容器計算服務 ACS(Container Compute Service)的授權體系包含對基礎計算資源的RAM授權和對ACS類型ACK集群側RBAC授權,不同用戶角色在這兩個層面都具有不同的權限要求。本文介紹針對企業資源管理人員,Kubernetes集群管理人員,以及集群與應用運維人員、應用開發人員、權限管理人員五類對象的授權最佳實踐。
ACS授權體系
ACS的授權體系包含對基礎資源層的RAM授權以及對ACS集群層的RBAC授權。ACS授權體系如下圖所示。
RAM授權包括對集群的運維操作,因為ACS集群是 ACK 的一種 Serverless K8s 集群類型,對ACS集群的運維操作需要通過ACK OpenAPI執行,所以需要獲取ACK產品及其所依賴的阿里云產品的OpenAPI操作權限,主要包括以下操作:
集群:創建、查看、刪除。
集群RBAC授權管理。
集群監控、日志、事件。
RBAC授權對應的是運行于ACS集群中Kubernetes應用的運維操作,需要獲取ACS集群及其命名空間的操作權限,主要包括對以下Kubernetes對象的增刪改查操作:
工作負載:Deployment、StatefulSet、Job、CronJob、Pod、ReplicaSet、HPA等。
網絡:Service、Ingress、NetworkPolicy等。
存儲:PV、PVC、StorageClass等。
Namespace、ConfigMap、Secrets等。
系統默認授權策略
容器計算服務ACS預置以下系統授權策略,您可以通過給RAM用戶或RAM角色授權系統默認授權策略,完成快速授權。
系統默認授權策略授權范圍較大,可具有ACK、ACS所有OpenAPI的讀或寫權限,請謹慎授權。
系統默認授權策略 | 授權策略描述 |
AliyunAccFullAccess | 管理容器計算服務ACS的權限。 |
AliyunAccReadOnlyAccess | 只讀訪問容器計算服務ACS的權限。 |
AliyunCSFullAccess | 管理容器服務ACK的權限。 重要 可讀寫操作包括ACS類型在內所有ACK集群的,請謹慎授權。 |
AliyunCSReadOnlyAccess | 只讀訪問容器服務ACK的權限。 重要 可讀操作包括ACS類型在內所有ACK集群的,請謹慎授權。 |
AliyunAccFullAccess授權策略
{
"Statement": [
{
"Effect": "Allow",
"Action": "acc:*",
"Resource": "*"
}
],
"Version": "1"
}AliyunAccReadOnlyAccess授權策略
{
"Version": "1",
"Statement": [
{
"Action": [
"acc:Describe*",
"acc:CheckServiceRole"
],
"Resource": "*",
"Effect": "Allow"
}
]
}AliyunCSFullAccess授權策略
{
"Version": "1",
"Statement": [
{
"Action": "cs:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:PassRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:Service": "cs.aliyuncs.com"
}
}
}
]
}AliyunCSReadOnlyAccess授權策略
{
"Version": "1",
"Statement": [
{
"Action": [
"cs:CheckServiceRole",
"cs:Get*",
"cs:List*",
"cs:Describe*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}授權最佳實踐
當RAM用戶或RAM角色需要進行集群運維和應用運維時,您需要依次對其進行RAM授權和RBAC授權。在進行RBAC授權之前,您需要先進行RAM授權。三種典型場景的授權操作如下:
如果授權對象為集群與集群內應用的運維人員,請參見場景一:授權對象為集群與集群內應用的運維人員。
如果授權對象為集群內應用的開發人員,請參見場景二:授權對象為集群內應用的開發人員。
如果授權對象為集群內應用的權限管理員,請參見場景三:授權對象為集群內應用的權限管理員。
場景一:授權對象為集群與集群內應用的運維人員
授權對象需要管理和運維ACS集群所需的必要權限,同時有ACS集群內應用資源對象的運維需求。因此授權流程包含RAM授權和RBAC授權。
RAM授權
容器服務ACK在RAM側提供了AliyunCSFullAccess和AliyunCSReadOnlyAccess兩個系統策略。
AliyunCSFullAccess包含了容器服務ACK全部OpenAPI的讀寫訪問權限。
AliyunCSReadOnlyAccess包含了容器服務ACK全部OpenAPI的只讀訪問權限。
重要以上兩個系統策略授權操作包括ACS類型在內所有ACK集群的,請謹慎授權。
如果您有細粒度權限控制的需求,可以自定義授權策略。具體操作,請參見為RAM用戶或RAM角色授予RAM權限。
此場景下,RAM授權策略示例如下所示。
{ "Statement": [ { "Effect": "Allow", "Action": [ "acc:DescribeCommodityStatus", "acc:CheckServiceRole", "acc:DescribeCloudProducts", "acc:DescribeRegions", "acc:DescribeZones", "acc:GetInstancePrice" ], "Resource": "*" }, { "Effect": "Allow", "Action": "bssapi:GetPayAsYouGoPrice", "Resource": "*" }, { "Action": "ecs:DescribePrice", "Effect": "Allow", "Resource": "*" }, { "Action": "ram:GetRole", "Effect": "Allow", "Resource": "*" }, { "Action": [ "cs:CreateCluster", "cs:DescribeAddons" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "cs:GetClusters", "cs:DescribeClustersV1", "cs:DescribeClusterUserKubeconfig", "cs:DescribeClusterResources", "cs:DescribeUserQuota", "cs:DescribeClusterLogs", "cs:ModifyCluster", "cs:UpgradeCluster", "cs:GetUpgradeStatus", "cs:ResumeUpgradeCluster", "cs:PauseClusterUpgrade", "cs:CancelClusterUpgrade", "cs:InstallClusterAddons", "cs:UpgradeClusterAddons", "cs:DescribeClusterAddonsUpgradeStatus", "cs:UnInstallClusterAddons", "cs:DeleteCluster", "cs:DescribeClusterDetail", "cs:GetClusterAuditProject", "cs:DescribeClusterAddonsVersion", "cs:DescribeClusterTasks", "cs:DescribeClusterEvents", "cs:DescribeEvents", "cs:ListClusterReportSummary", "cs:GetClusterBasicInfo", "cs:ListReportTaskRule", "cs:CreateReportTaskRule", "cs:CreateClusterCheck" ], "Effect": "Allow", "Resource": "acs:cs:*:*:cluster/<yourclusterID>" }, { "Action": [ "cs:CheckServiceRole", "cs:DescribeKubernetesVersionMetadata" ], "Effect": "Allow", "Resource": "acs:cs:*:*:cluster/*" }, { "Action": [ "log:ListProject" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "vpc:ListEnhanhcedNatGatewayAvailableZones", "vpc:DescribeEipAddresses" ], "Effect": "Allow", "Resource": "*" } ], "Version": "1" }上面示例中
<yourclusterID>需要替換成實際ACS集群ID。關于容器服務ACK OpenAPI的更多說明,請參見【產品變更】容器服務OpenAPI鑒權優化公告和API概覽。
RBAC授權
完成RAM授權后,您還需要為RAM用戶或RAM角色授予對應集群的RBAC權限。容器服務ACK在集群層面提供了四種預置角色。
角色
集群內RBAC權限
管理員
對所有命名空間下所有資源有讀寫權限。
運維人員
對所有命名空間下控制臺可見Kubernetes資源有讀寫權限,對集群節點、存儲卷、命名空間、配額有只讀權限。
開發人員
對所有命名空間或所選命名空間下控制臺可見Kubernetes資源有讀寫權限。
受限用戶
對所有命名空間或所選命名空間下控制臺可見Kubernetes資源有只讀權限。
此場景下,您可以容器計算服務控制臺授權管理頁面,為授權對象配置目標集群和對應命名空間的訪問權限為運維人員。
綁定預置角色后,ACS會自動在集群中創建與被授權對象身份對應的ClusterRoleBinding實例。預置運維人員角色的RBAC權限如下所示。
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cs:ops rules: - apiGroups: [""] resources: ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: [""] resources: ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: [""] resources: ["bindings", "events", "limitranges", "namespaces/status", "replicationcontrollers/status", "pods/log", "pods/status", "resourcequotas", "resourcequotas/status", "componentstatuses"] verbs: ["get", "list", "watch"] - apiGroups: [""] resources: ["namespaces", "nodes", "persistentvolumes"] verbs: ["get", "list", "watch", "patch"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get"] - apiGroups: ["apps"] resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["autoscaling"] resources: ["horizontalpodautoscalers"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["batch"] resources: ["cronjobs", "jobs"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["extensions"] resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale","ingresses","replicasets", "replicasets/scale", "replicationcontrollers/scale"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["networking.k8s.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["servicecatalog.k8s.io"] resources: ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"] verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - apiGroups: ["servicecatalog.k8s.io"] resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status",] verbs: ["update"] - apiGroups: ["storage.k8s.io"] resources: ["storageclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["alicloud.com"] resources: ["*"] verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - apiGroups: ["policy"] resources: ["poddisruptionbudgets"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["metrics.k8s.io"] resources: ["pods"] verbs: ["get", "watch", "list"] - apiGroups: ["networking.istio.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["config.istio.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["rbac.istio.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["istio.alibabacloud.com"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["authentication.istio.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["log.alibabacloud.com"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["monitoring.kiali.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["kiali.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["serving.knative.dev"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["eventing.knative.dev"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["messaging.knative.dev"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["sources.eventing.knative.dev"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["tekton.dev"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["alert.alibabacloud.com"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]如果您有細粒度的RBAC權限控制需求,可以參考RBAC創建自定義ClusterRole實例,然后在容器計算服務控制臺授權管理頁面選擇自定義角色,再從下拉列表中選擇自定義的ClusterRole名稱。具體操作,請參見自定義RBAC授權策略。
場景二:授權對象為集群內應用的開發人員
授權對象只需要擁有ACS類型ACK集群內Kubernetes資源對象的操作權限(即RBAC授權),無需云上資源的訪問權限。
在進行RBAC授權之前,授權對象需要至少具有目標集群的容器服務只讀權限(即RAM授權)。授權Action及Resource “*” 代表授予RAM用戶或RAM角色包括ACS類型集群在內所有ACK集群的授權Action操作,所以請盡量不要將Resource置為“*”,除非您充分了解授權范圍及影響,有目的性地進行全部授權。
RAM授權
您需要在RAM管理控制臺,新增自定義策略,并將該策略授權給目標RAM用戶或RAM角色。具體操作,請參見為RAM用戶或RAM角色授予RAM權限。自定義策略內容如下所示:
{ "Statement": [ { "Effect": "Allow", "Action": [ "acc:DescribeCommodityStatus", "acc:CheckServiceRole", "acc:DescribeCloudProducts", "acc:DescribeRegions", "acc:DescribeZones", "acc:GetInstancePrice" ], "Resource": "*" }, { "Effect": "Allow", "Action": "bssapi:GetPayAsYouGoPrice", "Resource": "*" }, { "Action": [ "cs:Get*", "cs:List*", "cs:Check*", "cs:Describe*" ], "Effect": "Allow", "Resource": [ "acs:cs:*:*:cluster/<yourclusterID>"。 ] }, { "Action": [ "vpc:ListEnhanhcedNatGatewayAvailableZones", "vpc:DescribeEipAddresses" ], "Effect": "Allow", "Resource": "*" } ], "Version": "1" }上面示例中
<yourclusterID>需要替換成實際ACS集群ID。說明如果您只需要為授權對象添加ACS類型ACK集群的只讀權限,請務必通過該示例指定ACS類型ACK集群ARN,不可以為其添加容器服務ACK提供的RAM系統策略
AliyunCSReadOnlyAccess,否則將會為授權對象添加除ACS類型以外所有ACK集群的只讀權限。RBAC授權
您需要在容器計算服務控制臺授權管理頁面,為授權對象(RAM用戶或RAM角色)配置目標集群和對應命名空間的訪問權限為開發人員。
綁定預置角色后,ACS會自動在集群中創建與被授權對象身份對應的ClusterRoleBinding實例。預置開發人員角色的RBAC權限如下所示。
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cs:ns:dev rules: - apiGroups: [""] resources: ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: [""] resources: ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: [""] resources: ["events", "replicationcontrollers/status", "pods/log", "pods/status"] verbs: ["get", "list", "watch"] - apiGroups: ["apps"] resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["autoscaling"] resources: ["horizontalpodautoscalers"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["batch"] resources: ["cronjobs", "jobs"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["extensions"] resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale","ingresses","replicasets", "replicasets/scale", "replicationcontrollers/scale"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["networking.k8s.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["servicecatalog.k8s.io"] resources: ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"] verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - apiGroups: ["servicecatalog.k8s.io"] resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status",] verbs: ["update"] - apiGroups: ["alicloud.com"] resources: ["*"] verbs: ["create", "delete", "get", "list", "patch", "update", "watch"] - apiGroups: ["policy"] resources: ["poddisruptionbudgets"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["networking.istio.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["config.istio.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["rbac.istio.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["istio.alibabacloud.com"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["authentication.istio.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["log.alibabacloud.com"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["monitoring.kiali.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["kiali.io"] resources: ["*"] verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["serving.knative.dev"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["eventing.knative.dev"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["messaging.knative.dev"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["sources.eventing.knative.dev"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["tekton.dev"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"] - apiGroups: ["alert.alibabacloud.com"] resources: ["*"] verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
場景三:授權對象為集群內應用的權限管理員
授權對象需要管理其他RAM用戶或RAM角色的RBAC權限。默認情況下,RAM用戶或RAM角色不具備對其他RAM用戶或RAM角色授權RBAC的權限。當授權對象進入容器計算服務控制臺授權管理頁面時,如果界面提示當前子賬號不具備授權管理權限,請聯系主賬號或權限管理員授權,則說明授權對象缺少必要的RAM授權或對集群的RBAC管理員授權。
RAM授權
需要確保授權對象被授予必要的RAM權限,策略內容需要包括:
列舉其他RAM用戶或RAM角色
給指定RAM用戶或RAM角色授予RAM權限策略
查看指定RAM用戶或RAM角色的Kubernetes RBAC權限配置
Kubernetes RBAC授權能力
您需要登錄RAM管理控制臺,為指定RAM用戶或RAM角色授予相應的RAM權限,具體操作,請參見為RAM用戶或RAM角色授予RAM權限。RAM自定義策略內容示例如下所示。
{ "Statement": [ { "Effect": "Allow", "Action": [ "acc:DescribeCommodityStatus", "acc:CheckServiceRole", "acc:DescribeCloudProducts", "acc:DescribeRegions", "acc:DescribeZones", "acc:GetInstancePrice" ], "Resource": "*" }, { "Effect": "Allow", "Action": "bssapi:GetPayAsYouGoPrice", "Resource": "*" }, { "Action": [ "ram:Get*", "ram:List*", "cs:GetUserPermissions", "cs:GetSubUsers", "cs:GrantPermission" ], "Resource": "*", "Effect": "Allow" }, { "Action": [ "ram:AttachPolicyToUser", "ram:AttachPolicyToRole" ], "Effect": "Allow", "Resource": [ "acs:ram:*:*:policy/xxxx", # xxxx需要替換成您需要綁定的RAM策略名稱。如果您替換成*,表示授權對象擁有所有RAM策略的授權綁定能力。 "acs:*:*:*:user/*" ] }, { "Action": [ "vpc:ListEnhanhcedNatGatewayAvailableZones", "vpc:DescribeEipAddresses" ], "Effect": "Allow", "Resource": "*" } ], "Version": "1" }RBAC授權
需要為授權對象配置目標集群和對應命名空間的訪問權限為管理員或者自定義角色中的cluster-admin。
說明阿里云賬號(即主賬號)和集群創建者會默認綁定cluster-admin,擁有集群內所有Kubernetes資源對象的訪問權限。
當您對授權對象完成了上述RAM授權和RBAC授權后,即可擁有對其他RAM用戶或RAM角色在指定權限范圍內的RBAC授權管理能力。具體操作,請參見為RAM用戶或RAM角色授予RAM權限。
鑒權Action說明
權限名稱(Action) | 說明 |
acc:CheckServiceRole | 檢查賬號是否授權產品通過角色扮演,訪問其他云資源賬號的ServiceRole。 |
acc:DescribeCommodityStatus | 檢查賬號是否已開通ACS產品。 |
權限名稱(Action) | 說明 |
bssapi:GetPayAsYouGoPrice | 查詢后付費產品詢價服務。 |
ram:ListUserBasicInfos | 查詢所有RAM用戶的基本信息。 |
ram:ListRoles | 查詢所有RAM角色的基本信息。 |