Resource Access Management (RAM) system permission policies can control permissions only on Distributed Cloud Container Platform for Kubernetes (ACK One) resources, such as the permissions to create or view instances. If a RAM user or RAM role wants to manage Kubernetes resources in the specified ACK One Fleet instance, such as creating GitOps applications or Argo workflows, you need to grant the RAM user or RAM role Role-Based Access Control (RBAC) permissions on the ACK One Fleet instance and its namespace. This topic describes how to grant RBAC permissions to a RAM user or RAM role.
Usage notes
To grant permissions to a RAM user or RAM role, you must use an Alibaba Cloud account, the account of the Fleet instance creator, or a RAM user that has administrator permissions on the Fleet instance. You cannot grant permissions to a RAM user or RAM role by using another RAM user.
Prerequisites
The RAM user or RAM role is granted permissions on ACK One Fleet instances. For more information, see Attach a system permission policy to a RAM user or RAM role.
Alibaba Cloud CLI 3.0.159 or later is installed and credentials are configured if you want to use a CLI to grant permissions. For more information, see Install Alibaba Cloud CLI and Configure credentials.
RBAC permissions supported by ACK One
RBAC permissions on Fleet instances
RBAC role | Permission |
admin (administrator) | Provides read and write permissions on cluster-wide resources and resources in all namespaces. |
dev (developer) | Provides read and write permissions on resources in the specified namespace. |
gitops-dev (GitOps developer) | Provides read and write permissions on application resources in the argocd namespace. |
RBAC permissions on workflow clusters
RBAC role | Permission |
admin (administrator) | Provides read and write permissions on cluster-wide resources and resources in all namespaces. |
dev (developer) | Provides read and write permissions on resources in the specified namespace. |
RBAC permissions on registered clusters
For more information, see Grant RBAC permissions to RAM users or RAM roles.
Grant a RAM user or RAM role RBAC permissions on Fleet instances
Use the console
Log on to the ACK One console.
In the left-side navigation pane, choose .
On the Permissions page, click the Fleet tab and then click the RAM User tab.
Find the RAM user that you want to authorize in the list and click Manage Permissions in the Actions column.
In the dialog box that appears, specify RAM Role and Namespaces and click OK.
Use Alibaba Cloud CLI
Grant admin permissions on Fleet instances
aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <clusterid> --RoleType cluster --RoleName adminGrant dev permissions on the namespaces of Fleet instances
aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <your-fleet-id> --RoleType namespace --Namespace default --RoleName devGrant gitops-dev permissions on the argocd namespace
aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <your-fleet-id> --RoleType namespace --Namespace argocd --RoleName gitops-devGrant a RAM user or RAM role RBAC permissions on workflow clusters
Use Alibaba Cloud CLI
Grant admin permissions on workflow clusters
aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <clusterid> --RoleType cluster --RoleName adminGrant dev permissions on the namespaces of workflow clusters
To grant dev permissions, you must set the RoleType parameter to namespace.
aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <clusterid> --RoleType namespace --Namespace default --RoleName devWhat to do next
Modify the RBAC permissions of a RAM user
aliyun adcp UpdateUserPermission --UserId 2176*** --ClusterId abc --RoleType cluster --RoleName devQuery the RBAC permissions of a RAM user
aliyun adcp DescribeUserPermissions --UserId 2176***Revoke RBAC permissions from a RAM user
aliyun adcp DeleteUserPermission --UserId 2176*** --ClusterId abc