Container Service for Kubernetes: Best practices of authorization

Last Updated: Sep 08, 2023

The authorization system of Container Service for Kubernetes (ACK) consists of Resource Access Management (RAM) authorization and role-based access control (RBAC) authorization. RAM authorization is used to grant permissions on cloud resources. RBAC authorization is used to grant permissions on Kubernetes resources in a cluster. You can use the two methods to grant permissions to a user based on the role and requirements of the user. This topic describes the best practices of RAM authorization and RBAC authorization that you can use to grant O&M engineers, developers, and authorization administrators the permissions to manage your clusters and applications.

ACK authorization system

The authorization system of ACK consists of RAM authorization and RBAC authorization. RAM authorization is used to grant permissions on cloud resources. RBAC authorization is used to grant permissions on Kubernetes resources within a cluster. The following figure shows the authorization system of ACK.

[Figure: Authorization system]

  • RAM authorization is used to grant permissions on the API operations of ACK and other Alibaba Cloud services. You can call these API operations to perform the following O&M operations:

    • Create, view, upgrade, and delete clusters.

    • Create, modify, and scale node pools.

    • Manage authorizations.

    • Monitor clusters, collect the cluster log, and record cluster events.

  • RBAC authorization is used to grant namespace-level or cluster-wide permissions on Kubernetes resources in ACK clusters. This allows you to grant the permissions to create, delete, modify, and view the following types of Kubernetes resources:

    • Workload resources: Deployment, StatefulSet, DaemonSet, Job, CronJob, ReplicaSet, HorizontalPodAutoscaler (HPA), and pod.

    • Network resources: Service, Ingress, and NetworkPolicy.

    • Storage resources: persistent volume (PV), persistent volume claim (PVC), and StorageClass.

    • Namespace, ConfigMap, and Secret.

If you want to use a RAM user or RAM role to manage a cluster and the applications in the cluster, you must first perform RAM authorization and then RBAC authorization on the RAM user or RAM role. You can grant permissions according to one of the following typical scenarios.

Scenario 1: Grant O&M engineers the permissions to manage clusters and applications

O&M engineers require the permissions to manage and maintain clusters and applications. You must perform both RAM authorization and RBAC authorization.

  1. RAM authorization

    You can use the AliyunCSFullAccess and AliyunCSReadOnlyAccess RAM policies to grant ACK-related permissions:

    • AliyunCSFullAccess contains the permissions to call all the API operations of ACK.

    • AliyunCSReadOnlyAccess contains the permissions to call API operations of ACK for read-only access.

    You can attach the AliyunCSFullAccess or AliyunCSReadOnlyAccess policy to a RAM user or RAM role in the RAM console. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM role.

    If you require fine-grained access control, you can attach custom policies. For more information, see Create a custom RAM policy.

    For example, you can attach the following policy, which limits the O&M actions to a single cluster by its ID, to the RAM user or RAM role that you want to use. For more information about the RAM actions in RAM policies, see Action description.

    {
      "Statement": [
        {
          "Action": [
            "cs:GetClusters",
            "cs:DescribeClustersV1",
            "cs:DescribeClusterNodes",
            "cs:DescribeClusterUserKubeconfig",
            "cs:DescribeClusterResources",
            "cs:DescribeUserQuota",
            "cs:DescribeClusterLogs",
            "cs:ModifyCluster",
            "cs:UpgradeCluster",
            "cs:GetUpgradeStatus",
            "cs:ResumeUpgradeCluster",
            "cs:PauseClusterUpgrade",
            "cs:CancelClusterUpgrade",
            "cs:InstallClusterAddons",
            "cs:UpgradeClusterAddons",
            "cs:DescribeClusterAddonsUpgradeStatus",
            "cs:DescribeAddons",
            "cs:RemoveClusterNodes",
            "cs:CreateClusterNodePool",
            "cs:DescribeClusterNodePools",
            "cs:DescribeClusterNodePoolDetail",
            "cs:ScaleClusterNodePool",
            "cs:ModifyClusterNodePool",
            "cs:DeleteClusterNodepool",
            "cs:UnInstallClusterAddons"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cs:*:*:cluster/<yourclusterID>"
          ]
        }
      ],
      "Version": "1"
    }

    For more information about the API operations of ACK, see [Product Changes] ACK API enhances user authentication and List of operations by function.

  2. RBAC authorization

    After you perform RAM authorization, you must perform RBAC authorization on the RAM user or RAM role. ACK provides the following predefined RBAC roles, each with the listed permissions on cluster resources:

    • Administrator: read and write permissions on resources in all namespaces.

    • O&M engineer: read and write permissions on visible Kubernetes resources in the console in all namespaces, and read-only permissions on nodes, persistent volumes (PVs), namespaces, and quotas.

    • Developer: read and write permissions on visible resources in the console in all or specified namespaces.

    • Restricted user: read-only permissions on visible resources in the console in all or specified namespaces.

    On the Authorizations page of the ACK console, grant the O&M Engineer permission to the RAM user or RAM role and specify the cluster and namespace within which the role is applied.

    After you assign the predefined role, ACK automatically creates a ClusterRoleBinding object for the RAM user or RAM role. The following sample code shows the permissions provided by the O&M Engineer role:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cs:ops
    rules:
    - apiGroups: [""]
      resources:  ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["bindings", "events", "limitranges", "namespaces/status", "replicationcontrollers/status", "pods/log", "pods/status", "resourcequotas", "resourcequotas/status", "componentstatuses"]
      verbs: ["get", "list", "watch"]
    - apiGroups: [""]
      resources:  ["namespaces", "nodes", "persistentvolumes"]
      verbs: ["get", "list", "watch", "patch"]
    - apiGroups: ["coordination.k8s.io"]
      resources:  ["leases"]
      verbs: ["get"]
    - apiGroups: ["apps"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["autoscaling"]
      resources:  ["horizontalpodautoscalers"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["batch"]
      resources:  ["cronjobs", "jobs"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["extensions"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale","ingresses","replicasets", "replicasets/scale", "replicationcontrollers/scale"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.k8s.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
      verbs: ["update"]
    - apiGroups: ["storage.k8s.io"]
      resources:  ["storageclasses"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["alicloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["policy"]
      resources:  ["poddisruptionbudgets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["metrics.k8s.io"]
      resources: ["pods", "nodes"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["networking.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["config.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["rbac.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["istio.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["authentication.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["log.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["monitoring.kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["apiextensions.k8s.io"]
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["serving.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["messaging.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["sources.eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["tekton.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["alert.alibabacloud.com"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]

    If you require fine-grained access control, you can create a custom ClusterRole. For more information, see RBAC. After you create a custom ClusterRole, go to the Authorizations page of the ACK console, select Custom, and then select the ClusterRole that you created from the drop-down list. For more information, see Customize an RBAC role.

Scenario 2: Grant developers the permissions to manage your clusters and applications

Developers require only the permissions to manage Kubernetes resources in ACK clusters. Therefore, you need only to perform RBAC authorization.

Important

Before you perform the authorization, you must grant the RAM user or RAM role read-only access to ACK. To do this, you must attach a RAM policy to the RAM user or RAM role.

  1. RAM authorization

    Go to the RAM console and create a custom policy. Then, attach the policy to the RAM user or RAM role that you want to use. For more information, see Create a custom RAM policy. Example:

    {
      "Statement": [
        {
          "Action": [
            "cs:Get*",
            "cs:List*",
            "cs:Describe*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cs:*:*:cluster/c5cc77f5180a449a4a48cf8001831xxxx"
          ]
        }
      ],
      "Version": "1"
    }

    Replace the cluster ID in the Resource element with the ID of the cluster that you want to manage.

    Note

    To grant the RAM user or RAM role read-only permissions on all ACK clusters, attach the AliyunCSReadOnlyAccess policy to the RAM user or RAM role.

  2. RBAC authorization

    On the Authorizations page of the ACK console, grant the Developer permission to the RAM user or RAM role and specify the cluster and namespace within which the role is applied.

    After you assign the predefined role, ACK automatically creates a ClusterRoleBinding object for the RAM user or RAM role. The following sample code shows the permissions provided by the Developer role:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cs:ns:dev
    rules:
    - apiGroups: [""]
      resources:  ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["events", "replicationcontrollers/status", "pods/log", "pods/status"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["apps"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["autoscaling"]
      resources:  ["horizontalpodautoscalers"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["batch"]
      resources:  ["cronjobs", "jobs"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["extensions"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale","ingresses","replicasets", "replicasets/scale", "replicationcontrollers/scale"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.k8s.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status"]
      verbs: ["update"]
    - apiGroups: ["alicloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["policy"]
      resources:  ["poddisruptionbudgets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["config.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["rbac.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["istio.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["authentication.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["log.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["monitoring.kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["apiextensions.k8s.io"]
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["serving.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["messaging.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["sources.eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["tekton.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["alert.alibabacloud.com"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]

    If you require fine-grained access control, you can create a custom ClusterRole. For more information, see RBAC. After you create a custom ClusterRole, go to the Authorizations page of the ACK console, select Custom, and then select the ClusterRole that you created from the drop-down list. For more information, see Customize an RBAC role.
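To see precisely how the cs:ops ClusterRole in Scenario 1 differs from the cs:ns:dev ClusterRole above, the following Python script (an added example, not code from this topic or from ACK) evaluates Kubernetes RBAC rules with the API server's matching semantics, including the `*` and `*/subresource` forms, over excerpts of the two roles transcribed from this topic. The probe list is constructed; the comparison makes explicit the read-only node, PV, namespace and quota access that only the O&M Engineer role has, and that both roles can read Secrets and open pods/exec in the namespaces they are bound to.

```python
# Excerpts transcribed from the cs:ops and cs:ns:dev ClusterRoles shown in this
# topic, as (apiGroups, resources, verbs) tuples; the Istio, Knative and other
# add-on groups are left out because the two roles grant them identically.
RW = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
RO = ["get", "list", "watch"]
CS_OPS = [
    ([""], ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"], RW),
    ([""], ["configmaps", "endpoints", "persistentvolumeclaims", "secrets",
            "serviceaccounts", "services", "services/proxy"], RW),
    ([""], ["events", "pods/log", "pods/status", "resourcequotas", "limitranges"], RO),
    ([""], ["namespaces", "nodes", "persistentvolumes"], RO + ["patch"]),
    (["apps"], ["daemonsets", "deployments", "deployments/scale", "replicasets",
                "statefulsets"], RW),
    (["networking.k8s.io"], ["*"], RW),
    (["storage.k8s.io"], ["storageclasses"], RO),
]
CS_NS_DEV = [
    ([""], ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"], RW),
    ([""], ["configmaps", "endpoints", "persistentvolumeclaims", "secrets",
            "serviceaccounts", "services", "services/proxy"], RW),
    ([""], ["events", "pods/log", "pods/status"], RO),
    (["apps"], ["daemonsets", "deployments", "deployments/scale", "replicasets",
                "statefulsets"], RW),
    (["networking.k8s.io"], ["*"], RW),
]

def _resource_matches(patterns, resource):
    """Kubernetes RBAC resource matching: exact name, '*', or '*/<sub>' for a
    subresource of any resource; 'pods' alone never covers 'pods/exec'."""
    for p in patterns:
        if p == "*" or p == resource:
            return True
        if p.startswith("*/") and "/" in resource and resource.split("/", 1)[1] == p[2:]:
            return True
    return False

def can(rules, api_group, resource, verb):
    """True if any rule of the role allows verb on api_group/resource."""
    return any(
        ("*" in groups or api_group in groups)
        and _resource_matches(resources, resource)
        and ("*" in verbs or verb in verbs)
        for groups, resources, verbs in rules
    )

# Constructed probes covering the sensitive access a reviewer checks first.
PROBES = [
    ("", "secrets", "get"), ("", "pods/exec", "create"), ("", "pods", "delete"),
    ("", "nodes", "get"), ("", "nodes", "patch"), ("", "nodes", "delete"),
    ("", "persistentvolumes", "get"), ("", "resourcequotas", "get"),
    ("", "namespaces", "get"), ("", "namespaces", "delete"),
    ("storage.k8s.io", "storageclasses", "get"),
    ("networking.k8s.io", "networkpolicies", "delete"),
]

def compare(rules_a, rules_b, probes=PROBES):
    """Return {probe: (allowed_by_a, allowed_by_b)} for every probe on which the
    two roles disagree, so the difference between the roles is explicit."""
    return {
        (g, r, v): (can(rules_a, g, r, v), can(rules_b, g, r, v))
        for g, r, v in probes
        if can(rules_a, g, r, v) != can(rules_b, g, r, v)
    }
```

Probes absent from the result are ones both roles answer alike, such as Secrets and pods/exec, which both roles allow.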

Scenario 3: Grant authorization administrators the permissions to manage the permissions of RAM users and RAM roles

Authorization administrators require the permissions to manage the RBAC permissions of other RAM users and RAM roles. By default, a RAM user or RAM role cannot grant RBAC permissions to other RAM users or RAM roles. On the Authorizations page of the ACK console, the system displays the following message: The current RAM user account has no permission to manage authorizations. Contact the Alibaba Cloud account owner or authorized RAM user to request permission. This indicates that the RAM user that you use does not have the required RAM permissions and RBAC permissions.

  1. RAM authorization

    You must add the following permissions to the policy that is attached to the RAM user or RAM role that you want to use:

    • Query other RAM users or RAM roles that belong to the Alibaba Cloud account.

    • Attach RAM policies to a specified RAM user or RAM role.

    • Query the RBAC permissions of a RAM user or RAM role.

    • Grant RBAC permissions to other RAM users or RAM roles.

    Go to the RAM console and create a custom policy. Then, attach the policy to the RAM user or RAM role that you want to use. For more information, see Create a custom RAM policy. Example:

    {
      "Statement": [
        {
          "Action": [
            "ram:Get*",
            "ram:List*",
            "cs:GetUserPermissions",
            "cs:GetSubUsers",
            "cs:GrantPermission"
          ],
          "Resource": "*",
          "Effect": "Allow"
        },
        {
          "Action": [
            "ram:AttachPolicyToUser",
            "ram:AttachPolicyToRole"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:ram:*:*:policy/xxxxxx",
            "acs:*:*:*:user/*"
          ]
        }
      ],
      "Version": "1"
    }

    Replace xxxxxx with the name of the RAM policy that you want to attach. If you replace xxxxxx with an asterisk (*), the RAM user or RAM role is authorized to attach all RAM policies to other RAM users or RAM roles.

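The two RAM policies in this topic differ in how tightly they scope resources: the O&M policy in Scenario 1 names one cluster ID, while the policy above grants policy attachment and becomes a path to full account access if xxxxxx is replaced by an asterisk. The following Python script is an added example, not part of this topic or of ACK, that evaluates a RAM policy document with RAM's Allow/Deny semantics, flags both of these over-broad grants, and narrows a policy/* resource to named policies; the policy documents, region, account ID and cluster IDs in it are constructed.

```python
import copy
import re

# Constructed inputs (not files from this topic): the Scenario 3 policy with
# "xxxxxx" replaced by "*", the variant the topic warns against, and a cut-down
# Scenario 1 O&M policy that is scoped to a single cluster ID.
ADMIN_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ram:Get*", "ram:List*", "cs:GetUserPermissions",
                "cs:GetSubUsers", "cs:GrantPermission"]},
    {"Effect": "Allow",
     "Action": ["ram:AttachPolicyToUser", "ram:AttachPolicyToRole"],
     "Resource": ["acs:ram:*:*:policy/*", "acs:*:*:*:user/*"]}]}
OPS_POLICY = {"Version": "1", "Statement": [
    {"Effect": "Allow",
     "Action": ["cs:GetClusters", "cs:ModifyCluster", "cs:UpgradeCluster",
                "cs:RemoveClusterNodes", "cs:DeleteClusterNodepool"],
     "Resource": ["acs:cs:*:*:cluster/c5cc77f5180a449a4a48cf8001831xxxx"]}]}
# Probes: AdministratorAccess is the RAM system policy for full account access;
# the cluster ARN holds a constructed region, account and cluster ID.
ANY_POLICY = "acs:ram:*:*:policy/AdministratorAccess"
ANY_CLUSTER = "acs:cs:cn-hangzhou:123456:cluster/some-other-cluster"
LIFECYCLE = ("cs:ModifyCluster", "cs:UpgradeCluster",
             "cs:RemoveClusterNodes", "cs:DeleteClusterNodepool")

def _glob(pattern, value):
    """RAM-style match: '*' is the only wildcard, everything else is literal."""
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def _as_list(v):
    return v if isinstance(v, list) else [v]

def is_allowed(policy, action, resource):
    """An explicit Deny wins, any matching Allow grants, the default is deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if (any(_glob(a, action) for a in _as_list(stmt["Action"])) and
                any(_glob(r, resource) for r in _as_list(stmt["Resource"]))):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def audit(policy):
    """Findings for the two over-broad grants this topic cautions against."""
    findings = []
    for act in ("ram:AttachPolicyToUser", "ram:AttachPolicyToRole"):
        if is_allowed(policy, act, ANY_POLICY):
            findings.append(f"{act} on policy/*: grantee can attach any policy, "
                            "including full account access; list named policies")
    for act in LIFECYCLE:
        if is_allowed(policy, act, ANY_CLUSTER):
            findings.append(f"{act} is not scoped to a cluster ID; use "
                            "acs:cs:*:*:cluster/<clusterID>")
    return findings

def restrict_attachable_policies(policy, names):
    """Replace every policy/* resource with the given named RAM policies only."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        res = _as_list(stmt["Resource"])
        if any(r.endswith("policy/*") for r in res):
            stmt["Resource"] = ([r for r in res if not r.endswith("policy/*")]
                                + [f"acs:ram:*:*:policy/{n}" for n in names])
    return fixed
```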
  2. RBAC authorization

    You must grant the Administrator permission or the cluster-admin permission to the RAM user or RAM role and specify the cluster and namespace within which the role is applied.

    Note

    By default, Alibaba Cloud accounts and cluster owners are assigned the cluster-admin role and therefore have full access to all Kubernetes resources in the cluster.


After you perform RAM authorization and RBAC authorization on a RAM user or RAM role, you can use the RAM user or RAM role to grant other RAM users or RAM roles RBAC permissions that take effect within the specified scope. For more information, see Grant RBAC permissions to RAM users or RAM roles.