This topic describes how to create a custom policy to grant a RAM user or RAM role permissions to query, expand, and delete Container Compute Service (ACS) clusters.
Prerequisites
You have a basic knowledge of policy elements, structure, and syntax before you create a custom policy. For more information, see Policy elements.
Background information
The system policies that are provided by Alibaba Cloud Container Compute Service (ACS) are coarse-grained and may fail to meet your business requirements. You can create custom policies to implement fine-grained management on ACS. For example, if you want to control the operation permissions on a specific cluster, you must create a custom policy to meet this requirement and achieve fine-grained management.
Before you use role-based access control (RBAC) to grant a RAM user or RAM role the permissions to manage a cluster, you must grant the RAM user or RAM role the permissions to manage the cluster in the RAM console. You can grant the RAM user or RAM role read and write permissions on the cluster based on your business requirements.
Read permissions: view basic information about a specific cluster, such as cluster configurations and the kubeconfig file.
Write permissions: manage a specific cluster, such as scaling and upgrading the cluster and removing nodes from the cluster.
Before you perform RBAC authorization for the RAM user or RAM role, make sure that the RAM user or RAM role has read-only permissions on the cluster that you want to manage.
{
  "Statement": [
    {
      "Action": [
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/Cluster ID"
      ]
    }
  ],
  "Version": "1"
}
After you grant the RAM user the required RAM permissions on the cluster, use RBAC to grant the RAM user the permissions to manage cluster resources.
Custom policies
The system policies provided by ACK are coarse-grained. If the system policies cannot meet your requirements, you can create custom policies to implement fine-grained access control for your ACK clusters. For example, if you want to control the operation permissions on a specified cluster, you must create a custom policy to meet this requirement for fine-grained management.
Step 1: Create a custom policy
Log on to the RAM console as a RAM administrator.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.

On the Create Policy page, click the JSON tab and enter the content of the policy.
{
  "Statement": [
    {
      "Action": [
        "cs:Get*",
        "cs:List*",
        "cs:Describe*",
        "cs:ScaleCluster",
        "cs:DeleteCluster"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/Cluster ID"
      ]
    }
  ],
  "Version": "1"
}
Parameter: Action
Description: The permissions that you want to grant. Wildcard characters are supported.
Parameter: Resource
Description: Replace Cluster ID with the actual ID of the cluster, such as cae93341766c843479ae986b3305xxxxx.
Grant permissions on one cluster:
"Resource": [ "acs:cs:*:*:cluster/Cluster ID" ]
Grant permissions on multiple clusters:
"Resource": [ "acs:cs:*:*:cluster/Cluster ID", "acs:cs:*:*:cluster/Cluster ID" ]
Grant permissions on all clusters:
"Resource": [ "*" ]
After you enter the content, click OK. In the dialog box that appears, enter the policy name and click OK to create the policy.
Return to the Policies page. You can enter the name or description of the policy in the search box to find the policy.
Step 2: Attach the custom policy to a RAM user or RAM role
You can attach a custom policy in the same way you attach a system policy. For more information, see Attach a system policy to a RAM user or RAM role.
References
Grant a RAM user or RAM role the permissions to call non-cluster-specific ACK API operations
If you want to grant a RAM user the permissions to call non-cluster-specific ACK API operations, such as DescribeEvents, do not specify cluster IDs in the Resource field of the policy content.
The following code block shows the current RAM policy:
{
  "Statement": [
    {
      "Action": [
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/Cluster ID"
      ]
    }
  ],
  "Version": "1"
}
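The Resource scoping rules from Step 1 (one cluster, several clusters, or all clusters) and the note above about leaving cluster IDs out of Resource for non-cluster-specific operations can be checked mechanically before a policy is pasted into the console. The following Python script is an added example, not code from Alibaba Cloud or this page: it builds a policy document in the page's format from an action list and a set of cluster IDs, and audits an existing document for an unreplaced "Cluster ID" placeholder, for wildcard actions granted on Resource "*", and for cs:DeleteCluster granted on all clusters. The set of actions it treats as destructive, and the check that a cluster ID contains only letters and digits, are assumptions made for the example.

```python
import json
import re

# Resource ARN form used by the page's policies: acs:cs:*:*:cluster/<cluster ID>
CLUSTER_ARN = "acs:cs:*:*:cluster/{cluster_id}"
CLUSTER_ARN_RE = re.compile(r"^acs:cs:\*:\*:cluster/([A-Za-z0-9]+)$")
PLACEHOLDER = "Cluster ID"  # literal placeholder the page's samples use

# Action sets taken from the page: read-only (Describe*) and the manage set from Step 1
READ_ONLY_ACTIONS = ["cs:Describe*"]
MANAGE_ACTIONS = ["cs:Get*", "cs:List*", "cs:Describe*", "cs:ScaleCluster", "cs:DeleteCluster"]
# Assumption for this example: actions flagged when granted on every cluster
DESTRUCTIVE_ACTIONS = {"cs:DeleteCluster"}


def build_cluster_policy(actions, cluster_ids):
    """Build a RAM policy document (dict) that allows `actions` on the given clusters.

    cluster_ids: list of cluster IDs, or None to emit Resource "*" (all clusters; the page
    says to omit cluster IDs this way for non-cluster-specific operations such as DescribeEvents).
    """
    if cluster_ids is None:
        resources = ["*"]
    else:
        if not cluster_ids:
            raise ValueError("at least one cluster ID is required")
        for cid in cluster_ids:
            # Assumption: IDs are alphanumeric, like cae93341766c843479ae986b3305xxxxx
            if not re.fullmatch(r"[A-Za-z0-9]+", cid):
                raise ValueError("value does not look like a cluster ID: %r" % cid)
        resources = [CLUSTER_ARN.format(cluster_id=cid) for cid in cluster_ids]
    return {
        "Statement": [{"Action": list(actions), "Effect": "Allow", "Resource": resources}],
        "Version": "1",
    }


def policy_json(policy):
    """Render the document in the indented form pasted into the console JSON tab."""
    return json.dumps(policy, indent=2)


def audit_policy(policy):
    """Return one finding dict per Allow statement: cluster scope plus warnings."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        clusters, warnings = [], []
        all_clusters = "*" in resources
        for res in resources:
            if res == "*":
                continue
            if PLACEHOLDER in res:
                # The sample text was pasted without substituting the real ID
                warnings.append("placeholder '%s' not replaced: %s" % (PLACEHOLDER, res))
                continue
            match = CLUSTER_ARN_RE.match(res)
            if match:
                clusters.append(match.group(1))
            else:
                warnings.append("unrecognised resource: %s" % res)
        wildcard_actions = [a for a in actions if a.endswith("*")]
        if all_clusters and wildcard_actions:
            warnings.append("wildcard actions granted on all clusters: %s" % ", ".join(wildcard_actions))
        if all_clusters and DESTRUCTIVE_ACTIONS.intersection(actions):
            warnings.append("destructive action granted on all clusters")
        findings.append({
            "statement": index,
            "clusters": clusters,
            "all_clusters": all_clusters,
            "warnings": warnings,
        })
    return findings


if __name__ == "__main__":
    # Constructed sample: the manage action set scoped to the page's example cluster ID
    policy = build_cluster_policy(MANAGE_ACTIONS, ["cae93341766c843479ae986b3305xxxxx"])
    print(policy_json(policy))
    for finding in audit_policy(policy):
        print(finding)
```

Run the audit on any policy document you are about to attach; a finding with a non-empty warnings list is a reason to narrow the Resource list or replace the placeholder before the policy is attached to a RAM user or RAM role.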