If the predefined ClusterRoles in the Container Service for Kubernetes (ACK) console do not meet your requirements, you can create custom Roles and ClusterRoles. This allows you to implement fine-grained role-based access control (RBAC) and tailor permissions to your needs. This topic describes how to configure these custom permissions.
Custom RBAC policies
You can create custom YAML manifests for Roles and ClusterRoles to implement fine-grained access control over resources in your ACK cluster. Use the policy information for the following resources as a guide.
Role (namespace-scoped)
The following YAML example defines a Role named my-role. This Role grants read-only permissions on Pods in the default namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: my-role
rules: # A list of permission rules.
- apiGroups: [""] # The API group of the resource. An empty string "" indicates the core API group.
  resources: ["pods"] # The resource type that the rule applies to.
  verbs: ["get", "list"] # The actions that are allowed on the resource.
ClusterRole (cluster-scoped)
The following YAML example defines a ClusterRole named my-clusterrole. This ClusterRole grants read-only permissions on Pods and Services across the entire cluster.
A ClusterRole is a cluster-scoped resource. If you specify a namespace in the YAML, it is ignored.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # namespace: default # A namespace is not required for a ClusterRole.
  name: my-clusterrole
rules: # A list of permission rules.
- apiGroups: [""] # The API group of the resource.
  resources: ["pods"] # The resource type.
  verbs: ["get", "list"] # The allowed actions.
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]
This allows you to grant granular access control over cluster resources to RAM users or RAM roles.
Common resource policies
Read permissions
- get: Read the details of a specific resource.
- list: List a collection of resources.
- watch: Monitor resources for changes and receive real-time updates.
Write permissions
- create: Create a new resource instance.
- update: Modify an existing resource.
- patch: Apply a partial modification to an existing resource.
- delete: Delete a specified resource.
Permissions (verbs): every resource in the table accepts any combination of the read and write verbs listed above.
| Resource name | Resource type (resources) | API group (apiGroups) |
| --- | --- | --- |
| Pod | resources: ["pods"] | apiGroups: [""] |
| Service | resources: ["services"] | apiGroups: [""] |
| ConfigMap | resources: ["configmaps"] | apiGroups: [""] |
| Secret | resources: ["secrets"] | apiGroups: [""] |
| PersistentVolume | resources: ["persistentvolumes"] | apiGroups: [""] |
| PersistentVolumeClaim | resources: ["persistentvolumeclaims"] | apiGroups: [""] |
| Namespace | resources: ["namespaces"] | apiGroups: [""] |
| Deployment | resources: ["deployments"] | apiGroups: ["apps"] |
| DaemonSet | resources: ["daemonsets"] | apiGroups: ["apps"] |
| StatefulSet | resources: ["statefulsets"] | apiGroups: ["apps"] |
| Ingress | resources: ["ingresses"] | apiGroups: ["networking.k8s.io"] |
| NetworkPolicy | resources: ["networkpolicies"] | apiGroups: ["networking.k8s.io"] |
| Job | resources: ["jobs"] | apiGroups: ["batch"] |
| CronJob | resources: ["cronjobs"] | apiGroups: ["batch"] |
| StorageClass | resources: ["storageclasses"] | apiGroups: ["storage.k8s.io"] |
| HorizontalPodAutoscaler | resources: ["horizontalpodautoscalers"] | apiGroups: ["autoscaling"] |
Procedure
You can apply custom RBAC permissions by using the ACK console or kubectl.
The Container Service for Kubernetes (ACK) console supports binding only custom ClusterRoles. To bind a custom Role, use the kubectl command-line tool.
Console
Step 1: Create a custom ClusterRole
- Log on to the ACK console. In the left navigation pane, click Clusters.
- On the Clusters page, click the name of your cluster. In the left navigation pane, click .
- On the Role page, click the Cluster Role tab. Then, click Create.
- In the Create YAML panel, enter the YAML manifest for your custom policy, and then click OK to create the ClusterRole.
  This step uses the YAML for a ClusterRole (cluster-scoped) as an example. After the ClusterRole is created, you can view the custom ClusterRole my-clusterrole on the Cluster Role tab.
Step 2: Assign the custom ClusterRole
- Log on to the ACK console. In the left navigation pane, click Authorizations.
- On the Authorizations page, configure permissions.
  - To grant permissions to a RAM user: Click the RAM Users tab, find the target RAM user, and click Modify Permissions in the Actions column to go to the Permissions page.
  - To grant permissions to a RAM role: Click the RAM Role tab, find the target RAM role, and click Modify Permissions to go to the Permission Management page.
- Click +Add Permissions. In the dialog box, select the Cluster where you created the ClusterRole and the Namespace that you want to authorize. In the Permissions section, select Custom. From the drop-down list that appears, select my-clusterrole, and then click Submit.
kubectl
Step 1: Create a custom ClusterRole
- Create a file named my-clusterrole.yaml that contains the following YAML manifest.
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRole
  metadata:
    name: my-clusterrole
    # namespace: default # A namespace is not required for a ClusterRole and is ignored if specified.
  rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
- Run the following command to deploy the ClusterRole:
  kubectl apply -f my-clusterrole.yaml
Step 2: Get subject ID
- To grant permissions to a RAM user, you must obtain their user ID. For more information, see View the details of a RAM user.
- To grant permissions to a RAM role, you must obtain its role ID. For more information, see View information about a RAM role.
Step 3: Assign the custom ClusterRole
- Create a file named my-clusterrole-binding.yaml that contains the following YAML manifest.
  apiVersion: rbac.authorization.k8s.io/v1
  kind: ClusterRoleBinding
  metadata:
    name: my-clusterrole-binding
  subjects:
  - kind: User
    name: "20811XXXXXXXXX2288" # The user ID or role ID of the subject obtained in Step 2.
  roleRef:
    kind: ClusterRole
    name: my-clusterrole
    apiGroup: rbac.authorization.k8s.io
- Run the following command to deploy the ClusterRoleBinding:
  kubectl apply -f my-clusterrole-binding.yaml
After you grant the custom permissions to the target RAM user or RAM role, obtain the kubeconfig file for the cluster and use kubectl to connect to the cluster to verify the permissions.
FAQ
How do I grant console terminal access?
By default, a RAM user or RAM role cannot access a container's terminal from the ACK console, even with get and list read-only permissions for Pods. This action requires get and create permissions on the pods/exec Pod subresource.
Therefore, you must grant get and create permissions on the pods/exec resource in the rules of a Role or ClusterRole, and then bind the role to the target user or user group. The following is an example.
To access the terminal: Log on to the ACK console. On the Clusters page, click the name of the target cluster. In the left-side navigation pane, choose . In the Actions column, click Terminal.
Role
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: ns-role
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
# Grant permissions on pods/exec in the namespace.
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["get", "create"]
ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  # namespace: default
  name: my-clusterrole
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get", "list"]
# Grant permissions on pods/exec in the cluster.
- apiGroups: [""]
  resources: ["pods/exec"]
  verbs: ["get", "create"]
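The FAQ's point that get and list on pods do not cover the pods/exec subresource can be checked offline before a manifest is applied. The following Python is an added example, not ACK or Kubernetes code: it reimplements the core rule matching the API server applies (verbs, API groups, resources, subresources and the "*" wildcard) and evaluates the page's my-role and ns-role rules; the rule dictionaries mirror the YAML above and are constructed here.

```python
"""Minimal matcher for Kubernetes RBAC policy rules (illustration only)."""
from typing import Dict, List

# A rule mirrors one entry under "rules:" in a Role or ClusterRole manifest.
Rule = Dict[str, List[str]]


def _matches(allowed: List[str], value: str) -> bool:
    # "*" in a rule list matches every value, as in the API server.
    return "*" in allowed or value in allowed


def rule_allows(rule: Rule, api_group: str, resource: str, verb: str) -> bool:
    """True if one rule permits the (apiGroup, resource, verb) request."""
    resources = rule.get("resources", [])
    resource_ok = _matches(resources, resource)
    # A subresource such as "pods/exec" is only matched by "pods/exec",
    # by "*/exec" or by "*"; a plain "pods" entry does not cover it.
    if not resource_ok and "/" in resource:
        _, sub = resource.split("/", 1)
        resource_ok = f"*/{sub}" in resources
    return (_matches(rule.get("apiGroups", []), api_group)
            and resource_ok
            and _matches(rule.get("verbs", []), verb))


def allows(rules: List[Rule], api_group: str, resource: str, verb: str) -> bool:
    """True if any rule in the Role/ClusterRole permits the request."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


# Rules of the page's read-only my-role: get and list on pods in the core group.
READ_ONLY_RULES: List[Rule] = [
    {"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]},
]
# Rules of the FAQ's ns-role: read-only pods plus the pods/exec subresource.
EXEC_RULES: List[Rule] = READ_ONLY_RULES + [
    {"apiGroups": [""], "resources": ["pods/exec"], "verbs": ["get", "create"]},
]

if __name__ == "__main__":
    # Read-only pods does not allow opening a terminal (create on pods/exec).
    print(allows(READ_ONLY_RULES, "", "pods/exec", "create"))  # False
    # ns-role grants the exec subresource without granting delete on pods.
    print(allows(EXEC_RULES, "", "pods/exec", "create"))  # True
    print(allows(EXEC_RULES, "", "pods", "delete"))  # False
```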