Role-based access control (RBAC) regulates access to resources based on the roles of users. You can grant multiple permissions to cluster roles and configure different permission policies for different roles. This topic describes how to grant Resource Access Management (RAM) users or RAM roles RBAC permissions on a Container Service for Kubernetes (ACK) cluster.
Table of contents
Configurations
Configuration item | Description |
Default permissions |
|
Authorization methods |
Note To assign RBAC roles to a RAM user or RAM role, make sure that the RAM user or RAM role is granted at least read-only permissions on the specified cluster in the RAM console. |
Authorization models | You can grant permissions to one or more RAM users or RAM roles at a time. |
To ensure data security, you are not allowed to modify RAM policies that are attached to your RAM users or RAM roles in the ACK console. You must read the instructions on the authorization page, log on to the RAM console, and then modify the RAM policies.
Grant RBAC permissions to RAM users or RAM roles
Log on to the ACK console. In the left-side navigation pane, click Authorizations.
On the Select RAM User wizard page of the Authorizations page, grant permissions.
Grant permissions to a RAM user
Click the RAM Users tab, find the RAM user that you want to manage in the list, and then click Modify Permissions to open the Permission Management panel.
Grant permissions to a RAM role
Click the RAM Roles tab, specify RAM Role Name, and then click Modify Permissions to open the Permission Management panel.
NoteIf you want to use a RAM user or RAM role to grant permissions to other RAM users or RAM roles, make sure that the RAM user or RAM role has the required RAM permissions on the cluster that you want to manage. For more information, see Create a custom RAM policy. In addition, the RAM user or RAM role must be assigned the cluster-admin role or administrator role of the cluster.
Click Add Permissions, specify Clusters and Namespace for the RAM user or RAM role, select a predefined role, and then click Submit.
NoteACK provides the following predefined roles: Administrator, O&M Engineer, Developer, and Restricted User. You can use these roles to regulate access to resources in the ACK console in most scenarios. In addition, you can use custom roles to control permissions on clusters.
You can assign one predefined role and multiple custom roles of a cluster or namespace to a RAM user or RAM role.
If you want to authorize a RAM user or RAM role to manage all clusters (including newly created clusters), select All Clusters in the Clusters column when you assign a predefined role to the RAM user or RAM role.
After you click Submit, follow the on-screen instructions.
If the page displays that the authorization is complete, the RBAC role is assigned to the RAM user or RAM role.
After the authorization is complete, you can log on to the ACK console as the RAM user or RAM role to manage the specified cluster.
Use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles
By default, you cannot use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles. If you want to use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles, you must first use the Alibaba Cloud account or a RAM user that is assigned the Administrator role of all clusters to grant the required permissions to the RAM user or RAM role.
RAM permissions
You must attach a RAM policy to the RAM user or RAM role. The RAM policy must provide the following permissions:
The permissions to view other RAM users that belong to the same Alibaba Cloud account.
The permissions to attach RAM policies to other RAM users or RAM roles.
The permissions to view information about ACK clusters.
The permissions to view permissions of RBAC roles.
The permissions to assign RBAC roles to other RAM users or RAM roles.
Log on to the RAM console, create a RAM policy based on the following content, and then attach the RAM policy to the RAM user or RAM role. For more information, see Create a custom RAM policy.
Replace xxxxxx
with the name of the RAM policy you want to authorize the RAM user or RAM role to attach to other RAM users or RAM roles. If you replace xxxxxx with an asterisk (*), the RAM user or RAM role is authorized to attach all RAM policies to other RAM users or RAM roles.
{
"Statement": [{
"Action": [
"ram:Get*",
"ram:List*",
"cs:Get*",
"cs:Describe*",
"cs:List*",
"cs:GrantPermission"
],
"Resource": "*",
"Effect": "Allow"
},
{
"Action": [
"ram:AttachPolicyToUser",
"ram:AttachPolicy"
],
"Effect": "Allow",
"Resource": [
"acs:ram:*:*:policy/xxxxxx",
"acs:*:*:*:user/*"
]
}
],
"Version": "1"
}
After the RAM policy is attached to the RAM user or RAM role, you can use the RAM user or RAM role to attach specified RAM policies to other RAM users or RAM roles.
RBAC permissions
After you attach the preceding RAM policy to the RAM user or RAM role, you must assign the Administrator or cluster-admin role to the RAM user or RAM role to allow them to access the specified cluster or namespace. For more information, see Grant RBAC permissions to RAM users or RAM roles.
Set a RAM user or RAM role as a permission administrator
If you do not want to use an Alibaba Cloud account to assign RBAC roles to RAM users or RAM roles, you can set a RAM user or RAM role as a permission administrator and then use the RAM user or RAM role to grant permissions to other RAM users or RAM roles.
Log on to the RAM console and find the RAM user or RAM role that you want to use.
RAM user
In the left-side navigation pane of the RAM console, choose
. Find the RAM user that you want to use and click Add Permissions in the Actions column.RAM role
In the left-side navigation pane of the RAM console, choose
. Find the RAM role that you want to use and click Add Permissions in the Actions column.
In the Add Permissions panel, specify Authorized Scope, select System Policy, find and click the AliyunRAMReadOnlyAccess and AliyunCSFullAccess system policies to add them to the right-side Selected list, and then click OK. After the policies are attached, click Complete.
Log on to the ACK console with your Alibaba Cloud account and assign the Administrator role of all clusters to the RAM user or RAM role.
For more information, see Grant RBAC permissions to RAM users or RAM roles.
After the preceding steps are complete, the RAM user or RAM role is set as a permission administrator. You can use the RAM user or RAM role to grant RAM permissions and RBAC permissions to other RAM users or RAM roles.
Error codes for insufficient permissions
If you do not have the required permissions when you use the ACK console or call the ACK API to perform an operation, the console or API returns an error code that indicates the required permissions. The following table describes the error codes that indicate the required RBAC permissions on the cluster.
Error code or error message | Required RBAC permission on the cluster |
ForbiddenCheckControlPlaneLog | Administrator or O&M engineer permissions are required. |
ForbiddenHelmUsage | Administrator permissions are required. |
ForbiddenRotateCert | Administrator permissions are required. |
ForbiddenAttachInstance | Administrator or O&M engineer permissions are required. |
ForbiddenUpdateKMSState | Administrator or O&M engineer permissions are required. |
Forbidden get trigger | Administrator, O&M engineer, or developer permissions are required. |
ForbiddenQueryClusterNamespace | Administrator, O&M engineer, developer, or restricted user permissions are required. |