
Container Service for Kubernetes:Create a custom RAM policy

Last Updated:Aug 09, 2023

This topic describes how to create a custom Resource Access Management (RAM) policy. In this topic, a custom RAM policy is created and attached to a RAM user or RAM role to grant the RAM user or RAM role the permissions to query, modify, and delete Container Service for Kubernetes (ACK) clusters.

Prerequisites

Make sure that you have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements.

Background information

The system policies provided by ACK are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control for your ACK clusters. For example, if you want to limit the operation permissions of a RAM user or RAM role to a specified cluster, you must create a custom policy whose Resource element names that cluster.

Before you use role-based access control (RBAC) to authorize a RAM user or RAM role to manage a cluster, you must authorize the RAM user or RAM role to manage the cluster in the RAM console. You can grant the RAM user or RAM role read and write permissions on the cluster based on your requirements.

  • Read permissions: view basic information about a specified cluster, such as cluster configurations and the kubeconfig file.

  • Write permissions: manage a specified cluster, such as scaling and upgrading the cluster, and adding nodes to and removing nodes from the cluster.

Before you perform RBAC authorization for the RAM user or RAM role, make sure that the RAM user or RAM role has read-only permissions on the cluster that you want to manage. The following policy grants these permissions; replace <yourclusterID> with the ID of the cluster.

{
  "Statement": [
    {
      "Action": [
        "cs:Get*",
        "cs:List*",
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/<yourclusterID>"
      ]
    }
  ],
  "Version": "1"
}

After the RAM user or RAM role is granted the required RAM permissions on the cluster, use RBAC to authorize the RAM user or RAM role to manage cluster resources. For more information, see Grant RBAC permissions to RAM users or RAM roles.

Create a custom policy

  1. Log on to the RAM console by using your Alibaba Cloud account or as an authorized RAM user or RAM role.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click JSON. Then, enter the policy content in the Policy Document code editor.

    {
      "Statement": [
        {
          "Action": [
            "cs:Get*",
            "cs:List*",
            "cs:Describe*",
            "cs:ScaleCluster",
            "cs:DeleteCluster"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cs:*:*:cluster/Cluster ID"
          ]
        }
      ],
      "Version": "1"
    }

    Configure the policy based on the following description:

    • Enter the permissions that you want to grant in the Action field.

      Note

      You can use wildcard characters in the Action field.

    • Set the Resource field based on your requirements:

      • Grant permissions on one cluster

        "Resource": [
          "acs:cs:*:*:cluster/Cluster ID"
        ]

      • Grant permissions on multiple clusters

        "Resource": [
          "acs:cs:*:*:cluster/Cluster ID",
          "acs:cs:*:*:cluster/Cluster ID"
        ]

      • Grant permissions on all clusters

        "Resource": [
          "*"
        ]

        Replace Cluster ID with the ID of your cluster. A Resource value of * also covers clusters that are created after the policy is attached, so specify cluster IDs wherever you can.

  5. After you edit the policy, click Next to edit policy information, enter the Name, and then click OK.

  6. Return to the Policies page. You can enter the policy name or note in the search box and click the search icon to find the newly created policy.

References

Authorize a RAM user or RAM role to call non-cluster-specific API operations

If you want to authorize a RAM user or RAM role to call non-cluster-specific API operations, such as DescribeEvents, do not specify cluster IDs in the Resource field of the policy content.

The following code block shows the current RAM policy. Although cs:Describe* matches the DescribeEvents action by name, the Resource element limits the statement to one cluster, so the policy does not cover a call that is not bound to a cluster:

{
    "Statement": [
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}

To grant the permissions to call the DescribeEvents operation, you must add the corresponding RAM action cs:DescribeEvents to the RAM policy in a separate statement whose Resource is set to *, as shown in the following code block:

{
    "Statement": [
        {
            "Action": [
                "cs:DescribeEvents"
            ],
            "Effect": "Allow",
            "Resource": [
              "*"
            ]
        },
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}
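As an added example that is not Alibaba Cloud's code or tooling, the following Python script covers both the Resource scoping options in step 4 and the DescribeEvents case above: it rebuilds the page's policies and evaluates sample requests against them with a simplified model of RAM evaluation (assumptions: * is the only wildcard, an explicit Deny overrides any Allow, a request that matches no statement is denied, and a non-cluster-specific call is modelled as a request on resource "*"). The cluster IDs are constructed placeholders, and cs:DescribeClusterDetail is used only as an illustrative read action.

```python
"""Build and evaluate ACK RAM policies as described on the page.

Added example, not Alibaba Cloud code. The evaluation is a simplified model
of RAM (assumption): '*' is the only wildcard, any matching Deny statement
wins, any matching Allow grants, and an unmatched request is denied. A call
that is not bound to a cluster (for example DescribeEvents) is modelled as a
request on resource "*" (assumption).
"""
import json
import re

# Constructed sample cluster IDs; placeholders, not real clusters.
CLUSTER_A = "c1111111111111111111111111111111"
CLUSTER_B = "c2222222222222222222222222222222"

# Read-only action patterns from the page.
READ_ACTIONS = ["cs:Get*", "cs:List*", "cs:Describe*"]


def cluster_arn(cluster_id):
    """Resource string the page uses for one cluster."""
    return f"acs:cs:*:*:cluster/{cluster_id}"


def allow_statement(actions, cluster_ids=None):
    """One Allow statement; cluster_ids=None scopes it to all clusters ("*")."""
    resources = ["*"] if cluster_ids is None else [cluster_arn(c) for c in cluster_ids]
    return {"Action": list(actions), "Effect": "Allow", "Resource": resources}


def policy(*statements):
    """Wrap statements into a RAM policy document (Version "1")."""
    return {"Statement": list(statements), "Version": "1"}


def _matches(pattern, value):
    """Match a RAM pattern against a value: '*' is a wildcard, all else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(doc, action, resource):
    """Simplified RAM decision for one request (see module docstring)."""
    allowed = False
    for stmt in doc["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed


# Policies from the page, rebuilt with the constructed cluster IDs.
READ_ONLY_ONE_CLUSTER = policy(allow_statement(READ_ACTIONS, [CLUSTER_A]))
OPS_TWO_CLUSTERS = policy(
    allow_statement(READ_ACTIONS + ["cs:ScaleCluster", "cs:DeleteCluster"], [CLUSTER_A, CLUSTER_B])
)
# The fix from the References section: DescribeEvents in its own statement with Resource "*".
READ_ONLY_WITH_EVENTS = policy(
    allow_statement(["cs:DescribeEvents"]),
    allow_statement(READ_ACTIONS, [CLUSTER_A]),
)
# Deny precedence: a Deny on DeleteCluster for cluster B overrides the Allow above.
OPS_WITH_DENY = policy(
    *OPS_TWO_CLUSTERS["Statement"],
    {"Action": ["cs:DeleteCluster"], "Effect": "Deny", "Resource": [cluster_arn(CLUSTER_B)]},
)


def check_cases():
    """Decisions worth confirming before a policy is attached to a RAM user or role."""
    return {
        # cs:Describe* covers a read on cluster A but not on cluster B
        "read_A": is_allowed(READ_ONLY_ONE_CLUSTER, "cs:DescribeClusterDetail", cluster_arn(CLUSTER_A)),
        "read_B": is_allowed(READ_ONLY_ONE_CLUSTER, "cs:DescribeClusterDetail", cluster_arn(CLUSTER_B)),
        # the read-only policy does not allow scaling
        "scale_A": is_allowed(READ_ONLY_ONE_CLUSTER, "cs:ScaleCluster", cluster_arn(CLUSTER_A)),
        # cs:Describe* matches the action name, but the cluster-scoped Resource never matches "*"
        "events_scoped": is_allowed(READ_ONLY_ONE_CLUSTER, "cs:DescribeEvents", "*"),
        "events_fixed": is_allowed(READ_ONLY_WITH_EVENTS, "cs:DescribeEvents", "*"),
        "delete_B": is_allowed(OPS_TWO_CLUSTERS, "cs:DeleteCluster", cluster_arn(CLUSTER_B)),
        "delete_B_denied": is_allowed(OPS_WITH_DENY, "cs:DeleteCluster", cluster_arn(CLUSTER_B)),
    }


if __name__ == "__main__":
    print(json.dumps(READ_ONLY_WITH_EVENTS, indent=2))
    for name, decision in check_cases().items():
        print(f"{name}: {'allow' if decision else 'deny'}")
```

Running the script prints the two-statement policy and then the decision for each case; the events_scoped and events_fixed pair shows why the DescribeEvents action needs its own statement with Resource "*", and the delete_B_denied case shows that a Deny statement can narrow a broad Allow without rewriting it.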