadBalancerUDPListener",
              "slb:DeleteLoadBalancerListener",
              "slb:CreateVServerGroup",
              "slb:DescribeVServerGroups",
              "slb:DeleteVServerGroup",
              "slb:SetVServerGroupAttribute",
              "slb:DescribeVServerGroupAttribute",
              "slb:ModifyVServerGroupBackendServers",
              "slb:AddVServerGroupBackendServers",
              "slb:ModifyLoadBalancerInstanceSpec",
              "slb:ModifyLoadBalancerInternetSpec",
              "slb:SetLoadBalancerModificationProtection",
              "slb:SetLoadBalancerDeleteProtection",
              "slb:SetLoadBalancerName",
              "slb:ModifyLoadBalancerInstanceChargeType",
              "slb:RemoveVServerGroupBackendServers"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "nlb:TagResources",
              "nlb:UnTagResources",
              "nlb:ListTagResources",
              "nlb:CreateLoadBalancer",
              "nlb:DeleteLoadBalancer",
              "nlb:GetLoadBalancerAttribute",
              "nlb:ListLoadBalancers",
              "nlb:UpdateLoadBalancerAttribute",
              "nlb:UpdateLoadBalancerAddressTypeConfig",
              "nlb:UpdateLoadBalancerZones",
              "nlb:CreateListener",
              "nlb:DeleteListener",
              "nlb:ListListeners",
              "nlb:UpdateListenerAttribute",
              "nlb:StopListener",
              "nlb:StartListener",
              "nlb:GetListenerAttribute",
              "nlb:GetListenerHealthStatus",
              "nlb:CreateServerGroup",
              "nlb:DeleteServerGroup",
              "nlb:UpdateServerGroupAttribute",
              "nlb:AddServersToServerGroup",
              "nlb:RemoveServersFromServerGroup",
              "nlb:UpdateServerGroupServersAttribute",
              "nlb:ListServerGroups",
              "nlb:ListServerGroupServers",
              "nlb:GetJobStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "vpc:Describe*",
              "vpc:DeleteRouteEntry",
              "vpc:CreateRouteEntry"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": [
                  "alb.aliyuncs.com",
                  "audit.log.aliyuncs.com",
                  "logdelivery.alb.aliyuncs.com"
                ]
              }
            }
          },
          {
            "Action": [
              "yundun-cert:DescribeSSLCertificateList",
              "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
              "yundun-cert:CreateSSLCertificateWithName",
              "yundun-cert:DeleteSSLCertificate"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "alb:TagResources",
              "alb:UnTagResources",
              "alb:ListServerGroups",
              "alb:ListServerGroupServers",
              "alb:AddServersToServerGroup",
              "alb:RemoveServersFromServerGroup",
              "alb:ReplaceServersInServerGroup",
              "alb:CreateLoadBalancer",
              "alb:DeleteLoadBalancer",
              "alb:UpdateLoadBalancerAttribute",
              "alb:UpdateLoadBalancerEdition",
              "alb:EnableLoadBalancerAccessLog",
              "alb:DisableLoadBalancerAccessLog",
              "alb:EnableDeletionProtection",
              "alb:DisableDeletionProtection",
              "alb:ListLoadBalancers",
              "alb:GetLoadBalancerAttribute",
              "alb:ListListeners",
              "alb:CreateListener",
              "alb:GetListenerAttribute",
              "alb:UpdateListenerAttribute",
              "alb:ListListenerCertificates",
              "alb:AssociateAdditionalCertificatesWithListener",
              "alb:DissociateAdditionalCertificatesFromListener",
              "alb:DeleteListener",
              "alb:CreateRule",
              "alb:DeleteRule",
              "alb:UpdateRuleAttribute",
              "alb:UpdateRulesAttribute",
              "alb:CreateRules",
              "alb:DeleteRules",
              "alb:ListRules",
              "alb:CreateServerGroup",
              "alb:DeleteServerGroup",
              "alb:UpdateServerGroupAttribute",
              "alb:DescribeZones",
              "alb:CreateAcl",
              "alb:DeleteAcl",
              "alb:ListAcls",
              "alb:AddEntriesToAcl",
              "alb:AssociateAclsWithListener",
              "alb:ListAclEntries",
              "alb:RemoveEntriesFromAcl",
              "alb:DissociateAclsFromListener",
              "alb:EnableLoadBalancerIpv6Internet",
              "alb:DisableLoadBalancerIpv6Internet"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
    3. In the Create Policy dialog box, enter a Name and click OK.

  2. Attach the permission policy for the ALB Ingress Controller component to the RAM user.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user created in Step 1: Create a RAM user, and click Add Permissions in the Actions column of that user.

    3. In the Add Permissions panel, select Custom Policy in the Policy section, select the policy you created, keep the default values for the other settings, and click OK.

    4. Click Close.
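The policy above grants the controller create and delete rights on ECS, SLB, NLB, VPC, certificate and ALB resources with "Resource": "*", and it is attached to a long-lived AccessKey pair. Before attaching it, a reviewer usually wants the scope written out per service and the unconditioned wildcard grants listed explicitly. The following script is an added example and is not part of the Alibaba Cloud documentation or the controller's code: it parses a policy document of the same shape (a constructed, abbreviated copy is embedded; the full policy can be passed as a file argument), summarizes the allowed actions per service, and reports the statements with "Resource": "*" and no Condition, wildcard actions, and whether ram:CreateServiceLinkedRole is still restricted by ram:ServiceName.

```python
"""Offline scope review for the RAM policy of a self-managed cluster's
ALB Ingress Controller (added example, not from the documentation)."""
import json
import sys
from collections import defaultdict

# Constructed, abbreviated policy with the same shape as the policy in Step 2;
# only a few representative actions per service are included.
POLICY_JSON = """
{
  "Version": "1",
  "Statement": [
    {
      "Action": ["ecs:Describe*", "ecs:StopInstance", "ecs:ReplaceSystemDisk"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": ["alb:CreateLoadBalancer", "alb:DeleteLoadBalancer", "alb:ListRules"],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": ["alb.aliyuncs.com", "logdelivery.alb.aliyuncs.com"]
        }
      }
    }
  ]
}
"""


def actions_of(statement):
    """RAM accepts "Action" as a single string or a list; normalize to a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def summarize_policy(policy_text):
    """Return {service: sorted action names} over all Allow statements."""
    policy = json.loads(policy_text)
    by_service = defaultdict(set)
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in actions_of(stmt):
            service, _, name = action.partition(":")
            by_service[service].add(name)
    return {svc: sorted(names) for svc, names in by_service.items()}


def review_policy(policy_text):
    """Return human-readable findings about the policy's scope.

    The findings are informational: the controller needs broad rights to
    create and delete cloud resources, so the goal is to make the blast
    radius of the AccessKey explicit rather than to reject the policy.
    """
    policy = json.loads(policy_text)
    findings = []
    for idx, stmt in enumerate(policy["Statement"]):
        actions = actions_of(stmt)
        if stmt.get("Resource") == "*" and "Condition" not in stmt:
            findings.append(f"statement {idx}: Resource '*' with no Condition "
                            f"({len(actions)} action(s))")
        for action in actions:
            if action.endswith("*"):
                findings.append(f"statement {idx}: wildcard action {action}")
        if "ram:CreateServiceLinkedRole" in actions:
            names = (stmt.get("Condition", {})
                         .get("StringEquals", {})
                         .get("ram:ServiceName", []))
            if not names:
                findings.append(f"statement {idx}: CreateServiceLinkedRole is not "
                                f"restricted by ram:ServiceName")
    return findings


if __name__ == "__main__":
    # Usage: python review_policy.py [policy.json]; without an argument the
    # embedded constructed policy is reviewed.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else POLICY_JSON
    for svc, names in summarize_policy(text).items():
        print(f"{svc}: {', '.join(names)}")
    for finding in review_policy(text):
        print("review:", finding)
```

Run it against the full policy saved from the Script Editor tab to get the per-service inventory; the ram:ServiceName check confirms that the only role the AccessKey can create is a service-linked role for the services listed in the Condition.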

Step 3: Configure the AccessKey ID and AccessKey Secret in the self-managed cluster

  1. Base64-encode the AccessKey ID and the AccessKey Secret.

    1. In a Base64 encoder, enter the AccessKey ID and click Encode to obtain the encoded AccessKey ID.

    2. Enter the AccessKey Secret and click Encode to obtain the encoded AccessKey Secret.

  2. Run the following command, enter the Base64-encoded AccessKey ID and AccessKey Secret into the load-balancer-config ConfigMap of the self-managed cluster, and save the ConfigMap.

    vim <load-balancer-config ConfigMap file name>

    Example of the load-balancer-config ConfigMap:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: load-balancer-config
      namespace: kube-system
    data:
      # AccessKeyID: the Base64-encoded AccessKey ID.
      # AccessKeySecret: the Base64-encoded AccessKey Secret.
      # Keep comments outside the literal block below: everything inside it
      # becomes part of the JSON document that the controller parses.
      cloud-config.conf: |-
        {
            "Global": {
                "AccessKeyID": "VndV***",
                "AccessKeySecret": "UWU0NnUyTFdhcG***"
            }
        }

  3. Run the following command to deploy the load-balancer-config ConfigMap.

    kubectl apply -f <load-balancer-config ConfigMap file name>

  4. Restart the load-balancer-controller Pod for the configuration to take effect.

    1. Run the following command to obtain the name of the load-balancer-controller Pod.

      kubectl get pod -n kube-system | grep load-balancer-controller

    2. Run the following command to delete the load-balancer-controller Pod.

      kubectl delete pod -n kube-system load-balancer-controller-***

      Expected output:

      pod load-balancer-controller-*** deleted

    3. Run the following command to check the status of the recreated load-balancer-controller Pod.

      kubectl get pod -n kube-system | grep load-balancer-controller

      Expected output:

      load-balancer-controller-0o9s***     1/1    Running   0    10s
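The encoding, manifest and restart steps above can be carried out on the workstation that already holds kubectl access, so the AccessKey pair never has to be pasted into a web page or a shell command line. The following script is an added example and is not from the Alibaba Cloud documentation or the controller project: it reads the pair from two environment variables (the variable names and the --apply flag are choices made for this example), Base64-encodes them locally, renders the load-balancer-config ConfigMap in the shape shown in step 2, round-trips the rendered manifest to confirm the values decode back to the originals, and, only when asked, applies the manifest and deletes the load-balancer-controller Pod so it restarts with the new configuration.

```python
"""Render and verify the load-balancer-config ConfigMap locally
(added example, not from the documentation or the controller project)."""
import base64
import json
import os
import subprocess
import sys


def b64(value):
    """Standard Base64 (RFC 4648) of a UTF-8 string, matching a Base64 encoder's output."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def cloud_config(access_key_id, access_key_secret):
    """Build the cloud-config.conf JSON document with Base64-encoded credentials.

    No comments are emitted inside the JSON: the manifest embeds it as a
    literal block scalar, so anything written there would reach the parser.
    """
    doc = {"Global": {"AccessKeyID": b64(access_key_id),
                      "AccessKeySecret": b64(access_key_secret)}}
    return json.dumps(doc, indent=4)


def render_config_map(access_key_id, access_key_secret):
    """Render the load-balancer-config ConfigMap manifest as YAML text."""
    body = "\n".join("    " + line
                     for line in cloud_config(access_key_id, access_key_secret).splitlines())
    return (
        "apiVersion: v1\n"
        "kind: ConfigMap\n"
        "metadata:\n"
        "  name: load-balancer-config\n"
        "  namespace: kube-system\n"
        "data:\n"
        "  cloud-config.conf: |-\n"
        f"{body}\n"
    )


def credentials_from_manifest(manifest):
    """Extract the literal block, parse the JSON and decode the pair (round-trip check)."""
    lines = manifest.splitlines()
    start = lines.index("  cloud-config.conf: |-") + 1
    block = [line[4:] for line in lines[start:] if line.startswith("    ")]
    cfg = json.loads("\n".join(block))["Global"]
    return (base64.b64decode(cfg["AccessKeyID"]).decode("utf-8"),
            base64.b64decode(cfg["AccessKeySecret"]).decode("utf-8"))


def apply_config_map(manifest):
    """Pipe the manifest to kubectl; same effect as 'kubectl apply -f <file>'."""
    subprocess.run(["kubectl", "apply", "-f", "-"], input=manifest.encode(), check=True)


def restart_controller():
    """Delete the load-balancer-controller Pod(s) so they restart with the new ConfigMap."""
    out = subprocess.run(["kubectl", "get", "pod", "-n", "kube-system", "-o", "name"],
                         capture_output=True, check=True, text=True).stdout
    for name in out.split():
        if "load-balancer-controller" in name:
            subprocess.run(["kubectl", "delete", "-n", "kube-system", name], check=True)


if __name__ == "__main__":
    # Variable names chosen for this example; set them in the calling shell.
    ak_id = os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"]
    ak_secret = os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"]
    manifest = render_config_map(ak_id, ak_secret)
    if credentials_from_manifest(manifest) != (ak_id, ak_secret):
        sys.exit("rendered manifest does not round-trip the credentials")
    if "--apply" in sys.argv:
        apply_config_map(manifest)
        restart_controller()
    else:
        sys.stdout.write(manifest)
```

Without --apply the script only prints the manifest, which lets you diff it against the ConfigMap already in the cluster (kubectl get configmap load-balancer-config -n kube-system -o yaml) before replacing it; after --apply, check the Pod status with the kubectl get pod command from step 4.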

References

Tutorial:

Best practices for using ALB Ingress in a self-managed Kubernetes cluster

Source code documentation: