Default Config Sync permissions
This page lists the default permissions that Config Sync and its components require in order to have the correct access at the cluster level.
Default permissions
The following table lists the permissions that Config Sync enables by default. Do not disable these permissions while Config Sync is in use.
Component | Namespace | Service account | Permission | Description |
---|---|---|---|---|
reconciler-manager | config-management-system | reconciler-manager | cluster-admin | To provision the root reconcilers and create the ClusterRoleBinding for the root reconcilers, reconciler-manager must have the cluster-admin permission. |
root reconcilers | config-management-system | Root reconciler name | cluster-admin | To apply cluster-scoped and custom resources, the root reconcilers must have the cluster-admin permission. |
namespace reconcilers | config-management-system | Namespace reconciler name | configsync.gke.io:ns-reconciler | To get and update RepoSync and ResourceGroup objects and their status, the namespace reconcilers require the configsync.gke.io:ns-reconciler permission. |
resource-group-controller-manager | config-management-system | resource-group-sa | resource-group-manager-role and resource-group-leader-election-role | To check object status and enable leader election, resource-group-controller-manager requires the resource-group-manager-role and resource-group-leader-election-role roles. |
admission-webhook | config-management-system | admission-webhook | cluster-admin | To reject requests to any object in the cluster, the admission webhook must have the cluster-admin permission. |
importer | config-management-system | importer | cluster-admin | To set RBAC permissions, the importer must have the cluster-admin permission. |
Config Sync-specific permissions
The following sections describe the configsync.gke.io:ns-reconciler, resource-group-manager-role and resource-group-leader-election-role permissions listed in the preceding table.
Config Sync applies these permissions automatically by including the following ClusterRoles in the manifests of the Namespace Reconciler and the Resource Group Controller.
RBAC for namespace reconcilers
The following ClusterRole shows the role-based access control permissions for the namespace reconcilers:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configsync.gke.io:ns-reconciler
  labels:
    configmanagement.gke.io/system: "true"
    configmanagement.gke.io/arch: "csmr"
rules:
  - apiGroups: ["configsync.gke.io"]
    resources: ["reposyncs"]
    verbs: ["get"]
  - apiGroups: ["configsync.gke.io"]
    resources: ["reposyncs/status"]
    verbs: ["get", "list", "update"]
  - apiGroups: ["kpt.dev"]
    resources: ["resourcegroups"]
    verbs: ["*"]
  - apiGroups: ["kpt.dev"]
    resources: ["resourcegroups/status"]
    verbs: ["*"]
  - apiGroups:
      - policy
    resources:
      - podsecuritypolicies
    resourceNames:
      - acm-psp
    verbs:
      - use
```
RBAC for the Resource Group Controller
The following ClusterRole and Role show the role-based access control permissions for the Resource Group Controller:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  labels:
    configmanagement.gke.io/arch: "csmr"
    configmanagement.gke.io/system: "true"
  name: resource-group-manager-role
rules:
  # This permission is needed to get the status for managed resources
  - apiGroups:
      - '*'
    resources:
      - '*'
    verbs:
      - get
      - list
      - watch
  # This permission is needed to watch/unwatch types as they are registered or removed.
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - get
      - list
      - watch
  # This permission is needed so that the ResourceGroup controller can reconcile a ResourceGroup CR
  - apiGroups:
      - kpt.dev
    resources:
      - resourcegroups
    verbs:
      - create
      - delete
      - get
      - list
      - patch
      - update
      - watch
  # This permission is needed so that the ResourceGroup controller can update the status of a ResourceGroup CR
  - apiGroups:
      - kpt.dev
    resources:
      - resourcegroups/status
    verbs:
      - get
      - patch
      - update
  # This permission is needed so that the ResourceGroup controller can work on a cluster with PSP enabled
  - apiGroups:
      - policy
    resourceNames:
      - acm-psp
    resources:
      - podsecuritypolicies
    verbs:
      - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    configmanagement.gke.io/arch: "csmr"
    configmanagement.gke.io/system: "true"
  name: resource-group-leader-election-role
  namespace: resource-group-system
rules:
  # The following permissions are needed so that the leader election can work
  - apiGroups:
      - ""
    resources:
      - configmaps
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
  - apiGroups:
      - ""
    resources:
      - configmaps/status
    verbs:
      - get
      - update
      - patch
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
  - apiGroups:
      - coordination.k8s.io
    resources:
      - leases
    verbs:
      - '*'
```
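The two ClusterRoles above are the least-privilege grants on this page, and the practical question for an auditor is what each one actually permits: why the namespace reconciler can update `reposyncs/status` but not the `reposyncs` spec, why `resourceNames: [acm-psp]` only covers that one PodSecurityPolicy, and what `apiGroups: ['*'] / resources: ['*']` with `get`, `list`, `watch` implies (it covers the core API group, so Secrets are readable). The following evaluator is an added example, not code from the Config Sync project or this documentation; the rule lists are transcribed from the two ClusterRoles shown above, and the matching logic is a hand-written approximation of the RBAC authorizer's semantics (wildcards, `*/subresource`, `resourceNames`) limited to the cases these rules exercise.

```python
"""Offline evaluator for Kubernetes RBAC PolicyRules (added example).

The rule lists are transcribed from the ClusterRoles on this page. The
matching functions are an assumption: a hand-written approximation of the
rbac.authorization.k8s.io matching rules, not the upstream implementation.
"""

# Transcribed from the configsync.gke.io:ns-reconciler ClusterRole.
NS_RECONCILER_RULES = [
    {"apiGroups": ["configsync.gke.io"], "resources": ["reposyncs"], "verbs": ["get"]},
    {"apiGroups": ["configsync.gke.io"], "resources": ["reposyncs/status"],
     "verbs": ["get", "list", "update"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups"], "verbs": ["*"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups/status"], "verbs": ["*"]},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
     "resourceNames": ["acm-psp"], "verbs": ["use"]},
]

# Transcribed from the resource-group-manager-role ClusterRole.
RG_MANAGER_RULES = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups/status"],
     "verbs": ["get", "patch", "update"]},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
     "resourceNames": ["acm-psp"], "verbs": ["use"]},
]


def _matches(allowed, value):
    """Verbs and apiGroups match on an exact entry or the wildcard '*'.

    The core API group is the empty string, and '*' matches it too."""
    return "*" in allowed or value in allowed


def _resource_matches(allowed, resource):
    """Resources match exactly, via '*', or via the '*/<subresource>' form.

    A plain 'reposyncs' entry does NOT cover 'reposyncs/status': the
    subresource is a distinct grant, which is exactly how the namespace
    reconciler can update status without being able to edit the spec."""
    _base, _, sub = resource.partition("/")
    for entry in allowed:
        if entry == "*" or entry == resource:
            return True
        if sub and entry == "*/" + sub:
            return True
    return False


def _name_matches(allowed_names, name):
    """An empty resourceNames list means any object; otherwise the request
    must be for a listed name (so list/watch, which carry no name, are
    not covered by a name-restricted rule)."""
    if not allowed_names:
        return True
    return name is not None and name in allowed_names


def rule_allows(rule, verb, group, resource, name=None):
    """A single PolicyRule grants a request only if every field matches."""
    return (_matches(rule["verbs"], verb)
            and _matches(rule["apiGroups"], group)
            and _resource_matches(rule["resources"], resource)
            and _name_matches(rule.get("resourceNames", []), name))


def can_i(rules, verb, resource, group="", name=None):
    """RBAC is purely additive: the request is allowed if any rule grants it."""
    return any(rule_allows(r, verb, group, resource, name) for r in rules)


def find_wildcard_rules(rules):
    """Audit helper: indexes of rules that apply to every resource of every
    API group. Such a rule reaches core-group objects like Secrets, so a
    reviewer should confirm its verbs are read-only and that the binding
    subject really needs that breadth."""
    return [i for i, r in enumerate(rules)
            if "*" in r["apiGroups"] and "*" in r["resources"]]


if __name__ == "__main__":
    checks = [
        ("ns-reconciler: get reposyncs", can_i(NS_RECONCILER_RULES, "get", "reposyncs", "configsync.gke.io")),
        ("ns-reconciler: update reposyncs", can_i(NS_RECONCILER_RULES, "update", "reposyncs", "configsync.gke.io")),
        ("ns-reconciler: update reposyncs/status", can_i(NS_RECONCILER_RULES, "update", "reposyncs/status", "configsync.gke.io")),
        ("ns-reconciler: get secrets", can_i(NS_RECONCILER_RULES, "get", "secrets")),
        ("rg-manager: get secrets", can_i(RG_MANAGER_RULES, "get", "secrets")),
        ("rg-manager: create secrets", can_i(RG_MANAGER_RULES, "create", "secrets")),
    ]
    for label, allowed in checks:
        print(f"{label}: {'allowed' if allowed else 'denied'}")
    print("wildcard rules in resource-group-manager-role:", find_wildcard_rules(RG_MANAGER_RULES))
```

Run it directly to see the verdicts for a handful of requests. The evaluator runs fully offline; against a live cluster the same questions are answered by `kubectl auth can-i` with `--as=system:serviceaccount:<namespace>:<service-account>`, which also accounts for bindings and aggregated roles that this static check ignores.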