Grant a RAM user the permissions to manage ACK One Fleet instances -

By default, only an Alibaba Cloud account and the account that creates a Distributed Cloud Container Platform for Kubernetes (ACK One) Fleet instance have administrator permissions on the Kubernetes resources on the Fleet instance. You must grant the required permissions to a Resource Access Management (RAM) user before you can use the RAM user to create and delete Fleet instances, associate clusters with a Fleet instance, or disassociate clusters from a Fleet instance. This topic describes how to grant RAM permissions and role-based access control (RBAC) permissions to a RAM user.

Prerequisites

Alibaba Cloud CLI 3.0.159 or later is installed and credentials are configured for Alibaba Cloud CLI. For more information, see Install Alibaba Cloud CLI and Configure credentials.

Usage notes for authorization

By default, only an Alibaba Cloud account and the account that creates a Fleet instance have administrator permissions on the Kubernetes resources on the Fleet instance. RAM users other than the creator of a Fleet instance cannot access Kubernetes resources on the Fleet instance.
The administrator or the Fleet instance creator can authorize a RAM user to access and manage the Fleet instance by using one of the following methods:
1. Step 1: Grant RAM permissions to a RAM user: After you grant RAM permissions to a RAM user, the RAM user can view or modify the Fleet instance in the ACK One console.
2. Step 2: Grant a RAM user RBAC permissions on the Fleet instance: After the authorization is complete, the RAM user can run kubectl commands to use the features of the Fleet instance, such as application distribution, GitOps, and multi-cluster Services (MCS).

Step 1: Grant RAM permissions to a RAM user

By default, the AliyunAdcpFullAccess and AliyunAdcpReadOnlyAccess RAM policies are created for Fleet instances of ACK One. You can directly attach the RAM policies to a RAM user. For more information about how to attach RAM policies to a RAM user, see Grant permissions to the RAM user.

System policy	System permission	Description
AliyunAdcpFullAccess	This policy provides full access to Fleet instances, including the permissions to grant permissions to RAM users and the permissions to enable, disable, create, delete, and view Fleet instances.	If you want to set a RAM user as an administrator of a Fleet instance, attach the AliyunAdcpFullAccess policy to the RAM user.
AliyunAdcpReadOnlyAccess	This policy provides read-only access to Fleet instances, including the permissions to view Fleet instances and query the kubeconfig files of Fleet instances.	If you want to set a RAM user as a developer, attach the AliyunAdcpReadOnlyAccess policy to the RAM user. This way, you can use the RAM user to manage applications based on GitOps, distribute applications to associated clusters, and use the MCS feature.

Step 2: Grant a RAM user RBAC permissions on the Fleet instance

Fleet instances of ACK One provide three predefined RBAC roles: admin, dev, and gitops-dev. You can assign the RBAC roles to a RAM user.

RBAC role	Description
admin	This role provides read and write permissions on cluster-wide resources and resources in all namespaces.
dev	This role provides read and write permissions on Kubernetes resources in a specified namespace.
gitops-dev	This role provides read and write permissions on Kubernetes resources in the argocd namespace.

Cluster-wide resources
Kind
apiVersion
Namespace
v1
Managedcluster
cluster.open-cluster-management.io
MseIngressConfig
mse.alibabacloud.com/v1alpha1
IngressClass
networking.k8s.io/v1

Namespace-scoped resources

Kind	apiVersion
Deployment	apps/v1
Service	v1
Ingress	networking.k8s.io/v1
ConfigMap	v1
Secret	v1
StatefulSet	apps/v1
PersistentVolumeClaim	v1
ServiceExport	multicluster.x-k8s.io/v1alpha1
ServiceImport	multicluster.x-k8s.io/v1alpha1
HorizontalPodAutoscaler	autoscaling/v1
Application ApplicationSet Appproject	argoproj.io
Application	core.oam.dev

Resources in the argocd namespace
Kind
apiVersion
Application
argoproj.io

The following section describes how to assign a role to a RAM user.

Note

To grant admin permissions, you must set the RoleType parameter to cluster.
To grant dev or gitops-dev permissions, you must set the RoleType parameter to namespace.

Grant admin permissions on Fleet instances

aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <clusterid> --RoleType cluster --RoleName admin

Grant dev permissions on the namespaces of Fleet instances

aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <your-fleet-id> --RoleType namespace --Namespace default --RoleName dev

Grant gitops-dev permissions on the argocd namespace

aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <your-fleet-id> --RoleType namespace --Namespace argocd --RoleName gitops-dev

Request parameters

Parameter	Type	Required	Description
UserId	string	Yes	The RAM user ID.
ClusterId	string	Yes	The ID of the Fleet instance that you want to authorize the RAM user to manage.
RoleType	string	Yes	The authorization type. Valid values: `cluster`: The permissions are scoped to a Fleet instance. `namespace`: The permissions are scoped to a namespace. Note To grant admin permissions, you must set the RoleType parameter to `cluster`. To grant dev or gitops-dev permissions, you must set the RoleType parameter to `namespace`.
RoleName	string	Yes	The predefined role name. Valid values: `admin`: administrator `dev`: developer `gitops-dev`: GitOps developer Note To grant gitops-dev permissions, you must set the RoleType parameter to `namespace` and the `namespace` parameter to `argocd`.
Namespace	string	No	The namespace to which the permissions are scoped. Leave this parameter empty when the RoleType parameter is set to cluster.

What to do next

Query the RBAC permissions of a RAM user

Sample command

aliyun adcp DescribeUserPermissions --UserId 2176***

Request parameters

Parameter	Type	Required	Description
UserId	string	Yes	The RAM user ID.

Response parameters

Parameter	Type	Description	Example
RequestId	string	The request ID.	EA06613B-37A3-549E-BAE0-E4AD8A6E93D7
Permissions	Object	None	None
RoleType	string	The role type. Valid values: `admin`: administrator `dev`: developer `gitops-dev`: GitOps developer	dev
ResourceType	string	The authorization type. Valid values: `cluster`: The permissions are scoped to a Fleet instance. `namespace`: The permissions are scoped to a namespace.	namespace
ResourceId	string	The access configuration. When the permissions are scoped to a cluster, the value is in the `{cluster_id}` format. When the permissions are scoped to a namespace, the value is in the `{cluster_id}/{namespace}` format.	cffef3c9c7ba145b083292942a2c3****/test

Revoke RBAC permissions from a RAM user

Sample command

aliyun adcp DeleteUserPermission --UserId 2176*** --ClusterId <clusterid>

Request parameters

Parameter	Type	Required	Description
UserId	string	Yes	The RAM user ID.
ClusterId	string	Yes	The ID of the Fleet instance.

Response parameters

Parameter	Type	Description	Example
RequestId	string	The request ID.	EA06613B-37A3-549E-BAE0-E4AD8A6E93D7

Kind	apiVersion
Namespace	v1
Managedcluster	cluster.open-cluster-management.io
MseIngressConfig	mse.alibabacloud.com/v1alpha1
IngressClass	networking.k8s.io/v1