To further minimize the permissions in the Resource Access Management (RAM) policy that the Container Storage Interface (CSI) plug-in (the csi-plugin and csi-provisioner components) in an ACK managed cluster depends on, Container Service for Kubernetes (ACK) will split the service roles used by csi-plugin and csi-provisioner starting November 1, 2024. Each component then assumes its own service role with its own system policy. Additionally, authorization checks are added for the AliyunCSManagedCsiPluginRole and AliyunCSManagedCsiProvisionerRole service roles.
Effective time
The change is rolled out as a canary release that starts at 10:00:00 (UTC+8) on November 1, 2024 and ends at 11:00:00 (UTC+8) on November 15, 2024.
Change details
When the csi-plugin component is installed or upgraded, an authorization check for the AliyunCSManagedCsiPluginRole service role is performed.
When the csi-provisioner component is installed or upgraded, an authorization check for the AliyunCSManagedCsiProvisionerRole service role is performed.
When an ACK managed cluster is created, authorization checks for both service roles that the CSI plug-in depends on, AliyunCSManagedCsiPluginRole and AliyunCSManagedCsiProvisionerRole, are performed.
Scope of impacts
Impact of changes on the creation of ACK managed clusters:
Only ACK managed clusters that run Kubernetes 1.26 or later and are created after November 1, 2024 are affected. Existing clusters are not affected by the cluster-creation check.
Impact of changes on installation and upgrade of the csi-plugin and csi-provisioner components:
Only the csi-plugin and csi-provisioner components in ACK managed clusters that run Kubernetes 1.26 or later are affected, including existing clusters on those versions. The components in ACK managed clusters that run Kubernetes earlier than 1.26 are not affected.
If you do not complete the authorization for the AliyunCSManagedCsiPluginRole and AliyunCSManagedCsiProvisionerRole service roles before November 1, 2024, any attempt to create an ACK managed cluster, or to install or upgrade the csi-plugin or csi-provisioner components, after that date fails because the service roles are not authorized.
Solutions
Perform the following steps to complete the authorization for the new service roles before November 1, 2024.
Each Alibaba Cloud account needs to authorize the AliyunCSManagedCsiPluginRole and AliyunCSManagedCsiProvisionerRole roles only once. You do not need to repeat the authorization for each cluster. Because the step requires the AliyunRAMFullAccess policy, which allows full management of RAM users, roles, and policies, perform it once with an administrative identity rather than granting that policy to routine operators.
Grant the permission to the AliyunCSManagedCsiPluginRole
Log on with the Alibaba Cloud account, or with a RAM user or RAM role that is granted the AliyunRAMFullAccess policy, and open the Cloud Resource Access Authorization page.
On the Cloud Resource Access Authorization page, click Agree to Authorization to complete the authorization for AliyunCSManagedCsiPluginRole.
This service role uses the system policy AliyunCSManagedCsiPluginRolePolicy; review the listed permissions on the authorization page before you agree.
Grant the permission to the AliyunCSManagedCsiProvisionerRole
Log on with the Alibaba Cloud account, or with a RAM user or RAM role that is granted the AliyunRAMFullAccess policy, and open the Cloud Resource Access Authorization page.
On the Cloud Resource Access Authorization page, click Agree to Authorization to complete the authorization for AliyunCSManagedCsiProvisionerRole.
This service role uses the system policy AliyunCSManagedCsiProvisionerRolePolicy; review the listed permissions on the authorization page before you agree.
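After completing the two authorizations, you can verify from the command line that both service roles exist in the account and carry the expected system policy, so that a cluster creation or component upgrade after November 1, 2024 does not fail the new check. The following script is an added example and is not Alibaba Cloud's own tooling. It assumes the Alibaba Cloud CLI (`aliyun`) is installed and configured with an identity allowed to call ram:GetRole and ram:ListPoliciesForRole; the ALIYUN variable is an assumption of this example that lets the logic be pointed at a stub.

```shell
#!/bin/sh
# Added example: check that the two CSI service roles exist in the current
# Alibaba Cloud account and report the policies attached to each.
# Assumption: `aliyun` (Alibaba Cloud CLI) is configured with an identity
# that may call ram:GetRole and ram:ListPoliciesForRole.

# Command used to reach RAM. Overridable (assumption of this example) so the
# functions can be exercised against a stub without network access.
ALIYUN="${ALIYUN:-aliyun}"

# Service roles introduced by the November 1, 2024 change.
CSI_ROLES="AliyunCSManagedCsiPluginRole AliyunCSManagedCsiProvisionerRole"

# Returns 0 if RAM knows the role, non-zero if GetRole fails (for example
# EntityNotExist.Role when the authorization was never completed).
role_exists() {
    "$ALIYUN" ram GetRole --RoleName "$1" >/dev/null 2>&1
}

# Prints the PolicyName values attached to the role, one per line, by
# extracting them from the JSON returned by ListPoliciesForRole.
role_policies() {
    "$ALIYUN" ram ListPoliciesForRole --RoleName "$1" 2>/dev/null \
        | grep -o '"PolicyName": *"[^"]*"' \
        | sed 's/.*: *"\(.*\)"/\1/'
}

# Reports each role as present (with its policies) or MISSING.
# Return value is the number of missing roles, so 0 means ready.
missing_csi_roles() {
    missing=0
    for role in $CSI_ROLES; do
        if role_exists "$role"; then
            policies=$(role_policies "$role" | tr '\n' ' ')
            printf '%s: present (policies: %s)\n' "$role" "$policies"
        else
            printf '%s: MISSING - complete Cloud Resource Access Authorization before 2024-11-01\n' "$role"
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# Run the check only when the CLI is actually available, so the functions
# above can also be sourced and tested in isolation.
if command -v "$ALIYUN" >/dev/null 2>&1; then
    missing_csi_roles
fi
```

A non-zero exit status from `missing_csi_roles` is the number of roles still to authorize, which makes the script usable as a pre-flight gate in a pipeline that creates clusters or upgrades the CSI components.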
Contact us
If you have any questions or suggestions when using Container Service for Kubernetes (ACK), click ACK DingTalk Group (full) or search for DingTalk group 74560018672 to join the DingTalk group.