Read-only access to the VKE console with permission to delete pods

Environment
  • Container Service (VKE)
Problem description
  • Read-only access to the Container Service console, with deleting pods as the only permitted write operation
Solution
  1. Log in to the Volcengine Access Control (IAM) console and create a custom policy
  • Click "Create Policy" and paste the following content
{
    "Statement": [
        {
            "Action": [
                "vke:Get*",
                "vke:List*",
                "vke:Search*",
                "vke:Describe*",
                "vke:IsInShortTermWhiteList",
                "vke:ForwardKubernetesApi",
                "ecs:Describe*",
                "vpc:Describe*",
                "vke:DeletePod"
            ],
            "Resource": [
                "*"
            ],
            "Effect": "Allow"
        }
    ]
}
  2. Attach this policy to the IAM sub-user
  3. Create a new ClusterRole for the VKE cluster
  • Save the following content as vistorWithDeletePod.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vistorWithDeletePod
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - get
  - list
  - watch
  - delete
- apiGroups:
  - ""
  resources:
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/proxy
  - namespaces
  - nodes
  - persistentvolumes
  - limitranges
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  - replicationcontrollers/status
  - pods/log
  - pods/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - controllerrevisions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - servicecatalog.k8s.io
  resources:
  - clusterserviceclasses
  - clusterserviceplans
  - clusterservicebrokers
  - serviceinstances
  - servicebindings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - vke.volcengine.com
  resources:
  - cronhpas
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - appinspect.elkeid.bytedance.com
  resources:
  - secinspectpolicies
  - secinspectreports
  - secinspectrunconfigs
  - secinspectclusterreports
  verbs:
  - get
  - list
  - watch
  • Run kubectl apply -f vistorWithDeletePod.yaml to create the ClusterRole
  4. Grant the vistorWithDeletePod role to the IAM user
  • Log in to the Container Service authorization management console with the primary account
  • Click the user name
  • In the new window, click Update
  • In the new window, set the access permission to Custom, select vistorWithDeletePod as the role name, and click OK
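The following audit script is an added example, not code from the article or from Volcengine. It checks both artifacts above against the stated intent (every RBAC verb read-only except delete on pods; every IAM action read-only except the three extras the policy names), transcribing a subset of the ClusterRole rules as Python data so it runs without a YAML library. Against the page's first rule it reports that delete is also attached to the pod subresources (attach, exec, portforward, proxy), which the stated goal does not call for.

```python
import json

# Mutating RBAC verbs a read-only role must not carry unless explicitly allowed.
MUTATING_VERBS = {"create", "update", "patch", "delete", "deletecollection",
                  "escalate", "bind", "impersonate", "*"}
ALLOWED_WRITES = {("", "pods", "delete")}      # the one write the article intends
READ_PREFIXES = ("Get", "List", "Search", "Describe")  # IAM read-only action families
ALLOWED_IAM_ACTIONS = {"vke:DeletePod", "vke:ForwardKubernetesApi",
                       "vke:IsInShortTermWhiteList"}  # explicit extras from the page

# Hand-transcribed subset of the page's ClusterRole rules (constructed here so the
# script runs offline without a YAML library; the shape matches the manifest).
CLUSTER_ROLE_RULES = [
    {"apiGroups": [""], "resources": ["pods", "pods/attach", "pods/exec",
                                      "pods/portforward", "pods/proxy"],
     "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["*"],
     "verbs": ["get", "list", "watch"]},
]
# The page's IAM policy statement, transcribed verbatim.
IAM_POLICY = json.loads("""{"Statement": [{"Effect": "Allow", "Resource": ["*"],
  "Action": ["vke:Get*", "vke:List*", "vke:Search*", "vke:Describe*",
  "vke:IsInShortTermWhiteList", "vke:ForwardKubernetesApi", "ecs:Describe*",
  "vpc:Describe*", "vke:DeletePod"]}]}""")


def unexpected_writes(rules, allowed=ALLOWED_WRITES):
    """Sorted (apiGroup, resource, verb) triples that mutate state yet are not allowlisted."""
    found = set()
    for rule in rules:
        for group in rule["apiGroups"]:
            for res in rule["resources"]:
                for verb in rule["verbs"]:
                    if verb in MUTATING_VERBS and (group, res, verb) not in allowed:
                        found.add((group, res, verb))
    return sorted(found)


def non_read_iam_actions(policy, allowed=ALLOWED_IAM_ACTIONS):
    """Allow-statement actions that are neither read-only by prefix nor allowlisted."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue          # Deny statements never widen access
        for action in stmt["Action"]:
            name = action.partition(":")[2]   # strip the "vke:" / "ecs:" service prefix
            if not name.startswith(READ_PREFIXES) and action not in allowed:
                found.add(action)
    return sorted(found)
```

Splitting the first rule so that delete applies to pods alone, while the subresources keep only get/list/watch, makes unexpected_writes return an empty list.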
Test
  1. Log in to the Container Service console
  2. In the menu, choose Workloads > Pods
  3. Delete the target pod