This topic provides answers to some commonly asked questions about authorization.
How do I assign custom RAM roles to ACK clusters?
You cannot assign custom Resource Access Management (RAM) roles to clusters of Container Service for Kubernetes (ACK). However, you can attach custom permission policies to the worker role that the system automatically creates when it creates worker nodes.
How do I use a RAM user to assign RBAC roles to other RAM users?
By default, you can use only an Alibaba Cloud account to assign RBAC roles to other RAM users. To use a RAM user to assign RBAC roles to other RAM users, you must first assign the predefined RBAC administrator role or cluster-admin role to the RAM user. This way, the RAM user has permissions to manage the cluster or namespace that you want other RAM users to manage. In addition, you must attach a RAM permission policy to the RAM user. The permission policy must grant the following permissions:
- The permissions to view other RAM users under the current Alibaba Cloud account.
- The permissions to attach permission policies to other RAM users.
- The permissions to view configurations of RBAC roles.
- The permissions to assign RBAC roles to other RAM users.
Note: You must assign the predefined RBAC administrator role or the cluster-admin role to the RAM user so that the RAM user can manage the corresponding cluster or namespace.
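As an added example (not Alibaba Cloud's own code), the following Python check tests whether a RAM policy document covers the four permissions listed above before you delegate RBAC assignment to a RAM user. The action names in `REQUIRED` and the sample policy are assumptions that do not appear on this page; confirm them against the RAM and ACK authorization references.

```python
import json
from fnmatch import fnmatchcase

# ASSUMPTION: the page lists four permissions but names no actions. These
# RAM/ACK action names are assumed; verify them before relying on the check.
REQUIRED = {
    "view other RAM users": ["ram:ListUsers", "ram:GetUser"],
    "attach permission policies to RAM users": ["ram:AttachPolicyToUser"],
    "view RBAC role configurations": ["cs:GetUserPermissions"],
    "assign RBAC roles to RAM users": ["cs:GrantPermission"],
}

# Constructed sample policy; the policy name in the ARN is a placeholder.
SAMPLE_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ram:Get*", "ram:List*",
                "cs:GetUserPermissions", "cs:GrantPermission"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": "ram:AttachPolicyToUser",
     "Resource": ["acs:ram:*:*:policy/<policy-name-placeholder>",
                  "acs:*:*:*:user/*"]}
  ]
}
""")

def _listify(value):
    """Statement and Action may each be a single item or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def _patterns(policy, effect):
    """Action patterns from statements with the given Effect."""
    return [a for st in _listify(policy.get("Statement"))
            if st.get("Effect") == effect
            for a in _listify(st.get("Action"))]

def missing_permissions(policy):
    """Names of required permissions the policy does not grant.
    Resource and Condition are ignored; a matching Deny overrides Allow."""
    allow, deny = _patterns(policy, "Allow"), _patterns(policy, "Deny")
    def granted(action):
        return (not any(fnmatchcase(action, p) for p in deny)
                and any(fnmatchcase(action, p) for p in allow))
    return [name for name, actions in REQUIRED.items()
            if not all(granted(a) for a in actions)]
```

Because the check ignores `Resource` and `Condition`, an empty result means the actions are present, not that they are scoped tightly; review the resource ARNs on the attach statement separately.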