一个协助您在使用 ACK 过程中便捷执行涉及 RAM、访问凭证、RBAC权限等相关操作的命令行工具。
您可以通过 Releases 页面下载最新版的命令行工具。
详见 文档
一个用于访问 ACK 集群的 kubectl/client-go 认证插件 。
获取使用该认证插件的 kubeconfig 文件(使用临时 kubeconfig):
ack-ram-tool credential-plugin get-kubeconfig --cluster-id <clusterId> > kubeconfig
使用获取的 kubeconfig 访问集群(在证书过期前会自动获取新的证书):
kubectl --kubeconfig=kubeconfig get ns
清理缓存的访问凭证:
rm ~/.kube/cache/ack-ram-tool/credential-plugin/*.json
为集群启用 RRSA 特性 :
$ ack-ram-tool rrsa enable --cluster-id <clusterId>
? Are you sure you want to enable RRSA feature? Yes
Enable RRSA feature for cluster c86fdd*** successfully
为 RAM 角色关联一个 Service Account(允许使用这个 Service Account 的 OIDC Token 来扮演此 RAM 角色:
$ ack-ram-tool rrsa associate-role --cluster-id <clusterId> \
--namespace <namespce> --service-account <serviceAccountName> \
--role-name <roleName>
? Are you sure you want to associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace)? Yes
Will change the assumeRolePolicyDocument of RAM Role test-rrsa with blow content:
{
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"RAM": [
"acs:ram::18***:root"
]
}
},
},
{
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"oidc:aud": "sts.aliyuncs.com",
"oidc:iss": "https://oidc-ack-**/c86fdd***",
"oidc:sub": "system:serviceaccount:test-namespace:test-serviceaccount"
}
},
"Effect": "Allow",
"Principal": {
"Federated": [
"acs:ram::18***:oidc-provider/ack-rrsa-c86fdd***"
]
}
}
],
"Version": "1"
}
? Are you sure you want to associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace)? Yes
Associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace) successfully
更多信息详见 文档
对于发现的安全漏洞,请邮件发送至kubernetes-[email protected],您可在`SECURITY.md <./SECURITY.md>`__文件中找到更多信息。