IAM 授权最佳实践
最近更新时间:2024.04.30 18:14:16;首次发布时间:2024.03.06 16:40:09

容器服务的用户授权包括 IAM (Identity and Access Management,基于身份的权限控制)授权和 RBAC (Role-Based Access Control ,基于角色的权限控制)授权。本文介绍针对 IAM 用户的授权最佳实践。

前提条件

已创建 IAM 用户。详细操作,请参见 用户管理

场景一:为 IAM 用户授权指定的集群

场景介绍

为某个 IAM 用户(User)授予指定集群的访问和操作权限,即该 User 只能在指定的 VKE 集群里进行相关资源的增、删、查、改操作。

操作步骤

  1. 使用火山引擎账号(Account)或具有相关权限的 IAM 用户登录 IAM 控制台
  2. 左侧导航栏选择 策略管理,单击 系统预设策略,搜索 VKEReadOnlyAccess
  3. 单击 VKEReadOnlyAccess,进入策略详情页面,选择 语法 页签,复制 VKEReadOnlyAccess 策略语法到本地。
  4. 按如下说明修改复制到本地的 VKEReadOnlyAccess 策略语法,并保存为新的自定义策略,例如 Access-Cluster-A
    1. 将 VKE 相关 Action 中的内容替换为 `vke:*`,Resource 中的内容替换为需要约束的资源。

      {
          "Effect": "Allow",
          "Action": [
              "vke:*"
          ],
          "Resource": [
              "trn:vke:{Region_ID}:{Account_ID}:cluster/{Cluster_ID}",
              "trn:iam:{Account_ID}:project/*",
              "trn:vpc:{Region_ID}:{Account_ID}:securitygroup/*",
              "trn:vpc:{Region_ID}:{Account_ID}:subnet/*"
          ]
      }
      

      其中变量说明如下:

      • {Region_ID}:替换为目标 VKE 集群所在地域的 ID,例如 cn-shanghai
      • {Account_ID}:替换为您火山引擎账号(主账号)ID,例如 210001****
      • {Cluster_ID}:替换为目标 VKE 集群的 ID,例如 ccm0i61o93a9te2k8****

      完整示例如下:

      {
          "Effect": "Allow",
          "Action": [
              "vke:*"
          ],
          "Resource": [
              "trn:vke:cn-shanghai:210001****:cluster/ccm0i61o93a9te2k8****",
              "trn:iam::210001****:project/*",
              "trn:vpc:cn-shanghai:210001****:securitygroup/*",
              "trn:vpc:cn-shanghai:210001****:subnet/*"
          ]
      }
      
    2. 增加如下弹性块存储相关 Action 和 Resource。

      {
          "Effect": "Allow",
          "Action": [
              "storage_ebs:Describe*",
              "storage_ebs:CalculatePrice"
          ],
          "Resource": [
              "*"
          ]
      }
      
  5. 新建自定义策略 Access-Cluster-A。详细操作,请参见 新建策略
  6. 为 IAM 用户授权 Access-Cluster-A 策略。详细操作,请参见 管理用户

场景二:创建全局权限的自定义策略并授权

场景介绍

VKE 中部分操作(Action)和资源(Resource)没有按照项目(Project)划分。若需要将该类操作和资源授权给 IAM 用户,需要以全局权限的形式授予。

容器服务相关的 Action 和 Resource 说明,请参见 用户自定义策略

操作步骤

  1. 使用火山引擎账号(Account)或具有相关权限的 IAM 用户登录 IAM 控制台
  2. 新建自定义策略,例如名称为 vke-global。策略的 JSON 内容如下所示。VKE 依赖的云服务资源访问权限,请参见 VKE 服务关联角色说明
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "vke:ListKubernetesObservability",
            "vke:ListScalingPolicies",
            "vke:UpdateLogCollectRule",
            "vke:DeleteLogCollectRule",
            "vke:ListApplicationInspectionItems",
            "vke:GetApplicationInspectionStatus",
            "vke:ListApplicationInspectionReports",
            "vke:ListClusterNetworkCidrs",
            "vke:ListKubeconfigUsers",
            "vke:ReinstallAddon",
            "vke:GetApplicationInspection",
            "vke:GetLogCollectRule",
            "vke:ListKeyPairs",
            "vke:ListSecurityGroups",
            "vke:CheckCidrConflict",
            "vke:ListInstances",
            "vke:ListZones",
            "vke:SetApplicationInspection",
            "vke:ListWorkloadEvents",
            "vke:GetApplicationInspectionItem",
            "vke:CreateLogCollectRule",
            "vke:ListNodePoolNodes",
            "vke:SetApplicationCronInspection",
            "vke:GetQuota",
            "vke:GetInstanceConsole",
            "vke:RollbackRelease",
            "vke:ListSubnets",
            "vke:ListFlavors",
            "vke:InstallAddons",
            "vke:ListElasticIPPools",
            "vke:StartApplicationInspection",
            "vke:RecommendCidr",
            "vke:AddNodes",
            "vke:UninstallAddons",
            "vke:GetApplicationCronInspection",
            "vke:ListVolumes",
            "vke:ListClbs",
            "vke:UpdateClusterNode",
            "vke:ListClusterNodeLabel",
            "vke:GetDeployment",
            "vke:DeleteDeployment",
            "vke:UpdateDeployment",
            "vke:ListWorkloadPods",
            "vke:ListPods",
            "vke:ListVpcs",
            "vke:GetNodePool",
            "vke:ListNodePoolScalingRecords",
            "vke:ListNodePool",
            "vke:ListNodePoolNode",
            "vke:UpdateNodePool",
            "vke:UpdateNodePoolCount",
            "vke:GetListeners",
            "vke:InnerReconcileVCIQuotaUsage",
            "vke:InnerSyncVCIQuota",
            "vke:GetEventTopic",
            "vke:ListLogTopics",
            "vke:ListLogProjects",
            "vke:GetLogTopicID",
            "vke:GetLogProjectID",
            "vke:UpdateNodePoolForCA",
            "vke:IsAffectedByVci",
            "vke:ListCertificates",
            "vke:ListNodeZones",
            "vke:ListAllNodePoolNodes",
            "vke:AddVciSubnets",
            "vke:ListVciAvailabilityZones",
            "vke:UpdateNode",
            "vke:ScaleDownNodePool",
            "vke:ScaleUpNodePool",
            "vke:UpdateClusterAutoScalingRule",
            "vke:GetClusterAutoScalingRule",
            "vke:ListNodeLabels",
            "vke:ListClbListeners",
            "vke:GetNode",
            "vke:ListLogCollectRules",
            "vke:IsInShortTermWhiteList",
            "vke:ListSupportedGpuModels",
            "vke:ListSupportedKubernetesVersions",
            "vke:ListQuotas",
            "vke:ListIngressInstances",
            "vke:DeletePod",
            "vke:GetClusterOverview",
            "vke:GetResourceYaml",
            "vke:GetAddon",
            "vke:CreateResourceByYaml",
            "vke:UpdateResourceByYaml",
            "vke:GetClusterNode",
            "vke:CreateStorageClass",
            "vke:ListCronJobs",
            "vke:ListWorkloadHistories",
            "vke:ListClusterNodePod",
            "vke:DeleteClusterNode",
            "vke:PatchCronJobSuspend",
            "vke:CheckAddonInstall",
            "vke:DeleteService",
            "vke:GetCronJob",
            "vke:ListJobsFromCronJob",
            "vke:CreateService",
            "vke:ListServices",
            "vke:ListWorkloadServices",
            "vke:DeleteCronJob",
            "vke:UpdateCronJob",
            "vke:GetService",
            "vke:UpdateService",
            "vke:DeleteConfigMap",
            "vke:CreateCronJob",
            "vke:DeleteSecret",
            "vke:CreateSecret",
            "vke:ListConfigMaps",
            "vke:CreateJob",
            "vke:ListDeployments",
            "vke:GetJob",
            "vke:ListSecrets",
            "vke:CreateConfigMap",
            "vke:UpdateSecret",
            "vke:PatchWorkloadParallelism",
            "vke:PatchWorkloadImage",
            "vke:CreateDeployment",
            "vke:GetConfigMap",
            "vke:GetSecret",
            "vke:PatchWorkloadReplicas",
            "vke:UpdateJob",
            "vke:GetDaemonSet",
            "vke:ListJobs",
            "vke:RollbackWorkload",
            "vke:UpdateConfigMap",
            "vke:RestartWorkload",
            "vke:GetTerminal",
            "vke:ListDaemonSets",
            "vke:UpdateStatefulSet",
            "vke:GetStatefulSet",
            "vke:GetNamespaceResource",
            "vke:ListCluster",
            "vke:CheckResourceExist",
            "vke:UpdateDaemonSet",
            "vke:DeleteStatefulSet",
            "vke:DeleteUserRbac",
            "vke:GetContainerLogs",
            "vke:CreateDaemonSet",
            "vke:CreateNamespace",
            "vke:UpdateNamespaceResource",
            "vke:CreateUserRbac",
            "vke:UpdateUserRbac",
            "vke:DeleteJob",
            "vke:ListNamespace",
            "vke:ListStatefulSets",
            "vke:DeleteNamespace",
            "vke:DeleteDaemonSet",
            "vke:CreateStatefulSet",
            "vke:ListClusterNode",
            "vke:UpdateCluster",
            "vke:GetCluster",
            "vke:CreateIngress",
            "vke:GetNamespace",
            "vke:UpdateIngress",
            "vke:ListIngress",
            "vke:ListEvent",
            "vke:ListPersistentVolume",
            "vke:AddClusterNode",
            "vke:ListUserRbacs",
            "vke:DeleteIngress",
            "vke:ListClusterNetworkCidr",
            "vke:GetIngress",
            "vke:ListClusterKubernetesVersion",
            "vke:UpdateNamespace",
            "vke:ListStorageClass",
            "vke:GetKubeConfig",
            "vke:GetPersistentVolumeClaim",
            "vke:DeleteHorizontalPodAutoscaler",
            "vke:DeletePersistentVolumeClaim",
            "vke:CreatePersistentVolumeClaim",
            "vke:ListObjectEvents",
            "vke:GetClusterDeployProgress",
            "vke:UninstallAddon",
            "vke:ListHorizontalPodAutoscalers",
            "vke:GetHorizontalPodAutoscaler",
            "vke:UpdateHorizontalPodAutoscaler",
            "vke:CreatePersistentVolume",
            "vke:DeleteStorageClass",
            "vke:NodePoolScaleDown",
            "vke:UpgradeAddon",
            "vke:NodePoolScaleUp",
            "vke:InstallAddon",
            "vke:CreateHorizontalPodAutoscaler",
            "vke:UpdateAutoScalingRule",
            "vke:GetPersistentVolume",
            "vke:GetStorageClass",
            "vke:DeletePersistentVolume",
            "vke:ListPersistentVolumeClaim",
            "vke:ListCustomRoles",
            "vke:StartNodeScan",
            "vke:GetResource",
            "vke:ListAPIGroups",
            "vke:ListBenchmarks",
            "vke:GetAPIGroup",
            "vke:CreateRelease",
            "vke:ListCharts",
            "vke:GetCheckItem",
            "vke:ListKubeConfig",
            "vke:DeleteCRD",
            "vke:GetPod",
            "vke:ListWorkloadHorizontalPodAutoscalers",
            "vke:RevokeKubeConfig",
            "vke:ListResources",
            "vke:GetChart",
            "vke:DeleteResource",
            "vke:ListNodeReports",
            "vke:ListCheckItems",
            "vke:GetCronScan",
            "vke:StartScan",
            "vke:UpdateCronScan",
            "vke:ListCRDs",
            "vke:UpdateRelease",
            "vke:ListChartCategories",
            "vke:UpdateCronHorizontalPodAutoscaler",
            "vke:GetRelease",
            "vke:ListCronHorizontalPodAutoscalers",
            "vke:DeleteCronHorizontalPodAutoscaler",
            "vke:CreateCronHorizontalPodAutoscaler",
            "vke:ListReleases",
            "vke:DeleteRelease",
            "vke:GetSecretDomains",
            "vke:ListSupportedResourceTypes",
            "vke:ListKubeconfigs",
            "vke:ListNodePools",
            "vke:ListNodes",
            "vke:ListSupportedAddons",
            "vke:ListAddons",
            "vke:TagResources",
            "vke:UntagResources",
            "vke:ListTagsForResource",
            "vke:ListImageCaches",
            "vke:ListResourcePackageSpecs",
            "vke:CreateResourcePackages",
            "vke:ListBatchSuiteStatus",
            "vke:ListAiSuiteStatus",
            "vke:UpdateAiSuiteStatus",
            "vmp:DeleteAlertingRuleGroup",
            "vmp:CreateAlertingRuleGroup",
            "vmp:UpdateAlertingRuleGroup",
            "vmp:ListWorkspaces",
            "vmp:ListAlertingRuleGroups",
            "vmp:ListWorkspaceInstanceTypes",
            "vmp:ListAlertingRules",
            "vmp:ListAlertingRuleTemplates",
            "vmp:ListNotifyGroupPolicies",
            "vmp:ListNotifyPolicies",
            "vmp:ListDashboards",
            "vmp:ListDatasources",
            "alb:DescribeRules",
            "ecs:DescribeTags",
            "clb:DescribeLoadBalancerAttributes",
            "tls:DescribeProjects",
            "vpc:ListTagsForResources"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    
  3. 为已创建的 vke-global 策略添加授权。
  4. 选择目标 IAM 用户,添加 vke-global 策略的全局权限。

场景三:创建项目范围使用的自定义权限并授权

场景介绍

VKE 中部分操作(Action)和资源(Resource)是按照项目(Project)划分的,可满足项目粒度的权限控制需求。若需要将该类操作和资源授权给 IAM 用户,需要以项目权限的形式授予。

注意

VKE 中有一部分 Action 和 Resource 是无法按照项目划分,因此为 IAM 用户授予项目权限的同时,还需要将无法按照项目划分的 Action 和 Resource,以全局权限的形式授予给该 IAM 用户。否则该 IAM 用户可能无法正常操作和使用容器服务资源。

容器服务相关的 Action 和 Resource 说明,请参见 用户自定义策略

操作步骤

  1. 使用火山引擎账号或具有相关权限的 IAM 用户登录 IAM 控制台
  2. 新建自定义策略,例如名称为 vke-project。策略的 JSON 内容示例如下所示,请按需自行增删具体的 Action 或 Resource。VKE 依赖的云服务资源访问权限,请参见 VKE 服务关联角色说明
    {
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "vke:CreateCluster",
            "vke:ListClusters",
            "vke:UpdateClusterConfig",
            "vke:DeleteCluster",
            "vke:CreateKubeconfig",
            "vke:DeleteKubeconfigs",
            "vke:CreateNodePool",
            "vke:CreateDefaultNodePool",
            "vke:UpdateNodePoolConfig",
            "vke:DeleteNodePool",
            "vke:CreateNodes",
            "vke:DeleteNodes",
            "vke:CreateAddon",
            "vke:UpdateAddonConfig",
            "vke:UpdateAddonVersion",
            "vke:DeleteAddon",
            "vke:ForwardKubernetesApi",
            "alb:DescribeLoadBalancers",
            "clb:DescribeLoadBalancers",
            "FileNAS:DescribeFileSystems",
            "storage_ebs:DescribeVolumes",
            "FileNAS:DescribeMountPoints",
            "tls:DescribeTopics",
            "tls:DescribeProject",
            "tls:DescribeTopic",
            "vpc:DescribeSubnets",
            "vpc:DescribeSecurityGroups",
            "vpc:DescribeVpcs",
            "vpc:DescribeBandwidthPackages",
            "clb:DescribeListeners",
            "alb:DescribeListeners",
            "natgateway:DescribeNatGateways",
            "ecs:DescribeImages",
            "ecs:DescribeKeyPairs",
            "ecs:DescribeInstances",
            "alb:DescribeCertificates",
            "clb:DescribeCertificates",
            "vke:CreateScalingPolicy",
            "vke:UpdateScalingPolicy",
            "vke:DeleteScalingPolicies"
          ],
          "Resource": [
            "*"
          ]
        }
      ]
    }
    
  3. 为已创建的 vke-project 策略添加授权。
  4. 选择目标 IAM 用户,添加 vke-project 策略的项目权限。
  5. 为无法按照项目划分的 Action 和 Resource 新建自定义策略并授权给目标 IAM 用户。
    1. 例如名称为 vke-global。策略的 JSON 内容示例如下所示,请按需自行增删具体的 Action 或 Resource。VKE 依赖的云服务资源访问权限,请参见 VKE 服务关联角色说明

      说明

      如果您已为无法按照项目划分的 Action 和 Resource 创建了自定义策略,则直接将策略授权给 IAM 用户即可,无需重复创建。

      {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "vke:ListKubernetesObservability",
              "vke:ListScalingPolicies",
              "vke:UpdateLogCollectRule",
              "vke:DeleteLogCollectRule",
              "vke:ListApplicationInspectionItems",
              "vke:GetApplicationInspectionStatus",
              "vke:ListApplicationInspectionReports",
              "vke:ListClusterNetworkCidrs",
              "vke:ListKubeconfigUsers",
              "vke:ReinstallAddon",
              "vke:GetApplicationInspection",
              "vke:GetLogCollectRule",
              "vke:ListKeyPairs",
              "vke:ListSecurityGroups",
              "vke:CheckCidrConflict",
              "vke:ListInstances",
              "vke:ListZones",
              "vke:SetApplicationInspection",
              "vke:ListWorkloadEvents",
              "vke:GetApplicationInspectionItem",
              "vke:CreateLogCollectRule",
              "vke:ListNodePoolNodes",
              "vke:SetApplicationCronInspection",
              "vke:GetQuota",
              "vke:GetInstanceConsole",
              "vke:RollbackRelease",
              "vke:ListSubnets",
              "vke:ListFlavors",
              "vke:InstallAddons",
              "vke:ListElasticIPPools",
              "vke:StartApplicationInspection",
              "vke:RecommendCidr",
              "vke:AddNodes",
              "vke:UninstallAddons",
              "vke:GetApplicationCronInspection",
              "vke:ListVolumes",
              "vke:ListClbs",
              "vke:UpdateClusterNode",
              "vke:ListClusterNodeLabel",
              "vke:GetDeployment",
              "vke:DeleteDeployment",
              "vke:UpdateDeployment",
              "vke:ListWorkloadPods",
              "vke:ListPods",
              "vke:ListVpcs",
              "vke:GetNodePool",
              "vke:ListNodePoolScalingRecords",
              "vke:ListNodePool",
              "vke:ListNodePoolNode",
              "vke:UpdateNodePool",
              "vke:UpdateNodePoolCount",
              "vke:GetListeners",
              "vke:InnerReconcileVCIQuotaUsage",
              "vke:InnerSyncVCIQuota",
              "vke:GetEventTopic",
              "vke:ListLogTopics",
              "vke:ListLogProjects",
              "vke:GetLogTopicID",
              "vke:GetLogProjectID",
              "vke:UpdateNodePoolForCA",
              "vke:IsAffectedByVci",
              "vke:ListCertificates",
              "vke:ListNodeZones",
              "vke:ListAllNodePoolNodes",
              "vke:AddVciSubnets",
              "vke:ListVciAvailabilityZones",
              "vke:UpdateNode",
              "vke:ScaleDownNodePool",
              "vke:ScaleUpNodePool",
              "vke:UpdateClusterAutoScalingRule",
              "vke:GetClusterAutoScalingRule",
              "vke:ListNodeLabels",
              "vke:ListClbListeners",
              "vke:GetNode",
              "vke:ListLogCollectRules",
              "vke:IsInShortTermWhiteList",
              "vke:ListSupportedGpuModels",
              "vke:ListSupportedKubernetesVersions",
              "vke:ListQuotas",
              "vke:ListIngressInstances",
              "vke:DeletePod",
              "vke:GetClusterOverview",
              "vke:GetResourceYaml",
              "vke:GetAddon",
              "vke:CreateResourceByYaml",
              "vke:UpdateResourceByYaml",
              "vke:GetClusterNode",
              "vke:CreateStorageClass",
              "vke:ListCronJobs",
              "vke:ListWorkloadHistories",
              "vke:ListClusterNodePod",
              "vke:DeleteClusterNode",
              "vke:PatchCronJobSuspend",
              "vke:CheckAddonInstall",
              "vke:DeleteService",
              "vke:GetCronJob",
              "vke:ListJobsFromCronJob",
              "vke:CreateService",
              "vke:ListServices",
              "vke:ListWorkloadServices",
              "vke:DeleteCronJob",
              "vke:UpdateCronJob",
              "vke:GetService",
              "vke:UpdateService",
              "vke:DeleteConfigMap",
              "vke:CreateCronJob",
              "vke:DeleteSecret",
              "vke:CreateSecret",
              "vke:ListConfigMaps",
              "vke:CreateJob",
              "vke:ListDeployments",
              "vke:GetJob",
              "vke:ListSecrets",
              "vke:CreateConfigMap",
              "vke:UpdateSecret",
              "vke:PatchWorkloadParallelism",
              "vke:PatchWorkloadImage",
              "vke:CreateDeployment",
              "vke:GetConfigMap",
              "vke:GetSecret",
              "vke:PatchWorkloadReplicas",
              "vke:UpdateJob",
              "vke:GetDaemonSet",
              "vke:ListJobs",
              "vke:RollbackWorkload",
              "vke:UpdateConfigMap",
              "vke:RestartWorkload",
              "vke:GetTerminal",
              "vke:ListDaemonSets",
              "vke:UpdateStatefulSet",
              "vke:GetStatefulSet",
              "vke:GetNamespaceResource",
              "vke:ListCluster",
              "vke:CheckResourceExist",
              "vke:UpdateDaemonSet",
              "vke:DeleteStatefulSet",
              "vke:DeleteUserRbac",
              "vke:GetContainerLogs",
              "vke:CreateDaemonSet",
              "vke:CreateNamespace",
              "vke:UpdateNamespaceResource",
              "vke:CreateUserRbac",
              "vke:UpdateUserRbac",
              "vke:DeleteJob",
              "vke:ListNamespace",
              "vke:ListStatefulSets",
              "vke:DeleteNamespace",
              "vke:DeleteDaemonSet",
              "vke:CreateStatefulSet",
              "vke:ListClusterNode",
              "vke:UpdateCluster",
              "vke:GetCluster",
              "vke:CreateIngress",
              "vke:GetNamespace",
              "vke:UpdateIngress",
              "vke:ListIngress",
              "vke:ListEvent",
              "vke:ListPersistentVolume",
              "vke:AddClusterNode",
              "vke:ListUserRbacs",
              "vke:DeleteIngress",
              "vke:ListClusterNetworkCidr",
              "vke:GetIngress",
              "vke:ListClusterKubernetesVersion",
              "vke:UpdateNamespace",
              "vke:ListStorageClass",
              "vke:GetKubeConfig",
              "vke:GetPersistentVolumeClaim",
              "vke:DeleteHorizontalPodAutoscaler",
              "vke:DeletePersistentVolumeClaim",
              "vke:CreatePersistentVolumeClaim",
              "vke:ListObjectEvents",
              "vke:GetClusterDeployProgress",
              "vke:UninstallAddon",
              "vke:ListHorizontalPodAutoscalers",
              "vke:GetHorizontalPodAutoscaler",
              "vke:UpdateHorizontalPodAutoscaler",
              "vke:CreatePersistentVolume",
              "vke:DeleteStorageClass",
              "vke:NodePoolScaleDown",
              "vke:UpgradeAddon",
              "vke:NodePoolScaleUp",
              "vke:InstallAddon",
              "vke:CreateHorizontalPodAutoscaler",
              "vke:UpdateAutoScalingRule",
              "vke:GetPersistentVolume",
              "vke:GetStorageClass",
              "vke:DeletePersistentVolume",
              "vke:ListPersistentVolumeClaim",
              "vke:ListCustomRoles",
              "vke:StartNodeScan",
              "vke:GetResource",
              "vke:ListAPIGroups",
              "vke:ListBenchmarks",
              "vke:GetAPIGroup",
              "vke:CreateRelease",
              "vke:ListCharts",
              "vke:GetCheckItem",
              "vke:ListKubeConfig",
              "vke:DeleteCRD",
              "vke:GetPod",
              "vke:ListWorkloadHorizontalPodAutoscalers",
              "vke:RevokeKubeConfig",
              "vke:ListResources",
              "vke:GetChart",
              "vke:DeleteResource",
              "vke:ListNodeReports",
              "vke:ListCheckItems",
              "vke:GetCronScan",
              "vke:StartScan",
              "vke:UpdateCronScan",
              "vke:ListCRDs",
              "vke:UpdateRelease",
              "vke:ListChartCategories",
              "vke:UpdateCronHorizontalPodAutoscaler",
              "vke:GetRelease",
              "vke:ListCronHorizontalPodAutoscalers",
              "vke:DeleteCronHorizontalPodAutoscaler",
              "vke:CreateCronHorizontalPodAutoscaler",
              "vke:ListReleases",
              "vke:DeleteRelease",
              "vke:GetSecretDomains",
              "vke:ListSupportedResourceTypes",
              "vke:ListKubeconfigs",
              "vke:ListNodePools",
              "vke:ListNodes",
              "vke:ListSupportedAddons",
              "vke:ListAddons",
              "vke:TagResources",
              "vke:UntagResources",
              "vke:ListTagsForResource",
              "vke:ListImageCaches",
              "vke:ListResourcePackageSpecs",
              "vke:CreateResourcePackages",
              "vke:ListBatchSuiteStatus",
              "vke:ListAiSuiteStatus",
              "vke:UpdateAiSuiteStatus",
              "vmp:DeleteAlertingRuleGroup",
              "vmp:CreateAlertingRuleGroup",
              "vmp:UpdateAlertingRuleGroup",
              "vmp:ListWorkspaces",
              "vmp:ListAlertingRuleGroups",
              "vmp:ListWorkspaceInstanceTypes",
              "vmp:ListAlertingRules",
              "vmp:ListAlertingRuleTemplates",
              "vmp:ListNotifyGroupPolicies",
              "vmp:ListNotifyPolicies",
              "vmp:ListDashboards",
              "vmp:ListDatasources",
              "alb:DescribeRules",
              "ecs:DescribeTags",
              "clb:DescribeLoadBalancerAttributes",
              "tls:DescribeProjects",
              "vpc:ListTagsForResources"
            ],
            "Resource": [
              "*"
            ]
          }
        ]
      }
      
    2. 为已创建的 vke-global 策略添加授权。
    3. 选择目标 IAM 用户,添加 vke-global 策略的全局权限。