Configure RBAC permissions for RAM users - User Guide for Kubernetes Clusters| Alibaba Cloud Documentation Center

Configure RBAC permissions for RAM users

Edit in GitHub

Last Updated: Jul 30, 2020 Edit in GitHub

This topic describes how to configure RBAC permissions for RAM users.

Before you begin

You must have an Alibaba Cloud account and one or multiple RAM user accounts.
Make sure to grant a RAM user at least the read-only access to the target cluster in the RAM console.
RAM authorization controls access to clusters by using the cluster management API. You can manage access to clusters by creating RAM policies as follows:
- Read policy: Specify the permissions to query information such as cluster configuration and kubeconfig.
- Write policy: Specify the permissions to scale, upgrade, delete, or add nodes to the cluster.
For more information, see Custom RAM policies.
If a RAM user has been granted the built-in administrator role or the cluster-admin role within a cluster or namespace, and the required permissions introduced in Custom RAM policies, the RAM user can grant permissions to other RAM users within the cluster or namespace.
Due to the security restrictions of RAM, when your authorizations in the Container Service console require permission changes to RAM users, you need to go to the RAM console and manually grant required permissions to RAM users.

Announcements

Container Service has changed the policy regarding the permissions to access clusters as follows:

Unauthorized RAM users are not allowed to access clusters. You must grant RAM users the required RBAC and RAM permissions to give them access to clusters.
Authorized RAM users can only access the clusters specified in the authorization.

Procedure

Log on to the Container Service console.
In the left-side navigation pane, choose Clusters > Authorizations to go to the Authorizations page.
In the RAM Users list, select the target RAM user and click Modify Permissions to go to the Configure Role-Based Access Control (RBAC) page.

Note If you are logged on as a RAM user, make sure that the RAM user has been granted the required permissions introduced in Custom RAM policies and the built-in administrator role or the cluster-admin role within the cluster.

Click Add Permissions on the Configure Role-Based Access Control (RBAC) page. Specify the cluster and namespace based on your needs, and select the built-in role. You can also click the minus icon to delete the entry. After the configuration is complete, click Next Step.

Note Currently, you can grant a RAM user one built-in role and multiple custom roles within the selected cluster or namespace.

For more information about the built-in roles and their permissions, see the following table:

Table 1. Roles and permissions
Role	Permission
Administrator	Read-write access to resources in all namespaces.
O&M Engineer	Read-write access to resources in all namespaces. Read-only access to nodes, PVs, namespaces, and quotas.
Developer	Read-write access to resources in specific namespaces.
Restricted User	Read-only access to resources in specific namespaces.
Custom	The permissions are determined by the ClusterRole you select. Make sure that you know all the permissions of the selected ClusterRole and do not grant unnecessary permissions to RAM users. For more information, see Custom RAM policies.

On the Submit Authorization page, if the following message appears: The authorization is complete, it indicates that the RAM user had been granted the required RAM permissions, and the RBAC authorization is complete. If the following message appears: Figure 1, it indicates that the RAM user had not been granted the required RAM permissions. You need to follow the instructions on the page and grant the RAM user read-only access to the target cluster in the RAM console. For more information, see Custom RAM policies.
1. On the Submit Authorization page, click Copy and then click Policy Management.
  
  Figure 1. Policy management
2. You are redirected to the RAM console. In the left-side navigation pane, choose Permissions > Policies to go to the Policies page. Then click Create Policy.
3. On the Create Custom Policy page, specify the Policy Name and set the Configuration Mode to Script. Use the Ctrl + V command to paste the copied content to the Policy Document field and then click OK. For more information, see Custom RAM policies.
4. In the left-side navigation pane, choose Identities > Users. Select the target user and click Add Permissions in the Actions column.
5. On the Add Permissions page that appears, choose Custom Policy. Find the policy you want to add in the table below and click it to add the policy to the Selected area. Click OK to grant the RAM user read-only access to the specified cluster.
6. Go to the Container Service console. On the Submit Authorization page, click Submit Authorization to complete the RBAC authorization.
After the configuration is complete, you can log on to the Container Service console as the RAM user and perform related operations.

Custom permissions

Container Service provides the following built-in roles: administrator, O&M engineer, developer, and restricted user. Each role has different permissions that you can use to perform most of the operations in the Container Service console. If you want to define custom permissions on clusters, you can use custom roles.

Container Service provides some custom roles that have different permissions.

Note Note that the cluster-admin role represents the super administrator and has access to all resources within the cluster.

You can log on to a master node in the cluster and run the following command to view details about custom roles.

# kubectl get clusterrole

# kubectl get clusterrole
NAME                                                                   AGE
admin                                                                  13d
alibaba-log-controller                                                 13d
alicloud-disk-controller-runner                                        13d
cluster-admin                                                          13d
cs:admin                                                               13d
edit                                                                   13d
flannel                                                                13d
kube-state-metrics                                                     22h
node-exporter                                                          22h
prometheus-k8s                                                         22h
prometheus-operator                                                    22h
system:aggregate-to-admin                                              13d
....  
system:volume-scheduler                                                13d
view                                                                   13d

You can run the following command to query the permissions of a role. The following code uses the cluster-admin role as an example.

# kubectl get clusterrole cluster-admin -o yaml

Note After a RAM user is granted this role, it has the same cluster permissions as your Alibaba Cloud account. This means that the RAM user has access to all resources in the cluster. We recommend that you exercise caution when you grant this role to RAM users.

# kubectl get clusterrole cluster-admin  -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: 2018-10-12T08:31:15Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "57"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
  uid: 2f29f9c5-cdf9-11e8-84bf-00163e0b2f97
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'