Authorization overview


ACK combines RAM and Kubernetes RBAC to govern access to cloud infrastructure and in-cluster resources.

Authorization system

ACK uses RAM for infrastructure-level permissions and RBAC for in-cluster resource access.

  • RAM authorization: Grants permissions via RAM policies to call ACK and dependent cloud service APIs. Covers operations such as:

    • Cluster: create, view, upgrade, and delete

    • Node pool: create, modify, and scale

    • Permission management

    • Cluster monitoring, logs, and events

  • RBAC authorization: Based on Kubernetes RBAC, grants permissions at the in-cluster resource level. RBAC authorization grants different users permissions to operate on different Kubernetes resources. This includes create, read, update, and delete (CRUD) operations on Kubernetes object resources, such as:

    • Workloads: Deployment, StatefulSet, DaemonSet, Job, CronJob, Pod, ReplicaSet, and more.

    • Network: Service, Ingress, NetworkPolicy, and more.

    • Storage: persistent volume (PV), persistent volume claim (PVC), StorageClass, and more.

    • Namespace, ConfigMap, Secret, and more.

Permission types

  • RAM authorization

    • Is authorization required?

      • Required for RAM users and roles.

      • Alibaba Cloud accounts have full access by default.

      • Service role: On first ACK use, authorize with an Alibaba Cloud account or RAM administrator (RAM user).

    • Permission description

      • RAM authorization supports system policies and custom policies. After authorization, RAM users or RAM roles can access associated cloud service resources.

      • An authorized service role can access ACK and other cloud resources on your behalf. See ACK service roles.

  • RBAC authorization

    • Is authorization required?

      • Required for RAM users and roles.

      • Alibaba Cloud accounts have full access by default.

    • Permission description

      • Authorized RAM users and roles can operate on Kubernetes resources within the cluster.

RAM authorization

RAM users and RAM roles have no default permissions to call Alibaba Cloud service APIs. Configure system or custom RAM policies as needed. See Use RAM to grant access permissions to clusters and cloud resources.

Other scenarios for RAM authorization

RBAC authorization

RAM authorization covers cluster-level operations only. To access Kubernetes resources such as pods and nodes, grant RBAC authorization on the ACK console Permission Management page.

Kubernetes RBAC provides the following role and binding types:

  • Role: Defines access permissions for resources within a single namespace.

  • RoleBinding: Binds a user to a Role.

  • ClusterRole: Defines cluster-wide resource permissions.

  • ClusterRoleBinding: Binds a user to a ClusterRole.

Roles and ClusterRoles contain allow rules only; Kubernetes RBAC does not support deny rules. To write custom ClusterRoles and Roles, see Use custom RBAC to restrict operations on in-cluster resources.

Important

Permission management in ACK supports binding custom ClusterRoles to RAM users or RAM roles in a cluster. It does not support binding custom Roles to RAM users or RAM roles.

The Container Service for Kubernetes (ACK) console provides preset ClusterRoles to simplify permission assignment. See Use RBAC to authorize operations on in-cluster resources.

Table 1. Role permission description (preset role and its in-cluster RBAC permissions)

  • Administrator: Full read/write access to all Kubernetes resources across all namespaces, including cluster nodes, PVs, namespaces, and resource quotas.

  • Read-only Administrator: Read-only access to all Kubernetes resources across all namespaces, including cluster nodes, PVs, namespaces, and resource quotas.

  • OM Engineer: Read/write access to console-exposed resources across all namespaces. Includes read/update access to cluster nodes, PVs, and namespaces, and read-only access to all other resources.

  • Developer: Read/write access to console-exposed resources in all or specified namespaces of the cluster.

  • Restricted User: Read-only access to console-exposed resources in all or specified namespaces of the cluster.

  • Custom: Permissions depend on the specified ClusterRole. To prevent identities from gaining unintended access, verify the permissions of the ClusterRole before assigning it. See Restrict resource operations with custom RBAC.
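As an added example that is not part of the ACK documentation, the following check is one a cluster administrator can run on a custom ClusterRole before binding it to a RAM user or role, as the Custom row above recommends. The resource and verb lists are an assumed review policy, and the sample ClusterRole is constructed.

```python
import json

# Review thresholds for a hypothetical pre-assignment check; adjust to your own policy.
SENSITIVE_RESOURCES = {"secrets", "clusterroles", "clusterrolebindings", "roles",
                       "rolebindings", "nodes", "persistentvolumes"}
SENSITIVE_VERBS = {"*", "escalate", "bind", "impersonate", "deletecollection"}
READ_VERBS = {"get", "list", "watch"}


def audit_clusterrole(role: dict) -> list[str]:
    """Return findings for a ClusterRole object (the JSON from
    `kubectl get clusterrole NAME -o json`). An empty list means nothing was flagged.
    Kubernetes RBAC has allow rules only, so every rule can only widen access."""
    name = role.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources:
            findings.append(f"{name} rule {i}: wildcard grant on {sorted(groups)}/{sorted(resources)}")
        if verbs & SENSITIVE_VERBS:
            findings.append(f"{name} rule {i}: sensitive verbs {sorted(verbs & SENSITIVE_VERBS)}")
        if "secrets" in resources and verbs & (READ_VERBS | {"*"}):
            findings.append(f"{name} rule {i}: can read Secrets")
        writable = resources & SENSITIVE_RESOURCES
        if writable and verbs - READ_VERBS:
            findings.append(f"{name} rule {i}: write access to {sorted(writable)}")
    return findings


# Constructed sample: a custom ClusterRole whose last rule is far too broad.
SAMPLE_CLUSTERROLE = json.loads("""
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "example-dev-role"},
 "rules": [
   {"apiGroups": ["apps", ""], "resources": ["deployments", "pods"],
    "verbs": ["get", "list", "watch", "create", "update"]},
   {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
   {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}
 ]}
""")

if __name__ == "__main__":
    for finding in audit_clusterrole(SAMPLE_CLUSTERROLE):
        print(finding)
```

A ClusterRole that carries an aggregationRule has its rules filled in by the controller, so audit the live object returned by the API server rather than the manifest you wrote.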

Important

Any RAM user or RAM role with the cluster-admin permission has full control over all cluster resources, equivalent to a root Alibaba Cloud account. Grant this permission with extreme caution.

If a RAM user or RAM role needs to perform cluster and application OM, you must grant RAM authorization before RBAC authorization. Typical authorization scenarios:

Important

Deleting a RAM user or RAM role does not revoke its RBAC permissions or the permissions carried by its KubeConfig. Manually revoke KubeConfig permissions during offboarding or security remediation.