Grant RBAC permissions to RAM users or RAM roles

Role-based access control (RBAC) regulates access to resources based on the roles of users. You can grant multiple permissions to cluster roles and configure different permission policies for different roles. This improves account security. You can grant RBAC permissions to Resource Access Management (RAM) users or RAM roles to allow them to access Kubernetes resources in a Container Service for Kubernetes (ACK) cluster that is not created by the RAM users or RAM roles.

Configurations
Grant RBAC permissions to RAM users or RAM roles
Use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles
Specify a RAM user or RAM role as a permission administrator
Error codes for insufficient permissions
References

Configurations

Configuration item	Description
Default permissions	By default, only Alibaba Cloud accounts and cluster owners have administrator permissions on Kubernetes resources in ACK clusters. By default, RAM users or RAM roles other than the cluster owners do not have the permissions to access Kubernetes resources in ACK clusters.
Authorization methods	Method 1: Assign the following predefined RBAC roles to a RAM user or RAM role: Administrator, O&M Engineer, Developer, Restricted User, and Custom. The Administrator role has the permissions to access all Kubernetes resources in clusters. For more information, see the Grant RBAC permissions to RAM users or RAM roles section of this topic. Method 2: Assign a predefined role to a RAM user or RAM role to manage all clusters. After a predefined role is assigned to the RAM user or RAM role, you can also manage newly created clusters as the RAM user or RAM role. For more information, see the Grant RBAC permissions to RAM users or RAM roles section of this topic. Method 3: Use a RAM user or RAM role to assign RBAC roles to other RAM users or RAM roles. When you use this authorization method, only the clusters and namespaces that the RAM user or RAM role is authorized to manage are listed in the console. In addition, the RAM user or RAM role must be assigned the Administrator or cluster-admin role of the specified cluster or namespace. For more information, see the Specify a RAM user or RAM role as a permission administrator and Use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles sections of this topic. Note Before you grant permissions to a RAM user or RAM role, make sure that the RAM user or RAM role is granted read-only permissions on the specified cluster in the RAM console.
Authorization models	You can grant permissions to one or more RAM users or RAM roles at a time.

Note

To ensure data security, you are not allowed to modify RAM policies that are attached to your RAM users or RAM roles in the ACK console. You must read the instructions on the authorization page, log on to the RAM console, and then modify the RAM policies.

Log on to the ACK console. In the left-side navigation pane, click Authorizations.
On the Authorizations page, grant permissions.
- Grant permissions to a RAM user
  Click the RAM Users tab. In the RAM user list, find the RAM user that you want to manage and click Modify Permissions in the Actions column. The Permission Management panel appears.
- Grant permissions to a RAM role
  Click the RAM Roles tab, configure the RAM Role Name parameter and click Modify Permissions. The Permission Management panel appears.
Note
If you want to use a RAM user or RAM role to grant permissions to other RAM users or RAM roles, make sure that the RAM user or RAM role has been granted RAM permissions on the cluster that you want to manage. For more information, see Create a custom RAM policy. In addition, the RAM user or RAM role must be assigned the Administrator role or cluster-admin role of the cluster.

Click Add Permissions, configure the Clusters, Namespace, and Permission Management parameters for the RAM user or RAM role, and then click Submit.

Note

ACK provides the following predefined roles: Administrator, O&M Engineer, Developer, and Restricted User. You can use these roles to regulate access to resources in the ACK console in most scenarios. You can also use custom roles to define permissions on clusters based on your business requirements.
You can assign one predefined role and multiple custom roles of a cluster or namespace to a RAM user or RAM role.
If you want to authorize a RAM user or RAM role to manage all clusters, including newly created clusters, select All Clusters in the Clusters column when you assign a predefined role to the RAM user or RAM role.

Show the description of predefined roles

Predefined role	RBAC permission on cluster resources
Administrator	Read and write permissions on resources in all namespaces. Read and write permissions on nodes, volumes, namespaces, and quotas.
O&M Engineer	Read and write permissions on visible Kubernetes resources in the console in all namespaces and read-only permissions on nodes, persistent volumes (PVs), namespaces, and quotas.
Developer	RBAC read and write permissions on visible Kubernetes resources in the console in all namespaces or the specified namespaces.
Restricted User	RBAC read-only permissions on visible Kubernetes resources in the console in all namespaces or the specified namespaces.
Custom	The permissions of a custom role are determined by the cluster role that you select. Before you select a cluster role, check the permissions of the cluster role and make sure that you grant only the required permissions to the RAM user or RAM role. The following section describes how to view the permissions of a custom role. Important After a RAM user or RAM role is assigned the cluster-admin role, the RAM user or RAM role has the same permissions as the Alibaba Cloud account to which the RAM user or RAM role belongs. The RAM user or RAM role has full permissions on all resources in the cluster. Exercise caution if you want to assign the cluster-admin role to a RAM user or RAM role.

Show how to view the permissions of a custom role

Log on to a node and run the following command to view the RBAC roles in the cluster:

kubectl get clusterrole

Expected results:

NAME                                                                   AGE
admin                                                                  13d
alibaba-log-controller                                                 13d
alicloud-disk-controller-runner                                        13d
cluster-admin                                                          13d
cs:admin                                                               13d
edit                                                                   13d
flannel                                                                13d
kube-state-metrics                                                     22h
node-exporter                                                          22h
prometheus-k8s                                                         22h
prometheus-operator                                                    22h
system:aggregate-to-admin                                              13d
....  
system:volume-scheduler                                                13d
view                                                                   13d

Run the following command to query the details of a role. In this example, the permissions of the cluster-admin role are queried.

Important

After a RAM user or RAM role is assigned the cluster-admin role, the RAM user or RAM role has the same permissions as the Alibaba Cloud account to which the RAM user or RAM role belongs. The RAM user or RAM role has full permissions on all resources in the cluster. Exercise caution if you want to assign the cluster-admin role to a RAM user or RAM role.

kubectl get clusterrole cluster-admin -o yaml

Expected results:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  annotations:
    rbac.authorization.kubernetes.io/autoupdate: "true"
  creationTimestamp: 2022-12-30T08:31:15Z
  labels:
    kubernetes.io/bootstrapping: rbac-defaults
  name: cluster-admin
  resourceVersion: "57"
  selfLink: /apis/rbac.authorization.k8s.io/v1/clusterroles/cluster-admin
  uid: 2f29f9c5-cdf9-11e8-84bf-00163e0b2f97
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'

Use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles

By default, you cannot use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles. If you want to use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles, you must first use the Alibaba Cloud account or a RAM user that is assigned the Administrator role of all clusters to grant the required permissions to the RAM user or RAM role.

RAM permission

You must attach a RAM policy to the RAM user or RAM role. The RAM policy must provide the following permissions:

The permissions to view other RAM users that belong to the same Alibaba Cloud account.
The permissions to attach RAM policies to other RAM users or RAM roles.
The permissions to view information about ACK clusters.
The permissions to view permissions of RBAC roles.
The permissions to assign RBAC roles to other RAM users or RAM roles.

Log on to the RAM console and use the following sample code to grant the required permissions to the RAM user or RAM role. For more information, see Create a custom RAM policy.

Note

Replace xxxxxx with the name of the RAM policy you want to authorize the RAM user or RAM role to attach to other RAM users or RAM roles. If you replace xxxxxx with an asterisk (*), the RAM user or RAM role is authorized to attach all RAM policies to other RAM users or RAM roles.

{
    "Statement": [{
            "Action": [
                "ram:Get*",
                "ram:List*",
                "cs:Get*",
                "cs:Describe*",
                "cs:List*",
                "cs:GrantPermission"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ram:AttachPolicyToUser",
                "ram:AttachPolicy"
            ],
            "Effect": "Allow",
            "Resource":  [
                "acs:ram:*:*:policy/xxxxxx",
                "acs:*:*:*:user/*"
            ]
        }
    ],
    "Version": "1"
}

After the RAM policy is attached to the RAM user or RAM role, you can use the RAM user or RAM role to attach the specified RAM policies to other RAM users or RAM roles.

RBAC permissions

After you attach the preceding RAM policy to the RAM user or RAM role, you must assign the Administrator or cluster-admin role to the RAM user or RAM role to allow them to access the specified cluster or namespace. For more information, see the Grant RBAC permissions to RAM users or RAM roles section of this topic.

Set a RAM user or RAM role as a permission administrator

If you do not want to use an Alibaba Cloud account to assign RBAC roles to RAM users or RAM roles, you can set a RAM user or RAM role as a permission administrator and then use the RAM user or RAM role to grant permissions to other RAM users or RAM roles.

Log on to the RAM console and find the RAM user or RAM role that you want to set as a permission administrator.
- RAM user
  In the left-side navigation pane of the RAM console, choose Identities > Users. Find the RAM user that you want to use and click Add Permissions in the Actions column.
- RAM role
  In the left-side navigation pane of the RAM console, choose Identities > Roles. Find the RAM role that you want to use and click Grant Permissions in the Actions column.
In the Grant Permission panel, configure the Resource Scope parameter, select System Policy from the drop-down list, find and click the AliyunRAMReadOnlyAccess and AliyunCSFullAccess system policies to add them to the right-side Selected Policy section, and then click Grant permissions. After the policies are attached, click Close.
Log on to the ACK console by using your Alibaba Cloud account and assign the Administrator role of all clusters to the RAM user or RAM role.
For more information, see the Grant RBAC permissions to RAM users or RAM roles section of this topic.
After the preceding steps are complete, the RAM user or RAM role is set as a permission administrator. You can use the RAM user or RAM role to grant RAM permissions and RBAC permissions to other RAM users or RAM roles.

Error codes for insufficient permissions

If you do not have the required permissions when you use the ACK console or call the ACK API to perform an operation, the console or API returns an error code that indicates the required permissions. The following table describes the error codes that indicate the required RBAC permissions on the cluster.

Error code or error message	Required RBAC permission on the cluster
ForbiddenCheckControlPlaneLog	Permissions of Administrator or O&M Engineer
ForbiddenHelmUsage	Administrator permissions
ForbiddenRotateCert	Administrator permissions
ForbiddenAttachInstance	Permissions of Administrator or O&M Engineer
ForbiddenUpdateKMSState	Permissions of Administrator or O&M Engineer
Forbidden get trigger	Permissions of Administrator, O&M Engineer, or Developer
ForbiddenQueryClusterNamespace	Permissions of Administrator, O&M Engineer, Developer, or Restricted User

References

For more information about the authorization system of ACK, see Best practices of authorization.
For more information about ACK roles, see ACK roles.
For more information about the issues related to authorization, see FAQ about authorization management.

Container Service for Kubernetes:Grant RBAC permissions to RAM users or RAM roles

Table of contents

Configurations