
Container Service for Kubernetes: Authorization best practices

Updated: Jun 19, 2024

The authorization system of Container Service for Kubernetes (ACK) consists of RAM authorization at the basic resource layer and RBAC authorization at the ACK cluster layer, and different user roles need different permissions at each layer. This topic describes authorization best practices for three kinds of subjects: cluster and application O&M engineers, application developers, and permission administrators.

ACK authorization system

The ACK authorization system consists of RAM authorization at the basic resource layer and RBAC authorization at the ACK cluster layer, as shown in the following figure.

(Figure: ACK authorization system)

  • RAM authorization covers O&M operations on the ACK cluster itself. It requires OpenAPI permissions on ACK and on the Alibaba Cloud services that ACK depends on, mainly for the following operations:

    • Clusters: create, view, upgrade, delete

    • Node pools: create, modify, scale in and out

    • Authorization management

    • Cluster monitoring, logs, and events

  • RBAC authorization covers O&M operations on the Kubernetes applications running in the ACK cluster. It requires permissions on the ACK cluster and its namespaces, mainly create, read, update, and delete operations on the following Kubernetes objects:

    • Workloads: Deployment, StatefulSet, DaemonSet, Job, CronJob, Pod, ReplicaSet, HPA, and so on

    • Networking: Service, Ingress, NetworkPolicy, and so on

    • Storage: PV, PVC, StorageClass, and so on

    • Namespace, ConfigMap, Secret, and so on

Therefore, when a RAM user or RAM role needs to perform cluster O&M and application O&M, you must grant it RAM permissions and then RBAC permissions; the RAM authorization has to be in place before the RBAC authorization. The authorization steps for three typical scenarios are described below.

Important

For employees who have left or users who are no longer trusted, deleting the RAM user or RAM role does not remove the RBAC permissions held by that user's or role's ACK cluster KubeConfig. Therefore, revoke the KubeConfig permissions of such users before you delete the RAM user or RAM role. For details, see Revoke the KubeConfig credentials of a cluster.
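As an added example (not part of the original topic), the following Python audits a cluster's ClusterRoleBindings and RoleBindings for User subjects that no longer correspond to an existing RAM user, which is the leftover the note above warns about. The RAM UIDs and binding objects are constructed sample data, and the assumption that ACK names the subject by the numeric RAM UID should be confirmed against a real binding in your cluster.

```python
# Constructed sample data. CURRENT_RAM_UIDS stands for the UIDs a RAM ListUsers
# call returns; BINDINGS stands for ClusterRoleBindings and RoleBindings read
# from the cluster. Assumption: ACK binds a RAM user as a Kubernetes User
# subject named by the numeric RAM UID; confirm this before acting on the report.
CURRENT_RAM_UIDS = {"201234567890123456", "202345678901234567"}

BINDINGS = [
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "201234567890123456-clusterrolebinding"},
     "roleRef": {"kind": "ClusterRole", "name": "cs:ops"},
     "subjects": [{"kind": "User", "name": "201234567890123456"}]},
    {"kind": "RoleBinding",
     "metadata": {"name": "209876543210987654-rolebinding", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "cs:ns:dev"},
     "subjects": [{"kind": "User", "name": "209876543210987654"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "system:node"},
     "roleRef": {"kind": "ClusterRole", "name": "system:node"},
     "subjects": [{"kind": "Group", "name": "system:nodes"}]},
]


def find_orphaned_bindings(bindings, current_uids):
    """Return bindings whose User subject looks like a RAM UID that is no longer
    in the account. Group and ServiceAccount subjects are skipped."""
    orphans = []
    for binding in bindings:
        for subject in binding.get("subjects", []):
            name = subject.get("name", "")
            if subject.get("kind") != "User" or not name.isdigit():
                continue
            if name in current_uids:
                continue
            orphans.append({"kind": binding["kind"], "name": binding["metadata"]["name"],
                            "namespace": binding["metadata"].get("namespace"),
                            "role": binding["roleRef"]["name"], "uid": name})
    return orphans


def remediation_commands(orphans):
    """kubectl commands that delete the stale bindings; review them before running."""
    commands = []
    for orphan in orphans:
        ns = f" -n {orphan['namespace']}" if orphan["namespace"] else ""
        commands.append(f"kubectl delete {orphan['kind'].lower()} {orphan['name']}{ns}")
    return commands
```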

Scenario 1: the subject is an O&M engineer for the cluster and the applications in it

The subject needs the permissions required to manage and operate the ACK cluster and also needs to operate application resource objects in the cluster. The authorization therefore includes both RAM authorization and RBAC authorization.

  1. RAM authorization

    On the RAM side, Container Service for Kubernetes provides two system policies: AliyunCSFullAccess and AliyunCSReadOnlyAccess.

    • AliyunCSFullAccess grants read and write access to all Container Service for Kubernetes OpenAPI operations.

    • AliyunCSReadOnlyAccess grants read-only access to all Container Service for Kubernetes OpenAPI operations.

    Log on to the Resource Access Management console and attach one of the two system policies as needed. For details, see Grant permissions to a RAM user and Grant permissions to a RAM role.

    If you need fine-grained permission control, you can create a custom policy. For details, see Customize RAM authorization policies.

    A sample RAM policy for this scenario follows. For a description of the Actions used in the sample, see Action description.

    {
      "Statement": [
        {
          "Action": [
            "cs:GetClusters",
            "cs:DescribeClustersV1",
            "cs:DescribeClusterNodes",
            "cs:DescribeClusterUserKubeconfig",
            "cs:DescribeClusterResources",
            "cs:DescribeUserQuota",
            "cs:DescribeClusterLogs",
            "cs:ModifyCluster",
            "cs:UpgradeCluster",
            "cs:GetUpgradeStatus",
            "cs:ResumeUpgradeCluster",
            "cs:PauseClusterUpgrade",
            "cs:CancelClusterUpgrade",
            "cs:InstallClusterAddons",
            "cs:UpgradeClusterAddons",
            "cs:DescribeClusterAddonsUpgradeStatus",
            "cs:DescribeAddons",
            "cs:RemoveClusterNodes",
            "cs:CreateClusterNodePool",
            "cs:DescribeClusterNodePools",
            "cs:DescribeClusterNodePoolDetail",
            "cs:ScaleClusterNodePool",
            "cs:ModifyClusterNodePool",
            "cs:DeleteClusterNodepool",
            "cs:UnInstallClusterAddons"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cs:*:*:cluster/<yourclusterID>"
          ]
        }
      ],
      "Version": "1"
    }

    For more information about the Container Service for Kubernetes OpenAPI, see [Product changes] Announcement on the optimization of Container Service OpenAPI authentication and API overview.

  2. RBAC authorization

    After the RAM authorization is complete, you must also grant the RAM user or RAM role RBAC permissions on the target cluster. Container Service for Kubernetes provides four preset roles at the cluster level.

    Role            | RBAC permissions in the cluster
    ----------------|----------------------------------------------------------------
    Administrator   | Read and write permissions on all resources in all namespaces.
    O&M Engineer    | Read and write permissions on the Kubernetes resources visible in the console in all namespaces; read-only permissions on cluster nodes, volumes, namespaces, and quotas.
    Developer       | Read and write permissions on the Kubernetes resources visible in the console in all namespaces or in the selected namespaces.
    Restricted User | Read-only permissions on the Kubernetes resources visible in the console in all namespaces or in the selected namespaces.

    In this scenario, go to the Authorizations page of the Container Service console and set the subject's access to the target cluster and its namespaces to O&M Engineer (RBAC).

    After a preset role is bound, ACK automatically creates a ClusterRoleBinding in the cluster for the identity of the authorized subject. The RBAC permissions of the preset O&M Engineer role are as follows.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cs:ops
    rules:
    - apiGroups: [""]
      resources:  ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["bindings", "events", "limitranges", "namespaces/status", "replicationcontrollers/status", "pods/log", "pods/status", "resourcequotas", "resourcequotas/status", "componentstatuses"]
      verbs: ["get", "list", "watch"]
    - apiGroups: [""]
      resources:  ["namespaces", "nodes", "persistentvolumes"]
      verbs: ["get", "list", "watch", "patch"]
    - apiGroups: ["coordination.k8s.io"]
      resources:  ["leases"]
      verbs: ["get"]
    - apiGroups: ["apps"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["autoscaling"]
      resources:  ["horizontalpodautoscalers"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["batch"]
      resources:  ["cronjobs", "jobs"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["extensions"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.k8s.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
      verbs: ["update"]
    - apiGroups: ["storage.k8s.io"]
      resources:  ["storageclasses"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["alicloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["policy"]
      resources:  ["poddisruptionbudgets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["metrics.k8s.io"]
      resources: ["pods", "nodes"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["networking.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["config.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["rbac.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["istio.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["authentication.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["log.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["monitoring.kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["apiextensions.k8s.io"]
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["serving.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["messaging.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["sources.eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["tekton.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["alert.alibabacloud.com"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]

    If you need fine-grained RBAC permission control, you can create a custom ClusterRole as described in RBAC, then select Custom on the Authorizations page of the Container Service console and pick the name of your ClusterRole from the drop-down list. For details, see Customize Kubernetes authorization policies.

Scenario 2: the subject is a developer of the applications in the cluster

The subject only needs permissions on Kubernetes resource objects in the ACK cluster (RBAC authorization) and does not need access to cloud resources.

Important

Before the RBAC authorization, the subject must hold at least read-only Container Service permissions on the target cluster (RAM authorization).

  1. RAM authorization

    In the Resource Access Management console, create a custom policy and attach it to the target RAM user or RAM role. For details, see Customize RAM authorization policies. The custom policy is as follows:

    {
      "Statement": [
        {
          "Action": [
            "cs:Get*",
            "cs:List*",
            "cs:Describe*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cs:*:*:cluster/c5cc77f5180a449a4a48cf8001831xxxx"
          ]
        }
      ],
      "Version": "1"
    }

    Replace c5cc77f5180a449a4a48cf8001831xxxx in Resource with the ID of your cluster.

    Note

    If you need to grant the subject read-only permissions on all clusters, attach the RAM system policy AliyunCSReadOnlyAccess provided by Container Service for Kubernetes instead.
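As an added example that is not part of the original topic, the following Python evaluates a single request against a RAM policy document written the way the policies on this page are (Allow statements with wildcard Actions and a cluster ARN as Resource), and shows how an explicit Deny can carve kubeconfig retrieval out of cs:Describe*. It assumes a simplified RAM model (Deny overrides Allow, unmatched requests are denied, Condition blocks are ignored); the region, account ID and second cluster ID in the ARNs are constructed.

```python
import json
import re

# Constructed copy of the read-only policy above; the cluster ID is the page's
# own placeholder, not a real cluster.
READONLY_POLICY = json.loads("""{
  "Statement": [{
    "Action": ["cs:Get*", "cs:List*", "cs:Describe*"],
    "Effect": "Allow",
    "Resource": ["acs:cs:*:*:cluster/c5cc77f5180a449a4a48cf8001831xxxx"]
  }],
  "Version": "1"
}""")

# The same policy plus an explicit Deny that carves out kubeconfig retrieval,
# which cs:Describe* would otherwise cover.
NO_KUBECONFIG_POLICY = {
    "Statement": READONLY_POLICY["Statement"] + [{
        "Action": "cs:DescribeClusterUserKubeconfig",
        "Effect": "Deny",
        "Resource": "*",
    }],
    "Version": "1",
}

# Constructed ARNs: region, account ID and the second cluster ID are made up.
CLUSTER = "acs:cs:cn-hangzhou:1234567890123456:cluster/c5cc77f5180a449a4a48cf8001831xxxx"
OTHER_CLUSTER = "acs:cs:cn-hangzhou:1234567890123456:cluster/c0000000000000000000000000000xxxx"


def _as_list(value):
    # RAM accepts a single string or a list for Action and Resource.
    return [value] if isinstance(value, str) else list(value)


def _match(pattern, value):
    # RAM's only wildcard is '*'; every other character matches literally.
    return re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), value) is not None


def is_allowed(policy, action, resource):
    """Decide one request under a RAM policy document (assumption: an explicit
    Deny beats any Allow, no matching statement means denied, Conditions ignored)."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(p, action) for p in _as_list(stmt["Action"])):
            continue
        if not any(_match(p, resource) for p in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

The same evaluator shows why the scenario 3 note matters: a Resource of acs:ram:*:*:policy/* would match every policy name.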

  2. RBAC authorization

    On the Authorizations page of the Container Service console, set the access of the subject (RAM user or RAM role) to the target cluster and its namespaces to Developer.

    After a preset role is bound, ACK automatically creates a ClusterRoleBinding in the cluster for the identity of the authorized subject. The RBAC permissions of the preset Developer role are as follows.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cs:ns:dev
    rules:
    - apiGroups: [""]
      resources:  ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["events", "replicationcontrollers/status", "pods/log", "pods/status"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["apps"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["autoscaling"]
      resources:  ["horizontalpodautoscalers"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["batch"]
      resources:  ["cronjobs", "jobs"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["extensions"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "ingresses", "replicasets", "replicasets/scale", "replicationcontrollers/scale"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.k8s.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
      verbs: ["update"]
    - apiGroups: ["alicloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["policy"]
      resources:  ["poddisruptionbudgets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["config.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["rbac.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["istio.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["authentication.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["log.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["monitoring.kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["apiextensions.k8s.io"]
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["serving.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["messaging.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["sources.eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["tekton.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["alert.alibabacloud.com"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]

    If you need fine-grained RBAC permission control, you can create a custom ClusterRole as described in RBAC, then select Custom on the Authorizations page of the Container Service console and pick the name of your ClusterRole from the drop-down list. For details, see Customize Kubernetes authorization policies.
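As an added example (not the project's own code), the following Python audits the preset cs:ns:dev rules shown above for high-impact grants and derives a narrowed custom ClusterRole from them, which is the kind of fine-grained role this step and the same step in scenario 1 describe. The rule excerpt is constructed from the page's own YAML (core and apps groups only); the SENSITIVE set and the role name cs:ns:dev-restricted are assumptions.

```python
# Constructed excerpt of the preset cs:ns:dev ClusterRole shown above (core
# and apps API groups only); the full rule list is on the page.
DEV_RULES = [
    {"apiGroups": [""],
     "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"],
     "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": [""],
     "resources": ["configmaps", "endpoints", "persistentvolumeclaims", "secrets",
                   "serviceaccounts", "services", "services/proxy"],
     "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["apps"],
     "resources": ["daemonsets", "deployments", "replicasets", "statefulsets"],
     "verbs": ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]},
]

# Grants worth a second look in a developer role (assumed list): Secrets expose
# credentials, pods/exec and pods/attach give a shell in any pod the role can
# reach, and writing ServiceAccounts lets the holder mint in-cluster identities.
SENSITIVE = {
    ("", "secrets"): {"get", "list", "watch", "create", "update", "patch"},
    ("", "pods/exec"): {"create"},
    ("", "pods/attach"): {"create"},
    ("", "serviceaccounts"): {"create", "update", "patch"},
}


def sensitive_grants(rules):
    """Return sorted (apiGroup, resource, verb) triples from SENSITIVE that the
    rules grant. A rule with verbs ["*"] grants every watched verb."""
    hits = set()
    for rule in rules:
        rule_verbs = set(rule["verbs"])
        for group in rule["apiGroups"]:
            for res in rule["resources"]:
                watched = SENSITIVE.get((group, res), set())
                granted = watched if "*" in rule_verbs else watched & rule_verbs
                hits.update((group, res, v) for v in granted)
    return sorted(hits)


def narrow_role(name, rules, drop_resources):
    """Build a custom ClusterRole manifest from rules with drop_resources removed;
    rules left empty are discarded. The dict is valid JSON input for kubectl apply -f."""
    kept_rules = []
    for rule in rules:
        resources = [r for r in rule["resources"] if r not in drop_resources]
        if resources:
            kept_rules.append({**rule, "resources": resources})
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
            "metadata": {"name": name}, "rules": kept_rules}
```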

Scenario 3: the subject is a permission administrator for the applications in the cluster

The subject needs to manage the RBAC permissions of other RAM users or RAM roles. By default, a RAM user or RAM role cannot grant RBAC permissions to other RAM users or RAM roles. If the Authorizations page of the Container Service console shows the message that the current RAM user does not have authorization management permissions and should contact the Alibaba Cloud account or a permission administrator, the subject lacks the required RAM permissions or the cluster-admin RBAC authorization on the cluster.

  1. RAM authorization

    Make sure the subject is granted the required RAM permissions. The policy must cover:

    • Listing other RAM users or RAM roles

    • Attaching RAM policies to a given RAM user or RAM role

    • Viewing the Kubernetes RBAC permission configuration of a given RAM user or RAM role

    • Granting Kubernetes RBAC permissions

    Log on to the Resource Access Management console and grant the RAM user or RAM role the corresponding RAM permissions. For details, see Customize RAM authorization policies. A sample custom RAM policy follows.

    {
      "Statement": [
        {
          "Action": [
            "ram:Get*",
            "ram:List*",
            "cs:GetUserPermissions",
            "cs:GetSubUsers",
            "cs:GrantPermission"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:AttachPolicyToUser",
            "ram:AttachPolicyToRole"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:ram:*:*:policy/xxxx",
            "acs:*:*:*:user/*"
          ]
        }
      ],
      "Version": "1"
    }

    Replace xxxx in acs:ram:*:*:policy/xxxx with the name of the RAM policy the subject is allowed to attach. If you replace it with *, the subject can attach any RAM policy.

  2. RBAC authorization

    Set the subject's access to the target cluster and its namespaces to Administrator, or to cluster-admin under custom roles.

    Note

    The Alibaba Cloud account (the root account) and the cluster creator are bound to cluster-admin by default and have access to all Kubernetes resource objects in the cluster.


After you complete the RAM authorization and RBAC authorization above, the subject can manage the RBAC permissions of other RAM users or RAM roles within the specified permission scope. For details, see Configure RBAC permissions for RAM users or RAM roles.