ROSA Classic operator policies - Red Hat OpenShift Service on AWS

This document is a machine translation of the English version. If there is any ambiguity or inconsistency in the content, the English version takes precedence.

ROSA Classic operator policies

This section provides details about the operator policies that ROSA Classic requires. You must attach these policies to the relevant operator roles before you can create a ROSA Classic cluster. Each cluster requires its own unique set of operator roles.

These permissions are required so that the OpenShift operators can manage ROSA Classic cluster nodes. You can assign a custom prefix to the policy names to simplify policy management (for example, ManagedOpenShift-openshift-ingress-operator-cloud-credentials).

[Prefix]-openshift-ingress-operator-cloud-credentials

You can attach [Prefix]-openshift-ingress-operator-cloud-credentials to your IAM entities. This policy grants the Ingress Operator the permissions it needs to provision and manage load balancers and DNS configuration for external cluster access. It also allows the Ingress Operator to read and filter Route 53 resource tag values in order to discover hosted zones. For more information about the operator, see OpenShift Ingress Operator in the OpenShift GitHub documentation.

The permissions defined in this policy document specify which actions are allowed or denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "route53:ListHostedZones",
                "route53:ListTagsForResources",
                "route53:ChangeResourceRecordSets",
                "tag:GetResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

[Prefix]-openshift-cluster-csi-drivers-ebs-cloud-credentials

You can attach [Prefix]-openshift-cluster-csi-drivers-ebs-cloud-credentials to your IAM entities. This policy grants the Amazon EBS CSI Driver Operator the permissions it needs to install and maintain the Amazon EBS CSI driver on a ROSA Classic cluster. For more information about the operator, see aws-ebs-csi-driver operator in the OpenShift GitHub documentation.

The permissions defined in this policy document specify which actions are allowed or denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteSnapshot",
                "ec2:DeleteTags",
                "ec2:DeleteVolume",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstances",
                "ec2:DescribeSnapshots",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications",
                "ec2:DetachVolume",
                "ec2:EnableFastSnapshotRestores",
                "ec2:ModifyVolume"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

[Prefix]-openshift-machine-api-aws-cloud-credentials

You can attach [Prefix]-openshift-machine-api-aws-cloud-credentials to your IAM entities. This policy grants the Machine Config Operator the permissions it needs to describe, run, and terminate the Amazon EC2 instances that are managed as worker nodes. It also grants the permissions that allow the root volumes of worker nodes to be encrypted with AWS KMS keys. For more information about the operator, see machine-config-operator in the OpenShift GitHub documentation.

The permissions defined in this policy document specify which actions are allowed or denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlainText",
                "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kms:RevokeGrant",
                "kms:CreateGrant",
                "kms:ListGrants"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}

[Prefix]-openshift-cloud-credential-operator-cloud-credentials

You can attach [Prefix]-openshift-cloud-credential-operator-cloud-credentials to your IAM entities. This policy grants the Cloud Credential Operator the permissions it needs to retrieve IAM user details, including access key IDs, attached inline policy documents, the user's creation date, path, user ID, and Amazon Resource Name (ARN). For more information about the operator, see cloud-credential-operator in the OpenShift GitHub documentation.

The permissions defined in this policy document specify which actions are allowed or denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

[Prefix]-openshift-image-registry-installer-cloud-credentials

You can attach [Prefix]-openshift-image-registry-installer-cloud-credentials to your IAM entities. This policy grants the Image Registry Operator the permissions it needs to provision and manage resources for the image registry and its dependent services within a ROSA Classic cluster, including Amazon S3. This is required so that the operator can install and maintain the internal registry of a ROSA Classic cluster. For more information about the operator, see Image Registry Operator in the OpenShift GitHub documentation.

The permissions defined in this policy document specify which actions are allowed or denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:PutBucketTagging",
                "s3:GetBucketTagging",
                "s3:PutBucketPublicAccessBlock",
                "s3:GetBucketPublicAccessBlock",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

[Prefix]-openshift-cloud-network-config-controller-cloud-cr

You can attach [Prefix]-openshift-cloud-network-config-controller-cloud-cr to your IAM entities. This policy grants the Cloud Network Config Controller Operator the permissions it needs to provision and manage the networking resources used by the ROSA Classic cluster's networking overlay. The operator uses these permissions to manage the private IP addresses of the Amazon EC2 instances that are part of the ROSA Classic cluster. For more information about the operator, see cloud-network-config-controller in the OpenShift GitHub documentation.

The permissions defined in this policy document specify which actions are allowed or denied.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignIpv6Addresses",
                "ec2:AssignIpv6Addresses",
                "ec2:DescribeSubnets",
                "ec2:DescribeNetworkInterfaces"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
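Because every statement above uses "Resource": "*", the action list is the only thing bounding what each operator role can do, so it is worth verifying that a deployed copy still matches the documented baseline. As an added example (not part of this page or of the ROSA tooling), the following Python compares a policy document against the ingress policy's action set and flags any kms:CreateGrant statement that has lost the kms:GrantIsForAWSResource condition the machine-api policy attaches to it; the drifted sample policies are constructed for the demonstration.

```python
import json

# Baseline action set copied from the [Prefix]-openshift-ingress-operator-cloud-credentials
# policy document on this page.
INGRESS_BASELINE = {
    "elasticloadbalancing:DescribeLoadBalancers",
    "route53:ListHostedZones",
    "route53:ListTagsForResources",
    "route53:ChangeResourceRecordSets",
    "tag:GetResources",
}

def _actions(stmt):
    """IAM allows Action to be a single string or a list; normalise to a list."""
    raw = stmt.get("Action", [])
    return [raw] if isinstance(raw, str) else list(raw)

def allowed_actions(policy):
    """Collect every action granted by an Allow statement in the policy."""
    return {a for s in policy.get("Statement", []) if s.get("Effect") == "Allow" for a in _actions(s)}

def check_drift(policy, baseline):
    """Actions beyond the baseline mean privilege creep; missing ones mean the operator will break."""
    granted = allowed_actions(policy)
    return {"extra": sorted(granted - baseline), "missing": sorted(baseline - granted)}

def unconditioned_grant_statements(policy):
    """Indexes of Allow statements that grant kms:CreateGrant without the
    kms:GrantIsForAWSResource condition the machine-api policy attaches to it."""
    bad = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow" and "kms:CreateGrant" in _actions(stmt):
            cond = stmt.get("Condition", {}).get("Bool", {}).get("kms:GrantIsForAWSResource")
            if str(cond).lower() != "true":   # accepts JSON true or the string "true"
                bad.append(i)
    return bad

# Constructed sample: a deployed ingress policy that drifted (one action added, one removed).
DRIFTED_INGRESS = json.loads("""{"Version": "2012-10-17", "Statement": [{
    "Action": ["elasticloadbalancing:DescribeLoadBalancers", "route53:ListHostedZones",
               "route53:ListTagsForResources", "route53:ChangeResourceRecordSets",
               "route53:DeleteHostedZone"],
    "Effect": "Allow", "Resource": "*"}]}""")

# Constructed sample: the machine-api KMS grant statement with its condition dropped.
LOOSE_KMS = {"Version": "2012-10-17", "Statement": [
    {"Action": ["kms:DescribeKey"], "Effect": "Allow", "Resource": "*"},
    {"Action": ["kms:RevokeGrant", "kms:CreateGrant", "kms:ListGrants"],
     "Effect": "Allow", "Resource": "*"}]}
```

In practice the policy document would come from iam:GetPolicyVersion for the deployed operator policy, and a baseline set would be kept for each of the six documents on this page.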