Container Compute Service (ACS) uses two authorization layers: Resource Access Management (RAM) for cloud resource operations and role-based access control (RBAC) for Kubernetes resources inside clusters. A RAM user or RAM role needs permissions from both layers to manage clusters and workloads.
| Task | Authorization layer | Documentation |
|---|---|---|
| Create, view, or delete clusters | RAM | Grant permissions to a RAM user or RAM role |
| Grant a team member access to pods, Deployments, or Services | RAM + RBAC | Grant RBAC permissions to RAM users or RAM roles |
| Let different pods access different cloud services | RAM (RRSA) | Use RRSA to authorize pods to access cloud services |
| Set up an O&M engineer with cluster and application access | RAM + RBAC | Scenario 1: Grant O&M engineers the permissions to manage clusters and applications |
| Set up a developer with namespace-scoped access | RAM + RBAC | Scenario 2: Grant developers the permissions to manage your clusters and applications |
| Delegate permission management to an administrator | RAM + RBAC | Scenario 3: Grant authorization administrators the permissions to manage the permissions of RAM users and RAM roles |
How the two layers work together
ACS clusters are a type of Container Service for Kubernetes (ACK) Serverless cluster. All cluster management goes through the ACK API, so both cloud-level and cluster-level permissions must be in place.
| Layer | Scope | Controls | Granted through |
|---|---|---|---|
| RAM authorization | Cloud resources (control plane) | Cluster lifecycle, RBAC management, monitoring, logs, and events | RAM system policies or custom policies |
| RBAC authorization | Kubernetes resources (data plane) | Workloads, networking, storage, namespaces, ConfigMaps, and Secrets | Predefined or custom ClusterRoles in the ACS console |
Complete RAM authorization before granting RBAC permissions.
What RAM authorization covers
RAM authorization grants permissions for cluster O&M operations:
Create, view, and delete clusters
Manage RBAC authorization
Monitor clusters and manage logs and events
What RBAC authorization covers
RBAC authorization grants namespace-level or cluster-wide permissions on Kubernetes resources:
Workload resources: Deployment, StatefulSet, Job, CronJob, pod, ReplicaSet, and HorizontalPodAutoscaler (HPA)
Network resources: Service, Ingress, and NetworkPolicy
Storage resources: persistent volume (PV), persistent volume claim (PVC), and StorageClass
Other resources: Namespace, ConfigMap, and Secret
RAM authorization
By default, RAM users and RAM roles cannot call cloud service APIs. Attach RAM policies to grant the required access.
System policies
System policies grant broad, predefined permissions. They are best suited for O&M access across all clusters in an Alibaba Cloud account. For instructions, see Grant permissions to a RAM user or RAM role.
| System policy | What it grants | Scope note |
|---|---|---|
| AliyunCSFullAccess | Full access to all ACK API operations | Includes all ACK clusters, not just ACS clusters. Does not grant RBAC permissions on Kubernetes resources. |
| AliyunCSReadOnlyAccess | Read-only access to all ACK API operations | Includes all ACK clusters, not just ACS clusters. |
| AliyunACCFullAccess | Full access to all ACS API operations | ACS clusters only. |
| AliyunACCReadOnlyAccess | Read-only access to all ACS API operations | ACS clusters only. |
| AliyunVPCReadOnlyAccess | Read-only access to Virtual Private Cloud (VPC) | Required to select a VPC when creating an ACS cluster. |
| AliyunContainerRegistryFullAccess | Full access to container images in Container Registry (ACR) | Account-wide. |
| AliyunLogReadOnlyAccess | Read-only access to Simple Log Service (SLS) | Required to select a log project for audit logs or view configuration inspection results. |
| AliyunRAMFullAccess | Full access to RAM | Required to manage authorization for other RAM users and RAM roles. |
| AliyunEBSFullAccess | Full access to Elastic Block Storage (EBS) | Required to use disk storage features. |
| AliyunARMSReadOnlyAccess | Read-only access to Application Real-Time Monitoring Service (ARMS) | Required to view Managed Service for Prometheus monitoring data. |
| AliyunKMSReadOnlyAccess | Read-only access to Key Management Service (KMS) | Required to select encryption keys when creating an ACS cluster. |
AliyunCSFullAccess and AliyunCSReadOnlyAccess cover all ACK clusters, not just ACS clusters. Evaluate whether this scope is appropriate before attaching these policies.
Custom policies
Custom policies provide fine-grained control over specific API operations and resources. Use custom policies when RAM users or RAM roles develop applications with SDKs and need narrowly scoped permissions.
The following example grants read-only access to an Object Storage Service (OSS) bucket named myphotos:
{
"Version": "1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"oss:ListBuckets",
"oss:GetBucketStat",
"oss:GetBucketInfo",
"oss:GetBucketTagging",
"oss:GetBucketAcl"
],
"Resource": "acs:oss:*:*:*"
},
{
"Effect": "Allow",
"Action": [
"oss:ListObjects",
"oss:GetBucketAcl"
],
"Resource": "acs:oss:*:*:myphotos"
},
{
"Effect": "Allow",
"Action": [
"oss:GetObject",
"oss:GetObjectAcl"
],
"Resource": "acs:oss:*:*:myphotos/*"
}
]
}Pod-level access with RRSA
To grant individual pods access to specific cloud services, use RAM Roles for Service Accounts (RRSA). RRSA associates a RAM role with a Kubernetes ServiceAccount so that pods using that ServiceAccount can call designated cloud service APIs. For details, see Use RRSA to authorize different pods to access different cloud services.
RBAC authorization
After completing RAM authorization, grant RBAC permissions to control what a RAM user or RAM role can do with Kubernetes resources inside a cluster. Assign RBAC permissions from the authorization page in the ACS console.
Predefined roles
ACS provides the following predefined roles, plus a custom option. Each maps to a ClusterRole that defines its permissions. For setup instructions, see Grant RBAC permissions to RAM users or RAM roles.
| Role | Scope | Grants | Does not grant |
|---|---|---|---|
| Administrator | All namespaces | Read and write access to all resources | -- |
| O&M engineer | All namespaces | Read and write access to console-visible resources; read-only access to nodes, PVs, namespaces, and quotas | Write access to nodes, PVs, namespaces, and quotas |
| Developer | Specified or all namespaces | Read and write access to console-visible resources | Access outside the assigned namespace (when namespace-scoped) |
| Restricted user | Specified or all namespaces | Read-only access to console-visible resources | Write access to any resource |
| Custom role | Defined by ClusterRole | Determined by the selected ClusterRole | Permissions not included in the ClusterRole |
Before assigning a custom role, review the ClusterRole permissions to verify that only the required access is granted. For more information, see Customize an RBAC role.
Roles and ClusterRoles
Kubernetes RBAC uses two types of role resources:
Role -- a namespaced resource that defines permissions within a single namespace. Specify the target namespace when creating a Role.
ClusterRole -- a non-namespaced resource that defines cluster-wide permissions.
A ClusterRole can be used in three ways:
Grant permissions on namespaced resources within individual namespaces.
Grant permissions on namespaced resources across all namespaces.
Grant permissions on cluster-scoped resources.
Use a Role when permissions should be limited to one namespace. Use a ClusterRole when permissions span the entire cluster.
ACK allows only ClusterRoles to grant RBAC permissions. Roles cannot be used for RBAC authorization.
For instructions on creating a custom ClusterRole, see Customize an RBAC role. To attach a ClusterRole to a RAM user or RAM role, see Grant RBAC permissions to RAM users or RAM roles.