Customize an RBAC role - User Guide for Kubernetes Clusters| Alibaba Cloud Documentation Center

The Roles and ClusterRoles provided by role-based access control (RBAC) contains a set of permissions. A Role defines permissions within a particular namespace. A ClusterRole defines permissions on cluster-scoped resources. This topic describes how to customize a Role and a ClusterRole.

Prerequisites

The Security > Roles component of the Container Service for Kubernetes (ACK) console is in the canary release stage. To use this component, Submit a ticket to apply to be added to a whitelist.

How to create an RBAC role

You can create an RBAC role by using a YAML file or in the Container Service for Kubernetes (ACK) console.

Create a Role

If you want to define permissions within a particular namespace, create a Role.

The following YAML template provides an example on how to create a Role in the default namespace. You can use this Role to grant all permissions on pods in the default namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-role
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

Create a ClusterRole

If you want to define cluster-wide permissions, create a ClusterRole.

The following YAML template provides an example on how to create a ClusterRole. You can use this ClusterRole to grant all permissions on pods in an individual namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

For more information about Roles and ClusterRoles, see Roles and ClusterRoles.

Create a custom RBAC role

Note This section shows how to create a custom ClusterRole. The steps to create a ClusterRole are similar to the steps to create a Role.

Log on to the ACK console.
In the left-side navigation pane of the ACK console, click Clusters.
On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
In the left-side navigation pane of the cluster details page, choose Security > Role.
On the Role page, click the Cluster Role tab.
On the Cluster Role tab, click Create.
In the Create YAML pane, enter the content of the ClusterRole and click OK to create the ClusterRole.
In this step, the YAML template used in the Create a ClusterRole section of How to create an RBAC role is used. After the ClusterRole is created, you can view the created ClusterRole test-clusterrole on the Cluster Role tab.

What to do next

For more information about how to assign RBAC roles to Resource Access Management (RAM) users or RAM roles, see Assign RBAC roles to RAM users or RAM roles.

Notice ACK allows you to assign only ClusterRoles to RAM users or RAM roles. You cannot assign Roles to RAM users or RAM roles in ACK.