FAQ about authorization - User Guide for Kubernetes Clusters| Alibaba Cloud Documentation Center

How to assign custom RAM roles to ACK clusters?
How to use a RAM user to assign RBAC roles to other RAM users?

How to assign custom RAM roles to ACK clusters?

You cannot assign custom Resource Access Management (RAM) roles to clusters of Container Service for Kubernetes (ACK). However, you can attach custom permission policies to the worker role that is automatically created by the system when the system creates worker nodes.

Log on to the ACK console.
In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of a cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the details page, click Cluster Information.
On the Cluster Information page, click the Cluster Resources tab and click the name of the worker RAM role on the tab.
You are then redirected to the RAM console. On the Permissions tab, click the name in the Policy column.
On the details page of the policy, click Modify Policy Document. On the Modify Policy Document pane, paste the following code block into the Policy Document code editor and click OK. In this example, the permissions to scale and delete clusters are added to the policy. For more information, see Customize RAM permission policies.
```
{
            "Action": [
              "cs:ScaleCluster",
              "cs:DeleteCluster"
            ],
            "Resource": "*",
            "Effect": "Allow"
         }
```

How to use a RAM user to assign RBAC roles to other RAM users?

By default, you can use only an Alibaba Cloud account to assign RBAC roles to other RAM users. To use a RAM user to assign RBAC roles to other RAM users, you must first assign the predefined RBAC administrator role or cluster-admin role to the RAM user. This way, the RAM user has permissions to manage the cluster or namespace that you want other RAM users to manage. In addition, you must attach a RAM permission policy to the RAM user. The permission policy must contain the following content:

The permissions to view other RAM users under the current Alibaba Cloud account.
The permissions to attach permission policies to other RAM users.
The permissions to view configurations of RBAC roles.
The permissions to assign RBAC roles to other RAM users.

Note You must assign the predefined RBAC administrator role or the cluster-admin role to the RAM user so that the RAM user can manage the corresponding cluster or namespace.

Grant the required permissions to the RAM user.

Log on to the RAM console and attach a permission policy that contains the preceding permissions to the RAM user. For more information, see Create custom RAM permission policies.

The following is an example of the policy content:

{
    "Statement": [{
            "Action": [
                "ram:Get*",
                "ram:List*",
                "cs:GetUserPermissions",
                "cs:GetSubUsers",
                "cs:GrantPermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:AttachPolicyToUser",
                "ram:AttachPolicy"
            ],
            "Effect": "Allow",
            "Resource":  [
                "acs:ram:*:*:policy/xxxxxx",
                "acs:*:*:*:user/*"
            ]
        }
    ],
    "Version": "1"
}

Note Replace xxxxxx with the name of the permission policy that you want to attach to other RAM users. If you replace with an asterisk (*), it indicates that the RAM user is authorized to attach all permission policies to other RAM users.

Use the RAM user to authorize other RAM users.
After the RAM user is attached with the preceding permission policy, the RAM user is authorized to assign RBAC roles to other RAM users and grant them limited permissions. For more information about how to assign RBAC roles to a RAM user, see Assign RBAC roles to a RAM user.