Container Service for Kubernetes:Use RAM and RBAC to implement access control

Last Updated: Nov 07, 2024

The authorization system of Container Service for Kubernetes (ACK) consists of Resource Access Management (RAM) authorization and role-based access control (RBAC) authorization. You can use RAM and RBAC to enforce flexible and layered permission control on cloud resources and resources within an ACK cluster.

Authorization system

The authorization system of ACK consists of RAM authorization and RBAC authorization. RAM authorization is used to grant permissions on cloud resources. RBAC authorization is used to grant permissions on Kubernetes resources within a cluster. The following figure shows the authorization system of ACK.

(Figure: the authorization system of ACK, showing RAM authorization for cloud resources and RBAC authorization for in-cluster Kubernetes resources)
  • RAM authorization: based on the system policies and custom policies of RAM. This authorization system is used to grant permissions on the API operations of ACK and other Alibaba Cloud services to support the following O&M operations:

    • Create, view, upgrade, and delete clusters.

    • Create, modify, and scale node pools.

    • Manage authorization.

    • Monitor clusters and collect logs and events.

  • RBAC authorization: based on Kubernetes RBAC. This authorization system is used to grant permissions on Kubernetes resources in ACK clusters to support O&M operations. In most cases, you can use RBAC authorization to grant the permissions to add, delete, modify, and query the following Kubernetes resource objects:

    • Workload resources: Deployment, StatefulSet, DaemonSet, Job, CronJob, pod, and ReplicaSet.

    • Network resources: Service, Ingress, and NetworkPolicy.

    • Storage resources: persistent volume (PV), persistent volume claim (PVC), and StorageClass.

    • Namespace, ConfigMap, and Secret.

Authorization types

Authorization type: RAM authorization

Require authorization:

  • RAM users or RAM roles: You must attach policies to RAM users or RAM roles.

  • Alibaba Cloud accounts: By default, Alibaba Cloud accounts have full permissions. No authorization is required.

  • Service-linked roles: If this is the first time you use ACK, you must complete the authorization by using an Alibaba Cloud account or a RAM user that has administrator permissions.

Description:

  • RAM authorization allows you to attach system policies or custom policies to a RAM user or RAM role. A RAM user or RAM role can access resources in other Alibaba Cloud services only after this authorization is complete.

  • After you assign a service-linked role to ACK, you can assume the role to access ACK clusters and resources in other Alibaba Cloud services. For more information about the service-linked roles for ACK, see ACK roles.

Authorization type: RBAC authorization

Require authorization:

  • RAM users or RAM roles: You must attach policies to RAM users or RAM roles.

  • Alibaba Cloud accounts: By default, Alibaba Cloud accounts have full permissions. No authorization is required.

Description:

  A RAM user or RAM role has permissions to manage Kubernetes resources in ACK One clusters only after this authorization is complete.

RAM authorization

By default, RAM users or RAM roles do not have the permissions to use cloud service APIs. Before you use a RAM user or RAM role to manage cloud resources, you must grant the required permissions to the RAM user or RAM role. RAM authorization allows you to attach system policies or custom policies to a RAM user or RAM role. For more information, see Use RAM to grant the permissions to access clusters and cloud resources.

Scenarios

  • You can use labels to classify clusters and configure labels as conditions in RAM policies to implement fine-grained access control. This grants different users different permissions on clusters. For more information, see Use labels to implement fine-grained access control.

  • When you use a worker RAM role to grant permissions to a specific application in a cluster, the permissions are granted to all nodes in the cluster. This may increase the risk of privilege abuse. To address this issue, we recommend that you assign different custom worker RAM roles to different node pools when you create the node pools. This way, different node pools use different RAM roles. For more information, see Use custom worker RAM roles.

  • To ensure secure access to other cloud services from applications in ACK clusters, you can use the RAM Roles for Service Accounts (RRSA) feature to conduct API permission control on pods. For more information, see Use RRSA to authorize different pods to access different cloud services.

  • To ensure node security for an ACK managed cluster, you can manually limit the permissions of the worker RAM role of the cluster based on the least privilege principle. For more information, see Manually limit the permissions of the worker RAM role of an ACK managed cluster.

RBAC authorization

RBAC authorization allows you to grant only the permissions on Kubernetes resources in clusters. For example, you can use RBAC authorization to grant a RAM user or RAM role permissions on resources, such as the permissions to query information about a pod or node in a cluster. You can perform RBAC authorization on the Authorizations page in the ACK console.

Kubernetes RBAC provides the following resource objects that you can use to bind RBAC roles to a RAM user or RAM role. Kubernetes RBAC rules are purely additive: a rule can only allow an action, never deny one, so every additional binding can only widen what a subject may do. For more information about how to configure ClusterRoles and Roles, see Use custom RBAC roles to limit the permissions of RAM users or RAM roles.

  • Role: A Role defines permissions within a particular namespace.

  • RoleBinding: A RoleBinding is used to bind a Role (or a ClusterRole, whose permissions then apply only within that namespace) to a user.

  • ClusterRole: A ClusterRole defines cluster-wide permissions.

  • ClusterRoleBinding: A ClusterRoleBinding is used to bind a ClusterRole to a user.

Important

ACK allows you to bind only custom ClusterRoles to a RAM user or RAM role. You cannot bind custom Roles to a RAM user or RAM role.
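As an added example that is not code from the ACK documentation, the following Python evaluator models the RBAC semantics described above: rules only allow and never deny, a ClusterRole granted through a RoleBinding applies only within that binding's namespace, and a ClusterRoleBinding applies cluster-wide. The ClusterRole names, the namespace "dev" and the subject "ram-user-dev" are constructed placeholders.

```python
# Added example (not from the ACK documentation): a minimal evaluator for the
# Kubernetes RBAC semantics described above. Rules only ever allow, a
# ClusterRole granted through a RoleBinding applies to that namespace only,
# and a ClusterRoleBinding applies cluster-wide. All manifests below are
# constructed; the subject "ram-user-dev" is a placeholder, not a real identity.

CLUSTER_ROLES = {
    # Custom ClusterRoles, the only kind ACK lets you bind to a RAM subject.
    "pod-reader": [
        {"apiGroups": [""], "resources": ["pods", "pods/log"],
         "verbs": ["get", "list", "watch"]},
    ],
    "node-viewer": [
        {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]},
    ],
}

# RoleBinding: "pod-reader" granted in namespace "dev" only.
ROLE_BINDINGS = [
    {"namespace": "dev", "roleRef": "pod-reader", "subjects": ["ram-user-dev"]},
]
# ClusterRoleBinding: applies in every namespace and to cluster-scoped objects.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "node-viewer", "subjects": ["ram-user-dev"]},
]

def _rule_allows(rule, api_group, resource, verb):
    """A rule matches when group, resource and verb are each listed or '*'."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))

def can_i(subject, verb, resource, namespace=None, api_group=""):
    """Allow-only evaluation: True as soon as any applicable binding grants the
    request. Nothing can subtract a grant, so every extra binding only widens."""
    for b in CLUSTER_ROLE_BINDINGS:
        if subject in b["subjects"] and any(
                _rule_allows(r, api_group, resource, verb) for r in CLUSTER_ROLES[b["roleRef"]]):
            return True
    for b in ROLE_BINDINGS:
        # A RoleBinding never reaches outside its own namespace.
        if b["namespace"] != namespace or subject not in b["subjects"]:
            continue
        if any(_rule_allows(r, api_group, resource, verb) for r in CLUSTER_ROLES[b["roleRef"]]):
            return True
    return False
```

With these bindings, `can_i("ram-user-dev", "get", "pods", "dev")` is True while the same request against namespace "prod" is False, which is the namespace-scoping behaviour behind the Developer and Restricted user roles in the table below.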

You can assign the following predefined roles to a RAM user or RAM role in the ACK console. For more information, see Grant RBAC permissions to RAM users or RAM roles.

Table 1. Roles and permissions (role: RBAC permissions on cluster resources)

  • Administrator: Read and write permissions on resources in all namespaces.

  • O&M engineer: Read and write permissions on visible resources in the console in all namespaces, and read-only permissions on nodes, PVs, namespaces, and quotas.

  • Developer: Read and write permissions on visible resources in the console in a specified namespace or all namespaces.

  • Restricted user: Read-only permissions on visible resources in the console in a specified namespace or all namespaces.

  • Custom role: The permissions of a custom role are determined by the ClusterRole that you select. Before you select a ClusterRole, check the permissions of the ClusterRole and make sure that you grant only the required permissions to the RAM user or RAM role. For more information about ClusterRoles, see Use custom RBAC roles to limit the permissions of RAM users or RAM roles.

To authorize a RAM user or RAM role to manage and maintain clusters and applications, you need to perform RAM authorization and RBAC authorization in sequence. Before you perform RBAC authorization, you must complete RAM authorization. Refer to the following topics to complete the authorization in different scenarios:

Important

When you delete the RAM user or RAM role of a resigned employee or an untrusted individual, the RBAC permissions carried in that user's kubeconfig file are not automatically revoked. Therefore, after you delete the RAM user or RAM role, you must also revoke the user's kubeconfig file. For more information, see Delete kubeconfig files.