
Amazon managed policies for Amazon Elastic Kubernetes Service

Using Amazon managed policies to add permissions to users, groups, and roles is easier than writing policies yourself. It takes time and expertise to create IAM customer managed policies that provide your team with only the permissions they need. To get started quickly, you can use our Amazon managed policies. These policies cover common use cases and are available in your Amazon account. For more information about Amazon managed policies, see Amazon managed policies in the IAM User Guide.

Amazon services maintain and update Amazon managed policies. You can't change the permissions in Amazon managed policies. Services occasionally add permissions to an Amazon managed policy to support new features. This type of update affects all identities (users, groups, and roles) that the policy is attached to. Services are most likely to update an Amazon managed policy when a new feature is launched or when new operations become available. Services do not remove permissions from an Amazon managed policy, so policy updates won't break your existing permissions.

Additionally, Amazon supports managed policies for job functions that span multiple services. For example, the ReadOnlyAccess Amazon managed policy provides read-only access to all Amazon services and resources. When a service launches a new feature, Amazon adds read-only permissions for the new operations and resources. For a list and descriptions of job function policies, see Amazon managed policies for job functions in the IAM User Guide.

Amazon managed policy: AmazonEKS_CNI_Policy

You can attach the AmazonEKS_CNI_Policy to your IAM entities. Before you create an Amazon EC2 node group, this policy must be attached to either the node IAM role or to an IAM role that is used specifically by the Amazon VPC CNI plugin for Kubernetes, so that the plugin can perform actions on your behalf. We recommend that you attach the policy to a role that is used only by the plugin. For more information, see Pod networking with the Amazon VPC CNI plugin for Kubernetes in Amazon EKS and Configuring the Amazon VPC CNI plugin for Kubernetes to use IAM roles for service accounts.

Permissions details

This policy includes the following permissions that allow Amazon EKS to complete the following tasks:

  • ec2 – Allows the Amazon VPC CNI plugin to perform actions such as provisioning Elastic Network Interfaces and IP addresses for pods, to provide networking for applications that run in Amazon EKS.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AssignPrivateIpAddresses",
        "ec2:AttachNetworkInterface",
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeInstanceTypes",
        "ec2:DetachNetworkInterface",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:UnassignPrivateIpAddresses"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": ["arn:aws:ec2:*:*:network-interface/*"]
    }
  ]
}

Amazon managed policy: AmazonEKSClusterPolicy

You can attach the AmazonEKSClusterPolicy to your IAM entities. Before you create a cluster, you must have a cluster IAM role with this policy attached. Kubernetes clusters that are managed by Amazon EKS make calls to other Amazon services on your behalf. They do this to manage the resources that you use with the service.

This policy includes the following permissions that allow Amazon EKS to complete the following tasks:

  • autoscaling – Read and update the configuration of an Auto Scaling group. These permissions aren't used by Amazon EKS but remain in the policy for backwards compatibility.

  • ec2 – Work with volumes and network resources that are associated with Amazon EC2 nodes. This is required so that the Kubernetes control plane can join instances to a cluster and dynamically provision and manage Amazon EBS volumes requested by Kubernetes persistent volumes.

  • elasticloadbalancing – Work with Elastic Load Balancers and add nodes to them as targets. This is required so that the Kubernetes control plane can dynamically provision Elastic Load Balancers requested by Kubernetes services.

  • iam – Create a service-linked role. This is required so that the Kubernetes control plane can dynamically provision Elastic Load Balancers requested by Kubernetes services.

  • kms – Read a key from Amazon KMS. This is required for the Kubernetes control plane to support Kubernetes secrets encryption for secrets stored in etcd.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:UpdateAutoScalingGroup",
        "ec2:AttachVolume",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateRoute",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteRoute",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteVolume",
        "ec2:DescribeInstances",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications",
        "ec2:DescribeVpcs",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DetachVolume",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyVolume",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeAddresses",
        "ec2:DescribeInternetGateways",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
        "elasticloadbalancing:AttachLoadBalancerToSubnets",
        "elasticloadbalancing:ConfigureHealthCheck",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:CreateLoadBalancerListeners",
        "elasticloadbalancing:CreateLoadBalancerPolicy",
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DeleteLoadBalancerListeners",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:DeregisterTargets",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
        "elasticloadbalancing:ModifyListener",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:ModifyTargetGroup",
        "elasticloadbalancing:ModifyTargetGroupAttributes",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
        "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
        "kms:DescribeKey"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
        }
      }
    }
  ]
}

Amazon managed policy: AmazonEKSFargatePodExecutionRolePolicy

You can attach the AmazonEKSFargatePodExecutionRolePolicy to your IAM entities. Before you create a Fargate profile, you must create a Fargate pod execution role and attach this policy to it. For more information, see Create a Fargate pod execution role and Amazon Fargate profile.

This policy grants the role the permissions it needs to access the other Amazon service resources that are required to run Amazon EKS pods on Fargate.

Permissions details

This policy includes the following permissions that allow Amazon EKS to complete the following tasks:

  • ecr – Allows pods that run on Fargate to pull container images that are stored in Amazon ECR.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage"
      ],
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AmazonEKSForFargateServiceRolePolicy

You can't attach AmazonEKSForFargateServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon EKS to perform actions on your behalf. For more information, see AWSServiceRoleforAmazonEKSForFargate.

This policy grants Amazon EKS the permissions necessary to run Fargate tasks. The policy is used only if you have Fargate nodes.

Permissions details

This policy includes the following permissions that allow Amazon EKS to complete the following tasks.

  • ec2 – Create and delete Elastic Network Interfaces, and describe Elastic Network Interfaces and resources. This is required so that the Amazon EKS Fargate service can configure the VPC networking that Fargate pods require.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AmazonEKSServicePolicy

You can attach AmazonEKSServicePolicy to your IAM entities. Clusters that were created before April 16, 2020, required you to create an IAM role and attach this policy to it. Clusters that were created on or after April 16, 2020, don't require you to create a role or to assign this policy. When you create a cluster using an IAM principal that has the iam:CreateServiceLinkedRole permission, the AmazonServiceRoleforAmazonEKS service-linked role is created for you automatically. The service-linked role has the Amazon managed policy AmazonEKSServiceRolePolicy attached to it.

This policy allows Amazon EKS to create and manage the resources necessary to operate Amazon EKS clusters.

Permissions details

This policy includes the following permissions that allow Amazon EKS to complete the following tasks.

  • eks – Update the Kubernetes version of your cluster after you initiate an update. This permission isn't used by Amazon EKS but remains in the policy for backwards compatibility.

  • ec2 – Work with Elastic Network Interfaces and other network resources and tags. This is required so that Amazon EKS can configure the networking that facilitates communication between nodes and the Kubernetes control plane.

  • route53 – Associate a VPC with a hosted zone. This is required so that Amazon EKS can enable private endpoint networking for your Kubernetes cluster API server.

  • logs – Log events. This is required so that Amazon EKS can ship Kubernetes control plane logs to CloudWatch.

  • iam – Create a service-linked role. This is required so that Amazon EKS can create the AWSServiceRoleForAmazonEKS service-linked role on your behalf.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:CreateNetworkInterfacePermission",
        "ec2:DeleteNetworkInterface",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DetachNetworkInterface",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:ModifyNetworkInterfaceAttribute",
        "iam:ListAttachedRolePolicies",
        "eks:UpdateClusterVersion"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": ["arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:subnet/*"]
    },
    {
      "Effect": "Allow",
      "Action": "route53:AssociateVPCWithHostedZone",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/eks/*:*"
    },
    {
      "Effect": "Allow",
      "Action": "logs:PutLogEvents",
      "Resource": "arn:aws:logs:*:*:log-group:/aws/eks/*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "eks.amazonaws.com"
        }
      }
    }
  ]
}

Amazon managed policy: AmazonEKSServiceRolePolicy

You can't attach AmazonEKSServiceRolePolicy to your IAM entities. This policy is attached to a service-linked role that allows Amazon EKS to perform actions on your behalf. For more information, see Service-linked role permissions for Amazon EKS. When you create a cluster using an IAM principal that has the iam:CreateServiceLinkedRole permission, the AmazonServiceRoleforAmazonEKS service-linked role is created for you automatically and this policy is attached to it.

This policy allows the service-linked role to call Amazon services on your behalf.

Permissions details

This policy includes the following permissions that allow Amazon EKS to complete the following tasks.

  • ec2 – Create and describe Elastic Network Interfaces and Amazon EC2 instances, the cluster security group, and the VPC that is required to create a cluster.

  • iam – List all of the managed policies that are attached to an IAM role. This is required so that Amazon EKS can list and validate all of the managed policies and permissions required to create a cluster.

  • Associate a VPC with a hosted zone – This is required so that Amazon EKS can enable private endpoint networking for your Kubernetes cluster API server.

  • Log events – This is required so that Amazon EKS can ship Kubernetes control plane logs to CloudWatch.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DeleteNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:CreateNetworkInterfacePermission",
        "iam:ListAttachedRolePolicies",
        "ec2:CreateSecurityGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSecurityGroup",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": "arn:aws:ec2:*:*:security-group/*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "ec2:ResourceTag/Name": "eks-cluster-sg*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": ["arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:subnet/*"],
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:TagKeys": ["kubernetes.io/cluster/*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": ["arn:aws:ec2:*:*:security-group/*"],
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:TagKeys": ["kubernetes.io/cluster/*"],
          "aws:RequestTag/Name": "eks-cluster-sg*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "route53:AssociateVPCWithHostedZone",
      "Resource": "arn:aws:route53:::hostedzone/*"
    },
    {
      "Effect": "Allow",
      "Action": "logs:CreateLogGroup",
      "Resource": "arn:aws:logs:*:*:log-group:/aws/eks/*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogStream", "logs:DescribeLogStreams"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/eks/*:*"
    },
    {
      "Effect": "Allow",
      "Action": "logs:PutLogEvents",
      "Resource": "arn:aws:logs:*:*:log-group:/aws/eks/*:*:*"
    }
  ]
}
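The tag-scoped Condition blocks in this policy are what keep the service-linked role from modifying security groups the cluster did not create, which is worth seeing evaluated rather than just read. The following Python evaluator is an added example written for this page (not AWS's own policy engine, which also handles Deny, NotAction and many more operators): it loads three statements of the AmazonEKSServiceRolePolicy above, with the unconditioned ec2 statement trimmed to three actions, and answers whether a given action, resource ARN and request context would be allowed. Only the Allow statements with StringEquals and StringLike operators used on this page are modelled, extended to the ForAnyValue, ForAllValues and IfExists forms that also appear in the node group policy further down.

```python
import json
import re

# Constructed excerpt: three statements of the AmazonEKSServiceRolePolicy shown on this page
# (the unconditioned ec2 statement is trimmed to three actions to keep the sample short).
POLICY_EXCERPT = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:CreateSecurityGroup"]},
  {"Effect": "Allow", "Resource": "arn:aws:ec2:*:*:security-group/*",
   "Action": ["ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupIngress",
              "ec2:AuthorizeSecurityGroupIngress"],
   "Condition": {"ForAnyValue:StringLike": {"ec2:ResourceTag/Name": "eks-cluster-sg*"}}},
  {"Effect": "Allow", "Resource": ["arn:aws:ec2:*:*:vpc/*", "arn:aws:ec2:*:*:subnet/*"],
   "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
   "Condition": {"ForAnyValue:StringLike": {"aws:TagKeys": ["kubernetes.io/cluster/*"]}}}
]}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern, value, ignore_case=False):
    """IAM-style match: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def condition_ok(operator, expected_by_key, context):
    """Evaluate one Condition operator block against a request context.
    context maps condition keys (compared case-insensitively) to one value or a
    list of values. A missing key passes only for ...IfExists and ForAllValues."""
    set_op, _, base = operator.rpartition(":")  # "ForAnyValue", "ForAllValues" or ""
    if_exists = base.endswith("IfExists")
    base = base[: -len("IfExists")] if if_exists else base
    if base not in ("StringEquals", "StringLike"):
        raise ValueError(f"operator {operator} is not modelled in this example")
    matches = _wild if base == "StringLike" else (lambda p, v: p == v)
    ctx = {k.lower(): _as_list(v) for k, v in context.items()}
    for key, expected in expected_by_key.items():
        values = ctx.get(key.lower())
        if values is None and if_exists:
            continue
        hits = [any(matches(p, v) for p in _as_list(expected)) for v in values or []]
        if set_op == "ForAllValues":
            ok = all(hits)                      # vacuously true when the key is absent
        elif set_op == "ForAnyValue":
            ok = any(hits)
        else:
            ok = len(hits) == 1 and hits[0]     # single-valued key: exactly one value
        if not ok:
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if an Allow statement covers the action and resource and its conditions hold."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wild(a, action, ignore_case=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if all(condition_ok(op, keys, context) for op, keys in stmt.get("Condition", {}).items()):
            return True
    return False


def unscoped_actions(policy):
    """Actions allowed on Resource "*" with no Condition: the first lines to review."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "Condition" not in stmt and "*" in _as_list(stmt["Resource"]):
            found.update(_as_list(stmt["Action"]))
    return sorted(found)
```

Feeding the full policy documents from this page into `unscoped_actions` is a quick way to list which actions each managed policy grants without any resource or tag scoping.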

Amazon managed policy: AmazonEKSVPCResourceController

You can attach the AmazonEKSVPCResourceController policy to your IAM identities. If you use security groups for pods, you must attach this policy to your Amazon EKS cluster IAM role so that it can perform actions on your behalf.

This policy grants the cluster role permissions to manage Elastic Network Interfaces and IP addresses for nodes.

Permissions details

This policy includes the following permissions that allow Amazon EKS to complete the following tasks:

  • ec2 – Manage Elastic Network Interfaces and IP addresses to support pod security groups and Windows nodes.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:CreateNetworkInterfacePermission",
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "ec2:ResourceTag/eks:eni:owner": "eks-vpc-resource-controller"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface",
        "ec2:DetachNetworkInterface",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:DeleteNetworkInterface",
        "ec2:AttachNetworkInterface",
        "ec2:UnassignPrivateIpAddresses",
        "ec2:AssignPrivateIpAddresses"
      ],
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AmazonEKSWorkerNodePolicy

You can attach the AmazonEKSWorkerNodePolicy to your IAM entities. You must attach this policy to the node IAM role that you specify when you create Amazon EC2 nodes, so that Amazon EKS can perform actions on your behalf. If you create a node group using eksctl, it creates the node IAM role and attaches this policy to the role automatically.

This policy grants Amazon EKS Amazon EC2 nodes permissions to connect to Amazon EKS clusters.

Permissions details

This policy includes the following permissions that allow Amazon EKS to complete the following tasks:

  • ec2 – Read instance volume and network information. This is required so that Kubernetes nodes can describe the Amazon EC2 resources that the node needs in order to join the Amazon EKS cluster.

  • eks – Optionally describe the cluster as part of node bootstrapping.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications",
        "ec2:DescribeVpcs",
        "eks:DescribeCluster"
      ],
      "Resource": "*"
    }
  ]
}

Amazon managed policy: AWSServiceRoleForAmazonEKSNodegroup

You can't attach AmazonServiceRoleForAmazonEKSNodegroup to your IAM entities. This policy is attached to a service-linked role that allows Amazon EKS to perform actions on your behalf. For more information, see Service-linked role permissions for Amazon EKS.

This policy grants the AmazonServiceRoleForAmazonEKSNodegroup role permissions that allow it to create and manage Amazon EC2 node groups in your account.

Permissions details

This policy includes the following permissions that allow Amazon EKS to complete the following tasks:

  • ec2 – Work with security groups, tags, and launch templates. This is required so that Amazon EKS managed node groups can enable remote access configuration. Additionally, Amazon EKS managed node groups create a launch template on your behalf. This is used to configure the Amazon EC2 Auto Scaling group that backs each managed node group.

  • iam – Create a service-linked role and pass a role. This is required so that Amazon EKS managed node groups can manage instance profiles for the role that is passed when a managed node group is created. This instance profile is used by the Amazon EC2 instances launched as part of a managed node group. Amazon EKS needs to create service-linked roles for other services such as Amazon EC2 Auto Scaling groups. These permissions are used in the creation of a managed node group.

  • autoscaling – Work with Auto Scaling groups. This is required so that Amazon EKS managed node groups can manage the Amazon EC2 Auto Scaling group that backs each managed node group. It is also used to support functionality such as evicting pods when nodes are terminated or recycled during node group updates.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SharedSecurityGroupRelatedPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeInstances",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/eks": "*"
        }
      }
    },
    {
      "Sid": "EKSCreatedSecurityGroupRelatedPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:RevokeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeInstances",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/eks:nodegroup-name": "*"
        }
      }
    },
    {
      "Sid": "LaunchTemplateRelatedPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/eks:nodegroup-name": "*"
        }
      }
    },
    {
      "Sid": "AutoscalingRelatedPermissions",
      "Effect": "Allow",
      "Action": [
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "autoscaling:CompleteLifecycleAction",
        "autoscaling:PutLifecycleHook",
        "autoscaling:PutNotificationConfiguration",
        "autoscaling:EnableMetricsCollection"
      ],
      "Resource": "arn:aws:autoscaling:*:*:*:autoScalingGroupName/eks-*"
    },
    {
      "Sid": "AllowAutoscalingToCreateSLR",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "autoscaling.amazonaws.com"
        }
      },
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*"
    },
    {
      "Sid": "AllowASGCreationByEKS",
      "Effect": "Allow",
      "Action": [
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:CreateAutoScalingGroup"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:TagKeys": [
            "eks",
            "eks:cluster-name",
            "eks:nodegroup-name"
          ]
        }
      }
    },
    {
      "Sid": "AllowPassRoleToAutoscaling",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "autoscaling.amazonaws.com"
        }
      }
    },
    {
      "Sid": "AllowPassRoleToEC2",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEqualsIfExists": {
          "iam:PassedToService": [
            "ec2.amazonaws.com",
            "ec2.amazonaws.com.cn"
          ]
        }
      }
    },
    {
      "Sid": "PermissionsToManageResourcesForNodegroups",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "ec2:CreateLaunchTemplate",
        "ec2:DescribeInstances",
        "iam:GetInstanceProfile",
        "ec2:DescribeLaunchTemplates",
        "autoscaling:DescribeAutoScalingGroups",
        "ec2:CreateSecurityGroup",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:RunInstances",
        "ec2:DescribeSecurityGroups",
        "ec2:GetConsoleOutput",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSubnets"
      ],
      "Resource": "*"
    },
    {
      "Sid": "PermissionsToCreateAndManageInstanceProfiles",
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:AddRoleToInstanceProfile"
      ],
      "Resource": "arn:aws:iam::*:instance-profile/eks-*"
    },
    {
      "Sid": "PermissionsToManageEKSAndKubernetesTags",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags", "ec2:DeleteTags"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:TagKeys": [
            "eks",
            "eks:cluster-name",
            "eks:nodegroup-name",
            "kubernetes.io/cluster/*"
          ]
        }
      }
    }
  ]
}

Amazon managed policy: AmazonEBSCSIDriverPolicy

The AmazonEBSCSIDriverPolicy policy allows the Amazon EBS Container Storage Interface (CSI) driver to create, modify, attach, detach, and delete volumes on your behalf. It also grants the EBS CSI driver permissions to create and delete snapshots, and to list instances, volumes, and snapshots.

The AmazonEBSCSIDriverPolicy includes the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:AttachVolume",
        "ec2:DetachVolume",
        "ec2:ModifyVolume",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*"],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": ["CreateVolume", "CreateSnapshot"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DeleteTags"],
      "Resource": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateVolume"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateVolume"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/CSIVolumeName": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateVolume"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/kubernetes.io/cluster/*": "owned"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DeleteVolume"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DeleteVolume"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/CSIVolumeName": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DeleteVolume"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/kubernetes.io/cluster/*": "owned"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DeleteSnapshot"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:DeleteSnapshot"],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
        }
      }
    }
  ]
}

Amazon managed policy: AmazonEKSLocalOutpostClusterPolicy

You can attach this policy to IAM entities. Before you create a local cluster, you must attach this policy to your cluster role. Kubernetes clusters that are managed by Amazon EKS make calls to other Amazon services on your behalf. They do this to manage the resources that you use with the service.

The AmazonEKSLocalOutpostClusterPolicy includes the following permissions:

  • ec2 – Permissions required for Amazon EC2 instances to successfully join the cluster as control plane instances.

  • ssm – Allows Amazon EC2 Systems Manager connections to the control plane instances, which Amazon EKS uses to communicate with and manage the local cluster in your account.

  • logs – Allows the instances to push logs to Amazon CloudWatch.

  • secretsmanager – Allows the instances to securely retrieve and delete the bootstrap data for the control plane instances from Amazon Secrets Manager.

  • ecr – Allows pods and containers that run on the control plane instances to pull container images that are stored in Amazon Elastic Container Registry.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeRouteTables",
        "ec2:DescribeTags",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeInstanceTypes",
        "ec2messages:AcknowledgeMessage",
        "ec2messages:DeleteMessage",
        "ec2messages:FailMessage",
        "ec2messages:GetEndpoint",
        "ec2messages:GetMessages",
        "ec2messages:SendReply",
        "ssmmessages:CreateControlChannel",
        "ssmmessages:CreateDataChannel",
        "ssmmessages:OpenControlChannel",
        "ssmmessages:OpenDataChannel",
        "ssm:DescribeInstanceProperties",
        "ssm:DescribeDocumentParameters",
        "ssm:ListInstanceAssociations",
        "ssm:RegisterManagedInstance",
        "ssm:UpdateInstanceInformation",
        "ssm:UpdateInstanceAssociationStatus",
        "ssm:PutComplianceItems",
        "ssm:PutInventory",
        "ecr-public:GetAuthorizationToken",
        "ecr:GetDownloadUrlForLayer",
        "ecr:GetAuthorizationToken"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ecr:BatchGetImage"],
      "Resource": [
        "arn:aws:ecr:*:*:repository/eks/eks-certificates-controller-public",
        "arn:aws:ecr:*:*:repository/bottlerocket-admin",
        "arn:aws:ecr:*:*:repository/kubelet-config-updater",
        "arn:aws:ecr:*:*:repository/bottlerocket-control-eks",
        "arn:aws:ecr:*:*:repository/diagnostics-collector-eks"
      ]
    },
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DeleteSecret"],
      "Resource": "arn:*:secretsmanager:*:*:secret:eks-local.cluster.x-k8s.io/*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:CreateLogGroup"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/eks/*"
    },
    {
      "Effect": "Allow",
      "Action": ["logs:PutLogEvents", "logs:CreateLogStream", "logs:DescribeLogStreams"],
      "Resource": "arn:aws:logs:*:*:log-group:/aws/eks/*:*"
    }
  ]
}

Amazon managed policy: AmazonEKSLocalOutpostServiceRolePolicy

You can't attach this policy to your IAM entities. When you create a cluster using an IAM principal that has the iam:CreateServiceLinkedRole permission, Amazon EKS automatically creates the AWSServiceRoleforAmazonEKSLocalOutpost service-linked role for you and attaches this policy to it. This policy allows the service-linked role to call Amazon services on your behalf for local clusters.

The AmazonEKSLocalOutpostServiceRolePolicy includes the following permissions:

  • ec2 – Allows Amazon EKS to work with security, network, and other resources to successfully launch and manage control plane instances in your account.

  • ssm – Allows Amazon EC2 Systems Manager connections to the control plane instances, which Amazon EKS uses to communicate with and manage the local cluster in your account.

  • iam – Allows Amazon EKS to manage the instance profile associated with the control plane instances.

  • secretsmanager – Allows Amazon EKS to put bootstrap data for the control plane instances in Amazon Secrets Manager so that it can be securely referenced during instance bootstrapping.

  • outposts – Allows Amazon EKS to get Outpost information from your account to successfully launch a local cluster in an Outpost.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeAddresses",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/eks-local:controlplane-name": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": ["arn:aws:ec2:*:*:security-group/*", "arn:aws:ec2:*:*:subnet/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:ModifyNetworkInterfaceAttribute"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/eks-local:controlplane-name": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateSecurityGroup"],
      "Resource": "arn:aws:ec2:*:*:security-group/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/eks-local:controlplane-name": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateSecurityGroup"],
      "Resource": "arn:aws:ec2:*:*:vpc/*"
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/eks-local:controlplane-name": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:image/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:subnet/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteSecurityGroup",
        "ec2:TerminateInstances"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/eks-local:controlplane-name": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "ec2:CreateTags",
      "Resource": [
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:TagKeys": ["kubernetes.io/cluster/*", "eks*"]
        },
        "StringEquals": {
          "ec2:CreateAction": ["CreateNetworkInterface", "CreateSecurityGroup", "RunInstances"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:TagResource"],
      "Resource": "arn:aws:secretsmanager:*:*:secret:eks-local.cluster.x-k8s.io/*",
      "Condition": {
        "ForAnyValue:StringLike": {
          "aws:TagKeys": ["kubernetes.io/cluster/*", "eks*"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:CreateSecret"],
      "Resource": "arn:aws:secretsmanager:*:*:secret:eks-local.cluster.x-k8s.io/*",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/eks-local:controlplane-name": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:DeleteSecret"],
      "Resource": "arn:aws:secretsmanager:*:*:secret:eks-local.cluster.x-k8s.io/*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/eks-local:controlplane-name": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["iam:PassRole"],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "ec2.amazonaws.com"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:GetInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": "arn:aws:iam::*:instance-profile/eks-local-*"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:StartSession"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringLike": {
          "ssm:resourceTag/eks-local:controlplane-name": "*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:StartSession"],
      "Resource": "arn:aws:ssm:*::document/AmazonEKS-ControlPlaneInstanceProxy"
    },
    {
      "Effect": "Allow",
      "Action": ["ssm:ResumeSession", "ssm:TerminateSession"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["outposts:GetOutpost"],
      "Resource": "*"
    }
  ]
}

Amazon EKS updates to Amazon managed policies

View details about updates to Amazon managed policies for Amazon EKS since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Amazon EKS Document history page.

Each entry below gives the change, its description, and the date.

  • Added permissions to AmazonEKSLocalOutpostClusterPolicy (August 31, 2022) – Added the arn:aws:ecr:*:*:repository/kubelet-config-updater Amazon Elastic Container Registry repository so that cluster control plane instances can update some kubelet arguments.

  • Introduced AmazonEKSLocalOutpostClusterPolicy (August 24, 2022) – Amazon introduced the AmazonEKSLocalOutpostClusterPolicy.

  • Introduced AmazonEKSLocalOutpostServiceRolePolicy (August 23, 2022) – Amazon introduced the AmazonEKSLocalOutpostServiceRolePolicy.

  • Introduced AmazonEBSCSIDriverPolicy (April 22, 2022) – Amazon introduced the AmazonEBSCSIDriverPolicy.

  • Added permissions to AmazonEKSWorkerNodePolicy (March 21, 2022) – Added ec2:DescribeInstanceTypes to enable Amazon EKS optimized AMIs that can auto-discover instance-level properties.

  • Added permissions to AWSServiceRoleForAmazonEKSNodegroup (December 13, 2021) – Added the autoscaling:EnableMetricsCollection permission to allow Amazon EKS to enable metrics collection.

  • Added permissions to AmazonEKSClusterPolicy (June 17, 2021) – Added the ec2:DescribeAccountAttributes, ec2:DescribeAddresses, and ec2:DescribeInternetGateways permissions to allow Amazon EKS to create a service-linked role for a Network Load Balancer.

  • Amazon EKS started tracking changes (June 17, 2021) – Amazon EKS started tracking changes to its Amazon managed policies.