To enhance security and isolation in multi-tenant scenarios, Container Service for Kubernetes reduces the permissions of worker RAM roles in managed clusters.

Assign roles to Alibaba Cloud accounts

Container Service for Kubernetes removes the permissions required for add-on management from worker RAM roles and introduces new system roles that carry the permissions for each add-on component. After the permissions are reduced, the following message appears when you create new managed clusters in the Container Service for Kubernetes console. You can use your Alibaba Cloud account, or a RAM user that has the AliyunRAMFullAccess or AdministratorAccess policy, to go to the RAM console and perform the authorization.
Note: If you use API operations to create clusters, you must perform this authorization as well.

At the bottom of the Cloud Resource Access Authorization page, click Confirm Authorization Policy. Then, log on to the Container Service for Kubernetes console again to create clusters.

The preceding operation assigns the following system roles to your account. These roles are required to manage add-ons through API operations.
  • AliyunCSManagedLogRole
  • AliyunCSManagedCmsRole
  • AliyunCSManagedCsiRole
  • AliyunCSManagedVKRole
  • AliyunCSManagedNetworkRole
  • AliyunCSManagedArmsRole
The policy of the default worker RAM role is defined as follows after the permissions are reduced:
{
  "Version": "1",
  "Statement": [{
      "Action": [
        "ecs:DescribeInstanceAttribute",
        "ecs:DescribeInstanceTypesNew",
        "ecs:DescribeInstances"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "log:GetProject",
        "log:GetLogStore",
        "log:GetConfig",
        "log:GetMachineGroup",
        "log:GetAppliedMachineGroups",
        "log:GetAppliedConfigs",
        "log:GetIndex",
        "log:GetSavedSearch",
        "log:GetDashboard",
        "log:GetJob"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "cr:GetAuthorizationToken",
        "cr:ListInstanceEndpoint",
        "cr:PullRepository"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    }
  ]
}
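The point of the reduced policy is that a worker node can only read ECS instance metadata, read Log Service configuration, and pull images. The following added example (not Alibaba Cloud's code) audits a RAM policy document for drift away from that scope: it parses the policy above, lists the actions it grants, and flags any Allow action that uses a wildcard or a verb outside an assumed read-only set (Describe, Get, List, Pull). The verb prefixes are the author's assumption, not something the page defines.

```python
import json

# Reduced worker RAM role policy from the page (same statements, compacted, comma fixed).
REDUCED_WORKER_POLICY = json.loads("""
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:DescribeInstanceAttribute", "ecs:DescribeInstanceTypesNew",
                "ecs:DescribeInstances"], "Resource": ["*"], "Effect": "Allow"},
    {"Action": ["log:GetProject", "log:GetLogStore", "log:GetConfig", "log:GetMachineGroup",
                "log:GetAppliedMachineGroups", "log:GetAppliedConfigs", "log:GetIndex",
                "log:GetSavedSearch", "log:GetDashboard", "log:GetJob"],
     "Resource": ["*"], "Effect": "Allow"},
    {"Action": ["cr:GetAuthorizationToken", "cr:ListInstanceEndpoint", "cr:PullRepository"],
     "Resource": ["*"], "Effect": "Allow"}
  ]
}
""")

# Assumed read-only/pull verb prefixes a worker node legitimately needs; any other verb
# (Create, Delete, Update, ...) or a wildcard on a worker role is reported as a finding.
READ_ONLY_VERB_PREFIXES = ("Describe", "Get", "List", "Pull")


def _as_list(value):
    """RAM policies accept a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_actions(policy):
    """Return the set of actions granted by Allow statements in a RAM policy document."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow":
            actions.update(_as_list(stmt.get("Action", [])))
    return actions


def audit_worker_policy(policy):
    """Return sorted findings for Allow actions that exceed read-only/pull scope.

    An empty list means the policy stays within the reduced worker scope.
    """
    findings = []
    for action in allowed_actions(policy):
        service, _, verb = action.partition(":")
        if "*" in action or not verb:
            findings.append(f"{action}: wildcard or malformed action")
        elif not verb.startswith(READ_ONLY_VERB_PREFIXES):
            findings.append(f"{action}: verb '{verb}' can change {service} state")
    return sorted(findings)


if __name__ == "__main__":
    print(audit_worker_policy(REDUCED_WORKER_POLICY))  # [] -> within reduced scope
```

Running the audit against the role's live policy document (fetched from RAM) on a schedule turns the reduced scope into a regression check rather than a one-time state.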