All Products
Search
Document Center

Container Service for Kubernetes:Attach a system permission policy to a RAM user or RAM role

最終更新日:Apr 22, 2024

By default, a Resource Access Management (RAM) user does not have permissions to call the APIs of Alibaba Cloud services. When you want to use Distributed Cloud Container Platform for Kubernetes (ACK One) as a RAM user or by assuming a RAM role, you need to grant the RAM user or RAM role permissions on managing ACK One resources. For example, you need to grant permissions to create Fleet instances, associate clusters, and create workflow clusters. ACK One provides default system permission policies to control global read and write permissions. This topic describes how to attach a system permission policy to a RAM user or RAM role.

Usage notes

You need to grant permissions to a RAM user or RAM role by using an Alibaba Cloud account or RAM administrator account. You cannot grant permissions by using a RAM user.

System permission policies supported by ACK One

RAM system policy

Permission

Cluster involved

Registered clusters

Fleet instances

Workflow clusters

AliyunAdcpFullAccess

Provides read and write permissions on all ACK One resources.

Yes

Yes

Yes

AliyunAdcpReadOnlyAccess

Provides read-only permissions on all ACK One resources.

Yes

Yes

Yes

AliyunCSFullAccess

Provides read and write permissions on all Container Service for Kubernetes (ACK) resources.

Yes

Yes

No

AliyunCSReadOnlyAccess

Provides read-only permissions on all ACK resources.

Yes

Yes

No

AliyunVPCReadOnlyAccess

Provides permissions to specify a virtual private cloud (VPC) for an ACK cluster to be created.

Yes

Yes

Yes

AliyunECIReadOnlyAccess

Provides permissions to schedule pods to elastic container instances.

Yes

Yes

Yes

AliyunLogReadOnlyAccess

Provides permissions to select an existing log project to store logs for an ACK cluster to be created or view the configuration inspection information of an ACK cluster.

Yes

Yes

Yes

AliyunARMSReadOnlyAccess

Provides permissions to view the monitoring data of the Managed Service for Prometheus plug-in in an ACK cluster.

Yes

Yes

Yes

AliyunRAMReadOnlyAccess

Provide permissions to view existing RAM policies.

Yes

Yes

Yes

AliyunECSReadOnlyAccess

Provides permissions to add existing nodes in the cloud to an ACK cluster or view node details.

Yes

No

No

AliyunContainerRegistryReadOnlyAccess

Provides permissions to view application images within an Alibaba Cloud account.

Yes

No

No

AliyunAHASReadOnlyAccess

Provides permissions to use the cluster topology feature.

Yes

No

No

AliyunYundunSASReadOnlyAccess

Provides permissions to view the runtime monitoring data of an ACK cluster.

Yes

No

No

AliyunKMSReadOnlyAccess

Provides permissions to enable the Secret encryption feature when you create an ACK cluster.

Yes

No

No

AliyunESSReadOnlyAccess

Provides permissions to perform node pool-related operations in the cloud, such as the permissions to view, modify, and scale node pools.

Yes

No

No

Grant permissions to a RAM user or RAM role

  1. Log on to the RAM console with an Alibaba Cloud account or a RAM user who has administrative rights.

  2. In the left-side navigation pane, choose Identities > Users.

  3. On the Users page, find the required RAM user and click Add Permissions in the Actions column.

  4. In the Add Permissions panel, grant permissions to the RAM user.

    1. Select the authorization scope.

    2. Specify the principal.

      The principal is the RAM user to which you want to grant permissions.

    3. In the Select Policy section, click System Policy, enter the name of the system permission policy that you want to attach into the search box, and then click the policy name.

      Note

      You can attach at most five policies to a RAM user or RAM role at a time. If you want to attach more than five policies, repeat the operation.

  5. Click OK.

  6. Click Complete.

References

RAM system permission policies can be used to control permissions only on ACK One resources. If a RAM user or RAM role needs to manage Kubernetes resources in the specified cluster, such as creating pods and obtaining node information, you need to grant the RAM user or RAM role Role-Based Access Control (RBAC) permissions on the cluster and its namespace. For more information, see Grant RBAC permissions to a RAM user or RAM role.