Authorization best practices
The authorization system of Container Service for Kubernetes (ACK) consists of RAM authorization at the base-resource layer and RBAC authorization at the ACK cluster layer. Different user roles have different permission requirements at each of these two layers. This topic describes authorization best practices for three kinds of grantees: cluster and application O&M staff, application developers, and permission administrators.
ACK authorization system
- RAM authorization covers O&M operations on ACK clusters. It requires OpenAPI permissions for ACK and for the Alibaba Cloud services that ACK depends on, mainly for the following operations:
  - Clusters: create, view, upgrade, delete
  - Node pools: create, modify, scale in and out
  - Authorization management
  - Cluster monitoring, logs, and events
- RBAC authorization covers O&M operations on the Kubernetes applications that run in an ACK cluster. It requires permissions on the ACK cluster and its namespaces, mainly create, read, update, and delete operations on the following Kubernetes objects:
  - Workloads: Deployment, StatefulSet, DaemonSet, Job, CronJob, Pod, ReplicaSet, HPA, etc.
  - Networking: Service, Ingress, NetworkPolicy, etc.
  - Storage: PV, PVC, StorageClass, etc.
  - Namespace, ConfigMap, Secret, etc.
- If the grantee is O&M staff for the cluster and the applications in it, see Scenario 1: the grantee is O&M staff for the cluster and in-cluster applications.
- If the grantee is a developer of applications in the cluster, see Scenario 2: the grantee is a developer of in-cluster applications.
- If the grantee is a permission administrator for applications in the cluster, see Scenario 3: the grantee is a permission administrator for in-cluster applications.
Scenario 1: the grantee is O&M staff for the cluster and in-cluster applications
The grantee needs the permissions required to manage and operate the ACK cluster, and also needs to operate the application resource objects inside the cluster. The authorization process therefore includes both RAM authorization and RBAC authorization.
RAM authorization
On the RAM side, ACK provides two system policies: AliyunCSFullAccess and AliyunCSReadOnlyAccess.
AliyunCSFullAccess grants read and write access to all ACK OpenAPI operations.
AliyunCSReadOnlyAccess grants read-only access to all ACK OpenAPI operations.
Log on to the RAM console and attach one of these system policies as needed. For details, see Grant permissions to a RAM user and Grant permissions to a RAM role.
If you need fine-grained permission control, you can write a custom policy. For details, see Create a custom RAM policy.
The following is an example RAM policy for this scenario. For descriptions of the Actions used in the example, see Action descriptions.
{
  "Statement": [
    {
      "Action": [
        "cs:GetClusters",
        "cs:DescribeClustersV1",
        "cs:DescribeClusterNodes",
        "cs:DescribeClusterUserKubeconfig",
        "cs:DescribeClusterResources",
        "cs:DescribeUserQuota",
        "cs:DescribeClusterLogs",
        "cs:ModifyCluster",
        "cs:UpgradeCluster",
        "cs:GetUpgradeStatus",
        "cs:ResumeUpgradeCluster",
        "cs:PauseClusterUpgrade",
        "cs:CancelClusterUpgrade",
        "cs:InstallClusterAddons",
        "cs:UpgradeClusterAddons",
        "cs:DescribeClusterAddonsUpgradeStatus",
        "cs:DescribeAddons",
        "cs:RemoveClusterNodes",
        "cs:CreateClusterNodePool",
        "cs:DescribeClusterNodePools",
        "cs:DescribeClusterNodePoolDetail",
        "cs:ScaleClusterNodePool",
        "cs:ModifyClusterNodePool",
        "cs:DeleteClusterNodepool",
        "cs:UnInstallClusterAddons"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/<yourclusterID>"
      ]
    }
  ],
  "Version": "1"
}
For more information about the ACK OpenAPI, see [Product change] Announcement on the optimization of Container Service OpenAPI authentication and API overview.
RBAC authorization
After completing RAM authorization, you must also grant the RAM user or RAM role RBAC permissions on the corresponding cluster. ACK provides four preset roles at the cluster level.
Role: RBAC permissions in the cluster
- Administrator: read and write permissions on all resources in all namespaces.
- O&M staff: read and write permissions on the Kubernetes resources visible in the console in all namespaces, and read-only permissions on cluster nodes, volumes, namespaces, and quotas.
- Developer: read and write permissions on the Kubernetes resources visible in the console in all namespaces or in the selected namespaces.
- Restricted user: read-only permissions on the Kubernetes resources visible in the console in all namespaces or in the selected namespaces.
In this scenario, on the Authorizations page of the ACK console, set the grantee's access permission on the target cluster and namespace to O&M staff.
After the preset role is bound, ACK automatically creates a ClusterRoleBinding in the cluster for the grantee's identity. The RBAC permissions of the preset O&M staff role are as follows.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:ops
rules:
- apiGroups: [""]
  resources: ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["bindings", "events", "limitranges", "namespaces/status", "replicationcontrollers/status", "pods/log", "pods/status", "resourcequotas", "resourcequotas/status", "componentstatuses"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["namespaces", "nodes", "persistentvolumes"]
  verbs: ["get", "list", "watch", "patch"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["extensions"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
  verbs: ["update"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["alicloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["metrics.k8s.io"]
  resources: ["pods", "nodes"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["networking.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["config.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["rbac.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["istio.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["authentication.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["log.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["monitoring.kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["serving.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["messaging.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["sources.eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["tekton.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["alert.alibabacloud.com"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
If you need fine-grained RBAC control, you can create a custom ClusterRole as described in the RBAC documentation, then choose Custom on the Authorizations page of the ACK console and select the name of your ClusterRole from the drop-down list. For details, see Create a custom Kubernetes authorization policy.
Scenario 2: the grantee is a developer of in-cluster applications
The grantee only needs permissions to operate on Kubernetes resource objects in the ACK cluster (RBAC authorization) and does not need access to cloud resources.
Before RBAC authorization can be configured, the grantee must have at least read-only ACK permissions on the target cluster (RAM authorization).
RAM authorization
In the RAM console, create a custom policy and attach it to the target RAM user or RAM role. For details, see Create a custom RAM policy. The custom policy is as follows:
{
  "Statement": [
    {
      "Action": [
        "cs:Get*",
        "cs:List*",
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/c5cc77f5180a449a4a48cf8001831xxxx"
      ]
    }
  ],
  "Version": "1"
}
Replace c5cc77f5180a449a4a48cf8001831xxxx in the Resource element with the ID of your cluster.
Note: if you need to grant the grantee read-only permissions on all clusters, you can attach the ACK system policy AliyunCSReadOnlyAccess instead.
RBAC authorization
On the Authorizations page of the ACK console, set the grantee's (RAM user or RAM role) access permission on the target cluster and namespace to Developer.
After the preset role is bound, ACK automatically creates a ClusterRoleBinding in the cluster for the grantee's identity. The RBAC permissions of the preset Developer role are as follows.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:ns:dev
rules:
- apiGroups: [""]
  resources: ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: [""]
  resources: ["events", "replicationcontrollers/status", "pods/log", "pods/status"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["extensions"]
  resources: ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["servicecatalog.k8s.io"]
  resources: ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
  verbs: ["update"]
- apiGroups: ["alicloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["networking.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["config.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["rbac.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["istio.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["authentication.istio.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["log.alibabacloud.com"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["monitoring.kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["kiali.io"]
  resources: ["*"]
  verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["serving.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["messaging.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["sources.eventing.knative.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["tekton.dev"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
- apiGroups: ["alert.alibabacloud.com"]
  resources: ["*"]
  verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
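Before binding either preset role, it helps to see exactly which grants separate cs:ops from cs:ns:dev and which grants in the Developer role deserve review (both roles allow pods/exec and write access to Secrets). The following script is an added example, not ACK tooling; it embeds a constructed excerpt of the two ClusterRoles shown above and expands their rules into (apiGroup, resource, verb) triples.

```python
"""Added example (not ACK's own tooling): flatten ClusterRole rules into
(apiGroup, resource, verb) grants, diff two preset roles, and flag grants
that a developer-facing role should not carry without review."""
from itertools import product

# Constructed excerpt of the cs:ops and cs:ns:dev rules from this page;
# only the rules that differ or matter for the review check are included.
RW = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
RO = ["get", "list", "watch"]
OPS_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec", "pods/portforward"], "verbs": RW},
    {"apiGroups": [""], "resources": ["configmaps", "secrets", "services"], "verbs": RW},
    {"apiGroups": [""], "resources": ["namespaces", "nodes", "persistentvolumes"], "verbs": RO + ["patch"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": RO},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"], "verbs": RW},
]
DEV_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec", "pods/portforward"], "verbs": RW},
    {"apiGroups": [""], "resources": ["configmaps", "secrets", "services"], "verbs": RW},
    {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"], "verbs": RW},
]

# Grants worth a second look when handed to application developers.
SENSITIVE = {("", "secrets", "get"), ("", "secrets", "list"),
             ("", "pods/exec", "create"), ("", "pods/portforward", "create")}

def expand(rules):
    """Flatten a ClusterRole's rules into a set of (group, resource, verb).
    A literal "*" in resources or verbs is kept as-is, not expanded."""
    grants = set()
    for rule in rules:
        grants |= set(product(rule["apiGroups"], rule["resources"], rule["verbs"]))
    return grants

def only_in(a_rules, b_rules):
    """Grants present in role A but absent from role B, sorted for display."""
    return sorted(expand(a_rules) - expand(b_rules))

def sensitive_grants(rules):
    """Sensitive grants a role carries; an empty set means nothing to review."""
    return expand(rules) & SENSITIVE

if __name__ == "__main__":
    for grant in only_in(OPS_RULES, DEV_RULES):
        print("ops-only:", grant)
    print("dev grants to review:", sorted(sensitive_grants(DEV_RULES)))
```

Run against the full ClusterRoles (loaded with a YAML parser) the same functions show that the Developer role lacks only the node, namespace, PersistentVolume, StorageClass, lease and metrics rules; a custom ClusterRole is the page's mechanism for removing the sensitive grants as well.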
If you need fine-grained RBAC control, you can create a custom ClusterRole as described in the RBAC documentation, then choose Custom on the Authorizations page of the ACK console and select the name of your ClusterRole from the drop-down list. For details, see Create a custom Kubernetes authorization policy.
Scenario 3: the grantee is a permission administrator for in-cluster applications
The grantee needs to manage the RBAC permissions of other RAM users or RAM roles. By default, a RAM user or RAM role cannot grant RBAC permissions to other RAM users or RAM roles. If the grantee opens the Authorizations page of the ACK console and sees the message "The current RAM user does not have permission to manage authorizations. Contact the Alibaba Cloud account or a permission administrator", the grantee lacks the required RAM authorization or the cluster's RBAC administrator authorization.
RAM authorization
Make sure that the grantee has the required RAM permissions. The policy must cover:
- Listing other RAM users or RAM roles
- Attaching RAM policies to the specified RAM user or RAM role
- Viewing the Kubernetes RBAC permission configuration of the specified RAM user or RAM role
- Granting Kubernetes RBAC permissions
Log on to the RAM console and grant the specified RAM user or RAM role the corresponding RAM permissions. For details, see Create a custom RAM policy. An example custom RAM policy is as follows.
{
  "Statement": [
    {
      "Action": [
        "ram:Get*",
        "ram:List*",
        "cs:GetUserPermissions",
        "cs:GetSubUsers",
        "cs:GrantPermission"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:AttachPolicyToUser",
        "ram:AttachPolicyToRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:ram:*:*:policy/xxxx",
        "acs:*:*:*:user/*"
      ]
    }
  ],
  "Version": "1"
}
Replace xxxx with the name of the RAM policy that the grantee is allowed to attach. If you replace it with *, the grantee can attach every RAM policy.
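The three RAM policies on this page share two pitfalls: a placeholder (<yourclusterID>, ...xxxx) left unreplaced, and the policy/* widening just described, which lets the grantee attach any RAM policy. The following linter is an added example, not an Alibaba Cloud tool; it embeds constructed copies of the developer read-only policy and of the permission-admin policy with the name widened to *.

```python
"""Added example, not an Alibaba Cloud tool: lint a RAM policy document such
as the ones on this page before attaching it to a RAM user or RAM role."""
import json
import re

# Action prefixes the page treats as read-only (cs:Get*, cs:List*, cs:Describe*).
READ_PREFIXES = ("cs:Get", "cs:List", "cs:Describe", "ram:Get", "ram:List")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_ram_policy(policy_text, expect_read_only=False):
    """Return a list of finding strings; an empty list means the policy passed."""
    findings = []
    for i, st in enumerate(json.loads(policy_text)["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st["Action"]), _as_list(st["Resource"])
        # Placeholders copied from the docs (<yourclusterID>, ...xxxx) and not replaced.
        for r in resources:
            if "<" in r or "xxxx" in r:
                findings.append(f"statement {i}: unreplaced placeholder in {r}")
        # A developer policy should carry only Get/List/Describe style actions.
        if expect_read_only:
            writes = [a for a in actions if not a.startswith(READ_PREFIXES)]
            if writes:
                findings.append(f"statement {i}: non-read actions {writes}")
        # policy/* together with ram:AttachPolicyTo* lets the grantee bind any
        # RAM policy, the effect the doc describes for replacing xxxx with *.
        attaches = any(a.startswith("ram:AttachPolicyTo") for a in actions)
        if attaches and any(re.fullmatch(r"acs:ram:\*:\*:policy/\*", r) for r in resources):
            findings.append(f"statement {i}: may attach any RAM policy")
    return findings

# Constructed cluster ID in the developer read-only policy from this page.
DEV_POLICY = json.dumps({"Statement": [{"Action": ["cs:Get*", "cs:List*", "cs:Describe*"],
    "Effect": "Allow", "Resource": ["acs:cs:*:*:cluster/c0123456789abcdef0123456789abcdef"]}],
    "Version": "1"})
# Permission-admin attach statement with the policy name widened to "*".
ADMIN_POLICY = json.dumps({"Statement": [{"Action": ["ram:AttachPolicyToUser", "ram:AttachPolicyToRole"],
    "Effect": "Allow", "Resource": ["acs:ram:*:*:policy/*", "acs:*:*:*:user/*"]}], "Version": "1"})

if __name__ == "__main__":
    print(audit_ram_policy(DEV_POLICY, expect_read_only=True))  # []
    print(audit_ram_policy(ADMIN_POLICY))
```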
RBAC authorization
Set the grantee's access permission on the target cluster and namespace to Administrator, or to cluster-admin under custom roles.
Note: the Alibaba Cloud account (the root account) and the cluster creator are bound to cluster-admin by default and can access all Kubernetes resource objects in the cluster.
After you complete the RAM authorization and RBAC authorization described above, the grantee can manage the RBAC authorizations of other RAM users or RAM roles within the specified permission scope. For details, see Configure RBAC permissions for a RAM user or RAM role.