This topic describes how to create a custom Resource Access Management (RAM) policy. In this topic, a custom RAM policy is created and attached to a RAM user or RAM role to grant the RAM user or RAM role the permissions to query, modify, and delete Container Service for Kubernetes (ACK) clusters.
Prerequisites
You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements.
Background information
The system policies provided by ACK are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control for your ACK clusters. For example, if you want to control the operation permissions on a specified cluster, you must create a custom policy to meet this requirement for fine-grained management.
Before you use role-based access control (RBAC) to authorize a RAM user or RAM role
to manage a cluster, you must authorize the RAM user or RAM role to manage the cluster
in the RAM console. You can grant the RAM user or RAM role read and write permissions
on the cluster based on your requirements.
- Read permissions: view basic information about a specified cluster, such as cluster configurations and the kubeconfig file.
- Write permissions: manage a specified cluster, such as scaling and upgrading the cluster, and adding nodes to and removing nodes from the cluster.
Before you perform RBAC authorization for the RAM user or RAM role, make sure that
the RAM user or RAM role has read-only permissions on the cluster that you want to
manage.
{
"Statement": [
{
"Action": [
"cs:Get*",
"cs:List*",
"cs:Describe*"
],
"Effect": "Allow",
"Resource": [
"acs:cs:*:*:cluster/<yourclusterID>"
]
}
],
"Version": "1"
}After the RAM user or RAM role is granted the required RAM permissions on the cluster, use RBAC to authorize the RAM user or RAM role to manage cluster resources. For more information, see Assign RBAC roles to RAM users or RAM roles.
Create a custom policy
References
Mappings between RAM actions and API operations
| Operation | RAM Action | Description | Cluster-specific |
|---|---|---|---|
| DescribeEvents | cs:DescribeEvents |
Queries user events. | No |
| StartAlert | cs:StartAlert |
Enables an alert rule. | No |
| StopAlert | cs:StopAlert |
Disables an alert rule. | No |
| UpdateContactGroupForAlert | cs:UpdateContactGroupForAlert |
Updates an alert contact group. | No |
| DeleteAlertContact | cs:DeleteAlertContact |
Deletes an alert contact. | No |
| DeleteAlertContactGroup | cs:DeleteAlertContactGroup |
Deletes an alert contact group. | No |
| DescribeUserPermission | cs:DescribeUserPermission |
Queries the permissions that are granted to a RAM user or RAM role to manage clusters. | No |
| OpenAckService | cs:OpenAckService |
Activates ACK. | No |
| GrantPermissions | cs:GrantPermissions |
Updates the permissions that are granted to a RAM user or RAM role to manage clusters. | No |
| CreateCluster | cs:CreateCluster |
Creates an ACK cluster. The supported cluster types include dedicated Kubernetes cluster, managed Kubernetes cluster, serverless Kubernetes (ASK) cluster, managed edge Kubernetes cluster. You can also create a cluster registration proxy to register an external Kubernetes cluster. | No |
| DescribeClusterResources | cs:DescribeClusterResources |
Queries all resources in a cluster by cluster ID. | Yes |
| DescribeClusterDetail | cs:DescribeClusterDetail |
Queries the details about a cluster by cluster ID. | Yes |
| DescribeUserQuota | cs:DescribeUserQuota |
Queries resource quotas. | No |
| DescribeClustersV1 | cs:DescribeClustersV1 and cs:GetClusters |
Queries the details about all clusters. | No |
| DescribeExternalAgent | cs:DescribeExternalAgent |
Queries a cluster registration proxy by cluster ID. | Yes |
| DescribeClusterLogs | cs:DescribeClusterLogs |
Queries cluster logs by cluster ID. | Yes |
| DescribeTaskInfo | cs:DescribeTaskInfo |
Queries the execution details about a task by task ID. | No |
| DescribeKubernetesVersionMetadata | cs:DescribeKubernetesVersionMetadata |
Queries the Kubernetes versions supported by ACK. | No |
| DescribeClusterUserKubeconfig | cs:DescribeClusterUserKubeconfig |
Queries the kubeconfig file of a cluster by cluster ID. | Yes |
| DescribeClusterAddonUpgradeStatus | cs:DescribeClusterAddonUpgradeStatus |
Queries the upgrade progress of a cluster component. | Yes |
| DescribeClusters | cs:DescribeClusters and cs:GetClusters |
Queries all clusters within the account, including Kubernetes clusters and Swarm clusters. | No |
| DescribeClusterNamespaces | cs:DescribeClusterNamespaces |
Queries the namespaces in a cluster. | Yes |
| ScaleOutCluster | cs:ScaleOutCluster |
Scales out a cluster by cluster ID. | Yes |
| ModifyCluster | cs:ModifyCluster |
Modifies the cluster configurations by cluster ID. | Yes |
| MigrateCluster | cs:MigrateCluster |
Migrates a cluster. | Yes |
| ScaleCluster | cs:ScaleCluster |
Adds nodes to a cluster. | Yes |
| DeleteCluster | cs:DeleteCluster |
Deletes a cluster by cluster ID and releases all nodes in the cluster. | Yes |
| DescribeClusterNodes | cs:DescribeClusterNodes |
Queries the details about all nodes in a cluster by cluster ID. | Yes |
| AttachInstances | cs:AttachInstances |
Adds existing ECS instances to a cluster. | Yes |
| DescribeClusterAttachScripts | cs:DescribeClusterAttachScripts |
Queries the script that is used to add instances to a cluster. | Yes |
| DeleteClusterNodes | cs:DeleteClusterNodes |
Removes specified nodes from a cluster by node names. | Yes |
| RemoveClusterNodes | cs:RemoveClusterNodes |
Removes specified extra nodes from a cluster by node names. | Yes |
| CreateClusterNodePool | cs:CreateClusterNodePool |
Creates a node pool for a cluster. | Yes |
| DescribeClusterNodePools | cs:DescribeClusterNodePools |
Queries the details about all nodes in a cluster by cluster ID. | Yes |
| DescribeClusterNodePoolDetail | cs:DescribeClusterNodePoolDetail |
Queries the details about a node pool in a cluster by node pool ID. | Yes |
| ScaleClusterNodePool | cs:ScaleClusterNodePool |
Scales out a node pool by node pool ID. | Yes |
| ModifyClusterNodePool | cs:ModifyClusterNodePool |
Modifies the node pool configurations by node pool ID. | Yes |
| DeleteClusterNodepool | cs:DeleteClusterNodepool |
Deletes a node pool by node pool ID. | Yes |
| GetUpgradeStatus | cs:GetUpgradeStatus |
Queries the upgrade progress of a cluster by cluster ID. | Yes |
| ResumeUpgradeCluster | cs:ResumeUpgradeCluster |
Resumes the upgrade of a cluster by cluster ID. | Yes |
| UpgradeCluster | cs:UpgradeCluster |
Upgrades a cluster by cluster ID. | Yes |
| PauseClusterUpgrade | cs:PauseClusterUpgrade |
Suspends the upgrade of a cluster. | Yes |
| CancelClusterUpgrade | cs:CancelClusterUpgrade |
Cancels the upgrade of a cluster. | Yes |
| CreateTemplate | cs:CreateTemplate |
Creates an orchestration template. | No |
| DescribeTemplates | cs:DescribeTemplates |
Queries the details about all orchestration templates. | No |
| DescribeTemplateAttribute | cs:DescribeTemplateAttribute |
Queries the details about an orchestration template by template ID. | No |
| UpdateTemplate | cs:UpdateTemplate |
Updates an orchestration template by template ID. | No |
| DeleteTemplate | cs:DeleteTemplate |
Deletes an orchestration template by template ID. | No |
| InstallClusterAddons | cs:InstallClusterAddons |
Installs a component. | Yes |
| DescribeAddons | cs:DescribeAddons |
Queries the details about all components that are supported by ACK. | No |
| DescribeClusterAddonsUpgradeStatus | cs:DescribeClusterAddonsUpgradeStatus |
Queries the upgrade progress of a component by component name. | Yes |
| DescribeClusterAddonsVersion | cs:DescribeClusterAddonsVersion |
Queries the details about all components that are installed in a cluster by cluster ID. | Yes |
| ModifyClusterConfiguration | cs:ModifyClusterConfiguration |
Modifies the configurations of a managed Kubernetes cluster. | Yes |
| UpgradeClusterAddons | cs:UpgradeClusterAddons |
Upgrades a component to a specified version by component name. | Yes |
| PauseComponentUpgrade | cs:PauseComponentUpgrade |
Suspends the upgrade of a component. | Yes |
| ResumeComponentUpgrade | cs:ResumeComponentUpgrade |
Resumes the upgrade of a component. | Yes |
| CancelComponentUpgrade | cs:CancelComponentUpgrade |
Cancels the upgrade of a cluster component. | Yes |
| UnInstallClusterAddons | cs:UnInstallClusterAddons |
Uninstalls a component by component name. | Yes |
| ListTagResources | cs:ListTagResources |
Queries the labels of a cluster by cluster ID. | No |
| TagResources | cs:TagResources |
Adds labels to resources. | No |
| ModifyClusterTags | cs:ModifyClusterTags |
Modifies the labels of a cluster by cluster ID. | Yes |
| UntagResources | cs:UntagResources |
Removes labels from resources. | No |
| CreateTrigger | cs:CreateTrigger |
Creates an application trigger. | Yes |
| DescribeTrigger | cs:DescribeTrigger |
Queries application triggers. | Yes |
| DeleteTrigger | cs:DeleteTrigger |
Deletes an application trigger. | Yes |
Authorize a RAM user or RAM role to call non-cluster-specific API operations
If you want to authorize a RAM user or RAM role to call non-cluster-specific API operations, such as DescribeEvents, do not specify cluster IDs in the Resource field of the policy content.
The following code block shows the current RAM policy:
{
"Statement": [
{
"Action": [
"cs:Get*",
"cs:List*",
"cs:Describe*"
],
"Effect": "Allow",
"Resource": [
"acs:cs:*:*:cluster/c2e63856bcd714197****"
]
}
],
"Version": "1"
}To grant the permissions to call the DescribeEvents operation, you must add the corresponding RAM action
cs:DescribeEvents to the RAM policy, as shown in the following code block:{
"Statement": [
{
"Action": [
"cs:DescribeEvents"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"cs:Get*",
"cs:List*",
"cs:Describe*"
],
"Effect": "Allow",
"Resource": [
"acs:cs:*:*:cluster/c2e63856bcd714197****"
]
}
],
"Version": "1"
}