Operating on Kubernetes resources in an ACK cluster relies on a dual-authorization model: Resource Access Management (RAM) and Kubernetes Role-Based Access Control (RBAC). The Alibaba Cloud account holds both permissions by default, whereas RAM users and RAM roles need both granted explicitly to access cluster resources.
How it works
The ACK authorization system consists of two layers, Alibaba Cloud RAM and Kubernetes RBAC, which form a complete authorization chain from cloud resources to in-cluster resources.
RAM: Determines who can access the cluster. It operates at the cloud resource level, controlling a principal's permissions for API operations on ACK clusters and their dependent cloud services.
RBAC: Determines what a principal can do within the cluster. It provides fine-grained authorization, defining which operations (such as create or delete) a principal can perform on specific Kubernetes resources (such as Pods and Deployments).
Kubernetes RBAC mechanism
A
ClusterRoledefines a set of permissions that apply across the entire cluster. AClusterRoleBindingbinds it to a principal, making the permissions effective cluster-wide.A
Roledefines a set of permissions scoped to a single namespace. ARoleBindingbinds it to a principal, making the permissions effective only within that namespace.
Scenario 1: Authorize with an Alibaba Cloud account
Log on to the ACK console. In the left navigation pane, click Authorizations.
On the Authorizations page, configure permissions.
To grant permissions to a RAM user: Click the RAM Users tab, find the target RAM user, and click Modify Permissions in the Actions column to go to the Permissions page.
To grant permissions to a RAM role: Click the RAM Role tab, find the target RAM role, and click Modify Permissions to go to the Permission Management page.
Click + Add Permissions. Follow the on-screen instructions to add a permission for the target RAM user or RAM role at the cluster or namespace level, and then select a predefined role. Choose the role based on the user's responsibilities. For permission details of each predefined role, see Appendix: Predefined roles.
Scenario 2: Authorize with a RAM user or role
By default, a RAM user or RAM role cannot grant RBAC permissions to other principals. To simplify permission management, designate a RAM user or RAM role as a permissions administrator. The administrator can then grant RBAC permissions to other principals.
Step 1: Set a RAM user or role as administrator
1. Grant RAM permissions for authorization
Method 1: Use system policies
The system policies AliyunRAMReadOnlyAccess and AliyunCSFullAccess grant broad permissions. For more granular control, see Method 2: Grant fine-grained permissions by using a custom policy.
Log on to the RAM console with your Alibaba Cloud account and find the target RAM user or RAM role.
For a RAM user: Choose . In the user list, find the target user and click Add Permissions in the Actions column.
For a RAM role: Choose . In the role list, find the target role and click Add Permissions in the Actions column.
Set Resource Scope to Account. In the Policies section, find and select the system policies AliyunRAMReadOnlyAccess and AliyunCSFullAccess. Follow the prompts to complete the authorization.
Method 2: Use a custom policy
A permissions administrator needs permissions to:
View information about other RAM principals.
View cluster lists and details.
View existing RBAC configurations for a cluster.
Perform RBAC authorization operations in a cluster.
Log on to the RAM console and grant the required RAM permissions to the target RAM user or RAM role by using the following sample policy. For details, see Grant permissions by using a custom policy.
{
"Statement": [{
"Action": [
"ram:Get*",
"ram:List*",
"cs:Get*",
"cs:Describe*",
"cs:List*",
"cs:GrantPermission"
],
"Resource": "*",
"Effect": "Allow"
}
],
"Version": "1"
}2. Grant the Administrator RBAC role
Log on to the ACK console with your Alibaba Cloud account and grant the Administrator predefined role to the target RAM user or RAM role at the cluster level.
Log on to the ACK console. In the left navigation pane, click Authorizations.
On the Authorizations page, configure permissions.
To grant permissions to a RAM user: Click the RAM Users tab, find the target RAM user, and click Modify Permissions in the Actions column to go to the Permissions page.
To grant permissions to a RAM role: Click the RAM Role tab, find the target RAM role, and click Modify Permissions to go to the Permission Management page.
Click + Add Permissions, follow the prompts to add a permission at the cluster or namespace level, and select Administrator as the predefined role.
Granting permissions at the All Clusters scope automatically extends the permissions administrator's access to any new clusters, eliminating the need for repeated authorization.
Step 2: Grant RBAC permissions to others
Once authorized, the permissions administrator can grant RBAC permissions to other RAM users or RAM roles on the Authorizations page by following the procedure in Scenario 1. After authorization, the target RAM users or roles can operate Kubernetes resources within their permission scope.
Best practices for production environments
To enhance the security and maintainability of permission management, follow these best practices.
Adhere to the principle of least privilege
Grant principals, such as RAM users and roles, only the minimum set of permissions required to perform their tasks. Avoid indiscriminately granting high-privilege roles, such as Administrator.
Implement fine-grained authorization
Use layered authorization: Differentiate responsibilities between RAM for cloud resource access and RBAC for in-cluster resource access.
Constrain scope: Whenever possible, use a
RoleBindingto limit permissions to a specific namespace instead of a cluster-wideClusterRoleBinding.Choose roles precisely: Use the predefined roles provided by ACK. If you need to create custom roles, define permission rules precisely and avoid using wildcards (
*).
Practice continuous governance
Permission management is a dynamic process. Establish a regular audit mechanism to promptly revoke redundant or excessive permissions. Record and monitor the operations of high-privilege roles, such as permissions administrators.
Appendix: Predefined roles
To simplify permission management and meet common use cases, ACK provides several standardized predefined roles based on the RBAC mechanism.
Preset role | In-cluster RBAC permissions |
Administrator | Full read/write access to all Kubernetes resources across all namespaces, including cluster nodes, PVs, namespaces, and resource quotas. |
Read-only Administrator | Read-only access to all Kubernetes resources across all namespaces, including cluster nodes, PVs, namespaces, and resource quotas. |
O&M Engineer | Read/write access to console-exposed resources across all namespaces. Includes read/update access to cluster nodes, PVs, and namespaces, and read-only access to all other resources. |
Developer | Read/write access to console-exposed resources in all or specified namespaces of the cluster. |
Restricted User | Read-only access to console-exposed resources in all or specified namespaces of the cluster. |
Custom | Permissions depend on the specified ClusterRole. To prevent identities from gaining unintended access, verify the permissions of the ClusterRole before assigning it. For more information, see Restrict resource operations with custom RBAC. Important Any RAM user or RAM role with the |
FAQ
Handling permission errors
If an operation performed through the console or an API lacks the necessary RBAC permissions, a permission error is returned. Refer to the following table for solutions:
Error code or message | Description | Solution |
| Not authorized to view control plane logs. | Grant the user the Administrator or O&M Engineer role. |
| Not authorized to perform Helm operations. | Grant the user the Administrator role. |
| Not authorized to perform certificate rotation. | Grant the user the Administrator role. |
| Not authorized to add a node. | Grant the user the Administrator or O&M Engineer role. |
| Not authorized to modify the cluster's encryption at rest status. | Grant the user the Administrator or O&M Engineer role. |
| Not authorized to retrieve application trigger information. | Grant the user the Administrator, O&M Engineer, or Developer role. |
| Not authorized to query cluster namespaces. | Grant the user the Administrator, O&M Engineer, Developer, or Restricted User role. |
Creating custom permissions
Create a custom Role or ClusterRole by writing a YAML manifest. For example, create a ClusterRole that only allows viewing Pods, then select this custom role when granting permissions. For details, see Use custom RBAC to restrict operations on in-cluster resources.
Kubernetes RBAC policies are additive and only support Allow rules. There is no explicit Deny rule.
Related topics
If the predefined roles do not meet your needs, and you require custom RBAC permissions to access in-cluster resources, see Use custom RBAC to restrict operations on in-cluster resources.
For complete authorization workflows (including both RAM and RBAC authorization) for different operational roles, see the following topics:
For information about the service roles used by ACK, see ACK service roles.
If you encounter issues during authorization, see Authorization management FAQ.