[Product Change] Announcement on Narrowing the RAM Role Permissions of ACK Dedicated Cluster Nodes

  • Product change
  • Published 2025-04-18

The ECS RAM role bound to ACK dedicated cluster nodes by default carries broad permissions. To strengthen the default security of dedicated clusters, Container Service for Kubernetes (ACK) will further narrow the permissions bound to the RAM role for newly created ACK dedicated clusters.

Impact of the change

  • This change affects only the default permissions of nodes in newly created ACK dedicated clusters. It does not affect other cluster types, such as ACK managed clusters and ACK Serverless clusters.

  • This change does not affect the default permissions of nodes in existing ACK dedicated clusters. If you want to narrow the role permissions bound to the nodes of an existing ACK dedicated cluster, modify the permission policy content of that cluster's node roles. For the minimized policy content, see "Master node role permissions" and "Worker node role permissions" below.

    Important

    Before modifying the permissions of an existing ACK dedicated cluster, make sure that no component running on the cluster nodes depends on a permission that is about to be removed. If one does, do not apply the change. Before modifying the policy, back up the original policy content so that you can roll back the permission configuration promptly.

Master node role permissions

After the RAM role permissions of Master nodes in a dedicated cluster are narrowed, the role is bound by default to the minimized permission policies required by the CCM, CSI storage, network, and logging components.

  • CCM component policy content
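The dependency check and backup that the note above calls for can be made mechanical. The following Python script is an added example, not ACK's own tooling: it takes the node role's current policy document, the minimized policy you intend to apply, and the list of API actions the node's components have actually been observed calling, evaluates each action RAM-style (an explicit Deny wins, otherwise any matching Allow pattern such as `ecs:Describe*` suffices), writes a timestamped backup of the current policy, and reports which in-use actions would stop working. The broad "current" policy, the used-action list and the backup directory are constructed sample data; how you obtain the used-action list (for example from ActionTrail audit logs) is an assumption, and the minimized policy shown is the Worker node CSI storage policy from this announcement.

```python
"""Check a minimized RAM node-role policy against the actions a node actually
uses, and back up the current policy before any change.

Hypothetical helper script (not ACK's own tooling). The policies and action
list below are constructed sample data for demonstration.
"""
import fnmatch
import json
import os
import tempfile
import time

# Constructed sample: a broad "before" policy of the kind the announcement
# describes (wildcards over whole services).
CURRENT_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["ecs:*", "slb:*", "vpc:*", "oss:GetObject"],
         "Resource": ["*"], "Effect": "Allow"}
    ],
}

# Minimized "after" policy: the Worker node CSI storage policy from the page.
MINIMIZED_POLICY = {
    "Version": "1",
    "Statement": [
        {"Action": ["ecs:DescribeDisks", "ecs:DescribeInstances",
                    "ecs:DescribeAvailableResource", "ecs:DescribeInstanceTypes",
                    "nas:DescribeFileSystems", "ecs:AttachDisk", "ecs:CreateDisk",
                    "ecs:CreateSnapshot", "ecs:DeleteSnapshot", "ecs:DetachDisk"],
         "Resource": ["*"], "Effect": "Allow"}
    ],
}

# Constructed sample: actions observed being called from the node in the last
# N days (assumed to come from audit logs; the list itself is made up).
USED_ACTIONS = ["ecs:DescribeDisks", "ecs:AttachDisk", "ecs:CreateDisk",
                "ecs:DetachDisk", "ecs:DeleteDisk", "oss:GetObject"]


def action_patterns(policy, effect):
    """Yield every Action pattern in statements with the given Effect."""
    for st in policy.get("Statement", []):
        if st.get("Effect") != effect:
            continue
        acts = st.get("Action", [])
        yield from ([acts] if isinstance(acts, str) else acts)


def is_allowed(action, policy):
    """RAM-style evaluation: an explicit Deny wins; otherwise any Allow match.
    '*' in a pattern matches any run of characters (e.g. 'ecs:Describe*')."""
    if any(fnmatch.fnmatchcase(action, p) for p in action_patterns(policy, "Deny")):
        return False
    return any(fnmatch.fnmatchcase(action, p) for p in action_patterns(policy, "Allow"))


def uncovered_actions(used, new_policy):
    """In-use actions the new policy would not permit."""
    return sorted(a for a in used if not is_allowed(a, new_policy))


def newly_denied(used, old_policy, new_policy):
    """In-use actions that work today but would break after the change."""
    return sorted(a for a in used
                  if is_allowed(a, old_policy) and not is_allowed(a, new_policy))


def backup_policy(policy, directory):
    """Write the current policy document to a timestamped file for rollback."""
    name = "node-role-policy-%s.json" % time.strftime("%Y%m%dT%H%M%S")
    path = os.path.join(directory, name)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(policy, fh, indent=4)
    return path


def plan_change(used, old_policy, new_policy, backup_dir):
    """Back up first, then decide whether the change is safe to apply."""
    backup = backup_policy(old_policy, backup_dir)
    blocked = newly_denied(used, old_policy, new_policy)
    return {"backup": backup, "safe_to_apply": not blocked,
            "blocked_actions": blocked}


def demo():
    """Run the plan against the constructed sample data in a temp directory."""
    return plan_change(USED_ACTIONS, CURRENT_POLICY, MINIMIZED_POLICY,
                       tempfile.mkdtemp())


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With the sample data the plan reports `ecs:DeleteDisk` and `oss:GetObject` as blocked, so `safe_to_apply` is false and the policy should be left alone until those dependencies are understood; the backup file is written either way, which is the order the note above prescribes.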

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:Describe*",
                    "ecs:CreateRouteEntry",
                    "ecs:DeleteRouteEntry",
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DeleteNetworkInterfacePermission",
                    "ecs:ModifyInstanceAttribute",
                    "ecs:AttachKeyPair",
                    "ecs:StopInstance",
                    "ecs:StartInstance",
                    "ecs:ReplaceSystemDisk"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "slb:Describe*",
                    "slb:CreateLoadBalancer",
                    "slb:DeleteLoadBalancer",
                    "slb:ModifyLoadBalancerInternetSpec",
                    "slb:RemoveBackendServers",
                    "slb:AddBackendServers",
                    "slb:RemoveTags",
                    "slb:AddTags",
                    "slb:StopLoadBalancerListener",
                    "slb:StartLoadBalancerListener",
                    "slb:SetLoadBalancerHTTPListenerAttribute",
                    "slb:SetLoadBalancerHTTPSListenerAttribute",
                    "slb:SetLoadBalancerTCPListenerAttribute",
                    "slb:SetLoadBalancerUDPListenerAttribute",
                    "slb:CreateLoadBalancerHTTPSListener",
                    "slb:CreateLoadBalancerHTTPListener",
                    "slb:CreateLoadBalancerTCPListener",
                    "slb:CreateLoadBalancerUDPListener",
                    "slb:DeleteLoadBalancerListener",
                    "slb:CreateVServerGroup",
                    "slb:DescribeVServerGroups",
                    "slb:DeleteVServerGroup",
                    "slb:SetVServerGroupAttribute",
                    "slb:DescribeVServerGroupAttribute",
                    "slb:ModifyVServerGroupBackendServers",
                    "slb:AddVServerGroupBackendServers",
                    "slb:ModifyLoadBalancerInstanceSpec",
                    "slb:ModifyLoadBalancerInternetSpec",
                    "slb:SetLoadBalancerModificationProtection",
                    "slb:SetLoadBalancerDeleteProtection",
                    "slb:SetLoadBalancerName",
                    "slb:ModifyLoadBalancerInstanceChargeType",
                    "slb:RemoveVServerGroupBackendServers"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:Describe*",
                    "vpc:DeleteRouteEntry",
                    "vpc:CreateRouteEntry"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • CSI storage component policy content

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeDisks",
                    "ecs:DescribeInstances",
                    "ecs:DescribeAvailableResource",
                    "ecs:DescribeInstanceTypes",
                    "nas:DescribeFileSystems",
                    "ecs:AttachDisk",
                    "ecs:CreateDisk",
                    "ecs:CreateSnapshot",
                    "ecs:DeleteDisk",
                    "ecs:DeleteSnapshot",
                    "ecs:DetachDisk"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Network component policy content

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:CreateNetworkInterface",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:AttachNetworkInterface",
                    "ecs:DetachNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:DescribeInstanceAttribute",
                    "ecs:DescribeInstanceTypes",
                    "ecs:AssignPrivateIpAddresses",
                    "ecs:UnassignPrivateIpAddresses",
                    "ecs:DescribeInstances",
                    "ecs:ModifyNetworkInterfaceAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Logging component policy content

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:DeleteProject",
                    "log:CreateLogStore",
                    "log:GetLogStore",
                    "log:UpdateLogStore",
                    "log:DeleteLogStore",
                    "log:CreateConfig",
                    "log:UpdateConfig",
                    "log:GetConfig",
                    "log:DeleteConfig",
                    "log:CreateMachineGroup",
                    "log:UpdateMachineGroup",
                    "log:GetMachineGroup",
                    "log:DeleteMachineGroup",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetAppliedConfigs",
                    "log:RemoveConfigFromMachineGroup",
                    "log:CreateIndex",
                    "log:GetIndex",
                    "log:UpdateIndex",
                    "log:DeleteIndex",
                    "log:CreateSavedSearch",
                    "log:GetSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteSavedSearch",
                    "log:CreateDashboard",
                    "log:GetDashboard",
                    "log:UpdateDashboard",
                    "log:DeleteDashboard",
                    "log:CreateJob",
                    "log:GetJob",
                    "log:DeleteJob",
                    "log:UpdateJob",
                    "log:PostLogStoreLogs",
                    "log:CreateSortedSubStore",
                    "log:GetSortedSubStore",
                    "log:ListSortedSubStore",
                    "log:UpdateSortedSubStore",
                    "log:DeleteSortedSubStore",
                    "log:CreateApp",
                    "log:UpdateApp",
                    "log:GetApp",
                    "log:DeleteApp",
                    "log:GetLogStoreLogs",
                    "log:TagResources",
                    "log:ListJobs",
                    "log:ListTagResources",
                    "log:UntagResources",
                    "log:CreateResourceRecord",
                    "log:UpdateResourceRecord",
                    "log:UpsertResourceRecord",
                    "log:GetResourceRecord",
                    "log:DeleteResourceRecord",
                    "log:ListResourceRecords",
                    "log:ListResources",
                    "log:GetResource",
                    "cs:UpdateContactGroup",
                    "cs:DescribeTemplates",
                    "cs:DescribeTemplateAttribute",
                    "eventbridge:PutEvents"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }

Worker node role permissions

After the RAM role permissions of Worker nodes in a dedicated cluster are narrowed, the role is bound by default to the minimized permission policies required by the CSI storage, network, and logging components.

  • CSI storage component policy content

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeDisks",
                    "ecs:DescribeInstances",
                    "ecs:DescribeAvailableResource",
                    "ecs:DescribeInstanceTypes",
                    "nas:DescribeFileSystems",
                    "ecs:AttachDisk",
                    "ecs:CreateDisk",
                    "ecs:CreateSnapshot",
                    "ecs:DeleteSnapshot",
                    "ecs:DetachDisk"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Network component policy content

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:CreateNetworkInterface",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:AttachNetworkInterface",
                    "ecs:DetachNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:DescribeInstanceAttribute",
                    "ecs:DescribeInstanceTypes",
                    "ecs:AssignPrivateIpAddresses",
                    "ecs:UnassignPrivateIpAddresses",
                    "ecs:DescribeInstances",
                    "ecs:ModifyNetworkInterfaceAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Logging component policy content

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:DeleteProject",
                    "log:CreateLogStore",
                    "log:GetLogStore",
                    "log:UpdateLogStore",
                    "log:DeleteLogStore",
                    "log:CreateConfig",
                    "log:UpdateConfig",
                    "log:GetConfig",
                    "log:DeleteConfig",
                    "log:CreateMachineGroup",
                    "log:UpdateMachineGroup",
                    "log:GetMachineGroup",
                    "log:DeleteMachineGroup",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetAppliedConfigs",
                    "log:RemoveConfigFromMachineGroup",
                    "log:CreateIndex",
                    "log:GetIndex",
                    "log:UpdateIndex",
                    "log:DeleteIndex",
                    "log:CreateSavedSearch",
                    "log:GetSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteSavedSearch",
                    "log:CreateDashboard",
                    "log:GetDashboard",
                    "log:UpdateDashboard",
                    "log:DeleteDashboard",
                    "log:CreateJob",
                    "log:GetJob",
                    "log:DeleteJob",
                    "log:UpdateJob",
                    "log:PostLogStoreLogs",
                    "log:CreateSortedSubStore",
                    "log:GetSortedSubStore",
                    "log:ListSortedSubStore",
                    "log:UpdateSortedSubStore",
                    "log:DeleteSortedSubStore",
                    "log:CreateApp",
                    "log:UpdateApp",
                    "log:GetApp",
                    "log:DeleteApp",
                    "log:GetLogStoreLogs",
                    "log:TagResources",
                    "log:ListJobs",
                    "log:ListTagResources",
                    "log:UntagResources",
                    "log:CreateResourceRecord",
                    "log:UpdateResourceRecord",
                    "log:UpsertResourceRecord",
                    "log:GetResourceRecord",
                    "log:DeleteResourceRecord",
                    "log:ListResourceRecords",
                    "log:ListResources",
                    "log:GetResource",
                    "cs:UpdateContactGroup",
                    "cs:DescribeTemplates",
                    "cs:DescribeTemplateAttribute",
                    "eventbridge:PutEvents"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }