ack-ram-tool is a command-line tool provided by Container Service for Kubernetes (ACK) to help you manage the RAM and RBAC permissions of your clusters. When a user leaves the organization or permissions need to change, you can use ack-ram-tool to promptly remove the permissions of deleted users from the cluster and avoid the security risk of stale bindings.
Step 1: Install and configure ack-ram-tool
Run the following commands to install ack-ram-tool, choosing the package for your operating system and CPU architecture.
macOS (arm64):
cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Darwin_arm64.tar.gz
tar zxvf ack-ram-tool_0.18.0_Darwin_arm64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version
macOS (x86_64):
cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Darwin_x86_64.tar.gz
tar zxvf ack-ram-tool_0.18.0_Darwin_x86_64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version
Linux (arm64):
cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Linux_arm64.tar.gz
tar zxvf ack-ram-tool_0.18.0_Linux_arm64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version
Linux (x86_64):
cd /tmp
wget https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v0.18.0/ack-ram-tool_0.18.0_Linux_x86_64.tar.gz
tar zxvf ack-ram-tool_0.18.0_Linux_x86_64.tar.gz
cp ack-ram-tool /usr/local/bin
ack-ram-tool version
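The four install sequences above differ only in the archive name. The following script is an added example, not part of the ack-ram-tool project: it maps `uname -s` and `uname -m` to the OS and architecture names used in the download URLs above, and only performs the download and copy to /usr/local/bin when invoked with the argument `install`. The function names (`ack_ram_tool_url`, `ack_ram_tool_install`) and the `install` argument are this example's own conventions; no checksum is verified because the page lists none.

```shell
#!/bin/sh
# Added example (not part of the ack-ram-tool project): choose the matching
# v0.18.0 release archive from the URLs documented above based on uname output.
set -eu

ACK_RAM_TOOL_VERSION="0.18.0"
ACK_RAM_TOOL_BASE="https://ack-ram-tool.oss-cn-hangzhou.aliyuncs.com/dist/v${ACK_RAM_TOOL_VERSION}"

# Map an OS name ($1, as from `uname -s`) and CPU architecture ($2, as from
# `uname -m`) to the download URL. Prints the URL on stdout; returns 1 for
# platforms that have no archive in the list above.
ack_ram_tool_url() {
  os="$1"
  arch="$2"
  case "$os" in
    Darwin) os_name="Darwin" ;;
    Linux)  os_name="Linux" ;;
    *) echo "unsupported OS: $os" >&2; return 1 ;;
  esac
  case "$arch" in
    arm64|aarch64) arch_name="arm64" ;;
    x86_64|amd64)  arch_name="x86_64" ;;
    *) echo "unsupported architecture: $arch" >&2; return 1 ;;
  esac
  echo "${ACK_RAM_TOOL_BASE}/ack-ram-tool_${ACK_RAM_TOOL_VERSION}_${os_name}_${arch_name}.tar.gz"
}

# Download, unpack and install the binary, then print its version.
# Needs network access and write permission to /usr/local/bin.
ack_ram_tool_install() {
  url="$(ack_ram_tool_url "$(uname -s)" "$(uname -m)")"
  tmpdir="$(mktemp -d)"
  (
    cd "$tmpdir"
    wget -q "$url"
    tar zxvf "$(basename "$url")"
    cp ack-ram-tool /usr/local/bin
  )
  rm -rf "$tmpdir"
  ack-ram-tool version
}

# Only touch the network and /usr/local/bin when explicitly asked; otherwise
# just report which archive would be fetched for this host.
if [ "${1:-}" = "install" ]; then
  ack_ram_tool_install
else
  url="$(ack_ram_tool_url "$(uname -s)" "$(uname -m)")" && echo "Would download: $url"
fi
```

Run it without arguments to see which archive matches the host, then with `install` to perform the same steps as the manual sequence above.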
Configure the access credentials that ack-ram-tool needs by any of the following methods.
Step 2: Grant the required permissions to the access credentials used by ack-ram-tool
The access credentials used by ack-ram-tool must have both RAM permissions and RBAC permissions on the cluster.
Grant the RAM user the following permissions. For details, see Grant permissions to a RAM user.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ram:ListUsers",
        "ram:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
Grant the RAM user RBAC administrator permissions on the cluster.
Log on to the ACK console. In the left-side navigation pane, choose Authorizations.
On the Authorizations page, click the RAM Users tab, find the RAM user to authorize, and click Manage Permissions on the right to go to the permission management page.
Click Add Permissions, select the cluster and namespace, set the permission to Administrator, and click Submit.
Step 3: Query the RBAC bindings of a specified RAM user in a cluster
You can use the ack-ram-tool rbac scan-user-permissions command to query the RBAC bindings of specified RAM users in the target cluster.
Query only the RBAC bindings of deleted RAM users and roles
Run the following command to view the RBAC bindings that belong to deleted RAM users and RAM roles in the cluster.
ack-ram-tool rbac scan-user-permissions -c <cluster ID>
Expected output:
2023-12-12T15:34:37+08:00 INFO start to scan users and bindings for cluster c401890df511a4362bf24bece4da****
2023-12-12T15:34:43+08:00 WARN by default, only deleted users are included. Use the --all-users flag to include all users
UID UserType UserName Binding
30086537005566**** (deleted) RamRole ClusterRoleBinding/-/30086537005566****-clusterrolebinding
24320678733226**** (deleted) RamUser ClusterRoleBinding/-/24320678733226****-clusterrolebinding
The values of UserType are described as follows:
UserType value | Description
RamRole | RAM role
RamUser | RAM user
Root | Alibaba Cloud account (root account)
Query the RBAC bindings of all RAM users and roles
Run the following command to view the RBAC bindings of all RAM users and RAM roles in the cluster.
ack-ram-tool rbac scan-user-permissions --all-users -c <cluster ID>
Expected output:
2023-12-12T15:36:00+08:00 INFO Start to scan users and bindings for cluster c401890df511a4362bf24bece4da6****
UID UserType UserName Binding
30032484611590**** (deleted) RamRole ClusterRoleBinding/-/30032484611590****-clusterrolebinding
20492499986425**** (deleted) RamUser ClusterRoleBinding/-/20492499986425****-clusterrolebinding
27203272572548**** RamUser scan ClusterRoleBinding/-/27203272572548****-clusterrolebinding
113802571552**** Root ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding
29068913515444**** RamUser test-ack-ram-check ClusterRoleBinding/-/29068913515444****-clusterrolebinding
Query the RBAC bindings in all clusters under the current Alibaba Cloud account
Run the following command to view the RBAC bindings in all clusters under the current Alibaba Cloud account.
ack-ram-tool rbac scan-user-permissions -c all
Expected output:
2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T16:44:55+08:00 INFO start to get all clusters, users and roles
2023-12-12T16:44:58+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T16:44:58+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan bindings for cluster c401890df511a4362bf24bece4da6****
2023-12-12T16:45:00+08:00 WARN [c401890df511a4362bf24bece4da6****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c401890df511a4362bf24bece4da6****
UID UserType UserName Binding
30086537005566**** (deleted) RamRole ClusterRoleBinding/-/30086537005566****-clusterrolebinding
20492499986425**** (deleted) RamUser ClusterRoleBinding/-/20492499986425****-clusterrolebinding
2023-12-12T16:45:00+08:00 INFO ---- c137a979dec21472c8279c903cfc**** (test-pro) ----
2023-12-12T16:45:00+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan bindings for cluster c137a979dec21472c8279c903cfce****
2023-12-12T16:45:01+08:00 WARN [c137a979dec21472c8279c903cfce****] by default, only deleted users are included. Use the --all-users flag to include all users
ClusterId: c137a979dec21472c8279c903cfce****
UID UserType UserName Binding
30086537005566**** (deleted) RamRole ClusterRoleBinding/-/30086537005566****-clusterrolebinding
24320678733226**** (deleted) RamUser ClusterRoleBinding/-/24320678733226****-clusterrolebinding
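The scan output above is plain text: log lines, a per-cluster `ClusterId:` line when `-c all` is used, a column header, and one binding per row where deleted principals carry a `(deleted)` marker after the UID. The following script is an added example, not code from the ack-ram-tool project: it extracts every binding of a deleted RAM user or RAM role from that output and prints the matching cleanup command per cluster without running it, so the list can be reviewed first. The sample output embedded in it is constructed to mirror the format shown above (with the same masked UIDs), and the function names (`deleted_principals`, `cleanup_plan`, `deleted_count`) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the ack-ram-tool project): turn the text output of
# `ack-ram-tool rbac scan-user-permissions` into a reviewable cleanup plan for
# deleted RAM users and roles.
set -eu

# Constructed sample resembling `scan-user-permissions -c all` for two clusters.
SAMPLE_SCAN_OUTPUT='2023-12-12T16:44:55+08:00 INFO start to scan users and bindings for all clusters
ClusterId: c401890df511a4362bf24bece4da6****
UID UserType UserName Binding
30086537005566**** (deleted) RamRole ClusterRoleBinding/-/30086537005566****-clusterrolebinding
20492499986425**** (deleted) RamUser ClusterRoleBinding/-/20492499986425****-clusterrolebinding
27203272572548**** RamUser scan ClusterRoleBinding/-/27203272572548****-clusterrolebinding
ClusterId: c137a979dec21472c8279c903cfce****
UID UserType UserName Binding
30086537005566**** (deleted) RamRole ClusterRoleBinding/-/30086537005566****-clusterrolebinding
113802571552**** Root ClusterRoleBinding/-/113802571552****-cluster-admin-clusterrolebinding'

# Read scan output on stdin and print "<cluster-id> <uid> <user-type>" for
# every binding whose principal is marked "(deleted)". Log lines and column
# headers never match and are skipped. For single-cluster output (no
# "ClusterId:" line), the cluster id is taken from $1.
deleted_principals() {
  awk -v cluster="${1:-}" '
    $1 == "ClusterId:" { cluster = $2; next }
    $2 == "(deleted)"  { print cluster, $1, $3 }
  '
}

# Print one cleanup command per (cluster, uid) pair, de-duplicated. Nothing is
# executed here; the operator runs the commands after reviewing the list.
cleanup_plan() {
  deleted_principals "$@" | sort -u | awk '{
    printf "ack-ram-tool rbac cleanup-user-permissions -c %s -u %s   # %s\n", $1, $2, $3
  }'
}

# Number of bindings held by deleted principals; a non-zero value is the
# signal that stale permissions remain in the account.
deleted_count() {
  deleted_principals "$@" | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_SCAN_OUTPUT" | cleanup_plan
```

In practice, pipe the real scan into it: `ack-ram-tool rbac scan-user-permissions -c all | cleanup_plan`, or `ack-ram-tool rbac scan-user-permissions -c <cluster ID> | cleanup_plan <cluster ID>` for a single cluster. The `Root` row in the sample is deliberately not selected, since only principals marked `(deleted)` are candidates for cleanup.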
Step 4: Remove the RBAC bindings of a specified RAM user or RAM role from a cluster and revoke its KubeConfig
You can use the ack-ram-tool rbac cleanup-user-permissions command to remove the RBAC bindings of a specified RAM user or RAM role from the target cluster and revoke that user's KubeConfig.
If the log shows this user has been active in the past 7 days, the target RAM user or RAM role has accessed the cluster within the last 7 days; proceed with caution. Before performing the cleanup, ack-ram-tool backs up the original JSON of each binding to be deleted into a folder named after the cluster ID in the current directory.
Remove the permissions of a RAM user or RAM role from a single cluster
Run the following command to remove the permissions of a specified RAM user or RAM role from a single cluster. You can obtain the <UID> used in the command from the output of ack-ram-tool rbac scan-user-permissions -c <cluster ID>.
ack-ram-tool rbac cleanup-user-permissions -c <cluster ID> -u <UID>
Expected output:
2023-12-12T18:17:10+08:00 INFO start to scan users and bindings
2023-12-12T18:17:15+08:00 WARN we will clean up RBAC bindings as follows:
UID UserType UserName Binding
25908395708943**** RamUser ack-admin ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:15+08:00 WARN we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T18:17:15+08:00 INFO start to check cluster audit log for user 25908395708943****
2023-12-12T18:17:16+08:00 WARN this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76e****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T18:17:37+08:00 INFO start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T18:17:38+08:00 INFO the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T18:17:38+08:00 INFO start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T18:17:38+08:00 INFO all bindings and permissions have been cleaned up
Remove the permissions of a RAM user or RAM role from all clusters
Run the following command to remove the RBAC bindings of a specified RAM user or RAM role from all clusters under the current Alibaba Cloud account and revoke its KubeConfig.
ack-ram-tool rbac cleanup-user-permissions -c all -u <UID>
Expected output:
2023-12-12T19:28:23+08:00 INFO start to scan users and bindings for all clusters
2023-12-12T19:28:23+08:00 INFO start to get all clusters, users and roles
2023-12-12T19:28:24+08:00 INFO ---- c401890df511a4362bf24bece4da6**** (test-pro111323223) ----
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up bindings and permissions for cluster c401890df511a4362bf24bece4da6****
2023-12-12T19:28:24+08:00 INFO [c401890df511a4362bf24bece4da6****] start to scan users and bindings
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up RBAC bindings as follows:
UID UserType UserName Binding
25908395708943**** RamUser ack-admin ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] we will clean up kubeconfig permissions for users as follows:
UID: 259083957089437690
2023-12-12T19:28:25+08:00 INFO [c401890df511a4362bf24bece4da6****] start to check cluster audit log for user 25908395708943****
2023-12-12T19:28:25+08:00 WARN [c401890df511a4362bf24bece4da6****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T10:27:56+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c401890df511a4362bf24bece4da****
sls logstore: audit-c401890df511a4362bf24bece4da6****
last activity: 2023-12-12T10:27:56+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c401890df511a4362bf24bece4da6****/ClusterRoleBinding--259083957089437XXX-clusterrolebinding.json
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:49+08:00 INFO [c401890df511a4362bf24bece4da6****] all bindings and permissions have been cleaned up
2023-12-12T19:28:49+08:00 INFO ---- c137a979dec21472c8279c903cfce**** (test-pro) ----
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up bindings and permissions for cluster c137a979dec21472c8279c903cfce****
2023-12-12T19:28:49+08:00 INFO [c137a979dec21472c8279c903cfce****] start to scan users and bindings
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up RBAC bindings as follows:
UID UserType UserName Binding
25908395708943**** RamUser ack-admin ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] we will clean up kubeconfig permissions for users as follows:
UID: 25908395708943****
2023-12-12T19:28:51+08:00 INFO [c137a979dec21472c8279c903cfce****] start to check cluster audit log for user 25908395708943****
2023-12-12T19:28:51+08:00 WARN [c137a979dec21472c8279c903cfce****] this user has been active in the past 7 days, and the last activity time was: 2023-12-12T17:55:50+08:00. You will find the relevant audit log details below:
sls project: k8s-log-c137a979dec21472c8279c903cfce****
sls logstore: audit-c137a979dec21472c8279c903cfce****
last activity: 2023-12-12T17:55:50+08:00 (auditID: 8f6f1483-77f3-44b3-85cb-f23d1a76****)
? Are you sure you want to clean up these bindings and permissions? Yes
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to backup binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] the origin binding ClusterRoleBinding/-/25908395708943****-clusterrolebinding have been backed up to file c137a979dec21472c8279c903cfce****/ClusterRoleBinding--25908395708943****-clusterrolebinding.json
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] start to clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] finished clean up kubeconfig permissions for uid 25908395708943****
2023-12-12T19:28:52+08:00 INFO [c137a979dec21472c8279c903cfce****] all bindings and permissions have been cleaned up
Related documentation
For more information about KubeConfig management, see Revoke a KubeConfig.