Role-based access control (RBAC) regulates access to resources based on the roles of users. You can use Roles and ClusterRoles to specify resource objects that can be managed. You can use RoleBinding and ClusterRoleBinding to bind roles to specific users. This way, different users can have different permissions on Kubernetes resources. After you grant Resource Access Management (RAM) permissions to a RAM user or RAM role, you must also grant RBAC permissions to the RAM user or RAM role before you can perform operations on Kubernetes resources in the cluster, such as creating Deployments and Services.
How RBAC works
Kubernetes RBAC provides the following resource objects that you can use to bind RBAC roles to a RAM user or RAM role. Kubernetes RBAC supports only allow permissions. For more information about how to configure ClusterRoles and Roles, see Use custom RBAC roles to limit the permissions of RAM users or RAM roles.
Role: A Role defines permissions within a particular namespace.
RoleBinding: A RoleBinding is used to bind a Role to a user.
ClusterRole: A ClusterRole defines cluster-wide permissions.
ClusterRoleBinding: A ClusterRoleBinding is used to bind a ClusterRole to a user.
Prerequisites
The RAM user or RAM role is granted the read-only RAM permissions on the specified cluster. The following table describes the policy. For more information, see Attach custom policies.
Usage notes for authorization
An Alibaba Cloud account can perform all operations on all clusters. A RAM user or RAM role can perform all operations on the clusters it creates. A RAM user or RAM role that is not the creator of a cluster requires additional RAM and RBAC permissions to manage clusters.
Procedure
ACK provides the following predefined RBAC roles: Administrator, O&M Engineer, Developer, and Restricted User. You can use these roles to regulate access to the ACK console in most scenarios. For more information about how to configure custom RAM users or RAM roles, see Use custom RBAC to restrict resource operations within the cluster.
Only the following types of accounts can grant RBAC permissions to other RAM users or RAM roles:
An Alibaba Cloud account.
A RAM user or a RAM role that has administrator permissions.
Grant RBAC permissions by using an Alibaba Cloud account
Log on to the ACK console. In the left-side navigation pane, click Authorizations.
On the Authorizations page, grant permissions.
Grant permissions to a RAM user
Click the RAM Users tab, find the RAM user that you want to manage in the list, and then click Modify Permissions to open the Permission Management panel. You can also select multiple RAM users to grant permissions.
Grant permissions to a RAM role
Click the RAM Roles tab, specify RAM Role Name, and then click Modify Permissions to open the Permission Management panel.
Note: You can manually enter a RAM role or select a RAM role from the drop-down list. Click the blank box next to the RAM Role Name field to display the list of existing RAM roles, and then select an existing RAM role from the list to grant permissions.
Click Add Permissions, configure the Clusters, Namespace, and Permission Management parameters for the RAM user or RAM role, and then click Submit.
Note: You can assign one predefined role and multiple custom roles of a cluster or namespace to a RAM user or RAM role. In this case, the granted permissions are the union of the permissions provided by the multiple roles.
If you need to authorize a RAM user or RAM role to manage all clusters (including newly created clusters), select All Clusters in the Clusters column when you assign a predefined role to the RAM user or RAM role.
| Predefined role | RBAC permission on cluster resources |
| --- | --- |
| Administrator | Read and write permissions on resources in all namespaces. Read and write permissions on nodes, volumes, namespaces, and quotas. |
| O&M Engineer | Read and write permissions on visible Kubernetes resources in the console in all namespaces and read-only permissions on nodes, persistent volumes (PVs), namespaces, and quotas. |
| Developer | RBAC read and write permissions on visible Kubernetes resources in the console in all namespaces or the specified namespaces. |
| Restricted User | Read-only RBAC permissions on visible Kubernetes resources in the console in all namespaces or the specified namespaces. |
| Custom | The permissions of a custom role are determined by the cluster role that you select. Before you select a cluster role, check the permissions of the cluster role and make sure that you grant only the required permissions to the RAM user or RAM role. For more information about how to configure custom RAM users or RAM roles, see Use custom RBAC to restrict resource operations within the cluster. |
Important: After a RAM user or RAM role is assigned the cluster-admin role, the RAM user or RAM role has the same permissions as the Alibaba Cloud account to which the RAM user or RAM role belongs. The RAM user or RAM role has full control over all resources within the cluster. Exercise caution if you want to assign the cluster-admin role to a RAM user or RAM role.
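The binding semantics described above (namespaced Roles versus cluster-wide ClusterRoles, allow-only rules, and the union of permissions when a subject is bound to several roles) can be modelled in a few lines. The following is an added example, not ACK's own code; the subject name, rules and namespaces are constructed sample data.

```python
# Added example (not ACK's code): minimal model of Kubernetes RBAC binding semantics.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional

@dataclass
class Rule:
    verbs: List[str]       # e.g. ["get", "list"] or ["*"]
    resources: List[str]   # e.g. ["pods", "deployments"] or ["*"]

@dataclass
class Binding:
    subject: str                     # identity the cluster sees for the RAM user/role
    rules: List[Rule]                # rules of the bound Role or ClusterRole
    namespace: Optional[str] = None  # None models a ClusterRoleBinding (cluster-wide)

def _rule_allows(rule: Rule, verb: str, resource: str) -> bool:
    return (any(fnmatch(verb, v) for v in rule.verbs)
            and any(fnmatch(resource, r) for r in rule.resources))

def can_i(bindings: List[Binding], subject: str, verb: str,
          resource: str, namespace: str) -> bool:
    """True if any binding for subject allows verb on resource in namespace.
    RBAC has no deny rule, so a single matching allow is sufficient (union)."""
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # namespaced Role: valid only inside its own namespace
        if any(_rule_allows(r, verb, resource) for r in b.rules):
            return True
    return False

# Constructed sample: a read-only ClusterRole bound cluster-wide, plus a custom
# Role that adds write access to Deployments in one namespace only.
READ_ONLY = [Rule(["get", "list", "watch"], ["*"])]
DEPLOY_WRITER = [Rule(["create", "update", "delete"], ["deployments"])]
SAMPLE_BINDINGS = [
    Binding("ram-user-dev", READ_ONLY),
    Binding("ram-user-dev", DEPLOY_WRITER, namespace="team-a"),
]

def demo() -> dict:
    """Effective permissions of the sample subject: union, scoped by namespace."""
    u = "ram-user-dev"
    return {
        "list_pods_prod": can_i(SAMPLE_BINDINGS, u, "list", "pods", "prod"),
        "create_deploy_team_a": can_i(SAMPLE_BINDINGS, u, "create", "deployments", "team-a"),
        "create_deploy_prod": can_i(SAMPLE_BINDINGS, u, "create", "deployments", "prod"),
    }
```

Against a real cluster the same questions are answered by `kubectl auth can-i`, which is the check to run after granting a role.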
Grant RBAC permissions by using a RAM user or RAM role
An Alibaba Cloud account has full management permissions on the resources within the account. You can also grant the following RAM and RBAC permissions to a new or existing RAM user or RAM role. Then, the RAM user or RAM role is set as a permission administrator, and you can use the RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles.
Step 1: Specify a RAM user or RAM role as a permission administrator
1. Grant RAM authorization permissions
Grant permissions by using system policies
Log on to the RAM console by using the Alibaba Cloud account and find the RAM user or RAM role that you want to set as a permission administrator.
RAM user
In the left-side navigation pane of the RAM console, choose . Find the RAM user that you want to use and click Add Permissions in the Actions column.
RAM role
In the left-side navigation pane of the RAM console, choose . Find the RAM role that you want to use and click Add Permissions in the Actions column.
On the Grant Permissions panel, choose Account for the Resource Scope. In the Policy field, select System Policy from the drop-down list, and then find and select the AliyunRAMFullAccess and AliyunCSFullAccess policies. Click Grant permissions and close the panel.
Important: The AliyunRAMFullAccess policy is a high-risk permission. Exercise caution when you grant permissions. For more information about fine-grained authorization, see Use custom policies to grant permissions in a fine-grained manner.
Use custom policies to grant permissions in a fine-grained manner
By default, you cannot use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles. You must grant the following permissions to the RAM user or RAM role:
The permissions to view other RAM users that belong to the same Alibaba Cloud account.
The permissions to attach RAM policies to other RAM users.
The permissions to view information about ACK clusters.
The permissions to view permissions of RBAC roles.
The permissions to assign RBAC roles to other RAM users.
Log on to the RAM console and use the following sample code to grant the required permissions to the RAM user or RAM role. For more information, see Attach custom policies.
Replace xxxxxx with the name of the RAM policy that you want to authorize the RAM user or RAM role to attach to other RAM users. If you replace xxxxxx with an asterisk (*), the RAM user or RAM role is authorized to attach all RAM policies to other RAM users or RAM roles.
```json
{
  "Statement": [
    {
      "Action": [
        "ram:Get*",
        "ram:List*",
        "cs:Get*",
        "cs:Describe*",
        "cs:List*",
        "cs:GrantPermission"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:AttachPolicyToUser",
        "ram:AttachPolicy"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:ram:*:*:policy/xxxxxx",
        "acs:*:*:*:user/*"
      ]
    }
  ],
  "Version": "1"
}
```
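Before attaching a policy of this shape, it is worth checking how far the AttachPolicy statement actually reaches, since replacing xxxxxx with * lets the holder attach any policy, AliyunRAMFullAccess included. The following added example (not Alibaba Cloud's code) parses a policy document with the same statements as the one above and reports the policy resources it permits attaching; the policy name AckDevOnly used in the usage is a constructed placeholder.

```python
# Added example (not Alibaba Cloud's code): inspect a RAM policy document of the
# shape shown above and report how broadly it lets the holder attach policies.
import json
from fnmatch import fnmatch

# RAM API operations that attach a policy to an identity. The first two are the
# ones used in the policy above; the group/role variants are also RAM operations.
ATTACH_ACTIONS = ("ram:AttachPolicy", "ram:AttachPolicyToUser",
                  "ram:AttachPolicyToGroup", "ram:AttachPolicyToRole")

# Constructed sample with the same statements as the page's policy; %s stands
# for the xxxxxx placeholder (a policy name or "*").
SAMPLE_TEMPLATE = """{
  "Statement": [
    {"Action": ["ram:Get*", "ram:List*", "cs:Get*", "cs:Describe*",
                "cs:List*", "cs:GrantPermission"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["ram:AttachPolicyToUser", "ram:AttachPolicy"],
     "Effect": "Allow",
     "Resource": ["acs:ram:*:*:policy/%s", "acs:*:*:*:user/*"]}
  ],
  "Version": "1"
}"""

def _as_list(v):
    return v if isinstance(v, list) else [v]

def attachable_policy_arns(policy_doc: str) -> list:
    """Policy resource patterns that an Allow statement permits attaching."""
    arns = []
    for st in json.loads(policy_doc).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        # Action entries may be wildcards such as ram:* or ram:Attach*.
        if not any(fnmatch(name, pat) for name in ATTACH_ACTIONS for pat in actions):
            continue
        for res in _as_list(st.get("Resource", [])):
            if res == "*" or ":policy/" in res:
                arns.append(res)
    return arns

def grants_unrestricted_attach(policy_doc: str) -> bool:
    """True when the holder may attach any policy (the '*' replacement case)."""
    return any(a == "*" or a.endswith("policy/*")
               for a in attachable_policy_arns(policy_doc))
```

Running `grants_unrestricted_attach(SAMPLE_TEMPLATE % "AckDevOnly")` returns False, while the same call with "*" returns True, which is the configuration the note above cautions against.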
2. Grant RBAC authorization permissions
After the preceding RAM and RBAC permissions are granted, the RAM user or RAM role is set as a permission administrator. You can use the RAM user or RAM role to grant RAM and RBAC permissions to other RAM users or RAM roles.
If a RAM user or RAM role is granted administrator permissions, the RAM user or RAM role can grant other RAM users or RAM roles all cluster-wide permissions. New clusters are automatically bound to existing ClusterRoles.
Step 2: Grant RBAC permissions to other RAM users or RAM roles
If a RAM user or RAM role is granted administrator permissions, you can log on to the RAM console to grant RBAC permissions to other RAM users or RAM roles. The operations are the same as those for granting RBAC permissions by using an Alibaba Cloud account. For more information, see Grant RBAC permissions by using an Alibaba Cloud account.
Error codes for insufficient permissions
If you do not have the required permissions when you use the ACK console or call the ACK API to perform an operation, the console or API returns an error code that indicates the required permissions. The following table describes the error codes that indicate the required RBAC permissions on the cluster.
| Error code or error message | Solution |
| --- | --- |
| ForbiddenCheckControlPlaneLog | Grant the administrator or O&M engineer permissions to the user. |
| ForbiddenHelmUsage | Grant the administrator permissions to the user. |
| ForbiddenRotateCert | Grant the administrator permissions to the user. |
| ForbiddenAttachInstance | Grant the administrator or O&M engineer permissions to the user. |
| ForbiddenUpdateKMSState | Grant the administrator or O&M engineer permissions to the user. |
| Forbidden get trigger | Grant the administrator, O&M engineer, or developer permissions to the user. |
| ForbiddenQueryClusterNamespace | Grant the administrator, O&M engineer, developer, or restricted user permissions to the user. |
References
If the predefined roles cannot meet your requirements, you can configure custom RAM users or RAM roles. For more information, see Use custom RBAC to restrict resource operations within the cluster.
To authorize a RAM user or RAM role to manage and maintain clusters and applications, you need to perform RAM authorization and RBAC authorization in sequence.
To grant permissions to an O&M engineer, see Scenario 1: Grant O&M engineers the permissions to manage clusters and applications.
To grant permissions to a developer, see Scenario 2: Grant developers the permissions to manage your clusters and applications.
To grant permissions to a permission administrator, see Scenario 3: Grant authorization administrators the permissions to manage the permissions of RAM users and RAM roles.
For more information about ACK roles, see ACK roles.
For more information about the issues related to authorization, see FAQ about authorization management.