Customizing the RBAC permissions GitOps uses on associated clusters

  • Security management
  • Published 2025-04-18

The permissions that ACK One GitOps has on an associated cluster are governed by the RBAC rules in the system-created ClusterRole ack-mc:argocd-ackone-dev; these default permissions cannot be modified. If you need finer-grained control, for example restricting GitOps to creating and viewing Pods in an associated cluster, you can create a custom ClusterRole with the RBAC rules you want. This topic describes the default GitOps permissions and how to customize the permissions GitOps operates with.

Background

When an associated cluster is added to an ACK One Fleet instance, the system automatically creates the default ServiceAccount argocd-ackone-sa and the ClusterRole ack-mc:argocd-ackone-dev, and binds the ClusterRole to the ServiceAccount. The RBAC rules contained in ack-mc:argocd-ackone-dev are what control GitOps access to the associated cluster.

You can also customize the RBAC permissions of GitOps. To do so, create a custom ClusterRole or Role in the associated cluster and bind it to the default ServiceAccount argocd-ackone-sa with a ClusterRoleBinding or RoleBinding, which gives you fine-grained control over cluster resources.


Configure the RBAC permissions GitOps uses on the associated cluster

  1. Create a custom ClusterRole, using the following YAML as an example.

    Note
    • The ClusterRole name is chosen by you.

    • The rules entries (apiGroups, resources and verbs) must be adjusted to the actual scope of permissions you want to grant.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: <your ClusterRole name>
    rules:
      - apiGroups:
          - ""
        resources:
          - pods
          - configmaps
          - endpoints
        verbs:
          - create
          - delete
  2. Create a ClusterRoleBinding, using the following YAML as an example, that binds your custom ClusterRole to the system default ServiceAccount argocd-ackone-sa, granting argocd-ackone-sa the custom RBAC permissions.

    Note

    The ClusterRole name must be the name of the ClusterRole you created in the previous step.

    The ServiceAccount name must be argocd-ackone-sa; do not change it.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: <ClusterRoleBinding name>
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: <your ClusterRole name>
    subjects:
    - kind: ServiceAccount
      name: argocd-ackone-sa
      namespace: ack-multiple-clusters
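
Before applying the binding from step 2, it is worth checking what argocd-ackone-sa will actually be able to do once both the default ClusterRole and the custom one are bound to it. The following evaluator is an added example (not ACK One or Alibaba Cloud code) that reproduces the API server's RBAC rule matching locally; the custom role is the one from step 1 with a constructed placeholder name, and the default role is reduced to three of the rules listed in the next section.

```python
"""Local Kubernetes RBAC evaluator (added example, not ACK One code). It mirrors
the API server's PolicyRule matching for resource requests so the verbs a
ServiceAccount ends up with can be reviewed before a ClusterRoleBinding is
applied. Not modelled: resourceNames, nonResourceURLs and namespaced Roles."""

ALL_VERBS = ("create", "delete", "deletecollection", "get", "list", "patch", "update", "watch")

# Custom ClusterRole from step 1; "gitops-custom" is a constructed placeholder name.
CUSTOM_ROLE = {"name": "gitops-custom", "rules": [
    {"apiGroups": [""], "resources": ["pods", "configmaps", "endpoints"],
     "verbs": ["create", "delete"]}]}

# Three rules excerpted from the default ClusterRole ack-mc:argocd-ackone-dev.
DEFAULT_ROLE_EXCERPT = {"name": "ack-mc:argocd-ackone-dev", "rules": [
    {"apiGroups": [""], "resources": ["pods", "configmaps", "endpoints"],
     "verbs": list(ALL_VERBS)},
    {"apiGroups": [""], "resources": ["pods/log", "pods/status"],
     "verbs": ["get", "list", "watch", "patch", "update"]},
    {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"],
     "verbs": ["get", "list", "watch"]}]}

def _resource_matches(rule_resources, wanted):
    # "*" matches every resource, an exact entry matches itself, and "*/sub"
    # matches that subresource of any resource. A plain "pods" entry does NOT
    # grant "pods/log": subresources must be listed explicitly in the rule.
    sub = wanted.partition("/")[2]
    return any(r == "*" or r == wanted or (sub and r == "*/" + sub)
               for r in rule_resources)

def _rule_matches(rule, api_group, resource, verb):
    return (any(g in ("*", api_group) for g in rule["apiGroups"])
            and any(v in ("*", verb) for v in rule["verbs"])
            and _resource_matches(rule["resources"], resource))

def can_i(bound_roles, api_group, resource, verb):
    """True if ANY rule of ANY role bound to the subject matches. RBAC is
    additive and has no deny rules, so binding a second ClusterRole to
    argocd-ackone-sa can only widen what it may do, never narrow it."""
    return any(_rule_matches(rule, api_group, resource, verb)
               for role in bound_roles for rule in role["rules"])

def effective_verbs(bound_roles, api_group, resource):
    """Verbs the subject holds on one resource across all bound roles."""
    return [v for v in ALL_VERBS if can_i(bound_roles, api_group, resource, v)]

if __name__ == "__main__":
    bound = [DEFAULT_ROLE_EXCERPT, CUSTOM_ROLE]  # both bound to argocd-ackone-sa
    for grp, res in (("", "pods"), ("", "pods/log"), ("", "secrets")):
        print(f"{grp or 'core'} {res}: {effective_verbs(bound, grp, res) or 'no access'}")
```

Against a live associated cluster the same question is answered by `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:ack-multiple-clusters:argocd-ackone-sa`, which evaluates every binding the ServiceAccount actually has.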

Default GitOps permissions

The system-created ClusterRole ack-mc:argocd-ackone-dev contains the following RBAC rules:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: ack-mc:argocd-ackone-dev
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - namespaces
      - bindings
      - limitranges
      - resourcequotas
      - persistentvolumes
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - ""
    resources:
      - events
      - namespaces/status
      - replicationcontrollers/status
      - pods/status
      - pods/log
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
      - patch
      - update
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - metrics.k8s.io
    resources:
      - pods
    verbs:
      - get
      - watch
      - list
  - apiGroups:
      - networking.k8s.io
    resources:
      - '*'
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - storage.k8s.io
    resources:
      - storageclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - alicloud.com
    resources:
      - '*'
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - log.alibabacloud.com
    resources:
      - '*'
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - serving.knative.dev
    resources:
      - '*'
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - eventing.knative.dev
    resources:
      - '*'
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - messaging.knative.dev
    resources:
      - '*'
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - sources.eventing.knative.dev
    resources:
      - '*'
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - alert.alibabacloud.com
    resources:
      - '*'
    verbs:
      - get
      - list
      - create
      - watch
      - patch
      - update
      - delete
      - deletecollection
  - apiGroups:
      - alibabacloud.com
    resources:
      - externalsecrets
      - secretstores
    verbs:
      - '*'
  - apiGroups:
      - apps.kruise.io
      - policy.kruise.io
      - rollouts.kruise.io
    resources:
      - '*'
    verbs:
      - '*'
  - apiGroups:
      - argoproj.io
    resources:
      - analysisruns
      - analysistemplates
      - clusteranalysistemplates
      - experiments
      - rollouts
    verbs:
      - '*'
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - '*'
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - '*'