本文介绍在首次使用ACK时如何通过Terraform授权容器服务角色。
前提条件
已安装并配置Terraform。
步骤一:开通容器服务ACK
在创建ACK集群前您需要开通相应服务。
创建一个工作目录,并在工作目录中创建名为
main.tf的配置文件。将如下代码复制到
main.tf配置文件。执行如下命令,初始化Terraform运行环境。
terraform init返回信息如下,Terraform初始化成功。
Initializing the backend... Initializing provider plugins... ... Terraform has been successfully initialized! ...执行如下命令,开通容器服务ACK。
terraform apply返回信息如下,输入
yes,按Enter键,服务开通成功。You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure. Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value: yes Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
步骤二:授权角色
首次登录容器服务 Kubernetes 版时,需要为服务账号授予系统服务角色,具体步骤如下。
在
main.tf配置文件中添加如下代码,并执行terraform apply查询账号中是否存在已授权的角色。说明由于Terraform本身的限制,无法自动检测角色是否存在,且无法自动授权不存在的角色,因此需要您手动查询角色信息,并为账号手动授权需要的角色。
// 判断角色是否存在。 data "alicloud_ram_roles" "roles" { policy_type = "System" } // 列举出账号已被完整授权角色信息。 output "exist_role" { value = data.alicloud_ram_roles.roles }返回信息如下。
No changes. Your infrastructure matches the configuration. Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed. Apply complete! Resources: 0 added, 0 changed, 0 destroyed. Outputs: ... exist_role = { "id" = "1788****59" "ids" = tolist([ "3009617019****1438", "3023233020****0278", "3302003419****4675", "3178548808****5924", "3371411011****5177", "3475619590****3519", ]) "name_regex" = tostring(null) "names" = tolist([ "AliyunCASDefaultRole", "AliyunContainerRegistryDefaultRole", "AliyunCSDefaultRole", "AliyunCSKubernetesAuditRole", "AliyunCSManagedArmsRole", "AliyunCSManagedCmsRole", "AliyunCSManagedCsiRole", "AliyunCSManagedKubernetesRole", "AliyunCSManagedLogRole", "AliyunCSManagedNetworkRole", "AliyunCSManagedVKRole", "AliyunCSServerlessKubernetesRole", "AliyunServiceRoleForCSB", "AliyunServiceRoleForECI", "AliyunServiceRoleForGws", "AliyunServiceRoleForResourceDirectory", "AliyunServiceRoleForServiceMesh", ]) "output_file" = tostring(null) "policy_name" = tostring(null) "policy_type" = "System" "roles" = tolist([ { "arn" = "acs:ram::1848450434088535:role/aliyuncasdefaultrole" "assume_role_policy_document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cas.aliyuncs.com"]}}], "Version": "1"} EOT "create_date" = "2023-07-17T03:27:28Z" "description" = "云盾证书服务(CAS)默认使用此角色来访问您在其他云产品中的资源" "document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cas.aliyuncs.com"]}}], "Version": "1"} EOT "id" = "300961701980****" "name" = "AliyunCASDefaultRole" "update_date" = "2023-07-17T03:27:28Z" }, { "arn" = "acs:ram::1848450434****:role/aliyuncontainerregistrydefaultrole" "assume_role_policy_document" = <<-EOT { "Statement": [{ "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["cr.aliyuncs.com"]}}], "Version": "1"} "id" = "3502335964487******" "name" = "AliyunServiceRoleForServiceMesh" "update_date" = "2022-09-27T10:26:50Z" }, ]) }在
main.tf配置文件中替换如下授权模板。provider "alicloud" { } // 创建角色。 resource "alicloud_ram_role" "role" { for_each = { for r in var.roles : r.name => r } name = each.value.name document = each.value.policy_document description = each.value.description force = true } // 角色关联系统权限。 resource "alicloud_ram_role_policy_attachment" "attach" { for_each = { for r in var.roles : r.name => r } policy_name = each.value.policy_name policy_type = "System" role_name = each.value.name depends_on = [alicloud_ram_role.role] } // 所需角色。 variable "roles" { type = list(object({ name = string policy_document = string description = string policy_name = string })) default = [ { name = "AliyunCSManagedLogRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "集群的日志组件使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSManagedLogRolePolicy" }, { name = "AliyunCSManagedCmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "集群的CMS组件使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSManagedCmsRolePolicy" }, { name = "AliyunCSManagedCsiRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "集群的存储插件使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSManagedCsiRolePolicy" }, { name = "AliyunCSManagedVKRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "ACK Serverless集群的VK组件使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSManagedVKRolePolicy" }, { name = "AliyunCSClusterRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "集群在应用运行期使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSClusterRolePolicy" }, { name = "AliyunCSServerlessKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "集群默认使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSServerlessKubernetesRolePolicy" }, { name = "AliyunCSKubernetesAuditRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "集群审计功能使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSKubernetesAuditRolePolicy" }, { name = "AliyunCSManagedNetworkRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "集群网络组件使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSManagedNetworkRolePolicy" }, { name = "AliyunCSDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "集群操作时默认使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSDefaultRolePolicy" }, { name = "AliyunCSManagedKubernetesRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "集群默认使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSManagedKubernetesRolePolicy" }, { name = "AliyunCSManagedArmsRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "集群Arms插件使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCSManagedArmsRolePolicy" }, { name = "AliyunCISDefaultRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"cs.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "容器服务(CS)智能运维使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunCISDefaultRolePolicy" }, { name = "AliyunOOSLifecycleHook4CSRole" policy_document = "{\"Statement\":[{\"Action\":\"sts:AssumeRole\",\"Effect\":\"Allow\",\"Principal\":{\"Service\":[\"oos.aliyuncs.com\"]}}],\"Version\":\"1\"}" description = "集群扩缩容节点池依赖OOS服务,OOS使用此角色来访问您在其他云产品中的资源。" policy_name = "AliyunOOSLifecycleHook4CSRolePolicy" } ] }执行如下命令,初始化Terraform运行环境。
terraform init返回信息如下:“Terraform初始化成功”。
Initializing the backend... Initializing provider plugins... ... Terraform has created a lock file .terraform.lock.hcl to record the providerselections it made above. Include this file in your version control repositoryso that Terraform can guarantee to make the same selections by default whenyou run "terraform init" in the future. Terraform has been successfully initialized! ...执行
terraform apply,为您的账号进行角色授权。返回信息如下,输入
yes,按Enter键,表示授权成功。..... Do you want to perform these actions? Terraform will perform the actions described above. Only 'yes' will be accepted to approve. Enter a value:执行如下命令,查看已存在的角色。
terraform show返回信息如下,列举出了账号授权的所有角色信息,表示角色授权已完成。
data "alicloud_ram_roles" "roles" { ... "names" = [ "AliyunCISDefaultRole", "AliyunCSClusterRole", "AliyunCSDefaultRole", ... ] ... }
服务角色
AliyunCSManagedLogRole
说明:ACK托管集群和ACK Serverless集群的日志组件使用该角色访问您在SLS服务中的资源。
授权代码:
{ "name": "AliyunCSManagedLogRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群的日志组件使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCSManagedLogRolePolicy" }
AliyunCSManagedCmsRole
说明:ACK托管集群和ACK Serverless集群的监控组件使用该角色访问您在CMS、SLS服务中的资源。
授权代码:
{ "name": "AliyunCSManagedCmsRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群的CMS组件使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCSManagedCmsRolePolicy" }
AliyunCSManagedCsiRole
说明:ACK托管集群和ACK Serverless集群的存储组件使用该角色访问您在ECS、NAS服务中的资源。
授权代码:
{ "name": "AliyunCSManagedCsiRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群的存储插件使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCSManagedCsiRolePolicy" }
AliyunCSManagedVKRole
说明:ACK Serverless集群的Virtual Node组件使用该角色访问您在ECS、VPC、ECI等服务中的资源。
授权代码:
{ "name": "AliyunCSManagedVKRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "ACK Serverless集群的VK组件使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCSManagedVKRolePolicy" }
AliyunCSServerlessKubernetesRole
说明:ACK Serverless集群使用该角色来访问您在ECS、VPC、SLB、PVTZ等服务中的资源。
授权代码:
{ "name": "AliyunCSServerlessKubernetesRole" "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "ACK Serverless集群默认使用此角色来访问您在其他云产品中的资源。" "policy_name": "AliyunCSServerlessKubernetesRolePolicy" }
AliyunCSKubernetesAuditRole
说明:ACK托管集群和ACK Serverless集群的审计功能使用该角色来访问您在SLS服务中的资源。
授权代码:
{ "name": "AliyunCSKubernetesAuditRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群的审计功能使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCSKubernetesAuditRolePolicy" }
AliyunCSManagedNetworkRole
说明:ACK托管集群和ACK Serverless集群的网络组件使用该角色访问您在ECS、VPC服务中的资源。
授权代码:
{ "name": "AliyunCSManagedNetworkRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群的网络组件使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCSManagedNetworkRolePolicy" }
AliyunCSDefaultRole
说明:ACK在集群管控操作中使用该角色访问您在ECS、VPC、SLB、ROS、ESS等服务中的资源。
授权代码:
{ "name": "AliyunCSDefaultRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群在集群操作时默认使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCSDefaultRolePolicy" }
AliyunCSManagedKubernetesRole
说明:ACK托管集群使用该角色访问您在ECS、VPC、SLB、ACR等服务中的资源。
授权代码:
{ "name": "AliyunCSManagedKubernetesRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群默认使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCSManagedKubernetesRolePolicy" }
AliyunCSManagedArmsRole
说明:ACK托管集群和ACK Serverless集群集群的应用实时监控组件使用该角色访问您在ARMS服务中的资源。
授权代码:
{ "name": "AliyunCSManagedArmsRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群的Arms插件使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCSManagedArmsRolePolicy" }
AliyunCSClusterRole
说明:容器服务(CS)在应用运行期使用此角色来访问您在其他云产品中的资源权限描述:用于容器服务(CS) Cluster 角色的权限策略。
授权代码:
{ "name": "AliyunCSClusterRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群在应用运行期使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCSClusterRolePolicy" }
可选角色
AliyunCISDefaultRole
说明:ACK容器智能运维将使用该角色访问您在ECS、VPC、SLB等服务中的资源,为您提供诊断和巡检等服务。
授权代码:
{ "name": "AliyunCISDefaultRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "ACK智能运维使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCISDefaultRolePolicy" }
AliyunCSManagedAcrRole
说明:ACK托管集群和ACK Serverless集群的镜像拉取免密插件使用该角色访问您在ACR容器镜像服务中的资源。
授权代码:
{ "name": "AliyunCSManagedAcrRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群的镜像拉取免密插件使用该角色访问您在ACR容器镜像服务中的资源。", "policy_name": "AliyunCSManagedAcrRolePolicy" }
AliyunCSManagedNlcRole
说明:ACK托管集群托管节点池控制组件使用该角色访问您的ECS和ACK节点池资源。
授权代码:
{ "name": "AliyunCSManagedNlcRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群托管节点池控制组件使用该角色访问您的ECS和ACK节点池资源。", "policy_name": "AliyunCSManagedNlcRolePolicy" }
AliyunCSManagedAutoScalerRole
说明:ACK托管集群和ACK Serverless集群的弹性伸缩组件使用该角色来访问您在ESS和ECS服务中的资源。
授权代码:
{ "name": "AliyunCSManagedAutoScalerRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群的弹性伸缩组件使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunCSManagedAutoScalerRolePolicy" }
AliyunCSManagedSecurityRole
说明:ACK托管集群和ACK Serverless集群的落盘加密插件使用该角色访问您在KMS服务中的资源。
授权代码:
{ "name": "AliyunCSManagedSecurityRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群的落盘加密插件使用该角色访问您在KMS服务中的资源。", "policy_name": "AliyunCSManagedSecurityRolePolicy" }
AliyunCSManagedCostRole
说明:ACK托管集群和ACK Serverless集群的成本分析组件使用该角色访问您在账单管理API、ECS和ECI服务中的资源。
授权代码:
{ "name": "AliyunCSManagedCostRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群的成本分析组件使用该角色访问您在账单管理API、ECS和ECI服务中的资源。", "policy_name": "AliyunCSManagedCostRolePolicy" }
AliyunCSManagedNimitzRole
说明:ACK灵骏集群的网络组件使用该角色访问您在智能计算灵骏服务中的资源。
授权代码:
{ "name": "AliyunCSManagedNimitzRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "ACK灵骏集群的网络组件使用该角色访问您在智能计算灵骏服务中的资源。", "policy_name": "AliyunCSManagedNimitzRolePolicy" }
AliyunCSManagedBackupRestoreRole
说明:ACK托管集群的备份中心组件使用该角色访问您在云备份(Cloud Backup)服务和OSS服务中的资源。
授权代码:
{ "name": "AliyunCSManagedBackupRestoreRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群的备份中心组件使用该角色访问您在云备份(Cloud Backup)服务和OSS服务中的资源。", "policy_name": "AliyunCSManagedBackupRestoreRolePolicy" }
AliyunCSManagedEdgeRole
说明:ACK Edge集群的管控组件使用该角色访问您在智能接入网关、VPC和云企业网CEN服务中的资源。
授权代码:
{ "name": "AliyunCSManagedEdgeRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["cs.aliyuncs.com"] } } ], "Version": "1" }, "description": "ACK Edge集群的管控组件使用该角色访问您在智能接入网关、VPC和云企业网CEN服务中的资源。", "policy_name": "AliyunCSManagedEdgeRolePolicy" }
AliyunOOSLifecycleHook4CSRole
说明:容器服务 Kubernetes 版扩缩容节点池依赖OOS服务,OOS使用此角色来访问您在其他云产品中的资源。
授权代码:
{ "name": "AliyunOOSLifecycleHook4CSRole", "policy_document": { "Statement": [ { "Action": "sts:AssumeRole", "Effect": "Allow", "Principal": { "Service": ["oos.aliyuncs.com"] } } ], "Version": "1" }, "description": "集群扩缩容节点池依赖OOS服务,OOS使用此角色来访问您在其他云产品中的资源。", "policy_name": "AliyunOOSLifecycleHook4CSRolePolicy" }