清理集群用户的权限 - 容器服务 Kubernetes 版 ACK

ack-ram-tool是容器服务 Kubernetes 版为辅助您管理集群RAM和RBAC权限提供的命令行工具。当用户离职或权限需要变更时，通过ack-ram-tool工具您可以及时清理集群中已删除用户的权限，避免安全风险。

步骤一：安装ack-ram-tool

根据指定环境的架构类型，下载ack-ram-tool客户端。
执行以下命令，授予客户端程序的执行权限。
```
chmod +x ./ack-ram-tool
```

执行以下命令，将ack-ram-tool文件拷贝至系统PATH指定目录。

mkdir -p $HOME/bin && cp ./ack-ram-tool $HOME/bin/ack-ram-tool && export PATH=$HOME/bin:$PATH

（可选）执行以下命令，持久化$HOME/bin中的PATH配置。
```
echo 'export PATH=$HOME/bin:$PATH' >> ~/.bash_profile
```
执行以下命令，查看是否能够返回客户端组件对应的版本，以验证ack-ram-tool客户端组件是否安装成功。
```
ack-ram-tool version
```

步骤二：配置阿里云凭据

阿里云RAM用户和SSO用户可通过以下方式配置获取云资源的访问凭据。

说明

如果当前环境中存在访问凭据相关的环境变量，ack-ram-tool将优先使用环境变量中配置的访问凭据。您可以通过在执行ack-ram-tool命令时增加参数--ignore-env-credentials的方式忽略这些环境变量。关于ack-ram-tool支持的凭据相关环境变量，请参见Credentials。

RAM用户

ack-ram-tool客户端依赖本地配置的阿里云密钥凭据访问RAM进行身份认证。

关于配置资源访问凭证的具体操作，请参见阿里云CLI。

SSO用户

对于阿里云云SSO的用户，可以通过使用云SSO服务提供的CLI工具acs-sso完成登录，并获取云资源访问凭据。关于acs-sso更多信息，请参见使用CLI登录云SSO并访问阿里云资源。阿里云CLI工具中支持external模式，可实现通过执行外部命令行工具的方式动态获取资源凭据。通过执行如下命令，在本地完成云SSO登录和凭据的自动化配置。

aliyun configure --mode External --profile sso

Configuring profile 'sso' in 'External' authenticate mode...
Process Command [acs-sso login --profile sso]:
Default Region Id [cn-shanghai]:
Default Output Format [json]: json (Only support json)
Default Language [zh|en] en:
Saving profile[sso] ...Done.


Configure Done!!!
..............888888888888888888888 ........=8888888888888888888D=..............
...........88888888888888888888888 ..........D8888888888888888888888I...........
.........,8888888888888ZI: ...........................=Z88D8888888888D..........
.........+88888888 ..........................................88888888D..........
.........+88888888 .......Welcome to use Alibaba Cloud.......O8888888D..........
.........+88888888 ............. ************* ..............O8888888D..........
.........+88888888 .... Command Line Interface(Reloaded) ....O8888888D..........
.........+88888888...........................................88888888D..........
..........D888888888888DO+. ..........................?ND888888888888D..........
...........O8888888888888888888888...........D8888888888888888888888=...........
............ .:D8888888888888888888.........78888888888888888888O ..............

步骤三：配置ack-ram-tool访问凭据所需的权限

ack-ram-tool使用的访问凭据需要拥有RAM权限和集群的RBAC权限。

为RAM用户授予如下权限。具体操作，请参见为RAM用户授权。

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:ListUsers",
        "ram:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}

为RAM用户授予集群的RBAC管理员权限。
1. 登录容器服务管理控制台，在左侧导航栏选择授权管理。
2. 在授权管理页面，单击RAM 用户页签，找到待添加的RAM用户，单击右侧的管理权限，进入权限管理页面。
3. 单击添加权限，选择集群和命名空间，选择权限管理为管理员的权限，然后单击提交授权。

步骤四：查询集群内指定RAM用户的RBAC Binding

您可以通过ack-ram-tool rbac scan-user-permissions命令，查询目标集群内指定RAM用户的RBAC Binding信息。

仅查询已删除的RAM用户和角色的RBAC Binding

执行以下命令，查看集群内已删除的RAM用户和角色的RBAC Binding信息。

ack-ram-tool rbac scan-user-permissions -c <集群ID>

预期输出：

2023-12-12T15:34:37+08:00 INFO start to scan users and bindings for cluster c401890df511a4362bf24bece4da****
2023-12-12T15:34:43+08:00 WARN by default, only deleted users are included. Use the --all-users flag to include all users
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding

UserType的参数说明如下：

UserType的值	说明
RamRole	RAM角色
RamUser	RAM用户
Root	阿里云账号（主账号）

查询所有RAM用户和角色的RBAC Binding

执行以下命令，查看所有RAM用户和角色的RBAC Binding信息。

ack-ram-tool rbac scan-user-permissions --all-users -c <集群ID>

预期输出：

2023-12-12T15:36:00+08:00 INFO Start to scan users and bindings for cluster c401890df511a4362bf24bece4da6****
UID                           UserType  UserName                   Binding                                                                
30032484611590**** (deleted)  RamRole                              ClusterRoleBinding/-/30032484611590****-clusterrolebinding              
20492499986425**** (deleted)  RamUser                              ClusterRoleBinding/-/20492499986425****-clusterrolebinding              
27203272572548****            RamUser   scan                       ClusterRoleBinding/-/27203272572548****-clusterrolebinding        
113802571552****              Root                                 ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding  
29068913515444****            RamUser   test-ack-ram-check         ClusterRoleBinding/-/29068913515444****-clusterrolebinding

查询当前阿里云账号下所有集群的RBAC Binding

执行以下命令，查看当前阿里云账号下所有集群的RBAC Binding信息。

ack-ram-tool rbac scan-user-permissions -c all

预期输出：

2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T16:44:55+08:00 INFO start to get all clusters, users and roles
2023-12-12T16:44:58+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T16:44:58+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan bindings for cluster c401890df511a4362bf24bece4da6****
2023-12-12T16:45:00+08:00 WARN [c401890df511a4362bf24bece4da6****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c401890df511a4362bf24bece4da6****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
20492499986425**** (deleted)  RamUser             ClusterRoleBinding/-/20492499986425****-clusterrolebinding  
2023-12-12T16:45:00+08:00 INFO ---- c137a979dec21472c8279c903cfc**** (test-pro) ----
2023-12-12T16:45:00+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan bindings for cluster c137a979dec21472c8279c903cfce****
2023-12-12T16:45:01+08:00 WARN [c137a979dec21472c8279c903cfce****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c137a979dec21472c8279c903cfce****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding

步骤五：清理集群内指定RAM用户或RAM角色的RBAC Binding并清除KubeConfig权限

您可以通过ack-ram-tool rbac cleanup-user-permissions命令，清理目标集群内指定RAM用户或RAM角色的RBAC Binding以及清除该用户的KubeConfig。

重要

当日志中出现this user has been active in the past 7 days时，表明目标RAM用户或RAM角色最近7天内有集群访问记录，请谨慎操作。
执行清理操作前，ack-ram-tool工具会在当前目录下以集群ID命名的文件夹中备份待删除的Binding原始JSON文件。

清理RAM用户或RAM角色在单个集群中的权限

执行以下命令，清理指定RAM用户或RAM角色在单个集群中的权限。

以下命令行中的<UID>，您可以通过ack-ram-tool rbac scan-user-permissions -c <集群ID>命令获取。

ack-ram-tool rbac cleanup-user-permissions -c <集群ID> -u <UID>

预期输出：

展开查看预期输出

2023-12-12T18:17:10+08:00 INFO start to scan users and bindings
2023-12-12T18:17:15+08:00 WARN we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T18:17:15+08:00 WARN we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T18:17:15+08:00 INFO start to check cluster audit log for user 25908395708943****
2023-12-12T18:17:16+08:00 WARN this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76e****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T18:17:37+08:00 INFO start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:38+08:00 INFO the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T18:17:38+08:00 INFO start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO all bindings and permissions have been cleaned up

清理RAM用户或RAM角色在所有集群中的权限

执行以下命令，清理指定RAM用户或角色在当前阿里云账号下所有集群中的RBAC Binding，并清除其KubeConfig。

ack-ram-tool rbac cleanup-user-permissions -c all -u <UID>

预期输出：

展开查看预期输出

2023-12-12T19:28:23+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T19:28:23+08:00 INFO start to get all clusters, users and roles
2023-12-12T19:28:24+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up bindings and permissions for cluster c401890df511a4362bf24bece4da6**** 
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan users and bindings
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up kubeconfig permissions for users as follows:
UID: 259083957089437690
2023-12-12T19:28:25+08:00 INFO [c401890df511a4362bf24bece4da6****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c401890df511a4362bf24bece4da****  
sls logstore: audit-c401890df511a4362bf24bece4da6**** 
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to backup binding ClusterRoleBinding/-/25908395708943**** -clusterrolebinding
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c401890df511a4362bf24bece4da6**** /ClusterRoleBinding--259083957089437XXX-clusterrolebinding.json
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] all bindings and permissions have been cleaned up
2023-12-12T19:28:49+08:00 INFO ---- c137a979dec21472c8279c903cfce****  (test-pro) ----
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up bindings and permissions for cluster c137a979dec21472c8279c903cfce**** 
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan users and bindings
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****   RamUser   ack-admin  ClusterRoleBinding/-/25908395708943**** -clusterrolebinding  
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943**** 
2023-12-12T19:28:51+08:00 INFO [c137a979dec21472c8279c903cfce****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T17:55:50+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce**** 
sls logstore: audit-c137a979dec21472c8279c903cfce**** 
last activity: 2023-12-12T17:55:50+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce**** /ClusterRoleBinding--25908395708943**** -clusterrolebinding.json
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] all bindings and permissions have been cleaned up

容器服务 Kubernetes 版 ACK：通过ack-ram-tool清理集群中指定用户的权限

步骤一：安装ack-ram-tool

步骤二：配置阿里云凭据

RAM用户

SSO用户

步骤三：配置ack-ram-tool访问凭据所需的权限

步骤四：查询集群内指定RAM用户的RBAC Binding

仅查询已删除的RAM用户和角色的RBAC Binding

查询所有RAM用户和角色的RBAC Binding

查询当前阿里云账号下所有集群的RBAC Binding

步骤五：清理集群内指定RAM用户或RAM角色的RBAC Binding并清除KubeConfig权限

清理RAM用户或RAM角色在单个集群中的权限

清理RAM用户或RAM角色在所有集群中的权限

相关文档