By default, only an Alibaba Cloud account and the account that creates a Distributed Cloud Container Platform for Kubernetes (ACK One) Fleet instance have administrator permissions on the Kubernetes resources on the Fleet instance. You must grant the required permissions to a Resource Access Management (RAM) user before you can use the RAM user to create and delete Fleet instances, associate clusters with a Fleet instance, or disassociate clusters from a Fleet instance. This topic describes how to grant RAM permissions and role-based access control (RBAC) permissions to a RAM user.
Prerequisites
Alibaba Cloud CLI 3.0.159 or later is installed and credentials are configured for Alibaba Cloud CLI. For more information, see Install Alibaba Cloud CLI and Configure credentials.
Usage notes for authorization
By default, only an Alibaba Cloud account and the account that creates a Fleet instance have administrator permissions on the Kubernetes resources on the Fleet instance. RAM users other than the creator of a Fleet instance cannot access Kubernetes resources on the Fleet instance.
The administrator or the Fleet instance creator can authorize a RAM user to access and manage the Fleet instance by using the following methods:
Step 1: Grant RAM permissions to a RAM user: After you grant RAM permissions to a RAM user, the RAM user can view or modify the Fleet instance in the ACK One console.
Step 2: Grant a RAM user RBAC permissions on the Fleet instance: After the authorization is complete, the RAM user can run kubectl commands to use the features of the Fleet instance, such as application distribution, GitOps, and multi-cluster Services (MCS).
Step 1: Grant RAM permissions to a RAM user
By default, the AliyunAdcpFullAccess and AliyunAdcpReadOnlyAccess RAM policies are created for Fleet instances of ACK One. You can directly attach the RAM policies to a RAM user. For more information about how to attach RAM policies to a RAM user, see Grant permissions to the RAM user.
| System policy | System permission | Description |
| --- | --- | --- |
| AliyunAdcpFullAccess | This policy provides full access to Fleet instances, including the permissions to grant permissions to RAM users and the permissions to enable, disable, create, delete, and view Fleet instances. | If you want to set a RAM user as an administrator of a Fleet instance, attach the AliyunAdcpFullAccess policy to the RAM user. |
| AliyunAdcpReadOnlyAccess | This policy provides read-only access to Fleet instances, including the permissions to view Fleet instances and query the kubeconfig files of Fleet instances. | If you want to set a RAM user as a developer, attach the AliyunAdcpReadOnlyAccess policy to the RAM user. This way, you can use the RAM user to manage applications based on GitOps, distribute applications to associated clusters, and use the MCS feature. |
Step 2: Grant a RAM user RBAC permissions on the Fleet instance
Fleet instances of ACK One provide three predefined RBAC roles: admin, dev, and gitops-dev. You can assign the RBAC roles to a RAM user.
| RBAC role | Description |
| --- | --- |
| admin | This role provides read and write permissions on cluster-wide resources and resources in all namespaces. |
| dev | This role provides read and write permissions on Kubernetes resources in a specified namespace. |
| gitops-dev | This role provides read and write permissions on Kubernetes resources in the argocd namespace. |
Cluster-wide resources
| Kind | apiVersion |
| --- | --- |
| Namespace | v1 |
| ManagedCluster | cluster.open-cluster-management.io |
| MseIngressConfig | mse.alibabacloud.com/v1alpha1 |
| IngressClass | networking.k8s.io/v1 |
Namespace-scoped resources
| Kind | apiVersion |
| --- | --- |
| Deployment | apps/v1 |
| Service | v1 |
| Ingress | networking.k8s.io/v1 |
| ConfigMap | v1 |
| Secret | v1 |
| StatefulSet | apps/v1 |
| PersistentVolumeClaim | v1 |
| ServiceExport | multicluster.x-k8s.io/v1alpha1 |
| ServiceImport | multicluster.x-k8s.io/v1alpha1 |
| HorizontalPodAutoscaler | autoscaling/v1 |
| Application, ApplicationSet, AppProject | argoproj.io |
| Application | core.oam.dev |
Resources in the argocd namespace
| Kind | apiVersion |
| --- | --- |
| Application | argoproj.io |
The following section describes how to assign a role to a RAM user.
To grant admin permissions, you must set the RoleType parameter to cluster. To grant dev or gitops-dev permissions, you must set the RoleType parameter to namespace.
Grant admin permissions on Fleet instances
aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <clusterid> --RoleType cluster --RoleName admin
Grant dev permissions on the namespaces of Fleet instances
aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <your-fleet-id> --RoleType namespace --Namespace default --RoleName dev
Grant gitops-dev permissions on the argocd namespace
aliyun adcp GrantUserPermission --UserId 2176*** --ClusterId <your-fleet-id> --RoleType namespace --Namespace argocd --RoleName gitops-dev
Request parameters
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| UserId | string | Yes | The RAM user ID. |
| ClusterId | string | Yes | The ID of the Fleet instance that you want to authorize the RAM user to manage. |
| RoleType | string | Yes | The authorization type. Valid values: cluster, namespace. Note: To grant admin permissions, you must set the RoleType parameter to cluster. To grant dev or gitops-dev permissions, you must set the RoleType parameter to namespace. |
| RoleName | string | Yes | The predefined role name. Valid values: admin, dev, gitops-dev. Note: To grant gitops-dev permissions, you must set the RoleType parameter to namespace. |
| Namespace | string | No | The namespace to which the permissions are scoped. Leave this parameter empty when the RoleType parameter is set to cluster. |
What to do next
Query the RBAC permissions of a RAM user
Sample command
aliyun adcp DescribeUserPermissions --UserId 2176***
Request parameters
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| UserId | string | Yes | The RAM user ID. |
Response parameters
| Parameter | Type | Description | Example |
| --- | --- | --- | --- |
| RequestId | string | The request ID. | EA06613B-37A3-549E-BAE0-E4AD8A6E93D7 |
| Permissions | Object | The permissions that are granted to the RAM user. | None |
| RoleType | string | The role type. Valid values: admin, dev, gitops-dev. | dev |
| ResourceType | string | The authorization type. Valid values: cluster, namespace. | namespace |
| ResourceId | string | The access configuration. | cffef3c9c7ba145b083292942a2c3****/test |
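To tie the grant step (Step 2 above) and the permission query together, here is an added Python helper that is not part of the Alibaba Cloud documentation or CLI: it builds a GrantUserPermission command only when RoleType, RoleName and Namespace are consistent with the rules above, and flattens a DescribeUserPermissions response so that cluster-wide admin grants stand out for review. It assumes the Permissions field of the response is a list and that ResourceId is the Fleet ID followed by /namespace for namespace-scoped grants; the sample response is constructed.

```python
import json

# Predefined Fleet RBAC roles and the RoleType each one requires
# (admin is cluster-scoped; dev and gitops-dev are namespace-scoped).
ROLE_TYPE = {"admin": "cluster", "dev": "namespace", "gitops-dev": "namespace"}


def grant_args(user_id, fleet_id, role_name, namespace=None):
    """Build the argument list for `aliyun adcp GrantUserPermission`, refusing
    parameter combinations the documentation rules out or that would over-grant."""
    if role_name not in ROLE_TYPE:
        raise ValueError(f"unknown role {role_name!r}; valid: {sorted(ROLE_TYPE)}")
    role_type = ROLE_TYPE[role_name]
    if role_type == "cluster" and namespace:
        raise ValueError("Namespace must be empty when RoleType is cluster")
    if role_type == "namespace" and not namespace:
        raise ValueError(f"{role_name} is namespace-scoped; Namespace is required")
    if role_name == "gitops-dev" and namespace != "argocd":
        raise ValueError("gitops-dev is defined on the argocd namespace only")
    args = ["aliyun", "adcp", "GrantUserPermission", "--UserId", user_id,
            "--ClusterId", fleet_id, "--RoleType", role_type, "--RoleName", role_name]
    if namespace:
        args += ["--Namespace", namespace]
    return args


def parse_permissions(response_text):
    """Flatten a DescribeUserPermissions response into (fleet_id, scope, role) tuples.
    Assumption: Permissions is a list, and ResourceId is '<fleet-id>/<namespace>' for
    namespace grants and the bare '<fleet-id>' for cluster grants."""
    out = []
    for p in json.loads(response_text).get("Permissions", []):
        fleet_id, _, ns = p["ResourceId"].partition("/")
        scope = ns if p["ResourceType"] == "namespace" else "<cluster>"
        out.append((fleet_id, scope, p["RoleType"]))
    return out


def cluster_admins(perms):
    """Fleet IDs on which the user holds cluster-wide admin: the grants to review first."""
    return sorted({f for f, scope, role in perms if scope == "<cluster>" and role == "admin"})


# Constructed sample in the documented response shape (not real API output).
SAMPLE = json.dumps({"RequestId": "EXAMPLE-REQUEST-ID", "Permissions": [
    {"RoleType": "dev", "ResourceType": "namespace",
     "ResourceId": "cffef3c9c7ba145b083292942a2c3****/test"},
    {"RoleType": "admin", "ResourceType": "cluster",
     "ResourceId": "cffef3c9c7ba145b083292942a2c3****"},
]})
```

Feed the JSON printed by `aliyun adcp DescribeUserPermissions --UserId <id>` to parse_permissions and pass the result to cluster_admins to list the Fleet instances on which the RAM user is a full administrator.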
Revoke RBAC permissions from a RAM user
Sample command
aliyun adcp DeleteUserPermission --UserId 2176*** --ClusterId <clusterid>
Request parameters
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| UserId | string | Yes | The RAM user ID. |
| ClusterId | string | Yes | The ID of the Fleet instance. |
Response parameters
| Parameter | Type | Description | Example |
| --- | --- | --- | --- |
| RequestId | string | The request ID. | EA06613B-37A3-549E-BAE0-E4AD8A6E93D7 |