Container Service for Kubernetes:RBAC permissions required by the ack-cluster-agent component

Last Updated: Jan 21, 2025

External Kubernetes clusters registered to Container Service for Kubernetes (ACK) use the ACK Stub and ack-cluster-agent components to access cluster resources. The access to cluster resources relies on the permissions granted to the ServiceAccount used by ack-cluster-agent. When you install ack-cluster-agent, a ServiceAccount named ack is automatically created. You can grant role-based access control (RBAC) permissions in restricted mode or administrator mode to the ServiceAccount based on your requirements. This topic describes the RBAC permissions required by the ack-cluster-agent component in a registered cluster.

Prerequisites

The ack-cluster-agent component version 1.13.1.105-g8ee9abb-aliyun or later is installed. For more information, see Manage components.

RBAC permissions in restricted mode

By default, a registered cluster requires at least the RBAC permissions that let ack-cluster-agent read its own ConfigMaps. The following example shows how to grant these RBAC permissions:

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-create-cm-role
  namespace: kube-system
  labels:
    ack/creator: "ack"
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-update-cm-role
  namespace: kube-system
  labels:
    ack/creator: "ack"
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - ack-agent-config
  - provider
  verbs:
  - update
  - get

---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: ack-agent-read-cm-role
  namespace: kube-public
  labels:
    ack/creator: "ack"
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - kube-root-ca.crt
  verbs:
  - get

---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-create-cm-rolebinding
  namespace: kube-system
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-create-cm-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-update-cm-rolebinding
  namespace: kube-system
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-update-cm-role
  apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: ack-agent-read-cm-rolebinding
  namespace: kube-public
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: Role
  name: ack-agent-read-cm-role
  apiGroup: rbac.authorization.k8s.io
---

In restricted mode, some features in the console are unavailable. For example, you cannot view the workloads in a cluster. However, you can use onectl to install components and use corresponding services in the console, such as Managed Service for Prometheus and Simple Log Service.

When you use onectl to manage components, the cluster where the ack-cluster-agent component is deployed is granted temporary administrator permissions, and these permissions will be revoked when component management is completed or interrupted. For more information, see Use onectl to manage registered clusters.
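Before the restricted-mode manifest above is applied, it is worth checking that every RoleBinding resolves to a Role in its own namespace, that no Role is left unbound, and that the only subject is the ack ServiceAccount in kube-system (a RoleBinding in kube-public can legitimately bind a ServiceAccount from kube-system). The following Python check is an added example, not code from the ACK documentation or the ack-cluster-agent component; the objects are constructed dicts that mirror the manifest above, and check_bindings() is a hypothetical helper name.

```python
# Added example (not from the ACK documentation): pre-apply consistency check for
# the restricted-mode Role/RoleBinding manifest. Objects are constructed dicts.
ACK_SUBJECT = {"kind": "ServiceAccount", "name": "ack", "namespace": "kube-system"}

RESTRICTED_MODE = [
    {"kind": "Role", "ns": "kube-system", "name": "ack-agent-create-cm-role"},
    {"kind": "Role", "ns": "kube-system", "name": "ack-agent-update-cm-role"},
    {"kind": "Role", "ns": "kube-public", "name": "ack-agent-read-cm-role"},
    {"kind": "RoleBinding", "ns": "kube-system", "name": "ack-agent-create-cm-rolebinding",
     "roleRef": ("Role", "ack-agent-create-cm-role"), "subjects": [ACK_SUBJECT]},
    {"kind": "RoleBinding", "ns": "kube-system", "name": "ack-agent-update-cm-rolebinding",
     "roleRef": ("Role", "ack-agent-update-cm-role"), "subjects": [ACK_SUBJECT]},
    {"kind": "RoleBinding", "ns": "kube-public", "name": "ack-agent-read-cm-rolebinding",
     "roleRef": ("Role", "ack-agent-read-cm-role"), "subjects": [ACK_SUBJECT]},
]

def check_bindings(objects, expected_subject=ACK_SUBJECT):
    """Return problems: dangling roleRefs, Roles nothing binds to, unexpected subjects.
    A RoleBinding may only reference a Role in its own namespace (or a ClusterRole);
    its subjects may live in any namespace, as the kube-public binding shows."""
    roles = {(o["ns"], o["name"]) for o in objects if o["kind"] == "Role"}
    bound, problems = set(), []
    for b in (o for o in objects if o["kind"] == "RoleBinding"):
        kind, ref = b["roleRef"]
        if kind == "Role":
            if (b["ns"], ref) not in roles:
                problems.append(f"{b['ns']}/{b['name']}: roleRef Role {ref} not found in namespace")
            bound.add((b["ns"], ref))
        for s in b["subjects"]:
            if s != expected_subject:
                problems.append(f"{b['ns']}/{b['name']}: unexpected subject "
                                f"{s['kind']} {s.get('namespace')}/{s['name']}")
    for ns, name in sorted(roles - bound):
        problems.append(f"{ns}/{name}: Role is not referenced by any RoleBinding")
    return problems
```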

RBAC permissions in administrator mode

In administrator mode, the registered cluster is granted administrator permissions. The following example shows how to grant administrator permissions to the registered cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

In administrator mode, all features in the console are available.

RBAC permissions required for component management

When you install or update components, such as terway-eniip or logtail-ds, you must first expand the ClusterRole named ack-admin to administrator permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

After you install or update the components, restore the ClusterRole to the least-privilege rules shown below.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider"]
  verbs: ["get","list","watch","update"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["autoscaler-meta"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip","security-inspector","ack-cluster-agent","gatekeeper","ack-virtual-node","metrics-server","logtail-ds","resource-controller","aliyun-acr-credential-helper","migrate-controller","ack-kubernetes-cronhpa-controller","tiller-deploy"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]
- apiGroups: [""]
  resources: ["pods","secrets"]
  verbs: ["list"]

RBAC permissions required for creating node pools or elastic node pools

When you install Terway or create node pools, you must first expand the ClusterRole named ack-admin to administrator permissions.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]

After you install Terway or create the node pools, restore the ClusterRole to the least-privilege rules shown below.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-admin
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get","list","watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["ack-agent-config","provider","autoscaler-meta","eni-config"]
  verbs: ["get","list","watch","update"]
- apiGroups: ["*"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["terway-eniip", "cluster-autoscaler"]
  verbs: ["get", "list", "watch", "update"]

RBAC permissions required for querying logs after Simple Log Service is enabled

After Simple Log Service is enabled in the registered cluster, you need to grant the following RBAC permissions to query the relevant logs in the ACK console.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-agent-role-log
  labels:
    ack/creator: "ack"
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get","list","watch"]
- apiGroups: ["apps"]
  resources: ["daemonsets", "deployments"]
  resourceNames: ["alibaba-log-controller", "logtail-ds", "kube-proxy-master"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["configmaps"]
  resourceNames: ["alibaba-log-configuration"]
  verbs: ["get","list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-agent-binding-log
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-agent-role-log
  apiGroup: rbac.authorization.k8s.io

Read-only RBAC permissions

The read-only permissions allow the ACK console to view the Kubernetes resources of the registered cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-readonly-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  - namespaces
  - pods
  - pods/log
  - pods/exec
  - configmaps
  - endpoints
  - events
  - limitranges
  - persistentvolumeclaims
  - podtemplates
  - replicationcontrollers
  - resourcequotas
  - serviceaccounts
  - services
  verbs:
  - get
  - list
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - get
  - list
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - get
  - list
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - get
  - list
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - ingresses
  - networkpolicies
  - replicasets
  verbs:
  - get
  - list
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - get
  - list
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - get
  - list
- apiGroups:
  - storage.k8s.io
  resources:
  - csistoragecapacities
  verbs:
  - get
  - list

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ack-readonly-clusterrolebinding
  labels:
    ack/creator: "ack"
subjects:
- kind: ServiceAccount
  name: ack
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: ack-readonly-clusterrole
  apiGroup: rbac.authorization.k8s.io
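The grant-then-restore procedure in the component-management and node-pool sections, and the read-only ClusterRole above, can both be checked with a small rule audit before a ClusterRole is bound to the ack ServiceAccount: a wildcard rule means ack-admin was not restored, "list" on secrets returns secret contents, and "get" on pods/exec is not a read-only permission because the API server authorizes a websocket-upgrade GET on the exec subresource with the "get" verb. The following Python audit is an added example, not code from the ACK documentation or the ack-cluster-agent component; the rule sets are constructed copies of rules shown on this page, and grants() and audit() are hypothetical helper names.

```python
# Added audit helper (not from the ACK documentation or ack-cluster-agent). The rule
# sets are constructed copies of rules shown on this page, so this runs offline.
READ_VERBS = {"get", "list", "watch"}
# "get" on these subresources starts a session (websocket-upgrade GET), not a read.
SESSION_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
ACK_ADMIN_WILDCARD = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
ACK_ADMIN_RESTORED = [  # least-privilege rules after component management
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps"],
     "resourceNames": ["ack-agent-config", "provider"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": ["*"], "resources": ["daemonsets", "deployments"],
     "resourceNames": ["cluster-autoscaler"],
     "verbs": ["get", "list", "watch", "update"]},
    {"apiGroups": [""], "resources": ["pods", "secrets"], "verbs": ["list"]},
]
ACK_READONLY_EXCERPT = [  # first rule of ack-readonly-clusterrole, shortened
    {"apiGroups": [""], "resources": ["pods", "pods/log", "pods/exec"],
     "verbs": ["get", "list"]},
]

def grants(rules, group, resource, verb, name=None):
    """True if some rule allows verb on group/resource. name is the object name;
    None means "any object", so a rule scoped by resourceNames does not match."""
    for r in rules:
        if not {"*", group} & set(r["apiGroups"]):
            continue
        if not {"*", resource} & set(r["resources"]):
            continue
        if not {"*", verb} & set(r["verbs"]):
            continue
        names = r.get("resourceNames")
        if names and name not in names:
            continue
        return True
    return False

def audit(rules):
    """Findings to resolve before binding these rules to the ack ServiceAccount."""
    findings = []
    for r in rules:
        if "*" in r["apiGroups"] and "*" in r["resources"] and "*" in r["verbs"]:
            findings.append("wildcard rule: cluster-admin equivalent, restore least privilege")
        for res in set(r["resources"]) & SESSION_SUBRESOURCES:
            if READ_VERBS & set(r["verbs"]):
                findings.append(f"{res}: 'get' opens interactive sessions, not read-only")
        if "secrets" in r["resources"] and {"get", "list", "watch", "*"} & set(r["verbs"]):
            findings.append("secrets: get/list return secret contents cluster-wide")
    return findings
```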