A Container Service for Kubernetes (ACK) managed cluster automatically creates a default worker Resource Access Management (RAM) role shared by all nodes. If you authorize an application using this default worker RAM role, the permissions are shared among all nodes in the cluster, which may unintentionally grant more permissions than necessary. You can assign a custom worker RAM role to a node pool upon creation. By assigning specific roles to different node pools, you can isolate the permissions of each node pool, thereby reducing the risk of all nodes in the cluster sharing the same permissions.
Prerequisites
An ACK managed cluster that runs Kubernetes 1.22 or later is created. For more information, see Create an ACK managed cluster.
Step 1: Create a RAM role
You can use the console, API, or Terraform to create a worker RAM role.
The name of the RAM role cannot start with KubernetesMasterRole- or KubernetesWorkerRole-.
The Trusted Service of the RAM role must be Elastic Compute Service.
Use the console to create a RAM role
Log on to the RAM console by using an Alibaba Cloud account.
Note: An Alibaba Cloud account has full management permissions on the resources within the account. You can create a RAM user and attach the AdministratorAccess policy to the RAM user. Then, you can use the RAM user as an account administrator to manage all cloud resources that belong to the Alibaba Cloud account. For more information, see Create a RAM user as an account administrator.
In the left-side navigation pane, choose .
On the Roles page, click Create Role.
On the Create Role page, select Alibaba Cloud Service in the Select Trusted Entity section and click Next.
Select Normal Service Role for the Role Type parameter.
Specify the RAM Role Name and Note parameters.
Select Elastic Compute Service as the trusted service.
Click OK.
Click Close.
Use API or Terraform to create a RAM role
When you use the API or Terraform to create the RAM role, make sure that its trust policy is configured as follows, so that only the ECS service can assume the role. For more information about how to modify the trust policy of a RAM role, see Edit the trust policy of a RAM role.
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
For more information about how to create a RAM role by using the API, see CreateRole.
For more information about how to create a RAM role using Terraform, see Use Terraform to create a RAM role and grant permissions to the RAM role.
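The two constraints in this step (the role name prefix and the ECS-only trust policy) are easy to get wrong when the role is created by script rather than in the console. The following pre-flight check is an added example, not part of this page or of any Alibaba Cloud SDK; it builds the trust policy shown above and validates a role name plus candidate trust policy document before you pass them to CreateRole or to your Terraform resource. The role name used below is a constructed sample.

```python
import json

# Constraints stated on this page for a custom worker RAM role.
FORBIDDEN_NAME_PREFIXES = ("KubernetesMasterRole-", "KubernetesWorkerRole-")
REQUIRED_TRUSTED_SERVICE = "ecs.aliyuncs.com"


def worker_role_trust_policy() -> dict:
    """Return the trust policy document required for a worker RAM role."""
    return {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {"Service": [REQUIRED_TRUSTED_SERVICE]},
            }
        ],
        "Version": "1",
    }


def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def validate_worker_role(name: str, trust_policy_json: str) -> list:
    """Return a list of problems with the role definition; empty means it passes."""
    problems = []
    if name.startswith(FORBIDDEN_NAME_PREFIXES):
        problems.append("role name must not start with " + " or ".join(FORBIDDEN_NAME_PREFIXES))
    try:
        doc = json.loads(trust_policy_json)
    except json.JSONDecodeError as exc:
        return problems + [f"trust policy is not valid JSON: {exc}"]
    ecs_allowed = False
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            problems.append("Principal must be an object naming the trusted service")
            continue
        services = _as_list(principal.get("Service", []))
        if REQUIRED_TRUSTED_SERVICE in services:
            ecs_allowed = True
        # Any principal other than the ECS service widens who may assume the worker role.
        for extra in [s for s in services if s != REQUIRED_TRUSTED_SERVICE] + _as_list(principal.get("RAM", [])):
            problems.append(f"unexpected principal may assume the role: {extra}")
    if not ecs_allowed:
        problems.append(f"trust policy must allow {REQUIRED_TRUSTED_SERVICE} to call sts:AssumeRole")
    return problems


if __name__ == "__main__":
    # Constructed sample role name for a production node pool.
    print(validate_worker_role("ack-nodepool-prod-worker", json.dumps(worker_role_trust_policy())))
```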
Step 2: Assign a worker RAM role when creating a node pool
You can assign a custom worker RAM role only when creating a cluster or a node pool. You cannot modify the worker RAM role of an existing node pool.
When you create a cluster or a node pool in the ACK console, open the Advanced Options section of the node pool configuration and set Worker RAM Role to the custom role that you created in Step 1: Create a RAM role.
For more information, see Advanced options for node pool when creating a cluster and Advanced configuration when creating a node pool.
References
By default, the RAM role does not have any permissions after it is created.
For more information about how to create custom policies and grant permissions using the console, see Create custom policies and Grant permissions to a RAM role.
For more information about how to create custom policies and grant permissions by using the API, see CreatePolicy and AttachPolicyToRole.
For more information about how to create custom policies and grant permissions using Terraform, see Use Terraform to create a RAM role and grant permissions to the RAM role.
Revoke permissions that are no longer needed from a RAM role at the earliest opportunity. For more information, see Revoke permissions from a RAM role.