Default Config Sync permissions

This page lists the default cluster-level permissions that Config Sync and its components need in order to function correctly.

Default permissions

The following table lists the permissions that Config Sync enables by default. Do not disable these permissions while you are using Config Sync.

Component: reconciler-manager
Namespace: config-management-system
Service account: reconciler-manager
Permission: cluster-admin
Description: reconciler-manager must have cluster-admin so that it can provision root reconcilers and create the ClusterRoleBindings for them.

Component: root reconcilers
Namespace: config-management-system
Service account: the name of the root reconciler
Permission: cluster-admin
Description: Root reconcilers must have cluster-admin so that they can apply cluster-scoped resources and custom resources.

Component: namespace reconcilers
Namespace: config-management-system
Service account: the name of the namespace reconciler
Permission: configsync.gke.io:ns-reconciler
Description: Namespace reconcilers need configsync.gke.io:ns-reconciler so that they can get and update RepoSync and ResourceGroup objects and their status.

Component: resource-group-controller-manager
Namespace: config-management-system
Service account: resource-group-sa
Permission: resource-group-manager-role and resource-group-leader-election-role
Description: resource-group-controller-manager needs the resource-group-manager-role and resource-group-leader-election-role roles so that it can check the status of objects and run leader election.

Component: admission-webhook
Namespace: config-management-system
Service account: admission-webhook
Permission: cluster-admin
Description: The admission webhook must have cluster-admin so that it can reject requests against any object on the cluster.

Component: importer
Namespace: config-management-system
Service account: importer
Permission: cluster-admin
Description: The importer must have cluster-admin so that it can set up RBAC permissions.

Config Sync-specific permissions

The following sections describe in detail the configsync.gke.io:ns-reconciler, resource-group-manager-role and resource-group-leader-election-role permissions listed in the table above.

Config Sync applies these permissions automatically by including the following ClusterRoles in the manifests of the namespace reconciler and the resource group controller.

RBAC for the namespace reconciler

The following ClusterRole shows the role-based access control permissions of the namespace reconciler:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: configsync.gke.io:ns-reconciler
  labels:
    configmanagement.gke.io/system: "true"
    configmanagement.gke.io/arch: "csmr"
rules:
- apiGroups: ["configsync.gke.io"]
  resources: ["reposyncs"]
  verbs: ["get"]
- apiGroups: ["configsync.gke.io"]
  resources: ["reposyncs/status"]
  verbs: ["get","list","update"]
- apiGroups: ["kpt.dev"]
  resources: ["resourcegroups"]
  verbs: ["*"]
- apiGroups: ["kpt.dev"]
  resources: ["resourcegroups/status"]
  verbs: ["*"]
- apiGroups:
  - policy
  resources:
  - podsecuritypolicies
  resourceNames:
  - acm-psp
  verbs:
  - use

RBAC for the resource group controller

The following ClusterRole and Role show the role-based access control permissions of the resource group controller:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  creationTimestamp: null
  labels:
    configmanagement.gke.io/arch: "csmr"
    configmanagement.gke.io/system: "true"
  name: resource-group-manager-role
rules:
# This permission is needed to get the status for managed resources
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
# This permission is needed to watch/unwatch types as they are registered or removed.
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - get
  - list
  - watch
# This permission is needed so that the ResourceGroup Controller can reconcile a ResourceGroup CR
- apiGroups:
  - kpt.dev
  resources:
  - resourcegroups
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
# This permission is needed so that the ResourceGroup Controller can update the status of a ResourceGroup CR
- apiGroups:
  - kpt.dev
  resources:
  - resourcegroups/status
  verbs:
  - get
  - patch
  - update
# This permission is needed so that the ResourceGroup Controller can work on a cluster with PSP enabled
- apiGroups:
  - policy
  resourceNames:
  - acm-psp
  resources:
  - podsecuritypolicies
  verbs:
  - use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  labels:
    configmanagement.gke.io/arch: "csmr"
    configmanagement.gke.io/system: "true"
  name: resource-group-leader-election-role
  namespace: resource-group-system
# The following permissions are needed so that the leader election can work
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - get
  - list
  - watch
  - create
  - update
  - patch
  - delete
- apiGroups:
  - ""
  resources:
  - configmaps/status
  verbs:
  - get
  - update
  - patch
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
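The two ClusterRoles above are easier to reason about when you can ask concrete questions of them: can a namespace reconciler update the RepoSync object itself, or only its status? Can the resource group controller read Secrets? The following is an added example, not Config Sync or Kubernetes code: a small offline evaluator that applies the documented Kubernetes RBAC matching semantics (a `*` wildcard in `apiGroups`, `resources` or `verbs`; `resourceNames` as a restriction to named objects; `resource/subresource` treated as a distinct resource from `resource`) to the rules transcribed by hand from the `configsync.gke.io:ns-reconciler` and `resource-group-manager-role` ClusterRoles on this page. The `Rule` and `Request` types, the request tuples and the `wildcard_rules` audit helper are constructed for illustration. It evaluates only the rules shown on this page, not the full effective permissions of a service account in a live cluster, which also depend on the bindings and any other roles attached to it.

```python
"""Offline evaluator for the Config Sync ClusterRoles shown on this page.

Added example, not Config Sync or Kubernetes code. The rules are transcribed
by hand from the page; the request tuples are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    api_groups: List[str]
    resources: List[str]
    verbs: List[str]
    resource_names: List[str] = field(default_factory=list)


@dataclass
class Request:
    verb: str
    api_group: str          # "" is the core API group
    resource: str           # e.g. "reposyncs" or "reposyncs/status"
    name: Optional[str] = None


def _match(patterns: List[str], value: str) -> bool:
    return "*" in patterns or value in patterns


def _resource_match(patterns: List[str], resource: str) -> bool:
    # "*" matches every resource; "*/status" matches the status subresource
    # of any resource. A rule on "reposyncs" does NOT cover "reposyncs/status".
    if "*" in patterns or resource in patterns:
        return True
    if "/" in resource:
        sub = resource.split("/", 1)[1]
        return f"*/{sub}" in patterns
    return False


def rule_allows(rule: Rule, req: Request) -> bool:
    if not _match(rule.verbs, req.verb):
        return False
    if not _match(rule.api_groups, req.api_group):
        return False
    if not _resource_match(rule.resources, req.resource):
        return False
    # resourceNames restricts the rule to named objects; a request that
    # carries no name (create, or list/watch on a collection) cannot match it.
    if rule.resource_names:
        return req.name is not None and req.name in rule.resource_names
    return True


def can_i(rules: List[Rule], req: Request) -> bool:
    """RBAC is purely additive: any single matching rule grants the request."""
    return any(rule_allows(r, req) for r in rules)


def wildcard_rules(rules: List[Rule]) -> List[Rule]:
    """Audit helper: rules that grant '*' on apiGroups, resources or verbs."""
    return [r for r in rules
            if "*" in r.api_groups or "*" in r.resources or "*" in r.verbs]


# configsync.gke.io:ns-reconciler, transcribed from the page
NS_RECONCILER = [
    Rule(["configsync.gke.io"], ["reposyncs"], ["get"]),
    Rule(["configsync.gke.io"], ["reposyncs/status"], ["get", "list", "update"]),
    Rule(["kpt.dev"], ["resourcegroups"], ["*"]),
    Rule(["kpt.dev"], ["resourcegroups/status"], ["*"]),
    Rule(["policy"], ["podsecuritypolicies"], ["use"], ["acm-psp"]),
]

# resource-group-manager-role, transcribed from the page
RESOURCE_GROUP_MANAGER = [
    Rule(["*"], ["*"], ["get", "list", "watch"]),
    Rule(["apiextensions.k8s.io"], ["customresourcedefinitions"],
         ["get", "list", "watch"]),
    Rule(["kpt.dev"], ["resourcegroups"],
         ["create", "delete", "get", "list", "patch", "update", "watch"]),
    Rule(["kpt.dev"], ["resourcegroups/status"], ["get", "patch", "update"]),
    Rule(["policy"], ["podsecuritypolicies"], ["use"], ["acm-psp"]),
]


if __name__ == "__main__":
    # Constructed requests; "repo-sync" and "db-creds" are illustrative names.
    checks = [
        ("ns-reconciler", NS_RECONCILER,
         Request("get", "configsync.gke.io", "reposyncs", "repo-sync")),
        ("ns-reconciler", NS_RECONCILER,
         Request("update", "configsync.gke.io", "reposyncs", "repo-sync")),
        ("ns-reconciler", NS_RECONCILER,
         Request("update", "configsync.gke.io", "reposyncs/status", "repo-sync")),
        ("resource-group-manager", RESOURCE_GROUP_MANAGER,
         Request("get", "", "secrets", "db-creds")),
        ("resource-group-manager", RESOURCE_GROUP_MANAGER,
         Request("create", "", "secrets")),
        ("resource-group-manager", RESOURCE_GROUP_MANAGER,
         Request("use", "policy", "podsecuritypolicies", "other-psp")),
    ]
    for role, rules, req in checks:
        group = req.api_group or "core"
        print(f"{role:24} {req.verb:7} {group}/{req.resource:20} "
              f"-> {'allowed' if can_i(rules, req) else 'denied'}")
    print("wildcard rules in resource-group-manager-role:",
          len(wildcard_rules(RESOURCE_GROUP_MANAGER)))
```

The evaluator makes the shape of each role visible: the namespace reconciler can read a RepoSync and write its status, but cannot modify the RepoSync spec, while the resource group controller's first rule gives it cluster-wide read access to every resource (Secrets included), which is why it is listed as a wildcard rule by the audit helper. Against a live cluster, the equivalent question is answered by `kubectl auth can-i <verb> <resource> --as=system:serviceaccount:<namespace>:<service-account>`, which also accounts for the bindings and any additional roles that this offline check does not see.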