Resource Access Management (RAM) system permission policies can control permissions only on Distributed Cloud Container Platform for Kubernetes (ACK One) resources, such as the permissions to create or view instances. If a RAM user or RAM role wants to manage Kubernetes resources in the specified ACK One Fleet instance, such as creating GitOps applications or Argo workflows, you need to grant the RAM user or RAM role Role-Based Access Control (RBAC) permissions on the ACK One Fleet instance and its namespace. This topic describes how to grant RBAC permissions to a RAM user or RAM role.
Usage notes
To grant permissions to a RAM user or RAM role, you must use an Alibaba Cloud account, the account of the Fleet instance creator, or a RAM user that has administrator permissions on the Fleet instance. You cannot grant permissions to a RAM user or RAM role by using another RAM user.
Prerequisites
The RAM user or RAM role is granted permissions on ACK One Fleet instances. For more information, see Attach a system permission policy to a RAM user or RAM role.
Alibaba Cloud CLI 3.0.159 or later is installed and credentials are configured if you want to use a CLI to grant permissions. For more information, see Install Alibaba Cloud CLI and Configure credentials.
RBAC permissions supported by ACK One
RBAC permissions on Fleet instances
| RBAC role | Permission |
| --- | --- |
| admin (administrator) | Provides read and write permissions on cluster-wide resources and resources in all namespaces. |
| dev (developer) | Provides read and write permissions on resources in the specified namespace. |
| gitops-dev (GitOps developer) | Provides read and write permissions on application resources in the argocd namespace. |
RBAC permissions on workflow clusters
| RBAC role | Permission |
| --- | --- |
| admin (administrator) | Provides read and write permissions on cluster-wide resources and resources in all namespaces. |
| dev (developer) | Provides read and write permissions on resources in the specified namespace. |
RBAC permissions on registered clusters
For more information, see Grant RBAC permissions to RAM users or RAM roles.
Grant a RAM user or RAM role RBAC permissions on Fleet instances
Use the console
Log on to the ACK One console.
In the left-side navigation pane, choose
On the Permissions page, click the Fleet tab and then click the RAM User tab.
Find the RAM user that you want to authorize in the list and click Manage Permissions in the Actions column.
In the dialog box that appears, specify RAM Role and Namespaces and click OK.
Use Alibaba Cloud CLI
Grant admin permissions on Fleet instances
aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType cluster --RoleName admin
Grant dev permissions on the namespaces of Fleet instances
aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType namespace --Namespace default --RoleName dev
Grant gitops-dev permissions on the argocd namespace
aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType namespace --Namespace argocd --RoleName gitops-dev
Grant a RAM user or RAM role RBAC permissions on workflow clusters
Use Alibaba Cloud CLI
Grant admin permissions on workflow clusters
aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType cluster --RoleName admin
Grant dev permissions on the namespaces of workflow clusters
aliyun adcp GrantUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType namespace --Namespace default --RoleName dev
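The CLI accepts any combination of --RoleType, --RoleName and --Namespace, so a thin wrapper that checks the combination against the role tables above before calling GrantUserPermission keeps grants scoped as narrowly as intended. This is an added example, not part of the ACK One documentation or CLI; it assumes the aliyun CLI is installed and configured, treats the gitops-dev/argocd pairing from the role table as a local guardrail, and requires ALLOW_CLUSTER_ADMIN=1 before a cluster-wide admin grant.

```sh
#!/bin/sh
# Added example: least-privilege wrapper for `aliyun adcp GrantUserPermission`.
# Assumptions: the aliyun CLI is on PATH and configured; DRY_RUN=1 prints the
# command instead of running it; ALLOW_CLUSTER_ADMIN=1 opts in to cluster-wide admin.

# check_grant USER CLUSTER ROLE_TYPE ROLE_NAME [NAMESPACE]
# Prints a reason on stderr and returns 1 when the combination should not be granted.
check_grant() {
  user="$1"; cluster="$2"; role_type="$3"; role_name="$4"; ns="$5"
  [ -n "$user" ] && [ -n "$cluster" ] || { echo "UserId and ClusterId are required" >&2; return 1; }
  case "$role_name" in
    admin|dev|gitops-dev) ;;
    *) echo "unknown RBAC role: $role_name" >&2; return 1 ;;
  esac
  case "$role_type" in
    cluster)
      [ -z "$ns" ] || { echo "--Namespace is not valid with --RoleType cluster" >&2; return 1; }
      # Cluster-wide admin is the broadest grant available; require an explicit opt-in.
      if [ "$role_name" = admin ] && [ "${ALLOW_CLUSTER_ADMIN:-0}" != 1 ]; then
        echo "refusing cluster-wide admin without ALLOW_CLUSTER_ADMIN=1" >&2; return 1
      fi ;;
    namespace)
      [ -n "$ns" ] || { echo "--RoleType namespace requires --Namespace" >&2; return 1; }
      # gitops-dev only covers application resources in argocd (local guardrail from the role table).
      if [ "$role_name" = gitops-dev ] && [ "$ns" != argocd ]; then
        echo "gitops-dev is scoped to the argocd namespace, got $ns" >&2; return 1
      fi ;;
    *) echo "--RoleType must be cluster or namespace" >&2; return 1 ;;
  esac
}

# grant_cmd: same arguments as check_grant; prints the validated command line as one string.
grant_cmd() {
  check_grant "$@" || return 1
  cmd="aliyun adcp GrantUserPermission --UserId $1 --ClusterId $2 --RoleType $3 --RoleName $4"
  [ -z "$5" ] || cmd="$cmd --Namespace $5"
  echo "$cmd"
}

# grant: validate, then call the CLI with each argument quoted (no eval of user input).
grant() {
  check_grant "$@" || return 1
  if [ "${DRY_RUN:-0}" = 1 ]; then grant_cmd "$@"; return; fi
  if [ -n "$5" ]; then
    aliyun adcp GrantUserPermission --UserId "$1" --ClusterId "$2" --RoleType "$3" --RoleName "$4" --Namespace "$5"
  else
    aliyun adcp GrantUserPermission --UserId "$1" --ClusterId "$2" --RoleType "$3" --RoleName "$4"
  fi
}
```

For example, `DRY_RUN=1; grant 1159648454****** c6caf48c192f7476****** namespace dev default` prints the same command shown above for the dev role, while `grant 1159648454****** c6caf48c192f7476****** cluster admin` is refused until ALLOW_CLUSTER_ADMIN=1 is set.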
What to do next
Modify the RBAC permissions of a RAM user
aliyun adcp UpdateUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476****** --RoleType cluster --RoleName dev
Query the RBAC permissions of a RAM user
aliyun adcp DescribeUserPermissions --UserId 1159648454******
Revoke RBAC permissions from a RAM user
aliyun adcp DeleteUserPermission --UserId 1159648454****** --ClusterId c6caf48c192f7476******