When an Alibaba Cloud service integrates with an ACK cluster, ACK uses Kubernetes Role-Based Access Control (RBAC) to grant that service scoped access to cluster resources. Each service gets a dedicated ClusterRole or Role bound to its RAM service role, applying only the permissions required for its specific features and following the principle of least privilege.
Usage notes
- ACK does not pre-create RBAC roles for Alibaba Cloud services. Roles are created and bound only after you grant the service role to the service and activate the relevant feature.
- RBAC role binding names follow this pattern: `${service-abbreviation}-${service-role-name}-clusterrolebinding` or `${service-abbreviation}-${service-role-name}-rolebinding`.
- These RBAC roles are scoped to the minimum permissions required by each service's specific features. They have no effect on RBAC permissions used in your regular business operations.
- To audit which resources a cloud service has accessed, enable cluster API server audit logs. Identify the bound principal from the `subjects` field of the relevant RoleBinding, then filter audit logs by that principal. For details, see Use the cluster API server audit feature.
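One way to carry out that audit step, as an added example that is not part of the ACK documentation: the binding, the audit events and the principal name below are constructed placeholders, and each audit line carries only the audit.k8s.io/v1 Event fields the filter reads.

```python
"""Filter API server audit events down to one bound cloud-service principal.

Added example, not ACK's own tooling. BINDING and AUDIT_LOG are constructed:
the subject name is a placeholder, and each audit line holds only the
audit.k8s.io/v1 Event fields this script reads.
"""
import json
from collections import Counter

PRINCIPAL = "PLACEHOLDER-sas-service-role-principal"  # constructed subject name

# Shaped like the ClusterRoleBinding ACK creates for Security Center.
BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": "sas-aliyunserviceroleforsas-clusterrolebinding"},
    "subjects": [{"kind": "User", "name": PRINCIPAL,
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "ClusterRole", "apiGroup": "rbac.authorization.k8s.io",
                "name": "sas-aliyunserviceroleforsas-clusterrole"},
}


def _event(verb, resource, stage="ResponseComplete", user=PRINCIPAL, code=200, **ref):
    """Build one constructed audit line (one JSON object per line, as in the log)."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": stage,
        "verb": verb, "user": {"username": user, "groups": []},
        "objectRef": {"apiGroup": "", "resource": resource, **ref},
        "responseStatus": {"code": code},
    })


AUDIT_LOG = "\n".join([
    _event("list", "pods", stage="RequestReceived"),  # same request as the next line
    _event("list", "pods"),
    _event("list", "services"),
    _event("update", "secrets", namespace="kube-system",
           name="policygovernance-yundun-config"),
    _event("get", "secrets", namespace="kube-system", name="other-secret", code=403),
    _event("create", "deployments", user="alice", apiGroup="apps", namespace="default"),
    "this line is not JSON and must be skipped",
    "",
])


def binding_principals(binding):
    """Usernames and groups under which the binding's subjects appear in audit
    events; a ServiceAccount appears as system:serviceaccount:<ns>:<name>."""
    users, groups = set(), set()
    for subj in binding.get("subjects", []):
        kind, name = subj.get("kind"), subj.get("name")
        if kind == "User":
            users.add(name)
        elif kind == "ServiceAccount":
            users.add(f"system:serviceaccount:{subj.get('namespace', 'default')}:{name}")
        elif kind == "Group":
            groups.add(name)
    return users, groups


def parse_audit_log(text):
    """One JSON Event per line; corrupt lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("kind") == "Event":
            events.append(event)
    return events


def events_for_binding(binding, text):
    """Every audit event issued under one of the binding's subjects."""
    users, groups = binding_principals(binding)
    matched = []
    for event in parse_audit_log(text):
        user = event.get("user", {})
        if user.get("username") in users or groups & set(user.get("groups", [])):
            matched.append(event)
    return matched


def summarize(events):
    """Count (verb, apiGroup, resource, namespace) once per request (the
    ResponseComplete stage only, so the earlier stages are not double counted)
    and list requests the API server denied (403): attempts outside the role."""
    counts, denied = Counter(), []
    for event in events:
        if event.get("stage") != "ResponseComplete":
            continue
        ref = event.get("objectRef", {})
        key = (event.get("verb"), ref.get("apiGroup", ""),
               ref.get("resource"), ref.get("namespace", ""))
        counts[key] += 1
        if event.get("responseStatus", {}).get("code") == 403:
            denied.append(key + (ref.get("name", ""),))
    return counts, denied


if __name__ == "__main__":
    counts, denied = summarize(events_for_binding(BINDING, AUDIT_LOG))
    for key, n in sorted(counts.items()):
        print(n, *key)
    print("denied:", denied)
```

A denied request from the bound principal is worth a closer look: it means the service tried something its role does not grant.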
RBAC permissions by cloud service
After you grant the corresponding service role to an Alibaba Cloud service, the service accesses your ACK cluster using the RBAC permissions listed below. The Scope column indicates whether permissions apply cluster-wide or within a specific namespace.
Application Real-Time Monitoring Service (ARMS)
ARMS requires cluster-level permissions to deploy and configure observability agents, manage Prometheus monitoring resources, and handle RBAC for its own components.
| Binding name | Scope | ClusterRole name |
|---|---|---|
| arms-aliyunserviceroleforarms-clusterrolebinding | Cluster | arms-aliyunserviceroleforarms-clusterrole |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: arms-aliyunserviceroleforarms-clusterrole
rules:
- apiGroups: ["vector.oam.dev"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["o11y.aliyun.dev"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["pods","replicationcontrollers","podtemplates", "nodes", "services","events","persistentvolumes","persistentvolumeclaims","componentstatuses","bindings", "namespaces","endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","pods/log","services/proxy"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["nodes/metrics"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["limitranges"]
  verbs: ["list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["list", "watch"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list", "watch"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["list", "watch"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["list", "watch"]
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests"]
  verbs: ["list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses","volumeattachments"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps","extensions"]
  resources: ["deployments", "daemonsets", "statefulsets","replicasets","networkpolicies"]
  verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["*"]
- apiGroups: ["monitoring.coreos.com"]
  resources: ["alertmanagers","podmonitors","prometheuses","prometheuses/finalizers","alertmanagers/finalizers","servicemonitors","prometheusrules","probes"]
  verbs: ["*"]
- apiGroups: ["monitor.aliyun.com"]
  resources: ["alicloudpromrules","alicloudpromrules/status"]
  verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings","roles","clusterroles","clusterrolebindings"]
  verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
  resources: ["networkpolicies","ingresses","ingressclasses"]
  verbs: ["*"]
- apiGroups: ["apps.kruise.io"]
  resources: ["statefulsets"]
  verbs: ["*"]
- apiGroups: ["nsm.alibabacloud.com"]
  resources: ["networkservices"]
  verbs: ["*"]
- nonResourceURLs:
  - "/metrics"
  verbs:
  - get
- apiGroups: [""]
  resources: ["serviceaccounts/token"]
  verbs: ["create"]
- apiGroups: ["log.alibabacloud.com"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["telemetry.alibabacloud.com"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]
```
E-MapReduce (EMR)
EMR requires cluster-level access to deploy Spark and Flink operators, manage workload resources, and handle RBAC for its job scheduling components.
| Binding name | Scope | ClusterRole name |
|---|---|---|
| emr-aliyunemronackdefaultrole-clusterrolebinding | Cluster | emr-aliyunemronackdefaultrole-clusterrole |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: emr-aliyunemronackdefaultrole-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods", "nodes", "services", "namespaces", "endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","persistentvolumes","persistentvolumeclaims"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "statefulsets"]
  verbs: ["*"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  verbs: ["*"]
- apiGroups: ["sparkoperator.k8s.io"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["flink.apache.org"]
  resources: ["*"]
  verbs: ["*"]
```
Security Center
Security Center requires minimal cluster-level permissions to manage its policy governance Secret and list network-exposed workloads for security scanning.
| Binding name | Scope | ClusterRole name |
|---|---|---|
| sas-aliyunserviceroleforsas-clusterrolebinding | Cluster | sas-aliyunserviceroleforsas-clusterrole |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sas-aliyunserviceroleforsas-clusterrole
rules:
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["create"]
- apiGroups: [""]
  resources: ["secrets"]
  resourceNames: ["policygovernance-yundun-config"]
  verbs: ["get", "update", "patch"]
- apiGroups: [""]
  resources: ["services","pods"]
  verbs: ["list"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["list"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["list"]
```
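As an added example (not code from the ACK documentation), a reviewer that walks a role's rules and reports wildcards, escalation-capable resources and non-resource URLs, run over an excerpt of the ARMS role and the complete Security Center role above. The ESCALATION table and the high/medium severity heuristic are this example's own assumptions.

```python
"""Least-privilege review of the PolicyRules in a ClusterRole or Role.

Added example, not ACK's own tooling. The ESCALATION table and the severity
heuristic are this example's assumptions; the two sample roles are transcribed
from the ARMS (excerpt) and Security Center ClusterRoles on the page.
"""
import itertools

READ_ONLY = {"get", "list", "watch"}
ESCALATION_VERBS = {"impersonate", "bind", "escalate"}
# (apiGroup, resource) pairs whose holder can read credentials, run code in
# pods, mint tokens, rewrite authorization or intercept admission. Write
# access here (and for secrets, any access) reaches beyond the role itself.
ESCALATION = {
    ("", "secrets"), ("", "pods/exec"), ("", "pods/attach"), ("", "pods/portforward"),
    ("", "serviceaccounts"), ("", "serviceaccounts/token"),
    ("rbac.authorization.k8s.io", "clusterroles"),
    ("rbac.authorization.k8s.io", "clusterrolebindings"),
    ("rbac.authorization.k8s.io", "roles"),
    ("rbac.authorization.k8s.io", "rolebindings"),
    ("admissionregistration.k8s.io", "mutatingwebhookconfigurations"),
    ("admissionregistration.k8s.io", "validatingwebhookconfigurations"),
}


def review_rule(idx, rule):
    """Findings for one PolicyRule as (rule index, category, severity, detail)."""
    findings = []
    verbs = set(rule.get("verbs", []))
    groups, resources = rule.get("apiGroups", [""]), rule.get("resources", [])
    names = rule.get("resourceNames")
    # resourceNames pins the rule to named objects, which narrows the blast
    # radius; such rules are reported at lower severity.
    severity = "medium" if names else "high"
    scope = f"resourceNames={names}" if names else "all objects"
    if "nonResourceURLs" in rule:
        urls = rule["nonResourceURLs"]
        if "*" in urls or not verbs <= READ_ONLY:
            findings.append((idx, "non-resource-url", "high", f"{urls} verbs={sorted(verbs)}"))
        return findings
    if "*" in verbs or "*" in groups or "*" in resources:
        findings.append((idx, "wildcard", "high",
                         f"{groups}/{resources} verbs={sorted(verbs)} ({scope})"))
    for group, res in itertools.product(groups, resources):
        sensitive = (group, res) in ESCALATION and (res == "secrets" or not verbs <= READ_ONLY)
        if sensitive or verbs & ESCALATION_VERBS:
            findings.append((idx, "escalation", severity,
                             f"{group or 'core'}/{res} verbs={sorted(verbs)} ({scope})"))
    return findings


def review_role(role):
    """All findings for a ClusterRole/Role manifest given as a dict."""
    return [f for i, rule in enumerate(role.get("rules", [])) for f in review_rule(i, rule)]


# Excerpt of arms-aliyunserviceroleforarms-clusterrole: five of its rules,
# with the core-group resource list shortened.
ARMS_EXCERPT = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "resources": ["pods", "configmaps", "secrets", "serviceaccounts", "pods/log"],
     "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["nodes/metrics"], "verbs": ["get"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["rolebindings", "roles", "clusterroles", "clusterrolebindings"], "verbs": ["*"]},
    {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]},
]}

# sas-aliyunserviceroleforsas-clusterrole, complete.
SAS_ROLE = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
    {"apiGroups": [""], "resources": ["secrets"],
     "resourceNames": ["policygovernance-yundun-config"], "verbs": ["get", "update", "patch"]},
    {"apiGroups": [""], "resources": ["services", "pods"], "verbs": ["list"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["list"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"], "verbs": ["list"]},
]}


if __name__ == "__main__":
    for name, role in (("ARMS (excerpt)", ARMS_EXCERPT), ("Security Center", SAS_ROLE)):
        print(name)
        for idx, category, severity, detail in review_role(role):
            print(f"  rule[{idx}] {severity:6} {category:16} {detail}")
```

Kubernetes cannot restrict create requests by resourceNames (the object does not exist yet), so the Security Center create rule is unscoped by necessity and the reviewer reports it at high severity while the named-Secret rule comes out medium.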
ApsaraDB Tair
ApsaraDB Tair uses two roles: a cluster-level role for node discovery and webhook configuration checks, and a namespace-scoped role in ack-tair for managing its database operator resources.
| Binding name | Scope | Role name |
|---|---|---|
| tair-aliyunserviceroleforkvstore-clusterrolebinding | Cluster | tair-aliyunserviceroleforkvstore-clusterrole |
| tair-aliyunserviceroleforkvstore-clusterrolebinding | ack-tair namespace | tair-aliyunserviceroleforkvstore-role |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tair-aliyunserviceroleforkvstore-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - nodes
  verbs:
  - get
  - list
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - validatingwebhookconfigurations
  - mutatingwebhookconfigurations
  verbs:
  - get
  - list
```
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tair-aliyunserviceroleforkvstore-role
  namespace: ack-tair
rules:
- apiGroups:
  - batch
  resources:
  - jobs
  verbs:
  - get
  - list
  - create
  - delete
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - get
  - list
- apiGroups:
  - apps
  resources:
  - statefulsets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - deployments
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - get
- apiGroups:
  - ""
  resources:
  - services
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - services/proxy
  verbs:
  - create
  - get
- apiGroups:
  - tair.alibabacloud.com
  resources:
  - tairclusters
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - tair.alibabacloud.com
  resources:
  - tairclusters/finalizers
  verbs:
  - update
- apiGroups:
  - tair.alibabacloud.com
  resources:
  - tairclusters/status
  verbs:
  - get
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - persistentvolumeclaims/status
  verbs:
  - get
- apiGroups:
  - scheduling.sigs.k8s.io
  resources:
  - reserveresourcesets
  verbs:
  - create
  - delete
  - get
  - list
  - patch
  - update
  - watch
```
Enterprise Distributed Application Service (EDAS)
EDAS requires extensive cluster-level permissions to manage the full application lifecycle: deploying and scaling workloads, managing service mesh configurations, handling RBAC for its components, and supporting multiple extension frameworks including OAM, Kruise, and KEDA.
| Binding name | Scope | ClusterRole name |
|---|---|---|
| edas-aliyunedasdefaultrole-clusterrolebinding | Cluster | edas-aliyunedasdefaultrole-clusterrole |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: edas-aliyunedasdefaultrole-clusterrole
rules:
- apiGroups: [ "" ]
  resources: [ "nodes", "nodes/stats" ]
  verbs: [ "get", "list", "watch" ]
- apiGroups: [ "" ]
  resources: [ "pods", "pods/exec", "pods/log", "pods/status", "limitranges", "services", "services/proxy", "namespaces", "endpoints", "configmaps", "secrets", "bindings", "resourcequotas", "serviceaccounts", "componentstatuses", "events", "persistentvolumeclaims", "persistentvolumes", "replicationcontrollers","podtemplates" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "apps" ]
  resources: [ "deployments","daemonsets","statefulsets","replicasets","deployments/scale","statefulsets/scale","statefulsets/status","deployments/status","controllerrevisions" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "extensions" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: ["batch"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["apiregistration.k8s.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [ "events.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["edas.aliyun.oam.com"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["autoscaling"]
  resources: ["*"]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: ["oam-domain.alibabacloud.com" ]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["core.oam.dev"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["flagger.app"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [ "keda.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "log.alibabacloud.com" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "clm.cloudnativeapp.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "monitoring.coreos.com" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "admissionregistration.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "extension.oam.dev" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "authentication.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: ["discovery.k8s.io"]
  resources: ["*"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [ "networking.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "scheduling.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "scheduling.sigs.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "snapshot.storage.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "storage.alibabacloud.com" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "storage.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "certificates.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "flowcontrol.apiserver.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "policy" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "authorization.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "external.metrics.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- nonResourceURLs: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "keda.sh" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "alibabacloud.com" ]
  resources: [ "albconfigs" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "autoscaling.alibabacloud.com" ]
  resources: [ "advancedhorizontalpodautoscalers" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
- apiGroups: [ "metrics.alibabacloud.com" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch" ]
- apiGroups: [ "metrics.k8s.io" ]
  resources: [ "pods","nodes" ]
  verbs: [ "get", "list", "watch" ]
- apiGroups: [ "coordination.k8s.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "apps.kruise.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "edas.alibabacloud.com" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "istio.aliyun.cloud.com" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "nacos.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
```
ApsaraDB RDS
ApsaraDB RDS requires cluster-level permissions to deploy its database operators (mybase and PolarDB-X), manage monitoring with Prometheus, and handle related RBAC and webhook configurations. Write permissions for specific named resources (such as the PolarDB-X webhook) are scoped by resourceNames to limit blast radius.
| Binding name | Scope | ClusterRole name |
|---|---|---|
| aliyunmybasecpaasdefaultrole-clusterrolebinding | Cluster | rds-aliyunmybasecpaasdefaultrole-clusterrole |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rds-aliyunmybasecpaasdefaultrole-clusterrole
rules:
- apiGroups:
  - ''
  resources:
  - nodes
  - namespaces
  - resourcequotas
  - limitranges
  - nodes/metrics
  - replicationcontrollers
  - nodes/proxy
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - ''
  resources:
  - services
  - configmaps
  - secrets
  - pods
  - pods/log
  - pods/exec
  - endpoints
  - persistentvolumes
  - persistentvolumeclaims
  - events
  verbs:
  - '*'
- apiGroups:
  - ''
  resources:
  - serviceaccounts
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - ''
  resourceNames:
  - mybase-operator
  - polardbx-operator
  - pre-install-kibana-kibana
  - filebeat-filebeat
  - post-delete-kibana-kibana
  resources:
  - serviceaccounts
  verbs:
  - '*'
- apiGroups:
  - '*'
  resources:
  - namespaces
  verbs:
  - patch
  - list
  - create
  - watch
  - get
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - controllerrevisions
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - apps
  resourceNames:
  - filebeat-filebeat
  - logstash-logstash
  - kibana-kibana
  - elasticsearch-master
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - controllerrevisions
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  - clusterrolebindings
  - roles
  - rolebindings
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - rbac.authorization.k8s.io
  resourceNames:
  - mybase-operator
  - polardbx-operator
  - polardbx-controller-manager
  - mybase-monitoring
  - filebeat-filebeat-role
  - filebeat-filebeat-role-binding
  - filebeat-filebeat-cluster-role
  - filebeat-filebeat-cluster-role-binding
  - pre-install-kibana-kibana
  - post-delete-kibana-kibana
  resources:
  - clusterroles
  - clusterrolebindings
  - roles
  - rolebindings
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - apiextensions.k8s.io
  resourceNames:
  - mybaseappinstancebackuppolicies.apps.k8s.mybase.aliyun.com
  - mybaseappdefinitions.apps.k8s.mybase.aliyun.com
  - mybaseappinstanceops.apps.k8s.mybase.aliyun.com
  - mybaseappinstances.apps.k8s.mybase.aliyun.com
  - polardbxbackupbinlogs.polardbx.aliyun.com
  - polardbxbackups.polardbx.aliyun.com
  - polardbxbackupschedules.polardbx.aliyun.com
  - polardbxclusterknobs.polardbx.aliyun.com
  - polardbxclusters.polardbx.aliyun.com
  - polardbxlogcollectors.polardbx.aliyun.com
  - polardbxmonitors.polardbx.aliyun.com
  - polardbxparameters.polardbx.aliyun.com
  - polardbxparametertemplates.polardbx.aliyun.com
  - systemtasks.polardbx.aliyun.com
  - xstorebackups.polardbx.aliyun.com
  - xstorefollowers.polardbx.aliyun.com
  - xstores.polardbx.aliyun.com
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - monitoring.coreos.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apps.k8s.mybase.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - polardbx.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - v1.admission.polardbx.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - apiregistration.k8s.io
  resourceNames:
  - v1.admission.polardbx.aliyun.com
  resources:
  - apiservices
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - polardbxcluster-mutate.polardbx.aliyun.com
  - polardbxcluster-validate.polardbx.aliyun.com
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - update
  - delete
  - patch
  - create
  - list
  - get
  - watch
- nonResourceURLs:
  - /metrics
  verbs:
  - get
```
CloudMonitor
CloudMonitor requires the same permission set as ARMS to deploy monitoring agents, manage Prometheus resources, and handle RBAC for its observability components.
| Binding name | Scope | ClusterRole name |
|---|---|---|
| aliyunserviceroleforcloudmonitor-clusterrolebinding | Cluster | cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole
rules:
- apiGroups: ["vector.oam.dev"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["o11y.aliyun.dev"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["pods","replicationcontrollers","podtemplates", "nodes", "services","events","persistentvolumes","persistentvolumeclaims","componentstatuses","bindings", "namespaces","endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","pods/log","services/proxy"]
  verbs: ["*"]
- apiGroups: [""]
  resources: ["nodes/metrics"]
  verbs: ["get"]
- apiGroups: [""]
  resources: ["limitranges"]
  verbs: ["list", "watch"]
- apiGroups: ["admissionregistration.k8s.io"]
  resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["list", "watch"]
- apiGroups: ["batch"]
  resources: ["cronjobs", "jobs"]
  verbs: ["list", "watch"]
- apiGroups: ["autoscaling"]
  resources: ["horizontalpodautoscalers"]
  verbs: ["list", "watch"]
- apiGroups: ["policy"]
  resources: ["poddisruptionbudgets"]
  verbs: ["list", "watch"]
- apiGroups: ["certificates.k8s.io"]
  resources: ["certificatesigningrequests"]
  verbs: ["list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses","volumeattachments"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["coordination.k8s.io"]
  resources: ["leases"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps","extensions"]
  resources: ["deployments", "daemonsets", "statefulsets","replicasets","networkpolicies"]
  verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["*"]
- apiGroups: ["monitoring.coreos.com"]
  resources: ["alertmanagers","podmonitors","prometheuses","prometheuses/finalizers","alertmanagers/finalizers","servicemonitors","prometheusrules","probes"]
  verbs: ["*"]
- apiGroups: ["monitor.aliyun.com"]
  resources: ["alicloudpromrules","alicloudpromrules/status"]
  verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["rolebindings","roles","clusterroles","clusterrolebindings"]
  verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
  resources: ["networkpolicies","ingresses","ingressclasses"]
  verbs: ["*"]
- apiGroups: ["apps.kruise.io"]
  resources: ["statefulsets"]
  verbs: ["*"]
- apiGroups: ["nsm.alibabacloud.com"]
  resources: ["networkservices"]
  verbs: ["*"]
- nonResourceURLs:
  - "/metrics"
  verbs:
  - get
- apiGroups: [""]
  resources: ["serviceaccounts/token"]
  verbs: ["create"]
- apiGroups: ["log.alibabacloud.com"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["telemetry.alibabacloud.com"]
  resources: ["*"]
  verbs: ["*"]
```
Microservices Engine (MSE)
MSE uses two roles. The primary role covers service discovery, ingress management, and Istio workload entry management for its gateway capabilities. The diagnosis role is read-only — it collects node stats and workload state for MSE's diagnostic tools.
| Binding name | Scope | ClusterRole name |
|---|---|---|
| mse-aliyunserviceroleformse-clusterrolebinding | Cluster | mse-aliyunserviceroleformse-clusterrole |
| mse-aliyunserviceroleformsediagnosis-clusterrolebinding | Cluster | mse-aliyunserviceroleformsediagnosis-clusterrole |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mse-aliyunserviceroleformse-clusterrole
rules:
# base
- apiGroups: [""]
  resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]
# ingress
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses", "ingressclasses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses/status"]
  verbs: ["*"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
  resources: ["*"]
  verbs: ["*"]
# CRD
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch"]
# istio
- apiGroups: ["networking.istio.io"]
  verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
  resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
  verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
  resources: [ "workloadentries/status" ]
# demo
- apiGroups: [""]
  resources: ["services", "namespaces"]
  verbs: ["get", "list", "watch", "create"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create"]
```
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mse-aliyunserviceroleformsediagnosis-clusterrole
rules:
# base
- apiGroups: [ "" ]
  resources: [ "nodes", "nodes/stats" ]
  verbs: [ "get", "watch" ]
- apiGroups: [ "" ]
  resources: [ "pods", "pods/exec", "pods/log", "pods/status", "services", "services/proxy", "namespaces", "endpoints", "configmaps", "componentstatuses", "events","podtemplates" ]
  verbs: [ "get", "watch", "create"]
- apiGroups: [ "apps" ]
  resources: [ "deployments","daemonsets","statefulsets","replicasets","statefulsets/status","deployments/status" ]
  verbs: [ "get", "watch", "create"]
```
API Gateway
API Gateway requires the same permission set as MSE, covering service discovery, ingress management, Kubernetes Gateway API resources, and Istio workload entry management to support its native gateway mode.
| Binding name | Scope | ClusterRole name |
|---|---|---|
| apig-aliyunservicerolefornativeapigw-clusterrolebinding | Cluster | apig-aliyunservicerolefornativeapigw-clusterrole |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apig-aliyunservicerolefornativeapigw-clusterrole
rules:
# base
- apiGroups: [""]
  resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["discovery.k8s.io"]
  resources: ["endpointslices"]
  verbs: ["get", "list", "watch"]
# ingress
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses", "ingressclasses"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses/status"]
  verbs: ["*"]
# Use for Kubernetes Service APIs
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
  resources: ["*"]
  verbs: ["get", "watch", "list"]
- apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
  resources: ["*"]
  verbs: ["*"]
# CRD
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch"]
# istio
- apiGroups: ["networking.istio.io"]
  verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
  resources: [ "workloadentries" ]
- apiGroups: ["networking.istio.io"]
  verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
  resources: [ "workloadentries/status" ]
# demo
- apiGroups: [""]
  resources: ["services", "namespaces"]
  verbs: ["get", "list", "watch", "create"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create"]
```
Simple Log Service (SLS)
SLS requires cluster-wide read access plus write permissions on specific resources to deploy its log collection agents (DaemonSets, ServiceAccounts, ClusterRoles) and manage log configuration CRDs.
| Binding name | Scope | ClusterRole name |
|---|---|---|
| sls-aliyunserviceroleforslsaudit-clusterrolebinding | Cluster | sls-aliyunserviceroleforslsaudit-role |
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sls-aliyunserviceroleforslsaudit-role
rules:
- apiGroups:
  - "*"
  resources:
  - "*"
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - "*"
  resources:
  - namespaces
  - deployments
  - serviceaccounts
  - clusterroles
  - clusterrolebindings
  - daemonsets
  - services
  - aliyunlogconfigs
  verbs:
  - create
  - patch
  - delete
- nonResourceURLs:
  - /metrics
  verbs:
  - get
```
Elasticsearch (ES)
Elasticsearch uses three roles for its log collector integration: two namespace-scoped roles (in captain-system and logging) with full workload management permissions, and one cluster-level role for cross-namespace resource discovery and CRD management.
| Binding name | Scope | Role name |
|---|---|---|
| elasticsearch-aliyunserviceroleforelasticsearchcollector-rolebinding | captain-system namespace | elasticsearch-aliyunserviceroleforelasticsearchcollector-role |
| elasticsearch-aliyunserviceroleforelasticsearchcollector-rolebinding | logging namespace | elasticsearch-aliyunserviceroleforelasticsearchcollector-role |
| elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrolebinding | Cluster | elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrole |
```yaml
# Role applied in captain-system namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-role
  namespace: captain-system
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  verbs:
  - create
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - app.alauda.io
  resources:
  - helmrequests
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
```
# Role applied in logging namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-role
  namespace: logging
rules:
- apiGroups:
  - ""
  resources:
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  - secrets
  - services/proxy
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - serviceaccounts
  verbs:
  - impersonate
- apiGroups:
  - ""
  resources:
  - pods
  - pods/attach
  - pods/exec
  - pods/portforward
  - pods/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - replicationcontrollers
  - replicationcontrollers/scale
  - secrets
  - serviceaccounts
  - services
  - services/proxy
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - apps
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - replicasets
  - replicasets/scale
  - statefulsets
  - statefulsets/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - batch
  resources:
  - cronjobs
  - jobs
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - deployments
  - deployments/rollback
  - deployments/scale
  - ingresses
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicationcontrollers/scale
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - networkpolicies
  verbs:
  - create
  - delete
  - deletecollection
  - patch
  - update
- apiGroups:
  - ""
  resources:
  - configmaps
  - endpoints
  - persistentvolumeclaims
  - persistentvolumeclaims/status
  - pods
  - replicationcontrollers
  - replicationcontrollers/scale
  - serviceaccounts
  - services
  - services/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - bindings
  - events
  - limitranges
  - namespaces/status
  - pods/log
  - pods/status
  - replicationcontrollers/status
  - resourcequotas
  - resourcequotas/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - controllerrevisions
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - replicasets
  - replicasets/scale
  - replicasets/status
  - statefulsets
  - statefulsets/scale
  - statefulsets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  - horizontalpodautoscalers/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - batch
  resources:
  - cronjobs
  - cronjobs/status
  - jobs
  - jobs/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - daemonsets
  - daemonsets/status
  - deployments
  - deployments/scale
  - deployments/status
  - ingresses
  - ingresses/status
  - networkpolicies
  - replicasets
  - replicasets/scale
  - replicasets/status
  - replicationcontrollers/scale
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  - poddisruptionbudgets/status
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  - ingresses/status
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - authorization.k8s.io
  resources:
  - localsubjectaccessreviews
  verbs:
  - create
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - rolebindings
  - roles
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - app.alauda.io
  resources:
  - helmrequests
  - releases
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - elasticsearch.kubernetes.aliyun.com
  resources:
  - logcollectors
  - indexlifecyclebindings
  - indexlifecyclepolicies
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
- apiGroups:
  - beat.kubernetes.aliyun.com
  resources:
  - beats
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch
# ClusterRole for cluster-wide resource discovery
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods", "nodes", "services", "namespaces", "endpoints", "configmaps", "secrets"]
  verbs: ["get", "list", "watch", "patch", "update", "create"]
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: ["app.alauda.io"]
  resources: ["helmrequests"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Platform for AI (PAI)
PAI requires cluster-level permissions to support AI/ML workloads: managing training jobs (TFJob, PyTorchJob, MPIJob), running workflows (Argo, PAIFlow), handling dataset management via Fluid, and supporting model serving with Gloo.
| Binding name | Scope | ClusterRole name |
|---|---|---|
| pai-aliyunpaidlcdefaultrole-clusterrolebinding | Cluster | pai-aliyunpaidlcdefaultrole-clusterrole |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pai-aliyunpaidlcdefaultrole-clusterrole
rules:
- apiGroups: [ "" ]
  resources: [ "secrets", "secrets/status", "services", "namespaces", "endpoints", "serviceaccounts", "configmaps/status",
    "persistentvolumes", "persistentvolumes/status", "events", "events/status", "persistentvolumeclaims", "pods", "pods/log", "replicationcontrollers", "bindings",
    "limitranges", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "" ]
  resources: [ "serviceaccounts" ]
  verbs: [ "impersonate" ]
- apiGroups: [ "" ]
  resources: [ "configmaps", "pods", "services", "secrets", "endpoints", "configmaps" ]
  verbs: [ "*" ]
- apiGroups: [ "" ]
  resources: [ "pods/status","pods/binding", "namespaces/status", "persistentvolumeclaims/status", "replicationcontrollers/scale",
    "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "services/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "" ]
  resources: [ "nodes", "nodes/status" ]
  verbs: [ "create", "delete", "update", "get", "list", "watch", "patch", "deletecollection" ]
- apiGroups: [ "apps" ]
  resources: [ "statefulsets", "daemonsets", "deployments", "controllerrevisions", "replicasets" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "apps" ]
  resources: [ "statefulsets/status", "daemonsets/status", "deployments/scale", "deployments/status",
    "replicasets/scale", "replicasets/status", "statefulsets/scale", "deployments/rollback" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "rbac.authorization.k8s.io" ]
  resources: [ "clusterrolebindings", "clusterroles", "roles", "roles/status", "rolebindings", "rolebindings/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "authentication.k8s.io" ]
  resources: [ "tokenreviews" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "authorization.k8s.io" ]
  resources: [ "subjectaccessreviews" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "admissionregistration.k8s.io" ]
  resources: [ "mutatingwebhookconfigurations", "validatingwebhookconfigurations" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "networking.k8s.io" ]
  resources: [ "ingresses", "ingresses/status", "networkpolicies" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "apiextensions.k8s.io" ]
  resources: [ "customresourcedefinitions" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "batch" ]
  resources: [ "jobs", "cronjobs", "jobs/status", "cronjobs/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "batch/v1" ]
  resources: [ "jobs" ]
  verbs: [ "get", "create", "list", "watch", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "autoscaling" ]
  resources: [ "horizontalpodautoscalers", "horizontalpodautoscalers/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "coordination.k8s.io" ]
  resources: [ "leases", "leases/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "coordination.k8s.io" ]
  resources: [ "leases" ]
  verbs: [ "*" ]
- apiGroups: [ "data.fluid.io" ]
  resources: [ "datasets", "datasets/status", "jindoruntimes", "jindoruntimes/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "extensions" ]
  resources: [ "replicasets", "replicasets/status", "daemonsets", "daemonsets/status", "deployments",
    "deployments/scale", "deployments/status", "deployments/rollback", "ingresses", "ingresses/status", "networkpolicies",
    "replicasets/scale", "replicationcontrollers/scale" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "metrics.k8s.io" ]
  resources: [ "nodes", "pods" ]
  verbs: [ "get", "list", "watch" ]
- apiGroups: [ "kubeflow.org" ]
  resources: [ "tfjobs", "pytorchjobs", "tfjobs/status", "pytorchjobs/status", "mpijobs", "mpijobs/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "xdl.kubedl.io" ]
  resources: [ "xdljobs", "xdljobs/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "xgboostjob.kubeflow.org" ]
  resources: [ "xgboostjobs", "xgboostjobs/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "events.k8s.io" ]
  resources: [ "events" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "policy" ]
  resources: [ "poddisruptionbudgets", "poddisruptionbudgets/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "apps.kruise.io" ]
  resources: [ "statefulsets" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "scheduling.alibabacloud.com" ]
  resources: [ "gpudevices", "allocgroups", "allocgroups/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "gputopology.kubedl.io" ]
  resources: [ "gputopologies" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "storage.k8s.io" ]
  resources: [ "storageclasses", "csinodes", "volumeattachments" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "scheduling.k8s.io" ]
  resources: [ "priorityclasses" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "scheduling.x-k8s.io" ]
  resources: [ "queueunits", "queueunits/status", "queues" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "scheduling.sigs.k8s.io" ]
  resources: [ "elasticquotatrees" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "certificates.k8s.io" ]
  resources: [ "certificatesigningrequests", "certificatesigningrequests/approval", "signers" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "approve" ]
- apiGroups: [ "discovery.k8s.io" ]
  resources: [ "endpointslices" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "monitoring.coreos.com" ]
  resources: [ "servicemonitors" ]
  verbs: [ "get", "create", "list", "watch", "update", "patch", "delete", "deletecollection"]
- apiGroups: [ "inference.kubedl.io" ]
  resources: [ "elasticbatchjobs", "elasticbatchjobs/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "gateway.solo.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "argoproj.io" ]
  resources: [ "clusterworkflowtemplates", "clusterworkflowtemplates/finalizers", "cronworkflows", "cronworkflows/finalizers",
    "workflows", "workflows/finalizers", "workflowtemplates", "workflowtemplates/finalizers" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "paiflow.alibaba-inc.com" ]
  resources: [ "clusterworkflowtemplates", "clusterworkflowtemplates/finalizers", "cronworkflows", "cronworkflows/finalizers",
    "workflows", "workflows/finalizers", "workflowtemplates", "workflowtemplates/finalizers",
    "workfloweventbindings", "workfloweventbindings/finalizers" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "dlc.alibaba.com" ]
  resources: [ "datasources", "datasources/status", "dlcinstanceresourcepatches", "dlcinstanceresourcepatches/status",
    "dlcinstances", "dlcinstances/status", "resourcegroups", "resourcegroups/status", "tensorboards", "tensorboards/status"]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "eas.alibaba-inc.k8s.io" ]
  resources: [ "resourcemigrations", "resourcemigrations/status", "tenantresources", "tenantresources/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "paiflow.pai.alibaba-inc.com" ]
  resources: [ "aiworkspaces" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "gloo.solo.io", "enterprise.gloo.solo.io", "graphql.gloo.solo.io" ]
  resources: [ "*" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "ratelimit.solo.io" ]
  resources: [ "ratelimitconfigs","ratelimitconfigs/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "dsw.alibaba.com" ]
  resources: [ "dswinstances", "dswinstances/status", "idleinstancecullers", "idleinstancecullers/status",
    "images", "images/status", "notebooks", "notebooks/status", "credentials", "credentials/status",
    "nasvolumes", "nasvolumes/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: [ "training.pai.alibaba-inc.com" ]
  resources: [ "trainingjobs", "trainingjobs/status" ]
  verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
- apiGroups: ["scheduling.sigs.k8s.io"]
  resources: ["podgroups"]
  verbs: ["get", "delete"]
Cloud-native Application Assembly Platform (BizWorks)
BizWorks is granted the highest level of permissions — full access to all API groups, resources, and non-resource URLs. This is required because BizWorks can install any Helm chart into your cluster. Review your Helm chart content carefully before using BizWorks to deploy workloads.
| Binding name | Scope | ClusterRole name |
|---|---|---|
| bizworks-aliyunserviceroleforbizworks-clusterrolebinding | Cluster | bizworks-aliyunserviceroleforbizworks-clusterrole |
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bizworks-aliyunserviceroleforbizworks-clusterrole
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
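Roles as long as the ones listed above are easier to review from the JSON that kubectl returns than by eye. The following Python script is an added example, not code from this page or from ACK: it walks the rules of a ClusterRole or Role (the object `kubectl get clusterrole NAME -o json` returns, saved to a file) and flags the grants a reviewer should be able to justify before binding the role to an external principal: wildcards, impersonate, pods/exec and friends, Secret access, RBAC and webhook writes, and CSR approval. Which grants it flags is an editorial choice based on what appears in the roles on this page, not an ACK or Kubernetes rule. The two sample inputs are constructed: a copy of the BizWorks ClusterRole above and a subset of the Elasticsearch collector Role's rules.

```python
"""Audit a Kubernetes ClusterRole or Role for high-impact grants.

Added example; not ACK code. Input is the JSON form of a role, as returned by
`kubectl get clusterrole NAME -o json`, so it runs offline against a saved
file and needs only the standard library.
"""
import json
import sys

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Verbs that let a principal act as, or grant rights to, another identity.
ESCALATION_VERBS = {"bind", "escalate", "impersonate", "approve"}

# Resources whose grants deserve a second look. Editorial choice drawn from
# the grants visible in the roles on this page, not a Kubernetes policy.
SENSITIVE_RESOURCES = {
    "secrets": "Secret contents",
    "pods/exec": "command execution inside pods",
    "pods/attach": "attaching to pod processes",
    "pods/portforward": "port-forwarding into pods",
    "clusterroles": "cluster-wide RBAC definitions",
    "clusterrolebindings": "cluster-wide RBAC grants",
    "roles": "namespaced RBAC definitions",
    "rolebindings": "namespaced RBAC grants",
    "mutatingwebhookconfigurations": "rewriting API requests in flight",
    "validatingwebhookconfigurations": "intercepting API requests",
    "certificatesigningrequests/approval": "approving client certificates",
    "nodes": "node objects (labels, taints, status)",
}
# Any verb on these is significant: reading (or connecting) is the exposure.
ALWAYS_HIGH = {"secrets", "pods/exec", "pods/attach", "pods/portforward"}

SEVERITY_RANK = {"none": 0, "medium": 1, "high": 2, "critical": 3}


def audit_rule(rule):
    """Return a list of (severity, message) findings for one PolicyRule dict."""
    findings = []
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = set(rule.get("verbs", []))
    non_resource = rule.get("nonResourceURLs", [])

    if non_resource:  # non-resource rules carry no apiGroups/resources
        if "*" in non_resource:
            findings.append(("high", "wildcard nonResourceURLs: every non-resource endpoint"))
        return findings

    if "*" in verbs and ("*" in resources or "*" in groups):
        findings.append(("critical", "wildcard verbs on wildcard resources or groups: unrestricted API access"))
    elif "*" in verbs:
        findings.append(("high", f"wildcard verbs on {sorted(resources)}"))
    elif "*" in resources:
        findings.append(("high", f"wildcard resources in groups {groups} with verbs {sorted(verbs)}"))

    for verb in sorted(verbs & ESCALATION_VERBS):
        findings.append(("high", f"verb '{verb}' on {resources}: identity or privilege escalation"))

    for res in resources:
        if res in SENSITIVE_RESOURCES:
            if res in ALWAYS_HIGH or "*" in verbs or verbs & WRITE_VERBS:
                severity = "high"
            else:
                severity = "medium"
            findings.append((severity, f"{res} ({SENSITIVE_RESOURCES[res]}) with verbs {sorted(verbs)}"))
    return findings


def audit_role(role):
    """Audit every rule of a role; returns a report with rule-indexed findings."""
    findings = []
    for index, rule in enumerate(role.get("rules", [])):
        for severity, message in audit_rule(rule):
            findings.append({"rule": index, "severity": severity, "message": message})
    return {"kind": role.get("kind"), "name": role["metadata"]["name"], "findings": findings}


def worst_severity(report):
    """Highest severity present in a report, or "none" when it has no findings."""
    return max((f["severity"] for f in report["findings"]), key=SEVERITY_RANK.get, default="none")


# Constructed sample: the BizWorks ClusterRole from this page, in kubectl's JSON shape.
BIZWORKS_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "bizworks-aliyunserviceroleforbizworks-clusterrole"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"nonResourceURLs": ["*"], "verbs": ["*"]},
    ],
}

# Constructed sample: a subset of the Elasticsearch collector Role rules from this page.
ES_ROLE_SUBSET = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "elasticsearch-aliyunserviceroleforelasticsearchcollector-role",
                 "namespace": "logging"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods/exec", "secrets"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["serviceaccounts"], "verbs": ["impersonate"]},
        {"apiGroups": [""], "resources": ["pods", "pods/exec"], "verbs": ["create", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "watch"]},
    ],
}

if __name__ == "__main__":
    # Usage: python audit_role.py role.json [...]; with no files, the samples are audited.
    roles = [json.load(open(path)) for path in sys.argv[1:]] or [BIZWORKS_CLUSTERROLE, ES_ROLE_SUBSET]
    for role in roles:
        report = audit_role(role)
        print(f"{report['kind']}/{report['name']}: worst={worst_severity(report)}")
        for finding in report["findings"]:
            print(f"  rule[{finding['rule']}] {finding['severity']:<8} {finding['message']}")
```

On the samples, the BizWorks role produces one critical and one high finding, and the Elasticsearch subset produces four high findings (Secret and pods/exec access in two rules, plus impersonate); a rule like `apps/deployments` with get/list/watch produces none. A medium finding, such as read-only access to RoleBindings, is worth noting but rarely worth blocking.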
Customize RBAC permissions for a cloud service
To restrict what an Alibaba Cloud service can do in your cluster, configure a custom ClusterRole for that service. Add the annotation inner.service.alibabacloud.com/user-customized: "true" and define the permissions you want to allow in the rules field.
Modifying a service's RBAC role may break its features. Test thoroughly before applying changes to production clusters.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    inner.service.alibabacloud.com/user-customized: "true"
  name: test-aliyunserviceroleforarms-clusterrole
rules:
- apiGroups:
  - test
  resources:
  - '*'
  verbs:
  - '*'
...
Deny a cloud service access to your cluster
Use either of the following methods:
- Remove all rules in the custom ClusterRole: Follow the steps in Customize RBAC permissions for a cloud service. Set the annotation inner.service.alibabacloud.com/user-customized: "true" and leave the rules field empty. This removes all permissions the service has in the cluster.
- Delete the RAM service role: Remove the corresponding RAM service role from the RAM console. This revokes the service's ability to assume the role and access the cluster.
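The two procedures above (narrowing a service's permissions with a user-customized ClusterRole, and removing them all by leaving rules empty) are error-prone to do by hand on rules lists as long as the ones on this page. The following Python helper is an added example, not ACK code. It assumes the service's current role is available as the JSON that `kubectl get clusterrole NAME -o json` returns; it keeps only the rules whose apiGroups you allow (optionally read-only verbs), adds the inner.service.alibabacloud.com/user-customized: "true" annotation the page describes, and refuses to emit anything the original role did not already grant, so a typo in the allowlist can never widen access. The constructed sample is the Elasticsearch collector ClusterRole shown earlier on this page.

```python
"""Narrow a service's ClusterRole into an ACK user-customized role.

Added example; not ACK code. Reads a role in the JSON form that
`kubectl get clusterrole NAME -o json` returns and writes a JSON manifest
that `kubectl apply -f` accepts. An empty allowlist yields the deny-all
variant (annotation set, rules empty).
"""
import json

CUSTOM_ANNOTATION = "inner.service.alibabacloud.com/user-customized"
READ_VERBS = {"get", "list", "watch"}


def _rule_covers(rule, group, resource, verb):
    """True if one PolicyRule permits `verb` on `group`/`resource` (wildcards honoured)."""
    if "nonResourceURLs" in rule:
        return False
    return (
        ("*" in rule.get("apiGroups", []) or group in rule.get("apiGroups", []))
        and ("*" in rule.get("resources", []) or resource in rule.get("resources", []))
        and ("*" in rule.get("verbs", []) or verb in rule.get("verbs", []))
    )


def _grant_triples(rules):
    """Every (apiGroup, resource, verb) triple literally named by `rules`."""
    return {
        (g, r, v)
        for rule in rules if "nonResourceURLs" not in rule
        for g in rule.get("apiGroups", [])
        for r in rule.get("resources", [])
        for v in rule.get("verbs", [])
    }


def is_subset(candidate_rules, original_rules):
    """True if every grant in candidate_rules is covered by some original rule."""
    return all(
        any(_rule_covers(orig, g, r, v) for orig in original_rules)
        for (g, r, v) in _grant_triples(candidate_rules)
    )


def narrow_role(role, allowed_groups, read_only=False):
    """Return a user-customized copy of `role` limited to `allowed_groups`.

    allowed_groups: apiGroup names to keep ("" is the core group).
    read_only: additionally drop every verb except get/list/watch.
    Non-resource rules are always dropped; add them back by hand if needed.
    """
    metadata = {
        "name": role["metadata"]["name"],
        "annotations": {**role["metadata"].get("annotations", {}), CUSTOM_ANNOTATION: "true"},
    }
    if "namespace" in role["metadata"]:  # a namespaced Role keeps its namespace
        metadata["namespace"] = role["metadata"]["namespace"]

    kept = []
    for rule in role.get("rules", []):
        if "nonResourceURLs" in rule:
            continue
        groups = [g for g in rule.get("apiGroups", []) if g in allowed_groups]
        verbs = [v for v in rule.get("verbs", []) if not read_only or v in READ_VERBS]
        if groups and verbs and rule.get("resources"):
            kept.append({"apiGroups": groups, "resources": list(rule["resources"]), "verbs": verbs})

    # Safety net: the customized role must never grant more than the original.
    if not is_subset(kept, role.get("rules", [])):
        raise ValueError("narrowed role would grant more than the original")
    return {"apiVersion": role["apiVersion"], "kind": role["kind"], "metadata": metadata, "rules": kept}


def deny_all(role):
    """The page's 'remove all rules' variant: annotation set, rules empty."""
    return narrow_role(role, allowed_groups=set())


def to_manifest(role):
    """JSON manifest text that `kubectl apply -f -` accepts."""
    return json.dumps(role, indent=2)


# Constructed sample: the Elasticsearch collector ClusterRole from this page,
# in kubectl's JSON shape.
ES_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrole"},
    "rules": [
        {"apiGroups": [""],
         "resources": ["pods", "nodes", "services", "namespaces", "endpoints", "configmaps", "secrets"],
         "verbs": ["get", "list", "watch", "patch", "update", "create"]},
        {"apiGroups": ["apps"], "resources": ["replicasets"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
        {"apiGroups": ["app.alauda.io"], "resources": ["helmrequests"],
         "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
    ],
}

if __name__ == "__main__":
    # Keep only core and apps resources, read-only; review the output before applying it.
    print(to_manifest(narrow_role(ES_CLUSTERROLE, {"", "apps"}, read_only=True)))
```

Pipe the output into `kubectl apply -f -` and then exercise the service's feature in a non-production cluster first, as the page advises: the subset check only guarantees the custom role is no wider than the original, not that the service still works with less. Reading the `verbs` of each kept rule in the output is also a quick way to confirm that `read_only=True` removed every write verb.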