All Products
Search
Document Center

Container Compute Service:ACS authorization best practices

Last Updated:Nov 20, 2024

The authorization system of Container Compute Service (ACS) consists of Resource Access Management (RAM) authorization for computing resources and Role-Based Access Control (RBAC) authorization for ACS clusters. Users with different roles require different permissions. This topic provides authorization best practices for the following roles: enterprise resource administrators, Kubernetes cluster administrator, cluster and application O&M engineers, application developers, and authorization administrators.

ACS authorization system

The authorization system of ACS consists of RAM authorization for computing resources and RBAC authorization for ACS clusters. The following figure shows the ACS authorization system.

image
  • RAM authorization involves cluster O&M operations. ACS clusters are a type of Container Service for Kubernetes (ACK) Serverless cluster, and you must call the ACK API to perform O&M operations on ACS clusters. Therefore, you must acquire permissions to call the API operations of ACK and other Alibaba Cloud services. You can call these API operations to perform the following O&M operations:

    • Create, view, and delete clusters.

    • Manage RBAC authorization.

    • Monitor clusters and manage logs and events.

  • RBAC authorization is used to grant namespace-level or cluster-wide permissions on Kubernetes resources in ACS clusters. This allows you to grant the permissions to create, delete, modify, and view the following types of Kubernetes resources:

    • Workload resources: such as Deployment, StatefulSet, Job, CronJob, pod, ReplicaSet, and HorizontalPodAutoscaler (HPA).

    • Network resources: such as Service, Ingress, and NetworkPolicy.

    • Storage resources: such as persistent volume (PV), persistent volume claim (PVC), and StorageClass.

    • Namespace, ConfigMap, and Secret.

Predefined system policies

ACS provides the following predefined system policies, which can be used to quickly grant permissions to RAM users or RAM roles.

Important

The authorization scopes of system policies are large. These policies may provide read or write permissions on all Container Service for Kubernetes (ACK) and ACS API operations. Proceed with caution.

System policy

Description

AliyunAccFullAccess

Permissions on ACS.

AliyunAccReadOnlyAccess

Read permissions on ACS.

AliyunCSFullAccess

Permissions on ACK.

Important

Read and write permissions on all ACK clusters, including ACS clusters. Proceed with caution when you use this policy.

AliyunCSReadOnlyAccess

Read permission on ACK.

Important

Read permissions on all ACK clusters, including ACS clusters. Proceed with caution when you use this policy.

AliyunAccFullAccess

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "acc:*",
      "Resource": "*"
    }
  ],
  "Version": "1"
}

AliyunAccReadOnlyAccess

{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "acc:Describe*",
        "acc:CheckServiceRole"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

AliyunCSFullAccess

{
    "Version": "1",
    "Statement": [
        {
            "Action": "cs:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "acs:Service": "cs.aliyuncs.com"
                }
            }
        }
    ]
}

AliyunCSReadOnlyAccess

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "cs:CheckServiceRole",
                "cs:Get*",
                "cs:List*",
                "cs:Describe*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Authorization best practices

To authorize a RAM user or RAM role to manage and maintain clusters and applications, you need to perform RAM authorization and RBAC authorization in sequence. You must perform RAM authorization before you perform RBAC authorization. Refer to the following topics to complete the authorization in different scenarios:

Scenario 1: Grant O&M engineers the permissions to manage clusters and applications

O&M engineers need permissions to manage and maintain ACS clusters, and permissions to manage and maintain application resource objects in ACS clusters. In this scenario, you must perform both RAM authorization and RBAC authorization.

  1. RAM authorization

    You can use the AliyunCSFullAccess and AliyunCSReadOnlyAccess RAM policies to grant ACK-related permissions:

    • AliyunCSFullAccess provides the permissions to call all the API operations of ACK.

    • AliyunCSReadOnlyAccess provides the permissions to call API operations of ACK for read-only access.

      Important

      The preceding policies provide permissions on all ACK clusters, including ACS clusters. Proceed with caution.

    You can attach the AliyunCSFullAccess or AliyunCSReadOnlyAccess policy to a RAM user or RAM role in the RAM console. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM role.

    If you require fine-grained access control, you can attach custom policies. For more information, see Attach a RAM policy to a RAM user or RAM role.

    In this case, you can attach the following policy to the RAM user or RAM role that you want to use.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "acc:DescribeCommodityStatus",
                    "acc:CheckServiceRole",
                    "acc:DescribeCloudProducts",
                    "acc:DescribeRegions",
                    "acc:DescribeZones",
                    "acc:GetInstancePrice"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "bssapi:GetPayAsYouGoPrice",
                "Resource": "*"
            },
            {
                "Action": "ecs:DescribePrice",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": "ram:GetRole",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                "cs:CreateCluster",
                "cs:DescribeAddons"
                ],
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Action": [
                    "cs:GetClusters",
                    "cs:DescribeClustersV1",
                    "cs:DescribeClusterUserKubeconfig",
                    "cs:DescribeClusterResources",
                    "cs:DescribeUserQuota",
                    "cs:DescribeClusterLogs",
                    "cs:ModifyCluster",
                    "cs:UpgradeCluster",
                    "cs:GetUpgradeStatus",
                    "cs:ResumeUpgradeCluster",
                    "cs:PauseClusterUpgrade",
                    "cs:CancelClusterUpgrade",
                    "cs:InstallClusterAddons",
                    "cs:UpgradeClusterAddons",
                    "cs:DescribeClusterAddonsUpgradeStatus",
                    "cs:UnInstallClusterAddons",
                    "cs:DeleteCluster",
                    "cs:DescribeClusterDetail",
                    "cs:GetClusterAuditProject",
                    "cs:DescribeClusterAddonsVersion",
                    "cs:DescribeClusterTasks",
                    "cs:DescribeClusterEvents",
                    "cs:DescribeEvents",
                    "cs:ListClusterReportSummary",
                    "cs:GetClusterBasicInfo",
                    "cs:ListReportTaskRule",
                    "cs:CreateReportTaskRule",
                    "cs:CreateClusterCheck"
                ],
                "Effect": "Allow",
                "Resource": "acs:cs:*:*:cluster/<yourclusterID>"
            },
            {
                "Action": [
                     "cs:CheckServiceRole",
                     "cs:DescribeKubernetesVersionMetadata"
                ],
                "Effect": "Allow",
                "Resource": "acs:cs:*:*:cluster/*"
            },
            {
                "Action": [
                     "log:ListProject"
                ],
                "Effect": "Allow",
                "Resource": "*"
            }
        ],
        "Version": "1"
    }

    Replace <yourclusterID> with the ID of the cluster that you want to manage.

  2. For more information about the ACK API, see [Product Changes] ACK API enhances user authentication and List of operations by function.

  3. RBAC authorization

    After you perform RAM authorization, you must perform RBAC authorization for the RAM user or RAM role. The following table describes the predefined RBAC roles that are provided by ACK.

    Role

    RBAC permission

    Administrator

    Read and write permissions on all resources in all namespaces.

    O&M engineer

    Read and write permissions on visible Kubernetes resources in the console in all namespaces and read-only permissions on nodes, PVs, namespaces, and quotas.

    Developer

    Read and write permissions on visible resources in the console in all or specified namespaces.

    Restricted user

    Read-only permissions on visible resources in the console in all or specified namespaces.

    In this scenario, you can go to the authorization page in the ACS console and assign the O&M Engineer role to grant cluster and namespace permissions. RBAC

    After the RBAC role is assigned, ACS automatically creates a ClusterRoleBinding in the cluster for the RAM user or RAM role. The following sample code shows the permissions provided by the O&M Engineer role:

    Sample code of the permissions provided by the O&M Engineer role

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cs:ops
    rules:
    - apiGroups: [""]
      resources:  ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["bindings", "events", "limitranges", "namespaces/status", "replicationcontrollers/status", "pods/log", "pods/status", "resourcequotas", "resourcequotas/status", "componentstatuses"]
      verbs: ["get", "list", "watch"]
    - apiGroups: [""]
      resources:  ["namespaces", "nodes", "persistentvolumes"]
      verbs: ["get", "list", "watch", "patch"]
    - apiGroups: ["coordination.k8s.io"]
      resources:  ["leases"]
      verbs: ["get"]
    - apiGroups: ["apps"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["autoscaling"]
      resources:  ["horizontalpodautoscalers"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["batch"]
      resources:  ["cronjobs", "jobs"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["extensions"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale","ingresses","replicasets", "replicasets/scale", "replicationcontrollers/scale"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.k8s.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status",]
      verbs: ["update"]
    - apiGroups: ["storage.k8s.io"]
      resources:  ["storageclasses"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["alicloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["policy"]
      resources:  ["poddisruptionbudgets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["metrics.k8s.io"]
      resources: ["pods"]
      verbs: ["get", "watch", "list"]
    - apiGroups: ["networking.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["config.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["rbac.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["istio.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["authentication.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["log.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["monitoring.kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["apiextensions.k8s.io"]
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["serving.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["messaging.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["sources.eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["tekton.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["alert.alibabacloud.com"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]

    If you require fine-grained RBAC access control, refer to Using RBAC Authorization and create a custom ClusterRole. Then, go to the authorization page in the ACS console, select Custom, and select the custom ClusterRole from the drop-down list. For more information, see Custom RBAC policies.

Scenario 2: Grant developers the permissions to manage your clusters and applications

Developers need permissions to access Kubernetes resource objects in ACS clusters. In this scenario, you need to perform RBAC authorization. No cloud resource access permissions are needed.

Important

Before you perform RBAC authorization, make sure that the developers have at least read permissions (RAM authorization) on the specified cluster. If you specify Resource "*", the RAM user or RAM role is authorized to perform operations in the Action list on all ACK clusters, including ACS clusters. Do not set Resource to * unless you are aware of the authorization scope and impact.

  1. RAM authorization

    Go to the RAM console and create a custom policy. Then, attach the policy to the RAM user or RAM role that you want to use. For more information, see Attach a RAM policy to a RAM user or RAM role. Sample custom policy:

    {
      "Statement": [
       {
            "Effect": "Allow",
            "Action": [
                "acc:DescribeCommodityStatus",
                "acc:CheckServiceRole",
                "acc:DescribeCloudProducts",
                "acc:DescribeRegions",
                "acc:DescribeZones",
                "acc:GetInstancePrice"
               ],
                "Resource": "*"
        },
        {
             "Effect": "Allow",
             "Action": "bssapi:GetPayAsYouGoPrice",
             "Resource": "*"
        },
        {
          "Action": [
            "cs:Get*",
            "cs:List*",
            "cs:Describe*"
          ],
          "Effect": "Allow",
          "Resource": [
            "acs:cs:*:*:cluster/<yourclusterID>" 
          ]
        }
      ],
      "Version": "1"
    }

    Replace <yourclusterID> with the ID of the cluster that you want to manage.

    Note

    To grant only read permissions on ACS clusters, use this sample custom policy to specify the ARN of the ACS cluster. Do not attach the AliyunCSReadOnlyAccess policy, which is provided by ACK. Otherwise, the RAM user or RAM role has read permissions on all ACK clusters, excluding ACS clusters.

  2. RBAC authorization

    Go to the authorization page in the ACS console and assign the Developer role to grant cluster and namespace permissions to the RAM user or RAM role. developer

    After the RBAC role is assigned, ACS automatically creates a ClusterRoleBinding in the cluster for the RAM user or RAM role. The following sample code shows the permissions provided by the Developer role:

    Sample code of the permissions provided by the Developer role

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: cs:ns:dev
    rules:
    - apiGroups: [""]
      resources:  ["pods", "pods/attach", "pods/exec", "pods/portforward", "pods/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["configmaps", "endpoints", "persistentvolumeclaims", "replicationcontrollers", "replicationcontrollers/scale", "secrets", "serviceaccounts", "services", "services/proxy"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: [""]
      resources:  ["events", "replicationcontrollers/status", "pods/log", "pods/status"]
      verbs: ["get", "list", "watch"]
    - apiGroups: ["apps"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale", "replicasets", "replicasets/scale", "statefulsets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["autoscaling"]
      resources:  ["horizontalpodautoscalers"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["batch"]
      resources:  ["cronjobs", "jobs"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["extensions"]
      resources:  ["daemonsets", "deployments", "deployments/rollback", "deployments/scale","ingresses","replicasets", "replicasets/scale", "replicationcontrollers/scale"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.k8s.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterserviceclasses", "clusterserviceplans", "clusterservicebrokers", "serviceinstances", "servicebindings"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["servicecatalog.k8s.io"]
      resources:  ["clusterservicebrokers/status", "clusterserviceclasses/status", "clusterserviceplans/status", "serviceinstances/status", "serviceinstances/reference", "servicebindings/status",]
      verbs: ["update"]
    - apiGroups: ["alicloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["policy"]
      resources:  ["poddisruptionbudgets"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["networking.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["config.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["rbac.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["istio.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["authentication.istio.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["log.alibabacloud.com"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["monitoring.kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["kiali.io"]
      resources:  ["*"]
      verbs: ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
    - apiGroups: ["apiextensions.k8s.io"]
      resources: ["customresourcedefinitions"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["serving.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["messaging.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["sources.eventing.knative.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["tekton.dev"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]
    - apiGroups: ["alert.alibabacloud.com"]
      resources: ["*"]
      verbs: ["get", "list", "create", "watch", "patch", "update", "delete", "deletecollection"]

Scenario 3: Grant authorization administrators the permissions to manage the permissions of RAM users and RAM roles

Permission administrators require the permissions to manage RBAC permissions of other RAM users and RAM roles. By default, you cannot use a RAM user or RAM role to grant RBAC permissions to other RAM users or RAM roles. When you use a RAM user or RAM role to access the authorization page in the ACS console, if the page prompts The current RAM user does not have management permissions. Contact the Alibaba Cloud account owner or the administrator to acquire the permissions., you need to perform RAM authorization or RBAC authorization to grant the required permissions to the RAM user or RAM role.

  1. RAM authorization

    You must add the following permissions to the policy that is attached to the RAM user or RAM role that you want to use:

    • Query other RAM users or RAM roles that belong to the same Alibaba Cloud account.

    • Attach RAM policies to a RAM user or RAM role.

    • Query the RBAC permissions of a RAM user or RAM role.

    • Grant RBAC permissions to other RAM users or RAM roles.

    Log on to the RAM console and grant permissions to the RAM user or RAM role. For more information, see Attach a RAM policy to a RAM user or RAM role Sample custom policy:

    {
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
                "acc:DescribeCommodityStatus",
                "acc:CheckServiceRole",
                "acc:DescribeCloudProducts",
                "acc:DescribeRegions",
                "acc:DescribeZones",
                "acc:GetInstancePrice"
               ],
                "Resource": "*"
          },
          {
             "Effect": "Allow",
             "Action": "bssapi:GetPayAsYouGoPrice",
             "Resource": "*"
          },
          {
                "Action": [
                    "ram:Get*",
                    "ram:List*",
                    "cs:GetUserPermissions",
                    "cs:GetSubUsers",
                    "cs:GrantPermission"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ram:AttachPolicyToUser",
                    "ram:AttachPolicyToRole"
                ],
                "Effect": "Allow",
                "Resource":  [
                    "acs:ram:*:*:policy/xxxx", # Replace xxxx with the name of the RAM policy that you want to attach. If you replace xxxx with an asterisk (*), the RAM user or RAM role is authorized to attach all RAM policies to other RAM users. 
                    "acs:*:*:*:user/*"
                ]
            }
        ],
        "Version": "1"
    }
  2. RBAC authorization

    You must assign the Administrator role or the cluster-admin custom role to the RAM user or RAM role and specify the cluster and namespace to which the role is scoped.

    Note

    By default, Alibaba Cloud accounts and cluster owners are assigned the cluster-admin role and therefore have full access to all Kubernetes resources in the cluster.

    cluster-admin

After you perform RAM authorization and RBAC authorization for a RAM user or RAM role, you can use the RAM user or RAM role to grant other RAM users or RAM roles RBAC permissions that take effect within the specified scope. For more information, see Attach a RAM policy to a RAM user or RAM role.

Actions for ACS authorization

Permission (Action)

Description

acc:CheckServiceRole

Check whether a ServiceRole is created for the current account to authorize ACS to access other cloud resources.

acc:DescribeCommodityStatus

Check whether ACS is activated within the current account.

Permission (Action)

Description

bssapi:GetPayAsYouGoPrice

Query the unit prices of pay-as-you-go services.

ram:ListUserBasicInfos

Queries the basic information about all RAM users.

ram:ListRoles

Queries the basic information about all RAM roles.

Note
  1. For more information about the actions, see RAM authorization.

  2. This topic is for reference only. We recommend that you read RAM authorization and follow the least privilege principle when you create policies.

  3. If you do not specify a cluster ID and set the authorization scope to *, the permissions are granted on ACK clusters, excluding ACS clusters. Proceed with caution.