Grant permissions to MSE Ingress Controller in ACK clusters - Microservices Engine

If you need to use Microservices Engine (MSE) Ingress gateways to access services in Container Service for Kubernetes (ACK) clusters, you must grant related permissions to MSE Ingress Controller in the clusters. This topic describes how to grant permissions to MSE Ingress Controller in an ACK cluster.

Grant permissions to MSE Ingress Controller in an ACK managed cluster

You can use one of the following methods to grant permissions to MSE Ingress Controller in an ACK managed cluster:

If you need to use MSE Ingress Controller in an existing ACK managed cluster, use Method 1.
If you determine to use MSE Ingress Controller when you create an ACK managed cluster, use Method 2.

Method 1: Grant permissions to MSE Ingress Controller on the Add-ons page

When you install MSE Ingress Controller on the Add-ons page, permission verification is automatically implemented. If the error message "Failed to pass the precheck." appears, perform the following steps to grant permissions:

Move the pointer over the error message "Failed to pass the precheck.", and click View Report.
On the Report page, click the red box in the Error column. Then, click the link in the panel that appears.
On the RAM Quick Authorization page, click Authorize.
Reinstall MSE Ingress Controller.

Method 2: Grant permissions to MSE Ingress Controller when you create a cluster

When you install MSE Ingress Controller during the cluster creation process, check the status displayed for MSE Ingress Authorization Check in the Dependency Check section in the Confirm Order step. If Failed is displayed for MSE Ingress Authorization Check, click Authorize Now.
On the RAM Quick Authorization page, click Authorize.
Return to the Confirm Order step, and click Re-check. If the check is passed, click Create Cluster.

Grant permissions to MSE Ingress Controller in an ACK dedicated cluster

Log on to the ACK console.
In the left-side navigation pane, click Clusters. Then, click the name of the cluster that you want to manage.
On the cluster details page, click the Cluster Resources tab. On the Cluster Resources tab, click the hyperlink next to Worker RAM Role.
In the Resource Access Management (RAM) console, attach the AliyunMSEFullAccess policy to the worker RAM role.
1. On the Permissions tab of the Roles page, click Grant Permission.
2. In the Select Policy section of the Grant Permission panel, click the System Policy tab, and enter the policy name in the search box to perform a fuzzy search.
  For example, you can enter mse to search for AliyunMSEFullAccess.
3. Click AliyunMSEFullAccess to add the policy to the Selected list. Then, click OK.
You can check whether the AliyunMSEFullAccess policy is attached to the role in the policy list, as shown in the following figure.
Search for the ack-mse-ingress-controller application in the mse-ingress-controller namespace to which the cluster belongs, and click More in the Actions column of the application. In the list that appears, select Redeploy. Then, click OK.
After the application is redeployed, click the ack-mse-ingress-controller application to confirm that the pod of the application is in the Running state.

(Optional) Create a Simple Log Service policy and attach the policy to the worker RAM role of the cluster

If you want to activate Simple Log Service for the MSE cloud-native gateway by using an MseIngressConfig, you must grant permissions on Simple Log Service to the worker RAM role on the Cluster Resources tab.

Log on to the RAM console as a RAM user who has administrative rights.
In the left-side navigation pane, choose Permissions > Policies.
On the Policies page, click Create Policy.

On the Create Policy page, click the JSON tab, enter the following policy content in the code editor, and then click Next: Edit Basic Information.

{
    "Version": "1",
    "Statement": [
        {
            "Action": [
                "log:CloseProductDataCollection",
                "log:OpenProductDataCollection",
                "log:GetProductDataCollection"
            ],
            "Resource": [
                "acs:mse:*:*:instance/*",
                "acs:log:*:*:project/*/logstore/mse_*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": "ram:PassRole",
            "Resource": "acs:ram::*:role/aliyunserviceroleforslsaudit",
            "Effect": "Allow"
        },
        {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "ram:ServiceName": "audit.log.aliyuncs.com"
                }
            }
        }
    ]
}

Specify the Name and Description fields.
Click OK.
Grant permissions on Simple Log Service to the worker RAM role on the Cluster Resources tab.
1. Log on to the ACK console.
2. In the left-side navigation pane, click Clusters. Then, click the name of the cluster that you want to manage.
3. On the cluster details page, click the Cluster Resources tab. On the Cluster Resources tab, click the hyperlink next to Worker RAM Role.
4. In the RAM console, grant permissions on Simple Log Service to the worker RAM role.
  1. On the Permissions tab of the role details page, click Grant Permission.
  2. In the Grant Permission panel, click the Custom Policy tab in the Select Policy section, and then enter the policy name in the search box to perform a fuzzy search.
    Note
    The policy name is a custom name.
  3. Click the policy name and click OK.

Grant permissions to MSE Ingress Controller in an ACK Serverless cluster

You can use one of the following methods to grant permissions to MSE Ingress Controller in an ACK Serverless cluster:

If you need to use MSE Ingress Controller in an existing ACK Serverless cluster, use Method 1.
If you determine to use MSE Ingress Controller when you create an ACK Serverless cluster, use Method 2.

Method 1: Grant permissions to MSE Ingress Controller on the Add-ons page

Move the pointer over the error message "Failed to pass the precheck.", and click View Report.
On the Report page, click the red box in the Error column. Then, click the link in the panel that appears.
On the RAM Quick Authorization page, click Authorize.
Reinstall MSE Ingress Controller.

Method 2: Grant permissions to MSE Ingress Controller when you create a cluster

When you install MSE Ingress Controller during the cluster creation process, check the status displayed for MSE Ingress Authorization Check in the Dependency Check section in the Confirm Order step. If Failed is displayed for MSE Ingress Authorization Check, click Authorize Now.
On the RAM Quick Authorization page, click Authorize.
Return to the Confirm Order step, and click Re-check. If the check is passed, click Create Cluster.

Grant permissions to MSE Ingress Controller in an ACS cluster

You can use the following method to grant permissions to MSE Ingress Controller in an ACS cluster. If you determine to use MSE Ingress Controller when you create an ACS cluster, use the following method.

Method 1: Grant permissions to MSE Ingress Controller when you create a cluster

When you install MSE Ingress Controller during the cluster creation process, check the status displayed for MSE Ingress Authorization Check in the Dependency Check section in the Confirm Order step. If Failed is displayed for MSE Ingress Authorization Check, click Authorize Now.
On the RAM Quick Authorization page, click Authorize.
Return to the Confirm Order step, and click Re-check. If the check is passed, click Create Cluster.

What to do next

For more information about how to use an MSE Ingress gateway to access services in an ACK cluster, see Use MSE Ingresses to access applications in ACK clusters.