GKE on AWS 會使用 AWS IAM 角色建立及管理叢集和節點集區。本頁面適用於身分和帳戶管理員、作業人員和開發人員,他們想建立及管理與使用者權限相關的政策。如要進一步瞭解我們在 Google Cloud 內容中提及的常見角色和範例工作,請參閱「常見的 GKE Enterprise 使用者角色和工作」。
本頁說明如何建立下列預設角色:
- GKE Multi-cloud API 服務代理人角色
- GKE Multi-Cloud API 會使用這個 AWS IAM 角色,透過 AWS API 管理資源。這個角色是由 Google 代管的服務帳戶 (又稱服務代理程式) 使用。
- 控制層 AWS IAM 角色
- 叢集控制層會使用這個角色來控制節點集區。
- 節點集區 AWS IAM 角色
- 控制層會使用這個角色建立節點集區 VM。
本頁說明如何為下列情況建立角色:
- 一組預設權限,適合用於測試
- 對具有特定 AWS 標記的資源執行作業的權限
您可以選擇其中一種方法,以符合貴機構的安全性政策。如要進一步瞭解標記,請參閱「標記 AWS 資源」。
您可以視需要為 GKE on AWS 使用的 AWS IAM 角色設定權限範圍,以符合貴機構的需求。詳情請參閱「AWS IAM 角色」。
事前準備
如果您選擇建立權限,以處理具有特定標記的資源,則必須選擇標記和值。然後使用這些值標記叢集中的資源,限制資源存取權。
建立 GKE Multi-Cloud API 服務代理人角色
如要建立 GKE Multi-Cloud API 服務代理程式角色,請使用下列指令擷取 Google Cloud 專案編號,並用來建立角色。
PROJECT_ID="$(gcloud config get-value project)"
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" \
--format "value(projectNumber)")
aws iam create-role --role-name API_ROLE \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "accounts.google.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"accounts.google.com:sub": "service-'$PROJECT_NUMBER'@gcp-sa-gkemulticloud.iam.gserviceaccount.com"
}
}
}
]
}'
將 API_ROLE 替換為這個角色的名稱。
請儲存這個指令產生的 Amazon 資源名稱 (ARN),稍後會用到。
建立範圍權限
請選擇要為 GKE Multi-Cloud API 服務代理程式角色建立具有預設權限的政策,還是要將政策範圍限定於具有特定標記的資源。然後執行下列指令:
預設
aws iam create-policy --policy-name API_POLICY \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateLaunchTemplate",
"ec2:CreateNetworkInterface",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteLaunchTemplate",
"ec2:DeleteNetworkInterface",
"ec2:DeleteSecurityGroup",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:GetConsoleOutput",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"iam:AWSServiceName",
"iam:CreateServiceLinkedRole",
"iam:GetInstanceProfile",
"iam:PassRole",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:CreateOrUpdateTags",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteTags",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DisableMetricsCollection",
"autoscaling:EnableMetricsCollection",
"autoscaling:TerminateInstanceInAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RemoveTags",
"kms:DescribeKey",
"kms:Encrypt",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource": "*"
}
]
}'
將 API_POLICY 替換為 GKE Multi-Cloud API AWS IAM 政策的名稱。
您可以選擇設定 Resource 的值為 arn:aws:iam::ACCOUNT_ID:*,並將 ACCOUNT_ID 替換為 AWS 帳戶 ID,限制這項政策適用的資源為特定帳戶。
範圍僅限標記
aws iam create-policy --policy-name API_POLICY_ec2 \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:GetConsoleOutput"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": ["ec2:CreateSecurityGroup"],
"Resource": ["arn:aws:ec2:*:*:security-group/*"],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:CreateSecurityGroup"],
"Resource": ["arn:aws:ec2:*:*:vpc/*"]
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": ["arn:aws:ec2:*:*:security-group/*"],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress"
],
"Resource": ["arn:aws:ec2:*:*:security-group-rule/*"],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:CreateLaunchTemplate"],
"Resource": ["arn:aws:ec2:*:*:launch-template/*"],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteLaunchTemplate"
],
"Resource": ["arn:aws:ec2:*:*:launch-template/*"],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": ["arn:aws:ec2:*:*:image/ami-*"],
"Condition": {
"StringEquals": {
"ec2:Owner": ["099720109477", "amazon"]
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": [
"arn:aws:ec2:*:*:subnet/*"
],
"Condition": {
"ArnLike": {
"ec2:LaunchTemplate": "arn:aws:ec2:*:*:launch-template/*"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"Bool": {
"ec2:IsLaunchTemplateResource": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume"
],
"Resource": ["arn:aws:ec2:*:*:volume/*"],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteVolume"
],
"Resource": ["arn:aws:ec2:*:*:volume/*"],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface"
],
"Resource": ["arn:aws:ec2:*:*:network-interface/*"],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:CreateNetworkInterface"],
"Resource": ["arn:aws:ec2:*:*:security-group/*"],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": ["ec2:CreateNetworkInterface"],
"Resource": ["arn:aws:ec2:*:*:subnet/*"]
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute"
],
"Resource": [
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Action": [
"ec2:CreateTags"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:security-group-rule/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Action": [
"ec2:CreateTags"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction" : "RunInstances"
}
}
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:security-group-rule/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifyInstanceAttribute"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:security-group/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
}
}
}
]
}'
更改下列內容:
API_POLICY:GKE Multi-Cloud API AWS IAM 政策的前置字串。ACCESS_CONTROL_TAG_KEY:適用於這項政策的標記鍵ACCESS_CONTROL_TAG_VALUE:適用於這項政策的標記值
您也可以選擇將這項政策進一步限制在 AWS 區域和帳戶 ID。如要將政策限制在特定區域和帳戶 ID,請將「資源」的值 (例如 arn:aws:ec2:*:*:security-group/*) 替換為 arn:aws:ec2:AWS_REGION:ACCOUNT_ID:security-group/*。
複製為這項政策建立的 ARN,以用於下列指令。
建立其他標記使用政策
如果您要使用標記限制存取權,請按照下列步驟建立其他政策。如果您使用預設政策,請跳至「將政策附加至 GKE Multi-Cloud API 角色」。
使用下列指令建立政策,控管 AWS IAM 的存取權:
aws iam create-policy --policy-name API_POLICY_iam \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"], "Resource": [ "arn:aws:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling" ], "Condition": { "StringEquals": { "iam:AWSServiceName": "autoscaling.amazonaws.com" } } }, { "Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"], "Resource": [ "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing" ], "Condition": { "StringEquals": { "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com" } } }, { "Effect": "Allow", "Action": ["iam:PassRole"], "Resource": ["arn:aws:iam::*:role/*"], "Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } } } , { "Effect": "Allow", "Action": ["iam:GetInstanceProfile"], "Resource": ["arn:aws:iam::*:instance-profile/*"] } ] }'使用下列指令建立政策,控管 AWS EC2 Auto Scaling 資源的存取權:
aws iam create-policy --policy-name API_POLICY_autoscaling \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["autoscaling:DescribeAutoScalingGroups"], "Resource": "*" }, { "Effect": "Allow", "Action": [ "autoscaling:CreateAutoScalingGroup", "autoscaling:CreateOrUpdateTags" ], "Resource": [ "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*" ], "Condition": { "StringEquals": { "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE" } } }, { "Effect": "Allow", "Action": [ "autoscaling:CreateOrUpdateTags", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteTags", "autoscaling:DisableMetricsCollection", "autoscaling:EnableMetricsCollection", "autoscaling:TerminateInstanceInAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup" ], "Resource": [ "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*" ], "Condition": { "StringEquals": { "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE" } } } ] }'請儲存這個指令產生的 ARN,稍後會用到。
建立政策,控管 AWS Elastic Load Balancer 資源的存取權。
aws iam create-policy --policy-name API_POLICY_elasticloadbalancing \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:AddTags" ], "Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/gke-*"], "Condition": { "StringEquals": { "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE" } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:RemoveTags" ], "Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/gke-*"], "Condition": { "StringEquals": { "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE" } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:AddTags" ], "Resource": [ "arn:aws:elasticloadbalancing:*:*:listener/net/gke-*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/gke-*" ], "Condition": { "StringEquals": { "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE" } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:RemoveTags" ], "Resource": [ "arn:aws:elasticloadbalancing:*:*:listener/net/gke-*", "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/gke-*" ], "Condition": { "StringEquals": { "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE" } } } ] }'請儲存這個指令產生的 ARN,稍後會用到。
建立政策,控管 AWS Key Management Service 資源的存取權。
如要進一步瞭解各個金鑰的權限,請參閱建立具有特定權限的 KMS 金鑰。
aws iam create-policy --policy-name API_POLICY_kms \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["kms:DescribeKey"], "Resource": ["arn:aws:kms:*:*:key/*"] }, { "Effect": "Allow", "Action": ["kms:Encrypt"], "Resource": CONTROL_PLANE_CONFIG_KMS_KEY_ARN }, { "Effect": "Allow", "Action": ["kms:Encrypt"], "Resource": NODE_POOL_CONFIG_KMS_KEY_ARN }, { "Effect": "Allow", "Action": ["kms:GenerateDataKeyWithoutPlaintext"], "Resource": CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN } ] }'更改下列內容:
CONTROL_PLANE_CONFIG_KMS_KEY_ARN:您的 KMS 控制層設定加密金鑰 ARN。如果叢集只使用一個 KMS 金鑰,請在此處的所有值使用該金鑰的 ARN。NODE_POOL_CONFIG_KMS_KEY_ARN:您的 KMS 節點集區設定加密金鑰 ARNCONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN:您的 KMS 控制層主要磁碟區加密金鑰 ARN
請儲存這個指令產生的 ARN,稍後會用到。
將政策附加至 GKE Multi-Cloud API 角色
針對您在先前步驟中建立的每項政策,執行下列指令,將政策附加至 GKE Multi-Cloud API 角色:
aws iam attach-role-policy \
--policy-arn API_POLICY_ARN \
--role-name API_ROLE
取代
API_POLICY_ARN,並提供您先前建立的每項政策的 API 政策 ARNAPI_ROLE,其中包含 GKE Multi-Cloud API 服務代理人角色名稱
建立叢集或節點集區
如果建立的角色和政策範圍限定為已加上標記的資源,建立叢集或節點集區時,就必須指定標記。您可以使用叢集和節點集區建立指令的 --tags 參數執行這項操作。
建立叢集
如要建立叢集,請按照操作說明建立叢集,並納入 --tags 參數,如下所示:
gcloud container aws clusters create CLUSTER_NAME \
...
--tags="ACCESS_CONTROL_TAG_KEY=ACCESS_CONTROL_TAG_VALUE"
更改下列內容:
ACCESS_CONTROL_TAG_KEY:適用於這項政策的標記鍵ACCESS_CONTROL_TAG_VALUE:適用於這項政策的標記值
建立節點集區
如要建立節點集區,請按照建立節點集區的指示操作,並加入 --tags 參數,如下所示:
gcloud container aws node-pools create NODE_POOL_NAME \
...
--tags "ACCESS_CONTROL_TAG_KEY=ACCESS_CONTROL_TAG_VALUE"
更改下列內容:
ACCESS_CONTROL_TAG_KEY:適用於這項政策的標記鍵ACCESS_CONTROL_TAG_VALUE:適用於這項政策的標記值
建立控制層角色
如要使用預設權限建立控制平面角色,請按照下列步驟操作:
如要建立這個角色,請執行下列指令:
aws iam create-role --role-name CONTROL_PLANE_ROLE \ --assume-role-policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }'將
CONTROL_PLANE_ROLE替換為控制平面角色名稱。為這個角色建立 IAM 政策。如果您為資料庫和設定加密建立多個 KMS 金鑰,請以逗號分隔清單的形式納入所有 ARN。
選擇直接連線至控制層,或直接連線至控制層並使用標記。
直接連線
aws iam create-policy --policy-name CONTROL_PLANE_POLICY \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Action": [ "ec2:AttachNetworkInterface", "ec2:AttachVolume", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateRoute", "ec2:CreateSecurityGroup", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeDhcpOptions", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", "ec2:DetachVolume", "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume", "ec2:RevokeSecurityGroupIngress", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags", "autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup", "elasticloadbalancing:AddTags", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DetachLoadBalancerFromSubnets", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", "elasticfilesystem:CreateAccessPoint", "elasticfilesystem:DeleteAccessPoint", "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "kms:CreateGrant", "kms:Decrypt", "kms:Encrypt", "kms:GrantIsForAWSResource" ], "Resource": "*" } ] }'更改下列內容:
- 將
CONTROL_PLANE_POLICY替換為控制平面政策的名稱
直接使用標記
aws iam create-policy --policy-name CONTROL_PLANE_POLICY_autoscaling \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup" ], "Resource": [ "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*" ], "Condition": { "StringEquals": { "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE" } } } ] }' aws iam create-policy --policy-name CONTROL_PLANE_POLICY_ec2 \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeAccountAttributes", "ec2:DescribeAvailabilityZones", "ec2:DescribeDhcpOptions", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeRegions", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSnapshots", "ec2:DescribeSubnets", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs" ], "Resource": "*" }, { "Effect": "Allow", "Action": ["ec2:AttachNetworkInterface"], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:network-interface/*" ] }, { "Effect": "Allow", "Action": [ "ec2:CreateVolume", "ec2:CreateTags", "ec2:AttachVolume", "ec2:DeleteVolume", "ec2:DetachVolume", "ec2:ModifyVolume" ], "Resource": ["arn:aws:ec2:*:*:volume/*"] }, { "Effect": "Allow", "Action": ["ec2:AttachVolume", "ec2:DetachVolume"], "Resource": ["arn:aws:ec2:*:*:instance/*"] }, { "Effect": "Allow", "Action": ["ec2:CreateSecurityGroup", "ec2:CreateTags"], "Resource": ["arn:aws:ec2:*:*:security-group/*"] }, { "Effect": "Allow", "Action": ["ec2:CreateSecurityGroup"], "Resource": ["arn:aws:ec2:*:*:vpc/*"] }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupIngress" ], "Resource": ["arn:aws:ec2:*:*:security-group/*"] }, { "Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:CreateTags", "ec2:DeleteSnapshot"], "Resource": ["arn:aws:ec2:*:*:snapshot/*"] }, { "Effect": "Allow", "Action": ["ec2:CreateSnapshot"], "Resource": ["arn:aws:ec2:*:*:volume/*"] }, { "Effect": "Allow", "Action": ["ec2:CreateRoute", "ec2:DeleteRoute"], "Resource": ["arn:aws:ec2:*:*:route-table/*"] }, { "Effect": "Allow", "Action": ["ec2:ModifyInstanceAttribute"], "Resource": [ "arn:aws:ec2:*:*:instance/*", "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:volume/*" ] }, { "Effect": "Allow", "Action": ["ec2:DeleteTags"], "Resource": [ "arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:snapshot/*", "arn:aws:ec2:*:*:volume/*" ] } ] }' aws iam create-policy --policy-name CONTROL_PLANE_POLICY_elasticloadbalancing \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancerPolicies", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags", "elasticloadbalancing:AttachLoadBalancerToSubnets", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancerPolicy", "elasticloadbalancing:CreateLoadBalancerListeners", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteLoadBalancerListeners", "elasticloadbalancing:DetachLoadBalancerFromSubnets", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" ], "Resource": ["arn:aws:elasticloadbalancing:*:*:loadbalancer/*"] }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:RegisterTargets" ], "Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/*"] }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:DeleteListener", "elasticloadbalancing:ModifyListener" ], "Resource": ["arn:aws:elasticloadbalancing:*:*:listener/*"] } ] }' aws iam create-policy --policy-name CONTROL_PLANE_POLICY_elasticfilesystem \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "elasticfilesystem:DescribeAccessPoints", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticfilesystem:CreateAccessPoint" ], "Resource": [ "arn:aws:elasticfilesystem:*:*:file-system/*" ] }, { "Effect": "Allow", "Action": [ "elasticfilesystem:DeleteAccessPoint" ], "Resource": [ "arn:aws:elasticfilesystem:*:*:access-point/*" ] } ] }' aws iam create-policy --policy-name CONTROL_PLANE_POLICY_kms \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt"], "Resource": DATABASE_KMS_KEY_ARN }, { "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": CONTROL_PLANE_CONFIG_KMS_KEY_ARN }, { "Effect": "Allow", "Action": ["kms:CreateGrant"], "Resource": CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN, "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } } } ] }'更改下列內容:
CONTROL_PLANE_POLICY:控制平面政策的名稱ACCESS_CONTROL_TAG_KEY:適用於這項政策的標記鍵ACCESS_CONTROL_TAG_VALUE:適用於這項政策的標記值DATABASE_KMS_KEY_ARN:您的 KMS etcd 加密金鑰 ARNCONTROL_PLANE_CONFIG_KMS_KEY_ARN:您的 KMS 控制層加密金鑰 ARNCONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN:您的 KMS 控制層主要磁碟區加密金鑰 ARN
複製每個
Policy.Arn的值,以供後續指令使用。- 將
如果您使用 HTTP Proxy,請為 AWS Secrets Manager 建立額外政策。
aws iam create-policy --policy-name CONTROL_PLANE_POLICY_secretsmanager \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": PROXY_CONFIG_ARN } ] }'更改下列內容:
KMS_KEY_ARN,並提供 KMS etcd 加密金鑰 ARN- 將
CONTROL_PLANE_POLICY替換為控制平面政策的名稱
複製每個
Policy.Arn的值,以供下一個指令使用。將新政策附加至對應角色。
aws iam attach-role-policy \ --policy-arn CONTROL_PLANE_POLICY_ARN \ --role-name CONTROL_PLANE_ROLE更改下列內容:
CONTROL_PLANE_ROLE- 將
CONTROL_PLANE_POLICY_ARN替換為上一個指令中的Policy.Arn值
如要建立 IAM 執行個體設定檔,請執行下列指令。
aws iam create-instance-profile \ --instance-profile-name CONTROL_PLANE_PROFILE將
CONTROL_PLANE_PROFILE替換為 GKE Multi-Cloud 控制平面設定檔的名稱。最後,將新角色新增至您剛建立的執行個體設定檔。
aws iam add-role-to-instance-profile \ --instance-profile-name CONTROL_PLANE_PROFILE \ --role-name CONTROL_PLANE_ROLE更改下列內容:
CONTROL_PLANE_PROFILECONTROL_PLANE_ROLE
您稍後會在叢集建立期間使用您在這裡選擇的執行個體設定檔名稱。
建立節點集區角色
如要建立具有預設權限的節點集區角色,請按照下列步驟操作:
為節點集區中的 VM 建立要使用的角色。
aws iam create-role --role-name NODE_POOL_ROLE \ --assume-role-policy-document '{ "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }'將
NODE_POOL_ROLE替換為節點集區角色名稱。建立政策,並授予節點集區 VM 所需的權限。選擇是否要直接連線至控制層,或是使用 HTTP Proxy。
直接
aws iam create-policy --policy-name NODE_POOL_POLICY_kms \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": NODE_POOL_CONFIG_KMS_KEY_ARN } ] }'更改下列內容:
NODE_POOL_POLICY:節點集區政策名稱。NODE_POOL_CONFIG_KMS_KEY_ARN:您的 KMS 節點集區設定加密金鑰 ARN。
HTTP Proxy
aws iam create-policy --policy-name NODE_POOL_POLICY_kms \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["kms:Decrypt"], "Resource": NODE_POOL_CONFIG_KMS_KEY_ARN } ] }' aws iam create-policy --policy-name NODE_POOL_POLICY_secretsmanager \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "secretsmanager:GetSecretValue" ], "Resource": PROXY_CONFIG_ARN } ] }'更改下列內容:
KMS_KEY_ARN:節點集區的 KMS 金鑰。NODE_POOL_POLICY:節點集區政策名稱。PROXY_CONFIG_ARN:Proxy 設定的 ARN。詳情請參閱「建立 Proxy 設定」。
複製每個 Policy.Arn 的值,以供下一個指令使用。
將角色附加至政策。
aws iam attach-role-policy --role-name NODE_POOL_ROLE \ --policy-arn "NODE_POOL_POLICY_ARN"更改下列內容:
NODE_POOL_ROLE:節點集區角色的名稱。NODE_POOL_POLICY_ARN:上一個指令的Policy.Arn值。
如果工作負載需要使用 ECR 容器登錄檔,請附加下列 ECR 存取政策:
公開註冊表
建立具有下列權限的政策:
aws iam create-policy --policy-name NODE_POOL_POLICY_ecr \ --policy-document '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ecr-public:GetAuthorizationToken", "sts:GetServiceBearerToken" ], "Resource": "*" } ] }'將
Policy.Arn的值複製為NODE_POOL_ECR_POLICY_ARN將其附加至您建立的節點集區角色。
aws iam attach-role-policy --role-name NODE_POOL_ROLE \ --policy-arn "NODE_POOL_ECR_POLICY_ARN"更改下列內容:
NODE_POOL_ROLE:節點集區角色的名稱。NODE_POOL_ECR_POLICY_ARN:上一個指令的Policy.Arn值。
私人登錄檔
將 AmazonEC2ContainerRegistryReadOnly 附加至節點集區角色,以存取私人登錄檔:
aws iam attach-role-policy --role-name NODE_POOL_ROLE \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly將
NODE_POOL_ROLE替換為節點集區角色名稱。為這個角色建立執行個體設定檔。
aws iam create-instance-profile \ --instance-profile-name NODE_POOL_PROFILE將
NODE_POOL_PROFILE替換為節點集區設定檔的名稱。將新角色新增至執行個體設定檔。
aws iam add-role-to-instance-profile \ --instance-profile-name NODE_POOL_PROFILE \ --role-name NODE_POOL_ROLE更改下列內容:
NODE_POOL_PROFILE:節點集區設定檔的名稱。NODE_POOL_ROLE:節點集區角色的名稱。