This topic describes how Container Service manages access to Kubernetes clusters and how to authorize users to access clusters.

Container Service allows you to use RAM authorization and RBAC authorization to control access to clusters.

RAM authorization

RAM authorization controls access to the clusters themselves through the cluster management API. You can write custom RAM policies that grant permissions to query, scale, or add nodes to clusters. For more information, see Custom RAM policies.

RBAC authorization

RBAC authorization manages access to the resources inside a cluster. The API server checks each request against the roles granted to the user who makes it. You can grant the following roles to RAM users through the console:

Table 1. Roles and permissions

Role             Permission
Administrator    Read-write access to resources in all namespaces.
O&M Engineer     Read-write access to console-visible resources in all namespaces. Read-only access to nodes, PVs, namespaces, and quotas.
Developer        Read-write access to console-visible resources in the namespaces that you specify.
Restricted User  Read-only access to console-visible resources in the namespaces that you specify.
Custom           The permissions are determined by the ClusterRole that you select. Review every permission in the selected ClusterRole before you assign it, and do not grant RAM users permissions that they do not need.
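The Custom role is only as safe as the ClusterRole behind it, so it helps to list what a ClusterRole actually grants before binding it to a RAM user. The following script is an added example and is not part of this topic or of Container Service; it flattens a ClusterRole manifest (a constructed sample in JSON form, which the API server also accepts) into apiGroup/resource/verb triples and flags wildcard grants, privilege-escalation verbs, and writes to resources that this audit treats as sensitive. The set of sensitive resources and the verb classification are assumptions of the example, not a Container Service definition.

```python
"""Audit a Kubernetes ClusterRole before binding it to a RAM user (added example)."""
import json

# Constructed sample ClusterRole manifest; not taken from the documentation.
SAMPLE_CLUSTERROLE = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-custom-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
        {"apiGroups": ["rbac.authorization.k8s.io"],
         "resources": ["clusterrolebindings"], "verbs": ["create"]},
    ],
})

READ_VERBS = {"get", "list", "watch"}
# Assumption of this example: verbs that let a subject widen its own rights.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# Assumption of this example: (apiGroup, resource) pairs where any write is high impact.
SENSITIVE = {
    ("", "secrets"),
    ("rbac.authorization.k8s.io", "clusterroles"),
    ("rbac.authorization.k8s.io", "clusterrolebindings"),
    ("rbac.authorization.k8s.io", "roles"),
    ("rbac.authorization.k8s.io", "rolebindings"),
}


def expand_rules(clusterrole_json):
    """Flatten the rules of a ClusterRole into (apiGroup, resource, verb) triples."""
    role = json.loads(clusterrole_json)
    triples = []
    for rule in role.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    triples.append((group, resource, verb))
    return triples


def audit_clusterrole(clusterrole_json):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    for group, resource, verb in expand_rules(clusterrole_json):
        label = f"{group or 'core'}/{resource} {verb}"
        if "*" in (group, resource, verb):
            findings.append(f"wildcard grant: {label}")
        elif verb in ESCALATION_VERBS:
            findings.append(f"privilege-escalation verb: {label}")
        elif (group, resource) in SENSITIVE and verb not in READ_VERBS:
            findings.append(f"write on sensitive resource: {label}")
    return findings


def is_read_only(clusterrole_json):
    """True if every verb in the ClusterRole is get, list, or watch."""
    return all(verb in READ_VERBS for _, _, verb in expand_rules(clusterrole_json))


if __name__ == "__main__":
    for finding in audit_clusterrole(SAMPLE_CLUSTERROLE):
        print(finding)
    print("read-only:", is_read_only(SAMPLE_CLUSTERROLE))
```

Run against the sample, the audit reports the wildcard verb on secrets and the create permission on clusterrolebindings, and `is_read_only` returns False, so the role would not be a suitable substitute for the Restricted User role. Note that `get` on secrets passes the read-only check but still exposes secret contents, so review the expanded triples as well as the findings.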

How to authorize RAM users to access clusters

  • Before you configure RBAC authorization, you must grant the RAM user access to the target cluster by creating RAM policies of the following kinds:
    • Read policy: grants permissions to query information such as the cluster configuration and the kubeconfig file.
    • Write policy: grants permissions to scale, upgrade, or delete the cluster, or to add nodes to it.
    Before you configure RBAC authorization, make sure that the RAM user has at least read-only access to the target cluster. The following sample policy grants read-only access to a single cluster:
    {
      "Statement": [
        {
          "Action": "cs:Get*",
          "Effect": "Allow",
          "Resource": [
            "acs:cs:*:*:cluster/<yourclusterID>"
          ]
        }
      ],
      "Version": "1"
    }

    For more information about RAM authorization, see Custom RAM policies.

  • After RAM authorization is complete, you can configure RBAC authorization to manage access to specific resources in the cluster. For more information, see Configure RBAC permissions for RAM users.
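The read-only prerequisite above is easy to get wrong by copying a broader policy, so it is worth checking a candidate RAM policy mechanically before attaching it. The following script is an added example and is not part of this topic or of Container Service; it parses a RAM policy document, confirms that every allowed action can only match read-style cs: actions, and confirms that every resource is pinned to one cluster ID. The rule that read actions begin with Get, Describe, or List is an assumption of the example, and the cluster ID and the overbroad counter-example are constructed values.

```python
"""Check that a RAM policy is read-only and scoped to one cluster (added example)."""
import json

# Constructed cluster ID used by the samples below; not a real cluster.
CLUSTER_ID = "c-example-cluster-id"

# Same shape as the sample policy in the topic, with the placeholder filled in.
READ_ONLY_POLICY = json.dumps({
    "Statement": [
        {
            "Action": "cs:Get*",
            "Effect": "Allow",
            "Resource": [f"acs:cs:*:*:cluster/{CLUSTER_ID}"],
        }
    ],
    "Version": "1",
})

# Constructed counter-example: every cs: action on every resource.
OVERBROAD_POLICY = json.dumps({
    "Statement": [
        {"Action": ["cs:*"], "Effect": "Allow", "Resource": "*"}
    ],
    "Version": "1",
})

# Assumption of this example: read actions in the cs: service start with these prefixes.
READ_PREFIXES = ("Get", "Describe", "List")


def _as_list(value):
    """RAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only_action(action):
    """True if the action pattern can only ever match read-style cs: actions.

    The literal text before the first wildcard must already start with a
    read prefix, so 'cs:Get*' passes while 'cs:*' and 'cs:G*' fail.
    """
    if not action.startswith("cs:"):
        return False
    literal = action[len("cs:"):].split("*", 1)[0]
    return any(literal.startswith(prefix) for prefix in READ_PREFIXES)


def is_single_cluster_resource(resource, cluster_id):
    """True if the resource ARN names exactly the expected cluster."""
    return resource == f"acs:cs:*:*:cluster/{cluster_id}"


def check_read_only_policy(policy_json, cluster_id):
    """Return findings for Allow statements that exceed read-only, single-cluster access."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        for action in _as_list(stmt.get("Action", [])):
            if not is_read_only_action(action):
                findings.append(f"statement {index}: action {action!r} is not read-only")
        for resource in _as_list(stmt.get("Resource", [])):
            if not is_single_cluster_resource(resource, cluster_id):
                findings.append(
                    f"statement {index}: resource {resource!r} is not scoped to {cluster_id}")
    return findings


if __name__ == "__main__":
    print("read-only policy:", check_read_only_policy(READ_ONLY_POLICY, CLUSTER_ID))
    print("overbroad policy:", check_read_only_policy(OVERBROAD_POLICY, CLUSTER_ID))
```

The sample policy from the topic produces no findings, while the overbroad counter-example is flagged twice, once for `cs:*` and once for the `*` resource. A policy that passes this check is the RAM-side prerequisite; the RBAC role still decides what the user may do inside the cluster.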