ack-ram-tool

A command-line tool that helps you conveniently perform RAM, access-credential, RBAC-permission and related operations while working with ACK.

You can download the latest version of the command-line tool from the Releases page.

See the documentation for details.

A kubectl/client-go credential plugin for accessing ACK clusters

Obtain a kubeconfig file that uses this credential plugin (a temporary kubeconfig is used):

ack-ram-tool credential-plugin get-kubeconfig --cluster-id <clusterId> > kubeconfig

Use the obtained kubeconfig to access the cluster (a new certificate is fetched automatically before the current one expires):

kubectl --kubeconfig=kubeconfig get ns

Clear the cached access credentials:

rm ~/.kube/cache/ack-ram-tool/credential-plugin/*.json

Enable the RRSA feature for a cluster:

$ ack-ram-tool rrsa enable --cluster-id <clusterId>

? Are you sure you want to enable RRSA feature? Yes
Enable RRSA feature for cluster c86fdd*** successfully

Associate a Service Account with a RAM role (this allows the OIDC token of that Service Account to be used to assume the RAM role):

$ ack-ram-tool rrsa associate-role --cluster-id <clusterId> \
    --namespace <namespace> --service-account <serviceAccountName> \
    --role-name <roleName>

? Are you sure you want to associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace)? Yes
Will change the assumeRolePolicyDocument of RAM Role test-rrsa with blow content:
{
  "Statement": [
   {
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Principal": {
     "RAM": [
      "acs:ram::18***:root"
     ]
    }
   },
   {
    "Action": "sts:AssumeRole",
    "Condition": {
     "StringEquals": {
      "oidc:aud": "sts.aliyuncs.com",
      "oidc:iss": "https://oidc-ack-**/c86fdd***",
      "oidc:sub": "system:serviceaccount:test-namespace:test-serviceaccount"
     }
    },
    "Effect": "Allow",
    "Principal": {
     "Federated": [
      "acs:ram::18***:oidc-provider/ack-rrsa-c86fdd***"
     ]
    }
   }
  ],
  "Version": "1"
}
? Are you sure you want to associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace)? Yes
Associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace) successfully
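The trust policy printed above is what lets a pod's OIDC token assume the role, so its Condition block is worth re-checking after the tool has run. The following check is an added example and is not part of ack-ram-tool; the policy it inspects is copied from the README output above (the masked account id, issuer host and cluster id are kept as the README's placeholders), and the function name is an assumption of this example.

```python
# Trust policy copied from the README's sample `rrsa associate-role` output
# (account id, issuer host and cluster id are the README's masked placeholders).
SAMPLE_POLICY = {
    "Statement": [
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Principal": {"RAM": ["acs:ram::18***:root"]}},
        {"Action": "sts:AssumeRole", "Effect": "Allow",
         "Condition": {"StringEquals": {
             "oidc:aud": "sts.aliyuncs.com",
             "oidc:iss": "https://oidc-ack-**/c86fdd***",
             "oidc:sub": "system:serviceaccount:test-namespace:test-serviceaccount"}},
         "Principal": {"Federated": ["acs:ram::18***:oidc-provider/ack-rrsa-c86fdd***"]}},
    ],
    "Version": "1",
}


def audit_rrsa_trust_policy(policy, expected_issuer, namespace, service_account):
    """Return findings for every federated (OIDC) AssumeRole statement.

    A statement that lets an OIDC provider assume the role must pin the
    audience, the issuer of this cluster and the exact serviceaccount
    subject; anything looser lets other workloads or clusters assume it.
    (Hypothetical helper written for this example.)
    """
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        # Only Allow statements whose principal is an OIDC provider are in scope.
        if stmt.get("Effect") != "Allow" or "Federated" not in stmt.get("Principal", {}):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRole" not in actions:
            continue
        eq = stmt.get("Condition", {}).get("StringEquals", {})
        if eq.get("oidc:aud") != "sts.aliyuncs.com":
            findings.append(f"statement {i}: oidc:aud is not pinned to sts.aliyuncs.com")
        if eq.get("oidc:iss") != expected_issuer:
            findings.append(f"statement {i}: oidc:iss does not match this cluster's OIDC provider")
        sub = eq.get("oidc:sub")
        if sub is None:
            findings.append(f"statement {i}: oidc:sub is missing; any pod in the cluster could assume the role")
        elif sub != expected_sub:
            findings.append(f"statement {i}: oidc:sub is {sub!r}, expected {expected_sub!r}")
    return findings
```

An empty list means the federated statement is bound to exactly the intended cluster issuer and serviceaccount.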

For more information, see the documentation.

To report a security vulnerability you have found, please email kubernetes-[email protected]; you can find more information in the `SECURITY.md <./SECURITY.md>`__ file.