
Container Service for Kubernetes:Authorization overview

Last Updated:Mar 13, 2024

The authorization system of Container Service for Kubernetes (ACK) consists of Resource Access Management (RAM) authorization and role-based access control (RBAC) authorization. RAM authorization is used to grant permissions on cloud resources. RBAC authorization is used to grant permissions on resources within an ACK cluster. This topic describes RAM authorization and RBAC authorization and how to perform these authorizations.

ACK authorization system

The authorization system of ACK consists of RAM authorization and RBAC authorization. RAM authorization is used to grant permissions on cloud resources. RBAC authorization is used to grant permissions on Kubernetes resources within a cluster. The following figure shows the authorization system of ACK.

  • RAM authorization is used to grant permissions on the API operations of ACK and other Alibaba Cloud services. You can call these API operations to perform the following O&M operations:

    • Create, view, upgrade, and delete clusters.

    • Create, modify, and scale node pools.

    • Manage authorization.

    • Monitor clusters and collect logs and events.

  • RBAC authorization is used to grant namespace-level or cluster-wide permissions on Kubernetes resources in ACK clusters. This allows you to grant the permissions to create, delete, modify, and view the following types of Kubernetes resources:

    • Workload resources: Deployment, StatefulSet, DaemonSet, Job, CronJob, ReplicaSet, Horizontal Pod Autoscaler (HPA), and pod.

    • Network resources: Service, Ingress, and NetworkPolicy.

    • Storage resources: persistent volume (PV), persistent volume claim (PVC), and StorageClass.

    • Namespace, ConfigMap, and Secret.

If you want to use a RAM user or RAM role to manage a cluster and the applications in it, you must perform both RAM authorization and RBAC authorization for that RAM user or RAM role. RAM authorization must be completed before RBAC authorization, because the RBAC binding is attached to an identity that RAM already knows. Refer to the following topics to complete the authorization in different scenarios:

Important

Deleting a RAM user or RAM role does not remove the RBAC permissions that were granted to it, and the kubeconfig credential issued to it is not invalidated by the deletion. Therefore, before you delete a RAM user or RAM role, revoke the kubeconfig credential that was issued to it. For more information, see Revoke a KubeConfig credential.

RAM authorization

When an enterprise manages its identities with RAM, O&M engineers use RAM users or RAM roles, rather than the Alibaba Cloud account, to manage cloud resources. By default, a RAM user or RAM role has no permissions to call cloud service API operations. You must first grant the required permissions to the RAM user or RAM role.

RAM authorization is required, for example, to scale a cluster, add nodes to a cluster, or access the cluster as a RAM user. For more information, see Create a custom RAM policy.

You can perform RAM authorization by using one of the following methods:

  • Attach system policies: System policies are predefined by Alibaba Cloud and grant coarse-grained permissions, typically full or read-only access to an entire service across your Alibaba Cloud account. We recommend that you use system policies when a RAM user or RAM role must perform O&M on all ACK clusters in your Alibaba Cloud account. For more information about how to attach a system policy to a RAM user or RAM role, see Grant permissions to a RAM user.

    The following table describes the system policies that are commonly used with ACK. Attach only the policies that the RAM user or RAM role actually needs.

    System policy: Description

    AliyunCSFullAccess: Permissions to call all ACK API operations. Note: this policy covers only ACK itself. If you want to manage applications in an ACK cluster, you must also perform RBAC authorization. For more information, see RBAC authorization.

    AliyunVPCReadOnlyAccess: Permissions to select an existing virtual private cloud (VPC) when you create an ACK cluster.

    AliyunECSReadOnlyAccess: Permissions to add existing Elastic Compute Service (ECS) instances to an ACK cluster as nodes and to view the details of nodes.

    AliyunContainerRegistryFullAccess: Permissions to manage all container images that belong to the Alibaba Cloud account.

    AliyunLogReadOnlyAccess: Permissions to select an existing log project to store the logs of an ACK cluster that you create, and to view the configuration inspection information of an ACK cluster.

    AliyunAHASReadOnlyAccess: Permissions to use the cluster topology feature.

    AliyunRAMFullAccess: Permissions to manage all RAM users, RAM roles, and policies within the Alibaba Cloud account. This is effectively account-administrator privilege, because the holder can grant any permission to any identity, including its own. Attach it only to administrators.

    AliyunYundunSASReadOnlyAccess: Permissions to view the runtime monitoring data of an ACK cluster.

    AliyunARMSReadOnlyAccess: Permissions to view the monitoring data of the Managed Service for Prometheus plug-in in an ACK cluster.

    AliyunKMSReadOnlyAccess: Permissions to enable the Secret encryption feature (select a KMS key) when you create an ACK Pro cluster.

    AliyunESSReadOnlyAccess: Permissions to perform node pool operations, such as viewing, modifying, and scaling node pools.

  • Attach custom policies: Custom policies let you control the permissions of a RAM user or RAM role on cloud resources in a fine-grained manner, down to individual API operations and individual resources. If the RAM user or RAM role is used by an application that calls APIs through an SDK, use a custom policy to limit it to exactly the API operations it needs.

    For example, the following policy grants a RAM user or RAM role read-only access to the Object Storage Service (OSS) bucket named myphotos: it can list buckets and read bucket metadata account-wide, but it can list and read objects only in myphotos.

    {
        "Version": "1",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListBuckets",
                    "oss:GetBucketStat",
                    "oss:GetBucketInfo",
                    "oss:GetBucketTagging",
                    "oss:GetBucketAcl"
                ],
                "Resource": "acs:oss:*:*:*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:ListObjects",
                    "oss:GetBucketAcl"
                ],
                "Resource": "acs:oss:*:*:myphotos"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "oss:GetObject",
                    "oss:GetObjectAcl"
                ],
                "Resource": "acs:oss:*:*:myphotos/*"
            }
        ]
    }
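The following is an added example, not Alibaba Cloud tooling, that evaluates the custom policy above locally the way a reviewer would before attaching it: it implements the RAM decision rules (an explicit Deny beats any Allow, anything not allowed is denied, `*` is a wildcard in Action and Resource) and checks a few requests against the policy. Action names are compared case-insensitively, as RAM documents them; comparing resource names case-sensitively is an assumption of this example, and Condition blocks are not implemented. The account ID 123456789012 in the request ARNs is constructed.

```python
"""Local evaluator for an Alibaba Cloud RAM policy document (added example)."""
import re

# The custom policy shown on this page, as a Python dict.
OSS_READ_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo",
                    "oss:GetBucketTagging", "oss:GetBucketAcl"],
         "Resource": "acs:oss:*:*:*"},
        {"Effect": "Allow",
         "Action": ["oss:ListObjects", "oss:GetBucketAcl"],
         "Resource": "acs:oss:*:*:myphotos"},
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:GetObjectAcl"],
         "Resource": "acs:oss:*:*:myphotos/*"},
    ],
}

# Same policy plus an explicit Deny on a "private/" prefix, to show precedence
# (constructed variant, not from the page).
OSS_READ_POLICY_WITH_DENY = {
    "Version": "1",
    "Statement": OSS_READ_POLICY["Statement"] + [
        {"Effect": "Deny",
         "Action": "oss:GetObject",
         "Resource": "acs:oss:*:*:myphotos/private/*"},
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)


def _glob_match(pattern, value, ignore_case=False):
    """'*' matches any run of characters, including ':' and '/'."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    flags = re.IGNORECASE if ignore_case else 0
    return re.match(regex, value, flags) is not None


def _statement_matches(stmt, action, resource):
    """A statement applies when both an Action and a Resource pattern match."""
    actions = _as_list(stmt["Action"])
    resources = _as_list(stmt["Resource"])
    return (any(_glob_match(p, action, ignore_case=True) for p in actions)
            and any(_glob_match(p, resource) for p in resources))  # assumption: case-sensitive


def evaluate(policy, action, resource):
    """Return 'Allow' or 'Deny' for one API call on one resource ARN."""
    decision = "Deny"                      # implicit default: deny
    for stmt in policy["Statement"]:
        if not _statement_matches(stmt, action, resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"                  # an explicit Deny wins outright
        decision = "Allow"
    return decision


if __name__ == "__main__":
    bucket = "acs:oss:*:123456789012:myphotos"   # constructed account ID
    checks = [
        (OSS_READ_POLICY, "oss:GetObject", bucket + "/2024/a.jpg"),
        (OSS_READ_POLICY, "oss:PutObject", bucket + "/2024/a.jpg"),
        (OSS_READ_POLICY, "oss:GetObject", "acs:oss:*:123456789012:other/a.jpg"),
        (OSS_READ_POLICY_WITH_DENY, "oss:GetObject", bucket + "/private/a.jpg"),
    ]
    for policy, action, resource in checks:
        print(f"{action:16} {resource:48} -> {evaluate(policy, action, resource)}")
```

Running the block shows the property worth checking on any custom policy: a write such as `oss:PutObject` and any read outside `myphotos` fall through to the implicit deny, and a Deny statement blocks a request even though an Allow statement also matches it.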

Roles and ClusterRoles

A Role or ClusterRole in RBAC contains rules that represent a set of permissions. Permissions are purely additive: there are no rules that deny an operation, so a request is allowed if any bound rule matches it and denied otherwise.

A Role is a namespaced resource and defines permissions within a particular namespace. When you create a Role, you must specify the namespace to which the Role belongs.

A ClusterRole is a non-namespaced resource and defines cluster-wide permissions. The two types of roles have different names because a Kubernetes object must be either namespaced or non-namespaced.

A ClusterRole has several uses. You can use a ClusterRole to configure permissions in the following ways:

  • Define permissions on namespaced resources in a ClusterRole and then bind it with a RoleBinding to grant the permissions within an individual namespace.

  • Define permissions on namespaced resources in a ClusterRole and then bind it with a ClusterRoleBinding to grant the permissions across all namespaces.

  • Define permissions on cluster-scoped resources, such as nodes, which only a ClusterRoleBinding can grant.

If you want to define a role within a single namespace, use a Role. If you want to define a cluster-wide role, or a reusable set of permissions that you can bind in more than one namespace, use a ClusterRole.

For more information about how to create a Kubernetes ClusterRole or Role, see Customize an RBAC role.

For more information about how to attach a Kubernetes custom permission policy to a RAM user or RAM role, see Grant RBAC permissions to RAM users or RAM roles.

Important

ACK allows you to use only ClusterRoles to grant RBAC permissions on its authorization page. You cannot use Roles there. The namespace scope of a grant therefore comes from the binding, not from the role.
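The three binding patterns above, as an added example that is not code from ACK or Kubernetes: one ClusterRole is bound to one user with a RoleBinding in a single namespace and to another user with a ClusterRoleBinding, and a small model of the RBAC authorizer answers the same questions `kubectl auth can-i VERB RESOURCE -n NAMESPACE --as USER` would. The manifests are constructed Python dicts carrying the same fields as the YAML objects; the user names alice and bob, the namespaces, and the convention that cluster-scoped requests use an empty namespace are assumptions of this example. Only User subjects and ClusterRole references are modelled.

```python
"""Model of Kubernetes RBAC binding scope (added example)."""

# A ClusterRole that names namespaced resources (pods, deployments) and one
# cluster-scoped resource (nodes). Constructed for this example.
POD_READER = {
    "kind": "ClusterRole",
    "metadata": {"name": "pod-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]},
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]},
    ],
}

# RoleBinding: the same ClusterRole, effective only inside namespace "dev".
DEV_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "alice-pod-reader", "namespace": "dev"},
    "subjects": [{"kind": "User", "name": "alice"}],
    "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
}

# ClusterRoleBinding: the same ClusterRole, effective in every namespace.
ALL_NS_BINDING = {
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "bob-pod-reader"},
    "subjects": [{"kind": "User", "name": "bob"}],
    "roleRef": {"kind": "ClusterRole", "name": "pod-reader"},
}

ROLES = {("ClusterRole", "pod-reader"): POD_READER}
BINDINGS = [DEV_BINDING, ALL_NS_BINDING]


def _rule_matches(rule, verb, api_group, resource):
    """A rule matches when verb, apiGroup and resource are each listed or '*'.
    Subresources are spelled 'resource/sub', exactly as in the manifest."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["verbs"], verb)
            and hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource))


def can_i(user, verb, resource, namespace, api_group=""):
    """True if any binding for `user` reaches a rule that allows the request.
    Use namespace="" for cluster-scoped resources such as nodes."""
    for binding in BINDINGS:
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        # A RoleBinding grants only within its own namespace, so it can never
        # reach another namespace or a cluster-scoped resource; a
        # ClusterRoleBinding grants everywhere.
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        role = ROLES.get((binding["roleRef"]["kind"], binding["roleRef"]["name"]))
        if role is None:
            continue  # dangling roleRef grants nothing
        if any(_rule_matches(r, verb, api_group, resource) for r in role["rules"]):
            return True
    return False  # nothing matched: RBAC has no deny rules, so default is deny


if __name__ == "__main__":
    for user, verb, res, ns, grp in [("alice", "list", "pods", "dev", ""),
                                     ("alice", "list", "pods", "prod", ""),
                                     ("bob", "list", "pods", "prod", ""),
                                     ("alice", "get", "nodes", "", ""),
                                     ("bob", "get", "nodes", "", ""),
                                     ("alice", "delete", "pods", "dev", "")]:
        print(f"{user:6} {verb:7} {res:6} ns={ns or '<cluster>':9} -> {can_i(user, verb, res, ns, grp)}")
```

The same ClusterRole yields different effective permissions purely because of the binding: alice can list pods in dev but not in prod and cannot read nodes at all, while bob can do both everywhere. When reviewing a custom ClusterRole for the ACK "Custom role" option, this is why both the rules and the intended binding scope need to be checked.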

RBAC authorization

To authorize a RAM user or RAM role to manage specific Kubernetes resources in an ACK cluster, such as reading pod and node information, go to the authorization page of the ACK console and grant the RAM user or RAM role permissions on the data plane resources of the cluster.

You can assign one of the following predefined roles, or a custom role, to the RAM user or RAM role. For more information, see Grant RBAC permissions to RAM users or RAM roles.

The following table describes the permissions of the roles.

Role: RBAC permission on cluster resources

Administrator: Read and write permissions on resources in all namespaces.

O&M engineer: Read and write permissions on the resources that are visible in the console in all namespaces, plus read-only permissions on nodes, PVs, namespaces, and quotas.

Developer: Read and write permissions on the resources that are visible in the console, in one specified namespace or in all namespaces.

Restricted user: Read-only permissions on the resources that are visible in the console, in one specified namespace or in all namespaces.

Custom role: The permissions are those of the ClusterRole that you select. Before you select a ClusterRole, review its rules and make sure that you grant only the permissions that the RAM user or RAM role requires. For more information about ClusterRoles, see Customize an RBAC role.