To further limit the permissions of the worker RAM role of Container Service for Kubernetes (ACK) managed clusters, ACK plans to perform a phased release for the aliyun-acr-credential-helper component on April 3, 2023. The new aliyun-acr-credential-helper version will no longer rely on the permission policy attached to the worker RAM role of ACK managed clusters. To use the new aliyun-acr-credential-helper version as normal, you must assign the system role AliyunCSManagedAcrRole to ACK.
Scope of impact
Only ACK managed clusters (ACK standard and ACK Pro clusters) that are created on or after April 3, 2023 and use aliyun-acr-credential-helper are affected.
Impact
If you do not assign the AliyunCSManagedAcrRole role to ACK before April 3, 2023, you cannot install or update the aliyun-acr-credential-helper component in ACK managed clusters that are created on or after April 3, 2023.
In this scenario, the console displays "Failed to pass the precheck." for the component. You can click View Report and follow the instructions on the page to assign the AliyunCSManagedAcrRole role to ACK.
The change does not affect clusters that are created before April 3, 2023. These clusters can continue to use aliyun-acr-credential-helper as before. For clusters that are created on April 3, 2023 or later, image pulling by using aliyun-acr-credential-helper is affected. The following table describes the impact and suggestions.

Image pulling scenario | Implementation | Status of the permission policy attached to the worker RAM role | Impact and suggestion
---|---|---|---
Pull images within the same account | | The policy is not modified. | No impact. You can use the default method to install and use the new component version.
Pull images within the same account | | The policy is modified to support Container Registry permission policy customization. | By default, the new component version does not support Container Registry permission policy customization. If you want to customize a Container Registry permission policy, take note of the following suggestions:
Pull images from a different account | Assume the worker RAM role | The policy is modified. In this scenario, you need to modify the worker RAM role. | If you want to pull images from a different account, take note of the following suggestions:
Pull images from a different account | Use the RRSA mode | The policy is not modified. You do not need to modify the worker RAM role. | No impact. You can continue to use this method to pull images.
Pull images from a different account | Use the AccessKey ID and AccessKey secret of a RAM user | The policy is not modified. You do not need to modify the worker RAM role. | No impact. You can continue to use this method to pull images.
Pull images across regions | | The policy is not modified. | No impact. You can use the default method to install and use the new component version.
Pull images across regions | | The policy is modified to support Container Registry permission policy customization. | By default, the new component version does not support Container Registry permission policy customization. If you want to customize a Container Registry permission policy, take note of the following suggestions:
Assign the AliyunCSManagedAcrRole role to ACK
You can still assign the system role AliyunCSManagedAcrRole to ACK after April 3, 2023. To ensure that you can install and update the aliyun-acr-credential-helper component in clusters that are created on or after April 3, 2023 once the new component version is released, we recommend that you assign the AliyunCSManagedAcrRole role to ACK before April 3, 2023. This section describes how to assign the AliyunCSManagedAcrRole role to ACK.
Procedure
- Log on to the Cloud Resource Access Authorization console by using an Alibaba Cloud account or a RAM user that has the AdministratorAccess permission.
- On the Cloud Resource Access Authorization page, click Confirm Authorization Policy to assign the AliyunCSManagedAcrRole role to ACK.
Permission policy

```json
{
  "Action": [
    "cr:GetAuthorizationToken",
    "cr:ListInstanceEndpoint",
    "cr:PullRepository"
  ],
  "Resource": [
    "*"
  ],
  "Effect": "Allow"
}
```
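As an added least-privilege check (not part of this notice or of any ACK or RAM tooling), the following Python compares a RAM policy document against the three cr: actions listed above and reports required actions that are missing as well as grants wider than the role needs. The wildcard and partial policies in it are constructed inputs.

```python
import fnmatch
import json

# The three actions granted by the AliyunCSManagedAcrRole policy shown above.
REQUIRED_ACTIONS = (
    "cr:GetAuthorizationToken",
    "cr:ListInstanceEndpoint",
    "cr:PullRepository",
)

# Policy from this notice (a single bare statement, no "Statement" wrapper).
ROLE_POLICY = """{
  "Action": ["cr:GetAuthorizationToken", "cr:ListInstanceEndpoint", "cr:PullRepository"],
  "Resource": ["*"],
  "Effect": "Allow"
}"""
# Constructed examples: a wildcard grant and a grant missing one action.
BROAD_POLICY = '{"Version": "1", "Statement": [{"Action": "cr:*", "Resource": "*", "Effect": "Allow"}]}'
PARTIAL_POLICY = '{"Action": ["cr:GetAuthorizationToken", "cr:ListInstanceEndpoint"], "Resource": "*", "Effect": "Allow"}'


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statements(policy):
    """Accept a full document with "Statement" or a bare statement like the one above."""
    return _as_list(policy["Statement"]) if "Statement" in policy else [policy]


def check_acr_policy(policy_json):
    """Return (missing, excess) for a RAM policy document.

    missing: required cr: actions that no Allow statement covers.
    excess:  Allow patterns that are wildcards or name actions outside the
             required set, i.e. more than this role needs.
    """
    allowed = []
    for stmt in _statements(json.loads(policy_json)):
        if stmt.get("Effect") == "Allow":
            allowed.extend(_as_list(stmt.get("Action", [])))
    missing = [a for a in REQUIRED_ACTIONS
               if not any(fnmatch.fnmatchcase(a, p) for p in allowed)]
    excess = sorted({p for p in allowed if "*" in p or p not in REQUIRED_ACTIONS})
    return missing, excess


if __name__ == "__main__":
    for name, doc in (("role", ROLE_POLICY), ("broad", BROAD_POLICY), ("partial", PARTIAL_POLICY)):
        print(name, check_acr_policy(doc))
```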