Container Service for Kubernetes:Grant an ACK dedicated cluster access to the ALB Ingress controller

Last Updated:Nov 21, 2025

Before you can use an ALB Ingress to expose Services in an ACK dedicated cluster, the ALB Ingress controller must be able to call the ALB, RAM, Log Service, certificate, VPC and ECS APIs on your behalf. In an ACK dedicated cluster the controller obtains these permissions from the worker RAM role that is attached to the cluster's nodes. This topic describes how to create the required custom policy and grant it to that role.

Prerequisites

Usage notes

You must grant access permissions to the ALB Ingress controller only for ACK dedicated clusters. For ACK managed clusters and ACK Serverless clusters, you can use an ALB Ingress without granting permissions to the ALB Ingress controller.

The worker RAM role is the instance RAM role of every worker node in the cluster. Its temporary credentials are served by the ECS metadata service (100.100.100.200) on each node, so any process that can reach that endpoint from a node, including other pods, can use them. Keep the policy limited to the actions listed below and do not widen it to alb:* or to other services.

Procedure

  1. Create a custom policy.

    1. Log on to the RAM console as a RAM user who has administrative rights.

    2. In the left-side navigation pane, choose Permissions > Policies.

    3. On the Policies page, click Create Policy.


    4. On the Create Policy page, click the JSON tab.


    5. Enter the following policy document. Then, on the Create Policy page, click OK.

      {
          "Version": "1",
          "Statement": [
              {
                  "Action": [
                      "alb:EnableLoadBalancerIpv6Internet",
                      "alb:DisableLoadBalancerIpv6Internet",
                      "alb:CreateAcl",
                      "alb:DeleteAcl",
                      "alb:ListAcls",
                      "alb:ListAclRelations",
                      "alb:AddEntriesToAcl",
                      "alb:AssociateAclsWithListener",
                      "alb:ListAclEntries",
                      "alb:RemoveEntriesFromAcl",
                      "alb:DissociateAclsFromListener",
                      "alb:TagResources",
                      "alb:UnTagResources",
                      "alb:ListServerGroups",
                      "alb:ListServerGroupServers",
                      "alb:AddServersToServerGroup",
                      "alb:RemoveServersFromServerGroup",
                      "alb:ReplaceServersInServerGroup",
                      "alb:CreateLoadBalancer",
                      "alb:DeleteLoadBalancer",
                      "alb:UpdateLoadBalancerAttribute",
                      "alb:UpdateLoadBalancerEdition",
                      "alb:EnableLoadBalancerAccessLog",
                      "alb:DisableLoadBalancerAccessLog",
                      "alb:EnableDeletionProtection",
                      "alb:DisableDeletionProtection",
                      "alb:ListLoadBalancers",
                      "alb:GetLoadBalancerAttribute",
                      "alb:ListListeners",
                      "alb:CreateListener",
                      "alb:GetListenerAttribute",
                      "alb:UpdateListenerAttribute",
                      "alb:ListListenerCertificates",
                      "alb:AssociateAdditionalCertificatesWithListener",
                      "alb:DissociateAdditionalCertificatesFromListener",
                      "alb:DeleteListener",
                      "alb:CreateRule",
                      "alb:DeleteRule",
                      "alb:UpdateRuleAttribute",
                      "alb:CreateRules",
                      "alb:UpdateRulesAttribute",
                      "alb:DeleteRules",
                      "alb:ListRules",
                      "alb:UpdateListenerLogConfig",
                      "alb:CreateServerGroup",
                      "alb:DeleteServerGroup",
                      "alb:UpdateServerGroupAttribute",
                      "alb:UpdateLoadBalancerAddressTypeConfig",
                      "alb:AttachCommonBandwidthPackageToLoadBalancer",
                      "alb:DetachCommonBandwidthPackageFromLoadBalancer",
                      "alb:UpdateServerGroupServersAttribute",
                      "alb:MoveResourceGroup",
                      "alb:DescribeZones",
                      "alb:ListAScripts",
                      "alb:CreateAScripts",
                      "alb:UpdateAScripts",
                      "alb:DeleteAScripts"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": "ram:CreateServiceLinkedRole",
                  "Resource": "*",
                  "Effect": "Allow",
                  "Condition": {
                      "StringEquals": {
                          "ram:ServiceName": [
                              "alb.aliyuncs.com",
                              "audit.log.aliyuncs.com",
                              "nlb.aliyuncs.com",
                              "logdelivery.alb.aliyuncs.com"
                          ]
                      }
                  }
              },
              {
                  "Action": [
                      "log:GetProductDataCollection",
                      "log:OpenProductDataCollection",
                      "log:CloseProductDataCollection"
                  ],
                  "Resource": "acs:log:*:*:project/*/logstore/alb_*",
                  "Effect": "Allow"
              },
              {
                  "Action": [
                      "yundun-cert:DescribeSSLCertificateList",
                      "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
                      "yundun-cert:CreateSSLCertificateWithName",
                      "yundun-cert:DeleteSSLCertificate"
                  ],
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": "vpc:DescribeVSwitches",
                  "Resource": "*",
                  "Effect": "Allow"
              },
              {
                  "Action": "ecs:DescribeNetworkInterfaces",
                  "Resource": "*",
                  "Effect": "Allow"
              }
          ]
      }
      Note

      Separate multiple policy statements with commas (,). A missing comma between two statements makes the document invalid JSON, and the console rejects it.

    6. In the Create Policy dialog box, enter a Policy Name and Description, and then click OK.

  2. Grant permissions to the worker RAM role of the cluster.

    1. Log on to the ACK console. In the left navigation pane, click Clusters.

    2. On the Clusters page, click the name of the target cluster, and then click the Basic Information tab.

    3. On the Basic Information tab, click the link to the right of Worker RAM Role to go to the RAM console.

    4. On the Permissions tab, click Grant Permission. In the Grant Permission panel, find and select the custom policy that you created in the previous step in the Policy section.

    5. Click Grant Permissions.

    6. Click Close.

  3. Confirm the status of the instance RAM role.

    1. In the left-side navigation pane of the details page, choose Nodes > Nodes.

    2. On the Nodes page, click the instance ID of the target node, for example, i-2ze5d2qi9iy90pzb****.

    3. On the instance details page, click the Instance Details tab. In the Other Information section, check whether a RAM role is displayed to the right of RAM Role.

      If no RAM role is attached, attach a RAM role to the ECS instance. For more information, see Detach or change an instance RAM role.

  4. Delete the alb-ingress-controller pod so that it is recreated and restarts with the new permissions.

    Important

    Perform this operation during off-peak hours.

    1. Query the name of the alb-ingress-controller pod.

      kubectl -n kube-system get pod | grep alb-ingress-controller

      Expected output:

      NAME                          READY   STATUS    RESTARTS   AGE
      alb-ingress-controller-***    1/1     Running   0          60s
    2. Delete the alb-ingress-controller pod.

      Replace alb-ingress-controller-*** with the value that you obtained in the previous step.

      kubectl -n kube-system delete pod alb-ingress-controller-***

      Expected output:

      pod "alb-ingress-controller-***" deleted
    3. After a few minutes, check the status of the recreated pod.

      kubectl -n kube-system get pod | grep alb-ingress-controller

      Expected output:

      NAME                          READY   STATUS    RESTARTS   AGE
      alb-ingress-controller-***2   1/1     Running   0          60s

      The output shows that the status of the recreated pod is Running and the component is working correctly. If the pod does not reach Running, or an ALB Ingress later stays without an address, run kubectl -n kube-system logs on the pod and look for permission-denied errors from the ALB API: they indicate that the custom policy is not attached to the worker RAM role or that the node has no instance RAM role.
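As an added example (not part of this document or of the ALB Ingress controller), the following Python script reviews the policy document from step 1 before it is pasted into the console: it catches the missing-comma error the note warns about, flags Allow statements that grant mutating actions on Resource "*", checks that ram:CreateServiceLinkedRole is restricted by a ram:ServiceName condition, and reports which actions a trimmed-down policy no longer covers. The embedded sample policy is constructed for the example and is a shortened stand-in for the real document; pass the path of your own policy file to review that instead.

```python
"""Static review of a RAM policy document before it is attached to a role.

Added example; not taken from the ACK documentation or the ALB Ingress project.
The sample policy below is constructed for this example.
"""
import fnmatch
import json

# Verbs (the part after "service:") that create, change or destroy cloud state.
MUTATING_VERBS = ("Create", "Delete", "Update", "Remove", "Add", "Replace",
                  "Enable", "Disable", "Associate", "Dissociate", "Attach",
                  "Detach", "Move", "Open", "Close", "Tag", "UnTag")

REQUIRED_KEYS = ("Action", "Resource", "Effect")


def _as_list(value):
    """RAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_mutating(action: str) -> bool:
    """True for 'alb:DeleteLoadBalancer' or 'alb:*'; False for 'alb:ListRules'."""
    _, _, name = action.partition(":")
    return name == "*" or name.startswith(MUTATING_VERBS)


def lint_policy(document: str) -> list:
    """Return (severity, message) findings for a RAM policy document string."""
    findings = []
    try:
        policy = json.loads(document)
    except json.JSONDecodeError as exc:
        # The usual cause is a missing comma between two statements.
        return [("error", f"not valid JSON: {exc}")]
    if policy.get("Version") != "1":
        findings.append(("error", 'RAM policies must carry "Version": "1"'))
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        findings.append(("error", '"Statement" must be a non-empty list'))
        return findings
    for i, stmt in enumerate(statements):
        missing = [k for k in REQUIRED_KEYS if k not in stmt]
        if missing:
            findings.append(("error", f"statement {i}: missing {', '.join(missing)}"))
            continue
        if stmt["Effect"] not in ("Allow", "Deny"):
            findings.append(("error", f"statement {i}: Effect must be Allow or Deny"))
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        # Unconditional Allow of state-changing actions on every resource.
        if stmt["Effect"] == "Allow" and "*" in resources and "Condition" not in stmt:
            mutating = [a for a in actions if is_mutating(a)]
            if mutating:
                findings.append(("warn", f"statement {i}: {len(mutating)} mutating "
                                 f'action(s) on Resource "*" (e.g. {mutating[0]})'))
        # Creating service-linked roles must be pinned to named services.
        if any(fnmatch.fnmatchcase("ram:CreateServiceLinkedRole", a) for a in actions):
            cond = stmt.get("Condition", {}).get("StringEquals", {})
            if "ram:ServiceName" not in cond:
                findings.append(("warn", f"statement {i}: ram:CreateServiceLinkedRole "
                                 "is not limited by a ram:ServiceName condition"))
    return findings


def uncovered_actions(document: str, required: list) -> list:
    """Actions from `required` that no unconditional Allow statement grants.

    Wildcards in the policy ('alb:*', 'alb:List*') are honoured. Statements
    carrying a Condition are ignored because they apply only in some contexts.
    """
    policy = json.loads(document)
    granted = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            granted.extend(_as_list(stmt.get("Action", [])))
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r, g) for g in granted)]


def sample_policy(limit_slr: bool = True) -> str:
    """Constructed sample document: a trimmed stand-in for the step 1 policy."""
    slr = {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow"}
    if limit_slr:
        slr["Condition"] = {"StringEquals": {"ram:ServiceName": ["alb.aliyuncs.com"]}}
    return json.dumps({"Version": "1", "Statement": [
        {"Action": ["alb:ListLoadBalancers", "alb:CreateLoadBalancer",
                    "alb:DeleteLoadBalancer", "alb:ListRules"],
         "Resource": "*", "Effect": "Allow"},
        slr,
        {"Action": "vpc:DescribeVSwitches", "Resource": "*", "Effect": "Allow"},
    ]})


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else sample_policy()
    for severity, message in lint_policy(text) or [("ok", "no findings")]:
        print(f"{severity}: {message}")
```

The wildcard warning is expected for the step 1 policy, because the ALB API actions it grants are not resource-scoped; the point of the check is to make that trade-off visible during review rather than to block it. uncovered_actions is the check to run after removing actions from the policy: pass it the action list from step 1 and it names anything the controller would no longer be allowed to call.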

What to do next

To learn how to use an ALB Ingress to access services in an ACK dedicated cluster, see Expose services with an ALB Ingress.