
Container Service for Kubernetes: Use RBAC to manage the operation permissions on resources in a cluster

Last Updated: Dec 12, 2024

Role-based access control (RBAC) regulates access to resources based on the roles of users. You can use Roles and ClusterRoles to specify resource objects that can be managed. You can use RoleBinding and ClusterRoleBinding to bind roles to specific users. This way, different users can have different permissions on Kubernetes resources. After you grant Resource Access Management (RAM) permissions to a RAM user or RAM role, you must also grant RBAC permissions to the RAM user or RAM role before you can perform operations on Kubernetes resources in the cluster, such as creating Deployments and Services.

How RBAC works

Kubernetes RBAC provides the following resource objects that you can use to bind RBAC roles to a RAM user or RAM role. Kubernetes RBAC supports only allow permissions: there are no deny rules, so a request is permitted if any rule bound to the requester matches it and is rejected otherwise. For more information about how to configure ClusterRoles and Roles, see Use custom RBAC roles to limit the permissions of RAM users or RAM roles.

  • Role: A Role defines permissions within a particular namespace.

  • RoleBinding: A RoleBinding is used to bind a Role to a user.

  • ClusterRole: A ClusterRole defines cluster-wide permissions.

  • ClusterRoleBinding: A ClusterRoleBinding is used to bind a ClusterRole to a user.
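As an added example (not code from this page or from ACK), the following Python model shows how these four objects combine when a request is evaluated: a Role applies only inside its namespace, a RoleBinding can scope either a Role or a ClusterRole to one namespace, a ClusterRoleBinding applies everywhere, a subject bound to several roles gets the union of their rules, and because there are only allow rules a request that matches no rule is simply denied. The roles, the bindings, and the subject name ram-user-alice are constructed for the example.

```python
"""Model of how Kubernetes RBAC evaluates a request (added example, not ACK code).

Roles are namespaced, ClusterRoles are cluster-wide; a RoleBinding scopes a Role
or a ClusterRole to one namespace, a ClusterRoleBinding applies everywhere.
There are no deny rules: a request is allowed if any bound rule matches, and a
subject bound to several roles gets the union of their rules.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]

    def matches(self, api_group: str, resource: str, verb: str) -> bool:
        # "*" in a field means "any"; otherwise the value must be listed.
        def hit(allowed: Tuple[str, ...], value: str) -> bool:
            return "*" in allowed or value in allowed
        return (hit(self.api_groups, api_group)
                and hit(self.resources, resource)
                and hit(self.verbs, verb))


@dataclass(frozen=True)
class Binding:
    subject: str
    role_kind: str            # "Role" or "ClusterRole"
    role_name: str
    namespace: Optional[str]  # RoleBinding namespace; None for a ClusterRoleBinding


# Constructed sample roles, keyed by (kind, namespace or None, name).
ROLES: Dict[Tuple[str, Optional[str], str], List[Rule]] = {
    ("Role", "dev", "pod-reader"): [Rule(("",), ("pods",), ("get", "list"))],
    ("ClusterRole", None, "deploy-editor"): [Rule(("apps",), ("deployments",), ("*",))],
    ("ClusterRole", None, "node-viewer"): [Rule(("",), ("nodes",), ("get", "list"))],
}

# Constructed bindings for one subject (the name is a placeholder, not a real RAM user).
BINDINGS: List[Binding] = [
    Binding("ram-user-alice", "Role", "pod-reader", "dev"),                # RoleBinding in dev
    Binding("ram-user-alice", "ClusterRole", "deploy-editor", "staging"),  # RoleBinding to a ClusterRole
    Binding("ram-user-alice", "ClusterRole", "node-viewer", None),         # ClusterRoleBinding
]


def rules_in_effect(subject: str, namespace: Optional[str]) -> List[Rule]:
    """Union of the rules that apply to subject for a request in namespace
    (None means a cluster-scoped request, for example on nodes)."""
    rules: List[Rule] = []
    for b in BINDINGS:
        if b.subject != subject:
            continue
        # A RoleBinding counts only in its own namespace; a ClusterRoleBinding always counts.
        if b.namespace is not None and b.namespace != namespace:
            continue
        key = (b.role_kind, b.namespace if b.role_kind == "Role" else None, b.role_name)
        rules.extend(ROLES.get(key, []))  # a binding to a missing role grants nothing
    return rules


def can(subject: str, verb: str, resource: str, api_group: str = "",
        namespace: Optional[str] = None) -> bool:
    """Allow if any applicable rule matches; there is no deny rule to consult."""
    return any(r.matches(api_group, resource, verb)
               for r in rules_in_effect(subject, namespace))


if __name__ == "__main__":
    checks = [
        ("get", "pods", "", "dev"),                    # Role via RoleBinding in dev
        ("get", "pods", "", "staging"),                # that RoleBinding does not reach staging
        ("delete", "deployments", "apps", "staging"),  # ClusterRole, but scoped to staging
        ("delete", "deployments", "apps", "dev"),      # nothing in dev grants it
        ("list", "nodes", "", None),                   # ClusterRoleBinding, cluster-scoped resource
        ("delete", "nodes", "", None),                 # node-viewer is read-only
    ]
    for verb, resource, group, ns in checks:
        ok = can("ram-user-alice", verb, resource, group, ns)
        print(f"{verb:7}{(group + '/') if group else ''}{resource:13} namespace={ns}: {ok}")
```

The point to notice when running it is the deploy-editor ClusterRole: it grants deployment access in staging only, because it was attached through a RoleBinding rather than a ClusterRoleBinding. The same object attached through a ClusterRoleBinding would grant the access in every namespace.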


Prerequisites

The RAM user or RAM role must be granted read-only RAM permissions on the specified cluster. The following sample RAM policy grants these permissions; replace <yourclusterID> with the ID of the cluster. For more information, see Attach custom policies.

{
  "Statement": [
    {
      "Action": [
        "cs:Get*",
        "cs:List*",
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/<yourclusterID>" 
      ]
    }
  ],
  "Version": "1"
}

Usage notes for authorization

An Alibaba Cloud account can perform all operations on all clusters. A RAM user or RAM role can perform all operations on the clusters it creates. A RAM user or RAM role that is not the creator of a cluster requires additional RAM and RBAC permissions to manage clusters.

Procedure

ACK provides the following predefined RBAC roles: Administrator, O&M Engineer, Developer, and Restricted User. You can use these roles to regulate access to the ACK console in most scenarios. For more information about how to configure custom RBAC roles for RAM users or RAM roles, see Use custom RBAC to restrict resource operations within the cluster.

Only the following types of accounts can grant RBAC permissions to other RAM users or RAM roles:

  • An Alibaba Cloud account.

  • A RAM user or a RAM role that has administrator permissions.

Grant RBAC permissions by using an Alibaba Cloud account

  1. Log on to the ACK console. In the left-side navigation pane, click Authorizations.

  2. On the Authorizations page, grant permissions.

    • Grant permissions to a RAM user

      Click the RAM Users tab, find the RAM user that you want to manage in the list, and then click Modify Permissions to open the Permission Management panel. You can also select multiple RAM users to grant permissions.

    • Grant permissions to a RAM role

      Click the RAM Roles tab, specify RAM Role Name, and then click Modify Permissions to open the Permission Management panel.

      Note

      You can enter a RAM role name manually or select one from the drop-down list: click the blank box next to the RAM Role Name field to display the list of existing RAM roles, and then select the RAM role that you want to grant permissions to.

  3. Click Add Permissions, configure the Clusters, Namespace, and Permission Management parameters for the RAM user or RAM role, and then click Submit.

    Note

    • You can assign one predefined role and multiple custom roles of a cluster or namespace to a RAM user or RAM role. In this case, the granted permissions are the union of the permissions provided by multiple roles.

    • If you need to authorize a RAM user or RAM role to manage all clusters (including newly created clusters), select All Clusters in the Clusters column when you assign a predefined role to the RAM user or RAM role.

    | Predefined role | RBAC permission on cluster resources |
    | --- | --- |
    | Administrator | Read and write permissions on resources in all namespaces. Read and write permissions on nodes, volumes, namespaces, and quotas. |
    | O&M Engineer | Read and write permissions on visible Kubernetes resources in the console in all namespaces and read-only permissions on nodes, persistent volumes (PVs), namespaces, and quotas. |
    | Developer | RBAC read and write permissions on visible Kubernetes resources in the console in all namespaces or the specified namespaces. |
    | Restricted User | Read-only RBAC permissions on visible Kubernetes resources in the console in all namespaces or the specified namespaces. |
    | Custom | The permissions of a custom role are determined by the cluster role that you select. Before you select a cluster role, check the permissions of the cluster role and make sure that you grant only the required permissions to the RAM user or RAM role. For more information about how to configure custom RBAC roles for RAM users or RAM roles, see Use custom RBAC to restrict resource operations within the cluster. |

    Important

    After a RAM user or RAM role is assigned the cluster-admin role, the RAM user or RAM role has the same permissions as the Alibaba Cloud account to which the RAM user or RAM role belongs. The RAM user or RAM role has full control over all resources within the cluster. Exercise caution if you want to assign the cluster-admin role to a RAM user or RAM role.

Grant RBAC permissions by using a RAM user or RAM role

An Alibaba Cloud account has full management permissions on the resources within the account. You can also grant the following RAM and RBAC permissions to a new or existing RAM user or RAM role. Then, the RAM user or RAM role is set as a permission administrator, and you can use the RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles.

Step 1: Specify a RAM user or RAM role as a permission administrator

1. Grant RAM authorization permissions

Grant permissions by using system policies

  1. Log on to the RAM console by using the Alibaba Cloud account and find the RAM user or RAM role that you want to set as a permission administrator.

    • RAM user

      In the left-side navigation pane of the RAM console, choose Identities > Users. Find the RAM user that you want to use and click Add Permissions in the Actions column.

    • RAM role

      In the left-side navigation pane of the RAM console, choose Identities > Roles. Find the RAM role that you want to use and click Add Permissions in the Actions column.

  2. On the Grant Permissions panel, select Account for Resource Scope. In the Policy field, select System Policy from the drop-down list, and then find and select the AliyunRAMFullAccess and AliyunCSFullAccess policies. Click Grant permissions and close the panel.

    Important

    The AliyunRAMFullAccess policy is a high-risk permission. Exercise caution when you grant permissions. For more information about fine-grained authorization, see Use custom policies to grant permissions in a fine-grained manner.

Use custom policies to grant permissions in a fine-grained manner

By default, you cannot use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles. You must grant the following permissions to the RAM user or RAM role:

  • The permissions to view other RAM users that belong to the same Alibaba Cloud account.

  • The permissions to attach RAM policies to other RAM users.

  • The permissions to view information about ACK clusters.

  • The permissions to view permissions of RBAC roles.

  • The permissions to assign RBAC roles to other RAM users.

Log on to the RAM console and use the following sample policy to grant the required permissions to the RAM user or RAM role. For more information, see Attach custom policies.

Note

Replace xxxxxx with the name of the RAM policy that the RAM user or RAM role is allowed to attach to other RAM users. If you replace xxxxxx with an asterisk (*), the RAM user or RAM role is authorized to attach all RAM policies to other RAM users or RAM roles.

{
    "Statement": [
        {
            "Action": [
                "ram:Get*",
                "ram:List*",
                "cs:Get*",
                "cs:Describe*",
                "cs:List*",
                "cs:GrantPermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:AttachPolicyToUser",
                "ram:AttachPolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:ram:*:*:policy/xxxxxx",
                "acs:*:*:*:user/*"
            ]
        }
    ],
    "Version": "1"
}
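To see what the two statements above actually permit, here is an added Python evaluator (not Alibaba Cloud code) that applies RAM-style wildcard matching to a policy document, checks whether a given action on a given resource ARN is allowed (an explicit Deny overrides any Allow, although neither policy on this page uses Deny), and reports the policy-name scope of the ram:AttachPolicyToUser grant, so the difference between a fixed policy name and an asterisk in place of xxxxxx is visible. It also covers the read-only prerequisite policy from the Prerequisites section. The cluster ID c-example-0000, the account ID 1234567890 and the policy name ExampleAttachablePolicy are constructed placeholders; cs:DescribeClusterDetail and cs:DescribeClusters stand in as representative ACK actions.

```python
"""Evaluate RAM policy documents of the shape shown on this page (added example,
not Alibaba Cloud code). Wildcard matching follows the RAM convention that '*'
stands for any run of characters; all sample IDs and names are constructed."""
import copy
import json
import re
from typing import Any, Dict, List


def _wild(pattern: str, value: str) -> bool:
    """RAM-style wildcard match: '*' matches anything, the rest is literal
    (case-sensitive in this model)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def _as_list(value: Any) -> List[str]:
    # "Action" and "Resource" may be a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def is_allowed(policy: Dict[str, Any], action: str, resource: str) -> bool:
    """True if an Allow statement covers (action, resource) and no Deny does."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_wild(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed


def attach_scope(policy: Dict[str, Any]) -> List[str]:
    """Policy-resource patterns on which ram:AttachPolicyToUser is allowed."""
    patterns: List[str] = []
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if any(_wild(a, "ram:AttachPolicyToUser") for a in _as_list(stmt["Action"])):
            patterns.extend(r for r in _as_list(stmt["Resource"])
                            if r == "*" or ":policy/" in r)
    return patterns


def attach_scope_uses_wildcard(policy: Dict[str, Any]) -> bool:
    """True when the grantee may attach policies whose name is not pinned,
    i.e. the policy-name segment contains '*' or the resource is a bare '*'."""
    return any(r == "*" or "*" in r.rsplit("/", 1)[-1] for r in attach_scope(policy))


# The read-only prerequisite policy, with a constructed cluster ID for <yourclusterID>.
CLUSTER_READ_ONLY = json.loads("""
{
  "Statement": [{
    "Action": ["cs:Get*", "cs:List*", "cs:Describe*"],
    "Effect": "Allow",
    "Resource": ["acs:cs:*:*:cluster/c-example-0000"]
  }],
  "Version": "1"
}""")

# The permission-administrator policy, with xxxxxx replaced by a constructed policy name.
PERMISSION_ADMIN = json.loads("""
{
  "Statement": [
    {"Action": ["ram:Get*", "ram:List*", "cs:Get*", "cs:Describe*", "cs:List*", "cs:GrantPermission"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ram:AttachPolicyToUser", "ram:AttachPolicy"],
     "Effect": "Allow",
     "Resource": ["acs:ram:*:*:policy/ExampleAttachablePolicy", "acs:*:*:*:user/*"]}
  ],
  "Version": "1"
}""")

# The same policy with the name replaced by "*", as the note above describes.
PERMISSION_ADMIN_ANY_POLICY = copy.deepcopy(PERMISSION_ADMIN)
PERMISSION_ADMIN_ANY_POLICY["Statement"][1]["Resource"][0] = "acs:ram:*:*:policy/*"

CLUSTER = "acs:cs:cn-hangzhou:1234567890:cluster/c-example-0000"  # constructed ARN
OTHER_POLICY = "acs:ram::1234567890:policy/SomeOtherPolicy"        # constructed ARN

if __name__ == "__main__":
    print("read-only policy, describe own cluster:",
          is_allowed(CLUSTER_READ_ONLY, "cs:DescribeClusterDetail", CLUSTER))
    print("read-only policy, cs:GrantPermission:",
          is_allowed(CLUSTER_READ_ONLY, "cs:GrantPermission", CLUSTER))
    print("admin policy, attach an unlisted policy:",
          is_allowed(PERMISSION_ADMIN, "ram:AttachPolicyToUser", OTHER_POLICY))
    print("admin policy with '*', attach an unlisted policy:",
          is_allowed(PERMISSION_ADMIN_ANY_POLICY, "ram:AttachPolicyToUser", OTHER_POLICY))
    print("attach scope pinned to a name:", not attach_scope_uses_wildcard(PERMISSION_ADMIN))
```

The second statement is what makes this role a delegation point: the first resource pins which policy can be attached, the second (acs:*:*:*:user/*) says to whom. Pinning the name keeps a permission administrator from attaching AliyunRAMFullAccess or any other policy you did not list; replacing it with an asterisk removes that limit, which attach_scope_uses_wildcard reports.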

2. Grant RBAC administrator permissions

Log on to the ACK console with your Alibaba Cloud account. Then, assign the Administrator role of all clusters to the RAM user or RAM role. For more information, see Grant RBAC permissions by using an Alibaba Cloud account.

After the preceding RAM and RBAC permissions are granted, the RAM user or RAM role is set as a permission administrator. You can use the RAM user or RAM role to grant RAM and RBAC permissions to other RAM users or RAM roles.

Note

If a RAM user or RAM role is granted administrator permissions, the RAM user or RAM role can grant other RAM users or RAM roles all cluster-wide permissions. New clusters are automatically bound to existing ClusterRoles.

Step 2: Grant RBAC permissions to other RAM users or RAM roles

If a RAM user or RAM role is granted administrator permissions, you can log on to the RAM console to grant RBAC permissions to other RAM users or RAM roles. The operations are the same as those for granting RBAC permissions by using an Alibaba Cloud account. For more information, see Grant RBAC permissions by using an Alibaba Cloud account.

Error codes for insufficient permissions

If you do not have the required permissions when you use the ACK console or call the ACK API to perform an operation, the console or API returns an error code that indicates the required permissions. The following table describes the error codes that indicate the required RBAC permissions on the cluster.

| Error code or error message | Solution |
| --- | --- |
| ForbiddenCheckControlPlaneLog | Grant the administrator or O&M engineer permissions to the user. |
| ForbiddenHelmUsage | Grant the administrator permissions to the user. |
| ForbiddenRotateCert | Grant the administrator permissions to the user. |
| ForbiddenAttachInstance | Grant the administrator or O&M engineer permissions to the user. |
| ForbiddenUpdateKMSState | Grant the administrator or O&M engineer permissions to the user. |
| Forbidden get trigger | Grant the administrator, O&M engineer, or developer permissions to the user. |
| ForbiddenQueryClusterNamespace | Grant the administrator, O&M engineer, developer, or restricted user permissions to the user. |
