This topic describes how to assign role-based access control (RBAC) roles to Resource Access Management (RAM) users. Different RBAC roles have different permissions on clusters of Container Service for Kubernetes (ACK) and namespaces.
Prerequisites
- An Alibaba Cloud account is created and one or more RAM users are created under the Alibaba Cloud account.
- The current account (Alibaba Cloud account or RAM user) is granted at least read-only permissions on specified ACK clusters.
- RAM authorization regulates cluster-level access control. You can grant read and write permissions on the clusters that you want to manage in the RAM console.
- Read-only policy: grants read-only permissions on specified clusters, for example, the permissions to view the configurations and kubeconfig file of a cluster.
- Read-write policy: grants read and write permissions on specified clusters, for example, the permissions to scale, upgrade, delete, and add nodes.
For more information, see Customize RAM permission policies.
- If you assign the cluster-admin role or the predefined RBAC administrator role to a RAM user that has read-only permissions on a cluster or namespace, the RAM user can assign RBAC roles to other RAM users. RAM users that are assigned RBAC roles have limited permissions to manage the same cluster or namespace. For more information, see Customize RAM permission policies.
- To ensure data security, you are not allowed to modify RAM permission policies that are attached to your RAM users in the ACK console. You must read the instructions on the authorization page, log on to the RAM console, and modify the permission policies accordingly.
Announcements
- Unauthorized RAM users are not allowed to access cluster resources. You can authorize your RAM users to access clusters and cloud resources in the RAM console.
- RAM users are granted limited permissions only on clusters within the authorization realm. RAM users are not allowed to access clusters outside the authorization realm in compatibility mode.
Procedure
Predefined and custom RBAC roles
ACK provides the following predefined RBAC roles: administrator, O&M engineer, developer, and restricted user. You can use these roles to regulate ACK access control in most scenarios. In addition, you can use custom roles to customize permissions on clusters.

You can log on to a master node of a cluster and run the following command to view the custom RBAC roles that are assigned to the current account.
kubectl get clusterrole
NAME AGE
admin 13d
alibaba-log-controller 13d
alicloud-disk-controller-runner 13d
cluster-admin 13d
cs:admin 13d
edit 13d
flannel 13d
kube-state-metrics 22h
node-exporter 22h
prometheus-k8s 22h
prometheus-operator 22h
system:aggregate-to-admin 13d
....
system:volume-scheduler 13d
view 13d
Run the following command to view the details of a role, for example, the cluster-admin role:
kubectl get clusterrole cluster-admin -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: 2018-10-12T08:31:15Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "57"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
  uid: 2f29f9c5-cdf9-11e8-84bf-00163e0b2f97
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
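As an added example that is not part of the ACK documentation, the following Python script applies the Kubernetes RBAC rule-matching semantics to the cluster-admin rules shown above and flags wildcard rules, which is the check to run on a custom role before assigning it to a RAM user. The READ_ONLY_RULES set is constructed here for contrast and does not come from the page.

```python
from typing import Dict, List

Rule = Dict[str, List[str]]

# Transcribed from the cluster-admin ClusterRole shown above.
CLUSTER_ADMIN_RULES: List[Rule] = [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]},
]
# Constructed read-only rule set (not from the page), for comparison.
READ_ONLY_RULES: List[Rule] = [
    {"apiGroups": [""], "resources": ["pods", "pods/*"], "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
]

def _match_list(values: List[str], wanted: str) -> bool:
    # A "*" entry in verbs or apiGroups matches any value.
    return "*" in values or wanted in values

def _match_resource(patterns: List[str], resource: str) -> bool:
    # "*" matches everything; "pods/*" matches every subresource of pods.
    return any(p == "*" or p == resource or (p.endswith("/*") and resource.startswith(p[:-1]))
               for p in patterns)

def _match_url(patterns: List[str], url: str) -> bool:
    # nonResourceURLs accept a trailing "*" as a prefix wildcard, e.g. "/healthz/*".
    return any(p == "*" or p == url or (p.endswith("*") and url.startswith(p[:-1]))
               for p in patterns)

def allows_resource(rules: List[Rule], verb: str, api_group: str, resource: str) -> bool:
    """True if any resource rule grants `verb` on `resource` in `api_group` ("" is the core group)."""
    return any("resources" in r
               and _match_list(r["verbs"], verb)
               and _match_list(r.get("apiGroups", []), api_group)
               and _match_resource(r["resources"], resource)
               for r in rules)

def allows_nonresource(rules: List[Rule], verb: str, url: str) -> bool:
    """True if any non-resource rule grants `verb` on the URL path `url`."""
    return any("nonResourceURLs" in r
               and _match_list(r["verbs"], verb)
               and _match_url(r["nonResourceURLs"], url)
               for r in rules)

def wildcard_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that grant every verb on every resource or URL: cluster-admin-equivalent."""
    return [i for i, r in enumerate(rules)
            if "*" in r["verbs"]
            and ("*" in r.get("resources", []) or "*" in r.get("nonResourceURLs", []))]

if __name__ == "__main__":
    for name, rules in (("cluster-admin", CLUSTER_ADMIN_RULES), ("read-only", READ_ONLY_RULES)):
        print(name, "wildcard rules:", wildcard_rules(rules),
              "can delete deployments:", allows_resource(rules, "delete", "apps", "deployments"))
```

To audit a real role, feed it the `rules` list from `kubectl get clusterrole <name> -o json`; any non-empty result from wildcard_rules is a role that should only be bound to RAM users you would trust with cluster-admin.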