Starting January 30, 2023, Container Service for Kubernetes (ACK) will check your permissions when you use the Secret encryption feature in ACK Pro clusters. To enable or disable Secret encryption for an ACK Pro cluster, the Resource Access Management (RAM) user or RAM role that you use must have the required RAM permissions and be assigned the predefined role-based access control (RBAC) administrator role or O&M engineer role.
Impact
If you want to use a RAM user or RAM role to enable or disable Secret encryption for an ACK Pro cluster, the RAM user or RAM role must meet the following requirements:
The RAM policy that is attached to the RAM user or RAM role must provide the cs:UpdateKMSEncryption permission.
The RAM user or RAM role is assigned the predefined RBAC administrator role or O&M engineer role in the ACK Pro cluster.
Before this requirement takes effect, enabling or disabling Secret encryption for an ACK Pro cluster is not subject to this permission check. After the requirement takes effect, the operation fails if the RAM user or RAM role that you use does not meet the permission requirements. If the ACK console displays one of the following errors, you must grant the RAM user or RAM role the required permissions:
If the error "RAM policy Forbidden for action cs:UpdateKMSEncryption" is displayed, see Modify the RAM policy attached to the RAM user or RAM role.
If the error "Forbidden update kms cluster, this operation need Ops rbac binding at least" is displayed, see Assign a required RBAC role to the RAM user or RAM role.
Modify the RAM policy attached to the RAM user or RAM role
Add the following statement to the RAM policy that is attached to the RAM user or RAM role. For more information, see Modify the document and description of a custom policy.
{
    "Action": [
        "cs:UpdateKMSEncryption"
    ],
    "Effect": "Allow",
    "Resource": [
        "*"
    ]
}
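The following script is an added example and is not part of this announcement or of ACK. It checks whether a RAM policy document already grants cs:UpdateKMSEncryption (honouring wildcard actions such as "cs:*" and explicit Deny statements) and, if not, appends the statement shown above to the document's Statement array. The sample policy document it checks is constructed for the example.

```python
import fnmatch
import json

REQUIRED_ACTION = "cs:UpdateKMSEncryption"

# The statement the announcement tells you to add to the RAM policy.
REQUIRED_STATEMENT = {"Action": [REQUIRED_ACTION], "Effect": "Allow", "Resource": ["*"]}

# Constructed sample document (not from the page): read-only container-service
# permissions only, so the required action is missing.
SAMPLE_POLICY = json.dumps({
    "Version": "1",
    "Statement": [{"Action": ["cs:Get*", "cs:Describe*"], "Effect": "Allow", "Resource": "*"}],
})


def _as_list(value):
    # RAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def action_allowed(policy_json, action=REQUIRED_ACTION, resource="*"):
    """True if the document grants `action` on `resource`. Action matching is
    case-insensitive and honours '*' wildcards (e.g. "cs:*"); a matching
    explicit Deny wins over any Allow."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def ensure_update_kms_statement(policy_json):
    """Return the document with the required statement appended when the
    action is not already granted; otherwise return it unchanged."""
    if action_allowed(policy_json):
        return policy_json
    doc = json.loads(policy_json)
    doc["Statement"] = _as_list(doc.get("Statement", [])) + [REQUIRED_STATEMENT]
    return json.dumps(doc, indent=2)
```

Running the check before and after ensure_update_kms_statement(SAMPLE_POLICY) shows the action going from denied to allowed; the RBAC role assignment in the next section is a separate requirement that this script does not cover.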
Assign a required RBAC role to the RAM user or RAM role
Assign the predefined RBAC administrator role or O&M engineer role that grants access to all namespaces in the ACK Pro cluster to the RAM user or RAM role. For more information, see Grant RBAC permissions to RAM users or RAM roles.