阿里云负载均衡授予自建集群ALB Ingress Controller权限-云淘科技

操作流程

1. 步骤一：创建RAM用户

2. 步骤二：创建权限策略，并授予RAM用户

3. 步骤三：在自建集群配置AccessKey ID与AccessKey Secret

步骤一：创建RAM用户

1. 使用阿里云账号登录RAM控制台。

2. 在左侧导航栏，选择身份管理>用户，在右侧页面单击创建用户。

3. 在创建用户页面，输入登录名称，显示名称，选中OpenAPI 调用访问，然后单击确定。

4. 在创建用户页面，复制AccessKey ID和AccessKey Secret。

步骤二：创建权限策略，并授予RAM用户

1. 创建调用ALB Ingress Controller组件的权限策略。

   1. 在RAM控制台左侧导航栏，选择权限管理>权限策略，在右侧页面单击创建权限策略。

   2. 单击脚本编辑页签，将以下内容复制到代码框，单击继续编辑基本信息。

      展开查看详细代码

      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ecs:Describe*",
              "ecs:CreateRouteEntry",
              "ecs:DeleteRouteEntry",
              "ecs:CreateNetworkInterface",
              "ecs:DeleteNetworkInterface",
              "ecs:CreateNetworkInterfacePermission",
              "ecs:DeleteNetworkInterfacePermission",
              "ecs:ModifyInstanceAttribute",
              "ecs:AttachKeyPair",
              "ecs:StopInstance",
              "ecs:StartInstance",
              "ecs:ReplaceSystemDisk"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "slb:Describe*",
              "slb:CreateLoadBalancer",
              "slb:DeleteLoadBalancer",
              "slb:ModifyLoadBalancerInternetSpec",
              "slb:RemoveBackendServers",
              "slb:AddBackendServers",
              "slb:RemoveTags",
              "slb:AddTags",
              "slb:StopLoadBalancerListener",
              "slb:StartLoadBalancerListener",
              "slb:SetLoadBalancerHTTPListenerAttribute",
              "slb:SetLoadBalancerHTTPSListenerAttribute",
              "slb:SetLoadBalancerTCPListenerAttribute",
              "slb:SetLoadBalancerUDPListenerAttribute",
              "slb:CreateLoadBalancerHTTPSListener",
              "slb:CreateLoadBalancerHTTPListener",
              "slb:CreateLoadBalancerTCPListener",
              "slb:CreateLoadBalancerUDPListener",
              "slb:DeleteLoadBalancerListener",
              "slb:CreateVServerGroup",
              "slb:DescribeVServerGroups",
              "slb:DeleteVServerGroup",
              "slb:SetVServerGroupAttribute",
              "slb:DescribeVServerGroupAttribute",
              "slb:ModifyVServerGroupBackendServers",
              "slb:AddVServerGroupBackendServers",
              "slb:ModifyLoadBalancerInstanceSpec",
              "slb:ModifyLoadBalancerInternetSpec",
              "slb:SetLoadBalancerModificationProtection",
              "slb:SetLoadBalancerDeleteProtection",
              "slb:SetLoadBalancerName",
              "slb:ModifyLoadBalancerInstanceChargeType",
              "slb:RemoveVServerGroupBackendServers"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "nlb:TagResources",
              "nlb:UnTagResources",
              "nlb:ListTagResources",
              "nlb:CreateLoadBalancer",
              "nlb:DeleteLoadBalancer",
              "nlb:GetLoadBalancerAttribute",
              "nlb:ListLoadBalancers",
              "nlb:UpdateLoadBalancerAttribute",
              "nlb:UpdateLoadBalancerAddressTypeConfig",
              "nlb:UpdateLoadBalancerZones",
              "nlb:CreateListener",
              "nlb:DeleteListener",
              "nlb:ListListeners",
              "nlb:UpdateListenerAttribute",
              "nlb:StopListener",
              "nlb:StartListener",
              "nlb:GetListenerAttribute",
              "nlb:GetListenerHealthStatus",
              "nlb:CreateServerGroup",
              "nlb:DeleteServerGroup",
              "nlb:UpdateServerGroupAttribute",
              "nlb:AddServersToServerGroup",
              "nlb:RemoveServersFromServerGroup",
              "nlb:UpdateServerGroupServersAttribute",
              "nlb:ListServerGroups",
              "nlb:ListServerGroupServers",
              "nlb:GetJobStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "vpc:Describe*",
              "vpc:DeleteRouteEntry",
              "vpc:CreateRouteEntry"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": [
                  "alb.aliyuncs.com",
                  "audit.log.aliyuncs.com",
                  "logdelivery.alb.aliyuncs.com"
                ]
              }
            }
          },
          {
            "Action": [
              "yundun-cert:DescribeSSLCertificateList",
              "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
              "yundun-cert:CreateSSLCertificateWithName",
              "yundun-cert:DeleteSSLCertificate"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "alb:TagResources",
              "alb:UnTagResources",
              "alb:ListServerGroups",
              "alb:ListServerGroupServers",
              "alb:AddServersToServerGroup",
              "alb:RemoveServersFromServerGroup",
              "alb:ReplaceServersInServerGroup",
              "alb:CreateLoadBalancer",
              "alb:DeleteLoadBalancer",
              "alb:UpdateLoadBalancerAttribute",
              "alb:UpdateLoadBalancerEdition",
              "alb:EnableLoadBalancerAccessLog",
              "alb:DisableLoadBalancerAccessLog",
              "alb:EnableDeletionProtection",
              "alb:DisableDeletionProtection",
              "alb:ListLoadBalancers",
              "alb:GetLoadBalancerAttribute",
              "alb:ListListeners",
              "alb:CreateListener",
              "alb:GetListenerAttribute",
              "alb:UpdateListenerAttribute",
              "alb:ListListenerCertificates",
              "alb:AssociateAdditionalCertificatesWithListener",
              "alb:DissociateAdditionalCertificatesFromListener",
              "alb:DeleteListener",
              "alb:CreateRule",
              "alb:DeleteRule",
              "alb:UpdateRuleAttribute",
              "alb:UpdateRulesAttribute",
              "alb:CreateRules",
              "alb:DeleteRules",
              "alb:ListRules",
              "alb:CreateServerGroup",
              "alb:DeleteServerGroup",
              "alb:UpdateServerGroupAttribute",
              "alb:DescribeZones",
              "alb:CreateAcl",
              "alb:DeleteAcl",
              "alb:ListAcls",
              "alb:AddEntriesToAcl",
              "alb:AssociateAclsWithListener",
              "alb:ListAclEntries",
              "alb:RemoveEntriesFromAcl",
              "alb:DissociateAclsFromListener",
              "alb:EnableLoadBalancerIpv6Internet",
              "alb:DisableLoadBalancerIpv6Internet"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

   3. 在基本信息下方，输入名称，单击确定。

2. 授予RAM用户调用ALB Ingress Controller组件的权限策略。

   1. 在左侧导航栏，选择身份管理>用户。

   2. 在用户页面，找到步骤一：创建RAM用户创建的RAM用户，在该RAM用户右侧操作列，单击添加权限。

   3. 在添加权限面板，单击自定义策略，选择已创建的权限策略，其他采用默认配置，单击确定。

步骤三：在自建集群配置AccessKey ID与AccessKey Secret

1. 对AccessKey ID与AccessKey Secret进行Base64编码。

   1. 在Base64输入AccessKey ID，单击编码，获取AccessKey ID编码后的结果。

   2. 输入AccessKey Secret，单击编码，获取AccessKey Secret编码后的结果。

2. 执行以下命令，在自建集群的load-balancer-config ConfigMap输入Base64编码后的AccessKey ID与AccessKey Secret，保存load-balancer-config ConfigMap。

   vim  

   load-balancer-config ConfigMap代码示例如下：

   apiVersion: v1
   kind: ConfigMap
   metadata:
     name: load-balancer-config
     namespace: kube-system
   data:
     cloud-config.conf: |-
       {
           "Global": {
               "AccessKeyID": "VndV***",              # 填写Base64编码后的AccessKey ID。
               "AccessKeySecret": "UWU0NnUyTFdhcG***" # 填写Base64编码后的AccessKey Secret。
           }
       }
                           

3. 执行以下命令，部署load-balancer-config ConfigMap。

   kubectl apply -f   

4. 重启load-balancer-controller的Pod，使配置生效。

   1. 执行以下命令，获取load-balancer-controller的Pod名称。

      kubectl get pod -n kube-system|grep load-balancer-controller

   2. 执行以下命令，删除load-balancer-controller的Pod。

      kubectl delete pod -n kube-system load-balancer-controller-***

      预期输出：

      pod load-balancer-controller-*** deleted

   3. 执行以下命令，查看重建后load-balancer-controller的Pod状态。

      kubectl get pod -n kube-system|grep load-balancer-controller

      预期输出：

      load-balancer-controller-0o9s***     1/1    Running   0    10s

相关文档

教程：

自建Kubernetes集群使用ALB Ingress最佳实践

源码文档：

• 如何从源码进行controller的部署

• ALB Ingress的简单使用入门

• ALB Ingress的详细使用手册