Accessing an ACK cluster requires two authorization layers: RAM and Kubernetes RBAC. By default, only the Alibaba Cloud account and the cluster creator have full administrative permissions. Other RAM users or RAM roles must first receive RAM permissions to access the cluster, then receive RBAC permissions to operate on Kubernetes resources within it.
This article covers:
How RAM and RBAC work together to control cluster access
How to grant RBAC permissions using an Alibaba Cloud account
How to delegate RBAC permission management to a designated permissions administrator
How it works
ACK's authorization model integrates two distinct layers: Alibaba Cloud RAM and Kubernetes RBAC. Both layers are required — neither alone is sufficient.
RAM: Controls who can access the cluster. It operates at the cloud resource level, managing permissions for API calls to ACK and its dependent services.
RBAC: Controls what a user can do inside the cluster. It provides fine-grained authorization within Kubernetes, defining which users can perform specific actions (such as create or delete) on specific types of resources (such as Pods or Deployments).
Kubernetes RBAC mechanism
RBAC permissions are managed through two pairs of objects:
ClusterRole and ClusterRoleBinding: A ClusterRole defines a set of permissions that apply cluster-wide. A ClusterRoleBinding binds it to a user or role.
Role and RoleBinding: A Role defines permissions scoped to a single namespace. A RoleBinding binds it to a user or role within that namespace.
Prerequisites
Before you begin, make sure you have:
An Alibaba Cloud account or a RAM identity with sufficient permissions to log on to the ACK console
RAM users or RAM roles that have already been granted RAM permissions to access the cluster
Grant RBAC permissions using an Alibaba Cloud account
Log on to the Container Service Management Console. In the left navigation pane, click Authorizations.
Grant permissions to a RAM user or RAM role:
For a RAM user: On the RAM Users tab, find the user to authorize and click Modify Permissions in the Actions column.
For a RAM role: On the RAM Roles tab, select the role to authorize and click Modify Permissions.
In the Permission Management panel, click + Add Permissions, select the scope (either a specific cluster or namespace), and choose a predefined role to grant the desired level of access.
Delegate RBAC permission management
By default, a RAM user or RAM role cannot grant RBAC permissions to other identities. To delegate this responsibility, designate a RAM user or role as a permissions administrator.
Step 1: Grant the necessary RAM permissions
A permissions administrator needs RAM permissions to view RAM identity information, cluster lists, and existing RBAC configurations, and to grant RBAC permissions in a cluster. Choose one of the following methods:
Method 1: Use system policies
The AliyunRAMReadOnlyAccess and AliyunCSFullAccess system policies grant broad permissions. For fine-grained control, use Method 2: Use a custom policy.
Log on to the RAM console using an Alibaba Cloud account.
For a RAM user: In the left navigation pane, choose Identities > Users, find the user to authorize, and click Add Permissions in the Actions column.
For a RAM role: In the left navigation pane, choose Identities > Roles, find the role to authorize, and click Grant Permissions in the Actions column.
Set Resource Scope to Account. In the Policy section, select the AliyunRAMReadOnlyAccess and AliyunCSFullAccess system policies, and complete the authorization.
Method 2: Use a custom policy
A permissions administrator must have permissions to:
View information about other RAM identities
View cluster lists and details
View existing RBAC configurations for a cluster
Grant RBAC permissions in a cluster
Log on to the RAM console and attach the following custom policy to the target RAM user or role. For more information, see Grant permissions using custom policies.
{
    "Statement": [{
        "Action": [
            "ram:Get*",
            "ram:List*",
            "cs:Get*",
            "cs:Describe*",
            "cs:List*",
            "cs:GrantPermission"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }],
    "Version": "1"
}
Step 2: Grant the Administrator RBAC role
Log on to the ACK console using an Alibaba Cloud account and grant the predefined Administrator role to the designated RAM user or role at the cluster scope.
Log on to the Container Service Management Console. In the left navigation pane, click Authorizations.
Grant permissions to a RAM user or RAM role:
For a RAM user: On the RAM Users tab, find the user to authorize and click Modify Permissions in the Actions column.
For a RAM role: On the RAM Roles tab, select the role to authorize and click Modify Permissions.
In the Permission Management panel, click + Add Permissions, select the scope (either a specific cluster or namespace), and select Administrator from the predefined roles.
Granting this permission across all clusters automatically applies it to any new clusters created in the future.
Step 3: Grant RBAC permissions to other users
After setup is complete, the permissions administrator can log on to the ACK console and grant RBAC permissions to other RAM users or RAM roles on the Authorization page.
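The three steps above hinge on what the Step 1 policy actually grants. The following is an added example, not code from the Alibaba Cloud documentation: a small matcher for the RAM policy JSON format that checks the custom policy from Step 1 against the actions a permissions administrator needs and compares it with a broad wildcard grant. It assumes standard RAM evaluation (a matching explicit Deny wins over any Allow; an unmatched action is implicitly denied). Only cs:GrantPermission is named on the page; the other action names and the BROAD_POLICY document are illustrative values chosen to exercise the wildcards, not the text of any system policy.

```python
"""Evaluate RAM policy documents against the actions a permissions administrator needs.

Added example, not code from the Alibaba Cloud documentation: a matcher for the
policy JSON format used in Step 1, so the least-privilege custom policy can be
compared with a broad wildcard grant before it is attached to a RAM user or role.
"""
import json
from fnmatch import fnmatchcase

# The custom policy from Step 1, copied verbatim.
CUSTOM_ADMIN_POLICY = json.loads("""
{
    "Statement": [{
        "Action": [
            "ram:Get*",
            "ram:List*",
            "cs:Get*",
            "cs:Describe*",
            "cs:List*",
            "cs:GrantPermission"
        ],
        "Resource": "*",
        "Effect": "Allow"
    }],
    "Version": "1"
}
""")

# Constructed stand-in for a broad grant (every cs: action). This is NOT the text of
# the AliyunCSFullAccess system policy; it only illustrates what a wildcard allows.
BROAD_POLICY = {
    "Statement": [{"Action": ["cs:*", "ram:Get*", "ram:List*"],
                   "Resource": "*", "Effect": "Allow"}],
    "Version": "1",
}

# cs:GrantPermission is named on the page; the other action names are illustrative
# examples chosen to exercise the wildcards above.
REQUIRED_ADMIN_ACTIONS = ["ram:ListUsers", "ram:GetUser",
                          "cs:DescribeClusters", "cs:GrantPermission"]
CANDIDATE_ACTIONS = REQUIRED_ADMIN_ACTIONS + ["cs:CreateCluster", "cs:DeleteCluster"]


def _as_list(value):
    """RAM accepts either a single string or a list in Action/Resource."""
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource="*"):
    """Decide one action under standard RAM semantics (assumption, see lead-in):
    a matching explicit Deny wins over any Allow, and an action that no statement
    matches is implicitly denied. '*' in Action/Resource is a wildcard.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatchcase(action, p) for p in _as_list(stmt["Action"]))
        resource_hit = any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        if stmt["Effect"] == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, required):
    """Required actions the policy does not grant (empty for a usable admin policy)."""
    return [a for a in required if not is_allowed(policy, a)]


def extra_grants(broad, narrow, candidates):
    """Actions the broad policy allows that the narrow one does not."""
    return [a for a in candidates if is_allowed(broad, a) and not is_allowed(narrow, a)]


def add_deny(policy, action):
    """Copy of the policy with an explicit Deny appended for one action."""
    deny = {"Action": action, "Resource": "*", "Effect": "Deny"}
    return {**policy, "Statement": policy["Statement"] + [deny]}


if __name__ == "__main__":
    print("missing:", missing_actions(CUSTOM_ADMIN_POLICY, REQUIRED_ADMIN_ACTIONS))
    print("broad grants extra:",
          extra_grants(BROAD_POLICY, CUSTOM_ADMIN_POLICY, CANDIDATE_ACTIONS))
```

Running the script shows that the Step 1 policy covers every required action while refusing the mutating cluster actions that a cs:* grant would hand out; that difference is the reason the page prefers Method 2 over the system policies for fine-grained control.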
Apply in production
Follow these best practices to improve the security and maintainability of permission management:
Principle of least privilege: Only grant the minimum set of permissions required for a RAM user or role to perform their tasks. Avoid granting high-privilege roles such as Administrator indiscriminately.
Fine-grained authorization:
Layered authorization: Differentiate responsibilities — use RAM for cloud resource access and RBAC for cluster resource access.
Scope convergence: Use RoleBinding to grant permissions within a specific namespace instead of a cluster-wide ClusterRoleBinding wherever possible.
Precise role selection: Start with the predefined ACK roles. If you create custom roles, define precise rules and avoid wildcards (*).
Continuous governance: Regularly audit permissions and revoke any that are redundant or excessive. Monitor and log all actions performed by high-privilege accounts such as permissions administrators.
Appendix: Predefined RBAC roles
ACK provides a set of predefined roles based on the RBAC mechanism to simplify permission management for common scenarios.
| Predefined role | RBAC permissions on cluster resources |
|---|---|
| Administrator | Full read/write RBAC permissions for all Kubernetes resources in all namespaces, as well as for cluster-level resources including nodes, PVs, namespaces, and resource quotas. |
| Read-only Administrator | Read-only RBAC permissions for all Kubernetes resources in all namespaces, as well as for cluster-level resources including nodes, PVs, namespaces, and resource quotas. |
| O&M Engineer | Read/write access to all console-visible Kubernetes resources in all namespaces. Read and update access to cluster nodes, PVs, and namespaces. Read-only access to all other resources. |
| Developer | Read/write RBAC access to console-visible Kubernetes resources, scoped to either all namespaces or a selection of specific ones. |
| Restricted User | Read-only RBAC access to console-visible Kubernetes resources, scoped to either all namespaces or a selection of specific ones. |
| Custom | Permissions are determined by the ClusterRole you select. Verify the permissions defined in the selected ClusterRole before granting them to avoid assigning unintended permissions to a RAM user or role. For more information, see Use custom RBAC to restrict resource operations in a cluster. Important After you assign the |
FAQ
What is the relationship between RAM and RBAC?
ACK uses a layered authorization model where both RAM and RBAC are required (logical AND):
RAM: Determines whether a user can see the cluster in the console or access it through OpenAPI.
RBAC: Determines which Kubernetes resources (such as Pods, ConfigMaps, and Secrets) a user can operate on within the cluster.
Who can grant RBAC permissions?
Alibaba Cloud account: Has full authority to grant permissions to any RAM user or role.
Cluster creator: By default, the RAM identity that creates the cluster is granted cluster-admin privileges for that specific cluster.
Permissions administrator: Any RAM user or role that has been granted the Administrator role can manage permissions for others.
Can I grant permissions to multiple clusters at once?
Yes. In the ACK console, select multiple clusters or choose All Clusters when configuring permissions. If you select All Clusters, the permissions are also automatically applied to any new clusters created in the future.
What should I do if I encounter a permission error?
If an operation through the console or OpenAPI fails due to missing RBAC permissions, the system returns a permission-denied error. Refer to the following table for common errors and their solutions:
| Error code/message | Description | Solution |
|---|---|---|
| ForbiddenCheckControlPlaneLog | Not authorized to view control plane logs. | Grant the user the Administrator or O&M Engineer role. |
| ForbiddenHelmUsage | Not authorized to perform Helm operations. | Grant the user the Administrator role. |
| ForbiddenRotateCert | Not authorized to rotate certificates. | Grant the user the Administrator role. |
| ForbiddenAttachInstance | Not authorized to add nodes. | Grant the user the Administrator or O&M Engineer role. |
| ForbiddenUpdateKMSState | Not authorized to modify the cluster's KMS at-rest encryption status. | Grant the user the Administrator or O&M Engineer role. |
| Forbidden get trigger | Not authorized to get application trigger information. | Grant the user the Administrator, O&M Engineer, or Developer role. |
| ForbiddenQueryClusterNamespace | Not authorized to query cluster namespaces. | Grant the user the Administrator, O&M Engineer, Developer, or Restricted User role. |
How do I create custom permissions if the predefined roles don't meet my needs?
Create a custom Role or ClusterRole through a YAML manifest — for example, a ClusterRole that only allows viewing Pods. Then, when assigning permissions, select the custom permission type and bind it to your newly created ClusterRole. See Use custom RBAC to restrict resource operations in a cluster.
Kubernetes RBAC policies are additive and only support allow rules. There is no explicit deny rule.
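The additive, allow-only behaviour just described, the scope difference between Role/RoleBinding and ClusterRole/ClusterRoleBinding from the "Kubernetes RBAC mechanism" section, and the "scope convergence" and "avoid wildcards" advice under "Apply in production" can all be checked against a small model. The following is an added example, not code from the ACK documentation or from Kubernetes itself: an in-memory evaluator that mirrors how the API server decides a request from those four object kinds. The subjects, role names and namespaces ("alice", "ops", "pod-viewer", "wide-open", "team-a") are constructed sample data.

```python
"""In-memory model of Kubernetes RBAC decisions.

Added example, not code from the ACK documentation or from Kubernetes itself. It
mirrors how the API server evaluates a request from Role/RoleBinding and
ClusterRole/ClusterRoleBinding objects. All subjects, roles and namespaces below
are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    api_groups: list   # "" is the core API group (pods, nodes, ...); "*" matches all
    resources: list
    verbs: list

    def matches(self, api_group, resource, verb):
        def hit(wanted, allowed):
            return "*" in allowed or wanted in allowed
        return (hit(api_group, self.api_groups) and hit(resource, self.resources)
                and hit(verb, self.verbs))

    def wildcards(self):
        """Names of the fields that use '*' (what 'precise role selection' warns against)."""
        fields = (("apiGroups", self.api_groups), ("resources", self.resources),
                  ("verbs", self.verbs))
        return [name for name, values in fields if "*" in values]


@dataclass
class RbacStore:
    roles: dict = field(default_factory=dict)          # (namespace, name) -> [Rule]
    cluster_roles: dict = field(default_factory=dict)  # name -> [Rule]
    cluster_role_bindings: list = field(default_factory=list)  # (subject, cluster_role)
    role_bindings: list = field(default_factory=list)  # (namespace, subject, kind, name)

    def rules_for(self, subject, namespace):
        """Union of rules granted to subject in a namespace (None = cluster scope)."""
        rules = []
        for subj, name in self.cluster_role_bindings:
            if subj == subject:
                rules += self.cluster_roles[name]        # applies in every namespace
        if namespace is not None:
            for ns, subj, kind, name in self.role_bindings:
                if ns != namespace or subj != subject:
                    continue
                # A RoleBinding may reference a Role in its namespace or a ClusterRole;
                # either way the grant is limited to that one namespace.
                rules += (self.roles[(ns, name)] if kind == "Role"
                          else self.cluster_roles[name])
        return rules

    def can(self, subject, verb, resource, namespace, api_group=""):
        """Allow if any granted rule matches; there is no deny rule to consult."""
        return any(r.matches(api_group, resource, verb)
                   for r in self.rules_for(subject, namespace))

    def audit_cluster_role(self, name):
        """Sorted list of wildcard fields used anywhere in a ClusterRole."""
        return sorted({w for r in self.cluster_roles[name] for w in r.wildcards()})


def sample_store():
    """Constructed cluster state: one broad and one narrow ClusterRole, one Role."""
    s = RbacStore()
    s.cluster_roles["pod-viewer"] = [Rule([""], ["pods"], ["get", "list", "watch"])]
    s.cluster_roles["wide-open"] = [Rule(["*"], ["*"], ["*"])]   # Administrator-like
    s.roles[("team-a", "deploy-editor")] = [
        Rule(["apps"], ["deployments"], ["get", "list", "create", "update"])]
    s.cluster_role_bindings.append(("ops", "wide-open"))
    # "scope convergence": alice gets pod-viewer only inside team-a via a RoleBinding
    s.role_bindings.append(("team-a", "alice", "ClusterRole", "pod-viewer"))
    s.role_bindings.append(("team-a", "alice", "Role", "deploy-editor"))
    return s


if __name__ == "__main__":
    s = sample_store()
    print("alice get pods in team-a:", s.can("alice", "get", "pods", "team-a"))
    print("alice get pods in team-b:", s.can("alice", "get", "pods", "team-b"))
    print("wide-open wildcard fields:", s.audit_cluster_role("wide-open"))
```

Two points the model makes visible: a RoleBinding that references a ClusterRole still only grants inside its own namespace, which is why binding pod-viewer to alice in team-a says nothing about team-b; and because there is no deny rule, adding a second binding can only widen what a subject may do, so audit_cluster_role is the kind of check to run on a Custom role before it is bound.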
What's next
If the predefined roles are insufficient, see Use custom RBAC to restrict access to cluster resources.
For complete authorization guides covering both RAM and RBAC for different user roles, see:
For a list of service roles used by ACK, see ACK roles.
For troubleshooting other authorization-related issues, see Authorization management FAQs.