Environment
- Container Service (VKE)
Problem
- Read-only access to the Container Service (VKE) console, with pod deletion as the only permitted write operation
Solution
- Log in to the Volcengine IAM (访问控制) console to create a custom policy
- Click Create Policy and enter the following content
{
  "Statement": [
    {
      "Action": [
        "vke:Get*",
        "vke:List*",
        "vke:Search*",
        "vke:Describe*",
        "vke:IsInShortTermWhiteList",
        "vke:ForwardKubernetesApi",
        "ecs:Describe*",
        "vpc:Describe*",
        "vke:DeletePod"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
- Attach this policy to the IAM sub-user
- Create a new ClusterRole in the VKE cluster
- Save the following content to vistorWithDeletePod.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vistorWithDeletePod
rules:
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - get
  - list
  - watch
  - delete
- apiGroups:
  - ""
  resources:
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/proxy
  - namespaces
  - nodes
  - persistentvolumes
  - limitranges
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - events
  - replicationcontrollers/status
  - pods/log
  - pods/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - controllerrevisions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - servicecatalog.k8s.io
  resources:
  - clusterserviceclasses
  - clusterserviceplans
  - clusterservicebrokers
  - serviceinstances
  - servicebindings
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - get
  - list
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - storage.k8s.io
  resources:
  - storageclasses
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - vke.volcengine.com
  resources:
  - cronhpas
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - appinspect.elkeid.bytedance.com
  resources:
  - secinspectpolicies
  - secinspectreports
  - secinspectrunconfigs
  - secinspectclusterreports
  verbs:
  - get
  - list
  - watch
- Run kubectl apply -f vistorWithDeletePod.yaml to create the ClusterRole
Caveat on the first rule: the API server serves the exec, attach and portforward subresources over both POST and GET, and a GET request (the WebSocket transport, which recent kubectl versions use by default and which any client can use) is authorized by the get verb. Granting get on pods/exec, pods/attach and pods/portforward therefore lets this "visitor" open a shell in, attach to, or port-forward to any pod in any namespace; the built-in view ClusterRole avoids this by omitting those subresources. If the intent is strictly read-only plus delete, remove them, and consider removing pods/proxy and services/proxy as well, since get on those relays HTTP requests to workloads through the API server. The delete verb on the subresources is inert (they accept no DELETE request); only delete on pods does anything, and because this is a ClusterRole it applies to every namespace, including kube-system.
- Grant the vistorWithDeletePod role to the IAM user
- Log in to the VKE authorization management console with the root (primary) account
- Click the user name
- In the new window, click Update
- In the new window, set Access Permission to Custom, select vistorWithDeletePod as the role name, and click OK
The IAM policy governs the console and OpenAPI layer; the ClusterRole governs what the Kubernetes API server accepts. An operation succeeds only if both layers allow it, which is why both are narrowed here.
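The following offline audit is an added example, not code from this page or from Volcengine. It re-implements the two matching rules involved (IAM action wildcards and Kubernetes RBAC rule matching) so the grants above can be checked without a cluster: IAM_POLICY is the page's statement verbatim, CLUSTER_ROLE_RULES is the subset of the page's ClusterRole rules relevant to the audit, and the only assumption is that Volcengine IAM gives an explicit Deny precedence over Allow (the page itself uses Allow only). The harden function shows the corrected first rule beside the page's original.

```python
"""Offline least-privilege audit of the IAM policy and ClusterRole above.

Added example, not code from the page or from Volcengine: it re-implements
IAM action-wildcard matching and Kubernetes RBAC rule matching so the grants
can be checked without a cluster. IAM_POLICY is the page's statement;
CLUSTER_ROLE_RULES is the subset of the page's rules relevant to the audit.
"""
import re

IAM_POLICY = {"Statement": [{  # copied from the page's policy
    "Action": ["vke:Get*", "vke:List*", "vke:Search*", "vke:Describe*",
               "vke:IsInShortTermWhiteList", "vke:ForwardKubernetesApi",
               "ecs:Describe*", "vpc:Describe*", "vke:DeletePod"],
    "Resource": ["*"],
    "Effect": "Allow",
}]}

CLUSTER_ROLE_RULES = [  # subset of the page's rules, verbs/resources unchanged
    {"apiGroups": [""], "verbs": ["get", "list", "watch", "delete"],
     "resources": ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]},
    {"apiGroups": [""], "verbs": ["get", "list", "watch"],
     "resources": ["endpoints", "services", "services/proxy", "namespaces", "nodes"]},
    {"apiGroups": ["apps"], "verbs": ["get", "list", "watch"],
     "resources": ["deployments", "deployments/scale", "replicasets", "statefulsets"]},
    {"apiGroups": ["networking.k8s.io"], "verbs": ["get", "list", "watch"],
     "resources": ["*"]},
]

READ_ONLY_VERBS = {"get", "list", "watch"}
# Subresources whose GET handler opens an interactive or proxied connection.
INTERACTIVE_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward",
                            "pods/proxy", "services/proxy"}


def _action_matches(pattern, action):
    """'*' is the only wildcard in an IAM action pattern; the rest is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, action) is not None


def iam_allows(policy, action):
    """Any matching Deny statement wins; otherwise any matching Allow grants.
    (Assumption: Deny-over-Allow precedence; the page only uses Allow.
    Resource constraints are ignored because the page grants "*".)"""
    allowed = False
    for stmt in policy["Statement"]:
        if any(_action_matches(p, action) for p in stmt["Action"]):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def _resource_matches(rule_resource, requested):
    """Kubernetes RBAC semantics: '*' matches all; otherwise the rule must name
    the resource or 'resource/subresource' exactly, and '*/sub' matches that
    subresource on any resource. 'pods' alone never covers 'pods/exec'."""
    if rule_resource in ("*", requested):
        return True
    if "/" in requested and rule_resource.startswith("*/"):
        return rule_resource[2:] == requested.split("/", 1)[1]
    return False


def rbac_allows(rules, verb, api_group, resource):
    """True if any rule grants (verb, api_group, resource); RBAC has no deny."""
    for rule in rules:
        if not any(g in ("*", api_group) for g in rule["apiGroups"]):
            continue
        if not any(v in ("*", verb) for v in rule["verbs"]):
            continue
        if any(_resource_matches(r, resource) for r in rule["resources"]):
            return True
    return False


def mutating_grants(rules):
    """All (group, resource, verb) grants beyond get/list/watch. For a
    'read-only plus delete pod' role only delete verbs should appear."""
    return sorted(
        (g, r, v)
        for rule in rules for v in rule["verbs"] if v not in READ_ONLY_VERBS
        for g in rule["apiGroups"] for r in rule["resources"]
    )


def harden(rules):
    """Hardened copy: drop the interactive/proxy subresources. 'get' on
    pods/exec is enough to exec over the WebSocket (GET) transport, so a
    visitor role must not carry it; delete on plain pods is kept."""
    out = []
    for rule in rules:
        kept = [r for r in rule["resources"] if r not in INTERACTIVE_SUBRESOURCES]
        if kept:
            out.append({**rule, "resources": kept})
    return out


if __name__ == "__main__":
    print("IAM vke:DeleteCluster allowed:", iam_allows(IAM_POLICY, "vke:DeleteCluster"))
    print("exec via GET, page role:", rbac_allows(CLUSTER_ROLE_RULES, "get", "", "pods/exec"))
    print("exec via GET, hardened:", rbac_allows(harden(CLUSTER_ROLE_RULES), "get", "", "pods/exec"))
```

The same checks should be confirmed against the live cluster once the binding exists, with kubectl auth can-i --as=<mapped user name> get pods/exec and delete pods, since the RBAC matcher here covers only rule semantics, not which username VKE maps the IAM user to or any additional bindings that user may already hold.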
Test