If the predefined ClusterRoles in the Container Service for Kubernetes (ACK) console cannot meet your permission requirements, you can customize ClusterRoles and Roles for granular role-based access control (RBAC) permissions. This allows for flexible configuration of permission policies based on your business requirements and security policies. This topic describes how to create custom RBAC permissions.
RBAC permissions
A Role defines permissions within a specific namespace, while a ClusterRole defines permissions at the cluster level. You can create custom Role and ClusterRole YAML manifests based on the policy descriptions of the following resources for fine-grained access control over ACK cluster resources.
Role
The following YAML template defines a Role named my-role with read permissions on pod resources within the default namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: my-role
rules: # A list of permission rules.
- apiGroups: [""] # The API group to which the resource belongs.
  resources: ["pods"] # The pod resource type.
  verbs: ["get", "list"] # The get and list permission policies.
ClusterRole
The following YAML template defines a ClusterRole named my-clusterrole with read permissions on pods and Services resources in the cluster.
ClusterRole is a cluster-scoped resource, so a namespace parameter cannot be specified in the YAML configuration file.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # namespace: default
  name: my-clusterrole
rules: # A list of permission rules.
- apiGroups: [""] # The API group to which the resource belongs.
  resources: ["pods"] # The pod resource type.
  verbs: ["get", "list"] # The get and list permission policies.
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]
To achieve fine-grained access control for Resource Access Management (RAM) users or roles on cluster resources, you can create custom RBAC permissions for different resources based on the following policy descriptions of common resource types:
Policy descriptions of common resource types
Read permissions
get: retrieve detailed information about the specified resource.
list: obtain a list of resources of a given type.
watch: monitor resource changes and receive real-time updates.
Write permissions
create: create resource instances.
update: modify existing resources.
patch: partially modify existing resources.
delete: remove specified resources.
Resource name | Resource type | API group | Permission policies
Pods | resources: ["pods"] | apiGroups: [""] |
Services | resources: ["services"] | apiGroups: [""] |
ConfigMaps | resources: ["configmaps"] | apiGroups: [""] |
Secrets | resources: ["secrets"] | apiGroups: [""] |
PersistentVolumes | resources: ["persistentvolumes"] | apiGroups: [""] |
PersistentVolumeClaims | resources: ["persistentvolumeclaims"] | apiGroups: [""] |
Namespaces | resources: ["namespaces"] | apiGroups: [""] |
Deployments | resources: ["deployments"] | apiGroups: ["apps"] |
DaemonSets | resources: ["daemonsets"] | apiGroups: ["apps"] |
StatefulSets | resources: ["statefulsets"] | apiGroups: ["apps"] |
Ingresses | resources: ["ingresses"] | apiGroups: ["networking.k8s.io"] |
NetworkPolicies | resources: ["networkpolicies"] | apiGroups: ["networking.k8s.io"] |
Jobs | resources: ["jobs"] | apiGroups: ["batch"] |
CronJobs | resources: ["cronjobs"] | apiGroups: ["batch"] |
StorageClasses | resources: ["storageclasses"] | apiGroups: ["storage.k8s.io"] |
HorizontalPodAutoscalers | resources: ["horizontalpodautoscalers"] | apiGroups: ["autoscaling"] |
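The Role and ClusterRole templates above grant only read verbs on two resource types; before applying a custom manifest it is worth checking mechanically that it stays that narrow. The following audit script is an added example, not part of the ACK documentation or product: it takes a manifest as a plain Python dict mirroring the YAML structure (so no YAML library is needed), flags a namespace set on a ClusterRole, wildcard rules, the RBAC escalation verbs bind/escalate/impersonate, and cluster-wide grants on secrets or write verbs. The thresholds and the "broad" counter-example manifest are constructed for illustration.

```python
# Added example (not ACK's own code): audit Role/ClusterRole manifests for grants
# that are broader than the page's read-only templates. Manifests are plain dicts
# mirroring the YAML structure, so no PyYAML is needed.
READ_VERBS = {"get", "list", "watch"}
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}  # RBAC verbs that widen access
SENSITIVE_RESOURCES = {"secrets"}


def audit_role(manifest):
    """Return a list of findings; an empty list means nothing looks over-broad."""
    findings = []
    kind = manifest.get("kind")
    meta = manifest.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    if kind == "ClusterRole" and "namespace" in meta:
        findings.append(f"{name}: ClusterRole is cluster-scoped, remove metadata.namespace")
    for i, rule in enumerate(manifest.get("rules", [])):
        groups, resources = rule.get("apiGroups", []), rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"{name} rule {i}: wildcard grant {groups}/{resources}/{sorted(verbs)}")
            continue  # every check below is implied by the wildcard
        if verbs & ESCALATION_VERBS:
            findings.append(f"{name} rule {i}: escalation verbs {sorted(verbs & ESCALATION_VERBS)}")
        if kind == "ClusterRole" and SENSITIVE_RESOURCES & set(resources):
            findings.append(f"{name} rule {i}: cluster-wide access to secrets, prefer a namespaced Role")
        if kind == "ClusterRole" and verbs - READ_VERBS:
            findings.append(f"{name} rule {i}: cluster-wide write verbs {sorted(verbs - READ_VERBS)}")
    return findings


# The page's my-clusterrole template, expressed as a dict.
MY_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "my-clusterrole"},
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
              {"apiGroups": [""], "resources": ["services"], "verbs": ["get", "list"]}],
}
# Constructed counter-example: namespace on a ClusterRole, cluster-wide Secret reads, a wildcard rule.
BROAD_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "broad", "namespace": "default"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
              {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

if __name__ == "__main__":
    for m in (MY_CLUSTERROLE, BROAD_CLUSTERROLE):
        print(m["metadata"]["name"], audit_role(m) or ["ok"])
```

Run it against a manifest converted from YAML (for example with a YAML loader of your choice) before `kubectl apply`; the page's template produces no findings, while the constructed broad manifest produces three.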
Procedure
You can customize RBAC permissions through the console or kubectl.
The ACK console only supports binding custom ClusterRoles with RBAC permissions within the cluster. To bind custom Roles with specific permissions, use the kubectl command.
Console
Step 1: Create custom RBAC permissions
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. In the left-side pane, choose .
On the Role page, select the Cluster Role tab. Then, click OK.
In the Create YAML panel, enter the YAML content of the ClusterRole and click OK to create the ClusterRole.
This step uses the YAML template for ClusterRole as an example. You can view the custom permission my-clusterrole under the Cluster Role tab after creation.
Step 2: Use custom RBAC permissions for authorization
Log on to the ACK console. In the left-side navigation pane, click Authorizations.
On the Authorizations page, grant permissions.
Grant permissions to a RAM user
Click the RAM Users tab, find the RAM user that you want to manage in the list, and then click Modify Permissions to open the Permission Management panel. You can also select multiple RAM users to grant permissions.
Grant permissions to a RAM role
Click the RAM Roles tab, specify RAM Role Name, and then click Modify Permissions to open the Permission Management panel.
Note: You can manually enter a RAM role or select a RAM role from the drop-down list. Click the blank box next to the RAM Role Name field to display the list of existing RAM roles, then select an existing RAM role from the list to grant permissions.
In the Permission Management panel, click + Add Permissions. In the Add Permissions section, select the Clusters associated with the created ClusterRole and the Namespace to be authorized. Select Custom under Permission Management, then select my-clusterrole from the right-hand drop-down list, and click Submit.
kubectl
Step 1: Create custom RBAC permissions
Use the following YAML template to create a file named my-clusterrole.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: my-clusterrole # ClusterRole is cluster-scoped; do not set metadata.namespace.
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list", "watch"]
Run the following command to create the ClusterRole:
kubectl apply -f my-clusterrole.yaml
Step 2: Obtain the authorization object ID
To authorize a RAM user, obtain the UserId by querying the RAM username. For more information, see GetUser.
To authorize a RAM role, obtain the RoleId by querying the RAM role name. For more information, see GetRole.
Step 3: Use custom RBAC permissions for authorization
Use the following YAML template to create a file named my-clusterrole-binding.yaml:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: my-clusterrole-binding
subjects:
- kind: User
  name: "20811XXXXXXXXX2288" # UserId or RoleId of the authorization object obtained in Step 2.
roleRef:
  kind: ClusterRole
  name: my-clusterrole
  apiGroup: rbac.authorization.k8s.io
Run the following command to create the ClusterRoleBinding:
kubectl apply -f my-clusterrole-binding.yaml
After the RAM user or role has been granted the custom RBAC permissions, verify the access by obtaining the KubeConfig of the target cluster and connecting to the cluster with kubectl as that identity.