
Server Load Balancer: Grant ALB Ingress Controller permissions to a self-managed Kubernetes cluster

Updated: Jun 19, 2024

ALB Ingress is built on Alibaba Cloud Application Load Balancer (ALB) and provides a more capable way to manage Ingress traffic. ALB Ingress can be used not only in Alibaba Cloud container products such as Container Service for Kubernetes (ACK), but also in a Kubernetes cluster that you manage yourself. Before you use ALB Ingress in a self-managed Kubernetes cluster, you must grant the ALB Ingress Controller in that cluster the permissions it needs.

Step 1: Create a RAM user

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users, then click Create User.

  3. On the Create User page, enter a Logon Name and a Display Name, select OpenAPI Access, and click OK.

  4. On the Create User page, copy the AccessKey ID and the AccessKey Secret.

Step 2: Create a custom policy and attach it to the RAM user

  1. Create the policy that the ALB Ingress Controller component needs in order to call Alibaba Cloud APIs.

    1. In the left-side navigation pane of the RAM console, choose Permissions > Policies, then click Create Policy.

    2. Click the JSON tab, copy the following content into the editor, and click Next to edit policy information.


      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ecs:Describe*",
              "ecs:CreateRouteEntry",
              "ecs:DeleteRouteEntry",
              "ecs:CreateNetworkInterface",
              "ecs:DeleteNetworkInterface",
              "ecs:CreateNetworkInterfacePermission",
              "ecs:DeleteNetworkInterfacePermission",
              "ecs:ModifyInstanceAttribute",
              "ecs:AttachKeyPair",
              "ecs:StopInstance",
              "ecs:StartInstance",
              "ecs:ReplaceSystemDisk"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "slb:Describe*",
              "slb:CreateLoadBalancer",
              "slb:DeleteLoadBalancer",
              "slb:ModifyLoadBalancerInternetSpec",
              "slb:RemoveBackendServers",
              "slb:AddBackendServers",
              "slb:RemoveTags",
              "slb:AddTags",
              "slb:StopLoadBalancerListener",
              "slb:StartLoadBalancerListener",
              "slb:SetLoadBalancerHTTPListenerAttribute",
              "slb:SetLoadBalancerHTTPSListenerAttribute",
              "slb:SetLoadBalancerTCPListenerAttribute",
              "slb:SetLoadBalancerUDPListenerAttribute",
              "slb:CreateLoadBalancerHTTPSListener",
              "slb:CreateLoadBalancerHTTPListener",
              "slb:CreateLoadBalancerTCPListener",
              "slb:CreateLoadBalancerUDPListener",
              "slb:DeleteLoadBalancerListener",
              "slb:CreateVServerGroup",
              "slb:DescribeVServerGroups",
              "slb:DeleteVServerGroup",
              "slb:SetVServerGroupAttribute",
              "slb:DescribeVServerGroupAttribute",
              "slb:ModifyVServerGroupBackendServers",
              "slb:AddVServerGroupBackendServers",
              "slb:ModifyLoadBalancerInstanceSpec",
              "slb:ModifyLoadBalancerInternetSpec",
              "slb:SetLoadBalancerModificationProtection",
              "slb:SetLoadBalancerDeleteProtection",
              "slb:SetLoadBalancerName",
              "slb:ModifyLoadBalancerInstanceChargeType",
              "slb:RemoveVServerGroupBackendServers"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "nlb:TagResources",
              "nlb:UnTagResources",
              "nlb:ListTagResources",
              "nlb:CreateLoadBalancer",
              "nlb:DeleteLoadBalancer",
              "nlb:GetLoadBalancerAttribute",
              "nlb:ListLoadBalancers",
              "nlb:UpdateLoadBalancerAttribute",
              "nlb:UpdateLoadBalancerAddressTypeConfig",
              "nlb:UpdateLoadBalancerZones",
              "nlb:CreateListener",
              "nlb:DeleteListener",
              "nlb:ListListeners",
              "nlb:UpdateListenerAttribute",
              "nlb:StopListener",
              "nlb:StartListener",
              "nlb:GetListenerAttribute",
              "nlb:GetListenerHealthStatus",
              "nlb:CreateServerGroup",
              "nlb:DeleteServerGroup",
              "nlb:UpdateServerGroupAttribute",
              "nlb:AddServersToServerGroup",
              "nlb:RemoveServersFromServerGroup",
              "nlb:UpdateServerGroupServersAttribute",
              "nlb:ListServerGroups",
              "nlb:ListServerGroupServers",
              "nlb:GetJobStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "vpc:Describe*",
              "vpc:DeleteRouteEntry",
              "vpc:CreateRouteEntry"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": [
                  "alb.aliyuncs.com",
                  "audit.log.aliyuncs.com",
                  "logdelivery.alb.aliyuncs.com"
                ]
              }
            }
          },
          {
            "Action": [
              "yundun-cert:DescribeSSLCertificateList",
              "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
              "yundun-cert:CreateSSLCertificateWithName",
              "yundun-cert:DeleteSSLCertificate"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "alb:TagResources",
              "alb:UnTagResources",
              "alb:ListServerGroups",
              "alb:ListServerGroupServers",
              "alb:AddServersToServerGroup",
              "alb:RemoveServersFromServerGroup",
              "alb:ReplaceServersInServerGroup",
              "alb:CreateLoadBalancer",
              "alb:DeleteLoadBalancer",
              "alb:UpdateLoadBalancerAttribute",
              "alb:UpdateLoadBalancerEdition",
              "alb:EnableLoadBalancerAccessLog",
              "alb:DisableLoadBalancerAccessLog",
              "alb:EnableDeletionProtection",
              "alb:DisableDeletionProtection",
              "alb:ListLoadBalancers",
              "alb:GetLoadBalancerAttribute",
              "alb:ListListeners",
              "alb:CreateListener",
              "alb:GetListenerAttribute",
              "alb:UpdateListenerAttribute",
              "alb:ListListenerCertificates",
              "alb:AssociateAdditionalCertificatesWithListener",
              "alb:DissociateAdditionalCertificatesFromListener",
              "alb:DeleteListener",
              "alb:CreateRule",
              "alb:DeleteRule",
              "alb:UpdateRuleAttribute",
              "alb:UpdateRulesAttribute",
              "alb:CreateRules",
              "alb:DeleteRules",
              "alb:ListRules",
              "alb:CreateServerGroup",
              "alb:DeleteServerGroup",
              "alb:UpdateServerGroupAttribute",
              "alb:DescribeZones",
              "alb:CreateAcl",
              "alb:DeleteAcl",
              "alb:ListAcls",
              "alb:AddEntriesToAcl",
              "alb:AssociateAclsWithListener",
              "alb:ListAclEntries",
              "alb:RemoveEntriesFromAcl",
              "alb:DissociateAclsFromListener",
              "alb:EnableLoadBalancerIpv6Internet",
              "alb:DisableLoadBalancerIpv6Internet"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
    3. Under Basic Information, enter a Name and click OK.

  2. Attach the policy to the RAM user so that it can call the APIs that the ALB Ingress Controller component uses.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user you created and click Add Permissions in the Actions column for that user.

    3. In the Add Permissions panel, click Custom Policy, select the policy you created, keep the default settings for the other options, and click OK.
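Before attaching a policy of this size, it is worth checking mechanically that it contains no wildcard actions and that the only statement granting ram:CreateServiceLinkedRole is scoped by a ram:ServiceName condition, as the policy above is. The following audit script is an added example and is not part of the original page or of any Alibaba Cloud tooling; the SAMPLE_POLICY and UNSCOPED_POLICY documents it ships with are constructed, shortened policies in the same format as the one above (an over-broad "slb:*" entry is included on purpose so the audit has something to report).

```python
import json

# Constructed sample policy in the same format as the page's policy: one ordinary
# statement, one correctly scoped service-linked-role statement, and one deliberately
# over-broad "slb:*" statement that should be flagged.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": ["alb:ListLoadBalancers", "alb:CreateLoadBalancer"],
         "Resource": "*", "Effect": "Allow"},
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
         "Condition": {"StringEquals": {"ram:ServiceName": ["alb.aliyuncs.com"]}}},
        {"Action": ["slb:*"], "Resource": "*", "Effect": "Allow"},  # constructed over-broad entry
    ],
})

# Constructed policy whose service-linked-role statement has no ram:ServiceName condition.
UNSCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"},
    ],
})

# Action names starting with these prefixes are treated as read-only when summarising.
READ_ONLY_PREFIXES = ("Describe", "List", "Get")


def audit_policy(policy_json: str) -> dict:
    """Return review findings for a RAM policy document.

    wildcard_actions: actions such as "*" or "slb:*" that grant a whole service.
    unscoped_service_linked_role: indexes of Allow statements that grant
        ram:CreateServiceLinkedRole without a StringEquals ram:ServiceName condition.
    write_actions_by_service: non-read actions grouped by service, so a reviewer can
        compare the grant against what the controller actually needs.
    """
    policy = json.loads(policy_json)
    findings = {
        "wildcard_actions": [],
        "unscoped_service_linked_role": [],
        "write_actions_by_service": {},
    }
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            service, _, name = action.partition(":")
            if action == "*" or name == "*":
                findings["wildcard_actions"].append(action)
                continue
            if action == "ram:CreateServiceLinkedRole":
                condition = stmt.get("Condition", {}).get("StringEquals", {})
                if not condition.get("ram:ServiceName"):
                    findings["unscoped_service_linked_role"].append(idx)
                continue
            if not name.startswith(READ_ONLY_PREFIXES):
                findings["write_actions_by_service"].setdefault(service, []).append(name)
    return findings


if __name__ == "__main__":
    # Run against the constructed sample; pass a file path to audit a real policy document.
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    print(json.dumps(audit_policy(text), indent=2))
```

Run it against the policy above (saved to a file) and you should see an empty wildcard_actions list and an empty unscoped_service_linked_role list; the write_actions_by_service summary is the part to read line by line when deciding whether every write action is still needed in your cluster.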

Step 3: Configure the AccessKey ID and AccessKey Secret in the self-managed cluster

  1. Base64-encode the AccessKey ID and the AccessKey Secret, and keep the encoded values.

  2. Run the following command to open the load-balancer-config ConfigMap of the self-managed cluster, enter the Base64-encoded AccessKey ID and AccessKey Secret, and save the file.

    vim <load-balancer-config ConfigMap file name>

    Sample load-balancer-config ConfigMap (cloud-config.conf is parsed as JSON, which allows no comments, so the field notes are given below the sample rather than inline):

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: load-balancer-config
      namespace: kube-system
    data:
      cloud-config.conf: |-
        {
            "Global": {
                "AccessKeyID": "VndV***",
                "AccessKeySecret": "UWU0NnUyTFdhcG***"
            }
        }

    AccessKeyID: the Base64-encoded AccessKey ID. AccessKeySecret: the Base64-encoded AccessKey Secret.

  3. Run the following command to deploy the load-balancer-config ConfigMap.

    kubectl apply -f <load-balancer-config ConfigMap file name>

  4. Restart the load-balancer-controller pod so that the configuration takes effect.

    1. Run the following command to obtain the name of the load-balancer-controller pod.

      kubectl get pod -n kube-system | grep load-balancer-controller

    2. Run the following command to delete the load-balancer-controller pod.

      kubectl delete pod -n kube-system load-balancer-controller-***

      Expected output:

      pod load-balancer-controller-*** deleted

    3. Run the following command to check the status of the re-created load-balancer-controller pod.

      kubectl get pod -n kube-system | grep load-balancer-controller

      Expected output:

      load-balancer-controller-0o9s***     1/1    Running   0    10s
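Hand-editing the ConfigMap is where this procedure most often goes wrong: the raw key gets pasted instead of the encoded one, a stray comment ends up inside cloud-config.conf, or the block scalar indentation shifts. The script below is an added example, not part of the original page or of the controller, that performs steps 1 and 2 of this section end to end: it Base64-encodes the credentials, emits cloud-config.conf with json.dumps so the body is guaranteed to be valid JSON, and decodes the resulting manifest back to confirm it round-trips before you run kubectl apply. Reading the credentials from the ALIBABA_CLOUD_ACCESS_KEY_ID and ALIBABA_CLOUD_ACCESS_KEY_SECRET environment variables (the names used by the Alibaba Cloud SDKs) rather than from command-line arguments is an assumption of this example, chosen so the secret does not appear in the process list.

```python
import base64
import json
import os
import sys
import textwrap


def b64(value: str) -> str:
    """Base64-encode a string, as step 1 of this section requires."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def render_load_balancer_config(access_key_id: str, access_key_secret: str,
                                namespace: str = "kube-system") -> str:
    """Build the load-balancer-config ConfigMap manifest with Base64-encoded credentials.

    cloud-config.conf is generated with json.dumps, so it can never contain the
    inline comments that JSON does not allow.
    """
    cloud_config = json.dumps(
        {"Global": {"AccessKeyID": b64(access_key_id),
                    "AccessKeySecret": b64(access_key_secret)}},
        indent=4,
    )
    return (
        "apiVersion: v1\n"
        "kind: ConfigMap\n"
        "metadata:\n"
        "  name: load-balancer-config\n"
        f"  namespace: {namespace}\n"
        "data:\n"
        "  cloud-config.conf: |-\n"
        + textwrap.indent(cloud_config, "    ") + "\n"
    )


def decode_cloud_config(manifest: str) -> dict:
    """Extract the cloud-config.conf block scalar from a manifest in the layout above
    and return the decoded AccessKey ID and Secret, so a manifest can be verified
    before it is applied."""
    lines = manifest.splitlines()
    start = next(i for i, line in enumerate(lines)
                 if line.strip() == "cloud-config.conf: |-") + 1
    # The block scalar body is indented four spaces under the key.
    body = "\n".join(line[4:] for line in lines[start:] if line.strip())
    global_section = json.loads(body)["Global"]
    return {key: base64.b64decode(global_section[key]).decode("utf-8")
            for key in ("AccessKeyID", "AccessKeySecret")}


if __name__ == "__main__":
    # Assumed environment variable names (the ones the Alibaba Cloud SDKs read).
    ak_id = os.environ["ALIBABA_CLOUD_ACCESS_KEY_ID"]
    ak_secret = os.environ["ALIBABA_CLOUD_ACCESS_KEY_SECRET"]
    manifest = render_load_balancer_config(ak_id, ak_secret)
    # Round-trip check before anything is written out.
    if decode_cloud_config(manifest) != {"AccessKeyID": ak_id, "AccessKeySecret": ak_secret}:
        sys.exit("manifest did not round-trip; refusing to write it")
    sys.stdout.write(manifest)
```

Redirect the output to a file and continue with step 3 (kubectl apply -f) and step 4 (delete the load-balancer-controller pod). Because the controller reads its credentials from a ConfigMap rather than a Secret, restrict get/list access to load-balancer-config in the kube-system namespace with RBAC to the same set of principals you would trust with a Secret.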

References

For self-managed Kubernetes clusters, see the corresponding ALB Ingress best-practice documents: