Use custom worker RAM roles to implement fine-grained access control for node pools - Container Service for Kubernetes

By default, a Container Service for Kubernetes (ACK) managed cluster creates a default worker Resource Access Management (RAM) role shared by all nodes. If you authorize an application using the worker RAM role, the permissions are shared among all nodes in the cluster, which may unintentionally grant more permissions than necessary. You can assign custom worker RAM roles to different node pools upon creation to reduce the potential risk of sharing a worker RAM role among all nodes in the cluster.

Prerequisites

An ACK managed cluster that runs Kubernetes 1.22 or later is created. For more information, see Create an ACK managed cluster.

Step 1: Create a RAM role

You can use the console, API, or Terraform to create a worker RAM role.

Important

The name of the RAM role cannot start with KubernetesMasterRole- or KubernetesWorkerRole-.
The Trusted Service of the RAM role must be Elastic Compute Service.

Use the console to create a RAM role

Log on to the RAM console by using an Alibaba Cloud account.
Note
An Alibaba Cloud account has full management permissions on the resources within the account. You can create a RAM user and attach the AdministratorAccess policy to the RAM user. Then, you can use the RAM user as an account administrator to manage all cloud resources that belong to the Alibaba Cloud account. For more information, see Create a RAM user as an account administrator.
In the left-side navigation pane, choose Identities > Roles.
On the Roles page, click Create Role.
On the Create Role page, select Alibaba Cloud Service in the Select Trusted Entity section and click Next.
Select Normal Service Role for the Role Type parameter.
Specify the RAM Role Name and Note parameters.
Select Elastic Compute Service as the trusted service.
Click OK.
Click Close.

Use API or Terraform to create a RAM role

Make sure that the trust policy is configured as follows when using API or Terraform to create a RAM role. For more information about how to modify the trust policy of the RAM role, see Edit the trust policy of a RAM role.

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}

For more information about how to create a RAM role using API, see CreateRole.
For more information about how to create a RAM role using Terraform, see Create a role and bind a custom permission policy to the role.

Step 2: Assign a worker RAM role when creating a node pool

Important

You can assign a custom worker RAM role when creating a cluster or a node pool. You cannot modify the worker RAM role of an existing node pool.

When you create a cluster or a node pool in the ACK console, under the Advanced Options configuration of the node pool, select the Worker RAM Role as the role created in Step 1: Create a RAM role to assign it to the new node pool. For more information, see Advanced options for node pool when creating a cluster and Advanced configuration when creating a node pool.

References

By default, the RAM role does not have any permissions after it is created.

For more information about how to create custom policies and grant permissions using the console, see Create custom policies and Grant permissions to a RAM role.
For more information about how to create custom policies and grant permissions using API, see CreatePolicy and AttachPolicyToRole.
For more information about how to create custom policies and grant permissions using Terraform, see Create a role and bind a custom permission policy to the role.

Revoke permissions that are no longer needed from a RAM role at the earliest opportunity. For more information, see Revoke permissions from a RAM role.