Role-based access control (RBAC) controls resource access based on the roles of users. You can associate cluster roles with multiple permissions and configure different permission policies for different roles. This topic describes how to grant Resource Access Management (RAM) users or RAM roles RBAC permissions on a Container Service for Kubernetes (ACK) cluster.

Configurations

  • By default, a RAM user or RAM role does not have permissions to access the Kubernetes resources in a cluster if the cluster is not created by the RAM user or RAM role.
  • To grant RBAC permissions to a RAM user or RAM role, you must ensure that the RAM user or RAM role is granted at least read-only permissions on the specified cluster in the RAM console.
  • ACK allows you to assign the following predefined RBAC roles to RAM users or RAM roles: Administrator, O&M Engineer, Developer, Restricted User, and Custom. The Administrator role has permissions to access all Kubernetes resources in the cluster.
  • If a RAM user or RAM role assumes the Administrator role, the RAM user or RAM role can grant other RAM users or RAM roles all cluster-scoped permissions. Newly created clusters are automatically bound to existing ClusterRoles.
  • When a RAM user or RAM role assumes the O&M Engineer role to grant permissions to other RAM users or RAM roles, only the clusters and namespaces that the RAM user or RAM role is authorized to manage are listed in the console. In addition, the RAM user or RAM role must be assigned the Administrator or cluster-admin role of the specified cluster or namespace. Otherwise, the RAM user or RAM role cannot authorize other RAM users or RAM roles to access the specified cluster or namespace.
  • You can grant permissions to multiple RAM users or RAM roles at a time.
  • To ensure data security, you are not allowed to modify RAM policies that are attached to your RAM users or RAM roles in the ACK console. You must read the instructions on the authorization page, log on to the RAM console, and then modify the policies.

Procedure

  1. Log on to the ACK console.
  2. In the left-side navigation pane, click Authorizations to go to the Authorizations page.
  3. On the Select RAM User wizard page of the Authorizations page, grant permissions.
    • Grant permissions to RAM users:

      On the Select RAM User wizard page, click the RAM Users tab. Find the RAM user that you want to manage and click Modify Permissions to go to the Configure Role-Based Access Control (RBAC) wizard page.

    • Grant permissions to RAM roles:

      On the Select RAM User wizard page, click the RAM Roles tab. Enter the name of the RAM role that you want to manage and click Modify Permissions to go to the Configure Role-Based Access Control (RBAC) wizard page.

    Note If you log on to the ACK console as a RAM user or RAM role, make sure that the RAM user or RAM role has at least read-only permissions on the cluster that you want to manage. In addition, the RAM user or RAM role must be assigned the cluster-admin role or administrator role of the cluster. For more information, see Create a custom RAM policy.
  4. On the Configure Role-Based Access Control (RBAC) wizard page, click Add Permissions to add cluster-scoped or namespace-scoped permissions and select a predefined or custom RBAC role in the Permission column. You can also click the minus sign (-) to remove permissions. After you add the permissions, click Next Step.
    Note You can assign one predefined RBAC role and one or more custom RBAC roles to a RAM user or RAM role for a specific cluster or namespace.
    The following table describes the permissions that the predefined and custom RBAC roles have on clusters and namespaces.
    Table 1. Roles and permissions
    • Administrator: Read and write permissions on resources in all namespaces.
    • O&M engineer: Read and write permissions on visible Kubernetes resources in the console in all namespaces, and read-only permissions on nodes, persistent volumes (PVs), namespaces, and quotas.
    • Developer: Read and write permissions on visible resources in the console in all or specified namespaces.
    • Restricted user: Read-only permissions on visible resources in the console in all or specified namespaces.
    • Custom role: The permissions of a custom role are determined by the ClusterRole that you select. Before you select a ClusterRole, check the permissions of the ClusterRole and make sure that you grant only the required permissions to the RAM user or RAM role. For more information, see Customize an RBAC role.
  5. On the Submit Authorization wizard page, follow the instructions on the page.
    • If The authorization is complete is displayed, it indicates that the RBAC roles are assigned to the RAM user or RAM role.
    • If the page reports that the RAM user or RAM role is unauthorized to access the cluster, the RBAC roles are not assigned. You must read the instructions on the returned page, log on to the RAM console, and then grant the RAM user or RAM role at least read-only permissions on the cluster.
      1. On the Submit Authorization page, click Copy and click policy management to go to the Create Policy page in the RAM console.
      2. On the JSON tab of the Create Policy page, paste the content copied in the previous step to replace the original policy content, and then click Next to edit policy information. Then, click OK.
      3. In the left-side navigation pane of the RAM console, choose Identities > Users. Find the RAM user that you want to manage and click Add Permissions in the Actions column.
      4. In the Add Permissions panel, set Authorized Scope, select Custom Policy, and then search for the policy that you created. Click the name of the policy to move the policy to the Selected section on the right side of the page. Click OK to grant the RAM user or RAM role read-only permissions on the specified cluster.
      5. Return to the ACK console. On the Submit Authorization wizard page, click Submit Authorization. The RBAC roles are assigned to the RAM user or RAM role.
    After the RAM user or RAM role is authorized, you can log on to the ACK console as the authorized RAM user or RAM role to manage the specified cluster.

Predefined and custom RBAC roles

ACK provides the following predefined RBAC roles: Administrator, O&M Engineer, Developer, and Restricted User. You can use these roles to regulate access to the ACK console in most scenarios. In addition, you can use custom roles to control permissions on clusters.

ACK provides a set of custom RBAC roles.
Note The cluster-admin role is similar to a super administrator. By default, the cluster-admin role has the permissions to manage all resources within a cluster.

View the permissions of a custom RBAC role

  • Click View Details on the right side of the custom RBAC role to view the permissions of the role.
  • Log on to a node and run the following command to view the RBAC roles in the cluster:
    kubectl get clusterrole

    Expected output:

    NAME                                                                   AGE
    admin                                                                  13d
    alibaba-log-controller                                                 13d
    alicloud-disk-controller-runner                                        13d
    cluster-admin                                                          13d
    cs:admin                                                               13d
    edit                                                                   13d
    flannel                                                                13d
    kube-state-metrics                                                     22h
    node-exporter                                                          22h
    prometheus-k8s                                                         22h
    prometheus-operator                                                    22h
    system:aggregate-to-admin                                              13d
    ....  
    system:volume-scheduler                                                13d
    view                                                                   13d         

    Run the following command to query the details of a role, for example, the cluster-admin role:

    Note After a RAM user or RAM role is assigned the cluster-admin role, the RAM user or RAM role has the same permissions as the Alibaba Cloud account to which the RAM user or RAM role belongs. The RAM user or RAM role has full control over all resources within the cluster. Proceed with caution.
    kubectl get clusterrole cluster-admin -o yaml

    Expected output:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      annotations:
        rbac.authorization.kubernetes.io/autoupdate: "true"
      creationTimestamp: 2018-10-12T08:31:15Z
      labels:
        kubernetes.io/bootstrapping: rbac-defaults
      name: cluster-admin
      resourceVersion: "57"
      selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
      uid: 2f29f9c5-cdf9-11e8-84bf-00163e0b2f97
    rules:
    - apiGroups:
      - '*'
      resources:
      - '*'
      verbs:
      - '*'
    - nonResourceURLs:
      - '*'
      verbs:
      - '*'
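    The cluster-admin output above is the shape a practitioner should learn to recognize before selecting a ClusterRole for a custom role: a rule whose verbs list contains '*' grants full control over everything it matches. The following script is an added example and is not part of the ACK documentation or the ACK product. It reads a ClusterRole manifest (as printed by kubectl get clusterrole NAME -o yaml) from standard input, counts the rules that grant the wildcard verb, and prints a verdict, so the check from the roles table (grant only the required permissions) can be automated in a review step. The function names, the trimmed copy of the cluster-admin manifest and the pod-reader manifest are constructed for this example; the script assumes POSIX sh and awk and the two-space indentation kubectl emits.

```shell
#!/bin/sh
# Added example, not part of the ACK documentation: audit ClusterRole manifests
# for rules that grant the wildcard verb '*'. Any such rule gives full control
# over the resources it matches, which is exactly what the cluster-admin output
# shows. Run it on a custom ClusterRole before assigning that role to a RAM
# user or RAM role. Requires only POSIX sh and awk.

# count_wildcard_verb_rules: read a ClusterRole manifest on stdin and print the
# number of rules whose verbs list contains '*'. Walks the rules: block line by
# line and relies on the two-space indentation that kubectl prints.
count_wildcard_verb_rules() {
  awk '
    /^rules:/          { in_rules = 1; next }
    !in_rules          { next }
    /^[^ -]/           { in_rules = 0; next }                 # next top-level key: rules: block ended
    /^- /              { rule++; key = ""; sub(/^- /, "") }   # new rule; fall through to read its first key
    /^ *[A-Za-z]+:/    { key = $1; sub(/:$/, "", key); next } # apiGroups / resources / verbs / nonResourceURLs
    /^ +- /            { val = $2; gsub(/["'\'']/, "", val)   # list value; strip the quotes kubectl puts around *
                         if (key == "verbs" && val == "*" && !hit[rule]) { hit[rule] = 1; n++ } }
    END                { print n + 0 }
  '
}

# audit_clusterrole: print a one-line verdict for the manifest on stdin and
# return non-zero when the role is cluster-admin-equivalent for what it matches.
audit_clusterrole() {
  manifest=$(cat)
  name=$(printf '%s\n' "$manifest" | awk '/^  name:/ { print $2; exit }')
  n=$(printf '%s\n' "$manifest" | count_wildcard_verb_rules)
  if [ "$n" -gt 0 ]; then
    echo "$name: $n rule(s) grant verb '*', treat as cluster-admin-equivalent"
    return 1
  fi
  echo "$name: no wildcard verbs"
}

# Sample 1 (constructed from the cluster-admin output above, metadata trimmed).
CLUSTER_ADMIN_YAML=$(cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
EOF
)

# Sample 2 (constructed): a least-privilege custom role that can only read pods.
POD_READER_YAML=$(cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: pod-reader
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - get
  - list
  - watch
EOF
)

# Stand-alone run: audit both samples. A live check would be
#   kubectl get clusterrole NAME -o yaml | audit_clusterrole
printf '%s\n' "$CLUSTER_ADMIN_YAML" | audit_clusterrole || true
printf '%s\n' "$POD_READER_YAML" | audit_clusterrole
```

    The wildcard verb is only the most obvious warning sign; a role can still be far broader than a RAM user needs without it (for example, a rule on secrets with get and list in every namespace), so the count is a first filter for review, not a complete least-privilege check.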

Error codes for insufficient permissions

If you do not have the required permissions when you use the ACK console or call the ACK API to perform an operation, the console or API returns an error code that indicates the required permissions. The following table describes the error codes that indicate the required RBAC permissions on the cluster.

Table 2. Error codes and required RBAC permissions
  • ForbiddenCheckControlPlaneLog: Administrator or O&M engineer permissions are required.
  • ForbiddenHelmUsage: Administrator permissions are required.
  • ForbiddenRotateCert: Administrator permissions are required.
  • ForbiddenAttachInstance: Administrator or O&M engineer permissions are required.
  • ForbiddenUpdateKMSState: Administrator or O&M engineer permissions are required.
  • Forbidden get trigger: Administrator, O&M engineer, or developer permissions are required.
  • ForbiddenQueryClusterNamespace: Administrator, O&M engineer, developer, or restricted user permissions are required.