The authorization system of Container Compute Service (ACS) consists of Resource Access Management (RAM) authorization for computing resources and Role-Based Access Control (RBAC) authorization for ACS clusters. Users with different roles require different permissions. This topic provides authorization best practices for the following roles: enterprise resource administrators, Kubernetes cluster administrator, cluster and application O&M engineers, application developers, and authorization administrators.
ACS authorization system
The authorization system of ACS consists of RAM authorization for computing resources and RBAC authorization for ACS clusters. The following figure shows the ACS authorization system.
RAM authorization involves cluster O&M operations. ACS clusters are a type of Container Service for Kubernetes (ACK) Serverless cluster, and you must call the ACK API to perform O&M operations on ACS clusters. Therefore, you must acquire permissions to call the API operations of ACK and other Alibaba Cloud services. You can call these API operations to perform the following O&M operations:
Create, view, and delete clusters.
Manage RBAC authorization.
Monitor clusters and manage logs and events.
RBAC authorization is used to grant namespace-level or cluster-wide permissions on Kubernetes resources in ACS clusters. This allows you to grant the permissions to create, delete, modify, and view the following types of Kubernetes resources:
Workload resources: such as Deployment, StatefulSet, Job, CronJob, pod, ReplicaSet, and HorizontalPodAutoscaler (HPA).
Network resources: such as Service, Ingress, and NetworkPolicy.
Storage resources: such as persistent volume (PV), persistent volume claim (PVC), and StorageClass.
Namespace, ConfigMap, and Secret.
Predefined system policies
ACS provides the following predefined system policies, which can be used to quickly grant permissions to RAM users or RAM roles.
The system policies have broad scopes: they may grant read or write permissions on all Container Service for Kubernetes (ACK) and ACS API operations. Proceed with caution.
System policy | Description |
AliyunAccFullAccess | Full permissions on ACS (all acc: API operations). |
AliyunAccReadOnlyAccess | Read-only permissions on ACS. |
AliyunCSFullAccess | Full permissions on ACK. Important: grants read and write permissions on all ACK clusters, including ACS clusters. Proceed with caution when you use this policy. |
AliyunCSReadOnlyAccess | Read-only permissions on ACK. Important: grants read permissions on all ACK clusters, including ACS clusters. Proceed with caution when you use this policy. |
AliyunAccFullAccess
{
"Statement": [
{
"Effect": "Allow",
"Action": "acc:*",
"Resource": "*"
}
],
"Version": "1"
}
AliyunAccReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": [
"acc:Describe*",
"acc:CheckServiceRole"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
AliyunCSFullAccess
{
"Version": "1",
"Statement": [
{
"Action": "cs:*",
"Resource": "*",
"Effect": "Allow"
},
{
"Action": "ram:PassRole",
"Resource": "*",
"Effect": "Allow",
"Condition": {
"StringEquals": {
"acs:Service": "cs.aliyuncs.com"
}
}
}
]
}
AliyunCSReadOnlyAccess
{
"Version": "1",
"Statement": [
{
"Action": [
"cs:CheckServiceRole",
"cs:Get*",
"cs:List*",
"cs:Describe*"
],
"Resource": "*",
"Effect": "Allow"
}
]
}
Authorization best practices
To authorize a RAM user or RAM role to manage and maintain clusters and applications, you must perform RAM authorization first and then RBAC authorization. Refer to the following topics to complete the authorization in different scenarios:
To grant permissions to an O&M engineer, see Scenario 1: Grant O&M engineers the permissions to manage clusters and applications.
To grant permissions to a developer, see Scenario 2: Grant developers the permissions to manage your clusters and applications.
To grant permissions to a permission administrator, see Scenario 3: Grant authorization administrators the permissions to manage the permissions of RAM users and RAM roles.
Scenario 1: Grant O&M engineers the permissions to manage clusters and applications
O&M engineers need permissions to manage and maintain ACS clusters, and permissions to manage and maintain application resource objects in ACS clusters. In this scenario, you must perform both RAM authorization and RBAC authorization.
RAM authorization
You can use the AliyunCSFullAccess and AliyunCSReadOnlyAccess RAM policies to grant ACK-related permissions:
AliyunCSFullAccess provides the permissions to call all the API operations of ACK.
AliyunCSReadOnlyAccess provides the permissions to call API operations of ACK for read-only access.
Important: The preceding policies provide permissions on all ACK clusters, including ACS clusters. Proceed with caution.
You can attach the AliyunCSFullAccess or AliyunCSReadOnlyAccess policy to a RAM user or RAM role in the RAM console. For more information, see Grant permissions to a RAM user and Grant permissions to a RAM role.
If you require fine-grained access control, you can attach custom policies. For more information, see Attach a RAM policy to a RAM user or RAM role.
In this case, you can attach the following policy to the RAM user or RAM role that you want to use.
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acc:DescribeCommodityStatus",
        "acc:CheckServiceRole",
        "acc:DescribeCloudProducts",
        "acc:DescribeRegions",
        "acc:DescribeZones",
        "acc:GetInstancePrice"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "bssapi:GetPayAsYouGoPrice",
      "Resource": "*"
    },
    {
      "Action": "ecs:DescribePrice",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": "ram:GetRole",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "cs:CreateCluster",
        "cs:DescribeAddons"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Action": [
        "cs:GetClusters",
        "cs:DescribeClustersV1",
        "cs:DescribeClusterUserKubeconfig",
        "cs:DescribeClusterResources",
        "cs:DescribeUserQuota",
        "cs:DescribeClusterLogs",
        "cs:ModifyCluster",
        "cs:UpgradeCluster",
        "cs:GetUpgradeStatus",
        "cs:ResumeUpgradeCluster",
        "cs:PauseClusterUpgrade",
        "cs:CancelClusterUpgrade",
        "cs:InstallClusterAddons",
        "cs:UpgradeClusterAddons",
        "cs:DescribeClusterAddonsUpgradeStatus",
        "cs:UnInstallClusterAddons",
        "cs:DeleteCluster",
        "cs:DescribeClusterDetail",
        "cs:GetClusterAuditProject",
        "cs:DescribeClusterAddonsVersion",
        "cs:DescribeClusterTasks",
        "cs:DescribeClusterEvents",
        "cs:DescribeEvents",
        "cs:ListClusterReportSummary",
        "cs:GetClusterBasicInfo",
        "cs:ListReportTaskRule",
        "cs:CreateReportTaskRule",
        "cs:CreateClusterCheck"
      ],
      "Effect": "Allow",
      "Resource": "acs:cs:*:*:cluster/<yourclusterID>"
    },
    {
      "Action": [
        "cs:CheckServiceRole",
        "cs:DescribeKubernetesVersionMetadata"
      ],
      "Effect": "Allow",
      "Resource": "acs:cs:*:*:cluster/*"
    },
    {
      "Action": [
        "log:ListProject"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "1"
}
Replace <yourclusterID> with the ID of the cluster that you want to manage. Only the cs:CreateCluster statement uses Resource "*", because a cluster that has not been created yet has no ID to put in the ARN; every other cluster-level action is pinned to the ARN of that one cluster. For more information about the ACK API, see [Product Changes] ACK API enhances user authentication and List of operations by function.
RBAC authorization
After you perform RAM authorization, you must perform RBAC authorization for the RAM user or RAM role. The following table describes the predefined RBAC roles that are provided by ACK.
Role | RBAC permission |
Administrator | Read and write permissions on all resources in all namespaces. |
O&M engineer | Read and write permissions on the Kubernetes resources visible in the console in all namespaces, and read-only permissions on nodes, PVs, namespaces, and quotas. |
Developer | Read and write permissions on the resources visible in the console in all or specified namespaces. |
Restricted user | Read-only permissions on the resources visible in the console in all or specified namespaces. |
In this scenario, you can go to the authorization page in the ACS console and assign the O&M Engineer role to grant cluster and namespace permissions.
After the RBAC role is assigned, ACS automatically creates a ClusterRoleBinding in the cluster for the RAM user or RAM role. The following sample code shows the permissions provided by the O&M Engineer role:
If you require fine-grained RBAC access control, refer to Using RBAC Authorization and create a custom ClusterRole. Then, go to the authorization page in the ACS console, select Custom, and select the custom ClusterRole from the drop-down list. For more information, see Custom RBAC policies.
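How far a custom ClusterRole reaches depends on the binding it is attached through, which is the difference between the namespace-level and cluster-wide permissions described above. The following is an added example, not code from the ACS documentation or the ACS console: a small evaluator of the Kubernetes RBAC rules (a ClusterRole referenced by a RoleBinding applies only inside that namespace, a ClusterRoleBinding applies everywhere, resourceNames narrow a rule) run against a constructed ClusterRole, constructed bindings and made-up subject names (User:dev-alice, User:ops-bob). It lets you dry-run a custom ClusterRole before selecting it on the authorization page.

```python
"""Dry-run of Kubernetes RBAC scope for a custom ClusterRole.

Added example, not code from the ACS documentation or the ACS console. It models
the RBAC evaluation rules that matter for the namespace-level versus cluster-wide
distinction: a ClusterRole referenced by a RoleBinding grants its rules only inside
the binding's namespace, a ClusterRoleBinding grants them in every namespace, and
resourceNames narrow a rule to named objects. The ClusterRole, bindings and subject
names below are constructed and use rbac.authorization.k8s.io/v1 field names.
"""


def _matches(allowed, wanted):
    """A rule field matches when it lists the wanted value or the wildcard "*"."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, verb, api_group, resource, name):
    """Evaluate one PolicyRule against a single request (verb, group, resource, name)."""
    if not _matches(rule.get("verbs", []), verb):
        return False
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    names = rule.get("resourceNames")
    if names:  # a rule with resourceNames only matches requests for one of those objects
        return name in names
    return True


def can_i(cluster_roles, bindings, subject, verb, resource, namespace, api_group="", name=""):
    """Return True if any binding that names `subject` grants the request in `namespace`."""
    for binding in bindings:
        if subject not in binding["subjects"]:
            continue
        # RoleBinding: the referenced ClusterRole applies only inside the binding's namespace.
        # ClusterRoleBinding: it applies in every namespace.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        rules = cluster_roles[binding["roleRef"]]
        if any(rule_allows(r, verb, api_group, resource, name) for r in rules):
            return True
    return False


# Constructed custom ClusterRole: deploy apps, read pods, edit one named ConfigMap, no Secrets.
CLUSTER_ROLES = {
    "app-deployer": [
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "create", "update", "patch"]},
        {"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["configmaps"], "resourceNames": ["app-config"],
         "verbs": ["get", "update", "patch"]},
    ],
}

# Constructed bindings: the same ClusterRole, once namespace-scoped and once cluster-wide.
BINDINGS = [
    {"kind": "RoleBinding", "namespace": "team-a",
     "roleRef": "app-deployer", "subjects": ["User:dev-alice"]},
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": "app-deployer", "subjects": ["User:ops-bob"]},
]


def scope_report():
    """Answer the checks a reviewer would run before selecting the custom ClusterRole."""
    def q(subject, verb, resource, ns, **kw):
        return can_i(CLUSTER_ROLES, BINDINGS, subject, verb, resource, ns, **kw)

    return {
        "alice creates deployment in team-a": q("User:dev-alice", "create", "deployments", "team-a", api_group="apps"),
        "alice creates deployment in team-b": q("User:dev-alice", "create", "deployments", "team-b", api_group="apps"),
        "bob creates deployment in team-b": q("User:ops-bob", "create", "deployments", "team-b", api_group="apps"),
        "alice deletes deployment in team-a": q("User:dev-alice", "delete", "deployments", "team-a", api_group="apps"),
        "alice reads secrets in team-a": q("User:dev-alice", "get", "secrets", "team-a"),
        "alice updates app-config": q("User:dev-alice", "update", "configmaps", "team-a", name="app-config"),
        "alice updates other configmap": q("User:dev-alice", "update", "configmaps", "team-a", name="db-config"),
    }


if __name__ == "__main__":
    for check, allowed in scope_report().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {check}")
```

The two bindings reference the same ClusterRole, yet dev-alice can only deploy in team-a while ops-bob can deploy in any namespace; neither can read Secrets or delete Deployments, because the ClusterRole never lists them. Keep write verbs and resourceNames this tight in a custom ClusterRole, then confirm the effective scope against the live cluster with kubectl auth can-i as the bound identity.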
Scenario 2: Grant developers the permissions to manage your clusters and applications
Developers need permissions to access Kubernetes resource objects in ACS clusters. In this scenario, RBAC authorization grants the Kubernetes permissions; no write permissions on cloud resources are needed.
Before you perform RBAC authorization, make sure that the developers have at least read permissions (RAM authorization) on the specified cluster. If you set Resource to "*", the RAM user or RAM role can perform the operations in the Action list on all ACK clusters, including ACS clusters. Do not set Resource to * unless you understand the scope and impact of that authorization.
RAM authorization
Go to the RAM console and create a custom policy. Then, attach the policy to the RAM user or RAM role that you want to use. For more information, see Attach a RAM policy to a RAM user or RAM role. Sample custom policy:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acc:DescribeCommodityStatus",
        "acc:CheckServiceRole",
        "acc:DescribeCloudProducts",
        "acc:DescribeRegions",
        "acc:DescribeZones",
        "acc:GetInstancePrice"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "bssapi:GetPayAsYouGoPrice",
      "Resource": "*"
    },
    {
      "Action": [
        "cs:Get*",
        "cs:List*",
        "cs:Describe*"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:cs:*:*:cluster/<yourclusterID>"
      ]
    }
  ],
  "Version": "1"
}
Replace <yourclusterID> with the ID of the cluster that you want to manage.
Note: To grant only read permissions on ACS clusters, use this sample custom policy and specify the ARN of the ACS cluster. Do not attach the AliyunCSReadOnlyAccess policy, which is provided by ACK. Otherwise, the RAM user or RAM role has read permissions on all ACK clusters, including ACS clusters.
RBAC authorization
Go to the authorization page in the ACS console and assign the Developer role to grant cluster and namespace permissions to the RAM user or RAM role.
After the RBAC role is assigned, ACS automatically creates a ClusterRoleBinding in the cluster for the RAM user or RAM role. The following sample code shows the permissions provided by the Developer role:
Scenario 3: Grant authorization administrators the permissions to manage the permissions of RAM users and RAM roles
Permission administrators require the permissions to manage the RBAC permissions of other RAM users and RAM roles. By default, a RAM user or RAM role cannot grant RBAC permissions to other RAM users or RAM roles. If the authorization page in the ACS console shows the prompt "The current RAM user does not have management permissions. Contact the Alibaba Cloud account owner or the administrator to acquire the permissions." when you open it with a RAM user or RAM role, perform the RAM authorization and RBAC authorization described in this scenario to grant the required permissions to that RAM user or RAM role.
RAM authorization
You must add the following permissions to the policy that is attached to the RAM user or RAM role that you want to use:
Query other RAM users or RAM roles that belong to the same Alibaba Cloud account.
Attach RAM policies to a RAM user or RAM role.
Query the RBAC permissions of a RAM user or RAM role.
Grant RBAC permissions to other RAM users or RAM roles.
Log on to the RAM console and grant permissions to the RAM user or RAM role. For more information, see Attach a RAM policy to a RAM user or RAM role. Sample custom policy:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "acc:DescribeCommodityStatus",
        "acc:CheckServiceRole",
        "acc:DescribeCloudProducts",
        "acc:DescribeRegions",
        "acc:DescribeZones",
        "acc:GetInstancePrice"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "bssapi:GetPayAsYouGoPrice",
      "Resource": "*"
    },
    {
      "Action": [
        "ram:Get*",
        "ram:List*",
        "cs:GetUserPermissions",
        "cs:GetSubUsers",
        "cs:GrantPermission"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ram:AttachPolicyToUser",
        "ram:AttachPolicyToRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "acs:ram:*:*:policy/xxxx",
        "acs:*:*:*:user/*"
      ]
    }
  ],
  "Version": "1"
}
Replace xxxx with the name of the RAM policy that you want to attach. If you replace xxxx with an asterisk (*), the RAM user or RAM role is authorized to attach all RAM policies to other RAM users. Because the user/* resource also covers the administrator's own RAM user, a policy/* wildcard would let the administrator attach any policy, including a full-administrator policy, to itself. List the specific policy names that the administrator is allowed to hand out instead.
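Before attaching the custom policies from Scenario 1 and Scenario 3 (or any policy written from them), it is worth running a mechanical check for the mistakes this topic warns about. The following is an added example, not code from the ACS documentation: a small linter over a RAM policy document that flags whole-service wildcards such as cs:*, cs: actions whose Resource is "*" or cluster/* (which reach every ACK cluster, ACS clusters included), a <yourclusterID> placeholder that was never replaced, and ram:AttachPolicyToUser / ram:AttachPolicyToRole on policy/*. The two policy documents embedded in it are constructed, and the cluster ID in the scoped one is made up.

```python
"""Static checks for RAM policy documents before they are attached.

Added example, not code from the ACS documentation. It encodes the warnings
this topic repeats: cs: actions whose Resource is "*" (or cluster/*) apply to
every ACK cluster, ACS clusters included; a <yourclusterID> placeholder that was
never replaced is a mistake; and ram:AttachPolicyToUser / AttachPolicyToRole on
policy/* lets the holder attach any policy, including to its own principal.
The two policy documents below are constructed; the cluster ID is made up.
"""
import json
import re

CLUSTER_ARN = re.compile(r"^acs:cs:[^:]*:[^:]*:cluster/(?P<id>.+)$")
PLACEHOLDER = re.compile(r"<[^>]+>")
READ_ONLY = ("Get", "List", "Describe", "Check")
ATTACH = {"ram:AttachPolicyToUser", "ram:AttachPolicyToRole"}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _verb(action):
    return action.split(":", 1)[1] if ":" in action else action


def lint_policy(policy_text):
    """Return [(severity, message), ...] for one RAM policy document given as JSON text."""
    findings = []
    for i, st in enumerate(json.loads(policy_text).get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))

        # Rule 1: whole-service wildcard (cs:*, acc:*, ram:*), the shape of the system policies.
        for a in actions:
            if _verb(a) == "*":
                findings.append(("high", f"statement {i}: whole-service wildcard {a}"))

        # Rule 2: cs: actions not pinned to one cluster ARN reach all ACK clusters.
        cs_actions = [a for a in actions if a.startswith("cs:")]
        for r in resources:
            m = CLUSTER_ARN.match(r)
            cluster_id = m.group("id") if m else None
            if cs_actions and (r == "*" or cluster_id == "*"):
                sev = "medium" if all(_verb(a).startswith(READ_ONLY) for a in cs_actions) else "high"
                findings.append((sev, f"statement {i}: {len(cs_actions)} cs: action(s) on all ACK clusters via Resource {r}"))
            if cluster_id and PLACEHOLDER.search(cluster_id):
                findings.append(("high", f"statement {i}: placeholder {cluster_id} was not replaced"))

        # Rule 3: policy attachment on policy/* permits attaching any policy, including to oneself.
        granted = sorted(ATTACH & set(actions))
        if granted and any(r.endswith(":policy/*") for r in resources):
            findings.append(("critical", f"statement {i}: {', '.join(granted)} on policy/*"))
    return findings


def worst_severity(findings):
    """Collapse findings to a single level: 0 clean, 1 medium, 2 high, 3 critical."""
    order = {"medium": 1, "high": 2, "critical": 3}
    return max((order[s] for s, _ in findings), default=0)


# Constructed: Scenario 2 shape, read-only and pinned to one (made-up) cluster ID.
SCOPED_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": ["acc:DescribeRegions", "acc:CheckServiceRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cs:Get*", "cs:List*", "cs:Describe*"],
     "Resource": ["acs:cs:*:*:cluster/c0123456789abcdef0123456789abcde"]}
  ]
}"""

# Constructed: the mistakes the topic warns about, all in one document.
BROAD_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Effect": "Allow", "Action": "cs:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ram:AttachPolicyToUser", "ram:AttachPolicyToRole"],
     "Resource": ["acs:ram:*:*:policy/*", "acs:*:*:*:user/*"]},
    {"Effect": "Allow", "Action": ["cs:DescribeClusterDetail"],
     "Resource": "acs:cs:*:*:cluster/<yourclusterID>"}
  ]
}"""


if __name__ == "__main__":
    for label, text in (("scoped", SCOPED_POLICY), ("broad", BROAD_POLICY)):
        print(label, lint_policy(text) or "no findings")
```

The scoped document comes back clean; the broad one yields two findings for cs:* on "*", a critical finding for the policy/* attachment grant, and a finding for the placeholder left in the cluster ARN. The read-only statement on cluster/* in the Scenario 1 policy would be reported as medium, which is the intended signal: it is acceptable for cs:CheckServiceRole and cs:DescribeKubernetesVersionMetadata, but every other cs: action should be pinned to one cluster ARN.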
RBAC authorization
You must assign the Administrator role or the cluster-admin custom role to the RAM user or RAM role and specify the cluster and namespace to which the role is scoped.
Note: By default, Alibaba Cloud accounts and cluster owners are assigned the cluster-admin role and therefore have full access to all Kubernetes resources in the cluster.
After you perform RAM authorization and RBAC authorization for a RAM user or RAM role, you can use the RAM user or RAM role to grant other RAM users or RAM roles RBAC permissions that take effect within the specified scope. For more information, see Attach a RAM policy to a RAM user or RAM role.
Actions for ACS authorization
Permission (Action) | Description |
acc:CheckServiceRole | Check whether a ServiceRole is created for the current account to authorize ACS to access other cloud resources. |
acc:DescribeCommodityStatus | Check whether ACS is activated within the current account. |
bssapi:GetPayAsYouGoPrice | Query the unit prices of pay-as-you-go services. |
ram:ListUserBasicInfos | Query the basic information about all RAM users. |
ram:ListRoles | Query the basic information about all RAM roles. |
For more information about the actions, see RAM authorization.
This topic is for reference only. We recommend that you read RAM authorization and follow the least privilege principle when you create policies.
If you do not specify a cluster ID and set the authorization scope to *, the permissions are granted on all ACK clusters, including ACS clusters. Proceed with caution.