Go module ``ack-ram-tool`` v0.9.0, published Dec 28, 2022, license Apache-2.0

ack-ram-tool
=============

A command line utility and library for using the RAM, credential and permission related features of Alibaba Cloud Container Service for Kubernetes (ACK).

.. contents::

`Chinese documentation (中文文档) <README.zh-cn.rst>`__

Installation
--------------

You can download the latest release from `Releases <https://github.com/AliyunContainerService/ack-ram-tool/releases>`__ page.


Credential
-------------

You can reuse the ``~/.aliyun/config.json`` file of the aliyun CLI (for detailed configuration instructions, see
`Configure Alibaba Cloud CLI <https://www.alibabacloud.com/help/doc-detail/110341.htm>`__).


Or use ``~/.alibabacloud/credentials`` file (this path can be overridden using the ``--profile-file`` flag):

.. code-block:: shell

    $ cat ~/.alibabacloud/credentials

    [default]
    type = access_key
    access_key_id = foo
    access_key_secret = bar

Or environment variables (the credential-related environment variables of the `aliyun cli <https://github.com/aliyun/aliyun-cli#support-for-environment-variables>`__ are also supported):

.. code-block:: shell

    # access key id
    $ export ALIBABA_CLOUD_ACCESS_KEY_ID=foo
    # access key secret
    $ export ALIBABA_CLOUD_ACCESS_KEY_SECRET=bar
    # sts token (optional)
    $ export ALIBABA_CLOUD_SECURITY_TOKEN=foobar

    # or use credentials URI: https://github.com/aliyun/aliyun-cli#use-credentials-uri
    $ export ALIBABA_CLOUD_CREDENTIALS_URI=http://localhost:6666/?user=jacksontian


Usage
--------


kubectl/client-go credential plugin
+++++++++++++++++++++++++++++++++++++

A `kubectl/client-go credential plugin <https://kubernetes.io/docs/reference/access-authn-authz/authentication/#client-go-credential-plugins>`__ for ACK.

Get a kubeconfig with exec credential plugin format:

.. code-block:: shell

    ack-ram-tool credential-plugin get-kubeconfig --cluster-id <clusterId> > kubeconfig


Use this kubeconfig to access cluster:

.. code-block:: shell

    kubectl --kubeconfig=kubeconfig get ns


Remove cached credentials:

.. code-block:: shell

    rm ~/.kube/cache/ack-ram-tool/credential-plugin/*.json
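
What the kubeconfig above drives: a client-go credential plugin is a program that kubectl executes, and its stdout must be an ``ExecCredential`` JSON document (``apiVersion: client.authentication.k8s.io/v1``); kubectl reuses the result until ``expirationTimestamp`` passes, then runs the plugin again. The Go program below is an added illustration, not ack-ram-tool's own code. It builds such a document for a bearer token and shows the staleness check a cache reader should make before replaying a stored credential. The layout of the cache files under ``~/.kube/cache/ack-ram-tool/credential-plugin/`` is assumed to be an ``ExecCredential`` here, and the placeholder token and expiry are constructed:

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"time"
)

// ExecCredential mirrors client.authentication.k8s.io/v1 ExecCredential, the
// document a credential plugin writes to stdout for kubectl/client-go. A plugin
// may return either a bearer token or a client certificate/key pair.
type ExecCredential struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Status     struct {
		Token                 string `json:"token,omitempty"`
		ClientCertificateData string `json:"clientCertificateData,omitempty"`
		ClientKeyData         string `json:"clientKeyData,omitempty"`
		// RFC 3339; client-go re-runs the plugin once this time has passed.
		ExpirationTimestamp string `json:"expirationTimestamp,omitempty"`
	} `json:"status"`
}

// NewTokenCredential builds the document for a bearer token valid until exp.
func NewTokenCredential(token string, exp time.Time) ExecCredential {
	var c ExecCredential
	c.APIVersion = "client.authentication.k8s.io/v1"
	c.Kind = "ExecCredential"
	c.Status.Token = token
	c.Status.ExpirationTimestamp = exp.UTC().Format(time.RFC3339)
	return c
}

// Usable decides whether a cached ExecCredential (assumed layout of the files
// under ~/.kube/cache/ack-ram-tool/credential-plugin/) may be replayed to
// kubectl at time now. Anything unparsable, of another kind, without an
// expiration, or expiring within skew is rejected so the caller refreshes it
// instead of handing out a credential of unknown lifetime.
func Usable(raw []byte, now time.Time, skew time.Duration) (ExecCredential, bool) {
	var c ExecCredential
	if err := json.Unmarshal(raw, &c); err != nil {
		return c, false
	}
	if c.Kind != "ExecCredential" || c.Status.ExpirationTimestamp == "" {
		return c, false
	}
	exp, err := time.Parse(time.RFC3339, c.Status.ExpirationTimestamp)
	if err != nil || !now.Add(skew).Before(exp) {
		return c, false
	}
	return c, true
}

func main() {
	// Constructed sample: a placeholder token that expires in one hour.
	cred := NewTokenCredential("sts-token-placeholder", time.Now().Add(time.Hour))
	out, err := json.MarshalIndent(cred, "", "  ")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(string(out)) // what kubectl would read from the plugin's stdout
	if _, ok := Usable(out, time.Now(), 5*time.Minute); !ok {
		fmt.Fprintln(os.Stderr, "cached credential is stale; run the plugin again")
		os.Exit(1)
	}
}
```

The cache directory is a credential store in its own right: each JSON file holds a live token or key that kubectl will replay until it expires, which is why the ``rm`` above is the right cleanup when a workstation changes hands or a RAM identity is rotated.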



RAM Roles for Service Accounts (RRSA)
++++++++++++++++++++++++++++++++++++++++

Enable `RRSA feature <https://www.alibabacloud.com/help/doc-detail/356611.html>`__ :

.. code-block:: shell

    $ ack-ram-tool rrsa enable -c <clusterId>

    ? Are you sure you want to enable RRSA feature? Yes
    Enable RRSA feature for cluster c86fdd*** successfully



Check status of RRSA feature:

.. code-block:: shell

    $ ack-ram-tool rrsa status -c <clusterId>

    RRSA feature:          enabled
    OIDC Provider Name:    ack-rrsa-c86fdd***
    OIDC Provider Arn:     acs:ram::18***:oidc-provider/ack-rrsa-c86fdd***
    OIDC Token Issuer:     https://oidc-ack-***/c86fdd***


Associate a RAM Role with a service account (pass the ``--create-role-if-not-exist`` flag to
create the RAM Role automatically when it does not exist):

.. code-block:: shell

    $ ack-ram-tool rrsa associate-role --create-role-if-not-exist \
        -c <clusterId> -r <roleName> -n <namespace> -s <serviceAccount>

    ? Are you sure you want to associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace)? Yes
    Will change the assumeRolePolicyDocument of RAM Role test-rrsa with blow content:
    {
      "Statement": [
       {
        "Action": "sts:AssumeRole",
        "Effect": "Allow",
        "Principal": {
         "RAM": [
          "acs:ram::18***:root"
         ]
        }
       },
       {
        "Action": "sts:AssumeRole",
        "Condition": {
         "StringEquals": {
          "oidc:aud": "sts.aliyuncs.com",
          "oidc:iss": "https://oidc-ack-**/c86fdd***",
          "oidc:sub": "system:serviceaccount:test-namespace:test-serviceaccount"
         }
        },
        "Effect": "Allow",
        "Principal": {
         "Federated": [
          "acs:ram::18***:oidc-provider/ack-rrsa-c86fdd***"
         ]
        }
       }
      ],
      "Version": "1"
     }
    ? Are you sure you want to associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace)? Yes
    Associate RAM Role test-rrsa to service account test-serviceaccount (namespace: test-namespace) successfully


Test assuming the role with a given OIDC token:

.. code-block:: shell

    $ ack-ram-tool rrsa assume-role -r <roleArn> -p <oidcProviderArn> -t <oidcTokenFile>

    Retrieved a STS token:
    AccessKeyId:       STS.***
    AccessKeySecret:   7UVy***
    SecurityToken:     CAIS***
    Expiration:        2021-12-03T05:51:37Z
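
Two things in the policy printed by ``associate-role`` are worth reading closely. The second statement is what makes RRSA precise: RAM lets the federated principal (the cluster's OIDC provider) assume the role only when the token's ``iss``, ``aud`` and ``sub`` claims equal the listed values, so a token projected into any other namespace or service account is refused. The first statement, with Principal ``acs:ram::18***:root``, is separate account-level trust: any RAM user or role in that account that holds ``sts:AssumeRole`` permission can also assume the role, so check whether that statement is wanted for a role that exists only for one workload. The Go program below is an added example, not ack-ram-tool code: it builds the OIDC statement for a namespace/service-account pair and evaluates a token's claims against it the way the ``StringEquals`` conditions do, which is also how to debug a failing ``assume-role`` (decode the payload of the token file passed with ``-t`` and compare its claims with the policy). The provider ARN, issuer and claim values are constructed, and signature and expiry verification of the token are assumed to happen elsewhere:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and TrustPolicy mirror the assumeRolePolicyDocument printed above.
type Statement struct {
	Action    string                       `json:"Action"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
	Effect    string                       `json:"Effect"`
	Principal map[string][]string          `json:"Principal"`
}

type TrustPolicy struct {
	Statement []Statement `json:"Statement"`
	Version   string      `json:"Version"`
}

// OIDCStatement binds exactly one service account (namespace/sa) to the role via
// the cluster's OIDC provider; all three conditions are StringEquals, no wildcards.
func OIDCStatement(providerArn, issuer, namespace, sa string) Statement {
	return Statement{
		Action: "sts:AssumeRole",
		Condition: map[string]map[string]string{"StringEquals": {
			"oidc:aud": "sts.aliyuncs.com",
			"oidc:iss": issuer,
			"oidc:sub": fmt.Sprintf("system:serviceaccount:%s:%s", namespace, sa),
		}},
		Effect:    "Allow",
		Principal: map[string][]string{"Federated": {providerArn}},
	}
}

// Allowed reports whether some Allow statement naming providerArn as a Federated
// principal has every one of its StringEquals conditions satisfied by the token's
// claims. Signature and expiry checks on the token are assumed to have passed.
func Allowed(p TrustPolicy, providerArn string, claims map[string]any) bool {
	for _, s := range p.Statement {
		if s.Effect != "Allow" || s.Action != "sts:AssumeRole" {
			continue
		}
		for _, fed := range s.Principal["Federated"] {
			if fed == providerArn && matchAll(s.Condition["StringEquals"], claims) {
				return true
			}
		}
	}
	return false
}

// matchAll maps each "oidc:<claim>" key onto the token claim of that name.
func matchAll(cond map[string]string, claims map[string]any) bool {
	for key, want := range cond {
		if !equalsAny(claims[strings.TrimPrefix(key, "oidc:")], want) {
			return false
		}
	}
	return true
}

// equalsAny accepts a string claim or an array claim (a JWT's aud may be either);
// an absent claim or any other shape fails the condition.
func equalsAny(v any, want string) bool {
	switch x := v.(type) {
	case string:
		return x == want
	case []any:
		for _, e := range x {
			if e == want {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed identifiers; real values come from `ack-ram-tool rrsa status`.
	provider := "acs:ram::123456789012:oidc-provider/ack-rrsa-c0ffee"
	issuer := "https://oidc-ack.example.invalid/c0ffee"
	policy := TrustPolicy{Version: "1", Statement: []Statement{
		OIDCStatement(provider, issuer, "test-namespace", "test-serviceaccount"),
	}}
	doc, _ := json.MarshalIndent(policy, "", " ")
	fmt.Println(string(doc))
	// Claims as they would appear in the projected token of each service account.
	for _, sub := range []string{
		"system:serviceaccount:test-namespace:test-serviceaccount",
		"system:serviceaccount:test-namespace:other-serviceaccount",
	} {
		claims := map[string]any{"iss": issuer, "aud": "sts.aliyuncs.com", "sub": sub}
		fmt.Printf("%s -> allowed=%v\n", sub, Allowed(policy, provider, claims))
	}
}
```

Because Go marshals map keys in sorted order, the printed policy has the same key ordering as the tool's output, which makes a side-by-side diff of the two documents straightforward when an ``assume-role`` call is unexpectedly denied.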


The ``setup-addon`` command sets up, in one step, the RAM-related configuration a cluster component
needs in order to use the RRSA feature.
For example, to prepare the RAM configuration for the ``kritis-validation-hook`` component
(this must be done before installing the component):

.. code-block:: shell

    ack-ram-tool rrsa setup-addon --addon-name kritis-validation-hook -c <clusterId>


Disable RRSA feature:

.. code-block:: shell

    $ ack-ram-tool rrsa disable -c <clusterId>

    ? Are you sure you want to disable RRSA feature? Yes
    Disable RRSA feature for cluster c86fdd*** successfully
