This topic describes how to create custom authorization policies. The following example demonstrates how to grant RAM users permissions to query, expand, and delete clusters.

Prerequisites

Before you create custom authorization policies, we recommend that you learn the basic structure and syntax of the authorization policy language. For more information, see Policy elements.

Background information

Container Service provides a coarse-grained authorization system. If the system fails to meet your needs, you can create custom authorization policies. For example, to manage the permissions on individual clusters, you must create custom authorization policies.

Procedure

  1. Use an account with RAM permissions to log on to the RAM console.
  2. In the left-side navigation pane, choose Permissions > Policies to go to the Policies page.
  3. Click Create Policy to go to the Create Custom Policy page.
  4. Specify the Policy Name and set the Configuration Mode to Script. Enter your authorization details in the Policy Document field.
    Custom authorization policy:
    {
      "Statement": [{
        "Action": [
          "cs:Get*",
          "cs:ScaleCluster",
          "cs:DeleteCluster"
        ],
        "Effect": "Allow",
        "Resource": [
          "acs:cs:*:*:cluster/cluster ID"
        ]
      }],
      "Version": "1"
    }
    Note the following parameters:
    • Action: The permissions to be granted.
      Note: All actions support wildcards.
    • Resource: The clusters to which the permissions apply. Resource supports the following configuration methods:
      • Grant the permissions on a single cluster:
        "Resource": [
          "acs:cs:*:*:cluster/cluster ID"
        ]
      • Grant the permissions on multiple clusters:
        "Resource": [
          "acs:cs:*:*:cluster/cluster ID",
          "acs:cs:*:*:cluster/cluster ID"
        ]
      • Grant the permissions on all clusters:
        "Resource": [
          "*"
        ]
      Replace cluster ID with the ID of your cluster.
  5. After the configuration is complete, click OK.
    Expected results
    Go to the Policies page, and enter the Policy Name or Note in the search box to search for the new policy. You can see the newly created custom policy.
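The following script is an added example, not code from the original page or from Alibaba Cloud. It builds a policy document in the same shape as the one above, scoped to explicit cluster IDs, and then evaluates sample requests against it with a simplified model of RAM evaluation (an explicit Deny wins, otherwise some Allow statement must match both the action and the resource; conditions are not modelled). The cluster IDs, account ID, region and the cluster_arn() helper are constructed placeholders, and the assumption that "*" matches any run of characters, including ":" and "/", is the script's own. It lets you check before clicking OK that a policy grants exactly the actions and clusters you intended.

```python
import json
import re

# Constructed placeholder cluster IDs and account ID for this example; not real values.
CLUSTER_IDS = ["c0123456789example0000", "c9876543210example0000"]
ACCOUNT_ID = "1234567890123456"

# The actions used by the page's sample policy.
DEFAULT_ACTIONS = ("cs:Get*", "cs:ScaleCluster", "cs:DeleteCluster")


def build_policy(cluster_ids, actions=DEFAULT_ACTIONS):
    """Build a custom policy document with the same shape as the page's example:
    the given actions, Effect Allow, and one Resource entry per cluster."""
    if not cluster_ids:
        # Refuse to fall back silently to "*": an unscoped grant must be an explicit choice.
        raise ValueError("cluster_ids must not be empty")
    return {
        "Statement": [{
            "Action": list(actions),
            "Effect": "Allow",
            "Resource": [f"acs:cs:*:*:cluster/{cid}" for cid in cluster_ids],
        }],
        "Version": "1",
    }


def _wildcard_match(pattern, value):
    """Match a policy pattern against an action or resource string.
    Assumption: '*' matches any run of characters (including ':' and '/');
    everything else is literal and case-sensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value):
    # RAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _statement_matches(stmt, action, resource):
    return (any(_wildcard_match(a, action) for a in _as_list(stmt["Action"]))
            and any(_wildcard_match(r, resource) for r in _as_list(stmt["Resource"])))


def is_allowed(policy, action, resource):
    """Simplified evaluation: a matching explicit Deny overrides any Allow;
    otherwise the request is allowed only if some Allow statement matches
    both the action and the resource."""
    statements = policy["Statement"]
    if any(s.get("Effect") == "Deny" and _statement_matches(s, action, resource)
           for s in statements):
        return False
    return any(s.get("Effect") == "Allow" and _statement_matches(s, action, resource)
               for s in statements)


def unscoped_statements(policy):
    """Review helper: indexes of Allow statements whose Resource contains a bare '*',
    i.e. grants that apply to every cluster in the account."""
    return [i for i, s in enumerate(policy["Statement"])
            if s.get("Effect") == "Allow" and "*" in _as_list(s["Resource"])]


def cluster_arn(cluster_id, region="cn-hangzhou", account_id=ACCOUNT_ID):
    """Concrete resource string a request would carry, following the page's
    acs:cs:<region>:<account>:cluster/<id> pattern (region and account are constructed)."""
    return f"acs:cs:{region}:{account_id}:cluster/{cluster_id}"


if __name__ == "__main__":
    policy = build_policy(CLUSTER_IDS)
    print(json.dumps(policy, indent=2))
    target = cluster_arn(CLUSTER_IDS[0])
    for action in ("cs:GetUpgradeStatus", "cs:DescribeClusters", "cs:DeleteCluster"):
        print(f"{action:<22} on {CLUSTER_IDS[0]}: {is_allowed(policy, action, target)}")
    print("unscoped Allow statements:", unscoped_statements(policy))
```

Running it shows why checking the wildcard prefix matters: "cs:Get*" matches GetUpgradeStatus but not DescribeClusters, even though both appear as query actions in the table below, and a request against a cluster ID that is not listed in Resource is refused. unscoped_statements() flags any Allow statement that uses the "*" resource form, which is the one to review most carefully before attaching the policy to a RAM user.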

References

Table 1. RAM actions

Action                               Description
CreateCluster                        Create clusters.
ScaleOutCluster                      Expand clusters.
AttachInstances                      Add existing ECS instances to clusters.
DescribeClusterAttachScripts         Query scripts for manually adding nodes to clusters.
DescribeClusterUserKubeconfig        Query cluster kubeconfig.
ModifyClusterTags                    Modify cluster tags.
DescribeClusterDetail                Query cluster details.
DescribeClusters                     Query all clusters.
DeleteClusterNodes                   Delete cluster nodes.
DeleteCluster                        Delete clusters.
DescribeClusterAddonUpgradeStatus    Query upgrade status of cluster addons.
UnInstallClusterAddons               Uninstall cluster addons.
DescribeClusterAddonsVersion         Query cluster addon details.
ListTagResources                     List tag resources.
CancelClusterUpgrade                 Cancel cluster upgrade.
CreateTemplate                       Create deployment templates.
DeleteTemplate                       Delete deployment templates.
CreateTriggerHook                    Create triggers for applications.
DeleteTriggerHook                    Delete triggers for applications.
DescribeClusterLogs                  Query cluster logs.
DescribeExternalAgent                Query external agents.
DescribeTemplates                    Query deployment templates.
DescribeUserQuota                    Query user quota.
GetUpgradeStatus                     Query upgrade status of clusters.
InstallClusterAddons                 Install cluster addons.
ModifyCluster                        Modify clusters.
PauseClusterUpgrade                  Pause cluster upgrade.
RemoveClusterNodes                   Remove cluster nodes.
ResumeUpgradeCluster                 Resume cluster upgrade.
UpdateTemplate                       Update deployment templates.
UpgradeCluster                       Upgrade clusters.
DescribeClusterNodes                 Query cluster nodes.
UpgradeClusterAddons                 Upgrade cluster addons.