FAQ about authorizations - User Guide for Kubernetes Clusters| Alibaba Cloud Documentation Center

How to define custom RAM roles in Kubernetes clusters?
How to use a RAM user to manage RBAC authorizations to other RAM users?

How to define custom RAM roles in Kubernetes clusters?

Currently, you cannot define custom RAM roles for Kubernetes clusters. However, when you create worker nodes for a cluster, the system automatically creates a RAM role. You can modify RAM policies to grant permissions to the RAM role.

Log on to the Container Service console.
In the left-side navigation pane, choose Clusters > Clusters. On the Clusters page, select the target cluster and click the cluster name.
On the Basic Information page, click the Worker RAM Role under Cluster Resources.
You are redirected to the RAM console. On the RAM Roles page, click the policy name.
On the Policies page, click Modify Policy Document and enter the following content for the policy. Then click OK. This example grants the RAM role the permissions to scale and delete clusters. For more information about permissions, see Table 1.
```
{
            "Action": [
              "cs:ScaleCluster",
              "cs:DeleteCluster"
            ],
            "Resource": "*",
            "Effect": "Allow"
         }
```

How to use a RAM user to manage RBAC authorizations to other RAM users?

To enable a RAM user to manage RBAC authorizations to other RAM users, you need to grant the RAM user the built-in administrator role or the cluster-admin role within the target cluster or namespace. Besides, you need to grant the RAM user the following permissions:

Query other RAM users.
Bind RAM policies to other RAM users.
Query RBAC permissions.
Manage RBAC authorizations.

Note The RAM user must have been granted the built-in administrator role or the cluster-admin role within the target cluster or namespace.

Grant the required permissions to the RAM user.

Log on to the RAM console and grant the required permissions to the RAM user. For more information, see Custom RAM policies.

A sample policy is provided as follows:

{
    "Statement": [{
            "Action": [
                "ram:Get*",
                "ram:List*",
                "cs:GetUserPermissions",
                "cs:GetSubUsers",
                "cs:GrantPermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:AttachPolicyToUser",
                "ram:AttachPolicy"
            ],
            "Effect": "Allow",
            "Resource":  [
                "acs:ram:*:*:policy/xxxxxx",
                "acs:*:*:*:user/*"
            ]
        }
    ],
    "Version": "1"
}

Note Replace xxxxxx with the RAM policies that you want to bind to other RAM users. For example, if you replace it with *, it indicates that the RAM user has the permissions to bind all RAM policies to other RAM users.

The RAM user grants permissions to other RAM users.
After the RAM user is granted the above roles and permissions, the user can bind the specified policies to other RAM users and manage RBAC authorizations to other RAM users within the target cluster. For more information about how to grant permissions to other RAM users, see Configure RBAC permissions for RAM users.