Labels can be used to identify, categorize, or classify resources for easy management. Resource Access Management (RAM) allows you to manage user identities and resource access and operation permissions based on policies. You can use labels to classify Container Service for Kubernetes (ACK) cluster resources and then reference those labels as conditions in RAM policies to implement fine-grained access control. This way, different RAM users receive different ACK cluster permissions.
The following figure shows how to use labels to manage the permissions of a RAM user.
Prerequisites
A RAM user is created. For more information, see Create a RAM user.
Scenarios
The procedure in this topic describes how to use labels for authorization. The scenario that meets the following requirements is used:
Procedure
In this procedure, a custom policy named UseTagAccessRes is created by using an Alibaba Cloud account and is attached to the RAM user userTest. The UseTagAccessRes policy specifies that the RAM user can access and manage only ACK clusters that have the test:foo label.
Log on to the RAM console by using an Alibaba Cloud account.
Note: An Alibaba Cloud account has full management permissions on the resources within the account. You can create a RAM user and attach the AdministratorAccess policy to the RAM user. Then, you can use the RAM user as an account administrator to manage all cloud resources that belong to the Alibaba Cloud account. For more information, see Create an account administrator.
Create a custom policy named UseTagAccessRes.
For more information, see Create custom policies. In this example, you can configure multiple label-specific conditions for cloud resources in the Condition element of the custom policy to control permissions. The following table describes the label-specific conditions.

Label-based condition: acs:RequestTag
Description: Specifies that a label must be included in each API request. If the API provides no request parameters for specifying labels, do not use the acs:RequestTag condition: the condition can never be satisfied, so no Allow statement that carries it applies and the request is denied.

Label-based condition: acs:ResourceTag
Description: Specifies that the resource being accessed must have the specified label. If the API provides no request parameters for specifying resource IDs, do not use the acs:ResourceTag condition: RAM cannot look up the labels of a resource it cannot identify, so the condition is not satisfied and the request is denied.

The following code blocks show the content of the custom policy that applies to different scenarios.
Important: You can use the following sample policies as templates and follow the principle of least privilege when you modify them.
Forbid the RAM user to create ACK clusters that do not have the test:foo label. The policy contains no Deny statement; creation of unlabeled clusters is blocked because RAM denies every action that no Allow statement covers. When the RAM user creates an ACK cluster, the RAM user must add the test:foo label to the cluster.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cs:CreateCluster",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:RequestTag/test": "foo"
        }
      }
    },
    {
      "Action": [
        "cs:DescribeAddons",
        "cs:DescribeKubernetesVersionMetadata"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "vpc:Describe*",
        "vpc:List*",
        "log:List*",
        "log:Describe*",
        "cs:Get*",
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Note that the third statement grants cs:Get* and cs:Describe* on all resources without a label condition, so the RAM user can read the details of every cluster in the account even though creation is restricted. Add an acs:ResourceTag condition to that statement if read access must also be limited to labeled clusters.
Forbid the RAM user to manage ACK clusters that do not have the test:foo label. These clusters are created by other users.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/test": "foo"
        }
      }
    }
  ]
}
Because Action is "*" rather than "cs:*", this statement grants every action of every Alibaba Cloud service on any resource that carries the test:foo label, not only ACK clusters. Restrict Action to the cs:* actions you need if the policy is meant to cover ACK only. Also note that actions whose API requests carry no resource ID cannot satisfy the acs:ResourceTag condition and remain denied.
Allow the RAM user to call specific query APIs and view clusters that have the test:foo label.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cs:DescribeClustersV1",
        "cs:GetClusters"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/test": "foo"
        }
      }
    },
    {
      "Action": [
        "cs:DescribeClusterAddonsVersion",
        "cs:DescribeClusterUserKubeconfig",
        "cs:DescribeClusterNodePools",
        "cs:DescribeClusterNodes",
        "cs:DescribeClusterLogs",
        "cs:DescribeClusterNodePoolDetail",
        "cs:DescribeEvents",
        "cs:DescribeClusterDetail",
        "cs:DescribeClusterAddonsUpgradeStatus",
        "cs:DescribeClusterNamespaces",
        "cs:DescribeAddons",
        "log:List*",
        "log:Describe*"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}
Forbid the RAM user to change the labels of ACK clusters. An explicit Deny takes precedence over any Allow granted by another policy attached to the same user, so this statement also blocks label changes that a broader policy would otherwise permit.
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": [
        "cs:UntagResources",
        "cs:ListTagResources",
        "cs:TagResources",
        "cs:ModifyClusterTags"
      ],
      "Resource": "*"
    }
  ]
}
Forbid role-based access control (RBAC) authorization on ACK clusters that do not have the test:foo label.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "cs:Get*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "acs:ResourceTag/test": "foo"
        }
      }
    },
    {
      "Action": [
        "ram:Get*",
        "ram:List*",
        "cs:DescribeAddons",
        "cs:DescribeKubernetesVersionMetadata",
        "cs:DescribeUserPermission",
        "cs:GrantPermission"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "ram:AttachPolicyToUser",
        "ram:AttachPolicyToRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:ram:*:*:policy/xxxxxx",
        "acs:*:*:*:user/*"
      ]
    }
  ],
  "Version": "1"
}
Attach the custom policy to a RAM user or to a RAM user group.
For more information, see Grant permissions to a RAM user. In this step, attach the UseTagAccessRes policy to the RAM user userTest.
Note: When you attach the UseTagAccessRes policy to an existing RAM user, take note that the user's effective permissions are the union of the Allow statements in every policy attached to the user or to the user's groups, and that an explicit Deny in any of those policies overrides an Allow. A broader Allow in another policy can therefore defeat the label restriction, and a Deny elsewhere can block actions that this policy grants.
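The evaluation rules in the condition table, and the effect of combining the sample policies above, can be checked offline with the following simulator. It is an example added for this page, not Alibaba Cloud's RAM engine and not code from the page; it models only the features the sample policies use (Allow and Deny, "*" wildcards in Action and Resource, StringEquals on acs:RequestTag and acs:ResourceTag, implicit deny, and explicit Deny overriding Allow). The cluster and ECS identifiers, the tag sets and the helper names (evaluate, _condition_holds) are constructed for illustration; the ARN layout is a placeholder, not a documented format.

```python
"""Simulate how RAM evaluates the tag-conditioned policies on this page.

Added example for this page; it is not Alibaba Cloud's RAM engine and not
code from the page. It models only what the sample policies use: Allow/Deny,
'*' wildcards in Action and Resource, StringEquals on acs:RequestTag/<key>
and acs:ResourceTag/<key>, implicit deny, and explicit Deny overriding Allow.
"""
import fnmatch

# Policies copied from the page (statements not needed for the demo omitted).
POLICY_CREATE = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "cs:CreateCluster", "Resource": "*",
         "Condition": {"StringEquals": {"acs:RequestTag/test": "foo"}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cs:DescribeAddons", "cs:DescribeKubernetesVersionMetadata"]},
    ],
}
POLICY_MANAGE = {
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*",
         "Condition": {"StringEquals": {"acs:ResourceTag/test": "foo"}}},
    ],
}
POLICY_DENY_TAG_CHANGES = {
    "Version": "1",
    "Statement": [
        {"Effect": "Deny", "Resource": "*",
         "Action": ["cs:UntagResources", "cs:ListTagResources",
                    "cs:TagResources", "cs:ModifyClusterTags"]},
    ],
}

# Constructed placeholder identifiers; the ARN layout is illustrative only.
CLUSTER = "acs:cs:cn-hangzhou:1234567890123456:cluster/c-example"
ECS_INSTANCE = "acs:ecs:cn-hangzhou:1234567890123456:instance/i-example"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-insensitive glob match; '*' also crosses ':' and '/' separators."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, request_tags, resource_tags):
    """Every operator/key pair in Condition must hold (AND semantics).

    request_tags is None when the API call carries no tag parameters and
    resource_tags is None when it carries no resource ID. In both cases the
    tag value cannot be obtained, so the condition fails and no Allow applies.
    """
    for operator, pairs in (condition or {}).items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} is not modelled here")
        for key, expected in pairs.items():
            if key.startswith("acs:RequestTag/"):
                tags, tag_key = request_tags, key[len("acs:RequestTag/"):]
            elif key.startswith("acs:ResourceTag/"):
                tags, tag_key = resource_tags, key[len("acs:ResourceTag/"):]
            else:
                raise NotImplementedError(f"condition key {key} is not modelled here")
            if tags is None or tags.get(tag_key) not in _as_list(expected):
                return False
    return True


def evaluate(policies, action, resource="*", request_tags=None, resource_tags=None):
    """Return 'Allow' or 'Deny' for one API call under the attached policies.

    An explicit Deny wins over any Allow; with no matching Allow the result is
    the implicit Deny, which is what 'forbid' means in the policy descriptions.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt["Action"], action) or not _matches(stmt["Resource"], resource):
                continue
            if not _condition_holds(stmt.get("Condition"), request_tags, resource_tags):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    cases = [
        ("create with test:foo", [POLICY_CREATE], "cs:CreateCluster", "*", {"test": "foo"}, None),
        ("create without label", [POLICY_CREATE], "cs:CreateCluster", "*", None, None),
        ("delete labeled cluster", [POLICY_MANAGE], "cs:DeleteCluster", CLUSTER, None, {"test": "foo"}),
        ("delete unlabeled cluster", [POLICY_MANAGE], "cs:DeleteCluster", CLUSTER, None, {"env": "prod"}),
        ("Action '*' reaches ECS too", [POLICY_MANAGE], "ecs:DeleteInstance", ECS_INSTANCE, None, {"test": "foo"}),
        ("Deny beats Allow", [POLICY_MANAGE, POLICY_DENY_TAG_CHANGES], "cs:ModifyClusterTags", CLUSTER, None, {"test": "foo"}),
    ]
    for name, pols, act, res, req, rtags in cases:
        print(f"{name:30} {evaluate(pols, act, res, req, rtags)}")
```

Two results are worth noticing. A call whose API carries no label parameter (request_tags=None) or no resource ID (resource_tags=None) fails the condition and is denied, which is the failure mode described in the condition table. And because the second sample policy uses "Action": "*", the same test:foo label on an ECS instance also grants access to that instance; restrict Action to cs:* actions if the policy is meant to cover ACK only.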
View the result
After the custom policy is attached to the RAM user, the RAM user can access and manage only ACK clusters that have the test:foo label. The following section describes the permissions that the RAM user has to access and manage resources:
Create ACK clusters
The RAM user can create an ACK cluster only if the RAM user adds the test:foo label to the cluster in the Advanced Options section of the Cluster Configurations wizard page. If the RAM user does not add the test:foo label when creating the ACK cluster, the following error message is displayed.
View ACK clusters
Log on to the ACK console. In the left-side navigation pane, click Clusters.
View ACK clusters in the cluster list. If no clusters have the test:foo label, the cluster list is empty and no clusters can be viewed. After the test:foo label is added to a cluster, the cluster is displayed in the cluster list.
Modify labels
The RAM user cannot modify labels. If the RAM user attempts to modify a label, the following error message is displayed.
Manage authorization
Log on to the ACK console. In the left-side navigation pane, click Authorizations.
On the Authorizations page, click the RAM Users tab. Find the RAM user to which you want to grant permissions and click Manage Permissions in the Actions column.
On the Permission Management page, only clusters that have the test:foo label are displayed in the Clusters drop-down list.