Container Service for Kubernetes:Use RAM to authorize access to clusters and cloud resources

Last Updated:Nov 05, 2024

By default, Resource Access Management (RAM) users and RAM roles do not have permissions to call Alibaba Cloud service APIs. You must authorize RAM users and RAM roles to use the APIs of Container Service for Kubernetes (ACK). This topic describes the process of assigning permissions to RAM users and RAM roles for accessing clusters and cloud resources.

Attach system policies

You can use this method to grant RAM users and RAM roles read and write permissions for all clusters in your Alibaba Cloud account. For RAM users or RAM roles that require O&M permissions on all ACK clusters in your Alibaba Cloud account, we recommend that you use system policies for quick authorization. The following table describes the system policies commonly used in ACK.

Important

Full-level permissions in system policies are considered highly risky. We recommend that you grant them cautiously to avoid potential security issues.

Commonly used system policies for ACK:

  • AliyunCSFullAccess: This policy provides permissions to call all ACK API operations.

    Note: This policy contains only the permissions that are related to ACK. To manage and maintain applications deployed in ACK clusters, you also need to grant Role-Based Access Control (RBAC) permissions. For more information, see RBAC authorization.

  • AliyunVPCReadOnlyAccess: This policy provides permissions to specify a virtual private cloud (VPC) for an ACK cluster to be created.

  • AliyunECSReadOnlyAccess: This policy provides permissions to add existing nodes to an ACK cluster or view the detailed information about nodes.

  • AliyunContainerRegistryFullAccess: This policy provides permissions to manage all images that belong to an Alibaba Cloud account.

  • AliyunLogReadOnlyAccess: This policy provides permissions to select an existing log project to store logs for an ACK cluster to be created or view the configuration inspection information of an ACK cluster.

  • AliyunAHASReadOnlyAccess: This policy provides permissions to use the cluster topology feature.

  • AliyunRAMFullAccess: This policy provides permissions to manage all authorizations within an Alibaba Cloud account.

  • AliyunYundunSASReadOnlyAccess: This policy provides permissions to view the runtime monitoring data of an ACK cluster.

  • AliyunARMSReadOnlyAccess: This policy provides permissions to view the monitoring data of the Managed Service for Prometheus plug-in in an ACK cluster.

  • AliyunKMSReadOnlyAccess: This policy provides permissions to enable the Secret encryption feature for an ACK Pro cluster to be created.

  • AliyunESSReadOnlyAccess: This policy provides permissions to perform node pool operations, such as viewing, modifying, and scaling node pools.

Note

An Alibaba Cloud account has full management permissions on the resources within the account. You can create a RAM user and attach the AdministratorAccess policy to the RAM user. Then, you can use the RAM user as an account administrator to manage all cloud resources that belong to the Alibaba Cloud account. For more information, see Create a RAM user as an account administrator.

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user, and click Add Permissions in the Actions column.

    You can also select multiple RAM users and click Add Permissions in the lower part of the page to grant permissions to all of the selected RAM users at the same time.

  4. In the Grant Permission panel, grant permissions to the RAM user.

    1. Configure the Resource Scope parameter.

    2. Configure the Principal parameter.

      The principal is the RAM user to which you want to grant permissions. The current RAM user is automatically selected.

    3. Select the system policy that you want to attach.

    4. Click Grant permissions.

  5. Click Close.

Attach custom policies

You can use this method to control the permissions of RAM users and RAM roles on cloud resources in a fine-grained manner, tailored to the specific security and access requirements of each RAM user or RAM role. For example, to restrict the permissions of a user to a particular cluster, you can create a custom policy. Additionally, if a RAM user requires permissions for custom development by using SDKs, you can use this method to grant the RAM user the permissions to call only the specified API operations. For more information about the authorization operations supported by RAM, see RAM authorization.

Note

To create a custom policy, you must understand the basic structure and syntax of the policies. For more information, see Policy elements.

Step 1: Create a custom policy

  1. Log on to the RAM console as a RAM administrator.

  2. In the left-side navigation pane, choose Permissions > Policies.

  3. On the Policies page, click Create Policy.

  4. On the Create Policy page, click the JSON tab and enter the following policy content:

    {
      "Statement": [{
        "Action": [
          "cs:Get*",
          "cs:List*",
          "cs:Describe*",
          "cs:ScaleCluster",
          "cs:DeleteCluster"
        ],
        "Effect": "Allow",
        "Resource": [
          "acs:cs:*:*:cluster/cluster ID"
        ]
      }],
      "Version": "1"
    }

    Action: The permissions that you want to grant. Wildcard characters are supported.

    Resource: Choose from the following configuration options. Replace cluster ID with the actual ID of your cluster:

    • Grant permissions to one cluster

      "Resource": [
        "acs:cs:*:*:cluster/cluster ID"
      ]

    • Grant permissions to multiple clusters

      "Resource": [
        "acs:cs:*:*:cluster/cluster ID",
        "acs:cs:*:*:cluster/cluster ID"
      ]

    • Grant permissions to all clusters

      "Resource": [
        "*"
      ]

  5. Click Next to edit policy information, enter the name of the policy, and click OK.

  6. Return to the Policies page. You can enter the name or description of the policy into the search box to find the policy.
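
Before attaching a policy written from the template above, it is worth checking it mechanically. The following added example (not Alibaba Cloud's code) parses a policy document and flags three things a reviewer would look for: a placeholder left unreplaced, a Resource that is not in the acs:cs:*:*:cluster/<cluster ID> form, and a write action (cs:ScaleCluster, cs:DeleteCluster or cs:*) allowed on all clusters. The risk rules and the sample policy text are assumptions made for the example.

```python
import json
import re

# Resource form the page uses for a single cluster: acs:cs:*:*:cluster/<cluster ID>
CLUSTER_ARN = re.compile(r"^acs:cs:[^:]*:[^:]*:cluster/[^/]+$")
# Placeholders from the page's templates that must be replaced before use.
PLACEHOLDERS = ("cluster ID", "<yourclusterID>")
# Mutating actions granted by the Step 1 template; risky when paired with "*".
WRITE_ACTIONS = {"cs:ScaleCluster", "cs:DeleteCluster", "cs:*"}


def _as_list(value):
    """Action and Resource may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy_text):
    """Return findings for an ACK custom policy; an empty list means it passed."""
    findings = []
    try:
        policy = json.loads(policy_text)
    except json.JSONDecodeError as exc:
        # A '#' comment pasted into the JSON ends up here: policies are plain JSON.
        return [f"invalid JSON at line {exc.lineno}: {exc.msg}"]
    if policy.get("Version") != "1":
        findings.append('Version must be the string "1"')
    for i, stmt in enumerate(policy.get("Statement", [])):
        actions = set(_as_list(stmt.get("Action")))
        resources = _as_list(stmt.get("Resource"))
        for res in resources:
            if any(p in res for p in PLACEHOLDERS):
                findings.append(f"statement {i}: placeholder not replaced in {res!r}")
            elif res != "*" and not CLUSTER_ARN.match(res):
                findings.append(f"statement {i}: {res!r} is not an ACK cluster resource")
        risky = sorted(actions & WRITE_ACTIONS)
        if stmt.get("Effect") == "Allow" and "*" in resources and risky:
            findings.append(f"statement {i}: {risky} allowed on all clusters")
    return findings


# Constructed input: the page's Step 1 template with its placeholder left in place.
TEMPLATE = json.dumps({
    "Statement": [{"Action": ["cs:Get*", "cs:ScaleCluster", "cs:DeleteCluster"],
                   "Effect": "Allow", "Resource": ["acs:cs:*:*:cluster/cluster ID"]}],
    "Version": "1",
})

if __name__ == "__main__":
    for finding in lint_policy(TEMPLATE):
        print(finding)
```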

Step 2: Attach the custom policy to a RAM user or a RAM role

You can attach a custom policy in the same way you attach a system policy. For more information, see Attach system policies.

Custom policy examples

Example 1: Grant read-only permissions to a specified cluster

{
  "Statement": [
    {
      "Action": [
        "cs:Get*",
        "cs:List*",
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/<yourclusterID>"
      ]
    }
  ],
  "Version": "1"
}

Replace <yourclusterID> with the ID of the target cluster. Policy documents are plain JSON and do not accept comments.

Example 2: Grant read permissions to a specified OSS bucket

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListBuckets",
        "oss:GetBucketStat",
        "oss:GetBucketInfo",
        "oss:GetBucketTagging",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:ListObjects",
        "oss:GetBucketAcl"
      ],
      "Resource": "acs:oss:*:*:myphotos"
    },
    {
      "Effect": "Allow",
      "Action": [
        "oss:GetObject",
        "oss:GetObjectAcl"
      ],
      "Resource": "acs:oss:*:*:myphotos/*"
    }
  ]
}

Example 3: Authorize permissions to call non-cluster-specific API operations

If you want to authorize a RAM user to call non-cluster-specific API operations, such as DescribeEvents, do not specify cluster IDs in the Resource field of the policy content. The following shows the RAM policy before and after the modification:

Before modification:

{
    "Statement": [
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}

After modification:

{
    "Statement": [
        {
            "Action": [
                "cs:DescribeEvents"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Effect": "Allow",
            "Resource": [
                "acs:cs:*:*:cluster/c2e63856bcd714197****"
            ]
        }
    ],
    "Version": "1"
}
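
To see why the first policy does not cover DescribeEvents while the second does, and that the second still does not widen anything else, the following added example (not Alibaba Cloud's evaluation engine) evaluates both policies under a simplified RAM model: deny by default, an explicit Deny wins, otherwise a request is allowed if some Allow statement matches both the action and the resource, with wildcards matched as case-sensitive globs. The region, account ID, the second cluster ID and the service-level resource used for the non-cluster-specific call are constructed values; DescribeClusterDetail stands in for any cluster-scoped read.

```python
import fnmatch
import json

# The two policies from Example 3, as the page gives them (masked cluster ID kept).
BEFORE = json.loads("""{"Version": "1", "Statement": [
  {"Action": ["cs:Get*", "cs:List*", "cs:Describe*"], "Effect": "Allow",
   "Resource": ["acs:cs:*:*:cluster/c2e63856bcd714197****"]}]}""")
AFTER = json.loads("""{"Version": "1", "Statement": [
  {"Action": ["cs:DescribeEvents"], "Effect": "Allow", "Resource": ["*"]},
  {"Action": ["cs:Get*", "cs:List*", "cs:Describe*"], "Effect": "Allow",
   "Resource": ["acs:cs:*:*:cluster/c2e63856bcd714197****"]}]}""")

# Constructed request resources: region, account ID and the second cluster are made up.
CLUSTER = "acs:cs:cn-hangzhou:123456789012:cluster/c2e63856bcd714197****"
OTHER = "acs:cs:cn-hangzhou:123456789012:cluster/c0000000000000000****"
# A non-cluster-specific call carries no cluster ID; modelled as a service-level resource.
SERVICE = "acs:cs:cn-hangzhou:123456789012:*"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value):
    # Policy wildcards are modelled as case-sensitive glob matching (assumption).
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Deny by default; an explicit Deny wins; otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(_as_list(stmt["Action"]), action) and \
                _matches(_as_list(stmt["Resource"]), resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def check(policy):
    """Evaluate the requests that distinguish the before and after policies."""
    return {
        "DescribeEvents": is_allowed(policy, "cs:DescribeEvents", SERVICE),
        "DescribeClusterDetail": is_allowed(policy, "cs:DescribeClusterDetail", CLUSTER),
        "DescribeClusterDetail/other": is_allowed(policy, "cs:DescribeClusterDetail", OTHER),
        "DeleteCluster": is_allowed(policy, "cs:DeleteCluster", CLUSTER),
    }


if __name__ == "__main__":
    print("before:", check(BEFORE))
    print("after: ", check(AFTER))
```

Only the DescribeEvents entry changes between the two results: the cluster-scoped reads stay limited to the one cluster ID and DeleteCluster remains denied.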

What to do next