FAQ about authorization management - User Guide for Kubernetes Clusters| Alibaba Cloud Documentation Center

Can I grant permissions on applications?
How do I grant a RAM user the permissions to create clusters?
How can I go to the RAM authorization page?
Why is a RAM user that has the cs:admin permission fail to create custom resource definitions (CRDs) in ACK?
What do I do if the APISERVER_403 error occurs?
How do I reassign a RAM role to an ECS instance?
The RAM user is granted read-only permissions on all clusters but still fail to query all clusters
How do I assign custom RAM roles in an ACK cluster?
How does a RAM user assign RBAC roles to other RAM users?
How do I fix the "You have no permission to perform this operation. Contact the Alibaba Cloud account owner or an authorized RAM user to request permission." error?

Can I grant permissions on applications?

Yes. You can grant permissions on applications. You can create a custom ClusterRole and define a rule to grant permissions on individual applications. You can use the resourceNames field to specify the applications.

Log on to the ACK console.
In the left-side navigation pane, click Authorizations.
On the Authorizations page, select the RAM user that you want to manage on the Select RAM User wizard page and click Modify Permissions.

Note If you log on as a RAM user, make sure that the RAM user has at least read-only permissions on the cluster that you want to manage. In addition, the RAM user must be assigned the cluster-admin role or predefined RBAC administrator role. For more information, see Create a custom RAM policy.

On the Configure Role-Based Access Control (RBAC) wizard page, click 122

Add Permissions. Select the cluster and namespace, and then select Custom. Select the ClusterRole that you want to manage from the Custom drop-down list and click Next Step.

Note You can assign one predefined RBAC role and one or more custom RBAC roles in the specified cluster and namespace to a RAM user.

The following table describes the permissions that the predefined and custom RBAC roles have on clusters and namespaces.

Table 1. Roles and permissions
Role	RBAC permissions on cluster resources
Administrator	Read and write permissions on resources in all namespaces.
O&M Engineer	Read and write permissions on visible resources in the console in all namespaces and read-only permissions on nodes, persistent volumes (PVs), namespaces, and quotas.
Developer	Read and write permissions on visible resources in the console in all or specified namespaces.
Restricted User	Read-only permissions on visible resources in the console in all or specified namespaces.
Custom	The permissions of a custom role are determined by the ClusterRole that you select. Before you select a ClusterRole, check the permissions of the ClusterRole and make sure that you grant only the required permissions to the RAM user. For more information, see Create a custom RAM policy.

For more information about the subsequent steps, see Assign RBAC roles to a RAM user.

How do I grant a RAM user the permissions to create clusters?

Use your Alibaba Cloud account to grant permissions to the system roles used by Container Service for Kubernetes (ACK).
- You need only to grant permissions to the system roles once. If you are not sure whether the permissions are granted, log on using your Alibaba Cloud account and see: https://ur.alipay.com/1paTcxSWdAEW70GVH5TZiO.
- For more information about the default system roles, see ACK default roles.
Use your Alibaba Cloud account to assign custom RAM policies to the RAM user.
Make sure that the RAM user has the cs:CreateCluster permission. For more information, see Create a custom RAM policy.

The following YAML template is provided as an example.
```
{
 "Statement": [{
     "Action": [
         "cs:*"
     ],
     "Effect": "Allow",
     "Resource": [
         "CreateCluster"
     ]
 }],
 "Version": "1"
}
```
Note
- When you create a cluster, you must assign cloud resources such as virtual private cloud (VPC) resources to the cluster. Make sure that the RAM user is granted the required permissions to access cloud resources.
- Make sure that the RAM user has the List permission on VPC resources. To grant this permission, you can attach the AliyunVPCReadOnlyAccess policy to the RAM user.
- If you want to configure other resources for the cluster, check the corresponding permission policy or documents on authorization. For more information, see RAM authorization.

How can I go to the RAM authorization page?

If you revoked the permissions granted to the system roles used by ACK, you must grant the permissions again.

For more information, see Step 1: Assign the default roles.

Note You must use your Alibaba Cloud account to grant the permissions.

Why is a RAM user that has the `cs:admin` permission fail to create custom resource definitions (CRDs) in ACK?

The default administrator of clusters that are created before May 2019 does not have access permissions on all Kubernetes resources. To fix this issue, you can assign a custom cluster-admin role to the RAM user, or delete the existing cs:admin ClusterRole and create a ClusterRole.

The following YAML template is provided as an example.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

What do I do if the APISERVER_403 error occurs?

The current RAM user is not granted the required RBAC permissions on the Kubernetes cluster. You must go to the Authorizations page to grant permissions to the RAM user. For more information, see Assign RBAC roles to a RAM user.

How do I reassign a RAM role to an ECS instance?

When the application that runs on an Elastic Compute Service (ECS) instance sends requests to metadata api 100, the 404 error code or the following error message is returned: Message:Node condition RAMRoleError is now: True, reason: NodeHasNoRAMRole. You can reassign a RAM role to an ECS instance by using the following methods:

If the RAM role of an ECS instance is deleted, you must reassign the RAM role of the corresponding node to the ECS instance. For more information, see Replace an instance RAM role.
- If the ECS instance serves as a master node in your cluster, you must assign the master role to the ECS instance. Choose Cluster Information > Cluster Resources > Master RAM Role.
- If the ECS instance serves as a worker node in your cluster, you must assign the worker role to the ECS instance. Choose Cluster Information > Cluster Resources > Worker RAM Role.
If you modified the policies of the RAM role, check whether the modified content is valid.
If you modified the policies of the RAM role before errors occurred, try to roll back the policies to the original version.

The RAM user is granted read-only permissions on all clusters but still fail to query all clusters

Problem

The RAM user is granted read-only permissions on all clusters by using the RAM console, and access permissions on specified namespaces of two clusters by using RBAC. Previously, the RAM user can query all clusters in the console. However, the RAM user can query only some of the clusters now. The permissions of the RAM user are not recently modified.

Cause

You did not log on to the console by using the RAM user that has read-only permissions on all clusters. Alternatively, you did not select to display All Resources in the console.

Solution

Log on to the ACK console.
In the top navigation bar, choose All Resources > All Resources.
Move the pointer over the avatar in the upper-right corner and make sure that you are logged on as the RAM user.

How do I assign custom RAM roles in an ACK cluster?

You cannot assign custom RAM roles in an ACK cluster. However, you can attach custom permission policies to the worker RAM role that is automatically created when you create worker nodes in the cluster.

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the details page, click Cluster Information.
On the Cluster Information page, click the Cluster Resources tab and click the link to the right of Worker RAM Role.
You are redirected to the RAM console. On the Permissions tab, click the name in the Policy column.
On the details page of the policy, click Modify Policy Document. In the Modify Policy Document pane, paste the following content into the Policy Document code editor and click OK. In this example, the permissions to scale and delete clusters are added to the policy. For more information, see Create a custom RAM policy.
```
{
            "Action": [
              "cs:ScaleCluster",
              "cs:DeleteCluster"
            ],
            "Resource": "*",
            "Effect": "Allow"
         }
```

How does a RAM user assign RBAC roles to other RAM users?

By default, you can use only an Alibaba Cloud account to assign RBAC roles to other RAM users. To allow a RAM user to assign RBAC roles to other RAM users, you must first assign the predefined RBAC administrator role or cluster-admin role to the RAM user. This way, the RAM user has the permissions to manage the cluster or namespace. In addition, you must attach a RAM permission policy to the RAM user. The permission policy must contain the following content:

The permissions to view other RAM users that belong to the current Alibaba Cloud account.
The permissions to attach permission policies to other RAM users.
The permissions to view configurations of RBAC roles.
The permissions to assign RBAC roles to other RAM users.

Grant RAM permissions to the RAM user:

Log on to the RAM console and grant RAM permissions to the RAM user. For more information, see Create a custom RAM policy.

Example:

{
    "Statement": [{
            "Action": [
                "ram:Get*",
                "ram:List*",
                "cs:GetUserPermissions",
                "cs:GetSubUsers",
                "cs:GrantPermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:AttachPolicyToUser",
                "ram:AttachPolicy"
            ],
            "Effect": "Allow",
            "Resource":  [
                "acs:ram:*:*:policy/xxxxxx",
                "acs:*:*:*:user/*"
            ]
        }
    ],
    "Version": "1"
}

Note Replace xxxxxx with the name of the permission policy that you want to allow the RAM user to attach to other RAM users. If you replace xxxxxx with an asterisk (*), it indicates that the RAM user is authorized to attach all permission policies to other RAM users.

Use the RAM user to grant permissions to other RAM users.
After the RAM user is attached with the preceding policy, the RAM user is authorized to attach the specified permission policies to other RAM users and assign RBAC roles to other RAM users. For more information about how to assign RBAC roles to a RAM user, see Assign RBAC roles to a RAM user.