All Products
Search
Document Center

:Grant permissions to a RAM user

Last Updated:Apr 23, 2024

By default, only an Alibaba Cloud account and the account that creates a Distributed Cloud Container Platform for Kubernetes (ACK One) Fleet instance have administrator permissions on the Kubernetes resources on the Fleet instance. You must grant the required permissions to a Resource Access Management (RAM) user before you can use the RAM user to create and delete Fleet instances, associate clusters with a Fleet instance, or disassociate clusters from a Fleet instance. This topic describes how to grant RAM permissions and role-based access control (RBAC) permissions to a RAM user.

Prerequisites

Alibaba Cloud CLI 3.0.159 or later is installed and credentials are configured for Alibaba Cloud CLI. For more information, see Install Alibaba Cloud CLI and Configure credentials.

Usage notes for authorization

  • By default, only an Alibaba Cloud account and the account that creates a Fleet instance have administrator permissions on the Kubernetes resources on the Fleet instance. RAM users other than the creator of a Fleet instance cannot access Kubernetes resources on the Fleet instance.

  • The administrator or the Fleet instance creator can authorize a RAM user to access and manage the Fleet instance by using one of the following methods:

    1. Step 1: Grant RAM permissions to a RAM user: After you grant RAM permissions to a RAM user, the RAM user can view or modify the Fleet instance in the ACK One console.

    2. Step 2: Grant a RAM user RBAC permissions on the Fleet instance: After the authorization is complete, the RAM user can run kubectl commands to use the features of the Fleet instance, such as application distribution, GitOps, and multi-cluster Services (MCS).

Step 1: Grant RAM permissions to a RAM user

By default, the AliyunAdcpFullAccess and AliyunAdcpReadOnlyAccess RAM policies are created for Fleet instances of ACK One. You can directly attach the RAM policies to a RAM user. For more information about how to attach RAM policies to a RAM user, see Grant permissions to the RAM user.

System policy

System permission

Description

AliyunAdcpFullAccess

This policy provides full access to Fleet instances, including the permissions to grant permissions to RAM users and the permissions to enable, disable, create, delete, and view Fleet instances.

If you want to set a RAM user as an administrator of a Fleet instance, attach the AliyunAdcpFullAccess policy to the RAM user.

AliyunAdcpReadOnlyAccess

This policy provides read-only access to Fleet instances, including the permissions to view Fleet instances and query the kubeconfig files of Fleet instances.

If you want to set a RAM user as a developer, attach the AliyunAdcpReadOnlyAccess policy to the RAM user. This way, you can use the RAM user to manage applications based on GitOps, distribute applications to associated clusters, and use the MCS feature.

Step 2: Grant a RAM user RBAC permissions on the Fleet instance

Fleet instances of ACK One provide three predefined RBAC roles: admin, dev, and gitops-dev. You can assign the RBAC roles to a RAM user.

RBAC role

Description

admin

This role provides read and write permissions on cluster-wide resources and resources in all namespaces.

dev

This role provides read and write permissions on Kubernetes resources in a specified namespace.

gitops-dev

This role provides read and write permissions on Kubernetes resources in the argocd namespace.

  • Cluster-wide resources

    Kind

    apiVersion

    Namespace

    v1

    Managedcluster

    cluster.open-cluster-management.io

    MseIngressConfig

    mse.alibabacloud.com/v1alpha1

    IngressClass

    networking.k8s.io/v1

  • Namespace-scoped resources

    Kind

    apiVersion

    Deployment

    apps/v1

    Service

    v1

    Ingress

    networking.k8s.io/v1

    ConfigMap

    v1

    Secret

    v1

    StatefulSet

    apps/v1

    PersistentVolumeClaim

    v1

    ServiceExport 

    multicluster.x-k8s.io/v1alpha1

    ServiceImport 

    multicluster.x-k8s.io/v1alpha1

    HorizontalPodAutoscaler

    autoscaling/v1

    Application

    ApplicationSet

    Appproject

    argoproj.io

    Application

    core.oam.dev

  • Resources in the argocd namespace

    Kind

    apiVersion

    Application

    argoproj.io

The following section describes how to assign a role to a RAM user.

Note
  • To grant admin permissions, you must set the RoleType parameter to cluster.

  • To grant dev or gitops-dev permissions, you must set the RoleType parameter to namespace.

Grant admin permissions on Fleet instances

aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <clusterid> --RoleType cluster --RoleName admin

Grant dev permissions on the namespaces of Fleet instances

aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <your-fleet-id> --RoleType namespace --Namespace default --RoleName dev

Grant gitops-dev permissions on the argocd namespace

aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <your-fleet-id> --RoleType namespace --Namespace argocd --RoleName gitops-dev

Request parameters

Parameter

Type

Required

Description

UserId

string

Yes

The RAM user ID.

ClusterId

string

Yes

The ID of the Fleet instance that you want to authorize the RAM user to manage.

RoleType

string

Yes

The authorization type. Valid values:

  • cluster: The permissions are scoped to a Fleet instance.

  • namespace: The permissions are scoped to a namespace.

    Note

    To grant admin permissions, you must set the RoleType parameter to cluster.

    To grant dev or gitops-dev permissions, you must set the RoleType parameter to namespace.

RoleName

string

Yes

The predefined role name. Valid values:

  • admin: administrator

  • dev: developer

  • gitops-dev: GitOps developer

Note

To grant gitops-dev permissions, you must set the RoleType parameter to namespace and the namespace parameter to argocd.

Namespace

string

No

The namespace to which the permissions are scoped. Leave this parameter empty when the RoleType parameter is set to cluster.

What to do next

Query the RBAC permissions of a RAM user

Sample command

aliyun adcp DescribeUserPermissions --UserId 2176***

Request parameters

Parameter

Type

Required

Description

UserId

string

Yes

The RAM user ID.

Response parameters

Parameter

Type

Description

Example

RequestId

string

The request ID.

EA06613B-37A3-549E-BAE0-E4AD8A6E93D7

Permissions

Object

None

None

RoleType

string

The role type. Valid values:

  • admin: administrator

  • dev: developer

  • gitops-dev: GitOps developer

dev

ResourceType

string

The authorization type. Valid values:

  • cluster: The permissions are scoped to a Fleet instance.

  • namespace: The permissions are scoped to a namespace.

namespace

ResourceId

string

The access configuration.

  • When the permissions are scoped to a cluster, the value is in the {cluster_id} format.

  • When the permissions are scoped to a namespace, the value is in the {cluster_id}/{namespace} format.

cffef3c9c7ba145b083292942a2c3****/test

Revoke RBAC permissions from a RAM user

Sample command

aliyun adcp DeleteUserPermission --UserId 2176*** --ClusterId <clusterid>

Request parameters

Parameter

Type

Required

Description

UserId

string

Yes

The RAM user ID.

ClusterId

string

Yes

The ID of the Fleet instance.

Response parameters

Parameter

Type

Description

Example

RequestId

string

The request ID.

EA06613B-37A3-549E-BAE0-E4AD8A6E93D7