Before July 17, 2023, the worker Resource Access Management (RAM) role of Container Service for Kubernetes (ACK) managed clusters was granted a limited set of permissions by default. Starting from July 17, 2023, newly created ACK managed clusters grant no permissions to the worker RAM role by default. This reduces the blast radius of a compromised node or pod: the credentials of the worker RAM role can be obtained by any workload running on a node, so the role should carry only the permissions that workloads actually require.
Affected versions
ACK managed clusters, including ACK standard clusters and ACK Pro clusters, that are created on or after July 17, 2023 and run Kubernetes 1.22.15-aliyun.1 or later.
The following clusters are not affected:
Clusters that are created before July 17, 2023.
Clusters whose Kubernetes version is earlier than 1.22.15-aliyun.1.
Clusters created by Alibaba Cloud accounts that are not eligible for this update.
Impact
Before the update, the worker RAM role of ACK managed clusters was granted a limited set of permissions by default.
After the update, the worker RAM role of newly created ACK managed clusters is granted no permissions by default. Existing clusters keep the permissions their worker RAM role already has.
If your application calls Alibaba Cloud API operations (OpenAPI) from the ACK cluster, we recommend that you use the RAM Roles for Service Accounts (RRSA) feature to obtain the credentials. RRSA binds a RAM role to a Kubernetes service account, so each pod receives only the permissions of its own role instead of inheriting the node-wide worker RAM role. For more information, see Use RRSA to authorize different pods to access different cloud services.
If your application relies on the worker RAM role, you must manually grant the role the permissions that the application requires. Grant only those permissions; re-attaching a broad policy to the worker RAM role undoes the benefit of this change for every workload on every node. For more information, see the Grant permissions to the worker RAM role section of this topic.
If you want to install the aliyun-acr-credential-helper component in a newly created cluster, make sure that you install the latest version of the component. Earlier versions depend on the worker RAM role being granted Container Registry (ACR) permissions, which newly created clusters no longer have by default.
Grant permissions to the worker RAM role
Step 1: Create a custom policy
Write a custom policy that allows only the specific API actions that your application calls, scoped to the resources it needs. Avoid wildcard actions such as cr:* or *. For more information about how to create a custom policy, see Create custom policies.
Step 2: Attach the custom policy to the worker RAM role
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name.
On the page that appears, click the Basic Information tab. On the Basic Information tab, click the hyperlink next to the Worker RAM Role field to open the role in the RAM console.
On the Permissions tab, click Grant Permission. In the Policy section of the Grant Permission panel, select Custom Policy from the drop-down list and select the custom policy that you created in the previous step.
Click Grant permissions.
Click Close. On the Permissions tab, verify that only the custom policy that you created is attached to the worker RAM role.
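The following is an added example (not part of the ACK documentation and not Alibaba Cloud's own tooling) that performs Steps 1 and 2 from a script instead of the console. It builds a least-privilege policy document for the worker RAM role, rejects statements that would re-widen the role (wildcard actions, RAM or STS escalation actions), and emits the equivalent Alibaba Cloud CLI (aliyun) calls for CreatePolicy and AttachPolicyToRole. The policy name, the role name and the ACR pull actions listed are assumptions chosen for illustration; replace them with the actions your application actually calls and with the worker RAM role name shown on the Basic Information tab.

```python
"""Added example: least-privilege custom policy for an ACK worker RAM role.

Not part of the ACK documentation. Policy/role names and the ACR actions
below are assumptions for illustration; the aliyun CLI must be configured
before the printed commands can be run.
"""
import json
import shlex

# Actions an image-pull workload might need (assumed; adjust to your application).
ACR_PULL_ACTIONS = [
    "cr:GetAuthorizationToken",
    "cr:ListInstanceEndpoint",
    "cr:PullRepository",
]


def build_policy(actions, resources=("*",)):
    """Return a RAM policy document (Version "1") that allows only the given actions."""
    return {
        "Version": "1",
        "Statement": [
            {"Effect": "Allow", "Action": list(actions), "Resource": list(resources)}
        ],
    }


def policy_problems(policy):
    """Return findings for Allow statements that would re-widen the worker role.

    Flags the global wildcard ("*"), service-wide wildcards ("cr:*") and
    privilege-escalation actions (ram:* or sts:AssumeRole*), which would let any
    pod on a node manage policies or assume other roles.
    """
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
            elif action.lower().startswith(("ram:", "sts:assumerole")):
                findings.append(f"statement {i}: privilege-escalation action {action!r}")
    return findings


def cli_commands(policy_name, role_name, policy):
    """aliyun CLI equivalents of Step 1 (CreatePolicy) and Step 2 (AttachPolicyToRole)."""
    doc = json.dumps(policy, separators=(",", ":"))
    return [
        f"aliyun ram CreatePolicy --PolicyName {policy_name} "
        f"--PolicyDocument {shlex.quote(doc)}",
        f"aliyun ram AttachPolicyToRole --PolicyType Custom "
        f"--PolicyName {policy_name} --RoleName {role_name}",
    ]


if __name__ == "__main__":
    policy = build_policy(ACR_PULL_ACTIONS)
    if policy_problems(policy):
        raise SystemExit("refusing to attach an over-broad policy")
    # What the check rejects: the kind of broad grant this update removed.
    print(policy_problems(build_policy(["cr:*", "ram:AttachPolicyToRole"])))
    # Assumed names; use the role name from the Basic Information tab.
    for cmd in cli_commands("ack-worker-acr-pull", "KubernetesWorkerRole-EXAMPLE", policy):
        print(cmd)
```

Run the script, review the two printed commands, and execute them only after policy_problems returns nothing. Keeping the check in front of AttachPolicyToRole is the point: once a policy is attached to the worker RAM role, every pod on every node can use it.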