This topic provides answers to some frequently asked questions about authorization management.

Can I grant permissions on applications?

Yes. You can grant permissions on applications. You can create a custom ClusterRole and define a rule to grant permissions on individual applications. You can use the resourceNames field to specify the applications.

  1. Log on to the ACK console.
  2. In the left-side navigation pane, click Authorizations.
  3. On the Authorizations page, select the Resource Access Management (RAM) user that you want to manage on the Select RAM User wizard page and click Modify Permissions.
    Note If you log on to the Container Service for Kubernetes (ACK) console as a RAM user, make sure that the RAM user has at least read-only permissions on the cluster that you want to manage. In addition, the RAM user must be assigned the cluster-admin role or Administrator role of the cluster. For more information, see Create a custom RAM policy.
  4. On the Configure Role-Based Access Control (RBAC) wizard page, click Add Permissions. Select the cluster and namespace, and then select Custom. Select the ClusterRole that you want to manage from the Custom drop-down list and click Next Step.
    Note You can assign one predefined RBAC role and one or more custom RBAC roles in the specified cluster and namespace to a RAM user.
    The following table describes the permissions that the predefined and custom RBAC roles have on clusters and namespaces.
    Table 1. Roles and permissions (role: permissions on cluster resources)
    • Administrator: Read and write permissions on resources in all namespaces.
    • O&M Engineer: Read and write permissions on visible resources in the console in all namespaces, and read-only permissions on nodes, persistent volumes (PVs), namespaces, and quotas.
    • Developer: Read and write permissions on visible resources in the console in all or specified namespaces.
    • Restricted User: Read-only permissions on visible resources in the console in all or specified namespaces.
    • Custom: The permissions of a custom role are determined by the ClusterRole that you select. Before you select a ClusterRole, check the permissions of the ClusterRole and make sure that you grant only the required permissions to the RAM user. For more information, see Create a custom RAM policy.

    For more information about the subsequent steps, see Assign RBAC roles to RAM users.
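    The following ClusterRole is an added example that is not part of the original topic. It shows how the resourceNames field described above limits access to individual applications; the role name, the Deployment names (web-frontend and order-api) and the verbs are constructed for the example. The console binds the ClusterRole to the RAM user in the cluster and namespace that you select in Step 4, so no RoleBinding is shown.

```yaml
# Added example (not from the original topic): a custom ClusterRole that
# grants access to two specific applications only. Names are constructed.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: app-operator-limited
rules:
# resourceNames restricts these verbs to the two named Deployments and their
# scale subresource, so the RAM user cannot touch other Deployments.
- apiGroups: ["apps"]
  resources: ["deployments", "deployments/scale"]
  resourceNames: ["web-frontend", "order-api"]
  verbs: ["get", "update", "patch"]
# Pods cannot be pinned to an application by name because their names are
# generated, so this rule grants read-only access and no resourceNames.
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
# Caveat: create and deletecollection requests cannot be restricted by
# resourceNames (the object name is not known at authorization time), and
# list or watch requests match a resourceNames rule only when they select
# exactly that name with a metadata.name field selector. Putting those
# verbs in the first rule would therefore grant nothing useful for them.
```

    Check the result with kubectl auth can-i as the RAM user before you hand the role over, for example whether get on deployments/web-frontend is allowed while get on another Deployment is denied.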

How do I grant a RAM user the permissions to create clusters?

  1. Use your Alibaba Cloud account to assign the system roles to ACK.
    • You only need to grant permissions to the system roles once. If you are not sure whether the permissions are granted, log on by using your Alibaba Cloud account and visit ur.alipay.com/1paTcxSWdAEW70GVH5TZiO
    • For more information about the default system roles, see ACK default roles.
  2. Use your Alibaba Cloud account to assign custom RAM policies to the RAM user.

    Make sure that the RAM user has the cs:CreateCluster permission. For more information, see Create a custom RAM policy.

    The following RAM policy document is provided as an example. It allows the cs:CreateCluster action on all resources:

    {
      "Statement": [{
        "Action": [
          "cs:CreateCluster"
        ],
        "Effect": "Allow",
        "Resource": [
          "*"
        ]
      }],
      "Version": "1"
    }
    Note
    • When a cluster is created, the system associates cloud resources with the cluster, such as virtual private clouds (VPCs). Make sure that the RAM user is granted the required permissions to access cloud resources.
    • Make sure that the RAM user has the List permission on VPCs. To grant this permission, you can attach the AliyunVPCReadOnlyAccess policy to the RAM user.
    • If you want to grant permissions on other resources, check the documentation on the system policies and authorizations related to the corresponding cloud services. For more information, see RAM authorization.

How do I go to the RAM authorization page?

If you revoke the permissions granted to the system roles used by ACK, you must grant the permissions again.

For more information, see Step 2: Assign the default roles.
Note You must use an Alibaba Cloud account to grant the permissions again.

Why does a RAM user that is assigned the cs:admin role fail to create CustomResourceDefinition (CRD) objects in Kubernetes clusters?

If your cluster was created before May 2019, the default administrator role of the cluster is not allowed to access some Kubernetes resources. You can assign the cluster-admin role to the RAM user. You can also delete the cs:admin ClusterRole and then recreate the ClusterRole.

The following YAML template is provided as an example:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cs:admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

What do I do if the APISERVER_403 error occurs?

The current RAM user is not assigned the required RBAC role on the Kubernetes cluster. You must go to the Authorizations page to assign the required RBAC role. For more information, see Assign RBAC roles to RAM users.

What do I do if a RAM role is revoked from an ECS instance?

When an application that runs on an Elastic Compute Service (ECS) instance sends requests to the instance metadata API, a 404 error code or the following error message is returned: Message:Node condition RAMRoleError is now: True, reason: NodeHasNoRAMRole. You can reassign a RAM role to the ECS instance by using the following methods:

  • If a RAM role is revoked from an ECS instance, you must reassign the RAM role to the ECS instance. For more information, see Replace an instance RAM role.
    • If the ECS instance serves as a master node in your cluster, you must assign the master RAM role to the ECS instance. Go to the cluster details page and choose Cluster Information > Cluster Resources > Master RAM Role.
    • If the ECS instance serves as a worker node in your cluster, you must assign the worker RAM role to the ECS instance. Go to the cluster details page and choose Cluster Information > Cluster Resources > Worker RAM Role.
  • If you modified the policies of the RAM role, check whether the modified content contains the required permissions.
  • If you modified the policies of the RAM role before the error occurs, try to roll back the policies to the original version.

Why does a RAM user that has read-only permissions on all clusters fail to view some clusters?

Symptom

A RAM user is granted read-only permissions on all clusters by using the RAM console, and access permissions on specified namespaces of two clusters by using RBAC. Previously, the RAM user could query all clusters in the console. However, the RAM user can now query only some of the clusters. The permissions of the RAM user have not been modified recently.

Cause

You logged on to the ACK console as a different RAM user, or a specific resource group is selected. In this case, you must log on to the ACK console as the RAM user to which you granted the permissions and select All Resources at the top of the ACK console.

Solution

  1. Log on to the ACK console.
  2. In the top navigation bar, choose All Resources > All Resources.
  3. Move the pointer over the avatar in the upper-right corner and make sure that you are logged on as the RAM user.

How do I assign a custom RAM role to an ACK cluster?

You cannot assign a custom RAM role to an ACK cluster. However, you can attach custom RAM policies to the worker RAM role that is automatically created and assigned to the cluster when you create worker nodes.

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. On the cluster details page, click the Cluster Resources tab.
  5. On the Cluster Resources tab, click the link to the right side of Worker RAM Role.
  6. On the RAM Roles page, click the policy name.
  7. On the details page of the policy, click Modify Policy Document. In the Modify Policy Document pane, add the following statement to the Statement array of the policy in the Policy Document code editor and click OK. In this example, the permissions to scale and delete clusters are added to the policy. For more information, see Create a custom RAM policy.
    {
      "Action": [
        "cs:ScaleCluster",
        "cs:DeleteCluster"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }

How do I use a RAM user to assign RBAC roles to other RAM users?

By default, you can use only an Alibaba Cloud account to assign RBAC roles to other RAM users. To allow a RAM user, for example, RAM User A, to assign RBAC roles to other RAM users, you must first assign the predefined RBAC administrator role or cluster-admin role to RAM User A. This way, RAM User A has the permissions to manage the cluster or namespace. In addition, you must attach a RAM policy to RAM User A. The policy must contain the following permissions:
  • The permissions to view other RAM users
  • The permissions to attach RAM policies to other RAM users
  • The permissions to view configurations of RBAC roles
  • The permissions to assign RBAC roles to other RAM users
  1. Attach a custom RAM policy to RAM User A.
    Log on to the RAM console and attach a custom RAM policy to the RAM user. For more information, see Create a custom RAM policy.
    Use the following template to create the custom RAM policy:
    {
      "Statement": [
        {
          "Action": [
            "ram:Get*",
            "ram:List*",
            "cs:GetUserPermissions",
            "cs:GetSubUsers",
            "cs:GrantPermission"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:AttachPolicyToUser",
            "ram:AttachPolicy"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:ram:*:*:policy/xxxxxx",
            "acs:*:*:*:user/*"
          ]
        }
      ],
      "Version": "1"
    }
    Note Replace xxxxxx with the name of the RAM policy that you want to allow the RAM user to attach to other RAM users. If you replace xxxxxx with an asterisk (*), it indicates that the RAM user is authorized to attach all RAM policies to other RAM users.
  2. Use RAM User A to assign roles to other RAM users.
    After you attach the preceding RAM policy to RAM User A, RAM User A is authorized to assign the specified RAM policies and RBAC roles to other RAM users. For more information about how to assign RBAC roles to other RAM users, see Assign RBAC roles to RAM users.

How do I determine whether an authorization error is caused by RAM policies or RBAC roles?

You can determine whether an authorization error is caused by RAM policies or RBAC roles based on the error message returned by the API or the console.
  • Caused by RAM policies

    Symptom

    The API or console returns the following error message:
    RAM policy Forbidden for action cs:DescribeEvents
    STSToken policy Forbidden for action cs:DescribeClusterNodes

    Cause

    The error message indicates that the RAM policy attached to the RAM user does not contain the cs:DescribeEvents action.

    Solution

    If the error message returned by the API or the console contains RAM policy Forbidden or STSToken policy Forbidden, it indicates that the RAM policy attached to the RAM user does not contain required actions. Add the required actions to the RAM policy attached to the RAM user. For more information, see Create a custom RAM policy.

  • Caused by RBAC roles

    Symptom

    The API or console returns the following error message:
    events is forbidden: User "<uid>" cannot list resource "events" in API group "" at the cluster scope
    ForbiddenQueryClusterNamespace, Forbidden query namespaces

    Cause

    The error message indicates that the RBAC role assigned to the RAM user <uid> does not have the permission to list the events resource at the cluster scope.

    Solution

    If the error message returned by the API or the console contains APISERVER_403, User "xxx" cannot xx resource "xx" in API group, or ForbiddenQueryClusterNamespace, it indicates that the RBAC role assigned to the RAM user does not have the required permissions. Add the required permissions to the RBAC role assigned to the RAM user. For more information, see Assign RBAC roles to RAM users.