
Container Compute Service:Create a custom Kubernetes ClusterRole or Role

Last Updated:Aug 21, 2024

A Kubernetes-native Role or ClusterRole used in Role-Based Access Control (RBAC) defines a set of permissions. A Role defines permissions scoped to a namespace and a ClusterRole defines permissions on cluster-wide resources. This topic describes how to customize a Role and a ClusterRole.

Introduction to Roles and ClusterRoles

You can create a Role or ClusterRole by using a YAML file or the Alibaba Cloud Container Compute Service (ACS) console.

Create a Role

To define permissions scoped to a namespace, create a Role.

You can use the following YAML file to create a Role that defines permissions on pods in the default namespace.

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: test-role
  namespace: default
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

Create a ClusterRole

To define cluster-wide permissions, create a ClusterRole.

You can use the following YAML file to create a ClusterRole that defines the same permissions on pods. A ClusterRole has no namespace of its own; the namespaces in which its permissions apply are determined by the binding that references it.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: test-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - pods
  verbs:
  - create
  - delete
  - deletecollection
  - get
  - list
  - patch
  - update
  - watch

For more information about Roles and ClusterRoles, see Roles and ClusterRoles.
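Before applying a Role or ClusterRole such as the ones above, it is worth checking the manifest for scope mistakes and over-broad rules. The following script is an added example, not part of the ACS documentation: it audits Role and ClusterRole objects that have already been parsed into Python dicts (the shape yaml.safe_load returns). The two sample objects mirror test-role and test-clusterrole from this page; the third, example-broad, is a constructed over-permissive ClusterRole used only for contrast.

```python
# Constructed audit of Kubernetes RBAC Role/ClusterRole objects (not ACS code).
# Input objects are plain dicts, i.e. what yaml.safe_load(manifest) would return.

SENSITIVE_RESOURCES = {"secrets"}                      # read access deserves review
ESCALATION_VERBS = {"bind", "escalate", "impersonate"}  # verbs that can widen access
READ_VERBS = {"get", "list", "watch", "*"}


def audit_rbac_object(obj):
    """Return a list of findings (strings) for one Role or ClusterRole dict."""
    findings = []
    kind = obj.get("kind")
    meta = obj.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    # Scope checks: a Role is namespaced, a ClusterRole is not.
    if kind == "Role" and not meta.get("namespace"):
        findings.append(f"{name}: Role has no metadata.namespace; it would be created in the current context namespace")
    if kind == "ClusterRole" and meta.get("namespace"):
        findings.append(f"{name}: ClusterRole is cluster-scoped; metadata.namespace is ignored")
    # Rule checks: wildcards, sensitive reads, privilege-escalating verbs.
    for i, rule in enumerate(obj.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"{name}: rule {i} uses a wildcard in apiGroups, resources or verbs")
        if resources & SENSITIVE_RESOURCES and verbs & READ_VERBS:
            findings.append(f"{name}: rule {i} grants read access to {sorted(resources & SENSITIVE_RESOURCES)}")
        if verbs & ESCALATION_VERBS:
            findings.append(f"{name}: rule {i} grants escalation verbs {sorted(verbs & ESCALATION_VERBS)}")
    return findings


POD_VERBS = ["create", "delete", "deletecollection", "get", "list", "patch", "update", "watch"]
POD_RULE = {"apiGroups": [""], "resources": ["pods"], "verbs": POD_VERBS}
API = "rbac.authorization.k8s.io/v1"
# Constructed to mirror the page's test-role and test-clusterrole manifests.
TEST_ROLE = {"apiVersion": API, "kind": "Role",
             "metadata": {"name": "test-role", "namespace": "default"}, "rules": [POD_RULE]}
TEST_CLUSTERROLE = {"apiVersion": API, "kind": "ClusterRole",
                    "metadata": {"name": "test-clusterrole"}, "rules": [POD_RULE]}
# Constructed over-broad ClusterRole (hypothetical name) to show what gets flagged.
BROAD_CLUSTERROLE = {"apiVersion": API, "kind": "ClusterRole", "metadata": {"name": "example-broad"},
                     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                               {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get"]}]}

if __name__ == "__main__":
    for obj in (TEST_ROLE, TEST_CLUSTERROLE, BROAD_CLUSTERROLE):
        print(obj["metadata"]["name"], audit_rbac_object(obj) or "no findings")
```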

Create a custom role

Note

This example shows how to create a custom ClusterRole for a Resource Access Management (RAM) user or RAM role. The procedure for creating a custom Role is similar. Modify the configuration as needed.

  1. Log on to the ACS console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, click the name of the cluster. In the left-side navigation pane, choose Security > Role.

  3. On the Role page, click the Cluster Role tab and click Create.

  4. In the Create YAML panel, enter the YAML content of the ClusterRole and click OK.

    The YAML template in this example defines cluster-wide permissions. After the ClusterRole is created, you can view the ClusterRole named test-clusterrole on the Cluster Role tab.

What to do next

For more information about how to attach a Kubernetes custom permission policy to a RAM user or RAM role, see Grant RBAC permissions to RAM users or RAM roles.

Important

When you grant RBAC permissions to RAM users or RAM roles, ACS allows you to bind only custom ClusterRoles. Custom Roles cannot be bound to RAM users or RAM roles.