Overview of ACS cluster authorization - - Alibaba Cloud Documentation Center

The authorization system of Alibaba Cloud Container Compute Service (ACS) consists of Resource Access Management (RAM) authorization and role-based access control (RBAC) authorization. RAM authorization is used to grant permissions on cloud resources. RBAC authorization is used to grant permissions on resources within an ACS cluster. This topic describes RAM authorization and RBAC authorization and how to perform these authorizations in ACS clusters.

ACS authorization system

The authorization system of ACS consists of RAM authorization for computing resources and RBAC authorization for ACS clusters. The following figure shows the ACS authorization system.

RAM authorization involves cluster O&M operations. ACS clusters are a type of Container Service for Kubernetes (ACK) Serverless cluster, and you must call the ACK API to perform O&M operations on ACS clusters. Therefore, you must acquire permissions to call the API operations of ACK and other Alibaba Cloud services. You can call these API operations to perform the following O&M operations:
- Create, view, and delete clusters.
- Manage RBAC authorization.
- Monitor clusters and manage logs and events.
RBAC authorization is used to grant namespace-level or cluster-wide permissions on Kubernetes resources in ACS clusters. This allows you to grant the permissions to create, delete, modify, and view the following types of Kubernetes resources:
- Workload resources: such as Deployment, StatefulSet, Job, CronJob, pod, ReplicaSet, and HorizontalPodAutoscaler (HPA).
- Network resources: such as Service, Ingress, and NetworkPolicy.
- Storage resources: such as persistent volume (PV), persistent volume claim (PVC), and StorageClass.
- Namespace, ConfigMap, and Secret.

If you want to use a RAM user or RAM role to manage a cluster and applications in the cluster, you must perform both RAM authorization and RBAC authorization on the RAM user or RAM role. Before you perform RBAC authorization, you must complete RAM authorization. Refer to the following topics to complete the authorization in different scenarios:

To grant permissions to an O&M engineer, see Scenario 1: Grant O&M engineers the permissions to manage clusters and applications.
To grant permissions to a developer, see Scenario 2: Grant developers the permissions to manage your clusters and applications.
To grant permissions to a permission administrator, see Scenario 3: Grant authorization administrators the permissions to manage the permissions of RAM users and RAM roles.

RAM authorization

When an enterprise interfaces its system with RAM, the O&M engineer needs to use a RAM user or RAM role to manage cloud resources. By default, RAM users or RAM roles do not have permissions to call the APIs of cloud services. You must first grant the required permissions to the RAM user or RAM role.

You can perform RAM authorization by using one of the following methods:

Attach system policies: You can use this method to grant a RAM user or RAM role the read and write permissions on global resources. We recommend that you use system policies to grant O&M permissions on all clusters that belong to your Alibaba Cloud. For more information, see Grant permissions to a RAM user or RAM role.

The following table describes the commonly used system policies related to ACS. You can select system policies based on your requirements.

System policy	Description
AliyunCSFullAccess	This policy provides RAM users or RAM roles with permissions to call all ACK API operations when creating an ACS cluster. Important The scope of this permission includes all ACK clusters except for ACS clusters. Use this policy with caution. This policy involves only RAM authorization for ACK API operations. If you want to manage applications in an ACS cluster, you must perform RBAC authorization. For more information, see RBAC authorization.
AliyunCSReadOnlyAccess	This policy provides RAM users or RAM roles with permissions to call all read-only API operations of ACK. The scope of this permission includes all ACK clusters except for ACS clusters. Use this policy with caution.
AliyunACCFullAccess	This policy provides RAM users or RAM roles with access permissions for all ACS API operations.
AliyunACCReadOnlyAccess	This policy provides RAM users or RAM roles with read-only permissions for all ACS API operations.
AliyunVPCReadOnlyAccess	This policy provides RAM users or RAM roles with permissions to specify a virtual private cloud (VPC) for an ACS cluster to be created.
AliyunContainerRegistryFullAccess	This policy provides RAM users or RAM roles with permissions for business images within the Alibaba Cloud account.
AliyunLogReadOnlyAccess	This policy provides RAM users or RAM roles with permissions to select an existing log project to store the audit logs of an ACS cluster to be created or view the configuration inspection information of an ACS cluster.
AliyunRAMFullAccess	This policy provides RAM users or RAM roles with permissions to manage global authorization within an Alibaba Cloud account.
AliyunEBSFullAccess	This policy provides RAM users or RAM roles with permissions to use all features of the disk storage service.
AliyunARMSReadOnlyAccess	This policy provides RAM users or RAM roles with permissions to view the monitoring data of the Managed Service for Prometheus plug-in.
AliyunKMSReadOnlyAccess	This policy provides RAM users or RAM roles with permissions to view keys in the Key Management Service (KMS) for an ACS cluster to be created.

Attach custom policies: You can use this method to control the permissions of a RAM user or RAM role on cloud resources in a fine-grained manner. If the RAM user or RAM role needs to develop applications based on SDKs, you can use custom policies to control permissions on API operations.

To enforce application-level access control, you can use RAM Roles for Service Accounts (RRSA) to authorize different pods to access different cloud services. For more information, see Use RRSA to authorize different pods to access different cloud services.

For example, you can use the following policy to grant read permissions to a RAM user or RAM role on an Object Storage Service (OSS) bucket:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                      "oss:ListBuckets",
                      "oss:GetBucketStat",
                      "oss:GetBucketInfo",
                      "oss:GetBucketTagging",
                      "oss:GetBucketAcl" 
                      ],    
            "Resource": "acs:oss:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListObjects",
                "oss:GetBucketAcl"
            ],
            "Resource": "acs:oss:*:*:myphotos"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject",
                "oss:GetObjectAcl"
            ],
            "Resource": "acs:oss:*:*:myphotos/*"
        }
    ]
}

Roles and ClusterRoles

A Role or ClusterRole in RBAC contains rules that represent a set of permissions. These permissions are additive and do not contain rules that forbid operations.

A Role is a namespaced resource and defines permissions within a particular namespace. When you create a Role, you must specify the namespace to which the Role belongs.

A ClusterRole is a non-namespaced resource and defines cluster-wide permissions. The two types of roles have different names because a Kubernetes object must be either namespaced or non-namespaced.

A ClusterRole has several uses. You can use a ClusterRole to configure permissions in the following ways:

Define permissions on namespaced resources in a ClusterRole and then use the ClusterRole to grant the permissions within individual namespaces.
Define permissions on namespaced resources in a ClusterRole and then use the ClusterRole to grant the permissions across all namespaces.
Define permissions on cluster-scoped resources.

If you want to define a role within a namespace, use a Role. If you want to define a cluster-wide role, use a ClusterRole.

For more information about how to create a Kubernetes ClusterRole or Role, see Customize an RBAC role.

For more information about how to attach a Kubernetes custom permission policy to a RAM user or RAM role, see Grant RBAC permissions to RAM users or RAM roles.

Important

ACK allows you to use only ClusterRoles to grant RBAC permissions. You cannot use Roles to grant RBAC permissions.

RBAC-based access control

To authorize a RAM user or RAM role to manage the specified Kubernetes resources in a cluster, such as obtaining the pod and node information, go to the authorization page of the ACS console and grant the RAM user or RAM role permissions on data plane resources.

You can assign the following predefined roles to the RAM user or RAM role. For more information, see Grant RBAC permissions to RAM users or RAM roles.

The following table describes the permissions of the roles.

Role	RBAC permission on cluster resources
Administrator	Read and write permissions on resources in all namespaces.
O&M engineer	Read and write permissions on visible resources in the console in all namespaces and read-only permissions on nodes, PVs, namespaces, and quotas.
Developer	Read and write permissions on visible resources in the console in the specified namespace or all namespaces.
Restricted user	Read-only permissions on visible resources in the console in the specified namespace or all namespaces.
Custom role	The permissions of a custom role are determined by the ClusterRole that you select. Before you select a ClusterRole, check the permissions of the ClusterRole and make sure that you grant only the required permissions to the RAM user or RAM role. For more information about ClusterRoles, see Customize an RBAC role.