GKE on AWS uses AWS IAM roles to create and manage clusters and node pools. This page describes how to create the following default roles:
- GKE Multi-Cloud API service agent role: the GKE Multi-Cloud API uses this AWS IAM role to manage resources through the AWS API. This role is used by the service agent.
- Control plane AWS IAM role: your cluster's control plane uses this role to control node pools.
- Node pool AWS IAM role: the control plane uses this role to create node pool VMs.
This page describes how to create roles for the following cases:
- A default set of permissions, usable for testing
- Permissions that can act only on resources that carry specific AWS tags
Choose the option that satisfies your organization's security policy. For more about tags, see Tag AWS resources.
Alternatively, you can scope down the permissions of the AWS IAM roles that GKE on AWS uses to meet your organization's requirements. For more information, see AWS IAM roles.
Before you begin
If you choose to create permissions that can act only on resources with a specific tag, you must choose a tag key and value. You then tag the resources in your cluster with these values to restrict access to them.
Create the GKE Multi-Cloud API service agent role
To create the GKE Multi-Cloud API service agent role, retrieve your Google Cloud project number with the following commands and use it to create the role.
PROJECT_ID="$(gcloud config get-value project)"
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" \
--format "value(projectNumber)")
aws iam create-role --role-name API_ROLE \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "accounts.google.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"accounts.google.com:sub": "service-'$PROJECT_NUMBER'@gcp-sa-gkemulticloud.iam.gserviceaccount.com"
}
}
}
]
}'
Replace API_ROLE with a name for this role.
Save the Amazon Resource Name (ARN) that this command returns for later use.
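The security-relevant part of the trust policy above is the StringEquals condition on accounts.google.com:sub: it pins the role to exactly one Google service agent identity instead of any token issued by accounts.google.com. The following added example (not code from this page or from Google) builds the same document from a project number and checks a candidate trust policy for that pinning before it is passed to aws iam create-role. The project number is a constructed sample value and the function names are this example's own.

```python
import json

# Constructed sample project number; replace it with the output of
# `gcloud projects describe PROJECT_ID --format "value(projectNumber)"`.
SAMPLE_PROJECT_NUMBER = "123456789012"

SERVICE_AGENT_SUFFIX = "@gcp-sa-gkemulticloud.iam.gserviceaccount.com"


def service_agent_email(project_number):
    """The GKE Multi-Cloud service agent identity for a project."""
    return f"service-{project_number}{SERVICE_AGENT_SUFFIX}"


def build_trust_policy(project_number):
    """The same document the page passes to `aws iam create-role`, built as a
    dict so it can be checked and serialized without shell quoting."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {"Federated": "accounts.google.com"},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "accounts.google.com:sub": service_agent_email(project_number)
                    }
                },
            }
        ],
    }


def check_trust_policy(policy, project_number):
    """Return a list of problems; an empty list means every Allow statement is
    pinned to exactly the expected service agent identity."""
    problems = []
    expected = service_agent_email(project_number)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, st in enumerate(statements):
        if st.get("Effect") != "Allow":
            continue
        if st.get("Principal", {}).get("Federated") != "accounts.google.com":
            problems.append(f"statement {i}: principal is not accounts.google.com")
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if actions != ["sts:AssumeRoleWithWebIdentity"]:
            problems.append(f"statement {i}: unexpected actions {actions}")
        sub = st.get("Condition", {}).get("StringEquals", {}).get("accounts.google.com:sub")
        if sub is None:
            problems.append(f"statement {i}: no accounts.google.com:sub condition, "
                            "so any Google identity could assume the role")
        elif sub != expected:
            problems.append(f"statement {i}: sub is {sub!r}, expected {expected!r}")
    return problems


def trust_policy_json(project_number):
    """Pretty JSON suitable for --assume-role-policy-document."""
    return json.dumps(build_trust_policy(project_number), indent=2)


if __name__ == "__main__":
    policy = build_trust_policy(SAMPLE_PROJECT_NUMBER)
    print(trust_policy_json(SAMPLE_PROJECT_NUMBER))
    print("problems:", check_trust_policy(policy, SAMPLE_PROJECT_NUMBER))
```

Run check_trust_policy against any trust policy you already have deployed (for example the output of aws iam get-role) with your real project number; a non-empty result means the role is assumable by more than the intended service agent.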
Create scoped permissions
Choose below whether to create a policy for the GKE Multi-Cloud API service agent role with default permissions, or one scoped to resources that carry a specific tag. Then run the corresponding command:
Default permissions
aws iam create-policy --policy-name API_POLICY \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateLaunchTemplate",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:GetConsoleOutput",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"iam:AWSServiceName",
"iam:CreateServiceLinkedRole",
"iam:GetInstanceProfile",
"iam:PassRole",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:CreateOrUpdateTags",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteTags",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DisableMetricsCollection",
"autoscaling:EnableMetricsCollection",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RemoveTags",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*"
}
]
}'
Replace API_POLICY with a name for the GKE Multi-Cloud API AWS IAM policy.
(Optional) You can set the value of Resource to arn:aws:iam::ACCOUNT_ID:*, replacing ACCOUNT_ID with your AWS account ID, to restrict this policy to resources in a specific account.
Tag-scoped permissions
aws iam create-policy --policy-name API_POLICY_ec2 \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:GetConsoleOutput"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:CreateSecurityGroup"],
"Resource": ["arn:aws:ec2:*:*:security-group/*"],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:CreateSecurityGroup"],
"Resource": ["arn:aws:ec2:*:*:vpc/*"]
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": ["arn:aws:ec2:*:*:security-group/*"],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource": ["arn:aws:ec2:*:*:security-group-rule/*"],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:CreateLaunchTemplate"],
"Resource": ["arn:aws:ec2:*:*:launch-template/*"],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteLaunchTemplate"
],
"Resource": ["arn:aws:ec2:*:*:launch-template/*"],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": ["arn:aws:ec2:*:*:image/ami-*"],
"Condition": {
"StringEquals": {
"ec2:Owner": ["099720109477", "amazon"]
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": [
"arn:aws:ec2:*:*:subnet/*"
],
"Condition": {
"ArnLike": {
"ec2:LaunchTemplate": "arn:aws:ec2:*:*:launch-template/*"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Bool": {
"ec2:IsLaunchTemplateResource": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume"
],
"Resource": ["arn:aws:ec2:*:*:volume/*"],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVolume"
],
"Resource": ["arn:aws:ec2:*:*:volume/*"],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": ["arn:aws:ec2:*:*:network-interface/*"],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:CreateNetworkInterface"],
"Resource": ["arn:aws:ec2:*:*:security-group/*"],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:CreateNetworkInterface"],
"Resource": ["arn:aws:ec2:*:*:subnet/*"]
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute"
],
"Resource": [
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Action": [
"ec2:CreateTags"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:security-group-rule/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Action": [
"ec2:CreateTags"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction" : "RunInstances"
}
}
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:security-group-rule/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifyInstanceAttribute"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:security-group/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
}
]
}'
Replace the following:
- API_POLICY: the prefix for the GKE Multi-Cloud API AWS IAM policies
- ACCESS_CONTROL_TAG_KEY: the tag key that applies to this policy
- ACCESS_CONTROL_TAG_VALUE: the tag value that applies to this policy
(Optional) You can further restrict this policy to an AWS region and account ID. To do so, replace resource values such as arn:aws:ec2:*:*:security-group/* with arn:aws:ec2:AWS_REGION:ACCOUNT_ID:security-group/*.
Copy the ARN created for this policy for use in the following commands.
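Two things are easy to get wrong when filling in the tag-scoped policy above: a stray space in the substituted tag key or value makes the StringEquals condition silently never match, and a statement that keeps Resource "*" for a mutating action defeats the scoping. The following added example (not code from this page or from Google) audits a filled-in policy document for exactly those mistakes and also performs the optional narrowing of arn:aws:ec2:*:*: resources to a region and account ID described above. The tag key, tag value, region, account ID and policy excerpt are constructed sample values; the function names are this example's own.

```python
import copy
import json
import re

# Constructed sample tag; replace with your ACCESS_CONTROL_TAG_KEY / _VALUE.
TAG_KEY = "gke-access"
TAG_VALUE = "prod"

# Constructed excerpt in the shape of the page's API_POLICY_ec2 document,
# with the placeholders already substituted.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeVpcs"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:CreateSecurityGroup"],
         "Resource": ["arn:aws:ec2:*:*:security-group/*"],
         "Condition": {"StringEquals": {f"aws:RequestTag/{TAG_KEY}": TAG_VALUE}}},
        {"Effect": "Allow",
         "Action": ["ec2:DeleteSecurityGroup"],
         "Resource": ["arn:aws:ec2:*:*:security-group/*"],
         "Condition": {"StringEquals": {f"aws:ResourceTag/{TAG_KEY}": TAG_VALUE}}},
    ],
}

# Actions that only read state; everything else is treated as mutating.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)[A-Za-z]*$")
ARN_WILDCARD = re.compile(r"^arn:aws:ec2:\*:\*:")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for statements that grant more than the tag scoping
    intends: whitespace in condition keys or values, mutating actions on
    Resource "*", and mutating actions with no Condition at all."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        mutating = [a for a in actions if not READ_ONLY.match(a)]
        cond = st.get("Condition", {})
        for operator in cond.values():
            for key, value in operator.items():
                if key != key.strip() or (isinstance(value, str) and value != value.strip()):
                    findings.append(f"statement {i}: condition {key!r}: {value!r} has "
                                    "surrounding whitespace and will never match")
        if mutating and "*" in resources:
            findings.append(f"statement {i}: mutating actions {mutating} on Resource \"*\"")
        if mutating and not cond:
            findings.append(f"statement {i}: mutating actions {mutating} have no Condition; "
                            "scoped only by the Resource ARN pattern")
    return findings


def scope_to_region_and_account(policy, region, account_id):
    """Return a copy in which arn:aws:ec2:*:*:... resources are narrowed to
    arn:aws:ec2:REGION:ACCOUNT_ID:..., leaving Resource "*" entries alone."""
    scoped = copy.deepcopy(policy)
    for st in scoped["Statement"]:
        res = st.get("Resource")
        if res is None or res == "*":
            continue
        narrowed = [ARN_WILDCARD.sub(f"arn:aws:ec2:{region}:{account_id}:", r)
                    for r in _as_list(res)]
        st["Resource"] = narrowed if isinstance(res, list) else narrowed[0]
    return scoped


def policy_document(policy):
    """Compact JSON suitable for --policy-document."""
    return json.dumps(policy, separators=(",", ":"))


if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY) or ["no findings"]:
        print(line)
    print(policy_document(scope_to_region_and_account(SAMPLE_POLICY, "us-east-1", "111122223333")))
```

The "no Condition" finding is informational: some statements on this page (for example ec2:CreateSecurityGroup on vpc/*) intentionally rely on the resource ARN alone, so review those rather than treating every finding as an error.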
Create additional policies for using tags
If you use tags to restrict access, follow these steps to create the additional policies. If you use the default policy, skip to Attach policies to the GKE Multi-Cloud API role.
Create a policy to control access to AWS IAM with the following command:
aws iam create-policy --policy-name API_POLICY_iam \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["iam:CreateServiceLinkedRole"],
"Resource": [
"arn:aws:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
],
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "autoscaling.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": ["iam:CreateServiceLinkedRole"],
"Resource": [
"arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
],
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": ["iam:PassRole"],
"Resource": ["arn:aws:iam::*:role/*"],
"Condition": {
"StringEquals": {
"iam:PassedToService": "ec2.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": ["iam:GetInstanceProfile"],
"Resource": ["arn:aws:iam::*:instance-profile/*"]
}
]
}'
Create a policy to control access to AWS EC2 Auto Scaling resources:
aws iam create-policy --policy-name API_POLICY_autoscaling \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["autoscaling:DescribeAutoScalingGroups"],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"autoscaling:CreateAutoScalingGroup",
"autoscaling:CreateOrUpdateTags"
],
"Resource": [
"arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"autoscaling:CreateOrUpdateTags",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteTags",
"autoscaling:DisableMetricsCollection",
"autoscaling:EnableMetricsCollection",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup"
],
"Resource": [
"arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
}
]
}'
Save the ARN that this command returns for later use.
Create a policy to control access to AWS Elastic Load Balancing resources:
aws iam create-policy --policy-name API_POLICY_elasticloadbalancing \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:AddTags"
],
"Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/gke-*"],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RemoveTags"
],
"Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/gke-*"],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:AddTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/net/gke-*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/gke-*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/net/gke-*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/gke-*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
}
]
}'
Save the ARN that this command returns for later use.
Create a policy to control access to AWS Key Management Service resources.
For details about the permissions required for each key, see Create KMS keys with specific permissions.
aws iam create-policy --policy-name API_POLICY_kms \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["kms:DescribeKey"],
"Resource": ["arn:aws:kms:*:*:key/*"]
},
{
"Effect": "Allow",
"Action": ["kms:Encrypt"],
"Resource": "CONTROL_PLANE_CONFIG_KMS_KEY_ARN"
},
{
"Effect": "Allow",
"Action": ["kms:Encrypt"],
"Resource": "NODE_POOL_CONFIG_KMS_KEY_ARN"
},
{
"Effect": "Allow",
"Action": ["kms:GenerateDataKeyWithoutPlaintext"],
"Resource": "CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN"
}
]
}'
Replace the following:
- CONTROL_PLANE_CONFIG_KMS_KEY_ARN: the ARN of your KMS control plane configuration encryption key. If you use only one KMS key for the cluster, use that key's ARN for all the values set here.
- NODE_POOL_CONFIG_KMS_KEY_ARN: the ARN of your KMS node pool configuration encryption key
- CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN: the ARN of your KMS control plane main volume encryption key
Save the ARN that this command returns for later use.
Attach policies to the GKE Multi-Cloud API role
For each policy you created in the previous steps, run the following command to attach the policy to the GKE Multi-Cloud API role:
aws iam attach-role-policy \
--policy-arn API_POLICY_ARN \
--role-name API_ROLE
Replace the following:
- API_POLICY_ARN: the ARN of each policy you created earlier
- API_ROLE: the name of the GKE Multi-Cloud API service agent role
Create a cluster or node pool
If you created roles and policies scoped to tagged resources, you must specify the tags when you create a cluster or node pool. You do this with the --tags flag of the cluster and node pool creation commands.
Create a cluster
To create a cluster, follow the instructions in Create a cluster and add the --tags flag, as shown below:
gcloud container aws clusters create CLUSTER_NAME \
...
--tags="ACCESS_CONTROL_TAG_KEY=ACCESS_CONTROL_TAG_VALUE"
Replace the following:
- ACCESS_CONTROL_TAG_KEY: the tag key that applies to this policy
- ACCESS_CONTROL_TAG_VALUE: the tag value that applies to this policy
Create a node pool
To create a node pool, follow the instructions in Create a node pool and add the --tags flag, as shown below:
gcloud container aws node-pools create NODE_POOL_NAME \
...
--tags "ACCESS_CONTROL_TAG_KEY=ACCESS_CONTROL_TAG_VALUE"
Replace the following:
- ACCESS_CONTROL_TAG_KEY: the tag key that applies to this policy
- ACCESS_CONTROL_TAG_VALUE: the tag value that applies to this policy
Create the control plane role
To create a control plane role with default permissions, follow these steps:
To create the role, run the following command:
aws iam create-role --role-name CONTROL_PLANE_ROLE \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}'
Replace CONTROL_PLANE_ROLE with a name for the control plane role.
Create an IAM policy for this role. If you created multiple KMS keys for database and configuration encryption, add all of their ARNs as a comma-separated list.
Choose whether you want to connect directly to the control plane, or connect directly to the control plane and use tags.
Default permissions
aws iam create-policy --policy-name CONTROL_PLANE_POLICY \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateRoute",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteRoute",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeDhcpOptions",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInternetGateways",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs",
"ec2:DetachVolume",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume",
"ec2:RevokeSecurityGroupIngress",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticfilesystem:CreateAccessPoint",
"elasticfilesystem:DeleteAccessPoint",
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets",
"kms:CreateGrant",
"kms:Decrypt",
"kms:Encrypt",
"kms:GrantIsForAWSResource"
],
"Resource": "*"
}
]
}'
Replace CONTROL_PLANE_POLICY with a name for the control plane policy.
Tag-scoped permissions
aws iam create-policy --policy-name CONTROL_PLANE_POLICY_autoscaling \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeAutoScalingInstances",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeTags"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"Resource": [
"arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
}
]
}'
aws iam create-policy --policy-name CONTROL_PLANE_POLICY_ec2 \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeDhcpOptions",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInternetGateways",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeRegions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshots",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:AttachNetworkInterface"],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:network-interface/*"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume",
"ec2:CreateTags",
"ec2:AttachVolume",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:ModifyVolume"
],
"Resource": ["arn:aws:ec2:*:*:volume/*"]
},
{
"Effect": "Allow",
"Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
"Resource": ["arn:aws:ec2:*:*:instance/*"]
},
{
"Effect": "Allow",
"Action": ["ec2:CreateSecurityGroup", "ec2:CreateTags"],
"Resource": ["arn:aws:ec2:*:*:security-group/*"]
},
{
"Effect": "Allow",
"Action": ["ec2:CreateSecurityGroup"],
"Resource": ["arn:aws:ec2:*:*:vpc/*"]
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": ["arn:aws:ec2:*:*:security-group/*"]
},
{
"Effect": "Allow",
"Action": ["ec2:CreateSnapshot", "ec2:CreateTags", "ec2:DeleteSnapshot"],
"Resource": ["arn:aws:ec2:*:*:snapshot/*"]
},
{
"Effect": "Allow",
"Action": ["ec2:CreateSnapshot"],
"Resource": ["arn:aws:ec2:*:*:volume/*"]
},
{
"Effect": "Allow",
"Action": ["ec2:CreateRoute", "ec2:DeleteRoute"],
"Resource": ["arn:aws:ec2:*:*:route-table/*"]
},
{
"Effect": "Allow",
"Action": ["ec2:ModifyInstanceAttribute"],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:volume/*"
]
},
{
"Effect": "Allow",
"Action": ["ec2:DeleteTags"],
"Resource": [
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:snapshot/*",
"arn:aws:ec2:*:*:volume/*"
]
}
]
}'
aws iam create-policy --policy-name CONTROL_PLANE_POLICY_elasticloadbalancing \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
],
"Resource": ["arn:aws:elasticloadbalancing:*:*:loadbalancer/*"]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:RegisterTargets"
],
"Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/*"]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:ModifyListener"
],
"Resource": ["arn:aws:elasticloadbalancing:*:*:listener/*"]
}
]
}'
aws iam create-policy --policy-name CONTROL_PLANE_POLICY_elasticfilesystem \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:DescribeAccessPoints",
"elasticfilesystem:DescribeFileSystems",
"elasticfilesystem:DescribeMountTargets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:CreateAccessPoint"
],
"Resource": [
"arn:aws:elasticfilesystem:*:*:file-system/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticfilesystem:DeleteAccessPoint"
],
"Resource": [
"arn:aws:elasticfilesystem:*:*:access-point/*"
]
}
]
}'
aws iam create-policy --policy-name CONTROL_PLANE_POLICY_kms \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["kms:Decrypt", "kms:Encrypt"],
"Resource": "DATABASE_KMS_KEY_ARN"
},
{
"Effect": "Allow",
"Action": ["kms:Decrypt"],
"Resource": "CONTROL_PLANE_CONFIG_KMS_KEY_ARN"
},
{
"Effect": "Allow",
"Action": ["kms:CreateGrant"],
"Resource": "CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": "true"
}
}
}
]
}'
Replace the following:
- CONTROL_PLANE_POLICY: the name of the control plane policy
- ACCESS_CONTROL_TAG_KEY: the tag key that applies to this policy
- ACCESS_CONTROL_TAG_VALUE: the tag value that applies to this policy
- DATABASE_KMS_KEY_ARN: the ARN of your KMS etcd encryption key
- CONTROL_PLANE_CONFIG_KMS_KEY_ARN: the ARN of your KMS control plane encryption key
- CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN: the ARN of your KMS control plane main volume encryption key
Copy the value of each Policy.Arn for use in the commands below.
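The KMS policy above is where the text's instruction to "add all of their ARNs as a comma-separated list" applies: each Resource placeholder may become either a single ARN string or a JSON list, and the single-key case reuses one ARN for every placeholder. The following added example (not code from this page or from Google) renders the CONTROL_PLANE_POLICY_kms document from lists of key ARNs, handles the one-key and many-key cases, keeps the kms:GrantIsForAWSResource condition on the CreateGrant statement, and refuses to emit a key/* wildcard for this policy. The key ARNs are constructed sample values and the function names are this example's own.

```python
import json

# Constructed sample KMS key ARNs (not real keys); substitute your own.
SAMPLE_DB_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000001"
SAMPLE_CONFIG_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000002"
SAMPLE_VOLUME_KEY = "arn:aws:kms:us-east-1:111122223333:key/aaaaaaaa-0000-0000-0000-000000000003"


def resource_field(arns):
    """Render one or more key ARNs as an IAM Resource value: a single ARN stays
    a string, several become a JSON list (the comma-separated list the page
    mentions). Duplicates are dropped; an empty set is an error, never '*'."""
    unique = list(dict.fromkeys(arns))
    if not unique:
        raise ValueError("at least one KMS key ARN is required")
    for arn in unique:
        if not arn.startswith("arn:aws:kms:"):
            raise ValueError(f"not a KMS key ARN: {arn}")
    return unique[0] if len(unique) == 1 else unique


def build_control_plane_kms_policy(database_keys, config_keys, main_volume_keys):
    """The same statements as the page's CONTROL_PLANE_POLICY_kms document,
    with the placeholders filled from lists of ARNs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["kms:Decrypt", "kms:Encrypt"],
             "Resource": resource_field(database_keys)},
            {"Effect": "Allow",
             "Action": ["kms:Decrypt"],
             "Resource": resource_field(config_keys)},
            {"Effect": "Allow",
             "Action": ["kms:CreateGrant"],
             "Resource": resource_field(main_volume_keys),
             # Grants may only be created on behalf of an AWS service (EBS),
             # not handed to arbitrary principals.
             "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}},
        ],
    }


def single_key_policy(arn):
    """The single-key case: the same ARN is used for every placeholder."""
    return build_control_plane_kms_policy([arn], [arn], [arn])


def policy_document(policy):
    """Compact JSON suitable for --policy-document."""
    return json.dumps(policy, separators=(",", ":"))


def check_no_wildcard_keys(policy):
    """Return the actions of any statement in this control plane policy whose
    Resource is '*' or a key/* pattern, so unscoped KMS access is caught
    before the policy is created."""
    offending = []
    for st in policy["Statement"]:
        res = st["Resource"]
        res = res if isinstance(res, list) else [res]
        if any(r == "*" or r.endswith(":key/*") for r in res):
            offending.extend(st["Action"])
    return offending


if __name__ == "__main__":
    policy = build_control_plane_kms_policy(
        [SAMPLE_DB_KEY], [SAMPLE_CONFIG_KEY], [SAMPLE_VOLUME_KEY, SAMPLE_DB_KEY])
    print(policy_document(policy))
    print("wildcard findings:", check_no_wildcard_keys(policy))
```

Pass the output of policy_document directly as the --policy-document argument; the wildcard check is specific to this control plane policy, since the API policy on this page legitimately grants kms:DescribeKey on key/*.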
If you use an HTTP proxy, create an additional policy for AWS Secrets Manager.
aws iam create-policy --policy-name CONTROL_PLANE_POLICY_secretsmanager \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "PROXY_CONFIG_ARN"
}
]
}'
Replace the following:
- KMS_KEY_ARN: the ARN of your KMS etcd encryption key
- CONTROL_PLANE_POLICY: the name of the control plane policy
- PROXY_CONFIG_ARN: the ARN of your proxy configuration
Copy the value of each Policy.Arn for use in the next command.
Attach the new policies to the role.
aws iam attach-role-policy \
--policy-arn CONTROL_PLANE_POLICY_ARN \
--role-name CONTROL_PLANE_ROLE
Replace the following:
- CONTROL_PLANE_ROLE: the name of the control plane role
- CONTROL_PLANE_POLICY_ARN: the Policy.Arn value from the previous command
To create an IAM instance profile, run the following command.
aws iam create-instance-profile \
--instance-profile-name CONTROL_PLANE_PROFILE
Replace CONTROL_PLANE_PROFILE with a name for the GKE Multi-Cloud control plane profile.
Finally, add the new role to the instance profile you just created.
aws iam add-role-to-instance-profile \
--instance-profile-name CONTROL_PLANE_PROFILE \
--role-name CONTROL_PLANE_ROLE
Replace the following:
- CONTROL_PLANE_PROFILE: the name of the control plane instance profile
- CONTROL_PLANE_ROLE: the name of the control plane role
You will use the instance profile name chosen here later, when you create the cluster.
Create the node pool role
To create a node pool role with default permissions, follow these steps:
Create the role for the VMs in the node pool you want to use.
aws iam create-role --role-name NODE_POOL_ROLE \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}'
Replace NODE_POOL_ROLE with a name for your node pool role.
Create a policy with the permissions that the node pool VMs need. Choose whether you connect directly to the control plane or use an HTTP proxy.
Direct connection
aws iam create-policy --policy-name NODE_POOL_POLICY_kms \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["kms:Decrypt"],
"Resource": "NODE_POOL_CONFIG_KMS_KEY_ARN"
}
]
}'
Replace the following:
- NODE_POOL_POLICY: the name of your node pool policy.
- NODE_POOL_CONFIG_KMS_KEY_ARN: the ARN of your KMS node pool configuration encryption key.
HTTP proxy
aws iam create-policy --policy-name NODE_POOL_POLICY_kms \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["kms:Decrypt"],
"Resource": "NODE_POOL_CONFIG_KMS_KEY_ARN"
}
]
}'
aws iam create-policy --policy-name NODE_POOL_POLICY_secretsmanager \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetSecretValue"
],
"Resource": "PROXY_CONFIG_ARN"
}
]
}'
Replace the following:
- KMS_KEY_ARN: the KMS key for your node pool.
- NODE_POOL_POLICY: the name of your node pool policy.
- PROXY_CONFIG_ARN: the ARN of the proxy configuration. For more information, see Create a proxy configuration.
Copy the value of each Policy.Arn for use in the next command.
Attach the role to its policies.
aws iam attach-role-policy --role-name NODE_POOL_ROLE \
--policy-arn "NODE_POOL_POLICY_ARN"
Replace the following:
- NODE_POOL_ROLE: the name of the node pool role.
- NODE_POOL_POLICY_ARN: the Policy.Arn value from the previous command.
If your workloads need to use the ECR container registry, attach the following policy to grant ECR access:
Create a policy with the following permissions:
aws iam create-policy --policy-name NODE_POOL_POLICY_ecr \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecr-public:GetAuthorizationToken",
"sts:GetServiceBearerToken"
],
"Resource": "*"
}
]
}'
Copy the value of Policy.Arn as NODE_POOL_ECR_POLICY_ARN.
Attach it to the node pool role you created.
aws iam attach-role-policy --role-name NODE_POOL_ROLE \
--policy-arn "NODE_POOL_ECR_POLICY_ARN"
Replace the following:
- NODE_POOL_ROLE: the name of the node pool role.
- NODE_POOL_ECR_POLICY_ARN: the Policy.Arn value from the previous command.
Attach AmazonEC2ContainerRegistryReadOnly to the node pool role for private registry access:
aws iam attach-role-policy --role-name NODE_POOL_ROLE \
--policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
Replace NODE_POOL_ROLE with the name of your node pool role.
Create an instance profile for this role.
aws iam create-instance-profile \
--instance-profile-name NODE_POOL_PROFILE
Replace NODE_POOL_PROFILE with a name for your node pool profile.
Add the new role to the instance profile.
aws iam add-role-to-instance-profile \
--instance-profile-name NODE_POOL_PROFILE \
--role-name NODE_POOL_ROLE
Replace the following:
- NODE_POOL_PROFILE: the name of the node pool profile.
- NODE_POOL_ROLE: the name of the node pool role.