日本熟妇hd丰满老熟妇,中文字幕一区二区三区在线不卡 ,亚洲成片在线观看,免费女同在线一区二区

AI 助理
備案控制臺
文檔
有獎調研
輸入文檔關鍵字查找
首頁 容器服務 Kubernetes 版 ACK 容器服務 Kubernetes 版 操作指南 集群 連接集群 管理KubeConfig 通過ack-ram-tool清理集群中指定用戶的權限

通過ack-ram-tool清理集群中指定用戶的權限

更新時間:
產品詳情
相關技術圈
我的收藏

ack-ram-tool是容器服務 Kubernetes 版為輔助您管理集群RAM和RBAC權限提供的命令行工具。當用戶離職或權限需要變更時,通過ack-ram-tool工具您可以及時清理集群中已刪除用戶的權限,避免安全風險。

步驟一:安裝配置ack-ram-tool

  1. 執行以下命令,根據不同操作系統選擇安裝配置ack-ram-tool。

    展開查看Darwin_arm64系統的ack-ram-tool安裝配置

    cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Darwin_arm64.tar.gz
tar zxvf ack-ram-tool_0.18.0_Darwin_arm64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version

    展開查看Darwin_x86_64系統的ack-ram-tool安裝配置

    cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Darwin_x86_64.tar.gz
tar zxvf ack-ram-tool_0.18.0_Darwin_x86_64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version

    展開查看Linux_arm64系統的ack-ram-tool安裝配置

    cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Linux_arm64.tar.gz 
tar zxvf ack-ram-tool_0.18.0_Linux_arm64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version

    展開查看Linux_x86_64系統的ack-ram-tool安裝配置

    cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Linux_x86_64.tar.gz
tar zxvf ack-ram-tool_0.18.0_Linux_x86_64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version

  2. 通過以下任一方式配置ack-ram-tool所需的訪問憑證。

    • 自動從如下環境變量中讀取憑證信息。

      • ALIBABA_CLOUD_ACCESS_KEY_ID

      • ALIBABA_CLOUD_ACCESS_KEY_SECRET

      • ALIBABA_CLOUD_SECURITY_TOKEN,關于如何獲取SECURITY_TOKEN,請參見什么是STS。

    • 從aliyun CLI配置文件~/.aliyun/config.json中讀取憑證信息。關于配置方法,請參見配置憑證

步驟二:配置ack-ram-tool訪問憑證所需的權限

ack-ram-tool使用的訪問憑證需要擁有RAM權限和集群的RBAC權限。

  1. 為RAM用戶授予如下權限。具體操作,請參見為RAM用戶授權。

    {
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:ListUsers",
        "ram:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}

  2. 為RAM用戶授予集群的RBAC管理員權限。

    1. 登錄容器服務管理控制臺,在左側導航欄選擇授權管理。

    2. 在授權管理頁面,單擊RAM 用戶頁簽,找到待添加的RAM用戶,單擊右側的管理權限,進入權限管理頁面。

    3. 單擊添加權限,選擇集群命名空間,選擇權限管理管理員的權限,然后單擊提交授權

步驟三:查詢集群內指定RAM用戶的RBAC Binding

您可以通過ack-ram-tool rbac scan-user-permissions命令,查詢目標集群內指定RAM用戶的RBAC Binding信息。

僅查詢已刪除的RAM用戶和角色的RBAC Binding

執行以下命令,查看集群內已刪除的RAM用戶和角色的RBAC Binding信息。

ack-ram-tool rbac scan-user-permissions -c <集群ID>

預期輸出:

2023-12-12T15:34:37+08:00 INFO start to scan users and bindings for cluster c401890df511a4362bf24bece4da****
2023-12-12T15:34:43+08:00 WARN by default, only deleted users are included. Use the --all-users flag to include all users
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding

UserType的參數說明如下:

UserType的值

說明

RamRole

RAM角色

RamUser

RAM用戶

Root

阿里云賬號(主賬號)

查詢所有RAM用戶和角色的RBAC Binding

執行以下命令,查看所有RAM用戶和角色的RBAC Binding信息。

ack-ram-tool rbac scan-user-permissions --all-users -c <集群ID>

預期輸出:

2023-12-12T15:36:00+08:00 INFO Start to scan users and bindings for cluster c401890df511a4362bf24bece4da6****
UID                           UserType  UserName                   Binding                                                                
30032484611590**** (deleted)  RamRole                              ClusterRoleBinding/-/30032484611590****-clusterrolebinding              
20492499986425**** (deleted)  RamUser                              ClusterRoleBinding/-/20492499986425****-clusterrolebinding              
27203272572548****            RamUser   scan                       ClusterRoleBinding/-/27203272572548****-clusterrolebinding        
113802571552****              Root                                 ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding  
29068913515444****            RamUser   test-ack-ram-check         ClusterRoleBinding/-/29068913515444****-clusterrolebinding

查詢當前阿里云賬號下所有集群的RBAC Binding

執行以下命令,查看當前阿里云賬號下所有集群的RBAC Binding信息。

ack-ram-tool rbac scan-user-permissions -c all

預期輸出:

2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T16:44:55+08:00 INFO start to get all clusters, users and roles
2023-12-12T16:44:58+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T16:44:58+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan bindings for cluster c401890df511a4362bf24bece4da6****
2023-12-12T16:45:00+08:00 WARN [c401890df511a4362bf24bece4da6****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c401890df511a4362bf24bece4da6****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
20492499986425**** (deleted)  RamUser             ClusterRoleBinding/-/20492499986425****-clusterrolebinding  
2023-12-12T16:45:00+08:00 INFO ---- c137a979dec21472c8279c903cfc**** (test-pro) ----
2023-12-12T16:45:00+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan bindings for cluster c137a979dec21472c8279c903cfce****
2023-12-12T16:45:01+08:00 WARN [c137a979dec21472c8279c903cfce****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c137a979dec21472c8279c903cfce****
UID                           UserType  UserName  Binding                                                    
30086537005566**** (deleted)  RamRole             ClusterRoleBinding/-/30086537005566****-clusterrolebinding  
24320678733226**** (deleted)  RamUser             ClusterRoleBinding/-/24320678733226****-clusterrolebinding

步驟四:清理集群內指定RAM用戶或RAM角色的RBAC Binding并清除KubeConfig權限

您可以通過ack-ram-tool rbac cleanup-user-permissions命令,清理目標集群內指定RAM用戶或RAM角色的RBAC Binding以及清除該用戶的KubeConfig。

重要

  • 當日志中出現this user has been active in the past 7 days時,表明目標RAM用戶或RAM角色最近7天內有集群訪問記錄,請謹慎操作。

  • 執行清理操作前,ack-ram-tool工具會在當前目錄下以集群ID命名的文件夾中備份待刪除的Binding原始JSON文件。

清理RAM用戶或RAM角色在單個集群中的權限

執行以下命令,清理指定RAM用戶或RAM角色在單個集群中的權限。

以下命令行中的<UID>,您可以通過ack-ram-tool rbac scan-user-permissions -c <集群ID>命令獲取。

ack-ram-tool rbac cleanup-user-permissions -c <集群ID> -u <UID>

預期輸出:

展開查看預期輸出

2023-12-12T18:17:10+08:00 INFO start to scan users and bindings
2023-12-12T18:17:15+08:00 WARN we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T18:17:15+08:00 WARN we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T18:17:15+08:00 INFO start to check cluster audit log for user 25908395708943****
2023-12-12T18:17:16+08:00 WARN this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76e****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T18:17:37+08:00 INFO start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:38+08:00 INFO the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T18:17:38+08:00 INFO start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO all bindings and permissions have been cleaned up

清理RAM用戶或RAM角色在所有集群中的權限

執行以下命令,清理指定RAM用戶或角色在當前阿里云賬號下所有集群中的RBAC Binding,并清除其KubeConfig。

ack-ram-tool rbac cleanup-user-permissions -c all -u <UID>

預期輸出:

展開查看預期輸出

2023-12-12T19:28:23+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T19:28:23+08:00 INFO start to get all clusters, users and roles
2023-12-12T19:28:24+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up bindings and permissions for cluster c401890df511a4362bf24bece4da6**** 
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan users and bindings
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****  RamUser   ack-admin  ClusterRoleBinding/-/25908395708943****-clusterrolebinding  
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up kubeconfig permissions for users as follows:
UID: 259083957089437690
2023-12-12T19:28:25+08:00 INFO [c401890df511a4362bf24bece4da6****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c401890df511a4362bf24bece4da****  
sls logstore: audit-c401890df511a4362bf24bece4da6**** 
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to backup binding ClusterRoleBinding/-/25908395708943**** -clusterrolebinding
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c401890df511a4362bf24bece4da6**** /ClusterRoleBinding--259083957089437XXX-clusterrolebinding.json
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] all bindings and permissions have been cleaned up
2023-12-12T19:28:49+08:00 INFO ---- c137a979dec21472c8279c903cfce****  (test-pro) ----
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up bindings and permissions for cluster c137a979dec21472c8279c903cfce**** 
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan users and bindings
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up RBAC bindings as follows:
UID                 UserType  UserName   Binding                                                    
25908395708943****   RamUser   ack-admin  ClusterRoleBinding/-/25908395708943**** -clusterrolebinding  
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943**** 
2023-12-12T19:28:51+08:00 INFO [c137a979dec21472c8279c903cfce****] start to check cluster audit log for user 25908395708943**** 
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T17:55:50+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce**** 
sls logstore: audit-c137a979dec21472c8279c903cfce**** 
last activity: 2023-12-12T17:55:50+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce**** /ClusterRoleBinding--25908395708943**** -clusterrolebinding.json
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] finished clean up kubeconfig permissions for uid 25908395708943**** 
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] all bindings and permissions have been cleaned up

相關文檔

如需了解更多KubeConfig管理的內容,請參見清除KubeConfig