Default Config Sync permissions

This page lists the default permissions that Config Sync and its components need in order to have the correct access at the cluster level.

Default permissions

The following table lists the permissions that Config Sync enables by default. Do not disable these permissions while using Config Sync.

Component: reconciler-manager
  Namespace: config-management-system
  Service account: reconciler-manager
  Permission: cluster-admin
  Description: To provision root reconcilers and create ClusterRoleBindings for them, reconciler-manager must have the cluster-admin permission.

Component: root reconcilers
  Namespace: config-management-system
  Service account: the name of the root reconciler
  Permission: cluster-admin
  Description: To apply cluster-scoped custom resources, a root reconciler must have the cluster-admin permission.

Component: namespace reconcilers
  Namespace: config-management-system
  Service account: the name of the namespace reconciler
  Permission: configsync.gke.io:ns-reconciler
  Description: To get and update RepoSync and ResourceGroup objects and their status, a namespace reconciler needs the configsync.gke.io:ns-reconciler permission.

Component: resource-group-controller-manager
  Namespace: config-management-system
  Service account: resource-group-sa
  Permission: resource-group-manager-role, resource-group-leader-election-role
  Description: To check object status and enable leader election, resource-group-controller-manager needs the resource-group-manager-role and resource-group-leader-election-role roles.

Component: admission-webhook
  Namespace: config-management-system
  Service account: admission-webhook
  Permission: cluster-admin
  Description: To reject requests for any object on the cluster, the admission webhook must have the cluster-admin permission.

Component: importer
  Namespace: config-management-system
  Service account: importer
  Permission: cluster-admin
  Description: To set up RBAC permissions, importer must have the cluster-admin permission.

Config Sync-specific permissions

The following sections describe in more detail the configsync.gke.io:ns-reconciler, resource-group-manager-role, and resource-group-leader-election-role permissions listed in the table above.

Config Sync applies these permissions automatically by adding the following ClusterRoles to the manifests of the namespace reconciler and the resource group controller.

RBAC for the namespace reconciler

The following ClusterRole shows the role-based access control permissions of the namespace reconciler:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configsync.gke.io:ns-reconciler
  labels:
    configmanagement.gke.io/system: "true"
    configmanagement.gke.io/arch: "csmr"
rules:
- apiGroups: ["configsync.gke.io"]
  resources: ["reposyncs"]
  verbs: ["get"]
- apiGroups: ["configsync.gke.io"]
  resources: ["reposyncs/status"]
  verbs: ["get","list","update"]
- apiGroups: ["kpt.dev"]
  resources: ["resourcegroups"]
  verbs: ["*"]
- apiGroups: ["kpt.dev"]
  resources: ["resourcegroups/status"]
  verbs: ["*"]
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  resourceNames:
  - acm-psp
  verbs:
  - use

RBAC for the resource group controller

The following ClusterRole and Role show the role-based access control permissions of the resource group controller:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  labels:
    configmanagement.gke.io/arch: "csmr"
    configmanagement.gke.io/system: "true"
  name: resource-group-manager-role
rules:
# This permission is needed to get the status for managed resources
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
# This permission is needed to watch/unwatch types as they are registered or removed.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
# This permission is needed so that the ResourceGroup controller can reconcile a ResourceGroup CR
- apiGroups:
  - kpt.dev
  resources:
  - resourcegroups
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# This permission is needed so that the ResourceGroup controller can update the status of a ResourceGroup CR
- apiGroups:
  - kpt.dev
  resources:
  - resourcegroups/status
  verbs:
  - get
  - patch
  - update
# This permission is needed so that the ResourceGroup controller can work on a cluster with PSP enabled
- apiGroups:
  - policy
  resourceNames:
  - acm-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    configmanagement.gke.io/arch: "csmr"
    configmanagement.gke.io/system: "true"
  name: resource-group-leader-election-role
  namespace: resource-group-system
# The following permissions are needed so that the leader election can work
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
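To check what the two ClusterRoles above actually grant, and to spot the wildcard rules that a reviewer should look at first, the following script evaluates RBAC rules the way the Kubernetes authorizer does: a rule matches when the verb, API group and resource each match exactly or by "*" (with "*/status" matching any status subresource), and an optional resourceNames allow-list restricts the match to named objects. This is an added example, not code from the Config Sync project or from this page; the rule sets are transcribed from the configsync.gke.io:ns-reconciler and resource-group-manager-role ClusterRoles shown above, and the function names (`allows`, `wildcard_grants`) are the example's own.

```python
"""RBAC rule evaluator for auditing the Config Sync ClusterRoles above.

Added example, not part of Config Sync. The rule sets are transcribed from
the ClusterRoles on this page; the matching logic mirrors Kubernetes RBAC
semantics (exact or "*" match for apiGroups, resources and verbs, "*/sub"
for subresources, and an optional resourceNames allow-list).
"""
from typing import Dict, Iterable, List

# Transcribed from the configsync.gke.io:ns-reconciler ClusterRole above.
NS_RECONCILER_RULES: List[Dict] = [
    {"apiGroups": ["configsync.gke.io"], "resources": ["reposyncs"], "verbs": ["get"]},
    {"apiGroups": ["configsync.gke.io"], "resources": ["reposyncs/status"],
     "verbs": ["get", "list", "update"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups"], "verbs": ["*"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups/status"], "verbs": ["*"]},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
     "resourceNames": ["acm-psp"], "verbs": ["use"]},
]

# Transcribed from the resource-group-manager-role ClusterRole above.
RESOURCE_GROUP_MANAGER_RULES: List[Dict] = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
    {"apiGroups": ["kpt.dev"], "resources": ["resourcegroups/status"],
     "verbs": ["get", "patch", "update"]},
    {"apiGroups": ["policy"], "resources": ["podsecuritypolicies"],
     "resourceNames": ["acm-psp"], "verbs": ["use"]},
]


def _resource_matches(pattern: str, resource: str) -> bool:
    """Kubernetes resource matching: "*" matches everything, "*/status"
    matches the status subresource of any resource, otherwise exact match."""
    if pattern == "*":
        return True
    if pattern.startswith("*/") and "/" in resource:
        return resource.split("/", 1)[1] == pattern[2:]
    return pattern == resource


def rule_allows(rule: Dict, api_group: str, resource: str, verb: str, name: str = "") -> bool:
    """True if one PolicyRule grants `verb` on `api_group/resource`, optionally
    for the named object only. The core API group is the empty string, as in RBAC."""
    verb_ok = "*" in rule["verbs"] or verb in rule["verbs"]
    group_ok = "*" in rule["apiGroups"] or api_group in rule["apiGroups"]
    resource_ok = any(_resource_matches(p, resource) for p in rule["resources"])
    names = rule.get("resourceNames", [])
    name_ok = not names or name in names
    return verb_ok and group_ok and resource_ok and name_ok


def allows(rules: Iterable[Dict], api_group: str, resource: str, verb: str, name: str = "") -> bool:
    """A role grants access if any of its rules does; RBAC rules are purely additive."""
    return any(rule_allows(r, api_group, resource, verb, name) for r in rules)


def wildcard_grants(rules: Iterable[Dict]) -> List[str]:
    """List the rules that use "*" anywhere: their scope grows automatically as
    new API groups and CRDs are installed, so they deserve a reviewer's attention."""
    findings = []
    for r in rules:
        fields = [f for f in ("apiGroups", "resources", "verbs") if "*" in r[f]]
        if fields:
            findings.append(f"{r['apiGroups']} {r['resources']} {r['verbs']} -> wildcard in {fields}")
    return findings


if __name__ == "__main__":
    # The namespace reconciler may read a RepoSync but not delete it ...
    print(allows(NS_RECONCILER_RULES, "configsync.gke.io", "reposyncs", "delete"))
    # ... while it may do anything to ResourceGroups.
    print(allows(NS_RECONCILER_RULES, "kpt.dev", "resourcegroups", "delete"))
    # The resource group manager can read every object, but not modify arbitrary ones.
    print(allows(RESOURCE_GROUP_MANAGER_RULES, "", "secrets", "get"))
    print(allows(RESOURCE_GROUP_MANAGER_RULES, "", "secrets", "update"))
    for line in wildcard_grants(RESOURCE_GROUP_MANAGER_RULES):
        print(line)
```

The read-everything rule in resource-group-manager-role is what lets the controller report status for any managed resource, and it is also the one grant on this page that includes Secrets in every namespace; the wildcard report makes that visible without reading each rule by hand. On a live cluster the same questions can be put to the API server with `kubectl auth can-i --as=system:serviceaccount:<namespace>:<service-account> <verb> <resource>`.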