Container Compute Service:Create a custom Kubernetes ClusterRole or Role

Last Updated: Mar 25, 2026

When predefined roles in Alibaba Cloud Container Compute Service (ACS) don't cover your access control requirements — for example, granting access to specific resources across selected namespaces, or restricting a custom resource to a narrow set of verbs — you can create a custom Role or ClusterRole.

Important

ACS supports binding only custom ClusterRoles to Role-Based Access Control (RBAC) permissions. Custom Roles cannot be bound to RBAC permissions.

Roles and ClusterRoles

A Role defines permissions scoped to a single namespace. A ClusterRole is cluster-scoped and has three uses:

  1. Grant permissions on namespaced resources within one or more specific namespaces.

  2. Grant permissions on namespaced resources across all namespaces.

  3. Grant permissions on cluster-scoped resources (such as nodes or persistent volumes).

If you need permissions within a namespace, use a Role. For cluster-wide permissions, use a ClusterRole.

Both Role and ClusterRole specify permissions through rules, which define:

Field       Description
apiGroups   The API group the resource belongs to. An empty string ("") indicates the core API group, which includes pods, services, and configmaps.
resources   The resource types, for example, pods or services.
verbs       The allowed operations, for example, get, list, or create.

YAML templates

Role

The following YAML creates a Role named test-role that grants full access to pods in the default namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-role
  namespace: default
rules:
- apiGroups:
  - ""          # "" indicates the core API group
  resources:
  - pods
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

ClusterRole

The following YAML creates a ClusterRole named test-clusterrole that grants full access to pods across all namespaces.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterrole
rules:
- apiGroups:
  - ""          # "" indicates the core API group
  resources:
  - pods
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

For more information, see Roles and ClusterRoles in the Kubernetes documentation.
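To make the scoping rules above concrete, the following is an added Python model (not ACS or Kubernetes code) of how RBAC evaluates rules and bindings: the two templates above plus a constructed read-only node ClusterRole are bound one way per ClusterRole use, and `check` plays the part of `kubectl auth can-i`. Subject names, the `team-a` namespace and the `node-reader` role are assumptions made for the example.

```python
# Added example (not ACS or Kubernetes code): a simplified model of how
# RBAC rules and bindings are evaluated, to show how the binding kind
# scopes a ClusterRole. Roles, bindings and subjects are constructed.
CORE = ""  # "" is the core API group (pods, services, configmaps, nodes)
POD_VERBS = ["create", "delete", "deletecollection", "get", "list",
             "patch", "update", "watch"]

def rule_allows(rule, api_group, resource, verb):
    """A rule matches when apiGroups, resources and verbs each contain the
    requested value (or the "*" wildcard)."""
    def match(allowed, value):
        return "*" in allowed or value in allowed
    return (match(rule["apiGroups"], api_group)
            and match(rule["resources"], resource)
            and match(rule["verbs"], verb))

def can_i(subject, verb, resource, api_group, namespace, roles, bindings):
    """namespace=None means a cluster-scoped resource such as nodes.
    A RoleBinding grants its role (even a ClusterRole) only inside the
    binding's namespace; a ClusterRoleBinding applies everywhere."""
    for b in bindings:
        if subject not in b["subjects"]:
            continue
        if b["kind"] == "RoleBinding" and b["namespace"] != namespace:
            continue  # other namespace, or a cluster-scoped request
        rules = roles[(b["roleRef"]["kind"], b["roleRef"]["name"])]
        if any(rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False

# Constructed roles: the page's two templates plus a read-only node role.
ROLES = {
    ("Role", "test-role"): [{"apiGroups": [CORE], "resources": ["pods"], "verbs": POD_VERBS}],
    ("ClusterRole", "test-clusterrole"): [{"apiGroups": [CORE], "resources": ["pods"], "verbs": POD_VERBS}],
    ("ClusterRole", "node-reader"): [{"apiGroups": [CORE], "resources": ["nodes"], "verbs": ["get", "list", "watch"]}],
}
BINDINGS = [  # constructed subjects; one binding per ClusterRole use
    {"kind": "RoleBinding", "namespace": "team-a", "subjects": ["alice"],      # use 1
     "roleRef": {"kind": "ClusterRole", "name": "test-clusterrole"}},
    {"kind": "ClusterRoleBinding", "namespace": None, "subjects": ["bob"],    # use 2
     "roleRef": {"kind": "ClusterRole", "name": "test-clusterrole"}},
    {"kind": "ClusterRoleBinding", "namespace": None, "subjects": ["carol"],  # use 3
     "roleRef": {"kind": "ClusterRole", "name": "node-reader"}},
    {"kind": "RoleBinding", "namespace": "default", "subjects": ["dave"],     # plain Role
     "roleRef": {"kind": "Role", "name": "test-role"}},
]

def check(subject, verb, resource, api_group=CORE, namespace=None):
    """Like `kubectl auth can-i` against the constructed roles and bindings."""
    return can_i(subject, verb, resource, api_group, namespace, ROLES, BINDINGS)
```

Note that `alice` holds the same ClusterRole as `bob`, but because hers comes through a RoleBinding it grants nothing outside `team-a` and nothing on cluster-scoped resources.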

Create a custom ClusterRole

The following steps create a custom ClusterRole for a Resource Access Management (RAM) user or RAM role using the ACS console. To create a custom Role instead, select the Role tab in step 3.

Prerequisites

Before you begin, ensure that you have:

  • An ACS cluster

  • The necessary permissions to manage RBAC resources in the cluster

Steps

  1. Log in to the ACS console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the cluster name. In the left-side navigation pane, choose Security > Role.

  3. On the Role page, click the Cluster Role tab, then click Create.

  4. In the Create YAML panel, enter the ClusterRole YAML and click OK. The YAML template in this example defines cluster-wide permissions. After the ClusterRole is created, it appears as test-clusterrole on the Cluster Role tab.

What's next

To grant RAM users or RAM roles access using the ClusterRole you created, see Grant RBAC permissions to RAM users or RAM roles.