
Container Service for Kubernetes:Configure RBAC permissions for Alibaba Cloud services to access ACK clusters

Last Updated:Dec 26, 2025

Container Service for Kubernetes (ACK) supports the native Kubernetes Role-Based Access Control (RBAC) authorization mechanism. RBAC authorization lets you grant different operation permissions on Kubernetes resources in the same cluster to different users. When other Alibaba Cloud services access an ACK cluster, you can bind a specific RBAC role to the service. This allows the service to access internal cluster resources using the RBAC permissions that correspond to its service role. This method provides resource permission isolation and adheres to the principle of least privilege.

Precautions

  • By default, an ACK cluster does not create RBAC roles for Alibaba Cloud services. The RBAC role and its binding are created, triggered by the Alibaba Cloud service itself, only after you grant the service a service role and use a feature of the service that requires cluster access.

  • The name of an RBAC role binding for an Alibaba Cloud service follows a fixed format: ${service-abbreviation}-${service-role-name}-clusterrolebinding or ${service-abbreviation}-${service-role-name}-rolebinding.

  • The RBAC roles described in this topic are only for least-privilege access required by specific features of Alibaba Cloud services. They do not affect the RBAC authorization for your regular business operations.

  • If you enable the API Server audit log for the cluster, you can take the subject name from the subjects field of the service's RBAC role binding and use it to retrieve the audit records of that cloud service's access to resources in the cluster. For more information, see Use the cluster API Server audit feature.
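The precaution above, worked through as an added example (not code from this topic or from ACK): the script takes a ClusterRoleBinding in the JSON form that `kubectl get clusterrolebinding <name> -o json` returns, derives the usernames the audit log records for its subjects, and then filters API Server audit events (audit.k8s.io/v1, one JSON object per line) down to the requests made by that service. The binding name follows the naming format described above; the subject names, the arms-prom namespace and the audit events are constructed placeholders, not real identities or real log data.

```python
import json
from collections import Counter

# Constructed sample ClusterRoleBinding, in the JSON shape that
# `kubectl get clusterrolebinding <name> -o json` returns. The binding name
# follows the ${service-abbreviation}-${service-role-name}-clusterrolebinding
# format from this topic; both subject names are placeholders.
BINDING_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "arms-aliyunserviceroleforarms-clusterrolebinding"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole",
                "name": "arms-aliyunserviceroleforarms-clusterrole"},
    "subjects": [
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "User",
         "name": "PLACEHOLDER-arms-service-role-user"},
        {"kind": "ServiceAccount", "namespace": "arms-prom",
         "name": "PLACEHOLDER-arms-sa"},
    ],
})


def _event(audit_id, username, verb, resource, namespace="", name="",
           subresource="", api_group="", code=200):
    """Build one audit.k8s.io/v1 Event line (constructed sample data)."""
    ref = {"resource": resource}
    for key, val in (("namespace", namespace), ("name", name),
                     ("subresource", subresource), ("apiGroup", api_group)):
        if val:
            ref[key] = val
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "level": "Metadata",
        "auditID": audit_id, "stage": "ResponseComplete", "verb": verb,
        "user": {"username": username, "groups": ["system:authenticated"]},
        "objectRef": ref, "responseStatus": {"code": code},
    })


# Constructed audit log, one JSON object per line as the API server audit
# backend writes them. The fourth line is deliberately truncated.
AUDIT_LINES = [
    _event("a1", "PLACEHOLDER-arms-service-role-user", "list", "secrets",
           namespace="kube-system"),
    _event("a2", "system:serviceaccount:arms-prom:PLACEHOLDER-arms-sa", "get",
           "pods", namespace="default", name="web-0", subresource="log"),
    _event("a3", "kubernetes-admin", "get", "nodes", name="node-1"),
    '{"kind":"Event","auditID":"a4","verb":"get"',
    _event("a5", "PLACEHOLDER-arms-service-role-user", "create",
           "clusterrolebindings", name="example-binding",
           api_group="rbac.authorization.k8s.io", code=201),
]


def binding_subjects(binding_json):
    """Map a binding's subjects to what the audit log records for them.

    Returns (usernames, groups): a User subject is logged under its name, a
    ServiceAccount under system:serviceaccount:<namespace>:<name>, and a Group
    subject only appears in user.groups, never as the username."""
    usernames, groups = set(), set()
    for subj in json.loads(binding_json).get("subjects", []):
        kind = subj.get("kind")
        if kind == "ServiceAccount":
            usernames.add(f"system:serviceaccount:{subj['namespace']}:{subj['name']}")
        elif kind == "User":
            usernames.add(subj["name"])
        elif kind == "Group":
            groups.add(subj["name"])
    return usernames, groups


def service_events(audit_lines, usernames, groups=frozenset()):
    """Return compact records of the audit events issued by the bound subjects."""
    records = []
    for line in audit_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a corrupt or partially written line, keep scanning
        if ev.get("kind") != "Event" or ev.get("stage") != "ResponseComplete":
            continue  # one record per request: ignore RequestReceived stages
        user = ev.get("user", {})
        if (user.get("username") not in usernames
                and not set(user.get("groups", [])) & set(groups)):
            continue
        ref = ev.get("objectRef", {})
        resource = ref.get("resource", "")
        if ref.get("subresource"):
            resource += "/" + ref["subresource"]
        records.append({
            "auditID": ev.get("auditID"), "user": user.get("username"),
            "verb": ev.get("verb"), "resource": resource,
            "namespace": ref.get("namespace", ""), "name": ref.get("name", ""),
            "code": ev.get("responseStatus", {}).get("code"),
        })
    return records


def verb_resource_counts(records):
    """Count (verb, resource) pairs: a quick profile of what the service touched."""
    return Counter((r["verb"], r["resource"]) for r in records)


if __name__ == "__main__":
    users, grps = binding_subjects(BINDING_JSON)
    recs = service_events(AUDIT_LINES, users, grps)
    for rec in recs:
        print(rec)
    print(verb_resource_counts(recs))
```

The (verb, resource) profile is the useful output: compared against the RBAC access policy listed for the service, it shows which of the granted verbs the service actually exercises, and a request such as a create on clusterrolebindings stands out even when the role permits it.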

Alibaba Cloud service role permission policies

After you grant an Alibaba Cloud service the corresponding service role listed in the table below, the service, by default, will access resources in the ACK cluster using the associated RBAC permissions.
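Because the policy in the table is what the service can do once the feature is enabled, it is worth reviewing each role before granting the service role. The following is an added example (not code from this topic or from Container Service for Kubernetes): it reads a Role or ClusterRole in the JSON form that `kubectl get clusterrole <name> -o json` returns and reports the grants a reviewer should weigh against the feature's needs: wildcard verbs, write access to RBAC objects, secrets access, pod exec, impersonation and service-account token creation. The two sample roles are built from the Security Center role and four rules of the ARMS role listed in this topic; the finding categories are this example's own choice.

```python
import json

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
READ_VERBS = {"get", "list", "watch"}
RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
EXEC_RESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
IMPERSONATION_TARGETS = {"users", "groups", "serviceaccounts", "uids", "userextras"}


def _covers(values, wanted):
    """True when a rule list, which may contain '*', matches `wanted`."""
    return "*" in values or wanted in values


def _covers_any(values, wanted_set):
    return any(_covers(values, w) for w in wanted_set)


def review_role(role_json):
    """Return (rule_index, message) pairs for grants that deserve a second look.

    Input is a Role or ClusterRole in the JSON shape that
    `kubectl get clusterrole <name> -o json` returns."""
    findings = []
    for i, rule in enumerate(json.loads(role_json).get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        names = rule.get("resourceNames")
        star = "*" in verbs                      # '*' covers every verb, impersonate included
        writes = star or bool(verbs & WRITE_VERBS)
        reads = star or bool(verbs & READ_VERBS)
        core = _covers(groups, "")               # "" is the core API group
        scope = f" (limited to resourceNames {names})" if names else ""

        if "*" in rule.get("nonResourceURLs", []):
            findings.append((i, "all non-resource URLs"))
        if "*" in groups and "*" in resources and star and not names:
            findings.append((i, "cluster-admin equivalent: all verbs on all resources"))
            continue
        if (writes and _covers(groups, "rbac.authorization.k8s.io")
                and _covers_any(resources, RBAC_RESOURCES)):
            findings.append((i, "writes RBAC objects, so it can widen its own permissions" + scope))
        if verbs & {"bind", "escalate"}:
            findings.append((i, "explicit bind/escalate verbs" + scope))
        if core and _covers(resources, "secrets") and (reads or writes):
            access = "/".join(w for w, ok in (("read", reads), ("write", writes)) if ok)
            findings.append((i, f"{access} secrets" + scope))
        if core and _covers_any(resources, EXEC_RESOURCES) and (star or "create" in verbs):
            findings.append((i, "can exec into, attach to or port-forward pods" + scope))
        if core and _covers_any(resources, IMPERSONATION_TARGETS) and (star or "impersonate" in verbs):
            findings.append((i, "can impersonate other identities" + scope))
        if core and _covers(resources, "serviceaccounts/token") and (star or "create" in verbs):
            findings.append((i, "can mint service-account tokens" + scope))
    return findings


# Sample 1: the Security Center ClusterRole from this topic, as JSON.
SAS_ROLE_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "sas-aliyunserviceroleforsas-clusterrole"},
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["create"]},
        {"apiGroups": [""], "resources": ["secrets"],
         "resourceNames": ["policygovernance-yundun-config"],
         "verbs": ["get", "update", "patch"]},
        {"apiGroups": [""], "resources": ["services", "pods"], "verbs": ["list"]},
        {"apiGroups": ["extensions"], "resources": ["ingresses"], "verbs": ["list"]},
        {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses"], "verbs": ["list"]},
    ],
})

# Sample 2: four of the rules of the ARMS ClusterRole from this topic.
ARMS_RULES_JSON = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "arms-aliyunserviceroleforarms-clusterrole"},
    "rules": [
        {"apiGroups": [""], "verbs": ["*"],
         "resources": ["pods", "replicationcontrollers", "podtemplates", "nodes",
                       "services", "events", "persistentvolumes", "persistentvolumeclaims",
                       "componentstatuses", "bindings", "namespaces", "endpoints",
                       "configmaps", "secrets", "resourcequotas", "serviceaccounts",
                       "pods/log", "services/proxy"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "verbs": ["*"],
         "resources": ["rolebindings", "roles", "clusterroles", "clusterrolebindings"]},
        {"nonResourceURLs": ["/metrics"], "verbs": ["get"]},
        {"apiGroups": [""], "resources": ["serviceaccounts/token"], "verbs": ["create"]},
    ],
})


if __name__ == "__main__":
    for label, doc in (("sas", SAS_ROLE_JSON), ("arms", ARMS_RULES_JSON)):
        for idx, msg in review_role(doc):
            print(f"{label} rule[{idx}]: {msg}")
```

Two details the output makes visible: a resourceNames restriction narrows a finding to the named objects, which is why the Security Center role's update/patch on secrets is reported only for policygovernance-yundun-config, whereas verbs: ["*"] is reported under every category its resources match, so a core-group rule that lists serviceaccounts is flagged for impersonation because '*' includes the impersonate verb along with the usual read and write verbs.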

Note

In the following table, the Applicable scope column indicates the scope in which the permissions take effect. The scope can be the cluster level or the namespace level.

Each entry below gives the cloud product, the service role name, the applicable scope, and the RBAC access policy (the Role or ClusterRole definition).

Cloud product: Application Real-Time Monitoring Service (ARMS)
Service role name: arms-aliyunserviceroleforarms-clusterrolebinding
Applicable scope: cluster
RBAC access policy: arms-aliyunserviceroleforarms-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: arms-aliyunserviceroleforarms-clusterrole
rules:
  - apiGroups: ["vector.oam.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["o11y.aliyun.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods","replicationcontrollers","podtemplates", "nodes", "services","events","persistentvolumes","persistentvolumeclaims","componentstatuses","bindings", "namespaces","endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","pods/log","services/proxy"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["nodes/metrics"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["limitranges"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses","volumeattachments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps","extensions"]
    resources: ["deployments", "daemonsets", "statefulsets","replicasets","networkpolicies"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["alertmanagers","podmonitors","prometheuses","prometheuses/finalizers","alertmanagers/finalizers","servicemonitors","prometheusrules","probes"]
    verbs: ["*"]
  - apiGroups: ["monitor.aliyun.com"]
    resources: ["alicloudpromrules","alicloudpromrules/status"]
    verbs: ["*"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings","roles","clusterroles","clusterrolebindings"]
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies","ingresses","ingressclasses"]
    verbs: ["*"]
  - apiGroups: ["apps.kruise.io"]
    resources: ["statefulsets"]
    verbs: ["*"]
  - apiGroups: ["nsm.alibabacloud.com"]
    resources: ["networkservices"]
    verbs: ["*"]
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
  - apiGroups: ["log.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["telemetry.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

Cloud product: E-MapReduce: An Open-Source Big Data Development Platform
Service role name: emr-aliyunemronackdefaultrole-clusterrolebinding
Applicable scope: cluster
RBAC access policy: emr-aliyunemronackdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: emr-aliyunemronackdefaultrole-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods", "nodes", "services", "namespaces", "endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","persistentvolumes","persistentvolumeclaims"]
  verbs: ["*"]
- apiGroups: ["apps"]
  resources: ["deployments", "daemonsets", "statefulsets"]
  verbs: ["*"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
  resources: ["ingresses"]
  verbs: ["*"]
- apiGroups: ["apiextensions.k8s.io"]
  resources: ["customresourcedefinitions"]
  verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
  resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"]
  verbs: ["*"]
- apiGroups: ["sparkoperator.k8s.io"]
  resources: ["*"]
  verbs: ["*"]
- apiGroups: ["flink.apache.org"]
  resources: ["*"]
  verbs: ["*"]

Cloud product: Security Center
Service role name: sas-aliyunserviceroleforsas-clusterrolebinding
Applicable scope: cluster
RBAC access policy: sas-aliyunserviceroleforsas-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sas-aliyunserviceroleforsas-clusterrole
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["policygovernance-yundun-config"]
    verbs: ["get", "update", "patch"]
  - apiGroups: [""]
    resources: ["services","pods"]
    verbs: ["list"]  
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["list"] 
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses"]
    verbs: ["list"] 

Cloud product: ApsaraDB Tair
Service role name: tair-aliyunserviceroleforkvstore-clusterrolebinding
Applicable scope: cluster
RBAC access policy: tair-aliyunserviceroleforkvstore-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: tair-aliyunserviceroleforkvstore-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - nodes
    verbs:
      - get
      - list
  - apiGroups:
      - admissionregistration.k8s.io
    resources:
      - validatingwebhookconfigurations
      - mutatingwebhookconfigurations
    verbs:
      - get
      - list

Service role name: tair-aliyunserviceroleforkvstore-clusterrolebinding
Applicable scope: ack-tair namespace
RBAC access policy: tair-aliyunserviceroleforkvstore-role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: tair-aliyunserviceroleforkvstore-role
  namespace: ack-tair
rules:
  - apiGroups:
    - batch
    resources:
    - jobs
    verbs:
    - get
    - list
    - create
    - delete
  - apiGroups:
    - ""
    resources:
    - events
    verbs:
    - create
    - patch
    - get
    - list
  - apiGroups:
    - apps
    resources:
    - statefulsets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - apps
    resources:
    - deployments
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - configmaps
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - pods
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - pods/exec
    - pods/portforward
    - pods/proxy
    verbs:
    - create
    - get
  - apiGroups:
    - ""
    resources:
    - services
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - services/proxy
    verbs:
    - create
    - get
  - apiGroups:
    - tair.alibabacloud.com
    resources:
    - tairclusters
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch
  - apiGroups:
    - tair.alibabacloud.com
    resources:
    - tairclusters/finalizers
    verbs:
    - update
  - apiGroups:
    - tair.alibabacloud.com
    resources:
    - tairclusters/status
    verbs:
    - get
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - persistentvolumeclaims
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
  - apiGroups:
    - ""
    resources:
    - persistentvolumeclaims/status
    verbs:
    - get
  - apiGroups:
    - scheduling.sigs.k8s.io
    resources:
    - reserveresourcesets
    verbs:
    - create
    - delete
    - get
    - list
    - patch
    - update
    - watch

Cloud product: Enterprise Distributed Application Service (EDAS)
Service role name: edas-aliyunedasdefaultrole-clusterrolebinding
Applicable scope: cluster
RBAC access policy: edas-aliyunedasdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: edas-aliyunedasdefaultrole-clusterrole
rules:
  - apiGroups: [ "" ]
    resources: [ "nodes", "nodes/stats" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "" ]
    resources: [ "pods", "pods/exec", "pods/log", "pods/status", "limitranges", "services", "services/proxy", "namespaces", "endpoints", "configmaps", "secrets", "bindings", "resourcequotas", "serviceaccounts", "componentstatuses", "events", "persistentvolumeclaims", "persistentvolumes", "replicationcontrollers","podtemplates" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps" ]
    resources: [ "deployments","daemonsets","statefulsets","replicasets","deployments/scale","statefulsets/scale","statefulsets/status","deployments/status","controllerrevisions" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "extensions" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: ["batch"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["apiregistration.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [ "events.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["edas.aliyun.oam.com"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["autoscaling"]
    resources: ["*"]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: ["oam-domain.alibabacloud.com" ]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["core.oam.dev"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["flagger.app"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [ "keda.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "log.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "clm.cloudnativeapp.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "monitoring.coreos.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "admissionregistration.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "extension.oam.dev" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "authentication.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["*"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: [ "networking.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "scheduling.sigs.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "snapshot.storage.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "storage.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "storage.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "certificates.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "flowcontrol.apiserver.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "policy" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "authorization.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "external.metrics.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - nonResourceURLs: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "keda.sh" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "alibabacloud.com" ]
    resources: [ "albconfigs" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ]
  - apiGroups: [ "autoscaling.alibabacloud.com" ]
    resources: [ "advancedhorizontalpodautoscalers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete" ] 
  - apiGroups: [ "metrics.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "metrics.k8s.io" ]
    resources: [ "pods","nodes" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "coordination.k8s.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps.kruise.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "edas.alibabacloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "istio.aliyun.cloud.com" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "nacos.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]

Cloud product: ApsaraDB RDS
Service role name: aliyunmybasecpaasdefaultrole-clusterrolebinding
Applicable scope: cluster
RBAC access policy: rds-aliyunmybasecpaasdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: rds-aliyunmybasecpaasdefaultrole-clusterrole
rules:
- apiGroups:
  - ''
  resources:
  - nodes
  - namespaces
  - resourcequotas
  - limitranges
  - nodes/metrics
  - replicationcontrollers
  - nodes/proxy
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - ''
  resources:
  - services
  - configmaps
  - secrets
  - pods
  - pods/log
  - pods/exec
  - endpoints
  - persistentvolumes
  - persistentvolumeclaims
  - events
  verbs:
  - '*'
- apiGroups:
  - ''
  resources:
  - serviceaccounts
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - ''
  resourceNames:
  - mybase-operator
  - polardbx-operator
  - pre-install-kibana-kibana
  - filebeat-filebeat
  - post-delete-kibana-kibana
  resources:
  - serviceaccounts
  verbs:
  - '*'
- apiGroups:
  - '*'
  resources:
  - namespaces
  verbs:
  - patch
  - list
  - create
  - watch
  - get
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - '*'
- apiGroups:
  - apps
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - controllerrevisions
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - apps
  resourceNames:
  - filebeat-filebeat
  - logstash-logstash
  - kibana-kibana
  - elasticsearch-master
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - batch
  resources:
  - jobs
  - cronjobs
  verbs:
  - '*'
- apiGroups:
  - extensions
  resources:
  - ingresses
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - extensions
  resources:
  - deployments
  - daemonsets
  - statefulsets
  - controllerrevisions
  - replicasets
  verbs:
  - '*'
- apiGroups:
  - networking.k8s.io
  resources:
  - ingresses
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - events.k8s.io
  resources:
  - events
  verbs:
  - '*'
- apiGroups:
  - rbac.authorization.k8s.io
  resources:
  - clusterroles
  - clusterrolebindings
  - roles
  - rolebindings
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - rbac.authorization.k8s.io
  resourceNames:
  - mybase-operator
  - polardbx-operator
  - polardbx-controller-manager
  - mybase-monitoring
  - filebeat-filebeat-role
  - filebeat-filebeat-role-binding
  - filebeat-filebeat-cluster-role
  - filebeat-filebeat-cluster-role-binding
  - pre-install-kibana-kibana
  - post-delete-kibana-kibana
  resources:
  - clusterroles
  - clusterrolebindings
  - roles
  - rolebindings
  verbs:
  - '*'
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - apiextensions.k8s.io
  resourceNames:
  - mybaseappinstancebackuppolicies.apps.k8s.mybase.aliyun.com
  - mybaseappdefinitions.apps.k8s.mybase.aliyun.com
  - mybaseappinstanceops.apps.k8s.mybase.aliyun.com
  - mybaseappinstances.apps.k8s.mybase.aliyun.com
  - polardbxbackupbinlogs.polardbx.aliyun.com
  - polardbxbackups.polardbx.aliyun.com
  - polardbxbackupschedules.polardbx.aliyun.com
  - polardbxclusterknobs.polardbx.aliyun.com
  - polardbxclusters.polardbx.aliyun.com
  - polardbxlogcollectors.polardbx.aliyun.com
  - polardbxmonitors.polardbx.aliyun.com
  - polardbxparameters.polardbx.aliyun.com
  - polardbxparametertemplates.polardbx.aliyun.com
  - systemtasks.polardbx.aliyun.com
  - xstorebackups.polardbx.aliyun.com
  - xstorefollowers.polardbx.aliyun.com
  - xstores.polardbx.aliyun.com
  resources:
  - customresourcedefinitions
  verbs:
  - '*'
- apiGroups:
  - monitoring.coreos.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apps.k8s.mybase.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - polardbx.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - v1.admission.polardbx.aliyun.com
  resources:
  - '*'
  verbs:
  - '*'
- apiGroups:
  - apiregistration.k8s.io
  resources:
  - apiservices
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - apiregistration.k8s.io
  resourceNames:
  - v1.admission.polardbx.aliyun.com
  resources:
  - apiservices
  verbs:
  - '*'
- apiGroups:
  - admissionregistration.k8s.io
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - list
  - get
  - watch
  - create
- apiGroups:
  - admissionregistration.k8s.io
  resourceNames:
  - polardbxcluster-mutate.polardbx.aliyun.com
  - polardbxcluster-validate.polardbx.aliyun.com
  resources:
  - mutatingwebhookconfigurations
  - validatingwebhookconfigurations
  verbs:
  - '*'
- apiGroups:
  - autoscaling
  resources:
  - horizontalpodautoscalers
  verbs:
  - list
  - get
  - watch
- apiGroups:
  - policy
  resources:
  - poddisruptionbudgets
  verbs:
  - update
  - delete
  - patch
  - create
  - list
  - get
  - watch
- nonResourceURLs:
  - /metrics
  verbs:
  - get

Cloud product: CloudMonitor
Service role name: aliyunserviceroleforcloudmonitor-clusterrolebinding
Applicable scope: cluster
RBAC access policy: cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudmonitor-aliyunserviceroleforcloudmonitor-clusterrole
rules:
  - apiGroups: ["vector.oam.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["o11y.aliyun.dev"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["pods","replicationcontrollers","podtemplates", "nodes", "services","events","persistentvolumes","persistentvolumeclaims","componentstatuses","bindings", "namespaces","endpoints", "configmaps", "secrets", "resourcequotas", "serviceaccounts","pods/log","services/proxy"]
    verbs: ["*"]
  - apiGroups: [""]
    resources: ["nodes/metrics"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["limitranges"]
    verbs: ["list", "watch"]
  - apiGroups: ["admissionregistration.k8s.io"]
    resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["list", "watch"]
  - apiGroups: ["batch"]
    resources: ["cronjobs", "jobs"]
    verbs: ["list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["list", "watch"]
  - apiGroups: ["policy"]
    resources: ["poddisruptionbudgets"]
    verbs: ["list", "watch"]
  - apiGroups: ["certificates.k8s.io"]
    resources: ["certificatesigningrequests"]
    verbs: ["list", "watch"]
  - apiGroups: ["storage.k8s.io"]
    resources: ["storageclasses","volumeattachments"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["coordination.k8s.io"]
    resources: ["leases"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps","extensions"]
    resources: ["deployments", "daemonsets", "statefulsets","replicasets","networkpolicies"]
    verbs: ["*"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["*"]
  - apiGroups: ["monitoring.coreos.com"]
    resources: ["alertmanagers","podmonitors","prometheuses","prometheuses/finalizers","alertmanagers/finalizers","servicemonitors","prometheusrules","probes"]
    verbs: ["*"]
  - apiGroups: ["monitor.aliyun.com"]
    resources: ["alicloudpromrules","alicloudpromrules/status"]
    verbs: ["*"]
  - apiGroups: ["rbac.authorization.k8s.io"]
    resources: ["rolebindings","roles","clusterroles","clusterrolebindings"]
    verbs: ["*"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["networkpolicies","ingresses","ingressclasses"]
    verbs: ["*"]
  - apiGroups: ["apps.kruise.io"]
    resources: ["statefulsets"]
    verbs: ["*"]
  - apiGroups: ["nsm.alibabacloud.com"]
    resources: ["networkservices"]
    verbs: ["*"]
  - nonResourceURLs:
      - "/metrics"
    verbs:
      - get
  - apiGroups: [""]
    resources: ["serviceaccounts/token"]
    verbs: ["create"]
  - apiGroups: ["log.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]
  - apiGroups: ["telemetry.alibabacloud.com"]
    resources: ["*"]
    verbs: ["*"]

Cloud product: Microservices Engine (MSE)
Service role name: mse-aliyunserviceroleformse-clusterrolebinding
Applicable scope: cluster
RBAC access policy: mse-aliyunserviceroleformse-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mse-aliyunserviceroleformse-clusterrole
rules:
  # base
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

  # ingress
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # Use for Kubernetes Service APIs
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]

  # CRD
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # istio
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries/status" ]
 
  # demo
  - apiGroups: [""]
    resources: ["services", "namespaces"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create"]

Service role name: mse-aliyunserviceroleformsediagnosis-clusterrolebinding
Applicable scope: cluster
RBAC access policy: mse-aliyunserviceroleformsediagnosis-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mse-aliyunserviceroleformsediagnosis-clusterrole
rules:
  # base
  - apiGroups: [ "" ]
    resources: [ "nodes", "nodes/stats" ]
    verbs: [ "get", "watch" ]
  - apiGroups: [ "" ]
    resources: [ "pods", "pods/exec", "pods/log", "pods/status", "services", "services/proxy", "namespaces", "endpoints", "configmaps", "componentstatuses", "events","podtemplates" ]
    verbs: [ "get", "watch", "create"]
  - apiGroups: [ "apps" ]
    resources: [ "deployments","daemonsets","statefulsets","replicasets","statefulsets/status","deployments/status" ]
    verbs: [ "get", "watch", "create"]

Cloud product: API Gateway
Service role name: apig-aliyunservicerolefornativeapigw-clusterrolebinding
Applicable scope: cluster
RBAC access policy: apig-aliyunservicerolefornativeapigw-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apig-aliyunservicerolefornativeapigw-clusterrole
rules:
  # base
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]

  # ingress
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]

  # Use for Kubernetes Service APIs
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]

  # CRD
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]

  # istio
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries" ]
  - apiGroups: ["networking.istio.io"]
    verbs: [ "get", "watch", "list", "update", "patch", "create", "delete" ]
    resources: [ "workloadentries/status" ]
 
  # demo
  - apiGroups: [""]
    resources: ["services", "namespaces"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create"]

Cloud product: Simple Log Service (SLS)
Service role name: sls-aliyunserviceroleforslsaudit-clusterrolebinding
Applicable scope: cluster
RBAC access policy: sls-aliyunserviceroleforslsaudit-role

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sls-aliyunserviceroleforslsaudit-role
rules:
  - apiGroups:
    - "*"
    resources:
    - "*"
    verbs:
    - get
    - list
    - watch
  - apiGroups: 
    - "*"
    resources: 
    - namespaces
    - deployments
    - serviceaccounts
    - clusterroles
    - clusterrolebindings
    - daemonsets
    - services
    - aliyunlogconfigs
    verbs: 
    - create
    - patch
    - delete
  - nonResourceURLs:
    - /metrics
    verbs:
    - get

Cloud product: Alibaba Cloud Elasticsearch
Service role name: elasticsearch-aliyunserviceroleforelasticsearchcollector-rolebinding
Applicable scope: captain-system namespace
RBAC access policy: elasticsearch-aliyunserviceroleforelasticsearchcollector-role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-role
  namespace: captain-system
rules:
  - apiGroups:
      - ""
    resources:
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
      - secrets
      - services/proxy
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - secrets
      - serviceaccounts
      - services
      - services/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - networkpolicies
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - services/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - cronjobs/status
      - jobs
      - jobs/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - ingresses
      - ingresses/status
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicasets/status
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingresses/status
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - app.alauda.io
    resources:
      - helmrequests
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch

elasticsearch-aliyunserviceroleforelasticsearchcollector-rolebinding

logging namespace

elasticsearch-aliyunserviceroleforelasticsearchcollector-role

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-role
  namespace: logging
rules:
  - apiGroups:
      - ""
    resources:
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
      - secrets
      - services/proxy
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - serviceaccounts
    verbs:
      - impersonate
  - apiGroups:
      - ""
    resources:
      - pods
      - pods/attach
      - pods/exec
      - pods/portforward
      - pods/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - replicationcontrollers
      - replicationcontrollers/scale
      - secrets
      - serviceaccounts
      - services
      - services/proxy
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - apps
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - replicasets
      - replicasets/scale
      - statefulsets
      - statefulsets/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - jobs
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - deployments
      - deployments/rollback
      - deployments/scale
      - ingresses
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicationcontrollers/scale
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - networkpolicies
    verbs:
      - create
      - delete
      - deletecollection
      - patch
      - update
  - apiGroups:
      - ""
    resources:
      - configmaps
      - endpoints
      - persistentvolumeclaims
      - persistentvolumeclaims/status
      - pods
      - replicationcontrollers
      - replicationcontrollers/scale
      - serviceaccounts
      - services
      - services/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - bindings
      - events
      - limitranges
      - namespaces/status
      - pods/log
      - pods/status
      - replicationcontrollers/status
      - resourcequotas
      - resourcequotas/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - namespaces
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - controllerrevisions
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - replicasets
      - replicasets/scale
      - replicasets/status
      - statefulsets
      - statefulsets/scale
      - statefulsets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - autoscaling
    resources:
      - horizontalpodautoscalers
      - horizontalpodautoscalers/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - batch
    resources:
      - cronjobs
      - cronjobs/status
      - jobs
      - jobs/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - daemonsets
      - daemonsets/status
      - deployments
      - deployments/scale
      - deployments/status
      - ingresses
      - ingresses/status
      - networkpolicies
      - replicasets
      - replicasets/scale
      - replicasets/status
      - replicationcontrollers/scale
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - policy
    resources:
      - poddisruptionbudgets
      - poddisruptionbudgets/status
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.k8s.io
    resources:
      - ingresses
      - ingresses/status
      - networkpolicies
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - authorization.k8s.io
    resources:
      - localsubjectaccessreviews
    verbs:
      - create
  - apiGroups:
      - rbac.authorization.k8s.io
    resources:
      - rolebindings
      - roles
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - app.alauda.io
    resources:
      - helmrequests
      - releases
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - elasticsearch.kubernetes.aliyun.com
    resources:
      - logcollectors
      - indexlifecyclebindings
      - indexlifecyclepolicies
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch
  - apiGroups:
      - beat.kubernetes.aliyun.com
    resources:
      - beats
    verbs:
      - create
      - delete
      - deletecollection
      - get
      - list
      - patch
      - update
      - watch

elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrolebinding

cluster

elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: elasticsearch-aliyunserviceroleforelasticsearchcollector-clusterrole
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "configmaps", "secrets"]
    verbs: ["get", "list", "watch", "patch", "update", "create"]
  - apiGroups: ["apps"]
    resources: ["replicasets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
  - apiGroups: ["app.alauda.io"]
    resources: ["helmrequests"]
    verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]

Platform for AI

pai-aliyunpaidlcdefaultrole-clusterrolebinding

cluster

pai-aliyunpaidlcdefaultrole-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pai-aliyunpaidlcdefaultrole-clusterrole
rules:
  - apiGroups: [ "" ]
    resources: [ "secrets", "secrets/status", "services", "namespaces", "endpoints", "serviceaccounts", "configmaps/status",
                 "persistentvolumes", "persistentvolumes/status", "events", "events/status", "persistentvolumeclaims", "pods", "pods/log", "replicationcontrollers", "bindings",
                 "limitranges", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy", "services/proxy"]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "" ]
    resources: [ "serviceaccounts" ]
    verbs: [ "impersonate" ]
  - apiGroups: [ "" ]
    resources: [ "configmaps", "pods", "services", "secrets", "endpoints", "configmaps" ]
    verbs: [ "*" ]
  - apiGroups: [ "" ]
    resources: [ "pods/status", "pods/binding", "namespaces/status", "persistentvolumeclaims/status", "replicationcontrollers/scale",
                 "replicationcontrollers/status", "resourcequotas", "resourcequotas/status", "services/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "" ]
    resources: [ "nodes", "nodes/status" ]
    verbs: [ "create", "delete", "update", "get", "list", "watch", "patch", "deletecollection" ]
  - apiGroups: [ "apps" ]
    resources: [ "statefulsets", "daemonsets", "deployments", "controllerrevisions", "replicasets" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps" ]
    resources: [ "statefulsets/status", "daemonsets/status", "deployments/scale", "deployments/status",
                 "replicasets/scale", "replicasets/status", "statefulsets/scale", "deployments/rollback" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "rbac.authorization.k8s.io" ]
    resources: [ "clusterrolebindings", "clusterroles", "roles", "roles/status", "rolebindings", "rolebindings/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "authentication.k8s.io" ]
    resources: [ "tokenreviews" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "authorization.k8s.io" ]
    resources: [ "subjectaccessreviews" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "admissionregistration.k8s.io" ]
    resources: [ "mutatingwebhookconfigurations", "validatingwebhookconfigurations" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "networking.k8s.io" ]
    resources: [ "ingresses", "ingresses/status", "networkpolicies" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apiextensions.k8s.io" ]
    resources: [ "customresourcedefinitions" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "batch" ]
    resources: [ "jobs", "cronjobs", "jobs/status", "cronjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "batch/v1" ]
    resources: [ "jobs" ]
    verbs: [ "get", "create", "list", "watch", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "autoscaling" ]
    resources: [ "horizontalpodautoscalers", "horizontalpodautoscalers/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "coordination.k8s.io" ]
    resources: [ "leases", "leases/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "coordination.k8s.io" ]
    resources: [ "leases" ]
    verbs: [ "*" ]
  - apiGroups: [ "data.fluid.io" ]
    resources: [ "datasets", "datasets/status", "jindoruntimes", "jindoruntimes/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "extensions" ]
    resources: [ "replicasets", "replicasets/status", "daemonsets", "daemonsets/status", "deployments",
                 "deployments/scale", "deployments/status", "deployments/rollback", "ingresses", "ingresses/status", "networkpolicies",
                 "replicasets/scale", "replicationcontrollers/scale" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "metrics.k8s.io" ]
    resources: [ "nodes", "pods" ]
    verbs: [ "get", "list", "watch" ]
  - apiGroups: [ "kubeflow.org" ]
    resources: [ "tfjobs", "pytorchjobs", "tfjobs/status", "pytorchjobs/status", "mpijobs", "mpijobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "xdl.kubedl.io" ]
    resources: [ "xdljobs", "xdljobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "xgboostjob.kubeflow.org" ]
    resources: [ "xgboostjobs", "xgboostjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "events.k8s.io" ]
    resources: [ "events" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "policy" ]
    resources: [ "poddisruptionbudgets", "poddisruptionbudgets/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "apps.kruise.io" ]
    resources: [ "statefulsets" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.alibabacloud.com" ]
    resources: [ "gpudevices", "allocgroups", "allocgroups/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "gputopology.kubedl.io" ]
    resources: [ "gputopologies" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "storage.k8s.io" ]
    resources: [ "storageclasses", "csinodes", "volumeattachments" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.k8s.io" ]
    resources: [ "priorityclasses" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.x-k8s.io" ]
    resources: [ "queueunits", "queueunits/status", "queues" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "scheduling.sigs.k8s.io" ]
    resources: [ "elasticquotatrees" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "certificates.k8s.io" ]
    resources: [ "certificatesigningrequests", "certificatesigningrequests/approval", "signers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection", "approve" ]
  - apiGroups: [ "discovery.k8s.io" ]
    resources: [ "endpointslices" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "monitoring.coreos.com" ]
    resources: [ "servicemonitors" ]
    verbs: [ "get", "create", "list", "watch", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "inference.kubedl.io" ]
    resources: [ "elasticbatchjobs", "elasticbatchjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "gateway.solo.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "argoproj.io" ]
    resources: [ "clusterworkflowtemplates", "clusterworkflowtemplates/finalizers", "cronworkflows", "cronworkflows/finalizers",
                 "workflows", "workflows/finalizers", "workflowtemplates", "workflowtemplates/finalizers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "paiflow.alibaba-inc.com" ]
    resources: [ "clusterworkflowtemplates", "clusterworkflowtemplates/finalizers", "cronworkflows", "cronworkflows/finalizers",
                 "workflows", "workflows/finalizers", "workflowtemplates", "workflowtemplates/finalizers",
                 "workfloweventbindings", "workfloweventbindings/finalizers" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "dlc.alibaba.com" ]
    resources: [ "datasources", "datasources/status", "dlcinstanceresourcepatches", "dlcinstanceresourcepatches/status",
                 "dlcinstances", "dlcinstances/status", "resourcegroups", "resourcegroups/status", "tensorboards", "tensorboards/status"]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "eas.alibaba-inc.k8s.io" ]
    resources: [ "resourcemigrations", "resourcemigrations/status", "tenantresources", "tenantresources/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "paiflow.pai.alibaba-inc.com" ]
    resources: [ "aiworkspaces" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "gloo.solo.io", "enterprise.gloo.solo.io", "graphql.gloo.solo.io" ]
    resources: [ "*" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "ratelimit.solo.io" ]
    resources: [ "ratelimitconfigs", "ratelimitconfigs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "dsw.alibaba.com" ]
    resources: [ "dswinstances", "dswinstances/status", "idleinstancecullers", "idleinstancecullers/status",
                 "images", "images/status", "notebooks", "notebooks/status", "credentials", "credentials/status",
                 "nasvolumes", "nasvolumes/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: [ "training.pai.alibaba-inc.com" ]
    resources: [ "trainingjobs", "trainingjobs/status" ]
    verbs: [ "get", "list", "watch", "create", "update", "patch", "delete", "deletecollection" ]
  - apiGroups: ["scheduling.sigs.k8s.io"]
    resources: ["podgroups"]
    verbs: ["get", "delete"]

Cloud-native Application Assembly Platform (BizWorks)

bizworks-aliyunserviceroleforbizworks-clusterrolebinding

cluster

This role has the highest level of permissions and can install any Helm chart.

bizworks-aliyunserviceroleforbizworks-clusterrole

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: bizworks-aliyunserviceroleforbizworks-clusterrole
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

Customize RBAC permissions for an Alibaba Cloud service to access an ACK cluster

To customize the permissions that an Alibaba Cloud service has on ACK cluster resources, edit the ClusterRole that corresponds to the service in the cluster: add the annotation inner.service.alibabacloud.com/user-customized: "true" to the ClusterRole and define the custom access policy in its rules field. The following example shows the format.

Important

Customizing a specified RBAC role may affect the functionality of the corresponding Alibaba Cloud service. Test the features thoroughly and proceed with caution.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    inner.service.alibabacloud.com/user-customized: "true"
  name: test-aliyunserviceroleforarms-clusterrole
rules:
- apiGroups:
  - test
  resources:
  - '*'
  verbs:
  - '*'
...

Deny an Alibaba Cloud service access to an ACK cluster

  • Follow the instructions in Customize RBAC permissions for an Alibaba Cloud service to access an ACK cluster. Add the annotation inner.service.alibabacloud.com/user-customized: "true" to the ClusterRole of the specific Alibaba Cloud service and delete all permissions in the rules field. This removes every permission that the service has in the ACK cluster.

  • You can also deny access by deleting the corresponding RAM service role for the Alibaba Cloud service in the Resource Access Management (RAM) console. For more information, see Delete a RAM role.
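As an added example that is not part of the ACK documentation, the following Python script audits a service Role or ClusterRole exported with `kubectl get clusterrole NAME -o json`: it evaluates the rules the way the RBAC authorizer matches apiGroups, resources and verbs (including the `*` and `*/subresource` wildcards), flags grants worth reviewing, and reports whether the object carries the user-customized annotation or has had all rules removed as in the deny procedure above. The sample objects, the list of sensitive grants and the read-only replacement rules are constructed for the example.

```python
# Added example, not from the ACK documentation: audit a service Role/ClusterRole
# exported as JSON, flag grants worth reviewing, and report whether it carries the
# user-customized annotation or has had every rule removed (the deny pattern).
import json
import sys

CUSTOMIZED_ANNOTATION = "inner.service.alibabacloud.com/user-customized"
# (finding label, apiGroup, resource, verb); the selection is this example's own.
SENSITIVE_GRANTS = [
    ("full cluster admin", "*", "*", "*"),
    ("impersonate serviceaccounts", "", "serviceaccounts", "impersonate"),
    ("read secrets", "", "secrets", "get"),
    ("exec into pods", "", "pods/exec", "create"),
    ("approve CSRs", "certificates.k8s.io", "certificatesigningrequests/approval", "update"),
    ("write clusterrolebindings", "rbac.authorization.k8s.io", "clusterrolebindings", "create"),
]

def _covers(allowed, wanted):
    """Match one RBAC list entry: '*' matches everything, and a '*/sub'
    resource entry matches that subresource of every resource."""
    for entry in allowed:
        if entry in ("*", wanted):
            return True
        if entry.startswith("*/") and "/" in wanted and wanted.split("/", 1)[1] == entry[2:]:
            return True
    return False

def rule_grants(rule, group, resource, verb):
    """Evaluate one PolicyRule for a resource request as the RBAC authorizer
    does: apiGroups, resources and verbs must all match."""
    if "resources" not in rule:  # a nonResourceURLs rule never grants resource access
        return False
    return (_covers(rule.get("apiGroups") or [], group)
            and _covers(rule["resources"], resource)
            and _covers(rule.get("verbs") or [], verb))

def role_grants(role, group, resource, verb):
    return any(rule_grants(r, group, resource, verb) for r in role.get("rules") or [])

def sensitive_findings(role):
    """Labels of the sensitive grants present in a Role or ClusterRole."""
    found = [label for label, g, r, v in SENSITIVE_GRANTS if role_grants(role, g, r, v)]
    if any("*" in (r.get("nonResourceURLs") or []) for r in role.get("rules") or []):
        found.append("all non-resource URLs")
    return found

def is_user_customized(role):
    annotations = role.get("metadata", {}).get("annotations") or {}
    return annotations.get(CUSTOMIZED_ANNOTATION) == "true"

def audit(role):
    """Summary for one exported Role/ClusterRole object."""
    return {"name": role["metadata"]["name"], "kind": role.get("kind"),
            "customized": is_user_customized(role), "denied": not role.get("rules"),
            "findings": sensitive_findings(role)}

# Constructed sample mirroring the wildcard rules of the documented bizworks ClusterRole.
BIZWORKS_ROLE = {"kind": "ClusterRole",
                 "metadata": {"name": "bizworks-aliyunserviceroleforbizworks-clusterrole"},
                 "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                           {"nonResourceURLs": ["*"], "verbs": ["*"]}]}
# Constructed: the same object after a hypothetical read-only customization (illustrative rules).
CUSTOMIZED_ROLE = {"kind": "ClusterRole",
                   "metadata": {"name": BIZWORKS_ROLE["metadata"]["name"],
                                "annotations": {CUSTOMIZED_ANNOTATION: "true"}},
                   "rules": [{"apiGroups": ["apps"], "resources": ["deployments", "*/scale"],
                              "verbs": ["get", "list", "watch"]}]}
# Constructed: annotated with every rule removed, the deny pattern.
DENIED_ROLE = {"kind": "ClusterRole", "metadata": CUSTOMIZED_ROLE["metadata"], "rules": []}

if __name__ == "__main__":  # pass an exported JSON file as argv[1], else audit the samples
    roles = [json.load(open(sys.argv[1]))] if len(sys.argv) > 1 else [BIZWORKS_ROLE, CUSTOMIZED_ROLE, DENIED_ROLE]
    for role in roles:
        print(json.dumps(audit(role), indent=2))
```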