The default permission policy WorkerRolePolicy attached to worker roles in a managed
Kubernetes cluster grants broad permissions. To facilitate data security and resource
isolation in multi-tenancy scenarios, Container Service for Kubernetes (ACK) reduces
the permissions of the Resource Access Management (RAM) roles assigned to the worker
roles in managed Kubernetes clusters.
Assign RAM roles
ACK removes the permissions required for add-on management from worker RAM roles,
and introduces new system roles to manage permissions on different add-on components.
After the permissions are reduced, the following message appears when you create new
managed Kubernetes clusters in the ACK console. Log on with your Alibaba Cloud
account or as a RAM user to which the AliyunRAMFullAccess policy is attached, and click
Go to the RAM console to perform authorization. If you create ACK clusters by calling
the API, you must assign the required RAM roles in the same way.
At the bottom of the Cloud Resource Access Authorization page, click Confirm Authorization Policy. Then, log on to the ACK console again to create ACK clusters.
The preceding operation assigns the following system roles to your account. These
roles are required for add-on management by calling the API.
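As an added example (not content from this page and not the real WorkerRolePolicy), the following Python compares two constructed RAM policy documents for a worker role, a broad one standing in for the policy before the reduction and a narrower one for after it, and flags any service-wide wildcard grants that remain. The action names and resource ARNs are placeholders chosen for illustration.

```python
import json

# Constructed sample policies in Alibaba Cloud RAM policy format. The actions
# are placeholders for illustration, not the real contents of WorkerRolePolicy.
BEFORE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": ["ecs:*", "vpc:*", "slb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "log:*", "Resource": "*"},
    ],
})
AFTER_POLICY = json.dumps({
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ecs:DescribeInstances", "ecs:DescribeDisks"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "log:PostLogStoreLogs",
         "Resource": "acs:log:*:*:project/k8s-log-*"},
    ],
})


def allowed_actions(policy_json):
    """Return the set of actions granted by Allow statements (Deny is ignored).
    RAM allows "Action" to be either a single string or a list."""
    doc = json.loads(policy_json)
    actions = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def wildcard_grants(policy_json):
    """Actions ending in '*' (service-wide grants), the main least-privilege red flag."""
    return {a for a in allowed_actions(policy_json) if a.endswith("*")}


def permission_diff(before_json, after_json):
    """Actions removed and actions added by a policy change, as two sorted lists."""
    before, after = allowed_actions(before_json), allowed_actions(after_json)
    return sorted(before - after), sorted(after - before)


if __name__ == "__main__":
    removed, added = permission_diff(BEFORE_POLICY, AFTER_POLICY)
    print("removed:", removed)
    print("added:", added)
    print("remaining wildcard grants:", sorted(wildcard_grants(AFTER_POLICY)))
```

Run the same functions over the policy document actually attached to your worker role to confirm that no service-wide wildcard grants survive the reduction.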
The following code block shows the default RAM policy that is attached to the worker
roles of your ACK cluster after the permissions are reduced: