Container Service for Kubernetes: Grant RBAC permissions to a RAM user or RAM role

Last Updated: Mar 26, 2026

RAM system policies only control permissions for actions on ACK One cluster resources, such as creating instances or viewing instance lists. To manage Kubernetes resources within a cluster, such as creating GitOps Applications or Argo Workflows, a RAM user or RAM role also needs Role-Based Access Control (RBAC) permissions for that cluster and its namespaces. This topic describes how to grant these permissions.

Usage notes

Only an Alibaba Cloud account, the cluster creator, or a RAM user with cluster administrator permissions can grant permissions to a specified RAM user or RAM role. Regular RAM users cannot grant permissions.

Prerequisites

RBAC permissions supported by ACK One

RBAC permissions for Fleet

RBAC role                       Description
admin (administrator)           Grants read and write permissions on all cluster-scoped resources and on resources in all namespaces.
dev (developer)                 Grants read and write permissions on resources within selected namespaces.
gitops-dev (GitOps developer)   Grants read and write permissions on application resources in the argocd namespace.

Cluster-scoped and namespace-scoped resources

  • Cluster-scoped resources

    Kind                      apiVersion
    Namespace                 v1
    ManagedCluster            cluster.open-cluster-management.io
    MseIngressConfig          mse.alibabacloud.com/v1alpha1
    IngressClass              networking.k8s.io/v1

  • Namespace-scoped resources

    Kind                      apiVersion
    Deployment                apps/v1
    Service                   v1
    Ingress                   networking.k8s.io/v1
    ConfigMap                 v1
    Secret                    v1
    StatefulSet               apps/v1
    PersistentVolumeClaim     v1
    ServiceExport             multicluster.x-k8s.io/v1alpha1
    ServiceImport             multicluster.x-k8s.io/v1alpha1
    HorizontalPodAutoscaler   autoscaling/v1
    Application               argoproj.io
    ApplicationSet            argoproj.io
    AppProject                argoproj.io
    Workflow                  argoproj.io
    Application               core.oam.dev

  • Application resources in the argocd namespace

    Kind                      apiVersion
    Application               argoproj.io

RBAC permissions for workflow clusters

RBAC role                       Description
admin (administrator)           Grants read and write permissions on all cluster-scoped resources and on resources in all namespaces.
dev (developer)                 Grants read and write permissions on resources within selected namespaces.

Cluster-scoped and namespace-scoped resources

  • Cluster-scoped resources

    Kind                      apiVersion
    Namespace                 v1
    PersistentVolume          v1
    ImageCache                eci.alibabacloud.com

  • Namespace-scoped resources

    Kind                      apiVersion
    ConfigMap                 v1
    Secret                    v1
    ServiceAccount            v1
    PersistentVolumeClaim     v1
    Pod                       v1
    Workflow                  argoproj.io
    WorkflowTemplate          argoproj.io
    CronWorkflow              argoproj.io
    EventSource               argoproj.io
    EventBus                  argoproj.io
    Sensor                    argoproj.io

RBAC permissions for registered clusters

For more information, see Predefined RBAC roles for registered clusters.

Grant RBAC permissions for Fleet

Use the console

  1. Log on to the ACK One console.

  2. In the left-side navigation pane, choose Fleet > Permissions.

  3. On the Permissions page, click the Fleet tab, and then click the RAM User tab.

  4. Find the RAM user to authorize and click Manage Permissions in the Actions column.

  5. In the dialog box that appears, select the RAM Role and Namespace you want, and then click OK.

Use the CLI

Grant admin role

aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType cluster --RoleName admin

Grant dev role

aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType namespace --Namespace default --RoleName dev

Grant gitops-dev role

aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType namespace --Namespace argocd --RoleName gitops-dev

Parameters

  • UserId (string, required)

    The ID of the RAM user.

  • ClusterId (string, required)

    The ID of the target Fleet instance.

  • RoleType (string, required)

    The authorization type. Valid values:

    • cluster: Permissions are scoped to the Fleet instance.

    • namespace: Permissions are scoped to a namespace.

    Note
    • The admin role must be granted with RoleType set to cluster (Fleet instance scope); the namespace scope is not allowed for admin.

    • The dev and gitops-dev roles must be granted with RoleType set to namespace; the Fleet instance scope is not allowed for these roles.

  • RoleName (string, required)

    The predefined role name. Valid values:

    • admin: administrator.

    • dev: developer.

    • gitops-dev: GitOps developer.

  • Namespace (string, optional)

    The namespace name.

    Note
    • This parameter is required if RoleType is set to namespace.

    • For the gitops-dev role (GitOps developer), Namespace must be set to argocd.

    • This parameter is not required if RoleType is set to cluster.

Grant RBAC permissions for a workflow cluster

Use the CLI

Grant admin role

aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType cluster --RoleName admin

Grant dev role

aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType namespace --Namespace default --RoleName dev

Parameters

  • UserId (string, required)

    The ID of the RAM user.

  • ClusterId (string, required)

    The ID of the target workflow cluster.

  • RoleType (string, required)

    The authorization type. Valid values:

    • cluster: Permissions are scoped to the cluster.

    • namespace: Permissions are scoped to a namespace.

    Note
    • To grant the admin role, you must set this parameter to cluster.

    • The dev role must be granted with RoleType set to namespace (namespace-level scope); the cluster-level scope is not allowed for dev.

  • RoleName (string, required)

    The predefined role name. Valid values:

    • admin: administrator.

    • dev: developer.

  • Namespace (string, optional)

    The namespace name.

    Note
    • This parameter is required if RoleType is set to namespace.

    • This parameter is not required if RoleType is set to cluster.
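The RoleType, RoleName and Namespace rules above (for both Fleet and workflow clusters) are easy to get wrong in automation, and a wrong combination is either rejected or, worse, grants broader scope than intended. The following is an added example, not part of this documentation or of the aliyun CLI: a POSIX sh function that checks a request against those rules and only then builds the GrantUserPermission command. The fleet/workflow target argument and the DNS-label check on the namespace are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud code): validate a GrantUserPermission request
# against the rules this page states before it reaches the aliyun CLI.
#   admin      -> RoleType cluster, no Namespace
#   dev        -> RoleType namespace, Namespace required
#   gitops-dev -> Fleet only, RoleType namespace, Namespace must be argocd
# Usage: build_grant_cmd <fleet|workflow> <UserId> <ClusterId> <RoleName> [Namespace]
# Prints the command on success (exit 0); prints the violated rule on failure (exit 1).
build_grant_cmd() {
  target=$1; user_id=$2; cluster_id=$3; role=$4; namespace=${5:-}
  base="aliyun adcp GrantUserPermission --UserId $user_id --ClusterId $cluster_id"
  case "$target" in
    fleet|workflow) ;;
    *) echo "target must be fleet or workflow" >&2; return 1 ;;
  esac
  # Assumption: a namespace must be a DNS label, so nothing odd is spliced into the command.
  if [ -n "$namespace" ]; then
    case "$namespace" in
      *[!a-z0-9-]*) echo "Namespace must contain only a-z, 0-9 and -" >&2; return 1 ;;
    esac
  fi
  case "$role" in
    admin)
      # admin is always cluster-scoped; a Namespace here means the caller misunderstood the scope
      [ -z "$namespace" ] || { echo "admin uses RoleType cluster; do not pass Namespace" >&2; return 1; }
      echo "$base --RoleType cluster --RoleName admin" ;;
    dev)
      # dev is confined to one namespace; cluster scope is not permitted for this role
      [ -n "$namespace" ] || { echo "dev requires RoleType namespace and a Namespace" >&2; return 1; }
      echo "$base --RoleType namespace --Namespace $namespace --RoleName dev" ;;
    gitops-dev)
      # gitops-dev is defined only for Fleet and only in the argocd namespace
      [ "$target" = fleet ] || { echo "gitops-dev is not defined for workflow clusters" >&2; return 1; }
      [ "$namespace" = argocd ] || { echo "gitops-dev requires Namespace argocd" >&2; return 1; }
      echo "$base --RoleType namespace --Namespace argocd --RoleName gitops-dev" ;;
    *)
      echo "unknown RoleName: $role (expected admin, dev or gitops-dev)" >&2; return 1 ;;
  esac
}

# Example: print the command for a developer grant in the default namespace.
# The IDs are the masked placeholders used on this page; substitute real ones.
build_grant_cmd fleet '1159648454******' 'c6caf48c192f7476******' dev default
```

To execute instead of print, run the validated string with sh -c "$(build_grant_cmd ...)" once the output has been reviewed.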

Related operations

Update RBAC permissions

aliyun adcp UpdateUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType namespace --Namespace default --RoleName dev

Query RBAC permissions

aliyun adcp DescribeUserPermissions --UserId 1159648454******

Revoke RBAC permissions

aliyun adcp DeleteUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476******