Distributed Cloud Container Platform for Kubernetes (ACK One) permissions are made up of three layers: permissions provided by service-linked roles, Resource Access Management (RAM) system policies, and Role-Based Access Control (RBAC) roles. To use the features provided by ACK One, you must grant the required permissions to the identity that calls ACK One (an Alibaba Cloud account, a RAM user, or a RAM role). This topic explains the relationship among service-linked roles, RAM policies, and RBAC permissions, and describes how to grant the appropriate permissions.
Permission types
Permission type | Required authorization | Description |
Service-linked roles | If this is the first time you use ACK One, you must complete the authorization with an Alibaba Cloud account or a RAM user that has administrator permissions. | Only after the authorization is complete can ACK One access resources in other Alibaba Cloud services. |
RAM system policies | Attach the ACK One system policies to the RAM user or RAM role. | Only after the authorization is complete can a RAM user or RAM role use the features provided by ACK One. |
RBAC permissions | Grant the RAM user or RAM role RBAC permissions on the ACK One cluster and its namespaces. | Only after the authorization is complete can a RAM user or RAM role manage Kubernetes resources in ACK One clusters. |
Service-linked roles
An Alibaba Cloud service may need to access other Alibaba Cloud services to implement specific features. In this case, the service assumes a service-linked role to access those services. A service-linked role is a RAM role whose trust policy allows only the linked service to assume it, so the permissions it carries are available to the service and not to your RAM users.
For example, after you create a workflow cluster in ACK One, ACK One needs to create elastic container instances to run workflows. To do this, ACK One requires permissions to create elastic container instances.
ACK One uses the following service-linked roles. The permissions granted by each role are listed in Service-linked role for ACK One and the permissions of the role.
Role name |
AliyunCSDefaultRole |
AliyunServiceRoleForAdcp |
AliyunAdcpServerlessKubernetesRole |
AliyunAdcpManagedMseRole |
You do not need to manually create service-linked roles. During the first time you use the ACK One console, the console prompts you to complete the authorization first. You need only to follow the on-screen instructions to complete the authorization.
Only an Alibaba Cloud account or a RAM user with administrator permissions can complete the role authorization. Regular RAM users cannot perform this operation. If the console reports that you do not have the required permissions, log on with an Alibaba Cloud account or a RAM user that has administrator permissions and complete the authorization once; it does not need to be repeated for each RAM user.
RAM system policies
By default, RAM users do not have permissions to call any operations on Alibaba Cloud services. To use ACK One with a RAM user or RAM role, you must grant the RAM user or RAM role permissions on ACK One resources.
ACK One provides the following system policies by default to control read and write access to ACK One resources and to the resources of dependent services that ACK One features use. Attach them to RAM users or RAM roles on demand and following least privilege: AliyunAdcpReadOnlyAccess is sufficient for users who only need to view ACK One resources, and the read-only policies of other services are needed only when the corresponding feature in the table is used for the given cluster type.
For more information, see Attach a system permission policy to a RAM user or RAM role.
RAM system policy | Permission | Registered clusters | Fleet instances | Workflow clusters |
AliyunAdcpFullAccess | Provides read and write permissions on all ACK One resources. | Yes | Yes | Yes |
AliyunAdcpReadOnlyAccess | Provides read-only permissions on all ACK One resources. | Yes | Yes | Yes |
AliyunCSFullAccess | Provides read and write permissions on all Container Service for Kubernetes (ACK) resources. | Yes | Yes | No |
AliyunCSReadOnlyAccess | Provides read-only permissions on all ACK resources. | Yes | Yes | No |
AliyunVPCReadOnlyAccess | Provides permissions to specify a virtual private cloud (VPC) for an ACK cluster to be created. | Yes | Yes | Yes |
AliyunECIReadOnlyAccess | Provides permissions to schedule pods to elastic container instances. | Yes | Yes | Yes |
AliyunLogReadOnlyAccess | Provides permissions to select an existing log project to store logs for an ACK cluster to be created or view the configuration inspection information of an ACK cluster. | Yes | Yes | Yes |
AliyunARMSReadOnlyAccess | Provides permissions to view the monitoring data of the Managed Service for Prometheus plug-in in an ACK cluster. | Yes | Yes | Yes |
AliyunRAMReadOnlyAccess | Provides permissions to view existing RAM policies. | Yes | Yes | Yes |
AliyunECSReadOnlyAccess | Provides permissions to add existing nodes in the cloud to an ACK cluster or view node details. | Yes | No | No |
AliyunContainerRegistryReadOnlyAccess | Provides permissions to view application images within an Alibaba Cloud account. | Yes | No | No |
AliyunAHASReadOnlyAccess | Provides permissions to use the cluster topology feature. | Yes | No | No |
AliyunYundunSASReadOnlyAccess | Provides permissions to view the runtime monitoring data of an ACK cluster. | Yes | No | No |
AliyunKMSReadOnlyAccess | Provides permissions to enable the Secret encryption feature when you create an ACK cluster. | Yes | No | No |
AliyunESSReadOnlyAccess | Provides permissions to perform node pool-related operations in the cloud, such as the permissions to view, modify, and scale node pools. | Yes | No | No |
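The following script is an added example, not part of the original page and not Alibaba Cloud's own code. It models how RAM evaluates a set of attached policies against an API action (default deny, explicit Deny overrides Allow, wildcard matching in Action and Resource) and uses it to check what a RAM user can do after attaching AliyunAdcpReadOnlyAccess or AliyunAdcpFullAccess. The policy documents are constructed approximations of the system policies (the authoritative documents are shown in the RAM console), the action names `adcp:DescribeHubClusters`, `adcp:CreateHubCluster` and `adcp:DeleteHubCluster` are hypothetical placeholders, and `DenyAdcpDelete` is a hypothetical custom guardrail policy added to show that an explicit Deny wins over a full-access policy.

```python
"""RAM-style policy evaluation for checking ACK One access (added example).

Evaluation rules modelled here, as RAM applies them:
  1. Everything is denied unless a statement allows it.
  2. An explicit Deny statement overrides any Allow statement.
  3. Action and Resource patterns support '*' wildcards.
"""
import fnmatch
from typing import Dict, Iterable, List

# Constructed approximations of the ACK One system policies (assumption).
# Real documents: RAM console > Permissions > Policies.
POLICIES: Dict[str, dict] = {
    "AliyunAdcpReadOnlyAccess": {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["adcp:Describe*", "adcp:List*", "adcp:Get*"],
             "Resource": "*"},
        ],
    },
    "AliyunAdcpFullAccess": {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": "adcp:*", "Resource": "*"},
        ],
    },
    # Hypothetical custom guardrail policy (assumption): forbids deletions
    # even for a user who also holds AliyunAdcpFullAccess.
    "DenyAdcpDelete": {
        "Version": "1",
        "Statement": [
            {"Effect": "Deny", "Action": "adcp:Delete*", "Resource": "*"},
        ],
    },
}


def _as_list(value) -> List[str]:
    """RAM allows Action/Resource to be a string or a list; normalise."""
    return value if isinstance(value, list) else [value]


def _matches(candidate: str, patterns: Iterable[str]) -> bool:
    # fnmatchcase: '*' wildcard, case-sensitive, no locale surprises.
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def evaluate(attached: Iterable[str], action: str, resource: str = "*") -> str:
    """Return 'Allow' or 'Deny' for `action` on `resource` given the
    names of the policies attached to a RAM user or RAM role."""
    decision = "Deny"  # rule 1: implicit deny
    for name in attached:
        for st in POLICIES[name]["Statement"]:
            if not _matches(action, _as_list(st["Action"])):
                continue
            if not _matches(resource, _as_list(st["Resource"])):
                continue
            if st["Effect"] == "Deny":
                return "Deny"  # rule 2: explicit deny wins immediately
            decision = "Allow"
    return decision


def access_matrix(attached: Iterable[str], actions: Iterable[str]) -> Dict[str, str]:
    """Decision for each action; handy for reviewing a user's effective rights."""
    attached = list(attached)
    return {a: evaluate(attached, a) for a in actions}


if __name__ == "__main__":
    # Hypothetical ACK One action names used only for illustration.
    probe = ["adcp:DescribeHubClusters", "adcp:CreateHubCluster", "adcp:DeleteHubCluster"]
    for who, attached in [
        ("viewer", ["AliyunAdcpReadOnlyAccess"]),
        ("operator", ["AliyunAdcpFullAccess"]),
        ("operator+guardrail", ["AliyunAdcpFullAccess", "DenyAdcpDelete"]),
    ]:
        print(who, access_matrix(attached, probe))
```

The useful check is the last row: attaching a broad FullAccess policy and then adding a narrow Deny policy is how you carve exceptions out of a system policy without rewriting it, and the evaluator shows that the Deny is honoured regardless of the order in which the policies are attached.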
RBAC permissions
RAM system policies control only the ACK One API operations that a RAM user or RAM role can call through the console or OpenAPI, such as creating or describing clusters. They do not grant any access to the Kubernetes API of a cluster. If a RAM user or RAM role needs to manage Kubernetes resources in a specific ACK One cluster, such as creating and querying GitOps applications or Argo workflows, you must additionally grant the RAM user or RAM role RBAC permissions on that cluster and the relevant namespaces. Both layers must be in place: a user with AliyunAdcpFullAccess but no RBAC role cannot create a workflow, and a user with an RBAC role but no RAM policy cannot obtain the cluster's kubeconfig from the console.
ACK One provides the following predefined roles:
RBAC permissions on Fleet instances and workflow clusters
RBAC role | Permission | Fleet instances | Workflow clusters |
admin (administrator) | Provides read and write permissions on cluster-wide resources and resources in all namespaces. | Yes | Yes |
dev (developer) | Provides read and write permissions on resources in the specified namespace. | Yes | Yes |
gitops-dev (GitOps developer) | Provides read and write permissions on application resources in the argocd namespace. | Yes | No |
For more information about the resources controlled by RBAC and how to grant permissions, see Grant RBAC permissions to a RAM user or RAM role.
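The following script is an added example and not ACK One's own implementation. It models the Kubernetes RBAC scoping that distinguishes the three predefined roles: a cluster-wide role bound with a ClusterRoleBinding (admin), a role bound with a RoleBinding so that its rules apply in one namespace only (dev), and a role whose rules cover only Argo CD `applications` in the `argocd` namespace (gitops-dev). The rule lists for the three roles are constructed approximations, not the exact rules ACK One installs; the subjects `alice`, `bob` and `carol` and the namespaces `team-a` and `team-b` are made up for the demonstration.

```python
"""Model of Kubernetes RBAC scoping for ACK One's predefined roles (added example).

Kubernetes RBAC semantics reproduced here:
  * A rule grants a (apiGroup, resource, verb) triple; "*" matches anything.
  * A RoleBinding applies the referenced role's rules in ONE namespace.
  * A ClusterRoleBinding applies them in every namespace and to
    cluster-scoped resources such as nodes.
  * There are no deny rules; access is the union of all matching bindings.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    api_groups: Tuple[str, ...]   # "" is the core API group
    resources: Tuple[str, ...]
    verbs: Tuple[str, ...]

    def matches(self, group: str, resource: str, verb: str) -> bool:
        return (("*" in self.api_groups or group in self.api_groups)
                and ("*" in self.resources or resource in self.resources)
                and ("*" in self.verbs or verb in self.verbs))


@dataclass(frozen=True)
class Binding:
    subject: str
    role: str
    rules: Tuple[Rule, ...]
    namespace: Optional[str]  # None => ClusterRoleBinding


ARGO = "argoproj.io"
RW = ("get", "list", "watch", "create", "update", "patch", "delete")

# Constructed approximations of the predefined roles (assumption).
ADMIN_RULES = (Rule(("*",), ("*",), ("*",)),)
DEV_RULES = (
    Rule(("",), ("pods", "pods/log", "configmaps", "secrets", "services"), RW),
    Rule((ARGO,), ("workflows", "workflowtemplates", "cronworkflows"), RW),
)
GITOPS_DEV_RULES = (Rule((ARGO,), ("applications",), RW),)

# Made-up subjects: alice is admin, bob is dev in team-a, carol is gitops-dev.
BINDINGS = (
    Binding("alice", "admin", ADMIN_RULES, None),
    Binding("bob", "dev", DEV_RULES, "team-a"),
    Binding("carol", "gitops-dev", GITOPS_DEV_RULES, "argocd"),
)


def can_i(bindings: Iterable[Binding], subject: str, verb: str,
          group: str, resource: str, namespace: Optional[str] = None) -> bool:
    """Equivalent of `kubectl auth can-i <verb> <resource> -n <ns> --as <subject>`.
    namespace=None means a cluster-scoped request (nodes, namespaces, ...),
    which only a ClusterRoleBinding can satisfy."""
    for b in bindings:
        if b.subject != subject:
            continue
        if b.namespace is not None and b.namespace != namespace:
            continue  # RoleBinding in another namespace: out of scope
        if any(r.matches(group, resource, verb) for r in b.rules):
            return True
    return False


def namespaces_with_write(bindings: Iterable[Binding], subject: str,
                          group: str, resource: str, known_namespaces: Iterable[str]):
    """Audit helper: namespaces where the subject can create the resource."""
    return sorted(ns for ns in known_namespaces
                  if can_i(bindings, subject, "create", group, resource, ns))


if __name__ == "__main__":
    for ns in ("team-a", "team-b", "argocd"):
        print("alice", ns, can_i(BINDINGS, "alice", "create", ARGO, "workflows", ns),
              "bob", can_i(BINDINGS, "bob", "create", ARGO, "workflows", ns),
              "carol", can_i(BINDINGS, "carol", "create", ARGO, "applications", ns))
    print("bob can list nodes:", can_i(BINDINGS, "bob", "list", "", "nodes"))
```

The audit helper is the part worth keeping: run it for each RAM user you have granted an RBAC role to, and anyone who turns up with write access in more namespaces than the team owns has been bound with the wrong scope (typically admin where dev was intended).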