
Container Service for Kubernetes:[Product Changes] Reduce the permissions of the RAM roles assigned to nodes in ACK dedicated clusters

Last Updated: Aug 28, 2023

After you create a Container Service for Kubernetes (ACK) dedicated cluster, Resource Access Management (RAM) roles are automatically assigned to the nodes in the cluster. By default, these RAM roles are granted more permissions than the cluster components require. To enhance the default security of ACK dedicated clusters, ACK reduces the permissions of the RAM roles that are assigned to nodes in ACK dedicated clusters.

Impact

  • This change applies only to newly created ACK dedicated clusters. ACK managed clusters and ACK Serverless clusters are not affected.

  • This change does not apply to existing ACK dedicated clusters. If you want to reduce the permissions of the RAM roles that are assigned to nodes in existing ACK dedicated clusters, you can modify the RAM policies that are attached to the RAM roles. For more information, see The permissions of master RAM roles and The permissions of worker RAM roles.

    Important

    Before you reduce the permissions of the RAM roles that are assigned to nodes in existing ACK dedicated clusters, make sure that the components in the cluster do not depend on the permissions that you want to remove. Because a removed permission may turn out to be still required, we recommend that you back up the policy content before you modify the RAM policy, so that you can roll back the RAM policy if needed.

The permissions of master RAM roles

After this permission change is applied, master RAM roles have only the minimum permissions that are required by the cloud controller manager (CCM), Container Storage Interface (CSI) drivers, network components, and logging components.

  • Policy content for the minimum permissions required by the CCM

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:Describe*",
                    "ecs:CreateRouteEntry",
                    "ecs:DeleteRouteEntry",
                    "ecs:CreateNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:CreateNetworkInterfacePermission",
                    "ecs:DeleteNetworkInterfacePermission",
                    "ecs:ModifyInstanceAttribute",
                    "ecs:AttachKeyPair",
                    "ecs:StopInstance",
                    "ecs:StartInstance",
                    "ecs:ReplaceSystemDisk"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "slb:Describe*",
                    "slb:CreateLoadBalancer",
                    "slb:DeleteLoadBalancer",
                    "slb:ModifyLoadBalancerInternetSpec",
                    "slb:RemoveBackendServers",
                    "slb:AddBackendServers",
                    "slb:RemoveTags",
                    "slb:AddTags",
                    "slb:StopLoadBalancerListener",
                    "slb:StartLoadBalancerListener",
                    "slb:SetLoadBalancerHTTPListenerAttribute",
                    "slb:SetLoadBalancerHTTPSListenerAttribute",
                    "slb:SetLoadBalancerTCPListenerAttribute",
                    "slb:SetLoadBalancerUDPListenerAttribute",
                    "slb:CreateLoadBalancerHTTPSListener",
                    "slb:CreateLoadBalancerHTTPListener",
                    "slb:CreateLoadBalancerTCPListener",
                    "slb:CreateLoadBalancerUDPListener",
                    "slb:DeleteLoadBalancerListener",
                    "slb:CreateVServerGroup",
                    "slb:DescribeVServerGroups",
                    "slb:DeleteVServerGroup",
                    "slb:SetVServerGroupAttribute",
                    "slb:DescribeVServerGroupAttribute",
                    "slb:ModifyVServerGroupBackendServers",
                    "slb:AddVServerGroupBackendServers",
                    "slb:ModifyLoadBalancerInstanceSpec",
                    "slb:ModifyLoadBalancerInternetSpec",
                    "slb:SetLoadBalancerModificationProtection",
                    "slb:SetLoadBalancerDeleteProtection",
                    "slb:SetLoadBalancerName",
                    "slb:ModifyLoadBalancerInstanceChargeType",
                    "slb:RemoveVServerGroupBackendServers"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:Describe*",
                    "vpc:DeleteRouteEntry",
                    "vpc:CreateRouteEntry"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Policy content for the minimum permissions required by CSI drivers

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeDisks",
                    "ecs:DescribeInstances",
                    "ecs:DescribeAvailableResource",
                    "ecs:DescribeInstanceTypes",
                    "nas:DescribeFileSystems",
                    "ecs:AttachDisk",
                    "ecs:CreateDisk",
                    "ecs:CreateSnapshot",
                    "ecs:DeleteDisk",
                    "ecs:DeleteSnapshot",
                    "ecs:DetachDisk"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Policy content for the minimum permissions required by network components

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:CreateNetworkInterface",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:AttachNetworkInterface",
                    "ecs:DetachNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:DescribeInstanceAttribute",
                    "ecs:DescribeInstanceTypes",
                    "ecs:AssignPrivateIpAddresses",
                    "ecs:UnassignPrivateIpAddresses",
                    "ecs:DescribeInstances",
                    "ecs:ModifyNetworkInterfaceAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Policy content for the minimum permissions required by logging components

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:DeleteProject",
                    "log:CreateLogStore",
                    "log:GetLogStore",
                    "log:UpdateLogStore",
                    "log:DeleteLogStore",
                    "log:CreateConfig",
                    "log:UpdateConfig",
                    "log:GetConfig",
                    "log:DeleteConfig",
                    "log:CreateMachineGroup",
                    "log:UpdateMachineGroup",
                    "log:GetMachineGroup",
                    "log:DeleteMachineGroup",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetAppliedConfigs",
                    "log:RemoveConfigFromMachineGroup",
                    "log:CreateIndex",
                    "log:GetIndex",
                    "log:UpdateIndex",
                    "log:DeleteIndex",
                    "log:CreateSavedSearch",
                    "log:GetSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteSavedSearch",
                    "log:CreateDashboard",
                    "log:GetDashboard",
                    "log:UpdateDashboard",
                    "log:DeleteDashboard",
                    "log:CreateJob",
                    "log:GetJob",
                    "log:DeleteJob",
                    "log:UpdateJob",
                    "log:PostLogStoreLogs",
                    "log:CreateSortedSubStore",
                    "log:GetSortedSubStore",
                    "log:ListSortedSubStore",
                    "log:UpdateSortedSubStore",
                    "log:DeleteSortedSubStore",
                    "log:CreateApp",
                    "log:UpdateApp",
                    "log:GetApp",
                    "log:DeleteApp",
                    "log:GetLogStoreLogs",
                    "log:TagResources",
                    "log:ListJobs",
                    "log:ListTagResources",
                    "log:UntagResources",
                    "log:CreateResourceRecord",
                    "log:UpdateResourceRecord",
                    "log:UpsertResourceRecord",
                    "log:GetResourceRecord",
                    "log:DeleteResourceRecord",
                    "log:ListResourceRecords",
                    "log:ListResources",
                    "log:GetResource",
                    "cs:UpdateContactGroup",
                    "cs:DescribeTemplates",
                    "cs:DescribeTemplateAttribute",
                    "eventbridge:PutEvents"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }

The permissions of worker RAM roles

After this permission change is applied, worker RAM roles have only the minimum permissions that are required by the CCM, CSI drivers, network components, and logging components.

  • Policy content for the minimum permissions required by CSI drivers

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:DescribeDisks",
                    "ecs:DescribeInstances",
                    "ecs:DescribeAvailableResource",
                    "ecs:DescribeInstanceTypes",
                    "nas:DescribeFileSystems",
                    "ecs:AttachDisk",
                    "ecs:CreateDisk",
                    "ecs:CreateSnapshot",
                    "ecs:DeleteSnapshot",
                    "ecs:DetachDisk"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Policy content for the minimum permissions required by network components

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "ecs:CreateNetworkInterface",
                    "ecs:DescribeNetworkInterfaces",
                    "ecs:AttachNetworkInterface",
                    "ecs:DetachNetworkInterface",
                    "ecs:DeleteNetworkInterface",
                    "ecs:DescribeInstanceAttribute",
                    "ecs:DescribeInstanceTypes",
                    "ecs:AssignPrivateIpAddresses",
                    "ecs:UnassignPrivateIpAddresses",
                    "ecs:DescribeInstances",
                    "ecs:ModifyNetworkInterfaceAttribute"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            },
            {
                "Action": [
                    "vpc:DescribeVSwitches"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }
  • Policy content for the minimum permissions required by logging components

    {
        "Version": "1",
        "Statement": [
            {
                "Action": [
                    "log:CreateProject",
                    "log:GetProject",
                    "log:DeleteProject",
                    "log:CreateLogStore",
                    "log:GetLogStore",
                    "log:UpdateLogStore",
                    "log:DeleteLogStore",
                    "log:CreateConfig",
                    "log:UpdateConfig",
                    "log:GetConfig",
                    "log:DeleteConfig",
                    "log:CreateMachineGroup",
                    "log:UpdateMachineGroup",
                    "log:GetMachineGroup",
                    "log:DeleteMachineGroup",
                    "log:ApplyConfigToGroup",
                    "log:GetAppliedMachineGroups",
                    "log:GetAppliedConfigs",
                    "log:RemoveConfigFromMachineGroup",
                    "log:CreateIndex",
                    "log:GetIndex",
                    "log:UpdateIndex",
                    "log:DeleteIndex",
                    "log:CreateSavedSearch",
                    "log:GetSavedSearch",
                    "log:UpdateSavedSearch",
                    "log:DeleteSavedSearch",
                    "log:CreateDashboard",
                    "log:GetDashboard",
                    "log:UpdateDashboard",
                    "log:DeleteDashboard",
                    "log:CreateJob",
                    "log:GetJob",
                    "log:DeleteJob",
                    "log:UpdateJob",
                    "log:PostLogStoreLogs",
                    "log:CreateSortedSubStore",
                    "log:GetSortedSubStore",
                    "log:ListSortedSubStore",
                    "log:UpdateSortedSubStore",
                    "log:DeleteSortedSubStore",
                    "log:CreateApp",
                    "log:UpdateApp",
                    "log:GetApp",
                    "log:DeleteApp",
                    "log:GetLogStoreLogs",
                    "log:TagResources",
                    "log:ListJobs",
                    "log:ListTagResources",
                    "log:UntagResources",
                    "log:CreateResourceRecord",
                    "log:UpdateResourceRecord",
                    "log:UpsertResourceRecord",
                    "log:GetResourceRecord",
                    "log:DeleteResourceRecord",
                    "log:ListResourceRecords",
                    "log:ListResources",
                    "log:GetResource",
                    "cs:UpdateContactGroup",
                    "cs:DescribeTemplates",
                    "cs:DescribeTemplateAttribute",
                    "eventbridge:PutEvents"
                ],
                "Resource": [
                    "*"
                ],
                "Effect": "Allow"
            }
        ]
    }