By default, the worker Resource Access Management (RAM) role of Container Service for Kubernetes (ACK) managed clusters is granted limited permissions. To reinforce security, ACK is expected to revoke the permissions granted to the worker RAM role of ACK managed clusters starting from July 17, 2023.

Affected versions

ACK managed clusters, including ACK standard clusters and ACK Pro clusters, that are created on July 17, 2023 or later and whose version is 1.22.15-aliyun.1 or later.

Important: The following clusters are not affected:
  • Clusters that are created before July 17, 2023.
  • Clusters whose version is earlier than 1.22.15-aliyun.1.
  • Clusters created by Alibaba Cloud accounts that are not eligible for this update.


Before the update, the worker RAM role of ACK managed clusters is granted limited permissions by default.

After the update, no permission is granted to the worker RAM role of newly created ACK managed clusters by default.

  • If your application needs to access OpenAPI Explorer from the ACK cluster, we recommend that you use the RAM Roles for Service Accounts (RRSA) feature to obtain the credentials to access OpenAPI Explorer. For more information, see Use RRSA to authorize pods to access different cloud services.
  • If your application relies on the worker RAM role, you need to manually grant the permissions that are required by the application to the worker RAM role. For more information, see Grant permissions to the worker RAM role.
  • If you want to install the aliyun-acr-credential-helper component in a newly created cluster, make sure that you install the latest version of the component.

Grant permissions to the worker RAM role

Step 1: Create a custom policy

  1. Log on to the RAM console by using an Alibaba Cloud account.
  2. In the left-side navigation pane, choose Permissions > Policies.
  3. On the Policies page, click Create Policy.
  4. On the Create Policy page, click the JSON tab.
  5. Enter the policy content and click Next to edit policy information.
  6. Configure the Name and Note parameters for the policy.
  7. Click OK.

Step 2: Attach the custom policy to the worker RAM role

  1. Log on to the ACK console and click Clusters in the left-side navigation pane.
  2. On the Clusters page, click the name of the cluster that you want to manage. On the details page of the cluster, click the Cluster Resources tab.
  3. On the Cluster Resources tab, click the role name next to Worker RAM Role to log on to the RAM console.
  4. On the Permissions tab, click Grant Permission. On the Custom Policy tab of the panel that appears, select the custom policy that you created in the previous step.
  5. Click OK.
  6. Click Complete.
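Because the worker RAM role starts with no permissions on new clusters, the policy content entered in Step 1 decides everything the role can do. The following is an added example, not part of the original documentation: a small Python check that flags over-broad `Allow` statements in a RAM policy document before you paste it into the JSON tab. The two sample policies, the bucket name `example-app-bucket`, and the chosen OSS actions are constructed assumptions for illustration.

```python
# Added example: lint a RAM policy document before attaching it to the worker RAM role.
# Bucket name and actions are constructed sample values, not from the ACK documentation.

BROAD_POLICY = {  # constructed: grants every OSS action on every resource
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Action": "oss:*", "Resource": "*"}],
}

SCOPED_POLICY = {  # constructed: read-only access to one assumed bucket
    "Version": "1",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["oss:GetObject", "oss:ListObjects"],
        "Resource": ["acs:oss:*:*:example-app-bucket",
                     "acs:oss:*:*:example-app-bucket/*"],
    }],
}


def _as_list(value):
    """Statement, Action and Resource may each be a single item or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def lint_policy(policy):
    """Return (statement_index, message) findings for over-broad Allow statements."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        if not actions:
            findings.append((idx, "Allow without an explicit Action list"))
        for action in actions:
            if "*" in action:
                findings.append((idx, f"wildcard action: {action}"))
        for resource in _as_list(stmt.get("Resource")):
            # ARN form is acs:<service>:<region>:<account>:<relative-id>;
            # only a wildcard relative-id (or a bare "*") means "everything".
            if resource.split(":", 4)[-1] == "*":
                findings.append((idx, f"wildcard resource: {resource}"))
    return findings


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

The region and account fields of a resource ARN are commonly left as `*`, so the check only treats a wildcard in the final relative-id field as a finding.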