All Products
Search
Document Center

Container Service for Kubernetes:How to grant RBAC permissions to a RAM user or RAM role

Last Updated:Jun 20, 2024

Resource Access Management (RAM) system permission policies can control permissions only on Distributed Cloud Container Platform for Kubernetes (ACK One) resources, such as the permissions to create or view instances. If a RAM user or RAM role wants to manage Kubernetes resources in the specified ACK One Fleet instance, such as creating GitOps applications or Argo workflows, you need to grant the RAM user or RAM role Role-Based Access Control (RBAC) permissions on the ACK One Fleet instance and its namespace. This topic describes how to grant RBAC permissions to a RAM user or RAM role.

Usage notes

To grant permissions to a RAM user or RAM role, you must use an Alibaba Cloud account, the account of the Fleet instance creator, or a RAM user that has administrator permissions on the Fleet instance. You cannot grant permissions to a RAM user or RAM role by using another RAM user.

Prerequisites

RBAC permissions supported by ACK One

RBAC permissions on Fleet instances

RBAC role

Permission

admin (administrator)

Provides read and write permissions on cluster-wide resources and resources in all namespaces.

dev (developer)

Provides read and write permissions on resources in the specified namespace.

gitops-dev (GitOps developer)

Provides read and write permissions on application resources in the argocd namespace.

View cluster and namespace resources

  • Fleet instance-scoped resources

    Kind

    apiVersion

    Namespace

    v1

    Managedcluster

    cluster.open-cluster-management.io

    MseIngressConfig

    mse.alibabacloud.com/v1alpha1

    IngressClass

    networking.k8s.io/v1

  • Namespace-scoped resources

    Kind

    apiVersion

    Deployment

    apps/v1

    Service

    v1

    Ingress

    networking.k8s.io/v1

    ConfigMap

    v1

    Secret

    v1

    StatefulSet

    apps/v1

    PersistentVolumeClaim

    v1

    ServiceExport 

    multicluster.x-k8s.io/v1alpha1

    ServiceImport 

    multicluster.x-k8s.io/v1alpha1

    HorizontalPodAutoscaler

    autoscaling/v1

    Application

    ApplicationSet

    Appproject

    argoproj.io

    Workflow

    argoproj.io

    Application

    core.oam.dev

  • Application resources in the argocd namespace

    Kind

    apiVersion

    Application

    argoproj.io

RBAC permissions on workflow clusters

RBAC role

Permission

admin (administrator)

Provides read and write permissions on cluster-wide resources and resources in all namespaces.

dev (developer)

Provides read and write permissions on resources in the specified namespace.

View cluster and namespace resources

  • Fleet instance-scoped resources

    Kind

    apiVersion

    Namespace

    v1

    PersistentVolumes

    v1

    ImageCaches

    eci.alibabacloud.com

  • Namespace-scoped resources

    Kind

    apiVersion

    ConfigMap

    v1

    Secret

    v1

    ServiceAccount

    v1

    PersistentVolumeClaim

    v1

    Pod

    v1

    Workflow

    WorkflowTemplate

    CronWorkflow

    argoproj.io

    EventSource

    EventBus

    Sensor

    argoproj.io

RBAC permissions on registered clusters

For more information, see Grant RBAC permissions to RAM users or RAM roles.

Grant a RAM user or RAM role RBAC permissions on Fleet instances

Use the console

  1. Log on to the ACK One console.

  2. In the left-side navigation pane, choose Fleet > Permissions.

  3. On the Permissions page, click the Fleet tab and then click the RAM User tab.

  4. Find the RAM user that you want to authorize in the list and click Manage Permissions in the Actions column.

  5. In the dialog box that appears, specify RAM Role and Namespaces and click OK.

Use Alibaba Cloud CLI

Grant admin permissions on Fleet instances

aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType cluster --RoleName admin

Grant dev permissions on the namespaces of Fleet instances

aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType namespace --Namespace default --RoleName dev

Grant gitops-dev permissions on the argocd namespace

aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType namespace --Namespace argocd --RoleName gitops-dev

View parameter description

Parameter

Type

Required

Description

UserId

string

Yes

The ID of the RAM user.

ClusterId

string

Yes

The ID of the Fleet instance that you want to authorize the RAM user to manage.

RoleType

string

Yes

The authorization type. Valid values:

  • cluster: The permissions are scoped to a Fleet instance.

  • namespace: The permissions are scoped to a namespace.

    Note
    • To grant admin permissions, you must set the RoleType parameter to cluster.

    • To grant dev or gitops-dev permissions, you must set the RoleType parameter to namespace.

RoleName

string

Yes

The predefined role name. Valid values:

  • admin: administrator

  • dev: developer

  • gitops-dev: GitOps developer

Namespace

string

No

The name of the namespace.

Note
  • You must configure this parameter when the RoleType parameter is set to namespace.

  • You must set this parameter to argocd when the RoleType parameter is set to namespace and the RoleName parameter is set to gitops-dev.

  • Leave this parameter empty when the RoleType parameter is set to cluster.

Grant a RAM user or RAM role RBAC permissions on workflow clusters

Use Alibaba Cloud CLI

Grant admin permissions on workflow clusters

aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType cluster --RoleName admin

Grant dev permissions on the namespaces of workflow clusters

aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType namespace --Namespace default --RoleName dev

View parameter description

Parameter

Type

Required

Description

UserId

string

Yes

The ID of the RAM user.

ClusterId

string

Yes

The ID of the workflow cluster that you want to authorize the RAM user to access.

RoleType

string

Yes

The authorization type. Valid values:

  • cluster: The permissions are scoped to a cluster.

  • namespace: The permissions are scoped to a namespace.

Note
  • When you assign the admin role, you must set the parameter to cluster.

  • When you assign the dev role, you must set the parameter to namespace.

RoleName

string

Yes

The predefined role name. Valid values:

  • admin: administrator

  • dev: developer

Namespace

string

No

The name of the namespace.

    Note

    You must configure this parameter when the RoleType parameter is set to namespace.

    Leave this parameter empty when the RoleType parameter is set to cluster.

What to do next

Modify the RBAC permissions of a RAM user

aliyun adcp UpdateUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType cluster --RoleName dev

Query the RBAC permissions of a RAM user

aliyun adcp DescribeUserPermissions --UserId 1159648454******

Revoke RBAC permissions from a RAM user

aliyun adcp DeleteUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476******