A registered cluster accesses cluster resources through the Stub component and the ack-cluster-agent access link, so every operation permission converges on the ServiceAccount used by the ack-cluster-agent component. When the ack-cluster-agent component is installed, a ServiceAccount named ack is deployed by default, and two permission modes are available: restricted mode and administrator mode. You can modify the RBAC authorization rules according to your requirements. This topic describes the RBAC permissions of the ack-cluster-agent component in a registered cluster.
Prerequisites
Make sure that the ack-cluster-agent component is v1.13.1.69-g00e1991-aliyun or later. For how to upgrade the component, see Manage components.
RBAC permissions in restricted mode
In restricted mode, the minimum authorization that a registered cluster requires by default is read and update access to the agent's own ConfigMaps (ack-agent-config and provider). The authorization rule is as follows.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-configmap
  labels:
    ack/creator: "ack"
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - ack-agent-config
  - provider
  verbs:
  - get
  - watch
  - update
  - list
In restricted mode, console features are limited; for example, you cannot view the workloads in the cluster. You can still install components with onectl and use them in the console, for example, Prometheus monitoring and Log Service.
When you manage components with onectl, onectl temporarily grants the agent administrator permissions on the cluster and revokes them after the component management operation completes or is interrupted. For more information, see Use onectl to manage registered clusters.
RBAC permissions in administrator mode
In administrator mode, the registered cluster has administrator permissions on the cluster. The authorization rule is as follows.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
In administrator mode, all console features are available. A ClusterRole that grants every verb on every resource in every API group is equivalent to cluster-admin: whoever holds the token of the ack ServiceAccount, including the remote side of the Stub access link, can read every Secret in the cluster and change RBAC bindings. Enable this mode only for as long as it is needed and restore the restricted rules afterwards.
RBAC permissions required for component management
When you install or update a component, such as terway-eniip or logtail-ds, you need to temporarily set the ClusterRole named ack-admin to admin permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
After the component is installed or upgraded, you can restore the permissions to the following minimum permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider"]
  verbs: ["get","list","watch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["autoscaler-meta"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["pods","secrets"]
  verbs: ["list"]
Two points about this "minimum" role deserve attention. The last rule grants list on Secrets in all namespaces without a resourceNames restriction, and a list response contains the full Secret objects including their data, so the agent can still read every Secret in the cluster. Conversely, resourceNames only matches requests that carry an object name: a plain list or watch of a whole collection has no name, so the rules that name specific ConfigMaps, Deployments and DaemonSets do not allow listing those collections even though list and watch appear among their verbs.
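To check what each of these rule sets actually grants before applying it, the following added example (not code from the ACK documentation or from the ack-cluster-agent project) evaluates constructed requests against the rules on this page using the matching semantics of the Kubernetes RBAC authorizer: a request is allowed when any rule matches its verb, API group, resource and, for rules that list resourceNames, the requested object name. It goes beyond the page by comparing the restricted, administrator and minimum rule sets side by side; the `Request`, `allowed` and `compare_modes` names are this example's own, and the sample requests are constructed.

```python
# Added example: an offline evaluator that applies the matching rules of the
# Kubernetes RBAC authorizer to the ClusterRoles on this page. It is not code
# from the ACK documentation or from the ack-cluster-agent project. The rule
# sets are transcribed from the page; the requests below are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    verb: str
    api_group: str      # "" is the core API group
    resource: str       # "pods", "deployments", or "pods/log" for a subresource
    name: str = ""      # empty for collection requests such as list and watch


def _matches(allowed_values, wanted):
    return "*" in allowed_values or wanted in allowed_values


def rule_allows(rule, req):
    """One PolicyRule allows a request only if verb, group, resource and
    (when the rule lists resourceNames) the object name all match."""
    if not _matches(rule.get("verbs", []), req.verb):
        return False
    if not _matches(rule.get("apiGroups", []), req.api_group):
        return False
    if not _matches(rule.get("resources", []), req.resource):
        return False
    names = rule.get("resourceNames", [])
    if not names:
        return True
    # The authorizer compares the request's object name with resourceNames.
    # A plain list or watch of a whole collection carries no name, so a rule
    # that names objects never allows it, even when list/watch are its verbs.
    return req.name in names


def allowed(rules, req):
    return any(rule_allows(rule, req) for rule in rules)


# Transcribed from the page: restricted mode (ack-agent-role-configmap).
RESTRICTED = [
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["ack-agent-config", "provider"],
     "verbs": ["get", "watch", "update", "list"]},
]

# Transcribed from the page: administrator mode (ack-admin, all wildcards).
ADMIN = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]

# Transcribed from the page: minimum rules restored after component management.
MINIMAL_COMPONENT = [
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["ack-agent-config", "provider"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["autoscaler-meta"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": ["*"], "resources": ["daemonsets", "deployments"],
     "resourceNames": ["terway-eniip", "security-inspector", "ack-cluster-agent",
                       "gatekeeper", "ack-virtual-node", "metrics-server",
                       "logtail-ds", "resource-controller",
                       "aliyun-acr-credential-helper", "migrate-controller",
                       "ack-kubernetes-cronhpa-controller", "tiller-deploy"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["*"], "resources": ["daemonsets", "deployments"],
     "resourceNames": ["cluster-autoscaler"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["list"]},
]

MODES = {"restricted": RESTRICTED, "admin": ADMIN, "minimal": MINIMAL_COMPONENT}

# Constructed sample requests, each a question a reviewer of these roles asks.
SAMPLE_REQUESTS = {
    "get configmap ack-agent-config": Request("get", "", "configmaps", "ack-agent-config"),
    "get configmap kube-root-ca.crt": Request("get", "", "configmaps", "kube-root-ca.crt"),
    "list configmaps (no name)": Request("list", "", "configmaps"),
    "list secrets (no name)": Request("list", "", "secrets"),
    "get secret by name": Request("get", "", "secrets", "some-secret"),
    "update deployment cluster-autoscaler": Request("update", "apps", "deployments", "cluster-autoscaler"),
    "update deployment terway-eniip": Request("update", "apps", "deployments", "terway-eniip"),
    "create clusterrolebinding": Request("create", "rbac.authorization.k8s.io", "clusterrolebindings"),
}


def compare_modes(req):
    """Return {mode: allowed} for one request across the three rule sets."""
    return {mode: allowed(rules, req) for mode, rules in MODES.items()}


def report():
    """Build the full decision table used by main() and by the tests."""
    return {label: compare_modes(req) for label, req in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for label, decisions in report().items():
        cells = "  ".join(f"{m}={'allow' if ok else 'deny'}" for m, ok in decisions.items())
        print(f"{label:38} {cells}")
```

Run it as a script to print the decision table. Two results are worth comparing with your expectations: a plain list of Secrets is allowed by the minimum rule set, while a list of ConfigMaps without a name is denied by every rule that carries resourceNames, even though list is among its verbs. The evaluator ignores subresource wildcards such as */status and non-resource URLs, which the ClusterRoles on this page do not use.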
僅啟用節(jié)點池或彈性節(jié)點池功能所需的RBAC權限
安裝Terway組件或創(chuàng)建節(jié)點池時,您需要臨時將名為ack-admin的ClusterRole權限設置為admin權限。
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
After the node pool is configured, you can restore the permissions to the following minimum permissions.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip", "cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
RBAC permissions required to query logs after Log Service is enabled
After Log Service is enabled for the registered cluster, if you need to query the related logs in the ACK console, you need to configure the following permissions. The ClusterRoleBinding grants them to the ack ServiceAccount in kube-system that the agent runs as.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-log
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get","list","watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["alibaba-log-controller", "logtail-ds", "kube-proxy-master"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["alibaba-log-configuration"]
  verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-agent-binding-log
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-agent-role-log
  apiGroup: rbac.authorization.k8s.io