ack-ram-authenticator is a component that can help authenticate requests sent to the API server of a Container Service for Kubernetes (ACK) managed cluster by using webhooks and Resource Access Management (RAM). This topic describes the features, usage notes, and release notes of ack-ram-authenticator.
Introduction
ack-ram-authenticator is an authentication component for ACK managed clusters. The component can help authenticate requests sent to the API server of an ACK managed cluster by using Kubernetes-native webhook token authentication and RAM. The component allows you to define mappings between RAM identities and role-based access control (RBAC) permissions by using custom resource definitions (CRDs). This helps you verify the RBAC permissions of different RAM identities in a more flexible manner.
When a user assumes an Alibaba Cloud single sign-on (SSO) role to access the API server of an ACK managed cluster, ack-ram-authenticator passes the name of the session that corresponds to the user identity to the API server. This helps the API server authenticate the requests sent to the API server by users that assume the same role.
The following figure shows how webhook authentication works in an ACK managed cluster that installs ack-ram-authenticator.
If you use a tool such as kubectl to authenticate to the API server of an ACK managed cluster, the kubectl client runs the
execcommand in the kubeconfig file and calls ack-ram-tool to generate a signed Security Token Service (STS) token URL.After the kubectl client sends the authentication webhook to the API server, the API server routes the webhook to ack-ram-authenticator.
ack-ram-authenticator then calls the GetCallerIdentity operation of RAM to obtain the identity information about the caller based on the received token URL. After the GetCallerIdentity operation returns the identity information about the caller, ack-ram-authenticator matches the RAM identity of the caller with the identity mappings defined in the RAMIdentityMapping configurations.
The API server verifies the RBAC permissions of the RAM user or user group in the matching mapping and then returns the authentication result to the kubectl client.
Usage notes
For more information, see Use ack-ram-authenticator to help the API server in an ACK managed cluster complete webhook authentication.
Configuration
The ack-ram-authenticator component supports the following configurations:
Parameter | Type | Description |
EnableNonBootstrapMapping | boolean | Specifies whether to enable the RAM role-to-RBAC mappings configured in Step 5: Map RAM identities to RBAC permissions.
Note This configuration applies to v0.4.0.0-g33f30dac-aliyun and later. |
Release notes
April 2025
Version | Description | Release date | Impact |
v0.4.1.0-g8023a0b5-aliyun | This version is in canary release.
| 2025-04-29 | Installing or uninstalling ack-ram-authenticator triggers a control plane restart, disrupting persistent API server connections. Perform these operations during off-peak hours to minimize service impact. |
March 2025
Version | Description | Release date | Impact |
v0.4.0.0-g33f30dac-aliyun | A new parameter | 2025-03-31 | Installing or uninstalling ack-ram-authenticator triggers a control plane restart, disrupting persistent API server connections. Perform these operations during off-peak hours to minimize service impact. |
September 2024
Version | Description | Release date | Impact |
v0.3.0.0-gea598ff0-aliyun | The version of Golang used in the component is updated to 1.22.7 to improve stability. | 2024-09-09 | Installing or uninstalling ack-ram-authenticator triggers a control plane restart, disrupting persistent API server connections. Perform these operations during off-peak hours to minimize service impact. |
April 2024
Version | Description | Release date | Impact |
v0.2.1.3-g694325a9-aliyun | When the GetCallerIdentity operation is called, the version information about ack-ram-authenticator is delivered for troubleshooting. | 2024-04-12 | Installing or uninstalling ack-ram-authenticator triggers a control plane restart, disrupting persistent API server connections. Perform these operations during off-peak hours to minimize service impact. |
v0.2.0.3-gcea89d25-aliyun | This version is in canary release. Support for the ARM architecture. | 2024-04-10 |
November 2023
Version | Description | Release date | Impact |
v0.2.0.0-g9cf9d682-aliyun |
| 2023-11-15 | Installing or uninstalling ack-ram-authenticator triggers a control plane restart, disrupting persistent API server connections. Perform these operations during off-peak hours to minimize service impact. |
May 2023
Version | Description | Release date | Impact |
v0.1.0.5-g6e50a122-aliyun | The ack-ram-authenticator component is released. | 2023-05-18 | Installing or uninstalling ack-ram-authenticator triggers a control plane restart, disrupting persistent API server connections. Perform these operations during off-peak hours to minimize service impact. |