3.3. 安装程序角色的权限界限


您可以将策略作为安装程序 角色的权限边界 应用。您可以使用 AWS 管理的策略或客户管理的策略来设置 Amazon Web Services (AWS) Identity and Access Management (IAM)实体(user 或 role)的边界。策略和边界策略的组合限制了用户或角色的最大权限。ROSA 包括一组三个准备的权限边界策略文件,您可以使用该文件来限制安装程序角色的权限,因为不支持更改安装程序策略本身。

注意

此功能只在 Red Hat OpenShift Service on AWS (经典架构)集群中被支持。

权限边界策略文件如下:

  • Core 边界策略文件包含 ROSA (经典架构)安装程序在 AWS 集群上安装 Red Hat OpenShift Service 所需的最小权限。安装程序没有创建虚拟私有云(VPC)或 PrivateLink (PL)的权限。需要提供 VPC。
  • VPC 边界策略文件包含 ROSA (经典架构)安装程序创建/管理 VPC 所需的最低权限。它不包括 PL 或核心安装的权限。如果您需要安装具有足够权限的集群,以便安装程序安装集群并创建/管理 VPC,但您不需要设置 PL,然后使用 core 和 VPC 边界文件以及安装程序角色。
  • PrivateLink (PL) 边界策略文件包含 ROSA (经典架构)安装程序使用集群创建 AWS PL 所需的最小权限。它不包括 VPC 或核心安装的权限。在安装过程中为所有 PL 集群提供预先创建的 VPC。

当使用权限边界策略文件时,会应用以下组合:

  • 没有权限边界策略意味着完整安装程序策略权限应用到集群。
  • core 仅为安装程序角色设置最受限的权限。VPC 和 PL 权限不包括在核心中 只有 边界策略。

    • 安装程序无法创建或管理 VPC 或 PL。
    • 您必须有客户提供的 VPC,并且 PrivateLink (PL)不可用。
  • Core + VPC 为安装程序角色设置核心和 VPC 权限。

    • 安装程序无法创建或管理 PL。
    • 假设您没有使用 custom/BYO-VPC。
    • 假设安装程序将创建和管理 VPC。
  • Core + PrivateLink (PL) 意味着安装程序可以置备 PL 基础架构。

    • 您必须具有客户提供的 VPC。
    • 这是用于带有 PL 的私有集群。

这个示例步骤适用于具有最多权限限制的安装程序角色和策略,仅适用于 ROSA 的核心 安装程序权限边界策略。您可以使用 AWS 控制台或 AWS CLI 完成此操作。本例使用 AWS CLI 和以下策略:

例 3.16. sts_installer_core_permission_boundary_policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
		    "autoscaling:DescribeAutoScalingGroups",
		    "ec2:AllocateAddress",
		    "ec2:AssociateAddress",
		    "ec2:AttachNetworkInterface",
		    "ec2:AuthorizeSecurityGroupEgress",
		    "ec2:AuthorizeSecurityGroupIngress",
		    "ec2:CopyImage",
		    "ec2:CreateNetworkInterface",
		    "ec2:CreateSecurityGroup",
		    "ec2:CreateTags",
		    "ec2:CreateVolume",
		    "ec2:DeleteNetworkInterface",
		    "ec2:DeleteSecurityGroup",
		    "ec2:DeleteSnapshot",
		    "ec2:DeleteTags",
		    "ec2:DeleteVolume",
		    "ec2:DeregisterImage",
		    "ec2:DescribeAccountAttributes",
		    "ec2:DescribeAddresses",
		    "ec2:DescribeAvailabilityZones",
		    "ec2:DescribeDhcpOptions",
		    "ec2:DescribeImages",
		    "ec2:DescribeInstanceAttribute",
		    "ec2:DescribeInstanceCreditSpecifications",
		    "ec2:DescribeInstances",
		    "ec2:DescribeInstanceStatus",
		    "ec2:DescribeInstanceTypeOfferings",
		    "ec2:DescribeInstanceTypes",
		    "ec2:DescribeInternetGateways",
		    "ec2:DescribeKeyPairs",
		    "ec2:DescribeNatGateways",
		    "ec2:DescribeNetworkAcls",
		    "ec2:DescribeNetworkInterfaces",
		    "ec2:DescribePrefixLists",
		    "ec2:DescribeRegions",
		    "ec2:DescribeReservedInstancesOfferings",
		    "ec2:DescribeRouteTables",
		    "ec2:DescribeSecurityGroups",
		    "ec2:DescribeSecurityGroupRules",
		    "ec2:DescribeSubnets",
		    "ec2:DescribeTags",
		    "ec2:DescribeVolumes",
		    "ec2:DescribeVpcAttribute",
		    "ec2:DescribeVpcClassicLink",
		    "ec2:DescribeVpcClassicLinkDnsSupport",
		    "ec2:DescribeVpcEndpoints",
		    "ec2:DescribeVpcs",
		    "ec2:GetConsoleOutput",
		    "ec2:GetEbsDefaultKmsKeyId",
		    "ec2:ModifyInstanceAttribute",
		    "ec2:ModifyNetworkInterfaceAttribute",
		    "ec2:ReleaseAddress",
		    "ec2:RevokeSecurityGroupEgress",
		    "ec2:RevokeSecurityGroupIngress",
		    "ec2:RunInstances",
		    "ec2:StartInstances",
		    "ec2:StopInstances",
		    "ec2:TerminateInstances",
		    "elasticloadbalancing:AddTags",
		    "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
		    "elasticloadbalancing:AttachLoadBalancerToSubnets",
		    "elasticloadbalancing:ConfigureHealthCheck",
		    "elasticloadbalancing:CreateListener",
		    "elasticloadbalancing:CreateLoadBalancer",
		    "elasticloadbalancing:CreateLoadBalancerListeners",
		    "elasticloadbalancing:CreateTargetGroup",
		    "elasticloadbalancing:DeleteLoadBalancer",
		    "elasticloadbalancing:DeleteTargetGroup",
		    "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
		    "elasticloadbalancing:DeregisterTargets",
		    "elasticloadbalancing:DescribeInstanceHealth",
		    "elasticloadbalancing:DescribeListeners",
		    "elasticloadbalancing:DescribeLoadBalancerAttributes",
		    "elasticloadbalancing:DescribeLoadBalancers",
		    "elasticloadbalancing:DescribeTags",
		    "elasticloadbalancing:DescribeTargetGroupAttributes",
		    "elasticloadbalancing:DescribeTargetGroups",
		    "elasticloadbalancing:DescribeTargetHealth",
		    "elasticloadbalancing:ModifyLoadBalancerAttributes",
		    "elasticloadbalancing:ModifyTargetGroup",
		    "elasticloadbalancing:ModifyTargetGroupAttributes",
		    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
		    "elasticloadbalancing:RegisterTargets",
		    "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
		    "elasticloadbalancing:SetSecurityGroups",
		    "iam:AddRoleToInstanceProfile",
		    "iam:CreateInstanceProfile",
		    "iam:DeleteInstanceProfile",
		    "iam:GetInstanceProfile",
		    "iam:TagInstanceProfile",
		    "iam:GetRole",
		    "iam:GetRolePolicy",
		    "iam:GetUser",
		    "iam:ListAttachedRolePolicies",
		    "iam:ListInstanceProfiles",
		    "iam:ListInstanceProfilesForRole",
		    "iam:ListRolePolicies",
		    "iam:ListRoles",
		    "iam:ListUserPolicies",
		    "iam:ListUsers",
		    "iam:PassRole",
		    "iam:RemoveRoleFromInstanceProfile",
		    "iam:SimulatePrincipalPolicy",
		    "iam:TagRole",
		    "iam:UntagRole",
		    "route53:ChangeResourceRecordSets",
		    "route53:ChangeTagsForResource",
		    "route53:CreateHostedZone",
		    "route53:DeleteHostedZone",
		    "route53:GetAccountLimit",
		    "route53:GetChange",
		    "route53:GetHostedZone",
		    "route53:ListHostedZones",
		    "route53:ListHostedZonesByName",
		    "route53:ListResourceRecordSets",
		    "route53:ListTagsForResource",
		    "route53:UpdateHostedZoneComment",
		    "s3:CreateBucket",
		    "s3:DeleteBucket",
		    "s3:DeleteObject",
		    "s3:GetAccelerateConfiguration",
		    "s3:GetBucketAcl",
		    "s3:GetBucketCORS",
		    "s3:GetBucketLocation",
		    "s3:GetBucketLogging",
		    "s3:GetBucketObjectLockConfiguration",
		    "s3:GetBucketPolicy",
		    "s3:GetBucketRequestPayment",
		    "s3:GetBucketTagging",
		    "s3:GetBucketVersioning",
		    "s3:GetBucketWebsite",
		    "s3:GetEncryptionConfiguration",
		    "s3:GetLifecycleConfiguration",
		    "s3:GetObject",
		    "s3:GetObjectAcl",
		    "s3:GetObjectTagging",
		    "s3:GetObjectVersion",
		    "s3:GetReplicationConfiguration",
		    "s3:ListBucket",
		    "s3:ListBucketVersions",
		    "s3:PutBucketAcl",
		    "s3:PutBucketPolicy",
		    "s3:PutBucketTagging",
		    "s3:PutEncryptionConfiguration",
		    "s3:PutObject",
		    "s3:PutObjectAcl",
		    "s3:PutObjectTagging",
		    "servicequotas:GetServiceQuota",
		    "servicequotas:ListAWSDefaultServiceQuotas",
		    "sts:AssumeRole",
		    "sts:AssumeRoleWithWebIdentity",
		    "sts:GetCallerIdentity",
		    "tag:GetResources",
		    "tag:UntagResources",
		    "kms:DescribeKey",
		    "cloudwatch:GetMetricData",
		    "ec2:CreateRoute",
		    "ec2:DeleteRoute",
		    "ec2:CreateVpcEndpoint",
		    "ec2:DeleteVpcEndpoints",
		    "ec2:CreateVpcEndpointServiceConfiguration",
		    "ec2:DeleteVpcEndpointServiceConfigurations",
		    "ec2:DescribeVpcEndpointServiceConfigurations",
		    "ec2:DescribeVpcEndpointServicePermissions",
		    "ec2:DescribeVpcEndpointServices",
		    "ec2:ModifyVpcEndpointServicePermissions"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        }
    ]
}
重要

要使用权限边界,您需要准备权限边界策略并将其添加到 AWS IAM 中的相关安装程序角色中。虽然 ROSA (rosa) CLI 提供了一个权限边界功能,但它适用于所有角色,而不仅仅是安装程序角色,这意味着它不适用于提供的权限边界策略(仅适用于安装程序角色)。

先决条件

  • 您有一个 AWS 帐户。
  • 您有管理 AWS 角色和策略所需的权限。
  • 您已在工作站上安装和配置了最新的 AWS (aws)和 ROSA (rosa) CLI。
  • 您已准备了 ROSA 帐户范围内的角色,包括安装程序角色以及相应的策略。如果您的 AWS 帐户中不存在这些,请参阅附加资源 中的"创建帐户范围的 STS 角色和策略"。

流程

  1. rosa CLI 中输入以下命令来准备策略文件:

    $ curl -o ./rosa-installer-core.json https://raw.githubusercontent.com/openshift/managed-cluster-config/master/resources/sts/4.17/sts_installer_core_permission_boundary_policy.json
  2. 输入以下命令在 AWS 中创建策略并收集其 Amazon 资源名称(ARN):

    $ aws iam create-policy \
    --policy-name rosa-core-permissions-boundary-policy \
    --policy-document file://./rosa-installer-core.json \
    --description "ROSA installer core permission boundary policy, the minimum permission set, allows BYO-VPC, disallows PrivateLink"

    输出示例

    {
        "Policy": {
            "PolicyName": "rosa-core-permissions-boundary-policy",
            "PolicyId": "<Policy ID>",
            "Arn": "arn:aws:iam::<account ID>:policy/rosa-core-permissions-boundary-policy",
            "Path": "/",
            "DefaultVersionId": "v1",
            "AttachmentCount": 0,
            "PermissionsBoundaryUsageCount": 0,
            "IsAttachable": true,
            "CreateDate": "<CreateDate>",
            "UpdateDate": "<UpdateDate>"
        }
    }

  3. 输入以下命令在您要限制的安装程序角色中添加权限边界策略:

    $ aws iam put-role-permissions-boundary \
    --role-name ManagedOpenShift-Installer-Role \
    --permissions-boundary arn:aws:iam::<account ID>:policy/rosa-core-permissions-boundary-policy
  4. rosa CLI 中输入以下命令来显示安装程序角色,以验证附加策略(包括权限边界):

    $ aws iam get-role --role-name ManagedOpenShift-Installer-Role \
    --output text | grep PERMISSIONSBOUNDARY

    输出示例

    PERMISSIONSBOUNDARY	arn:aws:iam::<account ID>:policy/rosa-core-permissions-boundary-policy	Policy

    有关 PL 和 VPC 权限边界策略的更多信息,请参阅:

    例 3.17. sts_installer_privatelink_permission_boundary_policy.json

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:ModifyVpcEndpointServiceConfiguration",
            "route53:ListHostedZonesByVPC",
            "route53:CreateVPCAssociationAuthorization",
            "route53:AssociateVPCWithHostedZone",
            "route53:DeleteVPCAssociationAuthorization",
            "route53:DisassociateVPCFromHostedZone",
            "route53:ChangeResourceRecordSets"
          ],
          "Resource": "*"
        }
      ]
    }

    例 3.18. sts_installer_vpc_permission_boundary_policy.json

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
    		    "ec2:AssociateDhcpOptions",
    		    "ec2:AssociateRouteTable",
    		    "ec2:AttachInternetGateway",
    		    "ec2:CreateDhcpOptions",
    		    "ec2:CreateInternetGateway",
    		    "ec2:CreateNatGateway",
    		    "ec2:CreateRouteTable",
    		    "ec2:CreateSubnet",
    		    "ec2:CreateVpc",
    		    "ec2:DeleteDhcpOptions",
    		    "ec2:DeleteInternetGateway",
    		    "ec2:DeleteNatGateway",
    		    "ec2:DeleteRouteTable",
    		    "ec2:DeleteSubnet",
    		    "ec2:DeleteVpc",
    		    "ec2:DetachInternetGateway",
    		    "ec2:DisassociateRouteTable",
    		    "ec2:ModifySubnetAttribute",
    		    "ec2:ModifyVpcAttribute",
    		    "ec2:ReplaceRouteTableAssociation"
                ],
                "Resource": "*"
            }
        ]
    }

其他资源

Red Hat logoGithubRedditYoutubeTwitter

学习

尝试、购买和销售

社区

关于红帽文档

通过我们的产品和服务,以及可以信赖的内容,帮助红帽用户创新并实现他们的目标。

让开源更具包容性

红帽致力于替换我们的代码、文档和 Web 属性中存在问题的语言。欲了解更多详情,请参阅红帽博客.

關於紅帽

我们提供强化的解决方案,使企业能够更轻松地跨平台和环境(从核心数据中心到网络边缘)工作。

© 2024 Red Hat, Inc.