By default, ACK managed clusters create a single worker Resource Access Management (RAM) role shared by all nodes. Every node in the cluster inherits the same permissions, which can result in unintentional over-permissioning. Assigning a custom worker RAM role to each node pool isolates permissions at the node-pool level, reducing the risk of all nodes in the cluster sharing the same permissions.
Prerequisites
Before you begin, make sure you have:
- An ACK managed cluster running Kubernetes 1.22 or later. See Create an ACK managed cluster.
Limitations
- A custom worker RAM role can only be assigned when creating a cluster or a node pool. You cannot change the worker RAM role of an existing node pool.
Step 1: Create a RAM role
The RAM role must meet two requirements:
- The role name must not start with KubernetesMasterRole- or KubernetesWorkerRole-.
- The trusted service must be Elastic Compute Service.
Use one of the following methods to create the role.
Console
Follow the instructions in Create a regular service role. When prompted to select a trusted service, choose Elastic Compute Service.
OpenAPI or Terraform
Create the role using OpenAPI or Terraform, then configure the trust policy as follows. For details on editing the trust policy, see Edit the trust policy of a RAM role.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
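The two Step 1 requirements are easy to get wrong when roles are created through OpenAPI or Terraform rather than the console, so the following Python script checks a candidate role name and trust policy against them before the role is used for a node pool. It is an added example, not code from Alibaba Cloud or the ACK documentation; the function name check_worker_role and the sample policies are constructed for illustration, and the trust-policy document it accepts is the JSON shape shown above.

```python
import json

# Prefixes reserved for the roles ACK creates for itself (from the page).
RESERVED_PREFIXES = ("KubernetesMasterRole-", "KubernetesWorkerRole-")
# The service a worker RAM role must trust so ECS nodes can assume it (from the page).
REQUIRED_TRUSTED_SERVICE = "ecs.aliyuncs.com"


def _as_list(value):
    """RAM policy fields such as Action and Service may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_worker_role(role_name, trust_policy_json):
    """Return a list of problems; an empty list means the role meets the Step 1 rules."""
    problems = []
    for prefix in RESERVED_PREFIXES:
        if role_name.startswith(prefix):
            problems.append(f"role name starts with reserved prefix {prefix}")
    try:
        policy = json.loads(trust_policy_json)
    except json.JSONDecodeError as exc:
        return problems + [f"trust policy is not valid JSON: {exc}"]

    trusts_ecs = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        if REQUIRED_TRUSTED_SERVICE in _as_list(principal.get("Service")):
            trusts_ecs = True
        # Trusting RAM users or accounts as well would let principals other than
        # the node pool's ECS instances act with the node pool's permissions.
        for ram_principal in _as_list(principal.get("RAM")):
            problems.append(f"trust policy also trusts RAM principal {ram_principal}")
    if not trusts_ecs:
        problems.append(f"no Allow sts:AssumeRole statement trusts {REQUIRED_TRUSTED_SERVICE}")
    return problems


# Constructed sample input: the trust policy shown on this page.
ECS_TRUST_POLICY = """{
  "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["ecs.aliyuncs.com"]}}
  ],
  "Version": "1"
}"""

# Constructed sample input: trusts a placeholder service instead of ECS,
# so nodes in the pool could never assume the role.
WRONG_SERVICE_TRUST_POLICY = """{
  "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow",
     "Principal": {"Service": ["placeholder-service.example"]}}
  ],
  "Version": "1"
}"""


if __name__ == "__main__":
    # Hypothetical role names, constructed for the demonstration.
    for name, policy in [("ack-worker-pool-a", ECS_TRUST_POLICY),
                         ("KubernetesWorkerRole-custom", ECS_TRUST_POLICY),
                         ("ack-worker-pool-b", WRONG_SERVICE_TRUST_POLICY)]:
        print(name, check_worker_role(name, policy) or "OK")
```

Run it against the trust policy returned by your OpenAPI or Terraform tooling before creating the node pool; the RAM-principal check goes slightly beyond the page's two rules and flags a trust policy that would let non-ECS principals assume the node role.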
Step 2: Assign the role when creating a node pool
In the ACK console, when creating a cluster or a node pool, expand Advanced Options and set Worker RAM Role to the role you created in Step 1.
For field-by-field guidance, see:
Grant the ram:PassRole permission to RAM users or roles
If you are operating as a RAM user or RAM role, you also need the ram:PassRole permission to assign a worker RAM role during node pool creation.
If the RAM user or RAM role already has the AliyunCSFullAccess permission, the ram:PassRole permission is not required.
Use one of the following permission policy examples. For instructions on creating and attaching policies, see Create a custom policy, Grant permissions to a RAM user, and Grant permissions to a RAM role.
Authorize a specific RAM role
Replace <role_arn> with the ARN of your RAM role. To find the ARN, see How do I view the ARN of a RAM role?
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": [
        "<role_arn>"
      ],
      "Condition": {
        "StringEquals": {
          "acs:Service": [
            "cs.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
Authorize all RAM roles
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ram:PassRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:Service": [
            "cs.aliyuncs.com"
          ]
        }
      }
    }
  ]
}
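The difference between the two policies above is the Resource element: the first lets the principal pass only the named worker role to Container Service, the second lets it pass any role in the account. The following Python script, an added example that is not part of the Alibaba Cloud documentation, reads a ram:PassRole policy and reports where it is broader than the specific-role form: a wildcard Resource, or a missing or different acs:Service condition. The function name passrole_findings and the sample role ARN are constructed for illustration.

```python
import json

# The service that must be the only recipient of the passed role (from the page).
PASSROLE_CONSUMER = "cs.aliyuncs.com"


def _as_list(value):
    """RAM policy fields such as Action and Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def passrole_findings(policy_json):
    """Return findings describing how broadly the policy grants ram:PassRole.

    An empty list means every PassRole grant names specific role ARNs and is
    conditioned on acs:Service equal to cs.aliyuncs.com.
    """
    policy = json.loads(policy_json)
    findings = []
    grants = 0
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        # Wildcard actions such as "ram:*" or "*" also cover PassRole.
        if not any(a in ("ram:PassRole", "ram:*", "*") for a in actions):
            continue
        grants += 1
        resources = _as_list(stmt.get("Resource"))
        if any(r == "*" or r.endswith("role/*") for r in resources):
            findings.append(f"statement {idx}: Resource {resources} allows passing any RAM role, "
                            "not only the worker role")
        services = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("acs:Service"))
        if services != [PASSROLE_CONSUMER]:
            findings.append(f"statement {idx}: acs:Service condition is {services or 'missing'}; "
                            f"expected [{PASSROLE_CONSUMER!r}]")
    if grants == 0:
        findings.append("policy grants no ram:PassRole (required unless AliyunCSFullAccess is attached)")
    return findings


# Constructed sample ARN; a real one has the form shown in the RAM console.
SAMPLE_ROLE_ARN = "acs:ram::1234567890123456:role/ack-worker-pool-a"

# Constructed sample: the page's specific-role policy with the placeholder filled in.
SCOPED_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow", "Action": "ram:PassRole",
        "Resource": [SAMPLE_ROLE_ARN],
        "Condition": {"StringEquals": {"acs:Service": ["cs.aliyuncs.com"]}},
    }],
})

# Constructed sample: the page's all-roles policy.
WILDCARD_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{
        "Effect": "Allow", "Action": "ram:PassRole", "Resource": "*",
        "Condition": {"StringEquals": {"acs:Service": ["cs.aliyuncs.com"]}},
    }],
})

# Constructed sample: specific role, but no service condition at all.
NO_CONDITION_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "ram:PassRole", "Resource": [SAMPLE_ROLE_ARN]}],
})


if __name__ == "__main__":
    for label, doc in [("scoped", SCOPED_POLICY), ("wildcard", WILDCARD_POLICY),
                       ("no-condition", NO_CONDITION_POLICY)]:
        print(label, passrole_findings(doc) or "tightly scoped")
```

The wildcard-Resource form is convenient when one RAM user creates node pools with many different worker roles, but the specific-role form is the one to prefer when the user only ever needs to pass a known set of roles, since it limits which roles' permissions that user can hand to the cluster.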
What's next
A newly created RAM role has no permissions by default. Grant the permissions the node pool needs and revoke any that are no longer needed.
Grant permissions
- Console: Create a custom policy and Grant permissions to a RAM role
- OpenAPI: CreatePolicy and AttachPolicyToRole
- Terraform: Create a RAM role and grant permissions using Terraform
Revoke permissions
Revoke permissions that are no longer needed as soon as possible. See Revoke permissions from a RAM role.