Role-based access control (RBAC) controls resource access based on the roles of users. You can associate cluster roles with multiple permissions and configure different permission policies for different roles. This topic describes how to grant Resource Access Management (RAM) users or RAM roles RBAC permissions on a Container Service for Kubernetes (ACK) cluster.
Configurations
- By default, a RAM user or RAM role does not have permissions to access the Kubernetes resources in a cluster if the cluster is not created by the RAM user or RAM role.
- To grant RBAC permissions to a RAM user or RAM role, you must ensure that the RAM user or RAM role is granted at least read-only permissions on the specified cluster in the RAM console.
- ACK allows you to assign the following predefined RBAC roles to RAM users or RAM roles: Administrator, O&M Engineer, Developer, Restricted User, and Custom. The Administrator role has permissions to access all Kubernetes resources in the cluster.
- If a RAM user or RAM role assumes the Administrator role, the RAM user or RAM role can grant other RAM users or RAM roles all cluster-scoped permissions. Newly created clusters are automatically bound to existing ClusterRoles.
- When a RAM user or RAM role assumes the O&M Engineer role to grant permissions to other RAM users or RAM roles, only the clusters and namespaces that the RAM user or RAM role is authorized to manage are listed in the console. In addition, the RAM user or RAM role must be assigned the Administrator or cluster-admin role of the specified cluster or namespace. Otherwise, the RAM user or RAM role cannot authorize other RAM users or RAM roles to access the specified cluster or namespace.
- You can grant permissions to multiple RAM users or RAM roles at a time.
- To ensure data security, you are not allowed to modify RAM policies that are attached to your RAM users or RAM roles in the ACK console. You must read the instructions on the authorization page, log on to the RAM console, and then modify the policies.
Procedure
- Log on to the ACK console.
- In the left-side navigation pane, click Authorizations to go to the Authorizations page.
- On the Select RAM User wizard page of the Authorizations page, grant permissions.
- Grant permissions to RAM users:
On the Select RAM User wizard page, click the RAM Users tab. Find the RAM user that you want to manage and click Modify Permissions to go to the Configure Role-Based Access Control (RBAC) wizard page.
- Grant permissions to RAM roles:
On the Select RAM User wizard page, click the RAM Roles tab. Enter the name of the RAM role that you want to manage and click Modify Permissions to go to the Configure Role-Based Access Control (RBAC) wizard page.
Note If you log on to the ACK console as a RAM user or RAM role, make sure that the RAM user or RAM role has at least read-only permissions on the cluster that you want to manage. In addition, the RAM user or RAM role must be assigned the cluster-admin role or administrator role of the cluster. For more information, see Create a custom RAM policy. - Grant permissions to RAM users:
- On the Configure Role-Based Access Control (RBAC) wizard page, click Add Permissions to add cluster-scoped or namespace-scoped permissions and select a predefined or custom RBAC role in the Permission column. You can also click the minus sign (-) to remove permissions. After you add the permissions, click Next Step. Note You can assign one predefined RBAC role and one or more custom RBAC roles to a RAM user or RAM role for a specific cluster or namespace.
The following table describes the permissions that the predefined and custom RBAC roles have on clusters and namespaces.Table 1. Roles and permissions Role Permission on cluster resources Administrator Read and write permissions on resources in all namespaces. O&M engineer Read and write permissions on visible Kubernetes resources in the console in all namespaces and read-only permissions on nodes, persistent volumes (PVs), namespaces, and quotas. Developer Read and write permissions on visible resources in the console in all or specified namespaces. Restricted user Read-only permissions on visible resources in the console in all or specified namespaces. Custom role The permissions of a custom role are determined by the ClusterRole that you select. Before you select a ClusterRole, check the permissions of the ClusterRole and make sure that you grant only the required permissions to the RAM user or RAM role. For more information, see Customize an RBAC role. - On the Submit Authorization wizard page, follow the instructions on the page.
- If The authorization is complete is displayed, it indicates that the RBAC roles are assigned to the RAM user or RAM role.
- If the result shown in the following figure is returned, it indicates that the RBAC roles are not assigned because the RAM user or RAM role is unauthorized to access the cluster. You must read the instructions on the returned page, log on to the RAM console, and then grant the RAM user or RAM role at least read-only permissions on the cluster.
- On the Submit Authorization page, click Copy and click policy management to go to the Create Policy page in the RAM console.
- On the JSON tab of the Create Policy page, paste the content copied in the previous step to replace the original policy content, and then click Next to edit policy information. Then, click OK.
- In the left-side navigation pane of the RAM console, choose . Find the RAM user that you want to manage and click Add Permissions in the Actions column.
- In the Add Permissions panel, set Authorized Scope, select Custom Policy, and then search for the policy that you created. Click the name of the policy to move the policy to the Selected section on the right side of the page. Click OK to grant the RAM user or RAM role read-only permissions on the specified cluster.
- Return to the ACK console. On the Submit Authorization wizard page, click Submit Authorization. The RBAC roles are assigned to the RAM user or RAM role.
After the RAM user or RAM role is authorized, you can log on to the ACK console as the authorized RAM user or RAM role to manage the specified cluster.
Predefined and custom RBAC roles
ACK provides the following predefined RBAC roles: Administrator, O&M Engineer, Developer, and Restricted User. You can use these roles to regulate access to the ACK console in most scenarios. In addition, you can use custom roles to control permissions on clusters.
ACK provides a set of custom RBAC roles.
Note The cluster-admin role is similar to a super administrator. By default, the cluster-admin role has the permissions to manage all resources within a cluster.
View the permissions of a custom RBAC role
- Click View Details on the right side of the custom RBAC role to view the permissions of the role.
- Log on to a node and run the following command to view the RBAC roles in the cluster:
kubectl get clusterroleExpected output:
NAME AGE admin 13d alibaba-log-controller 13d alicloud-disk-controller-runner 13d cluster-admin 13d cs:admin 13d edit 13d flannel 13d kube-state-metrics 22h node-exporter 22h prometheus-k8s 22h prometheus-operator 22h system:aggregate-to-admin 13d .... system:volume-scheduler 13d view 13dRun the following command to query the details of a role, for example, the cluster-admin role:
Note After a RAM user or RAM role is assigned the cluster-admin role, the RAM user or RAM role has the same permissions as the Alibaba Cloud account to which the RAM user or RAM role belongs. The RAM user or RAM role has full control over all resources within the cluster. Proceed with caution.kubectl get clusterrole cluster-admin -o yamlExpected output:
apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: annotations: rbac.authorization.kubernetes.io/autoupdate: "true" creationTimestamp: 2018-10-12T08:31:15Z labels: kubernetes.io/bootstrapping: rbac-defaults name: cluster-admin resourceVersion: "57" selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin uid: 2f29f9c5-cdf9-11e8-84bf-00163e0b2f97 rules: - apiGroups: - '*' resources: - '*' verbs: - '*' - nonResourceURLs: - '*' verbs: - '*'
Error codes for insufficient permissions
If you do not have the required permissions when you use the ACK console or call the ACK API to perform an operation, the console or API returns an error code that indicates the required permissions. The following table describes the error codes that indicate the required RBAC permissions on the cluster.
| Error code | Required RBAC permission on the cluster |
|---|---|
| ForbiddenCheckControlPlaneLog | Administrator or O&M engineer permissions are required. |
| ForbiddenHelmUsage | Administrator permissions are required. |
| ForbiddenRotateCert | Administrator permissions are required. |
| ForbiddenAttachInstance | Administrator or O&M engineer permissions are required. |
| ForbiddenUpdateKMSState | Administrator or O&M engineer permissions are required. |
| Forbidden get trigger | Administrator, O&M engineer, or developer permissions are required. |
| ForbiddenQueryClusterNamespace | Administrator, O&M engineer, developer, or restricted user permissions are required. |