This topic describes how to create a custom Resource Access Management (RAM) policy. In this topic, a custom RAM policy is created and attached to a RAM user to grant the RAM user the permissions to query, modify, and delete Container Service for Kubernetes (ACK) clusters.

Prerequisites

You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy language.

Background information

The system policies provided by ACK are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control for your ACK clusters. For example, if you want to control the operation permissions on a specified cluster, you must create a custom policy to meet this requirement for fine-grained management.

Before you use role-based access control (RBAC) to authorize a RAM user to manage a cluster, you must authorize the RAM user to manage the cluster in the RAM console. You can grant the RAM user read and write permissions on the cluster based on your requirements.
  • Read permissions: view basic information about a specified cluster, such as cluster configurations and the kubeconfig file.
  • Write permissions: manage a specified cluster, such as scaling and upgrading the cluster, and adding nodes to and removing nodes from the cluster.
Before you perform RBAC authorization for the RAM user, make sure that the RAM user has read-only permissions on the cluster that you want to manage.
{
  "Statement": [
    {
      "Action": [
        "cs:Get*",
        "cs:List*",
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/<yourclusterID>"
      ]
    }
  ],
  "Version": "1"
}

After the RAM user is granted the required RAM permissions on the cluster, use RBAC to authorize the RAM user to manage cluster resources. For more information, see Assign RBAC roles to RAM users.

Create a custom policy

  1. Log on to the RAM console by using your Alibaba Cloud account or as an authorized RAM user.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Custom Policy page, set Policy Name and set Configuration Mode to Script. Then, enter the policy content in the Policy Document code editor.
    Custom policy
    {
     "Statement": [{
         "Action": [
             "cs:Get*",
             "cs:List*",
             "cs:Describe*",
             "cs:ScaleCluster",
             "cs:DeleteCluster"
         ],
         "Effect": "Allow",
         "Resource": [
             "acs:cs:*:*:cluster/Cluster ID"
         ]
     }],
     "Version": "1"
    }
    Configure the policy based on the following description:
    • Enter the permissions that you want to grant in the Action field.
      Note You can use wildcard characters in the Action field.
    • Set the Resource field based on your requirements:
      • Grant permissions on one cluster
        "Resource": [
             "acs:cs:*:*:cluster/Cluster ID"
         ]
      • Grant permissions on multiple clusters
        "Resource": [
             "acs:cs:*:*:cluster/Cluster ID",
             "acs:cs:*:*:cluster/Cluster ID"
         ]
      • Grant permissions on all clusters
        "Resource": [
             "*"
         ]
        Replace Cluster ID with the ID of your cluster.
  5. Click OK.
    Return to the Policies page. You can enter the policy name or note in the search box and click the search icon to find the newly created policy. Policy management

References

Mappings between RAM actions and API operations

Operation RAM Action Description Cluster-specific
DescribeEvents cs:DescribeEvents Queries user events. No
StartAlert cs:StartAlert Enables an alert rule. No
StopAlert cs:StopAlert Disables an alert rule. No
UpdateContactGroupForAlert cs:UpdateContactGroupForAlert Updates an alert contact group. No
DeleteAlertContact cs:DeleteAlertContact Deletes an alert contact. No
DeleteAlertContactGroup cs:DeleteAlertContactGroup Deletes an alert contact group. No
DescribeUserPermission cs:DescribeUserPermission Queries the permissions that are granted to a RAM user to manage clusters. No
OpenAckService cs:OpenAckService Activates ACK. No
GrantPermissions cs:GrantPermissions Updates the permissions that are granted to a RAM user to manage clusters. No
CreateCluster cs:CreateCluster Creates an ACK cluster. The supported cluster types include dedicated Kubernetes cluster, managed Kubernetes cluster, serverless Kubernetes (ASK) cluster, managed edge Kubernetes cluster. You can also create a cluster registration proxy to register an external Kubernetes cluster. No
DescribeClusterResources cs:DescribeClusterResources Queries all resources in a cluster by cluster ID. Yes
DescribeClusterDetail cs:DescribeClusterDetail Queries the details about a cluster by cluster ID. Yes
DescribeUserQuota cs:DescribeUserQuota Queries resource quotas. No
DescribeClustersV1 cs:DescribeClustersV1 and cs:GetClusters Queries the details about all clusters. No
DescribeExternalAgent cs:DescribeExternalAgent Queries a cluster registration proxy by cluster ID. Yes
DescribeClusterLogs cs:DescribeClusterLogs Queries cluster logs by cluster ID. Yes
DescribeTaskInfo cs:DescribeTaskInfo Queries the execution details about a task by task ID. No
DescribeKubernetesVersionMetadata cs:DescribeKubernetesVersionMetadata Queries the Kubernetes versions supported by ACK. No
DescribeClusterUserKubeconfig cs:DescribeClusterUserKubeconfig Queries the kubeconfig file of a cluster by cluster ID. Yes
DescribeClusterAddonUpgradeStatus cs:DescribeClusterAddonUpgradeStatus Queries the upgrade progress of a cluster component. Yes
DescribeClusters cs:DescribeClusters and cs:GetClusters Queries all clusters within the account, including Kubernetes clusters and Swarm clusters. No
DescribeClusterNamespaces cs:DescribeClusterNamespaces Queries the namespaces in a cluster. Yes
ScaleOutCluster cs:ScaleOutCluster Scales out a cluster by cluster ID. Yes
ModifyCluster cs:ModifyCluster Modifies the cluster configurations by cluster ID. Yes
MigrateCluster cs:MigrateCluster Migrates a cluster. Yes
ScaleCluster cs:ScaleCluster Adds nodes to a cluster. Yes
UpdateK8sClusterUserConfigExpire cs:UpdateK8sClusterUserConfigExpire Updates the expiration time of a user-defined configuration. Yes
DeleteCluster cs:DeleteCluster Deletes a cluster by cluster ID and releases all nodes in the cluster. Yes
DescribeClusterNodes cs:DescribeClusterNodes Queries the details about all nodes in a cluster by cluster ID. Yes
AttachInstances cs:AttachInstances Adds existing ECS instances to a cluster. Yes
DescribeClusterAttachScripts cs:DescribeClusterAttachScripts Queries the script that is used to add instances to a cluster. Yes
DeleteClusterNodes cs:DeleteClusterNodes Removes specified nodes from a cluster by node names. Yes
RemoveClusterNodes cs:RemoveClusterNodes Removes specified extra nodes from a cluster by node names. Yes
CreateClusterNodePool cs:CreateClusterNodePool Creates a node pool for a cluster. Yes
DescribeClusterNodePools cs:DescribeClusterNodePools Queries the details about all nodes in a cluster by cluster ID. Yes
DescribeClusterNodePoolDetail cs:DescribeClusterNodePoolDetail Queries the details about a node pool in a cluster by node pool ID. Yes
ScaleClusterNodePool cs:ScaleClusterNodePool Scales out a node pool by node pool ID. Yes
ModifyClusterNodePool cs:ModifyClusterNodePool Modifies the node pool configurations by node pool ID. Yes
DeleteClusterNodepool cs:DeleteClusterNodepool Deletes a node pool by node pool ID. Yes
GetUpgradeStatus cs:GetUpgradeStatus Queries the upgrade progress of a cluster by cluster ID. Yes
ResumeUpgradeCluster cs:ResumeUpgradeCluster Resumes the upgrade of a cluster by cluster ID. Yes
UpgradeCluster cs:UpgradeCluster Upgrades a cluster by cluster ID. Yes
PauseClusterUpgrade cs:PauseClusterUpgrade Suspends the upgrade of a cluster. Yes
CancelClusterUpgrade cs:CancelClusterUpgrade Cancels the upgrade of a cluster. Yes
CreateTemplate cs:CreateTemplate Creates an orchestration template. No
DescribeTemplates cs:DescribeTemplates Queries the details about all orchestration templates. No
DescribeTemplateAttribute cs:DescribeTemplateAttribute Queries the details about an orchestration template by template ID. No
UpdateTemplate cs:UpdateTemplate Updates an orchestration template by template ID. No
DeleteTemplate cs:DeleteTemplate Deletes an orchestration template by template ID. No
InstallClusterAddons cs:InstallClusterAddons Installs a component. Yes
DescribeAddons cs:DescribeAddons Queries the details about all components that are supported by ACK. No
DescribeClusterAddonsUpgradeStatus cs:DescribeClusterAddonsUpgradeStatus Queries the upgrade progress of a component by component name. Yes
DescribeClusterAddonsVersion cs:DescribeClusterAddonsVersion Queries the details about all components that are installed in a cluster by cluster ID. Yes
ModifyClusterConfiguration cs:ModifyClusterConfiguration Modifies the configurations of a managed Kubernetes cluster. Yes
UpgradeClusterAddons cs:UpgradeClusterAddons Upgrades a component to a specified version by component name. Yes
PauseComponentUpgrade cs:PauseComponentUpgrade Suspends the upgrade of a component. Yes
ResumeComponentUpgrade cs:ResumeComponentUpgrade Resumes the upgrade of a component. Yes
CancelComponentUpgrade cs:CancelComponentUpgrade Cancels the upgrade of a cluster component. Yes
UnInstallClusterAddons cs:UnInstallClusterAddons Uninstalls a component by component name. Yes
ListTagResources cs:ListTagResources Queries the labels of a cluster by cluster ID. No
TagResources cs:TagResources Adds labels to resources. No
ModifyClusterTags cs:ModifyClusterTags Modifies the labels of a cluster by cluster ID. Yes
UntagResources cs:UntagResources Removes labels from resources. No
CreateTrigger cs:CreateTrigger Creates an application trigger. Yes
DescribeTrigger cs:DescribeTrigger Queries application triggers. Yes
DeleteTrigger cs:DeleteTrigger Deletes an application trigger. Yes

Authorize a RAM user to call non-cluster-specific API operations

If you want to authorize a RAM user to call non-cluster-specific API operations, such as DescribeEvents, do not specify cluster IDs in the Resource field of the policy content.

The following code block shows the current RAM policy:
{
    "Statement": [
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}
To grant the permissions to call the DescribeEvents operation, you must add the corresponding RAM action cs:DescribeEvents to the RAM policy, as shown in the following code block:
{
    "Statement": [
        {
            "Action": [
                "cs:DescribeEvents"
            ],
            "Effect": "Allow",
            "Resource": [
              "*"
            ]
        },
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}