容器服务规范化并收敛了跨服务授权 ServiceRole（ServiceRoleForVKE）的权限策略 Policy（ServiceRolePolicyForVKE），避免因权限过大而产生潜在的安全风险和安全审查漏洞。
收敛后的 ServiceRolePolicyForVKE 具体语法如下。
{ "Statement": [ { "Effect": "Allow", "Action": [ "ecs:Describe*", "ecs:Get*", "ecs:CreateInstances", "ecs:DeleteInstance", "ecs:DeleteVolume", "ecs:AttachVolume", "ecs:DetachVolume", "ecs:ExtendVolume", "ecs:ReplaceSystemVolume", "ecs:ModifyInstanceAttribute", "ecs:StartInstance", "ecs:StopInstance", "ecs:BindAssumeRole", "ecs:UnbindAssumeRole", "ecs:ListAssumeRoles" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "vpc:Describe*", "vpc:CreateSecurityGroup", "vpc:CreateNetworkInterface", "vpc:CreateRouteTable", "vpc:CreateRouteEntry", "vpc:CreateNetworkInterfacePermission", "vpc:AllocateEipAddress", "vpc:AuthorizeSecurityGroupIngress", "vpc:AuthorizeSecurityGroupEgress", "vpc:RevokeSecurityGroupIngress", "vpc:RevokeSecurityGroupEgress", "vpc:ModifyNetworkInterfaceAttributes", "vpc:AttachNetworkInterface", "vpc:DetachNetworkInterface", "vpc:DeleteSecurityGroup", "vpc:DeleteNetworkInterface", "vpc:DeleteRouteTable", "vpc:DeleteRouteEntry", "vpc:DeleteNetworkInterfacePermission", "vpc:AssociateRouteTable", "vpc:AssociateEipAddress", "vpc:DisassociateEipAddress", "vpc:DisassociateRouteTable", "vpc:ReleaseEipAddress", "vpc:ClientGroupAddClient", "vpc:ClientGroupDeleteClient", "vpc:ServerGroupAddServer", "vpc:ServerGroupDeleteServer", "vpc:AddBandwidthPackageIp", "vpc:RemoveBandwidthPackageIp" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "clb:Describe*", "clb:CreateLoadBalancer", "clb:CreateRules", "clb:CreateServerGroup", "clb:CreateListener", "clb:AddServerGroupBackendServers", "clb:ModifyLoadBalancerAttributes", "clb:ModifyListenerAttributes", "clb:ModifyServerGroupAttributes", "clb:ModifyRules", "clb:RemoveServerGroupBackendServers", "clb:DeleteLoadBalancer", "clb:DeleteServerGroup", "clb:DeleteListener", "clb:DeleteRules" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "alb:Describe*", "alb:CreateLoadBalancer", "alb:CreateServerGroup", "alb:CreateListener", "alb:CreateRules", "alb:AddServerGroupBackendServers", 
"alb:ModifyLoadBalancerAttributes", "alb:ModifyServerGroupBackendServers", "alb:ModifyServerGroupAttributes", "alb:ModifyListenerAttributes", "alb:ModifyRules", "alb:RemoveServerGroupBackendServers", "alb:DeleteLoadBalancer", "alb:DeleteServerGroup", "alb:DeleteListener", "alb:DeleteRules" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "natgateway:CreateNatGateway", "natgateway:CreateSnatEntry", "natgateway:Describe*", "natgateway:DeleteNatGateway", "natgateway:DeleteSnatEntry" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "cr:List*", "cr:Get*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "FileNAS:List*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "tls:CreateProject", "tls:CreateTopic", "tls:CreateIndex", "tls:CreateRule", "tls:CreateHostGroup", "tls:Describe*", "tls:GetLogCollectorConfig", "tls:LogCollectorHeartbeat", "tls:PutLogs", "tls:ModifyRule", "tls:ApplyRuleToHostGroups", "tls:DeleteRuleFromHostGroups", "tls:DeleteRule" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "tos:ListBuckets" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "storage_ebs:Describe*", "storage_ebs:CreateVolume", "storage_ebs:AttachVolume", "storage_ebs:DetachVolume", "storage_ebs:ExtendVolume", "storage_ebs:DeleteVolume" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "algalon:List*", "algalon:CreateDatasource", "algalon:UpdateDatasource", "algalon:DeleteDatasource" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "vke:List*" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "iam:List*", "iam:CreateRole", "iam:CreatePolicy", "iam:UpdatePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:DeleteRole", "iam:DeletePolicy" ], "Resource": [ "*" ] } ] }