Create AWS Identity and Access Management roles

GKE on AWS uses AWS IAM roles to create and manage clusters and node pools. This page is for identity and account administrators, operators, and developers who want to create and manage the policies that govern user permissions. To learn more about the common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.

This page describes how to create the following default roles:

GKE Multi-Cloud API service agent role
    The GKE Multi-Cloud API uses this AWS IAM role to manage resources through the AWS APIs. The role is assumed by a Google-managed service account, also called a service agent.
Control plane AWS IAM role
    The cluster control plane uses this role to control node pools.
Node pool AWS IAM role
    The control plane uses this role to create node pool VMs.

This page describes how to create roles for the following scenarios:

  • A default set of permissions, suitable for testing
  • Permissions that only allow operations on resources that carry a specific AWS tag

Choose the option that matches your organization's security policy. For more information about tags, see Tagging AWS resources.

You can scope the permissions of the AWS IAM roles that GKE on AWS uses as needed to fit your organization's requirements. For more information, see AWS IAM roles.

Before you begin

If you choose to create permissions that apply only to tagged resources, you must pick a tag key and a tag value. You then tag the resources in your cluster with these values to restrict access to them.

Create the GKE Multi-Cloud API service agent role

To create the GKE Multi-Cloud API service agent role, retrieve your Google Cloud project number with the following commands and use it to create the role.

PROJECT_ID="$(gcloud config get-value project)"
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" \
    --format "value(projectNumber)")

aws iam create-role --role-name API_ROLE \
    --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
            "Federated": "accounts.google.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
            "accounts.google.com:sub": "service-'$PROJECT_NUMBER'@gcp-sa-gkemulticloud.iam.gserviceaccount.com"
            }
        }
        }
    ]
}'

Replace API_ROLE with a name for this role.

Save the Amazon Resource Name (ARN) that this command returns; you need it later. Keep the Condition block: the Federated principal accounts.google.com on its own would let any Google identity assume the role, and it is the accounts.google.com:sub condition that restricts it to your project's GKE Multi-Cloud service agent.
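As an added example (not code from the GKE on AWS documentation), the Python below builds the same trust policy as the create-role command above from the project number and checks it before use. The check encodes the point that matters: with Federated accounts.google.com alone, any Google identity could call sts:AssumeRoleWithWebIdentity on the role; the accounts.google.com:sub condition is what pins it to your project's service agent. The project number 123456789012 and the file name trust.json are constructed sample values.

```python
import json
import re

# Added example, not code from the GKE on AWS docs. The service agent
# domain and the policy shape follow the create-role command on this page;
# the project number used in __main__ is a constructed sample.
SERVICE_AGENT_DOMAIN = "gcp-sa-gkemulticloud.iam.gserviceaccount.com"
GOOGLE_IDP = "accounts.google.com"


def service_agent_email(project_number: str) -> str:
    """Return the GKE Multi-Cloud service agent address for a project number."""
    if not re.fullmatch(r"[0-9]+", project_number):
        raise ValueError(f"project number must be numeric, got {project_number!r}")
    return f"service-{project_number}@{SERVICE_AGENT_DOMAIN}"


def build_trust_policy(project_number: str) -> dict:
    """Same document as the page's --assume-role-policy-document, built as a
    dict so the project number cannot break the shell quoting."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {"Federated": GOOGLE_IDP},
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        f"{GOOGLE_IDP}:sub": service_agent_email(project_number)
                    }
                },
            }
        ],
    }


def trust_policy_problems(policy: dict, project_number: str) -> list[str]:
    """Return the reasons a trust policy is not pinned to this project's
    service agent. An empty list means the policy is acceptable."""
    expected_sub = service_agent_email(project_number)
    problems = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or not isinstance(principal, dict) or principal.get("AWS") == "*":
            problems.append("statement trusts every AWS principal")
            continue
        if principal.get("Federated") != GOOGLE_IDP:
            problems.append(f"unexpected principal {principal!r}")
            continue
        # Federated: accounts.google.com alone trusts *any* Google identity;
        # only the sub condition narrows it to one service account.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        sub = cond.get(f"{GOOGLE_IDP}:sub")
        if sub is None:
            problems.append("missing accounts.google.com:sub condition")
        elif sub != expected_sub:
            problems.append(f"sub pinned to {sub!r}, expected {expected_sub!r}")
    return problems


def trust_policy_json(project_number: str) -> str:
    """Serialised form for --assume-role-policy-document file://trust.json."""
    return json.dumps(build_trust_policy(project_number), indent=2)


if __name__ == "__main__":
    sample_project_number = "123456789012"  # constructed sample
    good = build_trust_policy(sample_project_number)
    print(trust_policy_problems(good, sample_project_number))
    # The same policy without its Condition: any Google account could assume it.
    loose = build_trust_policy(sample_project_number)
    del loose["Statement"][0]["Condition"]
    print(trust_policy_problems(loose, sample_project_number))
    print(trust_policy_json(sample_project_number))
```

Write the output of trust_policy_json to a file and pass it as --assume-role-policy-document file://trust.json; that avoids splicing the project number into a single-quoted shell string as the inline command does, and lets you run trust_policy_problems on the exact document you are about to create.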

Create scoped permissions

Choose whether to create a policy with default permissions for the GKE Multi-Cloud API service agent role, or a policy scoped to resources with a specific tag. Then run the following commands:

Default

aws iam create-policy --policy-name API_POLICY \
  --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateNetworkInterface",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteLaunchTemplate",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:GetConsoleOutput",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "iam:AWSServiceName",
        "iam:CreateServiceLinkedRole",
        "iam:GetInstanceProfile",
        "iam:PassRole",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:DeleteTags",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DisableMetricsCollection",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyTargetGroupAttributes",
        "elasticloadbalancing:RemoveTags",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*"
    }
  ]
}'

Replace API_POLICY with a name for the GKE Multi-Cloud API AWS IAM policy. Note that iam:AWSServiceName in the action list is a condition key, not an API action; it grants nothing there. It is used correctly, as a condition on iam:CreateServiceLinkedRole, in the tag-scoped IAM policy later on this page.

Optionally, you can restrict this policy to resources in a specific AWS account. To do so, put your account ID in the account field of the resource ARNs for the actions that support resource-level permissions (for example, arn:aws:ec2:*:ACCOUNT_ID:security-group/* instead of arn:aws:ec2:*:*:security-group/*), replacing ACCOUNT_ID with your AWS account ID, as the tag-scoped policy below does. A single value such as arn:aws:iam::ACCOUNT_ID:* matches only IAM resources and would not authorize the EC2, Auto Scaling, Elastic Load Balancing, or KMS actions in this policy. The Describe* actions do not support resource-level permissions and must keep "Resource": "*".

Tag-scoped

aws iam create-policy --policy-name API_POLICY_ec2 \
  --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:GetConsoleOutput"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateSecurityGroup"],
      "Resource": ["arn:aws:ec2:*:*:security-group/*"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateSecurityGroup"],
      "Resource": ["arn:aws:ec2:*:*:vpc/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": ["arn:aws:ec2:*:*:security-group/*"],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": ["arn:aws:ec2:*:*:security-group-rule/*"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateLaunchTemplate"],
      "Resource": ["arn:aws:ec2:*:*:launch-template/*"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteLaunchTemplate"
      ],
      "Resource": ["arn:aws:ec2:*:*:launch-template/*"],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:RunInstances"],
      "Resource": ["arn:aws:ec2:*:*:image/ami-*"],
      "Condition": {
        "StringEquals": {
          "ec2:Owner": ["099720109477", "amazon"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*"
      ],
      "Condition": {
        "ArnLike": {
          "ec2:LaunchTemplate": "arn:aws:ec2:*:*:launch-template/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Bool": {
          "ec2:IsLaunchTemplateResource": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Resource": ["arn:aws:ec2:*:*:volume/*"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteVolume"
      ],
      "Resource": ["arn:aws:ec2:*:*:volume/*"],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface"
      ],
      "Resource": ["arn:aws:ec2:*:*:network-interface/*"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": ["arn:aws:ec2:*:*:security-group/*"],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": ["arn:aws:ec2:*:*:subnet/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkInterface",
        "ec2:ModifyNetworkInterfaceAttribute"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Action": [
        "ec2:CreateTags"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:security-group-rule/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Action": [
        "ec2:CreateTags"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "RunInstances"
        }
      }
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:security-group-rule/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    }
  ]
}'

Replace the following:

  • API_POLICY: the prefix for the GKE Multi-Cloud API AWS IAM policy names
  • ACCESS_CONTROL_TAG_KEY: the tag key that this policy applies to
  • ACCESS_CONTROL_TAG_VALUE: the tag value that this policy applies to

Optionally, you can further restrict this policy to an AWS region and account ID. To do so, replace each Resource value of the form arn:aws:ec2:*:*:security-group/* with arn:aws:ec2:AWS_REGION:ACCOUNT_ID:security-group/*.

Copy the ARN that this command returns; you use it in the attach command later on this page.
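The following Python is an added example and not part of the page: a least-privilege audit that reads a policy document and reports mutating actions granted on "Resource": "*", condition keys mistakenly listed as actions, and create actions that are not constrained by an aws:RequestTag condition. DEFAULT_POLICY and TAG_SCOPED_POLICY are constructed, abbreviated versions of the two API policies above (the tag key and value keep the page's placeholders), so the output shows what the tag-scoped variant buys you. Run audit_policy_json on the full documents before calling aws iam create-policy.

```python
import json

# Added example, not code from the GKE on AWS docs. The policies at the
# bottom are constructed, abbreviated subsets of the page's default and
# tag-scoped API policies.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")
# Condition keys that are sometimes mistaken for API actions in Action lists.
CONDITION_KEYS = {"iam:AWSServiceName", "kms:GrantIsForAWSResource"}
# Create actions and the ARN resource type they produce.
CREATE_ACTIONS = {
    "ec2:CreateSecurityGroup": ":security-group/",
    "ec2:CreateVolume": ":volume/",
    "ec2:CreateLaunchTemplate": ":launch-template/",
    "ec2:CreateNetworkInterface": ":network-interface/",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    name = action.split(":", 1)[1] if ":" in action else action
    return name.startswith(READ_ONLY_PREFIXES)


def audit_policy(policy: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # True when any condition block carries an aws:RequestTag/... key.
        request_tagged = any(
            key.startswith("aws:RequestTag/")
            for block in stmt.get("Condition", {}).values() for key in block)
        for action in actions:
            if action in CONDITION_KEYS:
                findings.append(f"stmt {i}: {action} is a condition key, not an action")
                continue
            if "*" in resources and not _is_read_only(action):
                findings.append(f"stmt {i}: {action} allowed on every resource")
            created = CREATE_ACTIONS.get(action)
            # Only flag when the statement covers the created resource type
            # itself; permission on the parent VPC or subnet is expected.
            if created and not request_tagged and any(
                    r == "*" or created in r for r in resources):
                findings.append(f"stmt {i}: {action} may create untagged resources")
    return findings


def audit_policy_json(document: str) -> list[str]:
    """Same check for the JSON text you would pass to aws iam create-policy."""
    return audit_policy(json.loads(document))


# Constructed subset of the page's default API policy: one statement on "*".
DEFAULT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:DescribeInstances", "ec2:CreateSecurityGroup",
                   "ec2:RunInstances", "iam:AWSServiceName", "iam:PassRole"],
        "Resource": "*",
    }],
}

# Constructed subset of the page's tag-scoped API and IAM policies.
TAG_SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:CreateSecurityGroup"],
         "Resource": ["arn:aws:ec2:*:*:security-group/*"],
         "Condition": {"StringEquals": {
             "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"}}},
        # The VPC is the parent resource; the tag lives on the security group.
        {"Effect": "Allow", "Action": ["ec2:CreateSecurityGroup"],
         "Resource": ["arn:aws:ec2:*:*:vpc/*"]},
        {"Effect": "Allow",
         "Action": ["ec2:AuthorizeSecurityGroupIngress", "ec2:DeleteSecurityGroup"],
         "Resource": ["arn:aws:ec2:*:*:security-group/*"],
         "Condition": {"StringEquals": {
             "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"}}},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:aws:iam::*:role/*"],
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    ],
}

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("tag-scoped", TAG_SCOPED_POLICY)):
        print(name, audit_policy(policy) or ["no findings"])
```

The audit is a heuristic, not an IAM simulator: it does not know which actions support resource-level permissions, so a Describe* action on "*" is accepted by name prefix, and a finding on a mutating action is a prompt to check whether that action could have been scoped as the tag-scoped policy shows.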

Create additional policies for tag-based access

If you use tags to restrict access, create the additional policies by following these steps. If you use the default policy, skip to Attach policies to the GKE Multi-Cloud API role.

  1. Create a policy that controls access to AWS IAM with the following command:

    aws iam create-policy --policy-name API_POLICY_iam \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["iam:CreateServiceLinkedRole"],
          "Resource": [
            "arn:aws:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
          ],
          "Condition": {
            "StringEquals": {
              "iam:AWSServiceName": "autoscaling.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": ["iam:CreateServiceLinkedRole"],
          "Resource": [
            "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
          ],
          "Condition": {
            "StringEquals": {
              "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": ["arn:aws:iam::*:role/*"],
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": "ec2.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": ["iam:GetInstanceProfile"],
          "Resource": ["arn:aws:iam::*:instance-profile/*"]
        }
      ]
    }'

    The iam:PassedToService condition matters: without it, this role could pass any role in the account to any service, not only to EC2 instances it launches.

  2. Create a policy that controls access to AWS EC2 Auto Scaling resources with the following command:

    aws iam create-policy --policy-name API_POLICY_autoscaling \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["autoscaling:DescribeAutoScalingGroups"],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:CreateAutoScalingGroup",
            "autoscaling:CreateOrUpdateTags"
          ],
          "Resource": [
            "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:CreateOrUpdateTags",
            "autoscaling:DeleteAutoScalingGroup",
            "autoscaling:DeleteTags",
            "autoscaling:DisableMetricsCollection",
            "autoscaling:EnableMetricsCollection",
            "autoscaling:TerminateInstanceInAutoScalingGroup",
            "autoscaling:UpdateAutoScalingGroup"
          ],
          "Resource": [
            "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        }
      ]
    }'

    Save the ARN that this command returns; you need it later.

  3. Create a policy that controls access to AWS Elastic Load Balancing resources.

    aws iam create-policy --policy-name API_POLICY_elasticloadbalancing \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeTargetHealth"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:CreateTargetGroup",
            "elasticloadbalancing:AddTags"
          ],
          "Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/gke-*"],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:DeleteTargetGroup",
            "elasticloadbalancing:ModifyTargetGroupAttributes",
            "elasticloadbalancing:RemoveTags"
          ],
          "Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/gke-*"],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:CreateListener",
            "elasticloadbalancing:CreateLoadBalancer",
            "elasticloadbalancing:AddTags"
          ],
          "Resource": [
            "arn:aws:elasticloadbalancing:*:*:listener/net/gke-*",
            "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/gke-*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:DeleteListener",
            "elasticloadbalancing:DeleteLoadBalancer",
            "elasticloadbalancing:RemoveTags"
          ],
          "Resource": [
            "arn:aws:elasticloadbalancing:*:*:listener/net/gke-*",
            "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/gke-*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        }
      ]
    }'

    Save the ARN that this command returns; you need it later.

  4. Create a policy that controls access to AWS Key Management Service resources.

    For more information about per-key permissions, see Create a KMS key with specific permissions.

    aws iam create-policy --policy-name API_POLICY_kms \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:DescribeKey"],
          "Resource": ["arn:aws:kms:*:*:key/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["kms:Encrypt"],
          "Resource": CONTROL_PLANE_CONFIG_KMS_KEY_ARN
        },
        {
          "Effect": "Allow",
          "Action": ["kms:Encrypt"],
          "Resource": NODE_POOL_CONFIG_KMS_KEY_ARN
        },
        {
          "Effect": "Allow",
          "Action": ["kms:GenerateDataKeyWithoutPlaintext"],
          "Resource": CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN
        }
      ]
    }'

    Replace the following. Each placeholder stands for a quoted JSON string holding the key ARN, of the form "arn:aws:kms:AWS_REGION:ACCOUNT_ID:key/KEY_ID", or a JSON array of such strings if you use more than one key; the document is not valid JSON until the placeholders are replaced.

    • CONTROL_PLANE_CONFIG_KMS_KEY_ARN: the ARN of the KMS key that encrypts the control plane configuration
    • NODE_POOL_CONFIG_KMS_KEY_ARN: the ARN of the KMS key that encrypts the node pool configuration
    • CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN: the ARN of the KMS key that encrypts the control plane main volume

    Save the ARN that this command returns; you need it later.

Attach policies to the GKE Multi-Cloud API role

For each policy that you created in the previous steps, run the following command to attach the policy to the GKE Multi-Cloud API role:

aws iam attach-role-policy \
    --policy-arn API_POLICY_ARN \
    --role-name API_ROLE

Replace the following:

  • API_POLICY_ARN: the ARN of one of the API policies you created earlier (run the command once per policy)
  • API_ROLE: the name of the GKE Multi-Cloud API service agent role

Create a cluster or node pool

If you created roles and policies that are scoped to tagged resources, you must specify the tag when you create a cluster or node pool. You do this with the --tags parameter of the cluster and node pool create commands; without it, the tag-conditioned statements do not match and the create operation is denied.

Create a cluster

To create a cluster, follow the instructions in Create a cluster and include the --tags parameter, as shown:

gcloud container aws clusters create CLUSTER_NAME \
    ...
    --tags="ACCESS_CONTROL_TAG_KEY=ACCESS_CONTROL_TAG_VALUE"

Replace the following:

  • ACCESS_CONTROL_TAG_KEY: the tag key that the policy applies to
  • ACCESS_CONTROL_TAG_VALUE: the tag value that the policy applies to

Create a node pool

To create a node pool, follow the instructions in Create a node pool and include the --tags parameter, as shown:

gcloud container aws node-pools create NODE_POOL_NAME \
    ...
    --tags "ACCESS_CONTROL_TAG_KEY=ACCESS_CONTROL_TAG_VALUE"

Replace the following:

  • ACCESS_CONTROL_TAG_KEY: the tag key that the policy applies to
  • ACCESS_CONTROL_TAG_VALUE: the tag value that the policy applies to

Create the control plane role

To create the control plane role with default permissions, follow these steps:

  1. To create the role, run the following command:

    aws iam create-role --role-name CONTROL_PLANE_ROLE \
        --assume-role-policy-document '{
        "Version": "2012-10-17",
        "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                 "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
      ]
    }'

    Replace CONTROL_PLANE_ROLE with a name for the control plane role.

  2. Create an IAM policy for this role. If you created multiple KMS keys for database and configuration encryption, replace the corresponding placeholder with a JSON array of quoted key ARNs rather than a single quoted string.

    Choose Direct if the control plane connects directly, or Direct (with tags) for the per-service, resource-scoped variant of the same permissions.

    Direct

    aws iam create-policy --policy-name CONTROL_PLANE_POLICY \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": [
            "ec2:AttachNetworkInterface",
            "ec2:AttachVolume",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateRoute",
            "ec2:CreateSecurityGroup",
            "ec2:CreateSnapshot",
            "ec2:CreateTags",
            "ec2:CreateVolume",
            "ec2:DeleteRoute",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteSnapshot",
            "ec2:DeleteTags",
            "ec2:DeleteVolume",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceTypes",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeLaunchTemplateVersions",
            "ec2:DescribeRegions",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSnapshots",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVolumes",
            "ec2:DescribeVolumesModifications",
            "ec2:DescribeVpcs",
            "ec2:DetachVolume",
            "ec2:ModifyInstanceAttribute",
            "ec2:ModifyVolume",
            "ec2:RevokeSecurityGroupIngress",
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeAutoScalingInstances",
            "autoscaling:DescribeLaunchConfigurations",
            "autoscaling:DescribeTags",
            "autoscaling:SetDesiredCapacity",
            "autoscaling:TerminateInstanceInAutoScalingGroup",
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
            "elasticloadbalancing:AttachLoadBalancerToSubnets",
            "elasticloadbalancing:ConfigureHealthCheck",
            "elasticloadbalancing:CreateListener",
            "elasticloadbalancing:CreateLoadBalancer",
            "elasticloadbalancing:CreateLoadBalancerListeners",
            "elasticloadbalancing:CreateLoadBalancerPolicy",
            "elasticloadbalancing:CreateTargetGroup",
            "elasticloadbalancing:DeleteListener",
            "elasticloadbalancing:DeleteLoadBalancer",
            "elasticloadbalancing:DeleteLoadBalancerListeners",
            "elasticloadbalancing:DeleteTargetGroup",
            "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
            "elasticloadbalancing:DeregisterTargets",
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeLoadBalancerAttributes",
            "elasticloadbalancing:DescribeLoadBalancerPolicies",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeTargetHealth",
            "elasticloadbalancing:DetachLoadBalancerFromSubnets",
            "elasticloadbalancing:ModifyListener",
            "elasticloadbalancing:ModifyLoadBalancerAttributes",
            "elasticloadbalancing:ModifyTargetGroup",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
            "elasticloadbalancing:RegisterTargets",
            "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
            "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
            "elasticfilesystem:CreateAccessPoint",
            "elasticfilesystem:DeleteAccessPoint",
            "elasticfilesystem:DescribeAccessPoints",
            "elasticfilesystem:DescribeFileSystems",
            "elasticfilesystem:DescribeMountTargets",
            "kms:CreateGrant",
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GrantIsForAWSResource"
          ],
          "Resource": "*"
        }
      ]
    }'

    Replace the following:

    • CONTROL_PLANE_POLICY: a name for the control plane policy

    Note that kms:GrantIsForAWSResource in the action list is a condition key, not an API action, and grants nothing here; the Direct (with tags) variant uses it correctly, as a condition on kms:CreateGrant.

    Direct (with tags)

    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_autoscaling \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeAutoScalingInstances",
            "autoscaling:DescribeLaunchConfigurations",
            "autoscaling:DescribeTags"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:SetDesiredCapacity",
            "autoscaling:TerminateInstanceInAutoScalingGroup"
          ],
          "Resource": [
            "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        }
      ]
    }'

    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_ec2 \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceTypes",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeLaunchTemplateVersions",
            "ec2:DescribeRegions",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSnapshots",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVolumes",
            "ec2:DescribeVolumesModifications",
            "ec2:DescribeVpcs"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:AttachNetworkInterface"],
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:network-interface/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:CreateVolume",
            "ec2:CreateTags",
            "ec2:AttachVolume",
            "ec2:DeleteVolume",
            "ec2:DetachVolume",
            "ec2:ModifyVolume"
          ],
          "Resource": ["arn:aws:ec2:*:*:volume/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
          "Resource": ["arn:aws:ec2:*:*:instance/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:CreateSecurityGroup", "ec2:CreateTags"],
          "Resource": ["arn:aws:ec2:*:*:security-group/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:CreateSecurityGroup"],
          "Resource": ["arn:aws:ec2:*:*:vpc/*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:DeleteSecurityGroup",
            "ec2:RevokeSecurityGroupIngress"
          ],
          "Resource": ["arn:aws:ec2:*:*:security-group/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:CreateSnapshot", "ec2:CreateTags", "ec2:DeleteSnapshot"],
          "Resource": ["arn:aws:ec2:*:*:snapshot/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:CreateSnapshot"],
          "Resource": ["arn:aws:ec2:*:*:volume/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:CreateRoute", "ec2:DeleteRoute"],
          "Resource": ["arn:aws:ec2:*:*:route-table/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:ModifyInstanceAttribute"],
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:security-group/*",
            "arn:aws:ec2:*:*:volume/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:DeleteTags"],
          "Resource": [
            "arn:aws:ec2:*:*:security-group/*",
            "arn:aws:ec2:*:*:snapshot/*",
            "arn:aws:ec2:*:*:volume/*"
          ]
        }
      ]
    }'

    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_elasticloadbalancing \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeLoadBalancerAttributes",
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeLoadBalancerPolicies",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeTargetHealth"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:AttachLoadBalancerToSubnets",
            "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
            "elasticloadbalancing:CreateListener",
            "elasticloadbalancing:CreateLoadBalancer",
            "elasticloadbalancing:CreateLoadBalancerPolicy",
            "elasticloadbalancing:CreateLoadBalancerListeners",
            "elasticloadbalancing:ConfigureHealthCheck",
            "elasticloadbalancing:DeleteLoadBalancer",
            "elasticloadbalancing:DeleteLoadBalancerListeners",
            "elasticloadbalancing:DetachLoadBalancerFromSubnets",
            "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
            "elasticloadbalancing:ModifyLoadBalancerAttributes",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
            "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
            "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
          ],
          "Resource": ["arn:aws:elasticloadbalancing:*:*:loadbalancer/*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:CreateTargetGroup",
            "elasticloadbalancing:DeleteTargetGroup",
            "elasticloadbalancing:DeregisterTargets",
            "elasticloadbalancing:ModifyTargetGroup",
            "elasticloadbalancing:RegisterTargets"
          ],
          "Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:DeleteListener",
            "elasticloadbalancing:ModifyListener"
          ],
          "Resource": ["arn:aws:elasticloadbalancing:*:*:listener/*"]
        }
      ]
    }'

    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_elasticfilesystem \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticfilesystem:DescribeAccessPoints",
            "elasticfilesystem:DescribeFileSystems",
            "elasticfilesystem:DescribeMountTargets"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticfilesystem:CreateAccessPoint"
          ],
          "Resource": [
            "arn:aws:elasticfilesystem:*:*:file-system/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticfilesystem:DeleteAccessPoint"
          ],
          "Resource": [
            "arn:aws:elasticfilesystem:*:*:access-point/*"
          ]
        }
      ]
    }'

    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_kms \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:Decrypt", "kms:Encrypt"],
          "Resource": DATABASE_KMS_KEY_ARN
        },
        {
          "Effect": "Allow",
          "Action": ["kms:Decrypt"],
          "Resource": CONTROL_PLANE_CONFIG_KMS_KEY_ARN
        },
        {
          "Effect": "Allow",
          "Action": ["kms:CreateGrant"],
          "Resource": CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN,
          "Condition": {
            "Bool": {
              "kms:GrantIsForAWSResource": "true"
            }
          }
        }
      ]
    }'

    Replace the following. The KMS placeholders each stand for a quoted JSON string holding a key ARN, or a JSON array of such strings for multiple keys.

    • CONTROL_PLANE_POLICY: the prefix for the control plane policy names
    • ACCESS_CONTROL_TAG_KEY: the tag key that the policy applies to
    • ACCESS_CONTROL_TAG_VALUE: the tag value that the policy applies to
    • DATABASE_KMS_KEY_ARN: the ARN of the KMS key that encrypts the cluster database
    • CONTROL_PLANE_CONFIG_KMS_KEY_ARN: the ARN of the KMS key that encrypts the control plane configuration
    • CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN: the ARN of the KMS key that encrypts the control plane main volume

    Copy each Policy.Arn value for use in the later commands.

  3. If you use an HTTP proxy, create an additional policy for AWS Secrets Manager.

    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_secretsmanager \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue"
          ],
          "Resource": PROXY_CONFIG_ARN
        }
      ]
    }'

    Replace the following:

    • PROXY_CONFIG_ARN: the ARN of the Secrets Manager secret that holds the proxy configuration, as a quoted JSON string. For more information, see Create a proxy configuration.

    Copy the Policy.Arn value for use in the next command.

  4. Attach each new policy to the role. Run the command once for every Policy.Arn from the previous steps.

    aws iam attach-role-policy \
        --policy-arn CONTROL_PLANE_POLICY_ARN \
        --role-name CONTROL_PLANE_ROLE

    Replace the following:

    • CONTROL_PLANE_ROLE: the name of the control plane role
    • CONTROL_PLANE_POLICY_ARN: a Policy.Arn value from the previous commands

  5. To create an IAM instance profile, run the following command.

    aws iam create-instance-profile \
        --instance-profile-name CONTROL_PLANE_PROFILE

    Replace CONTROL_PLANE_PROFILE with a name for the GKE Multi-Cloud control plane profile.

  6. Finally, add the new role to the instance profile you just created.

    aws iam add-role-to-instance-profile \
        --instance-profile-name CONTROL_PLANE_PROFILE \
        --role-name CONTROL_PLANE_ROLE

    Replace the following:

    • CONTROL_PLANE_PROFILE: the name of the control plane instance profile
    • CONTROL_PLANE_ROLE: the name of the control plane role

    You use the instance profile name that you chose here later, during cluster creation.
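The KMS policies in step 2 (like the API and node pool KMS policies elsewhere on this page) use bare placeholders such as DATABASE_KMS_KEY_ARN in the Resource field, which is not valid JSON until each is replaced by a quoted ARN string or an array of them. As an added example, not code from the page, the Python below renders the CONTROL_PLANE_POLICY_kms template from a mapping of placeholder to key ARNs, validates that every value is a KMS key ARN and that nothing is left unfilled, and checks that kms:CreateGrant keeps its kms:GrantIsForAWSResource condition. The key ARNs are constructed samples.

```python
import json
import re

# Added example, not code from the GKE on AWS docs. The template copies the
# page's CONTROL_PLANE_POLICY_kms document; the key ARNs are constructed.
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")
PLACEHOLDER = re.compile(r"\b[A-Z][A-Z0-9_]*_ARN\b")

CONTROL_PLANE_KMS_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:Encrypt"],
     "Resource": DATABASE_KMS_KEY_ARN},
    {"Effect": "Allow", "Action": ["kms:Decrypt"],
     "Resource": CONTROL_PLANE_CONFIG_KMS_KEY_ARN},
    {"Effect": "Allow", "Action": ["kms:CreateGrant"],
     "Resource": CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN,
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}}
  ]
}"""

# Constructed sample key ARNs (not real keys).
SAMPLE_DB_KEY = "arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555"
SAMPLE_DB_KEY_2 = "arn:aws:kms:us-east-1:123456789012:key/66666666-7777-8888-9999-000000000000"
SAMPLE_CONFIG_KEY = "arn:aws:kms:us-east-1:123456789012:key/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_VOLUME_KEY = "arn:aws:kms:us-east-1:123456789012:key/ffffffff-0000-1111-2222-333333333333"


def render_policy(template: str, keys: dict[str, list[str]]) -> dict:
    """Fill every placeholder in `template` and return the parsed policy.
    Raises ValueError for a malformed ARN or an unfilled placeholder."""
    text = template
    for name, arns in keys.items():
        bad = [a for a in arns if not KMS_KEY_ARN.match(a)]
        if bad:
            raise ValueError(f"{name}: not a KMS key ARN: {bad}")
        # json.dumps yields a quoted string for one key, an array for several.
        value = json.dumps(arns[0] if len(arns) == 1 else arns)
        text = re.sub(rf"\b{re.escape(name)}\b", lambda _m, v=value: v, text)
    leftover = sorted(set(PLACEHOLDER.findall(text)))
    if leftover:
        raise ValueError(f"unfilled placeholders: {leftover}")
    return json.loads(text)  # fails here rather than inside create-policy


def render_policy_json(template: str, keys: dict[str, list[str]]) -> str:
    """The text to write to a file and pass as --policy-document file://..."""
    return json.dumps(render_policy(template, keys), indent=2)


def kms_statement_problems(policy: dict) -> list[str]:
    """Flag KMS statements that are not pinned to specific keys, and a
    kms:CreateGrant that is not limited to grants made for AWS services."""
    problems = []
    for i, stmt in enumerate(policy["Statement"]):
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for r in resources:
            if not KMS_KEY_ARN.match(r):
                problems.append(f"stmt {i}: resource {r!r} is not a single key ARN")
        grant_ok = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource") == "true"
        if "kms:CreateGrant" in actions and not grant_ok:
            problems.append(f"stmt {i}: kms:CreateGrant without kms:GrantIsForAWSResource")
    return problems


if __name__ == "__main__":
    policy = render_policy(CONTROL_PLANE_KMS_TEMPLATE, {
        "DATABASE_KMS_KEY_ARN": [SAMPLE_DB_KEY, SAMPLE_DB_KEY_2],  # two database keys
        "CONTROL_PLANE_CONFIG_KMS_KEY_ARN": [SAMPLE_CONFIG_KEY],
        "CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN": [SAMPLE_VOLUME_KEY],
    })
    print(json.dumps(policy, indent=2))
    print(kms_statement_problems(policy) or "no problems")
```

The same render_policy call works for the API_POLICY_kms and NODE_POOL_POLICY_kms templates on this page once their text is passed in, and kms_statement_problems is the check to run when someone proposes widening a key policy to "*": the kms:GrantIsForAWSResource condition is what stops the control plane role from creating grants for arbitrary principals on the volume key.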

Create the node pool role

To create the node pool role with default permissions, follow these steps:

  1. Create the role that the VMs in the node pool use.

    aws iam create-role --role-name NODE_POOL_ROLE \
        --assume-role-policy-document '{
        "Version": "2012-10-17",
        "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
            "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
      ]
    }'

    Replace NODE_POOL_ROLE with a name for the node pool role.

  2. Create the policies that grant the node pool VMs the permissions they need. Choose whether the nodes connect to the control plane directly or through an HTTP proxy.

    Direct

    aws iam create-policy --policy-name NODE_POOL_POLICY_kms \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:Decrypt"],
          "Resource": NODE_POOL_CONFIG_KMS_KEY_ARN
        }
      ]
    }'

    Replace the following:

    • NODE_POOL_POLICY: the prefix for the node pool policy names.
    • NODE_POOL_CONFIG_KMS_KEY_ARN: the ARN of the KMS key that encrypts the node pool configuration, as a quoted JSON string.

    HTTP proxy

    aws iam create-policy --policy-name NODE_POOL_POLICY_kms \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:Decrypt"],
          "Resource": NODE_POOL_CONFIG_KMS_KEY_ARN
        }
      ]
    }'

    aws iam create-policy --policy-name NODE_POOL_POLICY_secretsmanager \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue"
          ],
          "Resource": PROXY_CONFIG_ARN
        }
      ]
    }'

    Replace the following:

    • NODE_POOL_CONFIG_KMS_KEY_ARN: the ARN of the KMS key that encrypts the node pool configuration, as a quoted JSON string.
    • NODE_POOL_POLICY: the prefix for the node pool policy names.
    • PROXY_CONFIG_ARN: the ARN of the Secrets Manager secret that holds the proxy configuration, as a quoted JSON string. For more information, see Create a proxy configuration.

    Copy each Policy.Arn value for use in the next command.

  3. Attach each policy to the role.

    aws iam attach-role-policy --role-name NODE_POOL_ROLE \
        --policy-arn "NODE_POOL_POLICY_ARN"

    Replace the following:

    • NODE_POOL_ROLE: the name of the node pool role.
    • NODE_POOL_POLICY_ARN: a Policy.Arn value from the previous command (run the command once per policy).

  4. If your workloads pull images from Amazon ECR, attach the matching ECR access policy:

    Public registry

    Create a policy with the following permissions:

      aws iam create-policy --policy-name NODE_POOL_POLICY_ecr \
        --policy-document '{
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ecr-public:GetAuthorizationToken",
              "sts:GetServiceBearerToken"
            ],
            "Resource": "*"
          }
        ]
      }'

    Copy the Policy.Arn value as NODE_POOL_ECR_POLICY_ARN.

    Attach it to the node pool role you created:

    aws iam attach-role-policy --role-name NODE_POOL_ROLE \
        --policy-arn "NODE_POOL_ECR_POLICY_ARN"

    Replace the following:

    • NODE_POOL_ROLE: the name of the node pool role.
    • NODE_POOL_ECR_POLICY_ARN: the Policy.Arn value from the previous command.

    Private registry

    Attach the AWS managed policy AmazonEC2ContainerRegistryReadOnly to the node pool role to allow access to private registries. It grants read-only pull access to every ECR repository in the account; if you need to limit nodes to specific repositories, write a customer managed policy instead.

    aws iam attach-role-policy --role-name NODE_POOL_ROLE \
        --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly

    Replace NODE_POOL_ROLE with the name of the node pool role.

  5. Create an instance profile for this role.

    aws iam create-instance-profile \
        --instance-profile-name NODE_POOL_PROFILE

    Replace NODE_POOL_PROFILE with a name for the node pool profile.

  6. Add the new role to the instance profile.

    aws iam add-role-to-instance-profile \
        --instance-profile-name NODE_POOL_PROFILE \
        --role-name NODE_POOL_ROLE

    Replace the following:

    • NODE_POOL_PROFILE: the name of the node pool instance profile.
    • NODE_POOL_ROLE: the name of the node pool role.

What's next