
Container Service for Kubernetes:[Product Changes] Permissions of the worker RAM role of ACK managed clusters are revoked

Last Updated:Jun 11, 2024

Before this change, the worker Resource Access Management (RAM) role of Container Service for Kubernetes (ACK) managed clusters was granted a limited set of permissions by default. Starting from July 17, 2023, newly created ACK managed clusters no longer grant any permissions to the worker RAM role by default. This reduces the blast radius of a compromised node, because credentials of the worker RAM role can be obtained by workloads running on the node.

Affected versions

ACK managed clusters, including ACK standard clusters and ACK Pro clusters, that are created on or after July 17, 2023 and run version 1.22.15-aliyun.1 or later.

Important

The following clusters are not affected:

  • Clusters that are created before July 17, 2023.

  • Clusters whose version is earlier than 1.22.15-aliyun.1.

  • Clusters created by Alibaba Cloud accounts that are not eligible for this update.

Impact

Before the update, the worker RAM role of ACK managed clusters is granted limited permissions by default.

After the update, no permission is granted to the worker RAM role of newly created ACK managed clusters by default. Keep in mind that any permission you attach to the worker RAM role is available to every pod on the node that can reach the ECS instance metadata service, unless that access is blocked, so grant only what the workload actually needs.

  • If your application needs to call Alibaba Cloud OpenAPI operations from the ACK cluster, we recommend that you use the RAM Roles for Service Accounts (RRSA) feature to obtain credentials for those calls, so that each application gets only its own, pod-scoped permissions instead of sharing the node's role. For more information, see Use RRSA to authorize different pods to access different cloud services.

  • If your application relies on the worker RAM role, you must manually grant the permissions that the application requires to the worker RAM role, scoped as narrowly as possible. For more information, see the Grant permissions to the worker RAM role section of this topic.

  • If you want to install the aliyun-acr-credential-helper component in a newly created cluster, make sure that you install the latest version of the component.

Grant permissions to the worker RAM role

Step 1: Create a custom policy

Create a custom policy that allows only the actions and resources your application needs; avoid wildcard actions such as "*" or "oss:*". For more information about how to create a custom policy, see Create custom policies.

Step 2: Attach the custom policy to the worker RAM role

  1. Log on to the ACK console. In the left-side navigation pane, click Cluster.

  2. On the Clusters page, find the cluster that you want to manage and click its name. On the page that appears, click the Cluster Resources tab.

  3. On the Cluster Resources tab, click the hyperlink next to the Worker RAM Role field to open the role in the RAM console.

  4. On the Permissions tab, click Grant Permission. In the Grant Permission panel, select Custom Policy from the drop-down list and select the custom policy that you created in the previous step.

  5. Click Grant permissions.

  6. Click Close.
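The same two steps can be scripted. The following is an added example that is not part of the ACK documentation: it builds a least-privilege custom policy document, refuses to proceed if the document contains a wildcard action, and then creates the policy and attaches it to the worker RAM role with the Alibaba Cloud CLI (`aliyun ram CreatePolicy` and `aliyun ram AttachPolicyToRole`). The bucket name "app-assets", the policy name, and the worker role name passed in as an argument are hypothetical; copy the real role name from the Worker RAM Role field on the Cluster Resources tab.

```shell
#!/bin/sh
# Added example, not code from the ACK documentation.
# Assumption (hypothetical): the application only needs to read objects from
# the OSS bucket "app-assets". Replace the bucket and role name with your own.

# Emit a RAM policy document that allows only read actions on one bucket.
# No wildcard actions and no "Resource": "*".
worker_policy_document() {
  bucket="$1"
  cat <<EOF
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["oss:GetObject", "oss:ListObjects"],
      "Resource": ["acs:oss:*:*:${bucket}", "acs:oss:*:*:${bucket}/*"]
    }
  ]
}
EOF
}

# Returns 0 if the document grants no wildcard action ("*" or "<service>:*"),
# 1 otherwise. Resource ARNs such as "acs:oss:*:*:bucket/*" are not matched,
# because the pattern requires the star directly after an optional "svc:" prefix.
policy_has_no_wildcard_action() {
  ! printf '%s' "$1" | grep -Eq '"[A-Za-z0-9-]*:?\*"'
}

# Create the custom policy and attach it to the worker RAM role.
# Requires a configured `aliyun` CLI with RAM permissions; run this by hand.
attach_worker_policy() {
  role="$1"
  bucket="$2"
  name="ack-worker-oss-read-${bucket}"
  doc=$(worker_policy_document "$bucket")
  policy_has_no_wildcard_action "$doc" || {
    echo "refusing to create a policy with a wildcard action" >&2
    return 1
  }
  aliyun ram CreatePolicy --PolicyName "$name" --PolicyDocument "$doc" \
    --Description "ACK worker role: read-only access to OSS bucket ${bucket}"
  aliyun ram AttachPolicyToRole --PolicyType Custom --PolicyName "$name" \
    --RoleName "$role"
  # Verify what the worker role can now do.
  aliyun ram ListPoliciesForRole --RoleName "$role"
}

# Usage (hypothetical role name):
#   attach_worker_policy KubernetesWorkerRole-xxxx app-assets
```

The wildcard check is there because a node-wide role is effectively shared by every pod on that node; a policy with "oss:*" or "*" would hand that to all workloads at once. If you later move the application to RRSA, the same policy document can be attached to the pod-scoped RAM role instead.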