
Container Service for Kubernetes: Authorization overview

Last Updated: Nov 20, 2024

Distributed Cloud Container Platform for Kubernetes (ACK One) permissions consist of permissions granted through service-linked roles, Resource Access Management (RAM) system policies, and Role-Based Access Control (RBAC) roles. To use the features provided by ACK One, you must grant the required permissions to the account (RAM user or RAM role) that uses the service. This topic explains the relationship among service-linked roles, RAM policies, and RBAC permissions, and describes how to grant the appropriate permissions.

Permission types

| Permission type | Authorization required | Description |
|---|---|---|
| Service-linked roles | If this is the first time you use ACK One, the authorization must be completed by an Alibaba Cloud account or a RAM account administrator. | Only after the authorization is complete can ACK One access resources in other Alibaba Cloud services. |
| RAM system policies | You must attach system policies to RAM users or RAM roles. Alibaba Cloud accounts have full permissions by default, so no authorization is needed for them. | Only after the authorization is complete can a RAM user or RAM role use the features provided by ACK One. |
| RBAC permissions | You must grant RBAC permissions to RAM users or RAM roles. Alibaba Cloud accounts have full permissions by default, so no authorization is needed for them. | Only after the authorization is complete can a RAM user or RAM role manage Kubernetes resources in ACK One clusters. |

Service-linked roles

An Alibaba Cloud service may need to access other Alibaba Cloud services to implement specific features. In this case, the Alibaba Cloud service must assume a service-linked role to access other Alibaba Cloud services. A service-linked role is a RAM role.

For example, after you create a workflow cluster in ACK One, ACK One needs to create elastic container instances to run workflows. To do this, ACK One requires permissions to create elastic container instances.

ACK One provides the following service-linked roles. For more information about the permissions provided by the roles, see Service-linked role for ACK One and the permissions of the role.

| Role name | Permission |
|---|---|
| AliyunCSDefaultRole | ACK One assumes this role to access your cloud resources during cluster management, such as resources in Elastic Compute Service (ECS), Virtual Private Cloud (VPC), Server Load Balancer (SLB), Resource Orchestration Service (ROS), and Auto Scaling. This role is required to use the features provided by ACK One. |
| AliyunServiceRoleForAdcp | ACK One assumes this role to access your cloud resources during cluster management, such as resources in ECS, VPC, and SLB. This role is required to use the features provided by ACK One. |
| AliyunAdcpServerlessKubernetesRole | Fleet instances and Kubernetes clusters for distributed Argo workflows of ACK One assume this role to access cloud resources in VPC, ECS, Alibaba Cloud DNS PrivateZone, Elastic Container Instance, and Simple Log Service. This role is required to use the features provided by ACK One. |
| AliyunAdcpManagedMseRole | Fleet instances of ACK One assume this role to access resources in Microservices Engine (MSE). This role is required only when you use multi-cluster gateways; it does not affect the use of other features. |

You do not need to create service-linked roles manually. The first time you use the ACK One console, it prompts you to complete the authorization; follow the on-screen instructions to complete it.

Important

Only Alibaba Cloud accounts and RAM account administrators can complete role authorization. Regular RAM users are not allowed to perform this operation. If the system prompts that you do not have the required permissions, switch to an Alibaba Cloud account or a RAM account administrator.

RAM system policies

By default, RAM users do not have permissions to call any operations on Alibaba Cloud services. To use ACK One with a RAM user or RAM role, you must grant the RAM user or RAM role permissions on ACK One resources.

ACK One provides the following system policies by default to control reads and writes on global resources. You can attach the system policies to RAM users or RAM roles on demand.

For more information, see Attach a system permission policy to a RAM user or RAM role.

The three Cluster involved columns (Registered clusters, Fleet instances, Workflow clusters) indicate the cluster types to which each policy applies.

| RAM system policy | Permission | Registered clusters | Fleet instances | Workflow clusters |
|---|---|---|---|---|
| AliyunAdcpFullAccess | Provides read and write permissions on all ACK One resources. | Yes | Yes | Yes |
| AliyunAdcpReadOnlyAccess | Provides read-only permissions on all ACK One resources. | Yes | Yes | Yes |
| AliyunCSFullAccess | Provides read and write permissions on all Container Service for Kubernetes (ACK) resources. | Yes | Yes | No |
| AliyunCSReadOnlyAccess | Provides read-only permissions on all ACK resources. | Yes | Yes | No |
| AliyunVPCReadOnlyAccess | Provides permissions to specify a virtual private cloud (VPC) for an ACK cluster to be created. | Yes | Yes | Yes |
| AliyunECIReadOnlyAccess | Provides permissions to schedule pods to elastic container instances. | Yes | Yes | Yes |
| AliyunLogReadOnlyAccess | Provides permissions to select an existing log project to store logs for an ACK cluster to be created, or to view the configuration inspection information of an ACK cluster. | Yes | Yes | Yes |
| AliyunARMSReadOnlyAccess | Provides permissions to view the monitoring data of the Managed Service for Prometheus plug-in in an ACK cluster. | Yes | Yes | Yes |
| AliyunRAMReadOnlyAccess | Provides permissions to view existing RAM policies. | Yes | Yes | Yes |
| AliyunECSReadOnlyAccess | Provides permissions to add existing nodes in the cloud to an ACK cluster or to view node details. | Yes | No | No |
| AliyunContainerRegistryReadOnlyAccess | Provides permissions to view application images within an Alibaba Cloud account. | Yes | No | No |
| AliyunAHASReadOnlyAccess | Provides permissions to use the cluster topology feature. | Yes | No | No |
| AliyunYundunSASReadOnlyAccess | Provides permissions to view the runtime monitoring data of an ACK cluster. | Yes | No | No |
| AliyunKMSReadOnlyAccess | Provides permissions to enable the Secret encryption feature when you create an ACK cluster. | Yes | No | No |
| AliyunESSReadOnlyAccess | Provides permissions to perform node pool-related operations in the cloud, such as viewing, modifying, and scaling node pools. | Yes | No | No |
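The distinction between the full-access and read-only system policies above rests on how RAM evaluates a policy document: a RAM user starts with no permissions, a request succeeds only if an attached statement allows it, and an explicit Deny overrides any Allow. The following script is an added example (not Alibaba Cloud's code and not the text of the real system policies) that models that evaluation over constructed policy documents. The action names such as adcp:DescribeHubClusters and the resource string are assumptions chosen for illustration, not the product's real API action names.

```python
"""Toy evaluator for RAM-style policy documents (added example, not Alibaba
Cloud's code). Modelled rules: default deny, Allow only if some statement
matches, and an explicit Deny overrides every Allow. The action and resource
names below are constructed placeholders, not real ACK One API actions."""
import fnmatch
import json

# Constructed stand-ins for a read-only and a full-access system policy. The
# Version/Statement/Effect/Action/Resource shape is the RAM policy shape; the
# action names are assumptions.
READ_ONLY_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["adcp:Describe*", "adcp:List*", "adcp:Get*"],
     "Resource": "*"}
  ]
}""")

FULL_ACCESS_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "adcp:*", "Resource": "*"}
  ]
}""")

# A custom policy layered on top of full access that forbids deletion:
# the Deny statement wins even though "adcp:*" would allow the call.
NO_DELETE_POLICY = json.loads("""{
  "Version": "1",
  "Statement": [
    {"Effect": "Deny", "Action": "adcp:Delete*", "Resource": "*"}
  ]
}""")


def _as_list(value):
    """Action and Resource may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """'*' and '?' in a policy are wildcards; matching is case-insensitive."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def evaluate(policies, action, resource):
    """Return "Allow" or "Deny" for one request given all attached policy documents.

    An explicit Deny ends evaluation immediately; otherwise the request is
    allowed if any Allow statement matched; otherwise it is denied. The empty
    policy list therefore yields Deny, which is the state of a fresh RAM user.
    """
    allowed = False
    for document in policies:
        for statement in document["Statement"]:
            if not _matches(statement["Action"], action):
                continue
            if not _matches(statement["Resource"], resource):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"
            if statement["Effect"] == "Allow":
                allowed = True
    return "Allow" if allowed else "Deny"


def explain(policies, requests):
    """Evaluate a batch of (action, resource) pairs, e.g. to review what a RAM
    user's attached policies permit before handing out credentials."""
    return {(action, resource): evaluate(policies, action, resource)
            for action, resource in requests}


if __name__ == "__main__":
    cluster = "acs:adcp:*:*:cluster/c-example"  # constructed resource name
    attachments = [("read-only", [READ_ONLY_POLICY]),
                   ("full", [FULL_ACCESS_POLICY]),
                   ("full + no-delete", [FULL_ACCESS_POLICY, NO_DELETE_POLICY])]
    for label, attached in attachments:
        for action in ("adcp:DescribeHubClusters", "adcp:DeleteHubCluster"):
            print(f"{label:18} {action:26} -> {evaluate(attached, action, cluster)}")
```

Attaching AliyunAdcpFullAccess to a RAM user grants every write in the table; if a team needs a narrower grant, the Deny-overrides-Allow behaviour shown by NO_DELETE_POLICY is the mechanism for carving exceptions out of a broad system policy without rewriting it.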

RBAC permissions

RAM system policies control only permissions on ACK One cluster resources. If a RAM user or RAM role needs to manage Kubernetes resources inside a specific ACK One cluster, such as creating and querying GitOps applications and Argo workflows, you must also grant the RAM user or RAM role RBAC permissions on that ACK One cluster and its namespaces.

ACK One provides the following predefined roles:

  • RBAC permissions on Fleet instances and workflow clusters

    | RBAC role | Permission | Fleet instances | Workflow clusters |
    |---|---|---|---|
    | admin (administrator) | Provides read and write permissions on cluster-wide resources and resources in all namespaces. | Yes | Yes |
    | dev (developer) | Provides read and write permissions on resources in the specified namespace. | Yes | Yes |
    | gitops-dev (GitOps developer) | Provides read and write permissions on application resources in the argocd namespace. | Yes | No |

  • RBAC permissions on registered clusters

For more information about the resources controlled by RBAC and how to grant permissions, see Grant RBAC permissions to a RAM user or RAM role.
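To see how the admin, dev and gitops-dev tiers above differ in practice, the following added example (not ACK One's code) models the Kubernetes RBAC authorization check: a request is allowed only if some binding that names the user reaches a rule matching the API group, resource and verb, and a RoleBinding confines that grant to its own namespace. The Role/ClusterRole objects and bindings are constructed as plain dicts in the shape of Kubernetes manifests; the user names, namespaces and rule sets are assumptions that merely mirror the three predefined roles, not copies of ACK One's real role definitions. The audit helper at the end lists the users holding unrestricted cluster-wide access, which is the list a reviewer expects to keep short.

```python
"""Model of the Kubernetes RBAC authorization check (added example; not ACK
One's code). Roles, bindings, user names and namespaces below are constructed
assumptions that mirror the admin / dev / gitops-dev tiers, not real objects."""

# --- constructed roles (assumed rule sets) ---------------------------------
ROLES = [
    # admin: every verb on every resource, bound cluster-wide below
    {"kind": "ClusterRole", "metadata": {"name": "ack-one-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    # dev: read/write on workload resources; the namespace comes from the RoleBinding
    {"kind": "ClusterRole", "metadata": {"name": "ack-one-dev"},
     "rules": [{"apiGroups": ["", "apps", "batch", "argoproj.io"],
                "resources": ["*"], "verbs": ["*"]}]},
    # gitops-dev: only Argo CD application resources, only in argocd
    {"kind": "Role", "metadata": {"name": "gitops-dev", "namespace": "argocd"},
     "rules": [{"apiGroups": ["argoproj.io"],
                "resources": ["applications", "applicationsets"], "verbs": ["*"]}]},
]

# --- constructed bindings: the RAM user identity appears as a User subject ---
BINDINGS = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "alice-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "ack-one-admin"},
     "subjects": [{"kind": "User", "name": "ram-user-alice"}]},
    {"kind": "RoleBinding", "metadata": {"name": "bob-dev", "namespace": "team-a"},
     "roleRef": {"kind": "ClusterRole", "name": "ack-one-dev"},
     "subjects": [{"kind": "User", "name": "ram-user-bob"}]},
    {"kind": "RoleBinding", "metadata": {"name": "carol-gitops", "namespace": "argocd"},
     "roleRef": {"kind": "Role", "name": "gitops-dev"},
     "subjects": [{"kind": "User", "name": "ram-user-carol"}]},
]


def _rules_for(binding, roles):
    """Resolve a binding's roleRef. A namespaced Role is only reachable from a
    RoleBinding in the same namespace; a ClusterRole can be referenced from anywhere."""
    ref = binding["roleRef"]
    for role in roles:
        if role["kind"] != ref["kind"] or role["metadata"]["name"] != ref["name"]:
            continue
        if role["kind"] == "Role" and \
                role["metadata"]["namespace"] != binding["metadata"].get("namespace"):
            continue
        return role["rules"]
    return []


def _rule_allows(rule, api_group, resource, verb):
    """A rule matches when each of group, resource and verb is listed or wildcarded."""
    def hit(allowed, value):
        return "*" in allowed or value in allowed
    return (hit(rule["apiGroups"], api_group) and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def can(user, verb, resource, namespace="", api_group="", roles=ROLES, bindings=BINDINGS):
    """RBAC is allow-only: True if any binding naming the user reaches a matching
    rule in scope. namespace="" denotes a cluster-scoped resource (nodes,
    namespaces), which a RoleBinding can never grant."""
    for binding in bindings:
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        if binding["kind"] == "RoleBinding" and binding["metadata"]["namespace"] != namespace:
            continue
        if any(_rule_allows(r, api_group, resource, verb) for r in _rules_for(binding, roles)):
            return True
    return False


def cluster_wide_wildcard_users(roles=ROLES, bindings=BINDINGS):
    """Audit: users holding '*' verbs on '*' resources in '*' groups through a
    ClusterRoleBinding, i.e. the admin tier of the table above."""
    users = set()
    for binding in bindings:
        if binding["kind"] != "ClusterRoleBinding":
            continue
        for rule in _rules_for(binding, roles):
            if all("*" in rule[key] for key in ("apiGroups", "resources", "verbs")):
                users.update(s["name"] for s in binding["subjects"] if s["kind"] == "User")
    return sorted(users)


if __name__ == "__main__":
    checks = [("ram-user-alice", "delete", "pods", "kube-system", ""),
              ("ram-user-bob", "create", "deployments", "team-a", "apps"),
              ("ram-user-bob", "create", "deployments", "team-b", "apps"),
              ("ram-user-bob", "list", "nodes", "", ""),
              ("ram-user-carol", "create", "applications", "argocd", "argoproj.io"),
              ("ram-user-carol", "get", "pods", "argocd", "")]
    for user, verb, resource, ns, group in checks:
        scope = ns or "<cluster>"
        print(f"{user:15} {verb:7} {resource:13} in {scope:12} -> {can(user, verb, resource, ns, group)}")
    print("cluster-wide wildcard users:", cluster_wide_wildcard_users())
```

The two scope mechanisms are the point: the dev tier reuses one ClusterRole but is bound per namespace, so bob's grant in team-a says nothing about team-b, while the gitops-dev tier is a namespaced Role that cannot be bound anywhere but argocd. Only the ClusterRoleBinding reaches cluster-scoped resources such as nodes.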