Use custom worker RAM Roles for fine-grained Node Pool permissions


To enforce the principle of least privilege, assign a custom Resource Access Management (RAM) role to specific node pools in your ACK cluster. When every node pool shares the single default worker role, that role accumulates the permissions any one pool needs and every node gets all of them. A custom role scopes permissions to the node pool that actually uses them.

Important

A custom worker RAM role can be assigned only when creating a cluster or a new node pool. The worker RAM role of an existing node pool cannot be modified.

Prerequisites

Before you begin, ensure you meet the following requirements:

  • Cluster version: An ACK managed cluster running Kubernetes 1.22 or later. See Create an ACK managed cluster.

  • Operator permissions: The RAM user or RAM role used to create the node pool must have the ram:PassRole permission. PassRole is what authorizes an operator to hand a role they do not hold themselves to the nodes, so scope it to the roles that node pools are meant to use.

    Note

    If the RAM user or RAM role already has the AliyunCSFullAccess permission, the ram:PassRole permission is not required.

    ram:PassRole policy examples

    Use one of the following permission policy examples. For instructions on creating and attaching policies, see Create a custom policy, Manage RAM user permissions, and Grant permissions to a RAM role.

    Authorize a specific RAM role

    Replace <role_arn> with the ARN of your RAM role. To find the ARN, see How do I view the ARN of a RAM role? The acs:Service condition restricts PassRole to requests made through Container Service (cs.aliyuncs.com), so the same identity cannot pass the role to any other service.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ram:PassRole",
          "Resource": [
            "<role_arn>"
          ],
          "Condition": {
            "StringEquals": {
              "acs:Service": [
                "cs.aliyuncs.com"
              ]
            }
          }
        }
      ]
    }

    Authorize all RAM roles (use with caution)

    This policy lets the operator pass any RAM role in the account to Container Service, including roles with far more permissions than any node pool needs. Prefer the role-specific policy above.

    {
      "Version": "1",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ram:PassRole",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "acs:Service": [
                "cs.aliyuncs.com"
              ]
            }
          }
        }
      ]
    }

Step 1: Create a custom RAM role

Create the RAM role that you want to assign to your node pool. The RAM role must meet two requirements:

  • Naming: The role name must not start with KubernetesMasterRole- or KubernetesWorkerRole-.

  • Trust entity: The trusted entity type must be Cloud Service, not an Alibaba Cloud account or an identity provider.

Use either of the following methods to create the role.

Console

Follow the instructions in Create a regular service role.

OpenAPI or Terraform

Create the role using OpenAPI or Terraform, then configure the trust policy as follows. The principal is ecs.aliyuncs.com because worker nodes are ECS instances and the ECS service assumes the role on the instance's behalf. For details on editing the trust policy, see Edit the trust policy of a RAM role.

{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "ecs.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
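The two JSON documents on this page are easy to get subtly wrong: dropping the acs:Service condition, widening Resource to "*", or trusting an account instead of a service. The following Python linter is an added example, not part of ACK or the RAM tooling. It checks a ram:PassRole permission policy (Prerequisites) and a worker role name plus trust policy (Step 1) against the requirements stated above. The sample documents, the account ID and the role name inside the ARN are constructed placeholders.

```python
"""Offline checks for the RAM documents a custom worker role needs:
the operator's ram:PassRole policy and the role's trust policy.
Added example for this page; not ACK or RAM tooling.
Sample documents below are constructed; account ID and role name are placeholders.
"""

ACK_SERVICE = "cs.aliyuncs.com"   # service the role is passed to
ECS_SERVICE = "ecs.aliyuncs.com"  # worker nodes are ECS instances; ECS assumes the role
RESERVED_PREFIXES = ("KubernetesMasterRole-", "KubernetesWorkerRole-")


def _as_list(value):
    """RAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_passrole_policy(policy: dict) -> list:
    """Findings for every Allow statement that grants ram:PassRole.

    A clean statement names specific role ARNs and carries the acs:Service
    condition that pins the grant to Container Service.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"ram:passrole", "ram:*", "*"}:
            continue
        for res in _as_list(stmt.get("Resource")):
            if res == "*" or res.endswith(":role/*"):
                findings.append(f"statement {idx}: PassRole on Resource '{res}' lets the "
                                "operator attach any role in the account to a node pool")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        services = {s.lower() for s in _as_list(cond.get("acs:Service"))}
        if not services:
            findings.append(f"statement {idx}: no acs:Service condition; "
                            f"PassRole is not limited to {ACK_SERVICE}")
        elif services != {ACK_SERVICE}:
            findings.append(f"statement {idx}: acs:Service allows {sorted(services)}; "
                            f"expected only {ACK_SERVICE}")
    return findings


def check_worker_role(role_name: str, trust_policy: dict) -> list:
    """Findings for the custom worker role's name and trust policy.

    The name must avoid the prefixes ACK reserves for its default roles, and
    the trusted entity must be a cloud service (ECS) rather than an account.
    """
    findings = []
    if role_name.startswith(RESERVED_PREFIXES):
        findings.append(f"role name '{role_name}' uses a prefix reserved for ACK default roles")
    ecs_trusted = False
    for idx, stmt in enumerate(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        for kind in principal:
            if kind != "Service":
                findings.append(f"statement {idx}: trusts a '{kind}' principal; "
                                "the trusted entity must be a cloud service")
        for svc in _as_list(principal.get("Service")):
            if svc == ECS_SERVICE:
                ecs_trusted = True
            else:
                findings.append(f"statement {idx}: also trusts {svc}; "
                                "only ECS needs to assume a worker role")
    if not ecs_trusted:
        findings.append(f"trust policy never lets {ECS_SERVICE} assume the role")
    return findings


# Constructed samples; the ARN's account ID and role name are placeholders.
ROLE_ARN = "acs:ram::123456789012:role/ack-nodepool-batch"
_PIN_TO_ACK = {"StringEquals": {"acs:Service": [ACK_SERVICE]}}
SCOPED_PASSROLE = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "ram:PassRole",
                   "Resource": [ROLE_ARN], "Condition": _PIN_TO_ACK}]}
WILDCARD_PASSROLE = {"Version": "1", "Statement": [{"Effect": "Allow", "Action": "ram:PassRole",
                     "Resource": "*", "Condition": _PIN_TO_ACK}]}
UNCONDITIONED_PASSROLE = {"Version": "1", "Statement": [{"Effect": "Allow",
                          "Action": "ram:PassRole", "Resource": [ROLE_ARN]}]}
WORKER_TRUST = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                "Principal": {"Service": [ECS_SERVICE]}}]}
ACCOUNT_TRUST = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                 "Principal": {"RAM": ["acs:ram::123456789012:root"]}}]}

if __name__ == "__main__":
    for label, findings in [
        ("scoped PassRole policy", check_passrole_policy(SCOPED_PASSROLE)),
        ("wildcard PassRole policy", check_passrole_policy(WILDCARD_PASSROLE)),
        ("PassRole without condition", check_passrole_policy(UNCONDITIONED_PASSROLE)),
        ("worker role, ECS trust", check_worker_role("ack-nodepool-batch", WORKER_TRUST)),
        ("worker role, account trust", check_worker_role("ack-nodepool-batch", ACCOUNT_TRUST)),
    ]:
        print(f"{label}: {'ok' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

Run the checks against the documents you are about to apply before attaching the policy to the operator or the role to a node pool; the wildcard variant and a policy without the acs:Service condition are both reported, and a trust policy that names an account principal instead of ecs.aliyuncs.com fails twice (wrong principal type, and ECS never allowed to assume the role).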

Step 2: Assign the role to a new node pool

After the role is created, attach it when creating a cluster or node pool.

  1. Log on to the ACK console.

  2. Navigate to the cluster creation or node pool creation page.

  3. Expand the Advanced Options section and set Worker RAM Role to the role you created in Step 1.

For detailed instructions, see:

What's next

A newly created RAM role has no permissions by default. Grant the permissions each node pool requires and revoke unnecessary ones.

Grant permissions

Revoke permissions

Revoke permissions that are no longer needed as soon as possible. See Revoke permissions from a RAM role.