

This is a machine-translated version of the English edition. If there is any ambiguity or inconsistency in the content, the English version prevails.

# ROSA Classic operator policies
<a name="security-iam-rosa-classic-operator-policies"></a>

This section provides details about the operator policies that ROSA Classic requires. You must attach these policies to the relevant operator roles before you can create a ROSA Classic cluster. Each cluster requires a unique set of operator roles.

These permissions are required to allow the OpenShift operators to manage ROSA Classic cluster nodes. You can assign a custom prefix to the policy names to simplify policy management (for example, `ManagedOpenShift-openshift-ingress-operator-cloud-credentials`).

## [Prefix]-openshift-ingress-operator-cloud-credentials
<a name="security-iam-id-based-policy-examples-rosa-classic-ingress-operator-policy"></a>

You can attach `[Prefix]-openshift-ingress-operator-cloud-credentials` to your IAM entities. This policy grants the Ingress Operator the permissions required to provision and manage load balancers and DNS configuration for external cluster access. The policy also allows the Ingress Operator to read and filter Route 53 resource tag values to discover hosted zones. For more information about the operator, see [OpenShift Ingress Operator](https://github.com/openshift/cluster-ingress-operator) in the OpenShift GitHub documentation.

### Permissions policy
<a name="ingress-operator-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "route53:ListHostedZones",
                "route53:ListTagsForResources",
                "route53:ChangeResourceRecordSets",
                "tag:GetResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## [Prefix]-openshift-cluster-csi-drivers-ebs-cloud-credentials
<a name="security-iam-id-based-policy-examples-rosa-classic-csi-operator-policy"></a>

You can attach `[Prefix]-openshift-cluster-csi-drivers-ebs-cloud-credentials` to your IAM entities. This policy grants the Amazon EBS CSI Driver Operator the permissions required to install and maintain the Amazon EBS CSI driver on a ROSA Classic cluster. For more information about the operator, see [aws-ebs-csi-driver-operator](https://github.com/openshift/aws-ebs-csi-driver-operator#aws-ebs-csi-driver-operator) in the OpenShift GitHub documentation.

### Permissions policy
<a name="ebs-csi-driver-operator-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteSnapshot",
                "ec2:DeleteTags",
                "ec2:DeleteVolume",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstances",
                "ec2:DescribeSnapshots",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications",
                "ec2:DetachVolume",
                "ec2:EnableFastSnapshotRestores",
                "ec2:ModifyVolume"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## [Prefix]-openshift-machine-api-aws-cloud-credentials
<a name="security-iam-id-based-policy-examples-rosa-classic-machine-config-operator-policy"></a>

You can attach `[Prefix]-openshift-machine-api-aws-cloud-credentials` to your IAM entities. This policy grants the Machine Config Operator the permissions required to describe, run, and terminate the Amazon EC2 instances managed as worker nodes. The policy also grants permissions to allow disk encryption of worker node root volumes using AWS KMS keys. For more information about the operator, see [machine-config-operator](https://github.com/openshift/machine-config-operator) in the OpenShift GitHub documentation.

### Permissions policy
<a name="machine-config-operator-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets",
                "iam:CreateServiceLinkedRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlainText",
                "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kms:RevokeGrant",
                "kms:CreateGrant",
                "kms:ListGrants"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}
```
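As an added example (not code from the AWS documentation or the ROSA tooling), the following Python script performs the least-privilege review a practitioner would run over any of the policies on this page: for each `Allow` statement it separates read-only actions (`Describe*`, `Get*`, `List*`) from mutating ones and reports mutating actions granted on `Resource: "*"` without a `Condition`, so unconditioned statements stand out against the KMS grant statement above, which is scoped by `kms:GrantIsForAWSResource`. The embedded policy document is a constructed, trimmed copy of the machine-api policy shown above.

```python
"""Least-privilege review of a ROSA Classic operator policy document.

Added example, not part of the AWS page or the ROSA tooling. It walks the
statements of an IAM policy, separates read-only actions (Describe*/Get*/List*)
from mutating ones, and reports every Allow statement that grants mutating
actions on Resource "*" without a Condition.
"""
import json

READ_ONLY_VERBS = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """True when the API verb after 'service:' is Describe/Get/List, e.g. ec2:DescribeVpcs."""
    verb = action.split(":", 1)[1] if ":" in action else action
    return verb.startswith(READ_ONLY_VERBS)


def review_policy(policy: dict) -> list:
    """Return findings for Allow statements granting unconditioned mutating actions on '*'."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        mutating = [a for a in _as_list(stmt.get("Action", [])) if not is_read_only(a)]
        wildcard = "*" in _as_list(stmt.get("Resource", []))
        if mutating and wildcard and "Condition" not in stmt:
            findings.append({"statement": idx, "mutating_actions": mutating})
    return findings


# Constructed sample: a trimmed copy of the machine-api policy above (three statements).
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"],
     "Effect": "Allow", "Resource": "*"},
    {"Action": ["kms:Decrypt", "kms:DescribeKey"], "Effect": "Allow", "Resource": "*"},
    {"Action": ["kms:CreateGrant", "kms:ListGrants"], "Effect": "Allow", "Resource": "*",
     "Condition": {"Bool": {"kms:GrantIsForAWSResource": true}}}
  ]
}
""")

if __name__ == "__main__":
    for f in review_policy(SAMPLE_POLICY):  # statements 0 and 1 are reported; 2 is conditioned
        print(f"statement {f['statement']}: unconditioned mutating actions on '*': {f['mutating_actions']}")
```

Point the script at the policy JSON you actually attach to each operator role; the wildcard `Resource` in these documents is expected, so the value of the check is seeing which statements carry a `Condition` and which do not.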

## [Prefix]-openshift-cloud-credential-operator-cloud-credentials
<a name="security-iam-id-based-policy-examples-rosa-classic-cloud-credential-operator-policy"></a>

You can attach `[Prefix]-openshift-cloud-credential-operator-cloud-credentials` to your IAM entities. This policy grants the Cloud Credential Operator the permissions required to retrieve IAM user details, including access key IDs, attached inline policy documents, the user's creation date, path, user ID, and Amazon Resource Name (ARN). For more information about the operator, see [cloud-credential-operator](https://github.com/openshift/cloud-credential-operator) in the OpenShift GitHub documentation.

### Permissions policy
<a name="cloud-credential-operator-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## [Prefix]-openshift-image-registry-installer-cloud-credentials
<a name="security-iam-id-based-policy-examples-rosa-classic-image-registry-operator-policy"></a>

You can attach `[Prefix]-openshift-image-registry-installer-cloud-credentials` to your IAM entities. This policy grants the Image Registry Operator the permissions required to provision and manage resources for the image registry and its dependent services within a ROSA Classic cluster, including Amazon S3. This is required so that the operator can install and maintain the internal registry of a ROSA Classic cluster. For more information about the operator, see [Image Registry Operator](https://github.com/openshift/cluster-image-registry-operator#image-registry-operator) in the OpenShift GitHub documentation.

### Permissions policy
<a name="image-registry-operator-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:PutBucketTagging",
                "s3:GetBucketTagging",
                "s3:PutBucketPublicAccessBlock",
                "s3:GetBucketPublicAccessBlock",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## [Prefix]-openshift-cloud-network-config-controller-cloud-cr
<a name="security-iam-id-based-policy-examples-rosa-classic-cloud-network-config-controller-policy"></a>

You can attach `[Prefix]-openshift-cloud-network-config-controller-cloud-cr` to your IAM entities. This policy grants the Cloud Network Config Controller Operator the permissions required to provision and manage networking resources for use by the ROSA Classic cluster networking overlay. The operator uses these permissions to manage private IP addresses for Amazon EC2 instances as part of a ROSA Classic cluster. For more information about the operator, see [cloud-network-config-controller](https://github.com/openshift/cloud-network-config-controller#cloud-network-config-controller-cncc) in the OpenShift GitHub documentation.

### Permissions policy
<a name="cloud-network-config-controller-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignIpv6Addresses",
                "ec2:AssignIpv6Addresses",
                "ec2:DescribeSubnets",
                "ec2:DescribeNetworkInterfaces"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```