
Container Service for Kubernetes:Grant permissions to clusters and cloud resources using RAM

Last Updated:Nov 20, 2025

By default, Resource Access Management (RAM) users and RAM roles do not have permissions to call the OpenAPI of Alibaba Cloud services. You must grant system policies or custom policies to a RAM user or RAM role before the user or role can call the OpenAPI of Container Service for Kubernetes (ACK). This topic describes how to grant permissions on clusters and cloud resources to RAM users and RAM roles.

Grant permissions using system policies

System policies grant read and write permissions on global resources. You can use system policies for quick authorization if a RAM user or RAM role requires operations management permissions on all clusters that belong to your Alibaba Cloud account. The common system policies for ACK are listed below.

Important

Full access permissions in system policies pose high security risks. Grant these permissions with caution.

Common system policies for ACK:

    • AliyunCSFullAccess: Grants a RAM user or RAM role access permissions to all OpenAPI operations of ACK.

      Note: This system policy includes only RAM authorization for ACK. To perform O&M on applications in an ACK cluster, you must also grant RBAC authorization. For more information, see RBAC authorization.

    • AliyunVPCReadOnlyAccess: Lets a RAM user or RAM role select a specific VPC when creating a cluster.

    • AliyunECSReadOnlyAccess: Lets a RAM user or RAM role add existing nodes to a cluster or view node details.

    • AliyunContainerRegistryFullAccess: Lets a RAM user or RAM role globally manage business images within an Alibaba Cloud account.

    • AliyunLogReadOnlyAccess: Lets a RAM user or RAM role select an existing Log Service project to store audit logs when creating a cluster, or view configuration checks for a specific cluster.

    • AliyunAHASReadOnlyAccess: Lets a RAM user or RAM role use the cluster topology feature.

    • AliyunRAMFullAccess: Lets a RAM user or RAM role manage global authorization within an Alibaba Cloud account.

    • AliyunYundunSASReadOnlyAccess: Lets a RAM user or RAM role view runtime security monitoring for a specific cluster.

    • AliyunARMSReadOnlyAccess: Lets a RAM user or RAM role view the monitoring status of the Prometheus plug-in for a cluster.

    • AliyunKMSReadOnlyAccess: Lets a RAM user or RAM role enable encryption for secrets at rest when creating a Pro cluster.

    • AliyunESSReadOnlyAccess: Lets a RAM user or RAM role perform operations on node pools, such as viewing, editing, and scaling.

Note

An Alibaba Cloud account has full administrative permissions over all resources in the account. Alternatively, you can create a RAM user and grant the AdministratorAccess permission to designate it as an account administrator. This administrator can manage all cloud resources within the account. For more information, see Create a RAM user as an account administrator.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.


    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to the RAM users at a time.

  4. In the Grant Permissions panel, grant permissions to the RAM user.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

    3. Select the system policies to grant.

    4. Click Grant permissions.

  5. Click Close.

Grant permissions using custom policies

Custom policies provide fine-grained access control over cloud resources for a RAM user or RAM role. Different cloud resources may have different security and access control requirements. To implement fine-grained access control, such as restricting the permissions of a user on a specific cluster, you can create a custom policy. If the RAM user or RAM role requires custom development based on a software development kit (SDK), you can also implement API-level permission control. For information about the authorization items that RAM supports, see Authorization information.

Note

Before you create a custom policy, you must understand the basic structure and syntax of the policy language. For more information, see Basic elements of an access policy.

Step 1: Create a custom policy

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.


  4. On the Create Policy page, click the JSON tab and enter your policy document.

    {
     "Statement": [{
         "Action": [
             "cs:Get*",
             "cs:List*",
             "cs:Describe*",
             "cs:ScaleCluster",
             "cs:DeleteCluster"
         ],
         "Effect": "Allow",
         "Resource": [
             "acs:cs:*:*:cluster/cluster-id"
         ]
     }],
     "Version": "1"
    }

    The policy document contains the following parameters:

    • Action: The permissions to grant. All actions support the wildcard character (*).

    • Resource: The clusters to which the permissions apply. You can configure this parameter in the following ways. Replace each cluster-id placeholder with an actual cluster ID.

      Grant permissions to a single cluster:

      "Resource": [
          "acs:cs:*:*:cluster/cluster-id"
      ]

      Grant permissions to multiple clusters:

      "Resource": [
          "acs:cs:*:*:cluster/cluster-id-1",
          "acs:cs:*:*:cluster/cluster-id-2"
      ]

      Grant permissions to all clusters:

      "Resource": [
          "*"
      ]
  5. On the Create Policy page, click OK.

  6. In the Create Policy dialog box, enter a Policy Name and Description, and then click OK.

Step 2: Grant the custom policy to a RAM user or RAM role

The procedure for granting a custom policy is the same as the procedure for granting a system policy. When you select a policy, choose the custom policy that you created. For more information, see Grant permissions using system policies.

Custom policy authorization examples

Example 1: Grant read-only permissions to a specific cluster

Replace <YOUR-CLUSTER-ID> with the ID of the target cluster. A policy document is plain JSON and cannot contain comments, so the placeholder is the only part to edit.

{
  "Statement": [
    {
      "Action": [
        "cs:Get*",
        "cs:List*",
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/<YOUR-CLUSTER-ID>"
      ]
    }
  ],
  "Version": "1"
}

Example 2: Grant read permissions to a specific OSS bucket

The first statement applies to all buckets (acs:oss:*:*:*) so that the bucket list and bucket metadata can be read. The second and third statements are scoped to the myphotos bucket and to the objects in it, so no other bucket's contents can be listed or downloaded.

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListBuckets",
                "oss:GetBucketStat",
                "oss:GetBucketInfo",
                "oss:GetBucketTagging",
                "oss:GetBucketAcl"
            ],
            "Resource": "acs:oss:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListObjects",
                "oss:GetBucketAcl"
            ],
            "Resource": "acs:oss:*:*:myphotos"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject",
                "oss:GetObjectAcl"
            ],
            "Resource": "acs:oss:*:*:myphotos/*"
        }
    ]
}

Example 3: Grant permissions for OpenAPI operations that do not support cluster-level restrictions

Some OpenAPI operations, such as DescribeEvents, do not support cluster-level authorization. To grant a RAM user or RAM role permissions on these operations, do not specify a cluster ID in the Resource element. The following table compares the RAM access policy before and after the modification.

RAM access policy before modification (read-only permissions scoped to one cluster, so DescribeEvents is not covered):

{
    "Statement": [
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}

RAM access policy after modification (a separate statement grants cs:DescribeEvents on Resource "*"; the cluster-scoped statement is unchanged):

{
    "Statement": [
        {
            "Action": [
                "cs:DescribeEvents"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}
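The following script is an added example for this topic and is not Alibaba Cloud code: it is a deliberately simplified evaluator for RAM-style JSON policies that models only the rules described above (the `*` wildcard in Action and Resource, Allow statements, and explicit Deny overriding Allow) and ignores Condition elements. It shows why the cluster-scoped Resource in Step 1 does not cover cs:DescribeEvents and why the extra statement in Example 3 fixes that, and it includes a small check that flags write actions granted on Resource "*". The cluster ID, account ID and the resource string used for a DescribeEvents call are constructed placeholders; the policies are copied in shape from Examples 1 and 3, plus one constructed over-broad policy. Because matching is done on plain strings, the same functions can be run against the OSS policy in Example 2.

```python
"""Added example: a simplified evaluator and linter for RAM-style JSON policies.

Illustrative code only; it is not the RAM policy engine. It models what this
topic describes ('*' wildcards in Action and Resource, Allow statements, Deny
overriding Allow) and ignores Condition elements. IDs are constructed placeholders.
"""
import json
import re

CLUSTER_ID = "c2e63856bcd714197EXAMPLE"                                # constructed
CLUSTER_ARN = f"acs:cs:cn-hangzhou:123456789012:cluster/{CLUSTER_ID}"  # constructed
# Assumption: a DescribeEvents call, which cannot be scoped to one cluster, is
# modelled as targeting a non-cluster resource under the cs service.
EVENTS_ARN = "acs:cs:cn-hangzhou:123456789012:*"

# Same shape as the "before" policy in Example 3: read-only, scoped to one cluster.
POLICY_BEFORE = json.dumps({
    "Statement": [{"Action": ["cs:Get*", "cs:List*", "cs:Describe*"],
                   "Effect": "Allow",
                   "Resource": [f"acs:cs:*:*:cluster/{CLUSTER_ID}"]}],
    "Version": "1"})

# Same shape as the "after" policy: DescribeEvents on "*", cluster statement unchanged.
POLICY_AFTER = json.dumps({
    "Statement": [{"Action": ["cs:DescribeEvents"], "Effect": "Allow", "Resource": ["*"]},
                  {"Action": ["cs:Get*", "cs:List*", "cs:Describe*"],
                   "Effect": "Allow",
                   "Resource": [f"acs:cs:*:*:cluster/{CLUSTER_ID}"]}],
    "Version": "1"})

# Constructed over-broad policy: a write action granted on every resource.
POLICY_RISKY = json.dumps({
    "Statement": [{"Action": ["cs:Get*", "cs:DeleteCluster"],
                   "Effect": "Allow",
                   "Resource": ["*"]}],
    "Version": "1"})


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    """Policy wildcard match: '*' matches any run of characters, all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def is_allowed(policy_json, action, resource):
    """Return True if an Allow statement matches (action, resource) and no Deny does."""
    policy = json.loads(policy_json)
    if policy.get("Version") != "1":
        raise ValueError("unsupported policy Version")
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_matches(a, action) for a in _as_list(stmt["Action"]))
        resource_hit = any(_matches(r, resource) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False          # an explicit Deny overrides every Allow
            allowed = True
    return allowed


READ_PREFIXES = ("Get", "List", "Describe")


def find_broad_write_grants(policy_json):
    """Return (statement index, action) pairs that allow a non-read action on Resource '*'."""
    findings = []
    for index, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            operation = action.split(":", 1)[-1]   # "cs:DeleteCluster" -> "DeleteCluster"
            if not operation.startswith(READ_PREFIXES):
                findings.append((index, action))
    return findings


if __name__ == "__main__":
    print("before, DescribeEvents:", is_allowed(POLICY_BEFORE, "cs:DescribeEvents", EVENTS_ARN))
    print("after,  DescribeEvents:", is_allowed(POLICY_AFTER, "cs:DescribeEvents", EVENTS_ARN))
    print("after,  DeleteCluster: ", is_allowed(POLICY_AFTER, "cs:DeleteCluster", CLUSTER_ARN))
    print("risky policy findings: ", find_broad_write_grants(POLICY_RISKY))
```

Running the script prints False, True, False and a single finding for cs:DeleteCluster. The linter only treats Get, List and Describe prefixes as read-only; any other action on Resource "*" is reported so that it can be reviewed before the policy is granted.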

What to do next