This page was automatically converted from the Simplified Chinese version. Alibaba Cloud does not guarantee the accuracy, completeness or timeliness of the automatic conversion; the Simplified Chinese version prevails.

Best practices for authorization

Updated: 2025-03-25 19:29

The authorization system of Container Service for Kubernetes (ACK) consists of RAM authorization at the cloud resource layer and RBAC authorization at the cluster layer; each kind of user has different permission requirements at both layers. This topic describes authorization best practices for the following kinds of grantees: read-only administrators of a cluster, application O&M engineers, application developers and permission administrators.

Authorization system

The ACK authorization system consists of RAM authorization at the cloud resource layer and RBAC authorization at the cluster layer, as shown in the following figure.

  • RAM authorization: authorization based on RAM system policies or custom policies. It works at the cloud resource level. Through RAM authorization you obtain permissions to call the OpenAPI operations of ACK and of the Alibaba Cloud services it depends on, which lets you perform the following O&M operations on clusters:

    • Clusters: create, view, upgrade, delete

    • Node pools: create, modify, scale out and scale in

    • Authorization management

    • Cluster monitoring, logs and events

  • RBAC authorization: authorization based on Kubernetes RBAC. It works at the level of resources inside a cluster. Through RBAC authorization, different users are given permissions to operate different Kubernetes resources, mainly create, read, update and delete operations on the following Kubernetes objects:

    • Workloads: Deployment, StatefulSet, DaemonSet, Job, CronJob, Pod, ReplicaSet, etc.

    • Networking: Service, Ingress, NetworkPolicy, etc.

    • Storage: PV, PVC, StorageClass, etc.

    • Namespace, ConfigMap, Secret, etc.

Scenario 1: the grantee is a read-only administrator who only views cluster resources

The grantee needs only the permissions required to read Kubernetes resources in all namespaces.

Grant the read-only administrator permission to a RAM user or RAM role

  • Grant permissions in the console

    To grant permissions in the console, see Use RBAC to grant permissions to operate resources in a cluster.

  • Alibaba Cloud CLI example

    Use the role_name request parameter of the GrantPermissions OpenAPI operation to grant the read-only administrator permission (admin-view) to a RAM user or RAM role, and use DescribeUserPermission to query the permissions currently held by a RAM user or RAM role. In the following command, replace the placeholder after /permissions/users/ with the ID of the RAM user and the cluster placeholder with your cluster ID.

    aliyun cs POST /permissions/users/234xxxxxxxx --header "Content-Type=application/json;" --body "[{\"cluster\":\"c24xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\",\"is_custom\":false,\"role_name\":\"admin-view\",\"role_type\":\"cluster\"}]"
  • Terraform example

    resource "alicloud_cs_kubernetes_permissions" "default" {
      uid = alicloud_ram_user.user.id
      permissions {
        cluster     = alicloud_cs_managed_kubernetes.default.id
        role_type   = "cluster"
        role_name   = "admin-view"
        namespace   = ""
        is_custom   = false
        is_ram_role = false
      }
    }
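
The CLI and Terraform samples above both submit the same permission entry (cluster, role_type, role_name, namespace, is_custom, is_ram_role). The following Python script is an added example, not Alibaba Cloud's own code: it builds that entry with a few least-privilege guards before serializing it into the --body argument of the aliyun CLI call shown above. It rejects the cluster-ID placeholder, refuses cluster-admin unless explicitly allowed, and keeps namespace-scoped and cluster-wide roles consistent with their role_type. The role_name values admin, ops, dev and restricted and the role_type value namespace are assumptions about the API; only admin-view with role_type cluster appears on this page.

```python
"""Build and check a GrantPermissions request body (added example, not Alibaba Cloud code)."""
import json

# Assumed role_name values; only "admin-view" with role_type "cluster" appears on the page.
CLUSTER_WIDE_ROLES = {"admin", "admin-view", "ops"}
NAMESPACE_ROLES = {"dev", "restricted"}   # the page: "all namespaces or selected namespaces"


def permission(cluster_id, role_name, namespace="", is_custom=False, is_ram_role=False,
               all_namespaces=False, allow_cluster_admin=False):
    """Return one permission entry, or raise ValueError for an over-broad or inconsistent grant."""
    # Guard against copying the page's sample body with its placeholder cluster ID.
    if not cluster_id or "xxxx" in cluster_id:
        raise ValueError("cluster_id must be a real cluster ID, not a placeholder")
    if role_name == "cluster-admin" and not allow_cluster_admin:
        # cluster-admin is equivalent to the Alibaba Cloud account inside the cluster.
        raise ValueError("cluster-admin must be granted explicitly with allow_cluster_admin=True")
    if is_custom:
        # A custom ClusterRole is bound cluster-wide unless a namespace is given.
        role_type = "namespace" if namespace else "cluster"   # "namespace" is an assumed API value
    elif role_name in NAMESPACE_ROLES:
        if not namespace and not all_namespaces:
            raise ValueError(f"{role_name}: give a namespace, or set all_namespaces=True deliberately")
        role_type = "namespace" if namespace else "cluster"
    elif role_name in CLUSTER_WIDE_ROLES:
        if namespace:
            raise ValueError(f"{role_name} is cluster-wide; namespace must be empty")
        role_type = "cluster"
    else:
        raise ValueError(f"unknown preset role {role_name!r}; set is_custom=True for a custom ClusterRole")
    return {"cluster": cluster_id, "role_type": role_type, "role_name": role_name,
            "namespace": namespace, "is_custom": is_custom, "is_ram_role": is_ram_role}


def is_rejected(*args, **kwargs):
    """True if permission() refuses the combination."""
    try:
        permission(*args, **kwargs)
    except ValueError:
        return True
    return False


def grant_body(entries):
    """Serialize the entries as the JSON array passed to --body."""
    return json.dumps(entries, separators=(",", ":"))


def cli_command(uid, entries):
    """Compose the aliyun CLI call from this page, with the body's quotes escaped for the shell."""
    body = grant_body(entries).replace('"', '\\"')
    return (f"aliyun cs POST /permissions/users/{uid} "
            f'--header "Content-Type=application/json;" --body "{body}"')


if __name__ == "__main__":
    entry = permission("c0000000000000000000000000000001", "admin-view")   # constructed cluster ID
    print(cli_command("234000000000000", [entry]))                            # constructed RAM user ID
```

The guards encode the page's own advice rather than API validation: the API will accept cluster-admin without a second flag, so the point of the wrapper is that an automation pipeline cannot hand out cluster-admin or a cluster-wide developer role by accident.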

Scenario 2: the grantee is an O&M engineer for the cluster and the applications in it

The grantee needs to manage and operate the ACK cluster and the application resources in it, so both RAM and RBAC authorization are required.

  1. RAM authorization

    On the RAM side, ACK provides two system policies: AliyunCSFullAccess and AliyunCSReadOnlyAccess.

    • AliyunCSFullAccess grants read and write access to all ACK OpenAPI operations.

    • AliyunCSReadOnlyAccess grants read-only access to all ACK OpenAPI operations.

    Log on to the Resource Access Management (RAM) console and attach one of the two system policies as needed. For details, see Grant permissions to a RAM user and Grant permissions to a RAM role.

    If you need fine-grained permission control, you can write a custom policy. For details, see Use RAM to grant permissions to access clusters and cloud resources.

    The following is a sample RAM policy for this scenario. Replace xxxxx in the Resource element with your cluster ID. For a description of the actions in the sample, see Action description.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "cs:GetClusters",
            "cs:ModifyCluster",
            "cs:UpgradeCluster",
            "cs:DescribeClusterDetail",
            "cs:DescribeClusterVuls",
            "cs:DescribeClusterSecuritySummary",
            "cs:DescribeClusterUserKubeconfig",
            "cs:RevokeK8sClusterKubeConfig",
            "cs:CheckControlPlaneLogEnable",
            "cs:DescribeClusterResources",
            "cs:DescribeClusterEvents",
            "cs:DescribeClusterLogs",
            "cs:GetClusterAuditProject",
            "cs:ListClusterChecks",
            "cs:GetClusterCheck",
            "cs:RunClusterCheck",
            "cs:ModifyClusterAudit",
            "cs:DescribeResourcesDeleteProtection", 
            "cs:UpdateResourcesDeleteProtection",
            "cs:DescribeClusterNodePools",
            "cs:DescribeClusterNodePoolDetail",
            "cs:CreateClusterNodePool",
            "cs:ModifyClusterNodePool",
            "cs:UpgradeClusterNodepool",
            "cs:DeleteClusterNodepool",
            "cs:CreateAutoscalingConfig",
            "cs:SyncClusterNodePool",
            "cs:RepairClusterNodePool",
            "cs:AttachInstancesToNodePool",
            "cs:ModifyNodePoolNodeConfig",
            "cs:DescribeClusterNodes",
            "cs:RemoveClusterNodes",
            "cs:RemoveNodePoolNodes",
            "cs:DiagnoseClustersNode",
            "cs:DescribeNodePoolVuls",
            "cs:FixNodePoolVuls",
            "cs:DrainNodes",
            "cs:DescribeClusterAddonMetadata",
            "cs:DescribeClusterAddonsVersion",
            "cs:InstallClusterAddons",
            "cs:UpgradeClusterAddons",
            "cs:ModifyClusterAddon",
            "cs:UnInstallClusterAddons",
            "cs:DescribeClusterAddonInstance",
            "cs:DescribeClusterAddonsUpgradeStatus",
            "cs:DescribeClusterAddonUpgradeStatus",
            "cs:ListClusterComponent",
            "cs:GetClusterComponent",
            "cs:DescribePolicyInstances",
            "cs:DeployPolicyInstance",
            "cs:ModifyPolicyInstance",
            "cs:DeletePolicyInstance",
            "cs:DescribePolicyGovernanceInCluster",
            "cs:DescribePolicyInstancesStatus",
            "cs:UpdateContactGroupForAlert",
            "cs:StartAlert",
            "cs:StopAlert",
            "cs:ListAlertRules",
            "cs:GetAlertHistory",
            "cs:DescribeClusterTasks",
            "cs:GetClusterBasicInfo",
            "cs:ListClusterReportSummary",
            "cs:GetClusterReportSummary",
            "cs:ListReportTaskRule",
            "cs:CreateTrigger",
            "cs:DescribeKubernetesClusterHookTrigger",
            "cs:CreateDiagnose",
            "cs:CreateClusterOverviewReport",
            "cs:GetAIDiagnosisResult",
            "cs:CreateReportTaskRule",
            "cs:CreateClusterReport",
            "cs:GetClusterCheckResult",
            "cs:GetClusterServices",
            "cs:UpdateControlPlaneLog",
            "cs:UpdateClusterName"
          ],
          "Resource": "acs:cs:*:*:cluster/xxxxx"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cs:DescribeSubAccountHelmPermission",
            "cs:CheckServiceRole",
            "cs:DeleteTriggerHook",
            "cs:QueryAlertContact",
            "cs:QueryAlertContactGroup",
            "cs:AddOrUpdateAlertContact",
            "cs:AddOrUpdateAlertContactGroup",
            "cs:DeleteAlertContact",
            "cs:DeleteAlertContactGroup",
            "cs:DescribeKubernetesVersionMetadata",
            "cs:ListOperationPlans",
            "cs:DescribeClusterEndpoints",
            "cs:DescribeTaskInfo",
            "cs:DescribeEvents",
            "cs:DescribeUserQuota",
            "cs:DescribeTasks",
            "cs:PauseTask",
            "cs:CancelTask",
            "cs:DescribeAddons",
            "cs:DeleteReportTaskRule",
            "cs:CreateSessionMessage",
            "cs:DescribePolicies",
            "cs:DescribePolicyDetails"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "vpc:DescribeVSwitches",
            "vpc:DescribeVpcs",
            "vpc:DescribeEipAddresses"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "kms:ListKeys",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "arms:ListDashboards",
            "arms:InstallAddon"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cloudshell:CreateEnvironment",
            "cloudshell:AttachStorage",
            "cloudshell:DetachStorage",
            "cloudshell:CreateSession"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ess:DescribeScalingActivities",
            "ess:DescribeScalingActivityDetail",
            "ess:DescribeLifecycleActions"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "oos:ListExecutions",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "ecs:DescribeKeyPairs",
            "ecs:DescribeInstances",
            "ecs:DescribeSecurityGroups",
            "ecs:DescribeImages",
            "ecs:DescribePrice"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "cr:ListInstance",
            "cr:ListInstanceDomain",
            "cr:ListRepository",
            "cr:ListArtifactTag"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "ram:GetRole",
          "Resource": "acs:ram:*:*:role/aliyuncisdefaultrole"
        },
        {
          "Effect": "Allow",
          "Action": [
            "log:GetDashboard",
            "log:GetSavedSearch",
            "log:GetLogStore",
            "log:GetIndex",
            "log:UpdateIndex",
            "log:GetLogStoreLogs",
            "log:CreateDashboardSharing",
            "log:ListProject",
            "log:GetProjectLogs",
            "log:GetResourceRecord",
            "log:CreateResourceRecord",
            "log:UpdateResourceRecord"
          ],
          "Resource": "*"
        }
      ]
    }

    For more information about the ACK OpenAPI, see [Product change] Notice on the optimization of Container Service OpenAPI authentication and API overview.

  2. RBAC authorization

    After RAM authorization is complete, you also need to grant the RAM user or RAM role RBAC permissions on the corresponding cluster. ACK provides five preset roles at the cluster level. The RBAC permissions each role grants in the cluster are:

    • Administrator: RBAC read and write permissions on Kubernetes resources in all namespaces, plus read and write permissions on cluster nodes, volumes, namespaces and quotas.

    • Read-only administrator: RBAC read-only permissions on Kubernetes resources in all namespaces.

    • O&M engineer: read and write permissions on the Kubernetes resources visible in the console in all namespaces, and read-only permissions on cluster nodes, volumes, namespaces and quotas.

    • Developer: RBAC read and write permissions on the Kubernetes resources visible in the console in all namespaces or in the selected namespaces.

    • Restricted user: RBAC read-only permissions on the Kubernetes resources visible in the console in all namespaces or in the selected namespaces.

    • Custom: the permissions are determined by the ClusterRole you select. Confirm what the selected ClusterRole allows on each kind of resource before granting it, so that the RAM user or RAM role does not receive unintended permissions. For custom authorization, see Use custom RBAC to restrict resource operations in a cluster.

    Important

    Once a RAM user or RAM role is granted cluster-admin, it is effectively a super account inside that cluster with the same permissions as the Alibaba Cloud account, able to perform any operation on every resource in the cluster. Grant it with caution.

    1. Log on to the ACK console and choose Authorizations in the left-side navigation pane.

    2. On the Authorizations page, select the RAM Users or RAM Roles tab according to the grantee, then click Manage Permissions in the Actions column of the target grantee.

    3. In the page that appears, click + Add Permissions, set the permission for the target cluster and the corresponding namespace to O&M Engineer, and click Submit to complete the configuration.

      (Screenshot: RBAC permission configuration)

    After a preset role is bound, ACK automatically creates a ClusterRoleBinding in the cluster for the identity of the grantee. The RBAC permissions of the preset O&M engineer role are as follows.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cs:ops
    rules:
    - apiGroups: [""]
      resources:  ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["bindings", "events", "limitranges", "namespaces/status", "replicationcontrollers/status", "pods/log", "pods/status", "resourcequotas", "resourcequotas/status", "componentstatuses"]
      verbs: ["get", "list", "watch"]
    - apiGroups: [""]
      resources:  ["namespaces", "nodes", "persistentvolumes"]
      verbs: ["get", "list", "watch", "patch"]
    - apiGroups: ["coordination.k8s.io"]
      resources:  ["leases"]
      verbs: ["get"]
    - apiGroups: ["apps"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["autoscaling"]
      resources:  ["horizontalpodautoscalers"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["batch"]
      resources:  ["cronjobs", "jobs"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["extensions"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale","ingresses","replicasets", "replicasets/scale", "replicationcontrollers/scale"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.k8s.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
      verbs: ["update"]
    - apiGroups: ["storage.k8s.io"]
      resources:  ["storageclasses"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["alicloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["policy"]
      resources:  ["poddisruptionbudgets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["metrics.k8s.io"]
      resources: ["pods", "nodes"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["networking.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["config.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["rbac.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["istio.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["authentication.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["log.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["monitoring.kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["apiextensions.k8s.io"]
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["serving.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["messaging.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["sources.eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["tekton.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["alert.alibabacloud.com"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]

    If you need fine-grained RBAC control, you can create a custom ClusterRole as described in RBAC, then choose Custom on the Authorizations page of the ACK console and select the name of the custom ClusterRole from the drop-down list. For details, see Use custom RBAC to restrict resource operations in a cluster.

Scenario 3: the grantee is a developer of applications in the cluster

The grantee only needs permissions to operate Kubernetes resource objects in the ACK cluster (RBAC authorization) and read-only Container Service permission on the target cluster (RAM authorization); no access to other cloud resources is needed.

Important

Before RBAC authorization, the grantee must at least have read-only Container Service permission on the target cluster (RAM authorization).

  1. RAM authorization

    In the RAM console, create a custom policy and attach it to the target RAM user or RAM role. For details, see Use RAM to grant permissions to access clusters and cloud resources. The custom policy is as follows; replace xxxxx in the Resource element with your actual cluster ID.

    {
      "Statement": [
        {
          "Action": [
            "cs:GetClusters",
            "cs:DescribeClusterDetail",
            "cs:GetClusterAuditProject",
            "cs:DescribeResourcesDeleteProtection"
          ],
          "Resource": "acs:cs:*:*:cluster/xxxxx",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }
    
    Note

    If the grantee needs read-only permissions on all clusters, you can instead attach the AliyunCSReadOnlyAccess RAM system policy provided by ACK.

  2. RBAC authorization

    1. Log on to the ACK console and choose Authorizations in the left-side navigation pane.

    2. On the Authorizations page, select the RAM Users or RAM Roles tab according to the grantee, then click Manage Permissions in the Actions column of the target grantee.

    3. In the page that appears, click + Add Permissions, set the permission for the target cluster and the corresponding namespace to Developer, and click Submit to complete the configuration.

      (Screenshot: developer permission configuration)

    After a preset role is bound, ACK automatically creates a ClusterRoleBinding in the cluster for the identity of the grantee. The RBAC permissions of the preset developer role are as follows.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cs:ns:dev
    rules:
    - apiGroups: [""]
      resources:  ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["events", "replicationcontrollers/status", "pods/log", "pods/status"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["apps"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["autoscaling"]
      resources:  ["horizontalpodautoscalers"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["batch"]
      resources:  ["cronjobs", "jobs"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["extensions"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale","ingresses","replicasets", "replicasets/scale", "replicationcontrollers/scale"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.k8s.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
      verbs: ["update"]
    - apiGroups: ["alicloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["policy"]
      resources:  ["poddisruptionbudgets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["config.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["rbac.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["istio.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["authentication.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["log.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["monitoring.kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["apiextensions.k8s.io"]
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["serving.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["messaging.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["sources.eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["tekton.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["alert.alibabacloud.com"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]

    If you need fine-grained RBAC control, you can create a custom ClusterRole as described in RBAC, then choose Custom on the Authorizations page of the ACK console and select the name of the custom ClusterRole from the drop-down list. For details, see Use custom RBAC to restrict resource operations in a cluster.

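The two preset ClusterRoles above (cs:ops in scenario 2 and cs:ns:dev in scenario 3) are long, and the practical question for a reviewer is what a subject bound to them can actually do. The following Python script is an added example, not ACK code: it evaluates (apiGroup, resource, verb) requests against a rule list using the Kubernetes RBAC matching semantics (the wildcard * in apiGroups, resources and verbs, and resource/subresource matching including the */subresource form) and reports, for a handful of sensitive operations, where the two roles differ. The rule lists are constructed subsets of the roles shown on this page. Whether a role applies cluster-wide or to a selected namespace is decided by the ClusterRoleBinding or RoleBinding, not by the rules, so the script only answers what the role permits where it is bound.

```python
"""Evaluate Kubernetes RBAC rules from the preset ClusterRoles on this page (added example, not ACK code)."""

RW = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
RO = ["get", "list", "watch"]

# Constructed subset of the cs:ops ClusterRole rules shown on the page.
OPS_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"], "verbs": RW},
    {"apiGroups": [""], "resources": ["configmaps", "secrets", "serviceaccounts", "services"], "verbs": RW},
    {"apiGroups": [""], "resources": ["pods/log", "pods/status", "events"], "verbs": RO},
    {"apiGroups": [""], "resources": ["namespaces", "nodes", "persistentvolumes"], "verbs": ["get", "list", "watch", "patch"]},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments", "statefulsets"], "verbs": RW},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": RO},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": RW},
    {"apiGroups": ["networking.k8s.io"], "resources": ["*"], "verbs": RW},
]

# Constructed subset of the cs:ns:dev ClusterRole rules shown on the page (no nodes/namespaces/PV rule).
DEV_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"], "verbs": RW},
    {"apiGroups": [""], "resources": ["configmaps", "secrets", "serviceaccounts", "services"], "verbs": RW},
    {"apiGroups": [""], "resources": ["pods/log", "pods/status", "events"], "verbs": RO},
    {"apiGroups": ["apps"], "resources": ["daemonsets", "deployments", "statefulsets"], "verbs": RW},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": RW},
    {"apiGroups": ["networking.k8s.io"], "resources": ["*"], "verbs": RW},
]


def _resource_matches(rule_resources, requested):
    """Kubernetes semantics: "*" matches all; "pods/exec" matches "pods/exec" or "*/exec"."""
    if "*" in rule_resources or requested in rule_resources:
        return True
    if "/" in requested:
        _, sub = requested.split("/", 1)
        return f"*/{sub}" in rule_resources
    return False


def rule_allows(rule, api_group, resource, verb):
    return (("*" in rule["verbs"] or verb in rule["verbs"])
            and ("*" in rule["apiGroups"] or api_group in rule["apiGroups"])
            and _resource_matches(rule["resources"], resource))


def can(rules, api_group, resource, verb):
    """RBAC is purely additive: any matching rule grants the request; there are no deny rules."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


# Operations a reviewer typically wants to see called out explicitly ("" is the core API group).
SENSITIVE = [
    ("", "pods/exec", "create"),
    ("", "secrets", "list"),
    ("", "nodes", "patch"),
    ("apiextensions.k8s.io", "customresourcedefinitions", "delete"),
    ("storage.k8s.io", "storageclasses", "delete"),
]


def privilege_report(rules):
    return {f"{g or 'core'}/{r}:{v}": can(rules, g, r, v) for g, r, v in SENSITIVE}


def compare(rules_a, rules_b):
    """Return only the sensitive checks on which the two roles differ, as (a, b) pairs."""
    a, b = privilege_report(rules_a), privilege_report(rules_b)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


if __name__ == "__main__":
    for name, rules in (("cs:ops", OPS_RULES), ("cs:ns:dev", DEV_RULES)):
        print(name, privilege_report(rules))
    print("differences (ops, dev):", compare(OPS_RULES, DEV_RULES))
```

Running it shows that on this subset both roles can create pods/exec, list secrets and delete CustomResourceDefinitions, and that the only difference among the checked operations is patch on nodes, which cs:ops has and cs:ns:dev does not. The same evaluator can be pointed at a custom ClusterRole before selecting it under Custom, which is the check the page asks for.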
Scenario 4: the grantee is a permission administrator for applications in the cluster

The grantee needs to manage the RBAC permissions of other RAM users or RAM roles. By default, a RAM user or RAM role cannot grant RBAC permissions to other RAM users or RAM roles. If the grantee opens the Authorizations page of the ACK console and sees the message "The current RAM user does not have permission to manage authorizations. Contact the Alibaba Cloud account or a permission administrator", the grantee lacks the required RAM authorization or the RBAC administrator authorization on the cluster.

  1. RAM authorization

    Make sure the grantee is granted the required RAM permissions; the policy must cover:

    • Listing other RAM users or RAM roles

    • Viewing the Kubernetes RBAC permission configuration of a specified RAM user or RAM role

    • Granting Kubernetes RBAC permissions

    Log on to the RAM console and grant the corresponding RAM permissions to the specified RAM user or RAM role. For details, see Use RAM to grant permissions to access clusters and cloud resources. A sample RAM custom policy is as follows.

    {
      "Statement": [
        {
          "Action": [
            "ram:ListRoles",
            "ram:ListUserBasicInfos",
            "cs:GetClusters",
            "cs:DescribeUserPermission",
            "cs:DescribeClusterDetail",
            "cs:GrantPermissions",
            "cs:UpdateUserPermissions",
            "cs:GetClusterAuditProject",
            "cs:DescribeResourcesDeleteProtection",
            "cs:UpdateResourcesDeleteProtection",
            "cs:DescribeClusterAddonUpgradeStatus"
          ],
          "Resource": "*",
          "Effect": "Allow"
        }
      ],
      "Version": "1"
    }
    
  2. RBAC authorization

    1. Log on to the ACK console and choose Authorizations in the left-side navigation pane.

    2. On the Authorizations page, select the RAM Users or RAM Roles tab according to the grantee, then click Manage Permissions in the Actions column of the target grantee.

    3. In the page that appears, click + Add Permissions, set the permission for the target cluster and the corresponding namespace to Administrator, or to cluster-admin under Custom, and click Submit to complete the configuration.

    Note

    The Alibaba Cloud account and the cluster creator are bound to cluster-admin by default and have access to all Kubernetes resource objects in the cluster.

    (Screenshot: cluster-admin permission configuration)

After the grantee has received the RAM and RBAC authorization described above, it can manage the RBAC permissions of other RAM users or RAM roles within the specified permission scope. For details, see Use RBAC to grant permissions to operate resources in a cluster.

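The custom policies in scenarios 2, 3 and 4 mix statements scoped to one cluster (acs:cs:*:*:cluster/xxxxx) with statements on Resource "*". The following Python script is an added example, not Alibaba Cloud code: it reviews such a policy the way a permission administrator would before attaching it, flagging Allow statements that keep a wildcard Resource while granting non-read actions, and statements in which the xxxxx cluster-ID placeholder was never replaced. The read/write classification by action-name prefix (Describe, Get, List, Query, Check) is a heuristic of this script, and the sample policy is a constructed subset of the page's policies.

```python
"""Least-privilege review of an ACK RAM custom policy (added example, not Alibaba Cloud code)."""
import json
import re

# Constructed subset of the scenario 2 and scenario 4 policies on this page.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["cs:GetClusters", "cs:ModifyCluster", "cs:DeleteClusterNodepool", "cs:DrainNodes"],
         "Resource": "acs:cs:*:*:cluster/xxxxx"},
        {"Effect": "Allow",
         "Action": ["cs:DescribeUserQuota", "cs:CancelTask", "cs:DeleteAlertContact"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ram:ListRoles", "ram:ListUserBasicInfos", "cs:DescribeUserPermission",
                    "cs:GrantPermissions", "cs:UpdateUserPermissions"],
         "Resource": "*"},
    ],
})

# Heuristic: these prefixes are treated as read-only; anything else counts as a write.
READ_PREFIXES = ("Describe", "Get", "List", "Query", "Check")
CLUSTER_ARN = re.compile(r"^acs:cs:[^:]*:[^:]*:cluster/(?P<id>[^/]+)$")
PLACEHOLDER_ID = "xxxxx"   # the placeholder used in the page's sample policies


def is_read_action(action):
    """'cs:DescribeClusterDetail' -> True, 'cs:UpdateUserPermissions' -> False."""
    _, _, name = action.partition(":")
    return name.startswith(READ_PREFIXES)


def _as_list(value):
    # RAM allows Action and Resource to be a single string or a list.
    return value if isinstance(value, list) else [value]


def review(policy_json):
    """Return (statement index, finding, details) tuples for the Allow statements of a policy."""
    policy = json.loads(policy_json)
    findings = []
    for idx, statement in enumerate(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement["Action"])
        resources = _as_list(statement["Resource"])
        writes = [a for a in actions if not is_read_action(a)]
        if "*" in resources and writes:
            findings.append((idx, "wildcard-resource-with-writes", sorted(writes)))
        for res in resources:
            match = CLUSTER_ARN.match(res)
            if match and match.group("id") == PLACEHOLDER_ID:
                findings.append((idx, "placeholder-cluster-id", [res]))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_POLICY):
        print(finding)
```

The page's own scenario 2 policy keeps some actions on "*", so a wildcard finding is a prompt to confirm that the action cannot be scoped more narrowly, not automatically a defect. The placeholder finding catches the most common mistake with these samples: attaching the policy with xxxxx still in place, which silently grants nothing on the intended cluster.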