Microservices Engine (MSE) accesses Container Service for Kubernetes (ACK) cluster resources through a Kubernetes role-based access control (RBAC) ClusterRole. This ClusterRole is automatically created and bound to the MSE service-linked role, granting MSE only the minimum permissions required to operate within your cluster.
This topic describes how the two permission layers work together, what cluster resources MSE can access, and how to revoke that access.
How MSE accesses your ACK cluster
MSE relies on two permission layers to access Kubernetes resources in your ACK cluster:
| Layer | Scope | Mechanism |
|---|---|---|
| IAM | Alibaba Cloud account level | The service-linked role AliyunServiceRoleForMSE authorizes MSE to call ACK APIs on your behalf. |
| Kubernetes RBAC | Cluster level | The ClusterRole mse-aliyunserviceroleformse-clusterrole defines what Kubernetes resources MSE can read or modify inside the cluster. |
Both layers must be in place for MSE to function. Removing either one blocks MSE from accessing cluster resources.
When the RBAC ClusterRole is created
The ClusterRole is not pre-installed in your ACK cluster. MSE creates it automatically when both of the following conditions are met for the first time:
The service-linked role AliyunServiceRoleForMSE exists in your account.
MSE accesses the ACK cluster.
This ClusterRole grants only the minimum permissions that specific MSE features require. It does not affect any RBAC roles or bindings that you have configured.
Permission details
The following table summarizes the ClusterRole permissions, grouped by feature area.
| Feature area | Resources | Allowed operations | Purpose |
|---|---|---|---|
| Core resource discovery | pods, nodes, services, namespaces, endpoints, secrets, configmaps | get, list, watch | Read cluster state for service discovery and configuration sync. |
| Endpoint discovery | endpointslices | get, list, watch | Discover service endpoints through the Discovery API. |
| Ingress management | ingresses, ingressclasses | get, list, watch | Read ingress configurations for cloud-native gateway routing. |
| Ingress status | ingresses/status | all | Update ingress status to reflect gateway state. |
| Gateway API | All resources in gateway.networking.k8s.io and networking.x-k8s.io | all | Manage Gateway API resources for the cloud-native gateway. |
| Custom resource definitions | customresourcedefinitions | get, list, watch | Discover CRDs registered in the cluster. |
| Istio mesh | workloadentries, workloadentries/status | get, list, watch, create, update, patch, delete | Manage Istio WorkloadEntry resources for service mesh integration. |
| Service and namespace provisioning | services, namespaces | get, list, watch, create | Create services and namespaces required by MSE components. |
| Deployment provisioning | deployments | get, list, watch, create | Deploy MSE-managed workloads into the cluster. |
| MSE custom resources | mseingressconfigs, mseingressconfigs/status | get, list, watch | Read MSE-specific ingress configuration CRDs. |
| Event monitoring | events | get, list, watch | Monitor cluster events for diagnostics. |
Full ClusterRole YAML
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: mse-aliyunserviceroleformse-clusterrole
rules:
  # Core resource discovery
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["discovery.k8s.io"]
    resources: ["endpointslices"]
    verbs: ["get", "list", "watch"]
  # Ingress management
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "ingressclasses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses/status"]
    verbs: ["*"]
  # Gateway API
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["get", "watch", "list"]
  - apiGroups: ["networking.x-k8s.io", "gateway.networking.k8s.io"]
    resources: ["*"]
    verbs: ["*"]
  # Custom resource definitions
  - apiGroups: ["apiextensions.k8s.io"]
    resources: ["customresourcedefinitions"]
    verbs: ["get", "list", "watch"]
  # Istio mesh integration
  - apiGroups: ["networking.istio.io"]
    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
    resources: ["workloadentries"]
  - apiGroups: ["networking.istio.io"]
    verbs: ["get", "watch", "list", "update", "patch", "create", "delete"]
    resources: ["workloadentries/status"]
  # Service, namespace, and deployment provisioning
  - apiGroups: [""]
    resources: ["services", "namespaces"]
    verbs: ["get", "list", "watch", "create"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "watch", "create"]
  # MSE custom resources
  - apiGroups: ["mse.alibabacloud.com"]
    resources: ["mseingressconfigs", "mseingressconfigs/status"]
    verbs: ["get", "watch", "list"]
  # Event monitoring
  - apiGroups: ["events.k8s.io"]
    resources: ["events"]
    verbs: ["get", "watch", "list"]
```
Revoke MSE access to an ACK cluster
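As an added example (not MSE's or Alibaba Cloud's own code), the following Python audits these rules the way a cluster owner would before trusting an auto-created role: it computes the effective verbs per resource, lists what the role can write, and reports any verbs a live copy of the ClusterRole grants beyond this documented baseline. RULES is transcribed from the YAML above; WRITE_VERBS, effective_verbs, write_grants and drift are names this example introduces.

```python
from collections import defaultdict

# Added example, not MSE's own code: audit the auto-created ClusterRole the way a
# cluster owner would. RULES is transcribed from the YAML above; WRITE_VERBS and the
# helper names below are this example's own assumptions.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
RO = ["get", "list", "watch"]  # the read-only verb set most rules use
RULES = [
    {"apiGroups": [""], "verbs": RO, "resources": [
        "pods", "nodes", "services", "namespaces", "endpoints", "secrets", "configmaps"]},
    {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"], "verbs": RO},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses", "ingressclasses"], "verbs": RO},
    {"apiGroups": ["networking.k8s.io"], "resources": ["ingresses/status"], "verbs": ["*"]},
    {"apiGroups": ["networking.x-k8s.io", "gateway.networking.k8s.io"],
     "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": RO},
    {"apiGroups": ["networking.istio.io"], "resources": ["workloadentries", "workloadentries/status"],
     "verbs": RO + ["update", "patch", "create", "delete"]},
    {"apiGroups": [""], "resources": ["services", "namespaces"], "verbs": RO + ["create"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": RO + ["create"]},
    {"apiGroups": ["mse.alibabacloud.com"],
     "resources": ["mseingressconfigs", "mseingressconfigs/status"], "verbs": RO},
    {"apiGroups": ["events.k8s.io"], "resources": ["events"], "verbs": RO},
]

def effective_verbs(rules):
    """Union of verbs per (apiGroup, resource); RBAC rules only ever add."""
    grants = defaultdict(set)
    for rule in rules:
        for group in rule.get("apiGroups", []):
            for resource in rule.get("resources", []):
                grants[(group, resource)].update(rule.get("verbs", []))
    return dict(grants)

def write_grants(rules):
    """(apiGroup, resource) pairs the role can mutate; a wildcard counts as write."""
    return sorted(k for k, v in effective_verbs(rules).items() if v & WRITE_VERBS)

def drift(live_rules, baseline_rules=RULES):
    """Verbs a live ClusterRole grants beyond the documented baseline, so an edit
    that widens the auto-created role (e.g. write on secrets) is caught."""
    base, out = effective_verbs(baseline_rules), {}
    for (group, res), verbs in effective_verbs(live_rules).items():
        allowed = base.get((group, res), set()) | base.get((group, "*"), set())
        extra = set() if "*" in allowed else verbs - allowed
        if extra:
            out[(group, res)] = extra
    return out
```

To check the live role, pass drift() the rules field from `kubectl get clusterrole mse-aliyunserviceroleformse-clusterrole -o json`; an empty result means the cluster still matches the documented minimum.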
To stop MSE from accessing a specific ACK cluster, use one of the following methods.
Method 1: Clear the RBAC ClusterRole permissions
Edit the ClusterRole in the ACK console to remove all permission rules. This blocks MSE from accessing resources in that specific cluster while keeping the service-linked role intact for other clusters.
Log on to the ACK console with your Alibaba Cloud account.
In the left-side navigation pane, click Clusters.
On the Clusters page, click the name of the target cluster.
In the left-side navigation pane, choose Security > Role.
Click the Cluster Role tab, enter mse-aliyunserviceroleformse-clusterrole in the search box, and click the search icon.
In the Actions column, click Edit YAML.
In the YAML editor, add the inner.service.alibabacloud.com/user-customized: true annotation and clear the rules field:
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    # Annotation values must be strings: quote "true" so the API server does
    # not reject it as a YAML boolean.
    inner.service.alibabacloud.com/user-customized: "true"
  name: mse-aliyunserviceroleformse-clusterrole
rules: []
```
Note: The inner.service.alibabacloud.com/user-customized: true annotation prevents MSE from automatically restoring the default permissions.
Method 2: Delete the MSE service-linked role
Delete the AliyunServiceRoleForMSE service-linked role to revoke MSE access to all ACK clusters in your account. This also disables all MSE features that depend on the role.
For instructions, see MSE service-linked role.