mirror of
https://github.com/rancher/rancher-docs.git
synced 2026-05-05 20:53:33 +00:00
Billy Tat
224 lines
6.6 KiB
Markdown
224 lines
6.6 KiB
Markdown
---
|
|
title: 最小 EKS 权限
|
|
---
|
|
|
|
此处提供在 Rancher 中使用 EKS 驱动所有功能所需的最小权限。Rancher 需要额外的权限来配置`服务角色`和 `VPC` 资源。你可以选择在创建集群**之前**创建这些资源,以便在定义集群配置时选择这些资源。
|
|
|
|
| 资源 | 描述 |
|
|
---------|------------
|
|
| 服务角色 | 服务角色向 Kubernetes 提供管理资源所需的权限。Rancher 可以使用以下[服务角色权限](#服务角色权限)来创建服务角色。 |
|
|
| VPC | 提供 EKS 和 Worker 节点使用的隔离网络资源。Rancher 使用以下 [VPC 权限](#vpc-权限)创建 VPC 资源。 |
|
|
|
|
|
|
资源定位使用 `*` 作为在 Rancher 中创建 EKS 集群之前,无法已知创建的资源的名称(ARN)。
|
|
|
|
```json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "EC2Permisssions",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"ec2:RunInstances",
|
|
"ec2:RevokeSecurityGroupIngress",
|
|
"ec2:RevokeSecurityGroupEgress",
|
|
"ec2:DescribeInstanceTypes",
|
|
"ec2:DescribeRegions",
|
|
"ec2:DescribeVpcs",
|
|
"ec2:DescribeTags",
|
|
"ec2:DescribeSubnets",
|
|
"ec2:DescribeSecurityGroups",
|
|
"ec2:DescribeRouteTables",
|
|
"ec2:DescribeLaunchTemplateVersions",
|
|
"ec2:DescribeLaunchTemplates",
|
|
"ec2:DescribeKeyPairs",
|
|
"ec2:DescribeInternetGateways",
|
|
"ec2:DescribeImages",
|
|
"ec2:DescribeAvailabilityZones",
|
|
"ec2:DescribeAccountAttributes",
|
|
"ec2:DeleteTags",
|
|
"ec2:DeleteSecurityGroup",
|
|
"ec2:DeleteKeyPair",
|
|
"ec2:CreateTags",
|
|
"ec2:CreateSecurityGroup",
|
|
"ec2:CreateLaunchTemplateVersion",
|
|
"ec2:CreateLaunchTemplate",
|
|
"ec2:CreateKeyPair",
|
|
"ec2:AuthorizeSecurityGroupIngress",
|
|
"ec2:AuthorizeSecurityGroupEgress"
|
|
],
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "CloudFormationPermisssions",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"cloudformation:ListStacks",
|
|
"cloudformation:ListStackResources",
|
|
"cloudformation:DescribeStacks",
|
|
"cloudformation:DescribeStackResources",
|
|
"cloudformation:DescribeStackResource",
|
|
"cloudformation:DeleteStack",
|
|
"cloudformation:CreateStackSet",
|
|
"cloudformation:CreateStack"
|
|
],
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "IAMPermissions",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:PassRole",
|
|
"iam:ListRoles",
|
|
"iam:ListRoleTags",
|
|
"iam:ListInstanceProfilesForRole",
|
|
"iam:ListInstanceProfiles",
|
|
"iam:ListAttachedRolePolicies",
|
|
"iam:GetRole",
|
|
"iam:GetInstanceProfile",
|
|
"iam:DetachRolePolicy",
|
|
"iam:DeleteRole",
|
|
"iam:CreateRole",
|
|
"iam:AttachRolePolicy"
|
|
],
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "KMSPermisssions",
|
|
"Effect": "Allow",
|
|
"Action": "kms:ListKeys",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "EKSPermisssions",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"eks:UpdateNodegroupVersion",
|
|
"eks:UpdateNodegroupConfig",
|
|
"eks:UpdateClusterVersion",
|
|
"eks:UpdateClusterConfig",
|
|
"eks:UntagResource",
|
|
"eks:TagResource",
|
|
"eks:ListUpdates",
|
|
"eks:ListTagsForResource",
|
|
"eks:ListNodegroups",
|
|
"eks:ListFargateProfiles",
|
|
"eks:ListClusters",
|
|
"eks:DescribeUpdate",
|
|
"eks:DescribeNodegroup",
|
|
"eks:DescribeFargateProfile",
|
|
"eks:DescribeCluster",
|
|
"eks:DeleteNodegroup",
|
|
"eks:DeleteFargateProfile",
|
|
"eks:DeleteCluster",
|
|
"eks:CreateNodegroup",
|
|
"eks:CreateFargateProfile",
|
|
"eks:CreateCluster"
|
|
],
|
|
"Resource": "*"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
### 服务角色权限
|
|
|
|
指的是 Rancher 在 EKS 集群创建过程中,代表用户创建服务角色所需的权限。
|
|
|
|
```json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "IAMPermisssions",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"iam:AddRoleToInstanceProfile",
|
|
"iam:AttachRolePolicy",
|
|
"iam:CreateInstanceProfile",
|
|
"iam:CreateRole",
|
|
"iam:CreateServiceLinkedRole",
|
|
"iam:DeleteInstanceProfile",
|
|
"iam:DeleteRole",
|
|
"iam:DetachRolePolicy",
|
|
"iam:GetInstanceProfile",
|
|
"iam:GetRole",
|
|
"iam:ListAttachedRolePolicies",
|
|
"iam:ListInstanceProfiles",
|
|
"iam:ListInstanceProfilesForRole",
|
|
"iam:ListRoles",
|
|
"iam:ListRoleTags",
|
|
"iam:PassRole",
|
|
"iam:RemoveRoleFromInstanceProfile"
|
|
],
|
|
"Resource": "*"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
创建 EKS 集群时,Rancher 将创建具有以下信任策略的服务角色:
|
|
|
|
```json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Action": "sts:AssumeRole",
|
|
"Principal": {
|
|
"Service": "eks.amazonaws.com"
|
|
},
|
|
"Effect": "Allow",
|
|
"Sid": ""
|
|
}
|
|
]
|
|
}
|
|
```
|
|
|
|
此角色还将具有两个角色策略,其中包含以下策略 ARN:
|
|
|
|
```
|
|
arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
|
|
arn:aws:iam::aws:policy/AmazonEKSServicePolicy
|
|
```
|
|
|
|
### VPC 权限
|
|
|
|
Rancher 创建 VPC 和关联资源所需的权限。
|
|
|
|
```json
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "VPCPermissions",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"ec2:ReplaceRoute",
|
|
"ec2:ModifyVpcAttribute",
|
|
"ec2:ModifySubnetAttribute",
|
|
"ec2:DisassociateRouteTable",
|
|
"ec2:DetachInternetGateway",
|
|
"ec2:DescribeVpcs",
|
|
"ec2:DeleteVpc",
|
|
"ec2:DeleteTags",
|
|
"ec2:DeleteSubnet",
|
|
"ec2:DeleteRouteTable",
|
|
"ec2:DeleteRoute",
|
|
"ec2:DeleteInternetGateway",
|
|
"ec2:CreateVpc",
|
|
"ec2:CreateSubnet",
|
|
"ec2:CreateSecurityGroup",
|
|
"ec2:CreateRouteTable",
|
|
"ec2:CreateRoute",
|
|
"ec2:CreateInternetGateway",
|
|
"ec2:AttachInternetGateway",
|
|
"ec2:AssociateRouteTable"
|
|
],
|
|
"Resource": "*"
|
|
}
|
|
]
|
|
}
|
|
```
|