Container Service for Kubernetes:Grant RBAC permissions to RAM users or RAM roles

Last Updated: Jul 10, 2023

Role-based access control (RBAC) regulates access to resources based on the roles of users. You can grant multiple permissions to cluster roles and configure different permission policies for different roles. This topic describes how to grant Resource Access Management (RAM) users or RAM roles RBAC permissions on a Container Service for Kubernetes (ACK) cluster.

Configurations

Configuration item: Default permissions
Description:
  • By default, only Alibaba Cloud accounts and cluster owners have administrator permissions on Kubernetes resources in ACK clusters.
  • By default, RAM users or RAM roles other than the cluster owners do not have the permissions to access Kubernetes resources in ACK clusters.

Configuration item: Authorization methods
Description:
  Note
  To assign RBAC roles to a RAM user or RAM role, make sure that the RAM user or RAM role is granted at least read-only permissions on the specified cluster in the RAM console.

Configuration item: Authorization models
Description:
  You can grant permissions to one or multiple RAM users or RAM roles at a time.
  Note
  To ensure data security, you are not allowed to modify RAM policies that are attached to your RAM users or RAM roles in the ACK console. You must read the instructions on the authorization page, log on to the RAM console, and then modify the RAM policies.

Grant RBAC permissions to RAM users or RAM roles

  1. Log on to the ACK console and click Authorizations in the left-side navigation pane.

  2. On the Select RAM User wizard page of the Authorizations page, grant permissions.

    • Grant permissions to a RAM user

      Click the RAM Users tab. Find the RAM user that you want to manage and click Modify Permissions to go to the Configure Role-Based Access Control (RBAC) wizard page.

    • Grant permissions to a RAM role

      Click the RAM Roles tab. Enter the name of the RAM role that you want to manage and click the search icon. After the RAM role appears, click Modify Permissions to go to the Configure Role-Based Access Control (RBAC) wizard page.

    Note

    If you want to use a RAM user or RAM role to grant permissions to other RAM users or RAM roles, make sure that the RAM user or RAM role has the required RAM permissions on the cluster that you want to manage. For more information, see Create a custom RAM policy. In addition, the RAM user or RAM role must be assigned the cluster-admin role or administrator role of the cluster.

  3. On the Configure Role-Based Access Control (RBAC) wizard page, click Add Permissions to add cluster-scoped or namespace-scoped permissions, select a predefined or custom role in the Permission column, and then click Next Step.

    Note

    • ACK provides the following predefined roles: Administrator, O&M Engineer, Developer, and Restricted User. You can use these roles to regulate access to resources in the ACK console in most scenarios. In addition, you can use custom roles to control permissions on clusters.

    • You can assign one predefined role and multiple custom roles of a cluster or namespace to a RAM user or RAM role.

    • If you want to authorize a RAM user or RAM role to manage all clusters including newly created clusters, select All Clusters in the Clusters column when you assign a predefined role to the RAM user or RAM role.

    The following list describes the predefined roles and the permissions they grant on cluster resources:

    • Administrator: Read and write permissions on resources in all namespaces.

    • O&M Engineer: Read and write permissions on visible Kubernetes resources in the console in all namespaces and read-only permissions on nodes, persistent volumes (PVs), namespaces, and quotas.

    • Developer: Read and write permissions on visible resources in the console in all or specified namespaces.

    • Restricted User: Read-only permissions on visible resources in the console in all or specified namespaces.

    • Custom: The permissions of a custom role are determined by the ClusterRole that you select. Before you select a ClusterRole, check the permissions of the ClusterRole and make sure that you grant only the required permissions to the RAM user or RAM role. The following section describes how to view the permissions of a custom role.

    Important

    After a RAM user or RAM role is assigned the cluster-admin role, the RAM user or RAM role has the same permissions as the Alibaba Cloud account to which the RAM user or RAM role belongs. The RAM user or RAM role has full control over all resources within the cluster. Exercise caution if you want to assign the cluster-admin role to a RAM user or RAM role.

    To view the permissions of a custom role, perform the following steps:

    1. Click Custom and then click View YAML to view the permissions of the custom role.

    2. Log on to a node and run the following command to view the RBAC roles in the cluster:

      kubectl get clusterrole

      Expected output:

      NAME                                                                   AGE
      admin                                                                  13d
      alibaba-log-controller                                                 13d
      alicloud-disk-controller-runner                                        13d
      cluster-admin                                                          13d
      cs:admin                                                               13d
      edit                                                                   13d
      flannel                                                                13d
      kube-state-metrics                                                     22h
      node-exporter                                                          22h
      prometheus-k8s                                                         22h
      prometheus-operator                                                    22h
      system:aggregate-to-admin                                              13d
      ...
      system:volume-scheduler                                                13d
      view                                                                   13d

      Run the following command to query the details of a role, for example, the cluster-admin role:

      kubectl get clusterrole cluster-admin -o yaml

      Expected output:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        annotations:
          rbac.authorization.kubernetes.io/autoupdate: "true"
        creationTimestamp: 2022-12-30T08:31:15Z
        labels:
          kubernetes.io/bootstrapping: rbac-defaults
        name: cluster-admin
        resourceVersion: "57"
        selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
        uid: 2f29f9c5-cdf9-11e8-84bf-00163e0b2f97
      rules:
      - apiGroups:
        - '*'
        resources:
        - '*'
        verbs:
        - '*'
      - nonResourceURLs:
        - '*'
        verbs:
        - '*'

  4. On the Submit Authorization wizard page, follow the instructions on the page.

    • If The authorization is complete is displayed, it indicates that the RBAC role is assigned to the RAM user or RAM role.

    • If the result shown in the following figure is returned, it indicates that the RBAC role is not assigned to the RAM user or RAM role. You must read the instructions on the page, log on to the RAM console, and then grant read-only permissions on the cluster to the RAM user or RAM role.

      [Figure: Authorization Management]

      1. On the Submit Authorization wizard page, click Copy and click policy management to go to the Create Policy page in the RAM console.

      2. On the JSON tab, paste the content copied in the previous step to replace the original policy content, click Next to edit policy information, and then click OK.

      3. In the left-side navigation pane of the RAM console, choose Identities > Users. Find the RAM user that you want to manage and click Add Permissions in the Actions column.

      4. In the Add Permissions panel, set Authorized Scope, select Custom Policy, and then search for the policy that you created. Click the name of the policy to move the policy to the Selected section on the right side of the page. Then, click OK. After the policy is attached, click Complete.

      5. Return to the ACK console. On the Submit Authorization wizard page, click Submit Authorization to assign the RBAC roles to the RAM user or RAM role.

    After the authorization is complete, you can log on to the ACK console as the RAM user or RAM role to manage the specified cluster.
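The check that step 3 asks for before you select a custom role (inspect the ClusterRole and grant only what is required) can be run as a script against the same `kubectl get clusterrole ... -o json` output. The following Python script is an added example; it is not part of this topic and not ACK code. It flags rules that grant wildcard verbs, resources or API groups, verbs that allow privilege escalation in Kubernetes RBAC (bind, escalate, impersonate), and read or use access to credential-bearing resources. The cluster-admin sample mirrors the output shown above; the `pod-reader` and `ops-helper` roles are constructed, hypothetical samples.

```python
import json
import sys

# Constructed sample: the cluster-admin ClusterRole from this topic, in the shape
# `kubectl get clusterrole cluster-admin -o json` returns (metadata trimmed).
CLUSTER_ADMIN = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "cluster-admin"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
}

# Constructed sample: a hypothetical least-privilege custom role (read pods and their logs).
POD_READER = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "pod-reader"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed sample: a hypothetical role that looks narrow but can read Secrets and
# bind RoleBindings, which is enough to hand out more privilege than it holds itself.
OPS_HELPER = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "ops-helper"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets", "configmaps"], "verbs": ["get", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"], "verbs": ["create", "bind"]},
    ],
}

# `kubectl get clusterrole -o json` (without a name) wraps the roles in a List object.
SAMPLE_LIST_JSON = json.dumps({"kind": "List", "items": [CLUSTER_ADMIN, POD_READER, OPS_HELPER]})
SAMPLE_SINGLE_JSON = json.dumps(POD_READER)

# Verbs that let a subject grant or assume privileges beyond its own RBAC rules.
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
# Resources whose read or use exposes credentials or executes code inside workloads.
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts/token", "pods/exec"}


def audit_clusterrole(role):
    """Return [(rule_index, finding), ...] for one ClusterRole dict; an empty list means nothing was flagged.

    Aggregated ClusterRoles need no special handling: the API server copies the
    aggregated rules into .rules, which is what kubectl prints.
    """
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        targets = resources | set(rule.get("nonResourceURLs", []))
        if "*" in verbs and "*" in targets:
            findings.append((i, "full-control"))
            continue  # nothing more specific to say about this rule
        if "*" in verbs:
            findings.append((i, "wildcard-verbs"))
        if "*" in targets:
            findings.append((i, "wildcard-resources"))
        if "*" in set(rule.get("apiGroups", [])):
            findings.append((i, "wildcard-apigroups"))
        for verb in sorted(verbs & ESCALATION_VERBS):
            findings.append((i, "escalation-verb:" + verb))
        for res in sorted(resources & SENSITIVE_RESOURCES):
            findings.append((i, "sensitive-resource:" + res))
    return findings


def audit_json(text):
    """Audit kubectl JSON output: a single ClusterRole or a List of them. Returns {name: findings}."""
    doc = json.loads(text)
    roles = doc.get("items", []) if doc.get("kind") == "List" else [doc]
    return {r["metadata"]["name"]: audit_clusterrole(r) for r in roles}


if __name__ == "__main__":
    # Usage: kubectl get clusterrole <name> -o json | python3 audit_clusterrole.py
    # Without piped input the constructed samples are audited instead.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LIST_JSON
    for name, findings in audit_json(source).items():
        print(("OK    " if not findings else "REVIEW"), name)
        for idx, finding in findings:
            print(f"       rule[{idx}]: {finding}")
```

A role that produces no findings is not automatically safe to assign; the script only catches the patterns listed in the comments, so the YAML still has to be read before the role is selected in the Permission column.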

Use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles

By default, you cannot use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles. If you want to use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles, you must first use the Alibaba Cloud account or a RAM user that is assigned the Administrator role of all clusters to grant the required permissions to the RAM user or RAM role.

RAM permissions

You must attach a RAM policy to the RAM user or RAM role. The RAM policy must provide the following permissions:

  • The permissions to view other RAM users that belong to the same Alibaba Cloud account.

  • The permissions to attach RAM policies to other RAM users.

  • The permissions to view information about ACK clusters.

  • The permissions to view permissions of RBAC roles.

  • The permissions to assign RBAC roles to other RAM users.

Log on to the RAM console, create a RAM policy based on the following content, and then attach the RAM policy to the RAM user or RAM role. For more information, see Create a custom RAM policy.

Note

Replace xxxxxx with the name of the RAM policy you want to authorize the RAM user or RAM role to attach to other RAM users. If you replace xxxxxx with an asterisk (*), the RAM user or RAM role is authorized to attach all RAM policies to other RAM users.

{
    "Statement": [{
            "Action": [
                "ram:Get*",
                "ram:List*",
                "cs:Get*",
                "cs:Describe*",
                "cs:List*",
                "cs:GrantPermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:AttachPolicyToUser",
                "ram:AttachPolicy"
            ],
            "Effect": "Allow",
            "Resource":  [
                "acs:ram:*:*:policy/xxxxxx",
                "acs:*:*:*:user/*"
            ]
        }
    ],
    "Version": "1"
}

After the RAM policy is attached to the RAM user or RAM role, you can use the RAM user or RAM role to attach specified RAM policies to other RAM users.
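The Note above warns that replacing xxxxxx with an asterisk lets the RAM user or RAM role attach any RAM policy to other users. The following Python script is an added example, not part of this topic or of Alibaba Cloud RAM; it parses a RAM policy document, finds the Allow statements whose Action covers an attach-policy operation (including action globs such as `ram:Attach*` or `ram:*`), and reports whether the policy resources they name are bound to specific policies or are unbounded. The policy name `ack-rbac-granter` is a constructed placeholder; `ram:AttachPolicyToRole` and `ram:AttachPolicyToGroup` are the sibling RAM API operations of the two listed in the topic's policy.

```python
import fnmatch
import json
import sys

# RAM operations that attach a policy to an identity. The topic's policy lists the first
# and the last; the middle two are the sibling RAM API operations for roles and groups.
ATTACH_ACTIONS = (
    "ram:AttachPolicyToUser",
    "ram:AttachPolicyToRole",
    "ram:AttachPolicyToGroup",
    "ram:AttachPolicy",
)


def render_policy(policy_name):
    """Build the RAM policy document from this topic with xxxxxx replaced by policy_name."""
    return {
        "Statement": [
            {
                "Action": ["ram:Get*", "ram:List*", "cs:Get*", "cs:Describe*", "cs:List*", "cs:GrantPermission"],
                "Resource": "*",
                "Effect": "Allow",
            },
            {
                "Action": ["ram:AttachPolicyToUser", "ram:AttachPolicy"],
                "Effect": "Allow",
                "Resource": ["acs:ram:*:*:policy/" + policy_name, "acs:*:*:*:user/*"],
            },
        ],
        "Version": "1",
    }


def _as_list(value):
    # RAM accepts either a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _is_wildcard_policy(resource):
    # "*" alone, or a '*' anywhere in the name after "policy/", matches more than one policy.
    if resource == "*":
        return True
    return "*" in resource.split("policy/", 1)[1]


def attachable_policy_scope(policy):
    """Return (policy_resources, unbounded) for the attach-policy permissions in a RAM policy.

    policy_resources lists the Resource entries of Allow statements whose Action covers
    any attach operation; unbounded is True when any of them matches more than one
    named policy. Deny statements are not evaluated, so the result is the upper bound
    of what the policy grants.
    """
    policy_resources = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        stmt_actions = _as_list(stmt.get("Action", []))
        grants_attach = any(
            fnmatch.fnmatchcase(action, pattern) for pattern in stmt_actions for action in ATTACH_ACTIONS
        )
        if not grants_attach:
            continue
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*" or ":policy/" in res:
                policy_resources.append(res)
    return policy_resources, any(_is_wildcard_policy(r) for r in policy_resources)


def audit_policy_json(text):
    """Parse a RAM policy document (JSON text) and audit its attach scope."""
    return attachable_policy_scope(json.loads(text))


if __name__ == "__main__":
    # Usage: python3 ram_attach_scope.py < policy.json
    # Without input, audits the topic's policy with a constructed name and with the
    # asterisk that the Note warns about.
    if not sys.stdin.isatty():
        docs = {"stdin": json.loads(sys.stdin.read())}
    else:
        docs = {"xxxxxx=ack-rbac-granter": render_policy("ack-rbac-granter"), "xxxxxx=*": render_policy("*")}
    for label, doc in docs.items():
        resources, unbounded = attachable_policy_scope(doc)
        print(f"{label}: {resources} -> {'UNBOUNDED' if unbounded else 'bounded'}")
```

Run it on the policy JSON before you create it in the RAM console; the first statement's `"Resource": "*"` is not reported because its actions are read-only and `cs:GrantPermission`, which do not attach policies.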

RBAC permissions

After you attach the preceding RAM policy to the RAM user or RAM role, you must assign the Administrator or cluster-admin role to the RAM user or RAM role to allow it to access the specified cluster or namespace. For more information, see Grant RBAC permissions to RAM users or RAM roles.

Set a RAM user or RAM role as a permission administrator

After you set a RAM user or RAM role as a permission administrator, you can use the RAM user or RAM role to grant permissions to other RAM users or RAM roles.

  1. Log on to the RAM console and find the RAM user or RAM role that you want to use.

    • RAM user

      In the left-side navigation pane of the RAM console, choose Identities > Users. Find the RAM user that you want to use and click Add Permissions in the Actions column.

    • RAM role

      In the left-side navigation pane of the RAM console, choose Identities > Roles. Find the RAM role that you want to use and click Add Permissions in the Actions column.

  2. In the Add Permissions panel, set Authorized Scope, select System Policy, and then search for the AliyunRAMFullAccess and AliyunCSFullAccess policies. Click the name of each policy to move the policy to the Selected section on the right side of the page. Then, click OK. After the policies are attached, click Complete.

  3. Log on to the ACK console and assign the Administrator role to the RAM user or RAM role to allow it to access all clusters.

    For more information, see Grant RBAC permissions to RAM users or RAM roles.

    After the preceding steps are complete, the RAM user or RAM role is set as a permission administrator. You can use the RAM user or RAM role to grant RAM permissions and RBAC permissions to other RAM users or RAM roles.

Error codes for insufficient permissions

If you do not have the required permissions when you use the ACK console or call the ACK API to perform an operation, the console or API returns an error code that indicates the required permissions. The following list describes each error code or error message and the RBAC permission on the cluster that it requires.

  • ForbiddenCheckControlPlaneLog: Administrator or O&M engineer permissions are required.

  • ForbiddenHelmUsage: Administrator permissions are required.

  • ForbiddenRotateCert: Administrator permissions are required.

  • ForbiddenAttachInstance: Administrator or O&M engineer permissions are required.

  • ForbiddenUpdateKMSState: Administrator or O&M engineer permissions are required.

  • Forbidden get trigger: Administrator, O&M engineer, or developer permissions are required.

  • ForbiddenQueryClusterNamespace: Administrator, O&M engineer, developer, or restricted user permissions are required.
