Role-based access control (RBAC) regulates access to cluster resources based on the roles assigned to users. You can associate cluster roles with multiple permissions and configure different Resource Access Management (RAM) policies for different roles. This topic describes how to assign RBAC roles to RAM users.
Configurations
- By default, a RAM user does not have access permissions on the Kubernetes resources in clusters that are not created by the RAM user.
- To assign RBAC roles to a RAM user, make sure that the RAM user is granted at least read-only permissions on the particular cluster in the RAM console.
- Container Service for Kubernetes (ACK) allows you to assign the following predefined RBAC roles to RAM users: Administrator, O&M Engineer, Developer, Restricted User, and Custom. The Administrator role has access permissions on all Kubernetes resources in the cluster.
- If a RAM user assumes the Administrator role, the RAM user can grant other RAM users all cluster-wide permissions. Newly created clusters are automatically bound to existing ClusterRoles.
- When a RAM user assumes the O&M Engineer role to grant permissions to other RAM users, only the clusters and namespaces that the RAM user is authorized to manage are displayed in the console. In addition, the RAM user must be assigned the Administrator or cluster-admin role of the particular cluster or namespace. Otherwise, the RAM user cannot authorize other RAM users to access the particular cluster or namespace.
- ACK allows you to assign RBAC roles to multiple RAM users at a time.
- To ensure data security, you are not allowed to modify RAM policies that are attached to your RAM users in the ACK console. You must read the instructions on the authorization page, log on to the RAM console, and then modify the RAM policies.
Procedure
Predefined and custom RBAC roles
ACK provides the following predefined RBAC roles: Administrator, O&M Engineer, Developer, and Restricted User. You can use these roles to regulate access to the ACK console in most scenarios. In addition, you can use custom roles to control permissions on clusters.

You can log on to a master node of a cluster and run the following command to list the ClusterRoles that exist in the cluster, which include the predefined roles, the system roles, and any custom roles:
kubectl get clusterrole
Expected output:
NAME                              AGE
admin                             13d
alibaba-log-controller            13d
alicloud-disk-controller-runner   13d
cluster-admin                     13d
cs:admin                          13d
edit                              13d
flannel                           13d
kube-state-metrics                22h
node-exporter                     22h
prometheus-k8s                    22h
prometheus-operator               22h
system:aggregate-to-admin         13d
....
system:volume-scheduler           13d
view                              13d
Run the following command to query the details of a role, for example, the cluster-admin role:
kubectl get clusterrole cluster-admin -o yaml
Expected output:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: 2018-10-12T08:31:15Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "57"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
  uid: 2f29f9c5-cdf9-11e8-84bf-00163e0b2f97
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
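The cluster-admin output above is what a role with unrestricted rules looks like: a wildcard in apiGroups, resources and verbs, plus a wildcard on nonResourceURLs. When you add custom roles alongside the predefined ones, it is worth checking that none of them quietly reproduce that shape. The following script is an added example, not part of the ACK documentation or of ACK itself: it reads the JSON that `kubectl get clusterrole -o json` prints and reports custom ClusterRoles whose rules are cluster-admin-equivalent, read Secrets, or carry RBAC escalation verbs. Roles labelled `kubernetes.io/bootstrapping: rbac-defaults` (the label visible on cluster-admin above) are skipped by default so the report focuses on roles you created. The sample ClusterRole list embedded below is constructed for the example; the cluster-admin entry mirrors the rules on the page, and the `team-*` roles are made up.

```python
"""Audit ClusterRoles for cluster-admin-equivalent and other high-risk rules.

Added example (not ACK's own code). Run `python audit_clusterroles.py --stdin`
with the output of `kubectl get clusterrole -o json` on stdin, or run it with
no arguments to audit the constructed sample below.
"""
import json
import sys

WILDCARD = "*"
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}
BOOTSTRAP_LABEL = "kubernetes.io/bootstrapping"

# Constructed sample standing in for `kubectl get clusterrole -o json`.
# cluster-admin copies the rules shown on the page; the team-* roles are invented.
SAMPLE_CLUSTERROLE_LIST = {
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"kind": "ClusterRole",
         "metadata": {"name": "cluster-admin",
                      "labels": {BOOTSTRAP_LABEL: "rbac-defaults"}},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                   {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRole",  # constructed: a custom role that is cluster-admin in disguise
         "metadata": {"name": "team-ops-everything"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
        {"kind": "ClusterRole",  # constructed: a reasonable read-only developer role
         "metadata": {"name": "team-dev-readonly"},
         "rules": [{"apiGroups": [""], "resources": ["pods", "services"],
                    "verbs": ["get", "list", "watch"]},
                   {"apiGroups": ["apps"], "resources": ["deployments"],
                    "verbs": ["get", "list", "watch"]}]},
        {"kind": "ClusterRole",  # constructed: reads Secrets and can bind ClusterRoles
         "metadata": {"name": "team-dev-secrets"},
         "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["*"]},
                   {"apiGroups": ["rbac.authorization.k8s.io"],
                    "resources": ["clusterrolebindings"],
                    "verbs": ["create", "bind"]}]},
    ],
}


def _matches(values, wanted):
    """True if a rule field lists the wanted value or the '*' wildcard."""
    return WILDCARD in values or wanted in values


def rule_findings(rule):
    """Return finding codes for one RBAC rule (empty list when nothing stands out)."""
    groups = rule.get("apiGroups", [])
    resources = rule.get("resources", [])
    verbs = rule.get("verbs", [])
    # Wildcard on every axis is exactly the cluster-admin rule; it subsumes the rest.
    if WILDCARD in groups and WILDCARD in resources and WILDCARD in verbs:
        return ["wildcard-all"]
    findings = []
    if WILDCARD in rule.get("nonResourceURLs", []) and WILDCARD in verbs:
        findings.append("wildcard-nonresource")
    # Secrets live in the core API group, whose name is the empty string.
    if (_matches(groups, "") and _matches(resources, "secrets")
            and any(_matches(verbs, v) for v in ("get", "list", "watch"))):
        findings.append("secrets-read")
    # bind/escalate/impersonate let a subject gain rights beyond its own role.
    if ESCALATION_VERBS & set(verbs):
        findings.append("rbac-escalation")
    return findings


def audit_clusterroles(clusterrole_list, skip_bootstrapped=True):
    """Map each flagged ClusterRole name to its sorted, de-duplicated finding codes."""
    report = {}
    for role in clusterrole_list.get("items", []):
        meta = role.get("metadata", {})
        if skip_bootstrapped and BOOTSTRAP_LABEL in meta.get("labels", {}):
            continue  # created by Kubernetes itself, e.g. cluster-admin
        codes = set()
        for rule in role.get("rules", []):
            codes.update(rule_findings(rule))
        if codes:
            report[meta["name"]] = sorted(codes)
    return report


def main():
    data = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE_CLUSTERROLE_LIST
    for name, codes in sorted(audit_clusterroles(data).items()):
        print(f"{name}: {', '.join(codes)}")


if __name__ == "__main__":
    main()
```

On the sample, `team-ops-everything` is reported as `wildcard-all` and `team-dev-secrets` as `rbac-escalation, secrets-read`, while `team-dev-readonly` produces no finding; pass `skip_bootstrapped=False` to `audit_clusterroles` if you also want cluster-admin and the other bootstrapped roles in the report.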