Container Service for Kubernetes:[Product Changes] Permissions required for using Secret encryption in ACK Pro clusters

Last Updated:Oct 10, 2023

Starting January 30, 2023, Container Service for Kubernetes (ACK) checks your permissions when you use the Secret encryption feature in ACK Pro clusters. To enable or disable Secret encryption for an ACK Pro cluster, the Resource Access Management (RAM) user or RAM role that you use must have the required RAM permission (cs:UpdateKMSEncryption) and must be assigned the predefined role-based access control (RBAC) administrator role or O&M engineer role in the cluster. Both checks must pass; a RAM policy alone or an RBAC role alone is not sufficient.

Impact

If you want to use a RAM user or RAM role to enable or disable Secret encryption for an ACK Pro cluster, the RAM user or RAM role must meet the following requirements:

  1. A RAM policy attached to the RAM user or RAM role must contain an Allow statement for the cs:UpdateKMSEncryption action, and no policy may explicitly deny it.

  2. The RAM user or RAM role must be assigned the predefined RBAC administrator role or O&M engineer role in the ACK Pro cluster, with access to all namespaces.

Before this requirement takes effect, you can enable or disable Secret encryption for an ACK Pro cluster without these permissions. After it takes effect, enabling or disabling Secret encryption fails if the RAM user or RAM role that you use does not meet both requirements. If the ACK console displays the following errors, grant the RAM user or RAM role the required permissions as described in the next two sections:

Modify the RAM policy attached to the RAM user or RAM role

Add the following statement to a custom RAM policy that is attached to the RAM user or RAM role. If the RAM user or RAM role already has a policy that allows all cs:* actions, such as the system policy AliyunCSFullAccess, no change is needed. For more information, see Modify the document and description of a custom policy.

  {
      "Action": [
          "cs:UpdateKMSEncryption"
      ],
      "Effect": "Allow",
      "Resource": [
          "*"
      ]
  }

Assign a required RBAC role to the RAM user or RAM role

Assign the predefined RBAC administrator role or O&M engineer role to the RAM user or RAM role, with access to all namespaces in the ACK Pro cluster. A role that is scoped to a single namespace does not satisfy this requirement. For more information, see Grant RBAC permissions to RAM users or RAM roles.
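The following preflight script is an added example and is not part of this page or of Alibaba Cloud's own tooling. It checks, offline, whether a RAM identity satisfies the two requirements above: it evaluates exported RAM policy documents against the cs:UpdateKMSEncryption action using RAM's core rules (an explicit Deny overrides any Allow, Action names are matched case-insensitively with "*" wildcards, and a statement's Condition is ignored here), and it checks that one of the two predefined RBAC roles is assigned on all namespaces. The policy documents, the role assignment list, the cluster resource string format, and the function names are all assumptions of this example; the sample policies are constructed, and one of them is the statement from this page wrapped in a complete custom policy document.

```python
"""Preflight: can this RAM identity toggle Secret encryption on an ACK Pro cluster?

Added example (not Alibaba Cloud's own code). Policy documents are assumed to have
been exported from the RAM console or API; RBAC assignments are assumed to be
(role name, namespace) pairs read from the cluster's authorization page, with "*"
meaning all namespaces. Condition elements are ignored (simplification).
"""
import fnmatch
import json

REQUIRED_ACTION = "cs:UpdateKMSEncryption"
# Names as shown on this page; either role must be granted on all namespaces.
ACCEPTED_RBAC_ROLES = {"administrator", "O&M engineer"}


def _as_list(value):
    # RAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # RAM action and resource matching is case-insensitive; '*' is the wildcard.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policies, action=REQUIRED_ACTION, resource="*"):
    """Return (decision, reason) for one action/resource against [(name, doc), ...]."""
    allowed_by = None
    for name, doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if not any(_matches(p, action) for p in _as_list(stmt.get("Action", []))):
                continue
            if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
                continue
            if stmt.get("Effect") == "Deny":
                return "Deny", f"explicit Deny in policy {name!r}"  # Deny always wins
            if stmt.get("Effect") == "Allow" and allowed_by is None:
                allowed_by = name
    if allowed_by is not None:
        return "Allow", f"allowed by policy {allowed_by!r}"
    return "Deny", "no statement allows the action (implicit deny)"


def has_required_rbac(assignments):
    """True if an accepted predefined role is assigned with all-namespace scope."""
    return any(role in ACCEPTED_RBAC_ROLES and ns == "*" for role, ns in assignments)


def preflight(policies, assignments, cluster_resource):
    """Return a list of problems; an empty list means both requirements are met."""
    problems = []
    decision, reason = evaluate(policies, resource=cluster_resource)
    if decision != "Allow":
        problems.append(f"RAM: {reason}")
    if not has_required_rbac(assignments):
        problems.append("RBAC: administrator or O&M engineer role on all namespaces is required")
    return problems


# Constructed sample inputs. The first is the statement from this page, wrapped
# in a complete custom policy document.
SECRET_ENCRYPTION_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Action": ["cs:UpdateKMSEncryption"], "Effect": "Allow", "Resource": ["*"]}
  ]
}""")
READONLY_POLICY = {"Version": "1", "Statement": [
    {"Action": ["cs:Describe*", "cs:Get*"], "Effect": "Allow", "Resource": "*"}]}
DENY_POLICY = {"Version": "1", "Statement": [
    {"Action": "cs:UpdateKMSEncryption", "Effect": "Deny", "Resource": "*"}]}
# Assumed resource string format for an ACK cluster (constructed IDs).
CLUSTER = "acs:cs:cn-hangzhou:1234567890123456:cluster/c0123456789abcdef"

if __name__ == "__main__":
    for label, pols, rbac in [
        ("read-only user, developer role", [("ro", READONLY_POLICY)], [("developer", "*")]),
        ("kms policy, ops role", [("ro", READONLY_POLICY), ("kms", SECRET_ENCRYPTION_POLICY)],
         [("O&M engineer", "*")]),
        ("kms policy but explicit deny", [("kms", SECRET_ENCRYPTION_POLICY), ("deny", DENY_POLICY)],
         [("administrator", "*")]),
    ]:
        print(label, "->", preflight(pols, rbac, CLUSTER) or "OK")
```

Run it once against the identity's exported policies before toggling Secret encryption; the explicit-Deny case is the one that most often surprises teams that attach the statement above to a user who also carries a broad "Deny cs:Update*" guardrail policy.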