The authorization system of Container Service for Kubernetes (ACK) consists of Resource Access Management (RAM) authorization and role-based access control (RBAC) authorization. RAM authorization is used to grant permissions on cloud resources. RBAC authorization is used to grant permissions on resources within a cluster. This topic describes RAM authorization and RBAC authorization and how to perform these authorizations.
ACK authorization system

- RAM authorization is used to grant permissions on the API operations of ACK and other Alibaba Cloud services. You can call these API operations to perform the following O&M operations:
  - Create, view, upgrade, and delete clusters.
  - Create, modify, and scale node pools.
  - Manage authorizations.
  - Monitor clusters, collect cluster logs, and record cluster events.
- RBAC authorization is used to grant namespace-level or cluster-wide permissions on Kubernetes resources in ACK clusters. This allows you to grant the permissions to create, delete, modify, and view the following types of Kubernetes resources:
  - Workload resources: Deployment, StatefulSet, DaemonSet, Job, CronJob, ReplicaSet, HorizontalPodAutoscaler (HPA), and Pod.
  - Network resources: Service, Ingress, and NetworkPolicy.
  - Storage resources: PersistentVolume (PV), PersistentVolumeClaim (PVC), and StorageClass.
  - Namespace, ConfigMap, and Secret.
RAM authorization
In scenarios where RAM is integrated with an enterprise account system, O&M engineers usually manage cloud resources as RAM users or RAM roles. By default, a RAM user or RAM role is not authorized to call the API operations of any Alibaba Cloud service. To allow a RAM user or RAM role to call an API operation, you must grant it the required permissions.
If you want to scale a cluster, add nodes to a cluster, or access a cluster as a RAM user or RAM role, you must first grant the required permissions to that RAM user or RAM role. For more information, see Create a custom RAM policy.
You can perform RAM authorization by using one of the following methods:
- Attach system policies: Use this method to grant a RAM user or RAM role read and write permissions on all clusters that belong to the current Alibaba Cloud account. If a RAM user or RAM role must manage all clusters in the account, we recommend that you attach system policies. For more information about how to attach system policies to a RAM user or RAM role, see Grant permissions to a RAM user or RAM role.

The following table describes the commonly used system policies related to ACK. Attach only the policies that the RAM user or RAM role actually needs.

System policy | Description
---|---
AliyunCSFullAccess | Allows a RAM user or RAM role to fully control all ACK clusters that belong to the current Alibaba Cloud account. Note: this policy contains only permissions related to ACK. To manage applications inside an ACK cluster, you must also perform RBAC authorization. For more information, see RBAC authorization.
AliyunVPCReadOnlyAccess | Allows a RAM user or RAM role to specify a virtual private cloud (VPC) when creating a cluster.
AliyunECSReadOnlyAccess | Allows a RAM user or RAM role to add existing nodes to a specified cluster and view node details.
AliyunContainerRegistryFullAccess | Allows a RAM user or RAM role to fully control all images that belong to the current Alibaba Cloud account.
AliyunLogReadOnlyAccess | Allows a RAM user or RAM role to specify an existing Log Service project to store the audit log when creating a cluster, and to view the inspection details of a specified cluster.
AliyunAHASReadOnlyAccess | Allows a RAM user or RAM role to enable the cluster topology feature.
AliyunRAMFullAccess | Allows a RAM user or RAM role to manage the authorization of all RAM users and RAM roles of the current Alibaba Cloud account. Because this includes granting permissions to any identity in the account, attach it only to identities that administer RAM itself.
AliyunYundunSASReadOnlyAccess | Allows a RAM user or RAM role to view the runtime monitoring data of a specified cluster.
AliyunARMSReadOnlyAccess | Allows a RAM user or RAM role to view the Prometheus monitoring status of a specified cluster.
AliyunKMSReadOnlyAccess | Allows a RAM user or RAM role to enable Secret encryption when creating an ACK Pro cluster.
AliyunESSReadOnlyAccess | Allows a RAM user or RAM role to perform node pool operations, such as viewing, editing, and scaling node pools.

- Attach custom policies: Use this method to implement fine-grained access control on cloud resources for a RAM user or RAM role. If a RAM user or RAM role requires permissions for custom development by using SDKs, you can use this method to grant only the permissions to call the specified API operations.
  - For cluster-level access control, see Create a custom RAM policy.
  - For application-level access control, attach custom policies to RAM roles for service accounts (RRSA) to achieve pod-level access isolation. For more information, see Configure the RAM policy of a service account by using RRSA to enforce access control.

For example, if a RAM user or RAM role requires read permissions on the OSS bucket named myphotos, create a custom policy with the following content and attach it to the RAM user or RAM role. The first statement grants the bucket-listing and bucket-metadata actions on all buckets (acs:oss:*:*:*); the second and third statements limit object listing and object reads to myphotos.

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:myphotos"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": "acs:oss:*:*:myphotos/*"
    }
  ]
}
```
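To check what a custom policy like the one above actually permits before attaching it, the following added example (written for this page, not Alibaba Cloud code) evaluates RAM-style policy statements against concrete requests. It assumes the usual evaluation order (an explicit Deny wins, then a matching Allow, otherwise the default Deny) and treats `*` in Action and Resource values as a glob wildcard; the region, account ID and object keys in the requests are constructed placeholders.

```python
"""Added example (not Alibaba Cloud code): a minimal evaluator for RAM-style policy
documents, used to check what the custom OSS policy above actually permits.

Assumptions, labelled here and not taken from the page: evaluation follows the
order explicit Deny, then Allow, then default Deny; "*" in Action and Resource
values is a glob wildcard. The policy below is the one from this topic; the
region, account ID and object keys in the requests are constructed for the example.
"""
import fnmatch

# The custom policy from the topic: read-only access to the bucket "myphotos".
OSS_READ_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["oss:ListBuckets", "oss:GetBucketStat", "oss:GetBucketInfo",
                    "oss:GetBucketTagging", "oss:GetBucketAcl"],
         "Resource": "acs:oss:*:*:*"},
        {"Effect": "Allow",
         "Action": ["oss:ListObjects", "oss:GetBucketAcl"],
         "Resource": "acs:oss:*:*:myphotos"},
        {"Effect": "Allow",
         "Action": ["oss:GetObject", "oss:GetObjectAcl"],
         "Resource": "acs:oss:*:*:myphotos/*"},
    ],
}


def _matches(patterns, value):
    """True if value matches any pattern; a statement field may be a string or a list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return "Allow" or "Deny" for one (action, resource) request.

    A matching explicit Deny wins immediately; otherwise a matching Allow grants
    access; with no matching statement the result is the default Deny.
    """
    decision = "Deny"
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def with_deny(policy, action, resource):
    """Return a copy of policy with an explicit Deny statement appended.

    Shows that, unlike Kubernetes RBAC (which is purely additive), a RAM policy
    can carve an exception out of a broader Allow.
    """
    denied = {"Effect": "Deny", "Action": action, "Resource": resource}
    return {"Version": policy["Version"], "Statement": policy["Statement"] + [denied]}


# Constructed request identifiers (region and account ID are placeholders).
BUCKET = "acs:oss:cn-hangzhou:1234567890:myphotos"
OTHER_BUCKET = "acs:oss:cn-hangzhou:1234567890:backups"

if __name__ == "__main__":
    checks = [
        ("oss:ListBuckets", OTHER_BUCKET),            # Allow: statement 1 covers every bucket
        ("oss:ListObjects", BUCKET),                  # Allow: statement 2
        ("oss:ListObjects", OTHER_BUCKET),            # Deny: listing is limited to myphotos
        ("oss:GetObject", BUCKET + "/2024/cat.jpg"),  # Allow: statement 3
        ("oss:PutObject", BUCKET + "/2024/cat.jpg"),  # Deny: no write action is granted
    ]
    for action, resource in checks:
        print(f"{action:<18} {resource:<50} {evaluate(OSS_READ_POLICY, action, resource)}")
    locked = with_deny(OSS_READ_POLICY, "oss:GetObject", "acs:oss:*:*:myphotos/private/*")
    print("private object with Deny:", evaluate(locked, "oss:GetObject", BUCKET + "/private/id.jpg"))
```

Run the script to see that bucket-level metadata reads apply to every bucket while object reads stop at myphotos, and that a later Deny statement overrides the earlier Allow for a sub-prefix. The same evaluator can be pointed at any custom policy you draft to confirm it grants nothing beyond the intended API operations.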
Roles and ClusterRoles
An RBAC Role or ClusterRole contains rules that represent a set of permissions. These permissions are additive and do not contain rules that deny actions.
A Role is namespaced and defines permissions within a particular namespace. When you create a Role, you must specify the namespace to which the Role belongs.
In contrast, a ClusterRole is non-namespaced and defines cluster-wide permissions. The two types of roles have different names because a Kubernetes object must be either namespaced or non-namespaced; it cannot be both. You can use a ClusterRole to:
- Define permissions on namespaced resources and grant them within individual namespaces, by referencing the ClusterRole from a RoleBinding in each namespace.
- Define permissions on namespaced resources and grant them across all namespaces, by referencing the ClusterRole from a ClusterRoleBinding.
- Define permissions on cluster-scoped resources, such as nodes, which a Role cannot grant.
For more information about how to define permissions in Roles and ClusterRoles, see Customize an RBAC role.
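The three uses of a ClusterRole listed above differ only in how the ClusterRole is bound. The following added example (written for this page, not ACK or Kubernetes code) is a small resolver that mirrors how Kubernetes RBAC combines Roles, ClusterRoles, RoleBindings and ClusterRoleBindings, so the cases can be checked side by side the way `kubectl auth can-i` would answer them. Rules are reduced to verb and resource sets, each binding names one subject, and the subjects, namespaces, role names and the list of cluster-scoped resources are constructed assumptions.

```python
"""Added example (not ACK or Kubernetes code): a small resolver that mirrors how
Kubernetes RBAC combines Roles, ClusterRoles, RoleBindings and ClusterRoleBindings,
so the three uses of a ClusterRole described above can be checked side by side.

Assumptions, labelled here and not from the page: rules are reduced to verb and
resource sets with "*" as a wildcard, every binding names one subject, and the
subjects, namespaces, role names and cluster-scoped resource list are constructed
for this example. Real RBAC rules also carry apiGroups, resourceNames and
nonResourceURLs, which are omitted here.
"""

# Resources that exist outside any namespace; a RoleBinding can never grant these.
CLUSTER_SCOPED = {"nodes", "namespaces", "persistentvolumes", "storageclasses"}


def rule(verbs, resources):
    return {"verbs": set(verbs), "resources": set(resources)}


# Role and ClusterRole objects, keyed by (kind, name). A Role carries its namespace.
ROLES = {
    ("Role", "team-a-editor"): {
        "namespace": "team-a",
        "rules": [rule(["get", "list", "create", "update"], ["deployments", "pods"])],
    },
    ("ClusterRole", "pod-reader"): {"rules": [rule(["get", "list"], ["pods"])]},
    ("ClusterRole", "node-viewer"): {"rules": [rule(["get", "list"], ["nodes"])]},
}

BINDINGS = [
    # A Role granted in its own namespace.
    {"kind": "RoleBinding", "namespace": "team-a", "subject": "alice",
     "roleRef": ("Role", "team-a-editor")},
    # Use 1: a ClusterRole granted within a single namespace through a RoleBinding.
    {"kind": "RoleBinding", "namespace": "team-b", "subject": "bob",
     "roleRef": ("ClusterRole", "pod-reader")},
    # Use 2: the same ClusterRole granted across all namespaces through a ClusterRoleBinding.
    {"kind": "ClusterRoleBinding", "subject": "carol", "roleRef": ("ClusterRole", "pod-reader")},
    # Use 3: a cluster-scoped resource, grantable only via a ClusterRoleBinding.
    {"kind": "ClusterRoleBinding", "subject": "carol", "roleRef": ("ClusterRole", "node-viewer")},
    # Common mistake: binding node-viewer with a RoleBinding grants nothing on nodes.
    {"kind": "RoleBinding", "namespace": "team-b", "subject": "bob",
     "roleRef": ("ClusterRole", "node-viewer")},
]


def _rule_allows(r, verb, resource):
    return (("*" in r["verbs"] or verb in r["verbs"])
            and ("*" in r["resources"] or resource in r["resources"]))


def can_i(subject, verb, resource, namespace=None):
    """Answer like `kubectl auth can-i VERB RESOURCE -n NAMESPACE --as SUBJECT`.

    RBAC is additive: the first binding whose rules allow the request wins, and
    no binding can take permissions away. Pass namespace=None for cluster-scoped
    resources.
    """
    cluster_scoped = resource in CLUSTER_SCOPED
    for b in BINDINGS:
        if b["subject"] != subject:
            continue
        kind, _ = b["roleRef"]
        role = ROLES[b["roleRef"]]
        if b["kind"] == "RoleBinding":
            # A RoleBinding applies only inside its namespace and only to namespaced resources.
            if cluster_scoped or namespace != b["namespace"]:
                continue
            # A RoleBinding may reference a Role only in its own namespace.
            if kind == "Role" and role["namespace"] != b["namespace"]:
                continue
        if any(_rule_allows(r, verb, resource) for r in role["rules"]):
            return True
    return False


def namespaces_where(subject, verb, resource, namespaces):
    """Return the subset of namespaces in which the request is allowed."""
    return {ns for ns in namespaces if can_i(subject, verb, resource, ns)}


if __name__ == "__main__":
    all_ns = ["team-a", "team-b", "kube-system"]
    for who in ("alice", "bob", "carol"):
        print(who, "can list pods in:", sorted(namespaces_where(who, "list", "pods", all_ns)),
              "| can get nodes:", can_i(who, "get", "nodes"))
```

The point to verify on a real cluster is the last binding: a ClusterRole that only lists nodes is useless when bound by a RoleBinding, and `kubectl auth can-i get nodes --as bob` returns no. When you pick a ClusterRole for the Custom role in the ACK console, read its rules first, because a ClusterRoleBinding applies every rule in every namespace.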
RBAC authorization
If a RAM user or RAM role requires permissions to manage Kubernetes resources in a specified cluster, go to the Authorizations page of the Container Service for Kubernetes (ACK) console and grant the RAM user or RAM role resource-level permissions, such as the permissions to view pods and nodes. The following table describes the predefined roles that you can assign.
Role | Permissions on cluster resources |
---|---|
Administrator | Read and write permissions on resources in all namespaces. |
O&M engineer | Read and write permissions on visible resources in the console in all namespaces and read-only permissions on nodes, PVs, namespaces, and quotas. |
Developer | Read and write permissions on visible resources in the console in a specified namespace or all namespaces. |
Restricted user | Read-only permission on visible resources in the console in a specified namespace or all namespaces. |
Custom | The permissions of a custom role are determined by the ClusterRole that you select. Before you select a ClusterRole, check the permissions of the ClusterRole and make sure that you grant only the required permissions to the RAM user or RAM role. For more information about ClusterRoles, see Customize an RBAC role. |