You can use the RAM Roles for Service Accounts (RRSA) feature to enforce access control on pods that are deployed in a Container Service for Kubernetes (ACK) cluster. This feature allows you to authorize pods to call the APIs of different cloud resources. This topic describes how to use RRSA.

Prerequisites

Only ACK clusters that run Kubernetes 1.22 or later support RRSA. This includes ACK standard clusters, ACK Pro clusters, Serverless Kubernetes (ASK) standard clusters, and ASK Pro clusters.

Background information

Elastic container instances run on ECS instances. Elastic Compute Service (ECS) instance metadata contains information about ECS instances on Alibaba Cloud. You can log on to a running ECS instance and view its metadata, and then configure or manage the ECS instance based on the metadata. Applications deployed in an ACK cluster can use ECS instance metadata to obtain Security Token Service (STS) tokens that are used to assume different Resource Access Management (RAM) roles. This way, the applications can call the APIs of different cloud services. For more information, see Overview of ECS instance metadata.


In multi-tenant scenarios, ECS instance metadata cannot control which cloud services the pods of different applications are allowed to access, because every pod on a node shares the node's RAM role. In scenarios where ASK clusters or elastic container instances are used, ECS instance metadata cannot be used to obtain STS tokens at all, because RAM roles cannot be assigned to elastic container instances. To address these issues, ACK provides the RRSA feature, which is built on RAM. This feature allows you to control which cloud services the pods of different applications can access, and lets pods in ASK clusters and on elastic container instances use STS tokens as temporary access credentials.

By using the RRSA feature, you can allow applications in an ACK cluster to assume specific RAM roles. The applications can obtain STS tokens, use the tokens to assume specific RAM roles, and then access relevant cloud services. This enforces the principle of least privilege and fine-grained access control on the pods of different applications in multi-tenant scenarios. For more information about how the RRSA feature is implemented, see Enable service account token volume projection and Overview of OIDC-based SSO.

The following steps show how an application accesses a cloud resource when RRSA is used to enforce access control:
  1. The tenant deploys a pod for which the feature of service account token volume projection is enabled.
  2. The ACK cluster creates a service account OpenID Connect (OIDC) token file and mounts the token file to the pod.
  3. The application in the pod uses the OIDC token file to call the AssumeRoleWithOIDC API operation of STS and obtain the STS token that is used to assume a specific RAM role. To enable the application to complete these tasks, you must first create an OIDC identity provider and allow the service account used by the pod to assume the specified RAM role. For more information, see AssumeRoleWithOIDC.
  4. The application in the pod uses the obtained STS token to assume the specified RAM role and then calls the API of the relevant cloud service.

Enable RRSA

Method 1: Enable RRSA in the ACK console

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. On the cluster details page, click the Basic Information tab and then click Enable RRSA next to URL of RRSA OIDC Provider.
  5. In the Enable RRSA dialog box, click Confirm.
    After the cluster status changes from Updating to Running, the RRSA feature is enabled for the cluster and the OIDC Issuer URL is displayed next to URL of RRSA OIDC Provider.

Method 2: Enable RRSA by using ack-ram-tool

You can enable RRSA by using the ack-ram-tool CLI. For more information, see ack-ram-tool.

When you enable RRSA for an ACK cluster, ACK performs the following steps in the background:

  1. Automatically creates an OIDC Issuer Service that is dedicated to the cluster. This Service is managed by ACK. For more information, see OIDC Issuer.
  2. Enables the feature of service account token volume projection for your cluster. If your cluster already has this feature enabled, ACK overwrites the value of service-account-issuer with the setting of the OIDC Issuer created in the preceding step. For more information, see Enable service account token volume projection.
  3. Creates a RAM role identity provider within your account. The identity provider uses the created OIDC Issuer for single sign-on. The identity provider is named ack-rrsa-<cluster_id>. <cluster_id> indicates the ID of your cluster. For more information, see Manage an OIDC IdP.

Work with RRSA

After you enable RRSA for your cluster, perform the following steps to enable the applications in the cluster to obtain STS tokens through RRSA. The STS tokens are used to call the APIs of specific cloud services.

  1. Create a RAM role.

    Create a RAM role for the service account that is used by the application. The application then obtains an STS token that is used to assume this RAM role. For more information, see Create a RAM role for a trusted Alibaba Cloud account.

  2. Modify the trust policy of the RAM role.

    Make sure that only the application with the specified service account can obtain the STS token that is used to assume the RAM role. For more information, see Edit the trust policy of a RAM role.

    The following code block shows the content of the trust policy. You can also use ack-ram-tool to automatically configure the policy.

    Notice: Replace the following fields as required:
    • Replace <oidc_issuer_url> with the OIDC Issuer URL of your cluster. You can obtain the URL on the Basic Information tab of the cluster details page.
    • Replace <namespace> with the namespace to which the application belongs.
    • Replace <service_account> with the service account used by the application.
    • Replace <account_uid> with the UID of your Alibaba Cloud account.
    • Replace <cluster_id> with the ID of your cluster.
    {
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Condition": {
            "StringEquals": {
              "oidc:aud": "sts.aliyuncs.com",
              "oidc:iss": "<oidc_issuer_url>",
              "oidc:sub": "system:serviceaccount:<namespace>:<service_account>"
            }
          },
          "Effect": "Allow",
          "Principal": {
            "Federated": [
              "acs:ram::<account_uid>:oidc-provider/ack-rrsa-<cluster_id>"
            ]
          }
        }
      ],
      "Version": "1"
    }
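    The AssumeRoleWithOIDC flow described in the background steps and the trust policy shown above both turn on three claims of the projected token: iss, sub and aud. The following Go program is added here as an example; it is not part of the Alibaba Cloud documentation or SDKs. It decodes the claims of a projected service account token (without verifying the signature, which STS does against the issuer's published keys) and evaluates them against the policy's StringEquals conditions, so that a mismatch such as a wrong namespace in oidc:sub is found locally instead of as a rejected AssumeRoleWithOIDC call. The issuer URL, namespace and service account in it are placeholders, and BuildSampleToken produces a constructed, unsigned token for offline runs.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// TokenClaims are the projected-token claims the RRSA trust policy conditions refer to.
type TokenClaims struct {
	Iss string
	Sub string
	Aud []string
}

// TrustConditions mirrors the StringEquals block of the trust policy.
type TrustConditions struct {
	Iss string // oidc:iss, the cluster's OIDC Issuer URL
	Sub string // oidc:sub, system:serviceaccount:<namespace>:<service_account>
	Aud string // oidc:aud, sts.aliyuncs.com
}

// ExpectedSubject builds the oidc:sub value for a namespace and service account.
func ExpectedSubject(namespace, serviceAccount string) string {
	return "system:serviceaccount:" + namespace + ":" + serviceAccount
}

// ParseClaims decodes the payload of a JWT. It deliberately does NOT verify the
// signature: STS does that. The parser only lets you inspect claims locally.
func ParseClaims(token string) (TokenClaims, error) {
	var c TokenClaims
	parts := strings.Split(strings.TrimSpace(token), ".")
	if len(parts) != 3 {
		return c, errors.New("token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("decode payload: %w", err)
	}
	var raw struct {
		Iss string          `json:"iss"`
		Sub string          `json:"sub"`
		Aud json.RawMessage `json:"aud"` // Kubernetes emits an array; a bare string is also legal JWT
	}
	if err := json.Unmarshal(payload, &raw); err != nil {
		return c, fmt.Errorf("parse payload: %w", err)
	}
	c.Iss, c.Sub = raw.Iss, raw.Sub
	if len(raw.Aud) > 0 {
		if err := json.Unmarshal(raw.Aud, &c.Aud); err != nil {
			var single string
			if err := json.Unmarshal(raw.Aud, &single); err != nil {
				return c, errors.New("aud claim is neither a string nor an array")
			}
			c.Aud = []string{single}
		}
	}
	return c, nil
}

// CheckTrust returns one message per trust-policy condition the token fails.
// An empty result means the claims satisfy the policy (signature and expiry aside).
func CheckTrust(c TokenClaims, want TrustConditions) []string {
	var problems []string
	if c.Iss != want.Iss {
		problems = append(problems, fmt.Sprintf("oidc:iss: token %q, policy %q", c.Iss, want.Iss))
	}
	if c.Sub != want.Sub {
		problems = append(problems, fmt.Sprintf("oidc:sub: token %q, policy %q", c.Sub, want.Sub))
	}
	hasAud := false
	for _, a := range c.Aud {
		if a == want.Aud {
			hasAud = true
		}
	}
	if !hasAud {
		problems = append(problems, fmt.Sprintf("oidc:aud: token %v, policy %q", c.Aud, want.Aud))
	}
	return problems
}

// BuildSampleToken assembles a constructed, unsigned JWT for offline testing only.
// A real projected token is signed by the cluster; this one merely imitates the claims.
func BuildSampleToken(iss, sub string, aud []string) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := enc(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload := enc(map[string]interface{}{"iss": iss, "sub": sub, "aud": aud})
	return header + "." + payload + ".constructed-signature"
}

func main() {
	// Placeholder values: substitute your cluster's OIDC Issuer URL, namespace and service account.
	want := TrustConditions{
		Iss: "https://oidc-issuer.example/placeholder-cluster-id",
		Sub: ExpectedSubject("default", "build-robot"),
		Aud: "sts.aliyuncs.com",
	}
	token, err := os.ReadFile("/var/run/secrets/tokens/oidc-token") // path mounted in the pod example
	if err != nil {
		token = []byte(BuildSampleToken(want.Iss, want.Sub, []string{want.Aud}))
	}
	claims, err := ParseClaims(string(token))
	if err != nil {
		fmt.Println("cannot parse token:", err)
		os.Exit(1)
	}
	problems := CheckTrust(claims, want)
	if len(problems) == 0 {
		fmt.Println("token satisfies the trust policy conditions")
		return
	}
	for _, p := range problems {
		fmt.Println("mismatch:", p)
	}
	os.Exit(1)
}
```

    Run inside the pod from the deployment step, the program reads /var/run/secrets/tokens/oidc-token; anywhere else it falls back to the constructed token. Kubernetes emits aud as an array even for a single audience, which is why the audience check iterates over the claim rather than comparing one string.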
  3. Grant permissions to the RAM role.

    Specify the cloud services that the RAM role is allowed to access. For more information, see Grant permissions to a RAM role.

  4. Deploy the application.

    When you deploy the application, you must modify the application template so that the system can automatically generate an OIDC token. For more information, see Enable service account token volume projection.

    Notice:
    • The value of the audience parameter must be set to sts.aliyuncs.com.
    • The maximum value of the expirationSeconds parameter is 43200 (12 hours). If you specify a value that is greater than 43200, the validity period of the OIDC token is 12 hours.

    The following code block shows an example:

    apiVersion: v1
    kind: Pod
    metadata:
      name: test-rrsa
    spec:
      containers:
      - image: alpine:3.14
        command:
        - sh
        - -c
        - 'sleep inf'
        name: test
        volumeMounts:
        - mountPath: /var/run/secrets/tokens
          name: oidc-token
      serviceAccountName: build-robot
      volumes:
      - name: oidc-token     # The configurations that you add.
        projected:
          sources:
          - serviceAccountToken:
              path: oidc-token
              expirationSeconds: 7200    # The validity period of the OIDC token in seconds.
              audience: "sts.aliyuncs.com"

    After you provision the pod, the application in the pod can use the OIDC token in the /var/run/secrets/tokens/oidc-token file to call the AssumeRoleWithOIDC API operation of STS and obtain an STS token. The application then uses the STS token to assume the specified RAM role and call the API of the relevant cloud service. For more information, see AssumeRoleWithOIDC.
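    A manifest check for the deployment step, added here as an example and not part of ACK or its tooling: the Go program below parses a Pod manifest in JSON form, such as the output of kubectl get pod test-rrsa -o json, and reports every projected serviceAccountToken source whose audience is not sts.aliyuncs.com, whose expirationSeconds exceeds 43200 (and would therefore be capped to 12 hours), or whose volume no container mounts. SamplePod is the pod from the example above transcribed into JSON so the program runs offline; the field names are the standard Kubernetes Pod fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Requirements stated for RRSA projected tokens.
const (
	RRSAAudience         = "sts.aliyuncs.com"
	MaxExpirationSeconds = 43200 // 12 hours; larger values are capped by the cluster
)

// Pod is a minimal view of a Pod manifest in JSON form (kubectl get pod -o json).
type Pod struct {
	Metadata struct {
		Name string `json:"name"`
	} `json:"metadata"`
	Spec struct {
		ServiceAccountName string `json:"serviceAccountName"`
		Containers         []struct {
			Name         string `json:"name"`
			VolumeMounts []struct {
				Name      string `json:"name"`
				MountPath string `json:"mountPath"`
			} `json:"volumeMounts"`
		} `json:"containers"`
		Volumes []struct {
			Name      string `json:"name"`
			Projected *struct {
				Sources []struct {
					ServiceAccountToken *struct {
						Path              string `json:"path"`
						ExpirationSeconds *int64 `json:"expirationSeconds"`
						Audience          string `json:"audience"`
					} `json:"serviceAccountToken"`
				} `json:"sources"`
			} `json:"projected"`
		} `json:"volumes"`
	} `json:"spec"`
}

// CheckPod parses a Pod manifest (JSON) and returns one finding per RRSA
// requirement that its projected token volume does not meet.
func CheckPod(doc []byte) ([]string, error) {
	var pod Pod
	if err := json.Unmarshal(doc, &pod); err != nil {
		return nil, fmt.Errorf("parse pod: %w", err)
	}
	mounted := map[string]bool{}
	for _, c := range pod.Spec.Containers {
		for _, m := range c.VolumeMounts {
			mounted[m.Name] = true
		}
	}
	var findings []string
	tokens := 0
	for _, v := range pod.Spec.Volumes {
		if v.Projected == nil {
			continue
		}
		for _, s := range v.Projected.Sources {
			sat := s.ServiceAccountToken
			if sat == nil {
				continue
			}
			tokens++
			if sat.Audience != RRSAAudience {
				findings = append(findings, fmt.Sprintf("volume %q: audience %q, RRSA requires %q", v.Name, sat.Audience, RRSAAudience))
			}
			if sat.ExpirationSeconds != nil && *sat.ExpirationSeconds > MaxExpirationSeconds {
				findings = append(findings, fmt.Sprintf("volume %q: expirationSeconds %d exceeds %d and will be capped to 12 hours", v.Name, *sat.ExpirationSeconds, MaxExpirationSeconds))
			}
			if !mounted[v.Name] {
				findings = append(findings, fmt.Sprintf("volume %q: no container mounts it, so the token is unreachable", v.Name))
			}
		}
	}
	if tokens == 0 {
		findings = append(findings, "no projected serviceAccountToken volume: the pod cannot obtain an OIDC token")
	}
	return findings, nil
}

// SamplePod is the pod from the YAML example above, transcribed into JSON (constructed input).
const SamplePod = `{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {"name": "test-rrsa"},
  "spec": {
    "serviceAccountName": "build-robot",
    "containers": [{"name": "test", "image": "alpine:3.14", "command": ["sh", "-c", "sleep inf"],
      "volumeMounts": [{"mountPath": "/var/run/secrets/tokens", "name": "oidc-token"}]}],
    "volumes": [{"name": "oidc-token", "projected": {"sources": [{"serviceAccountToken":
      {"path": "oidc-token", "expirationSeconds": 7200, "audience": "sts.aliyuncs.com"}}]}}]
  }
}`

func main() {
	doc := []byte(SamplePod)
	if len(os.Args) > 1 { // e.g. a file written by: kubectl get pod <name> -o json > pod.json
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Println(err)
			os.Exit(1)
		}
		doc = b
	}
	findings, err := CheckPod(doc)
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Println("finding:", f)
	}
	if len(findings) > 0 {
		os.Exit(1)
	}
	fmt.Println("pod satisfies the RRSA token requirements")
}
```

    The check reads the pod's spec rather than the live token because the audience and expiry are decided at deployment time; a wrong audience only shows up later as a trust-policy rejection from STS, which is harder to trace back to the manifest.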

Alibaba Cloud SDKs that support the OIDC token authentication of RRSA

Some Alibaba Cloud SDKs allow applications to call the APIs of specific cloud resources by using the OIDC tokens of RRSA. The following table describes the supported SDK versions.

Programming language   | Supported SDK version                                                     | Example
Go                     | Alibaba Cloud Credentials for Go 1.2.2 and later versions                 | Example for SDK for Go
Java                   | Alibaba Cloud Credentials for Java 0.2.8 and later versions               | Example for SDK for Java
Node.js and TypeScript | Alibaba Cloud Credentials for TypeScript/Node.js 2.2.1 and later versions | Examples for SDK for Node.js and SDK for TypeScript