All Products
Search
Document Center

Container Service for Kubernetes:Use custom worker RAM roles to implement fine-grained access control for node pools

Last Updated:Jan 20, 2025

A Container Service for Kubernetes (ACK) managed cluster automatically creates a default worker Resource Access Management (RAM) role shared by all nodes. If you authorize an application using this default worker RAM role, the permissions are shared among all nodes in the cluster, which may unintentionally grant more permissions than necessary. You can assign a custom worker RAM role to a node pool upon creation. By assigning specific roles to different node pools, you can isolate the permissions of each node pool, thereby reducing the risk of all nodes in the cluster sharing the same permissions.

Prerequisites

An ACK managed cluster that runs Kubernetes 1.22 or later is created. For more information, see Create an ACK managed cluster.

Step 1: Create a RAM role

You can use the console, API, or Terraform to create a worker RAM role.

Important
  • The name of the RAM role cannot start with KubernetesMasterRole- or KubernetesWorkerRole-.

  • The Trusted Service of the RAM role must be Elastic Compute Service.

Use the console to create a RAM role

  1. Log on to the RAM console by using an Alibaba Cloud account.

    Note

    An Alibaba Cloud account has full management permissions on the resources within the account. You can create a RAM user and attach the AdministratorAccess policy to the RAM user. Then, you can use the RAM user as an account administrator to manage all cloud resources that belong to the Alibaba Cloud account. For more information, see Create a RAM user as an account administrator.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, click Create Role.

  4. On the Create Role page, select Alibaba Cloud Service in the Select Trusted Entity section and click Next.

  5. Select Normal Service Role for the Role Type parameter.

  6. Specify the RAM Role Name and Note parameters.

  7. Select Elastic Compute Service as the trusted service.

  8. Click OK.

  9. Click Close.

Use API or Terraform to create a RAM role

Make sure that the trust policy is configured as follows when using API or Terraform to create a RAM role. For more information about how to modify the trust policy of the RAM role, see Edit the trust policy of a RAM role.

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

Step 2: Assign a worker RAM role when creating a node pool

Important

You can assign a custom worker RAM role only when creating a cluster or a node pool. You cannot modify the worker RAM role of an existing node pool.

When you create a cluster or a node pool in the ACK console, under the Advanced Options configuration of the node pool, select the Worker RAM Role as the custom role created in Step 1: Create a RAM role .

For more information, see Advanced options for node pool when creating a cluster and Advanced configuration when creating a node pool.

References

By default, the RAM role does not have any permissions after it is created.

Revoke permissions that are no longer needed from a RAM role at the earliest opportunity. For more information, see Revoke permissions from a RAM role.