
Container Compute Service:Grant RBAC permissions to RAM users or RAM roles

Last Updated:Jan 08, 2025

Role-based access control (RBAC) regulates access to resources based on the roles of users. You can use RBAC to grant different roles different permissions on Kubernetes resources in order to enhance account security. This topic describes how to grant Resource Access Management (RAM) users or RAM roles RBAC permissions on an Alibaba Cloud Container Compute Service (ACS) cluster.

Overview

Default permissions

  • By default, only Alibaba Cloud accounts and cluster creators have administrator permissions on Kubernetes resources in ACS clusters.

  • By default, RAM users or RAM roles other than the cluster owners do not have the permissions to access Kubernetes resources in ACS clusters.

Authorization methods

  • Method 1: Assign the following predefined RBAC roles to a RAM user or RAM role: Administrator, O&M Engineer, Developer, Restricted User, and Custom. The Administrator role has the permissions to access all Kubernetes resources in clusters. For more information, see the Grant RBAC permissions to RAM users or RAM roles section of this topic.

  • Method 2: Assign a predefined role to a RAM user or RAM role to manage all clusters. After a predefined role is assigned to the RAM user or RAM role, you can also manage newly created clusters as the RAM user or RAM role. For more information, see the Grant RBAC permissions to RAM users or RAM roles section of this topic.

  • Method 3: Use a RAM user or RAM role to assign RBAC roles to other RAM users or RAM roles. When you use this authorization method, only the clusters and namespaces that the RAM user or RAM role is authorized to manage are displayed in the console. In addition, the RAM user or RAM role must be assigned the Administrator or cluster-admin role of the specified cluster or namespace. For more information, see Set a RAM user or RAM role as a permission administrator and Use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles.

Note

Before you grant permissions to a RAM user or RAM role, make sure that the RAM user or RAM role is granted read-only permissions on the specified cluster in the RAM console.

Authorization models

You can grant permissions to one or more RAM users or RAM roles at a time.

Note

To ensure data security, you cannot modify the RAM policies that are attached to your RAM users or RAM roles in the ACS console. You must read the instructions on the authorization page, log on to the RAM console, and then modify the RAM policies.

Grant RBAC permissions to RAM users or RAM roles

  1. Log on to the ACS console. In the left-side navigation pane, click Permission Management.

  2. On the Authorizations page, select the RAM user or RAM role that you want to authorize.

    Important

    ACS clusters are a type of ACK Serverless cluster. If you grant a RAM user or RAM role the permissions to manage all clusters in the ACK console, the RAM user or RAM role is authorized to manage ACS clusters and you cannot grant permissions on ACS clusters to the RAM user or RAM role in the ACS console.

    1. Grant permissions to RAM users

      Click the RAM Users tab, find the RAM user that you want to manage in the list, and then click Modify Permissions to open the Permission Management panel.

    2. Grant permissions to RAM roles

      Click the RAM Roles tab, specify RAM Role Name, and then click Modify Permissions to open the Permission Management panel.

  3. In the Permission Management panel, click +Add Permissions, configure the Clusters, Namespace, and Permission Management parameters for the RAM user or RAM role, and then click Submit.

    The following list describes the RBAC permissions on cluster resources that each predefined role grants:

    Administrator: Read and write permissions on resources in all namespaces.

    O&M Engineer: Read and write permissions on visible Kubernetes resources in the ACS console in all namespaces and read-only permissions on persistent volumes (PVs), namespaces, and quotas.

    Developer: Read and write permissions on visible resources in the ACS console in all or specified namespaces.

    Restricted User: Read-only permissions on visible resources in the ACS console in all or specified namespaces.

    Custom: The permissions of a custom role are determined by the cluster role that you select. Before you select a cluster role, check the permissions of the cluster role and make sure that you grant only the required permissions to the RAM user or RAM role. The following section describes how to view the permissions of a custom role.

    Important

    After a RAM user or RAM role is assigned the cluster-admin role, the RAM user or RAM role has the same permissions as the Alibaba Cloud account to which the RAM user or RAM role belongs. The RAM user or RAM role has full control over all resources within the cluster. Proceed with caution when you assign this role.

  4. After the authorization is complete, you can log on to the ACS console as the RAM user or RAM role to manage the specified cluster.

    Note
    • Make sure that the RAM user or RAM role is authorized to manage the cluster and the RBAC administrator or cluster-admin role is assigned. For more information, see Attach a RAM policy to a RAM user or RAM role.

    • ACS provides the following predefined roles: Administrator, O&M Engineer, Developer, and Restricted User. You can use these roles to regulate access to resources in most scenarios. You can also use custom roles to define permissions on clusters based on your business requirements.

    • You can assign one predefined role and multiple custom roles to a RAM user or RAM role to manage a cluster or namespace.

    • If you want to authorize a RAM user or RAM role to manage all clusters (including newly created clusters), select All Clusters in the Clusters column when you assign a predefined role to the RAM user or RAM role.

    How to view the permissions of a custom role

    1. Click Custom and then click View YAML to view the permissions of the custom role.

    2. Log on to a node and run the following command to view the RBAC roles in the cluster:

      kubectl get clusterrole

      Expected results:

      NAME                                                                   CREATED AT
      acs:view                                                               2024-12-31T06:18:06Z
      admin                                                                  2024-12-31T06:17:53Z
      alibaba-log-controller                                                 2024-12-31T06:25:03Z
      alicloud-csi-provisioner                                               2024-12-31T06:19:23Z
      aliyun-eci-pod-clusterrole                                             2024-12-31T06:18:52Z
      arms-aliyunserviceroleforarms-clusterrole                              2024-12-31T06:25:03Z
      cluster-admin                                                          2024-12-31T06:17:53Z
      ebs-token-controller                                                   2024-12-31T06:19:00Z
      edit                                                                   2024-12-31T06:17:53Z
      o11y:addon-controller:role                                             2024-12-31T06:24:32Z
      system:aggregate-to-admin                                              2024-12-31T06:17:53Z
      system:aggregate-to-edit                                               2024-12-31T06:17:53Z
      ...
      system:volume-scheduler                                                2024-12-31T06:17:53Z
      tenant-webhook-clusterrole                                             2024-12-31T06:19:45Z
      view                                                                   2024-12-31T06:17:53Z

    3. Run the following command to query the details of a role, such as the cluster-admin role:

      Important

      After a RAM user or RAM role is assigned the cluster-admin role, the RAM user or RAM role has the same permissions as the Alibaba Cloud account to which the RAM user or RAM role belongs. The RAM user or RAM role has full permissions on all resources in the cluster. Exercise caution if you want to assign the cluster-admin role to a RAM user or RAM role.

      kubectl get clusterrole cluster-admin -o yaml

      Expected results:

      apiVersion: rbac.authorization.k8s.io/v1
      kind: ClusterRole
      metadata:
        annotations:
          rbac.authorization.kubernetes.io/autoupdate: "true"
        creationTimestamp: "2024-12-31T06:17:53Z"
        labels:
          kubernetes.io/bootstrapping: rbac-defaults
        name: cluster-admin
        resourceVersion: "70"
        uid: 759xxxxx-5ad2-42ce-872d-fbce117xxxxx
      rules:
      - apiGroups:
        - '*'
        resources:
        - '*'
        verbs:
        - '*'
      - nonResourceURLs:
        - '*'
        verbs:
        - '*'
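The Custom role note above asks you to check a cluster role's rules before handing it out, and the cluster-admin YAML shows what an unrestricted role looks like. The following Python script is an added example, not part of this topic and not an ACS tool: it reads the JSON form of a ClusterRole (what `kubectl get clusterrole <name> -o json` returns) and reports wildcard rules, privilege-escalation verbs, and write access to credential- or RBAC-bearing resources. The cluster-admin sample mirrors the page's YAML; the `example-pod-reader` and `example-secret-editor` roles, the `SENSITIVE_RESOURCES` list, and the function names are constructed for illustration.

```python
import json

# Constructed sample: the cluster-admin ClusterRole shown on the page, in the JSON
# form `kubectl get clusterrole cluster-admin -o json` returns (metadata trimmed).
CLUSTER_ADMIN_JSON = """
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "cluster-admin"},
  "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"nonResourceURLs": ["*"], "verbs": ["*"]}
  ]
}
"""

# Constructed sample: a hypothetical read-only role (not an ACS built-in) that is
# a reasonable candidate for a Custom role with Restricted-User-like scope.
POD_READER_JSON = """
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-pod-reader"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}
  ]
}
"""

# Constructed sample: a hypothetical role with no wildcards that still deserves
# review because it can modify Secrets and RoleBindings.
SECRET_EDITOR_JSON = """
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "ClusterRole",
  "metadata": {"name": "example-secret-editor"},
  "rules": [
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "update"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"], "verbs": ["create"]}
  ]
}
"""

WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}
# Resources whose write access commonly leads to credential exposure or privilege
# escalation. This list is an assumption for the example; extend it to your needs.
SENSITIVE_RESOURCES = {
    "secrets", "roles", "rolebindings", "clusterroles", "clusterrolebindings",
    "serviceaccounts", "serviceaccounts/token", "pods/exec",
}
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}


def audit_clusterrole(doc: str) -> list[str]:
    """Return human-readable findings for one ClusterRole JSON document.

    An empty list means no wildcard, escalation or sensitive-write rule was found.
    It does not mean the role is minimal for the job at hand, so still read the rules.
    """
    role = json.loads(doc)
    name = role["metadata"]["name"]
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        urls = set(rule.get("nonResourceURLs", []))
        verbs = set(rule.get("verbs", []))
        where = f"{name} rule {i}"
        if "*" in verbs:
            findings.append(f"{where}: verbs include '*'")
        if "*" in groups or "*" in resources:
            findings.append(f"{where}: apiGroups/resources include '*'")
        if "*" in urls:
            findings.append(f"{where}: nonResourceURLs include '*'")
        if verbs & ESCALATION_VERBS:
            findings.append(f"{where}: escalation verbs {sorted(verbs & ESCALATION_VERBS)}")
        if (verbs & WRITE_VERBS) and (resources & SENSITIVE_RESOURCES):
            findings.append(f"{where}: write access to {sorted(resources & SENSITIVE_RESOURCES)}")
    return findings


def audit_many(docs: list[str]) -> dict[str, list[str]]:
    """Audit several roles and map each role name to its findings."""
    return {json.loads(d)["metadata"]["name"]: audit_clusterrole(d) for d in docs}


if __name__ == "__main__":
    for role_name, found in audit_many([CLUSTER_ADMIN_JSON, POD_READER_JSON, SECRET_EDITOR_JSON]).items():
        print(f"{role_name}: {'REVIEW' if found else 'ok'}")
        for line in found:
            print("  -", line)
```

Run it against real roles by piping `kubectl get clusterrole <name> -o json` into `audit_clusterrole`; cluster-admin produces four findings (both rules are fully wildcarded), the read-only role produces none, and the secret editor is flagged twice even though it contains no wildcard at all, which is the case a quick glance at the YAML tends to miss.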

Use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles

By default, you cannot use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles. If you want to use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles, you must first use the Alibaba Cloud account or a RAM user that is assigned the Administrator role of all clusters to grant the required permissions to the RAM user or RAM role.

RAM permissions

You must attach a RAM policy to the RAM user or RAM role. The RAM policy must provide the following permissions:

  • The permissions to view other RAM users that belong to the same Alibaba Cloud account.

  • The permissions to attach RAM policies to other RAM users or RAM roles.

  • The permissions to view information about ACK clusters.

  • The permissions to view permissions of RBAC roles.

  • The permissions to assign RBAC roles to other RAM users or RAM roles.

  1. Log on to the RAM console, create a RAM policy based on the following content, and then attach the RAM policy to the RAM user or RAM role. For more information, see Attach a RAM policy to a RAM user or RAM role.

    Important

    Replace xxxxxx with the name of the RAM policy you want to authorize the RAM user or RAM role to attach to other RAM users or RAM roles. If you replace xxxxxx with an asterisk (*), the RAM user or RAM role is authorized to attach all RAM policies to other RAM users or RAM roles. The asterisk (*) in the Resource field grants permissions to perform actions on all resources that belong to the UID. The ACK API (cs:*) includes operation permissions on all ACK clusters except ACS clusters. Exercise caution when you grant permissions.

    {
        "Statement": [{
                "Action": [
                    "ram:Get*",
                    "ram:List*",
                    "cs:DescribeClustersV1",
                    "cs:GrantPermission"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ram:AttachPolicyToUser",
                    "ram:AttachPolicy"
                ],
                "Effect": "Allow",
                "Resource":  [
                    "acs:ram:*:*:policy/xxxxxx",
                    "acs:*:*:*:user/*"
                ]
            }
        ],
        "Version": "1"
    }
  2. After the RAM policy is attached to the RAM user or RAM role, you can use the RAM user or RAM role to attach the specified RAM policies to other RAM users or RAM roles.
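The Important note before the policy explains that replacing xxxxxx with an asterisk lets the grantee attach any RAM policy in the account, and that the bare `*` in the first statement's Resource field is broad. The following Python script is an added example, not part of this topic and not an Alibaba Cloud tool: it renders the page's policy template the way the note instructs and lints the result, so a scoped policy name passes while the wildcard variant is reported. The policy name `example-rbac-grant-policy`, the severity labels, and the function names are constructed placeholders.

```python
import json

# The RAM policy from the page, verbatim, with the xxxxxx placeholder still in place.
POLICY_TEMPLATE = """
{
    "Statement": [{
            "Action": [
                "ram:Get*",
                "ram:List*",
                "cs:DescribeClustersV1",
                "cs:GrantPermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:AttachPolicyToUser",
                "ram:AttachPolicy"
            ],
            "Effect": "Allow",
            "Resource":  [
                "acs:ram:*:*:policy/xxxxxx",
                "acs:*:*:*:user/*"
            ]
        }
    ],
    "Version": "1"
}
"""

ATTACH_PREFIX = "ram:AttachPolicy"


def render_policy(policy_name: str) -> str:
    """Fill the xxxxxx placeholder exactly as the page instructs."""
    return POLICY_TEMPLATE.replace("xxxxxx", policy_name)


def _as_list(value):
    # RAM policies allow a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_ram_policy(doc: str) -> list[tuple[str, str]]:
    """Return (severity, message) pairs for every Allow statement worth a second look."""
    policy = json.loads(doc)
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # A service-wide action wildcard such as "cs:*" or "ram:*".
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(("high", f"statement {i}: wildcard action in {actions}"))
        if any(a.startswith(ATTACH_PREFIX) for a in actions):
            # The policy ARN decides which policies the grantee may hand out.
            for r in resources:
                if r == "*" or r.endswith(":policy/*"):
                    findings.append(("high", f"statement {i}: {r} lets the grantee attach any RAM policy"))
        elif "*" in resources:
            findings.append(("info", f"statement {i}: Resource '*' for {actions}"))
    return findings


def high_findings(doc: str) -> list[str]:
    """Only the findings that should block the grant."""
    return [msg for sev, msg in lint_ram_policy(doc) if sev == "high"]


if __name__ == "__main__":
    for name in ("example-rbac-grant-policy", "*"):
        print(f"policy/{name}:")
        for sev, msg in lint_ram_policy(render_policy(name)):
            print(f"  [{sev}] {msg}")
```

The first statement always yields an informational line because its Resource is `*`, which is the caution the page itself states; only the attach statement can produce a blocking finding, and only when the policy ARN ends in `policy/*`. The `user/*` resource is left alone here because the page's flow needs the grantee to reach every RAM user; narrow it in your own policy if the administrator only manages a subset.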

RBAC permissions

  1. After you attach the preceding RAM policy to the RAM user or RAM role, you must assign the Administrator or cluster-admin role to the RAM user or RAM role to allow the RAM user or RAM role to access the specified cluster or namespace. For more information, see Grant authorization administrators the permissions to manage the permissions of RAM users and RAM roles.

Set a RAM user or RAM role as a permission administrator

After you set a RAM user or RAM role as a permission administrator, you can use the RAM user or RAM role to grant permissions to other RAM users or RAM roles.

  1. Log on to the RAM console and find the RAM user or RAM role that you want to use.

    • RAM users

      In the left-side navigation pane of the RAM console, choose Identities > Users. Find the RAM user that you want to use and click Add Permissions in the Actions column.

    • RAM roles

      In the left-side navigation pane of the RAM console, choose Identities > Roles. Find the RAM role that you want to use and click Add Permissions in the Actions column.

  2. In the Add Permissions panel, set Authorized Scope, select System Policy, and then search for the AliyunRAMFullAccess and AliyunACCFullAccess policies. Click the name of each policy to move the policy to the Selected section on the right side of the page. Then, click OK. After the policies are attached, click Complete.

  3. Log on to the ACS console and assign the Administrator role to the RAM user or RAM role to allow the RAM user or RAM role to access all clusters. For more information, see Grant RBAC permissions to RAM users or RAM roles.

  4. After the preceding steps are complete, the RAM user or RAM role is set as a permission administrator. You can use the RAM user or RAM role to grant RAM permissions and RBAC permissions to other RAM users or RAM roles.

Error codes for insufficient permissions

If you do not have the required permissions when you use the ACS console or call the ACS API to perform an operation, the ACS console or API returns an error code that indicates the required permissions. The following table describes the error codes that indicate the required RBAC permissions on the cluster.

Each entry lists the error code or error message followed by the RBAC permission on the cluster that it requires:

ForbiddenCheckControlPlaneLog: Administrator or O&M engineer permissions.

ForbiddenHelmUsage: Administrator permissions.

ForbiddenRotateCert: Administrator permissions.

ForbiddenQueryClusterNamespace: Administrator, O&M engineer, developer, or restricted user permissions.
