
Container Service for Kubernetes: Policy content of ACK One service roles

Last updated: Jun 19, 2024

A service role is a RAM role that a cloud service assumes when it needs access to other cloud services in order to perform one of its own functions. You must grant the ACK One service account the corresponding service roles before ACK One features can be used. This topic describes the service roles that ACK One supports and the content of their policies.

Authorization

Authorization is required only the first time you use ACK One; authorizing once with an Alibaba Cloud account (root account) or a RAM administrator account (RAM user) is sufficient.

Service roles do not need to be created manually. The first time you use the ACK One console and its related features, the console automatically displays an authorization prompt; follow the prompt to complete authorization.

Important

Only an Alibaba Cloud account (root account) or a RAM administrator account can complete the automatic authorization of service roles; ordinary RAM users do not have permission to perform the authorization. If the system reports insufficient permissions during the operation, switch to the Alibaba Cloud account (root account) or a RAM administrator account to complete the authorization.

Service-linked roles

Role name

Role permission description

AliyunServiceRoleForAdcp

  • ACK One uses this role during cluster management operations to access your resources in ECS, VPC, SLB and related cloud services.

  • This role must be granted for ACK One features to work.

AliyunAdcpServerlessKubernetesRole

  • ACK One multi-cluster Fleet and Distributed Argo Workflows clusters use this role to access resources in VPC, ECS, PrivateZone, ECI, SLS and other services.

  • This role must be granted for ACK One features to work.

AliyunAdcpManagedMseRole

  • ACK One multi-cluster Fleet uses this role to access resources in MSE and related services.

  • This role needs to be granted only when you use the multi-cluster gateway feature; leaving it ungranted does not affect other features.

Role policy content

AliyunServiceRoleForAdcp

ECS permissions

  • ecs:CreateSecurityGroup

  • ecs:CreateSecurityGroupPermissions

  • ecs:DeleteSecurityGroup

  • ecs:DescribeAccountAttributes

  • ecs:DescribeSecurityGroups

  • ecs:AuthorizeSecurityGroup

  • ecs:RevokeSecurityGroup

  • ecs:AuthorizeSecurityGroupEgress

  • ecs:RevokeSecurityGroupEgress

  • ecs:DescribeNetworkInterfaces

  • ecs:DescribeZones

VPC permissions

  • vpc:DescribeVpcAttribute

  • vpc:DescribeVSwitchAttributes

  • vpc:AllocateEipAddress

  • vpc:AssociateEipAddress

  • vpc:UnassociateEipAddress

  • vpc:ReleaseEipAddress

  • vpc:DescribeEipAddresses

  • vpc:TagResources

  • vpc:DeletionProtection

  • vpc:DescribeRouteTableList

  • vpc:CreateRouteEntry

  • vpc:DeleteRouteEntry

  • vpc:AcceptVpcPeerConnection

  • vpc:GetVpcPeerConnectionAttribute

  • vpc:DescribeVSwitches

  • vpc:DescribeVpcs

CEN permissions

  • cen:DescribeCenAttachedChildInstances

  • cen:DescribeCens

SLB permissions

  • slb:DescribeLoadBalancerAttribute

  • slb:CreateLoadBalancer

  • slb:DeleteLoadBalancer

  • slb:StartLoadBalancerListener

  • slb:StopLoadBalancerListener

  • slb:CreateLoadBalancerTCPListener

  • slb:CreateLoadBalancerHTTPListener

  • slb:DeleteLoadBalancerListener

  • slb:AddTags

  • slb:RemoveTags

  • slb:SetLoadBalancerDeleteProtection

  • slb:SetLoadBalancerModificationProtection

  • slb:DescribeZones

  • slb:CreateAccessControlList

  • slb:DescribeAccessControlLists

  • slb:AddAccessControlListEntry

  • slb:RemoveAccessControlListEntry

  • slb:SetLoadBalancerTCPListenerAttribute

Service Mesh permissions

  • servicemesh:CreateServiceMesh

  • servicemesh:DeleteServiceMesh

  • servicemesh:DescribeServiceMeshDetail

  • servicemesh:DescribeServiceMeshes

  • servicemesh:DescribeServiceMeshKubeconfig

  • servicemesh:DescribeServiceMeshLogs

  • servicemesh:ModifyServiceMesh

  • servicemesh:ModifyServiceMeshName

  • servicemesh:DescribeClustersInServiceMesh

  • servicemesh:AddClusterIntoServiceMesh

  • servicemesh:RemoveClusterFromServiceMesh

  • servicemesh:UpdateMeshFeature

  • servicemesh:DescribeRegions

  • servicemesh:DescribeServiceMeshUpgradeStatus

  • servicemesh:DescribeVersions

  • servicemesh:RevokeKubeconfig

  • servicemesh:UpdateServiceMeshOwner

RAM permissions

  • ram:CreateApplication

  • ram:ListApplications

  • ram:ListAppSecretIds

  • ram:GetApplication

  • ram:UpdateApplication

  • ram:CreateAppSecret

  • ram:GetAppSecret

  • ram:DeleteApplication

  • ram:DeleteAppSecret

  • ram:CreateServiceLinkedRole

ARMS permissions

  • arms:InstallManagedPrometheus

  • arms:UninstallManagedPrometheus

AliyunAdcpServerlessKubernetesRole

VPC permissions

  • vpc:DescribeVSwitches

  • vpc:DescribeVpcs

  • vpc:AssociateEipAddress

  • vpc:DescribeEipAddresses

  • vpc:AllocateEipAddress

  • vpc:ReleaseEipAddress

  • vpc:AddCommonBandwidthPackageIp

  • vpc:RemoveCommonBandwidthPackageIp

ECS permissions

  • ecs:DescribeSecurityGroups

  • ecs:CreateNetworkInterface

  • ecs:CreateNetworkInterfacePermission

  • ecs:DescribeNetworkInterfaces

  • ecs:AttachNetworkInterface

  • ecs:DetachNetworkInterface

  • ecs:DeleteNetworkInterface

  • ecs:DeleteNetworkInterfacePermission

ARMS permissions

  • arms:GetManagedPrometheusStatus

  • arms:InstallManagedPrometheus

  • arms:UninstallManagedPrometheus

Alibaba Cloud DNS PrivateZone permissions

  • pvtz:AddZone

  • pvtz:DeleteZone

  • pvtz:DescribeZones

  • pvtz:DescribeZoneInfo

  • pvtz:BindZoneVpc

  • pvtz:AddZoneRecord

  • pvtz:DeleteZoneRecord

  • pvtz:DeleteZoneRecordsByRR

  • pvtz:DescribeZoneRecordsByRR

  • pvtz:DescribeZoneRecords

ECI permissions

  • eci:CreateContainerGroup

  • eci:DeleteContainerGroup

  • eci:DescribeContainerGroups

  • eci:DescribeContainerGroupStatus

  • eci:DescribeContainerGroupEvents

  • eci:DescribeContainerLog

  • eci:UpdateContainerGroup

  • eci:UpdateContainerGroupByTemplate

  • eci:CreateContainerGroupFromTemplate

  • eci:RestartContainerGroup

  • eci:ExportContainerGroupTemplate

  • eci:DescribeContainerGroupMetric

  • eci:DescribeMultiContainerGroupMetric

  • eci:ResizeContainerGroupVolume

  • eci:ExecContainerCommand

  • eci:CreateImageCache

  • eci:DescribeImageCaches

  • eci:DeleteImageCache

Log Service permissions

  • log:CreateProject

  • log:GetProject

  • log:DeleteProject

  • log:CreateLogStore

  • log:GetLogStore

  • log:UpdateLogStore

  • log:DeleteLogStore

  • log:CreateConfig

  • log:UpdateConfig

  • log:GetConfig

  • log:DeleteConfig

  • log:CreateMachineGroup

  • log:UpdateMachineGroup

  • log:GetMachineGroup

  • log:DeleteMachineGroup

  • log:ApplyConfigToGroup

  • log:GetAppliedMachineGroups

  • log:GetAppliedConfigs

  • log:RemoveConfigFromMachineGroup

  • log:CreateIndex

  • log:GetIndex

  • log:UpdateIndex

  • log:DeleteIndex

  • log:CreateSavedSearch

  • log:GetSavedSearch

  • log:UpdateSavedSearch

  • log:DeleteSavedSearch

  • log:CreateDashboard

  • log:GetDashboard

  • log:UpdateDashboard

  • log:DeleteDashboard

  • log:CreateJob

  • log:GetJob

  • log:DeleteJob

  • log:PostLogStoreLogs

  • log:UpdateJob

RAM permissions

  • ram:CreateServiceLinkedRole

AliyunAdcpManagedMseRole

MSE permissions

  • mse:AddBlackWhiteList

  • mse:AddGateway

  • mse:AddServiceSource

  • mse:CreateApplication

  • mse:DeleteGateway

  • mse:DeleteServiceSource

  • mse:GetBlackWhiteList

  • mse:GetGateway

  • mse:GetGatewayDetail

  • mse:GetGatewayOption

  • mse:ListServiceSource

  • mse:ListTagResources

  • mse:ModifyLosslessRule

  • mse:TagResources

  • mse:UntagResources

  • mse:UpdateBlackWhiteList

  • mse:UpdateGatewayOption

  • mse:UpdateServiceSource

Log Service permissions

  • log:CloseProductDataCollection

  • log:OpenProductDataCollection

  • log:GetProductDataCollection

RAM permissions

  • ram:CreateServiceLinkedRole
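As an added example (not part of this topic or of ACK One itself), the following Python audit compares a RAM policy document attached to a role with the action list documented above for AliyunAdcpManagedMseRole, reporting actions the page does not document, documented actions the policy lacks, and wildcard grants broader than any documented list; the same function audits the other two roles once their lists are swapped in. The sample policy is constructed for illustration and is not a real ACK One policy.

```python
import fnmatch
import json

# Actions this page documents for AliyunAdcpManagedMseRole (MSE, Log Service, RAM).
DOCUMENTED_MSE_ROLE_ACTIONS = {
    "mse:AddBlackWhiteList", "mse:AddGateway", "mse:AddServiceSource",
    "mse:CreateApplication", "mse:DeleteGateway", "mse:DeleteServiceSource",
    "mse:GetBlackWhiteList", "mse:GetGateway", "mse:GetGatewayDetail",
    "mse:GetGatewayOption", "mse:ListServiceSource", "mse:ListTagResources",
    "mse:ModifyLosslessRule", "mse:TagResources", "mse:UntagResources",
    "mse:UpdateBlackWhiteList", "mse:UpdateGatewayOption", "mse:UpdateServiceSource",
    "log:CloseProductDataCollection", "log:OpenProductDataCollection",
    "log:GetProductDataCollection", "ram:CreateServiceLinkedRole",
}

def allowed_actions(policy):
    """Actions granted by Allow statements; RAM permits Action as str or list."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":  # Deny statements grant nothing
            action = stmt.get("Action", [])
            granted.update([action] if isinstance(action, str) else action)
    return granted

def audit_policy(policy, documented):
    """Return (extra, missing, wildcards): explicit actions the page does not
    document, documented actions the policy does not grant, and wildcard
    grants such as mse:* that are broader than any documented list."""
    granted = allowed_actions(policy)
    wildcards = {a for a in granted if "*" in a}
    explicit = granted - wildcards
    extra = explicit - documented
    missing = {a for a in documented if a not in explicit
               and not any(fnmatch.fnmatchcase(a, w) for w in wildcards)}
    return extra, missing, wildcards

# Constructed sample policy (not a real ACK One policy) showing three kinds of drift.
SAMPLE_POLICY_JSON = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["mse:*", "log:GetProductDataCollection",
                "ram:CreateServiceLinkedRole", "ecs:DescribeInstances"]},
    {"Effect": "Deny", "Resource": "*", "Action": "log:CloseProductDataCollection"}
  ]
}"""

def audit_sample():
    """Audit the constructed sample against the documented MSE role actions."""
    return audit_policy(json.loads(SAMPLE_POLICY_JSON), DOCUMENTED_MSE_ROLE_ACTIONS)
```

Running `audit_sample()` reports `ecs:DescribeInstances` as undocumented, the two Log Service actions not granted as missing, and `mse:*` as a wildcard grant to review.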
