Container Service for Kubernetes:Fine-grained resource control with resource groups

Last Updated: Apr 23, 2026

When you use resource groups to organize resources, you can use them with RAM to implement resource isolation and fine-grained permission management within a single Alibaba Cloud account. This topic describes how ACK One supports resource groups and provides the steps to grant permissions at the resource group level.

How it works

You can use resource groups to organize and manage resources within your Alibaba Cloud account. For example, you can create a resource group for each project and move the project's resources into that group for centralized management. For more information, see What is a resource group?.

After you group your resources, you can grant permissions on a specific resource group to different principals, such as RAM users, RAM user groups, or RAM roles. This ensures that the principal can manage only the resources within that resource group. For more information, see Resource grouping and authorization.

This authorization method offers the following advantages:

  • Fine-grained permissions: Each identity receives exactly the access it needs, and resources are isolated between projects.

  • Scalability: When you add new resources, you only need to add them to the resource group. The principal automatically gains the required permissions for these new resources.

Grant resource group permissions to a RAM user

This procedure uses a RAM user as an example to show how to grant permissions on ACK One resources within a specific resource group.

1. Prerequisites

  1. Create a RAM user. For more information, see Create a RAM user.

  2. Create a resource group and transfer existing resources to the target resource group. For more information, see Create a resource group, Automatically move resources to a resource group, and Manually move resources to a resource group.

2. Grant permissions at the resource group level

You can grant permissions at the resource group level by using either of the following methods.

Method 1: Resource Management console

Use the permission management feature of a resource group to grant permissions to a specific RAM user. For more information, see Grant permissions on a resource group to a RAM identity.

  • Log on to the Resource Management console.

  • On the Resource Groups page, find the target resource group and click Manage Permissions in the Actions column.

  • On the Manage Permissions tab, click Grant Permission.

  • In the Grant Permission panel, set the principal and permission policy.

    • Principal: Select an existing RAM user.

    • Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.

  • Click OK.

Method 2: RAM console

Grant resource group-level permissions to a specific RAM user in the RAM console. For more information, see Manage RAM user permissions.

  • Log on to the RAM console as the Alibaba Cloud account or as a RAM user with administrator permissions.

  • In the left-side navigation pane, choose Identities > Users. On the Users page, find the target RAM user and click Add Permissions in the Actions column.

  • In the Add Permissions panel, configure permissions for the RAM user.

    • Resource Scope: Select Resource Group.

    • Principal: The selected RAM user is displayed.

    • Permission Policy: Select a system policy or an existing custom policy. For more information, see Create a custom permission policy.

  • Click OK.

Resource types that support resource groups

The following table lists the ACK One resource types that you can manage by using resource groups.

Cloud service | Cloud service code | Resource type
ACK One | ackone | cluster: Cluster

Note

If a resource type you need does not support resource groups, you can submit feedback in the Resource Management console.

Operations without resource group-level authorization

The following table lists the ACK One actions that do not support authorization at the resource group level.

Action | Description
adcp:AbortComponentBaselineDeployBatch | -
adcp:AbortComponentBaselineDeployJob | -
adcp:AttachClusterToHub | Attaches an ACK cluster to an ACK One Fleet instance.
adcp:ChangeResourceGroup | Changes the resource group that a resource belongs to.
adcp:CheckSLRExists | -
adcp:CheckServiceRole | -
adcp:ComponentBaselinePreCheck | -
adcp:CreateComponentBaseline | -
adcp:CreateComponentBaselineDeployJob | -
adcp:DeleteComponentBaseline | -
adcp:DeleteComponentBaselineDeployJob | -
adcp:DeletePolicyInstance | Deletes a policy rule instance from an associated cluster.
adcp:DeleteUserPermission | Deletes the RBAC authorization of a RAM user.
adcp:DeployPolicyInstance | Deploys a policy rule instance to a cluster associated with the master instance.
adcp:DescribeClusterEvents | -
adcp:DescribeComponentBaselineDeployJobDetail | -
adcp:DescribeComponentBaselineDeployJobs | -
adcp:DescribeComponentBaselineDetail | -
adcp:DescribeComponentBaselines | -
adcp:DescribeComponentListOfHubCluster | -
adcp:DescribeHubClusterKubeconfig | Obtains the kubeconfig of an ACK One cluster. Besides managing clusters in the console, you can use kubectl, the Kubernetes command-line tool, to manage clusters and applications; kubectl needs the cluster's kubeconfig to connect.
adcp:DescribeHubClusterLogs | Obtains logs from the master instance of an ACK One Fleet.
adcp:DescribeManagedClusters | Obtains the list of managed clusters in an ACK One Fleet instance.
adcp:DescribePolicies | Lists the policy governance rule libraries.
adcp:DescribePolicyDetails | Obtains the details of a policy governance rule template.
adcp:DescribePolicyGovernanceInCluster | Obtains the policy governance details of a cluster associated with the master instance.
adcp:DescribePolicyInstances | Queries the policy instances of the clusters associated with a master instance.
adcp:DescribePolicyInstancesStatus | Obtains the details of a specified policy rule instance in a cluster associated with a master instance.
adcp:DescribeUserPermissions | Displays the permissions granted to a RAM user.
adcp:DetachClusterFromHub | Removes a managed ACK cluster from an ACK One Fleet instance.
adcp:GrantUserPermission | Grants RBAC permissions to a RAM user or RAM role. RAM system policies control only operations on ACK One resources, such as creating or viewing instances. To operate on Kubernetes resources inside a specific cluster, such as creating GitOps applications or Argo Workflows, the principal also needs RBAC permissions for that ACK One cluster and its namespaces.
adcp:GrantUserPermissions | -
adcp:ListTagResources | -
adcp:ResumeComponentBaselineDeployJob | -
adcp:RollbackComponentBaselineDeployBatch | -
adcp:StartComponentBaselineDeployBatch | -
adcp:StartComponentBaselineDeployJob | -
adcp:SuspendComponentBaselineDeployJob | -
adcp:TagResources | -
adcp:UntagResources | -
adcp:UpdateClusterTags | -
adcp:UpdateComponentBaseline | -
adcp:UpdateUserPermission | Updates the RBAC authorization of a RAM user.

For operations that do not support authorization at the resource group level, setting the resource scope to Resource Group has no effect. If a RAM user still requires permissions to perform these operations, you must create a custom permission policy and set the resource scope to Account when you grant the permissions.

The following two custom permission policies are examples. Modify them to match your business requirements.

  • Allow all read-only operations that do not support resource group-level authorization: The Action element lists all such read-only operations.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "adcp:CheckServiceRole",
            "adcp:DescribeClusterEvents",
            "adcp:DescribeComponentBaselineDeployJobDetail",
            "adcp:DescribeComponentBaselineDeployJobs",
            "adcp:DescribeComponentBaselineDetail",
            "adcp:DescribeComponentBaselines",
            "adcp:DescribeComponentListOfHubCluster",
            "adcp:DescribeHubClusterKubeconfig",
            "adcp:DescribeHubClusterLogs",
            "adcp:DescribeManagedClusters",
            "adcp:DescribePolicies",
            "adcp:DescribePolicyDetails",
            "adcp:DescribePolicyGovernanceInCluster",
            "adcp:DescribePolicyInstances",
            "adcp:DescribePolicyInstancesStatus",
            "adcp:DescribeUserPermissions",
            "adcp:ListTagResources"
          ],
          "Resource": "*"
        }
      ]
    }
    
  • Allow all operations that do not support resource group-level authorization: The Action element lists all such operations.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "adcp:AbortComponentBaselineDeployBatch",
            "adcp:AbortComponentBaselineDeployJob",
            "adcp:AttachClusterToHub",
            "adcp:ChangeResourceGroup",
            "adcp:CheckSLRExists",
            "adcp:CheckServiceRole",
            "adcp:ComponentBaselinePreCheck",
            "adcp:CreateComponentBaseline",
            "adcp:CreateComponentBaselineDeployJob",
            "adcp:DeleteComponentBaseline",
            "adcp:DeleteComponentBaselineDeployJob",
            "adcp:DeletePolicyInstance",
            "adcp:DeleteUserPermission",
            "adcp:DeployPolicyInstance",
            "adcp:DescribeClusterEvents",
            "adcp:DescribeComponentBaselineDeployJobDetail",
            "adcp:DescribeComponentBaselineDeployJobs",
            "adcp:DescribeComponentBaselineDetail",
            "adcp:DescribeComponentBaselines",
            "adcp:DescribeComponentListOfHubCluster",
            "adcp:DescribeHubClusterKubeconfig",
            "adcp:DescribeHubClusterLogs",
            "adcp:DescribeManagedClusters",
            "adcp:DescribePolicies",
            "adcp:DescribePolicyDetails",
            "adcp:DescribePolicyGovernanceInCluster",
            "adcp:DescribePolicyInstances",
            "adcp:DescribePolicyInstancesStatus",
            "adcp:DescribeUserPermissions",
            "adcp:DetachClusterFromHub",
            "adcp:GrantUserPermission",
            "adcp:GrantUserPermissions",
            "adcp:ListTagResources",
            "adcp:ResumeComponentBaselineDeployJob",
            "adcp:RollbackComponentBaselineDeployBatch",
            "adcp:StartComponentBaselineDeployBatch",
            "adcp:StartComponentBaselineDeployJob",
            "adcp:SuspendComponentBaselineDeployJob",
            "adcp:TagResources",
            "adcp:UntagResources",
            "adcp:UpdateClusterTags",
            "adcp:UpdateComponentBaseline",
            "adcp:UpdateUserPermission"
          ],
          "Resource": "*"
        }
      ]
    }
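
Because resource group scoping is silently ineffective for the actions listed above, a custom policy written for a resource group grant is easy to get wrong in both directions: it may include actions that will never work at that scope, and the account-scope policy you then write to compensate may be far broader than needed. The following script is an added example, not Alibaba Cloud's own tooling. It takes a RAM policy document, expands wildcards against the action list on this page, and splits it into a policy that can be attached at resource group scope and a minimal policy that must be attached at account scope, reporting which account-scope actions are writes. The sample policy is constructed for illustration; the read-only subset mirrors the first example policy above.

```python
"""Added example (not Alibaba Cloud's own tooling): split an ACK One RAM policy
into a resource group-scope part and a minimal account-scope part."""
import fnmatch
import json

# Actions this page lists as NOT supporting resource group-level authorization.
NON_RG_ACTIONS = frozenset("adcp:" + name for name in """
    AbortComponentBaselineDeployBatch AbortComponentBaselineDeployJob
    AttachClusterToHub ChangeResourceGroup CheckSLRExists CheckServiceRole
    ComponentBaselinePreCheck CreateComponentBaseline
    CreateComponentBaselineDeployJob DeleteComponentBaseline
    DeleteComponentBaselineDeployJob DeletePolicyInstance DeleteUserPermission
    DeployPolicyInstance DescribeClusterEvents
    DescribeComponentBaselineDeployJobDetail DescribeComponentBaselineDeployJobs
    DescribeComponentBaselineDetail DescribeComponentBaselines
    DescribeComponentListOfHubCluster DescribeHubClusterKubeconfig
    DescribeHubClusterLogs DescribeManagedClusters DescribePolicies
    DescribePolicyDetails DescribePolicyGovernanceInCluster
    DescribePolicyInstances DescribePolicyInstancesStatus DescribeUserPermissions
    DetachClusterFromHub GrantUserPermission GrantUserPermissions
    ListTagResources ResumeComponentBaselineDeployJob
    RollbackComponentBaselineDeployBatch StartComponentBaselineDeployBatch
    StartComponentBaselineDeployJob SuspendComponentBaselineDeployJob
    TagResources UntagResources UpdateClusterTags UpdateComponentBaseline
    UpdateUserPermission
""".split())

# The subset that the page's first example policy treats as read-only.
NON_RG_READONLY = frozenset(
    a for a in NON_RG_ACTIONS if a.startswith("adcp:Describe")
) | {"adcp:CheckServiceRole", "adcp:ListTagResources"}


def is_wildcard(action):
    return "*" in action or "?" in action


def covered_non_rg_actions(action):
    """Non-RG actions that one Action entry grants (expands * and ? wildcards)."""
    if is_wildcard(action):
        return sorted(a for a in NON_RG_ACTIONS if fnmatch.fnmatchcase(a, action))
    return [action] if action in NON_RG_ACTIONS else []


def split_policy(policy):
    """Return (rg_policy, account_policy, report) for an Allow-only policy.

    rg_policy keeps every action that may work at resource group scope; wildcards
    stay because they can also match actions that do support that scope.
    account_policy lists explicitly, and only, the non-RG actions the input
    grants, so the account-scope grant is as narrow as possible; it is None when
    the input needs no account-scope grant at all.
    """
    rg_statements, account_actions = [], set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            raise ValueError("this example handles Allow statements only")
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        kept = []
        for action in actions:
            covered = covered_non_rg_actions(action)
            account_actions.update(covered)
            if not covered or is_wildcard(action):
                kept.append(action)
        if kept:  # preserve Resource/Condition keys of the original statement
            rg_statements.append({**stmt, "Action": kept})
    rg_policy = {"Version": "1", "Statement": rg_statements}
    account_policy = None
    if account_actions:
        account_policy = {"Version": "1", "Statement": [{
            "Effect": "Allow", "Action": sorted(account_actions), "Resource": "*"}]}
    report = {
        "account_scope_actions": sorted(account_actions),
        "write_actions_at_account_scope": sorted(account_actions - NON_RG_READONLY),
    }
    return rg_policy, account_policy, report


# Constructed sample input: a broad read policy plus one RBAC-granting action.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "adcp:Describe*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["adcp:ListTagResources", "adcp:GrantUserPermission"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    rg, account, report = split_policy(SAMPLE_POLICY)
    print(json.dumps({"resource_group_scope": rg, "account_scope": account,
                      "report": report}, indent=2))
```

For the sample input, the resource group-scope policy keeps only the `adcp:Describe*` wildcard, the account-scope policy lists the 17 non-RG actions that the input actually covers, and the report flags `adcp:GrantUserPermission` as the one write-class action that will be granted account-wide, which is the line item to challenge in review before attaching the policy with the resource scope set to Account.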
    
Important

A RAM user or RAM role with account-level permissions can manage resources across the entire account. Grant these permissions with caution and always follow the principle of least privilege.

FAQ

Find a resource's resource group

  • Method 1: In the product console, click the name of the resource to open its details page, where its resource group is shown.

  • Method 2: Log on to the Resource Management console and choose Resource Center > Resource Search. In the left-side pane, select the account to which the resource belongs. The current account is selected by default. Use the filter conditions to locate the target resource and view its resource group.

View resources by product and resource group

  • Method 1: Log on to the Resource Management console and choose Resource Center > Resource Search. In the left-side pane, under the resource's account (the current account is selected by default), click the name of the target resource group. Then, from the Select Resource Type drop-down list on the right, select the product to view all its resources in that resource group.

  • Method 2: Log on to the Resource Management console and choose Resource Groups > Resource Groups. Find the target resource group and click Manage Resources in the Actions column. On the Manage Resources page, select the product from the Product drop-down list to view all its resources in the specified resource group.

Bulk move resources to another resource group

Log on to the Resource Management console and choose Resource Groups > Resource Groups. In the row of the target resource group, click Manage Resources in the Actions column to open the resource management page. Use the filter conditions to find the resources, select the checkboxes of the resources, and then click Transfer Resource Group at the bottom of the page. Follow the on-screen instructions to complete the process.