Authorization overview

更新时间:
复制 MD 格式

Container Compute Service (ACS) uses two authorization layers: Resource Access Management (RAM) for cloud resource operations and role-based access control (RBAC) for Kubernetes resources inside clusters. A RAM user or RAM role needs permissions from both layers to manage clusters and workloads.

Task Authorization layer Documentation
Create, view, or delete clusters RAM Grant permissions to a RAM user or RAM role
Grant a team member access to pods, Deployments, or Services RAM + RBAC Grant RBAC permissions to RAM users or RAM roles
Let different pods access different cloud services RAM (RRSA) Use RRSA to authorize pods to access cloud services
Set up an O&M engineer with cluster and application access RAM + RBAC Scenario 1: Grant O&M engineers the permissions to manage clusters and applications
Set up a developer with namespace-scoped access RAM + RBAC Scenario 2: Grant developers the permissions to manage your clusters and applications
Delegate permission management to an administrator RAM + RBAC Scenario 3: Grant authorization administrators the permissions to manage the permissions of RAM users and RAM roles

How the two layers work together

ACS clusters are a type of Container Service for Kubernetes (ACK) Serverless cluster. All cluster management calls ACK APIs, so both cloud-level (RAM) and cluster-level (RBAC) permissions must be in place.

Layer Scope Controls Granted through
RAM authorization Cloud resources (control plane) Cluster lifecycle, RBAC management, monitoring, logs, and events RAM system policies or custom policies
RBAC authorization Kubernetes resources (data plane) Workloads, networking, storage, namespaces, ConfigMaps, and Secrets Predefined or custom ClusterRoles in the ACS console

Complete RAM authorization before granting RBAC permissions.

ACS authorization system

What RAM authorization covers

RAM authorization grants permissions for cluster O&M operations:

  • Create, view, and delete clusters

  • Manage RBAC authorization

  • Monitor clusters and manage logs and events

What RBAC authorization covers

RBAC authorization grants namespace-level or cluster-wide permissions on Kubernetes resources:

  • Workload resources: Deployment, StatefulSet, Job, CronJob, pod, ReplicaSet, and HorizontalPodAutoscaler (HPA)

  • Network resources: Service, Ingress, and NetworkPolicy

  • Storage resources: persistent volume (PV), persistent volume claim (PVC), and StorageClass

  • Other resources: Namespace, ConfigMap, and Secret

RAM authorization

By default, RAM users and RAM roles cannot call cloud service APIs. Attach RAM policies to grant the required access.

System policies

System policies grant broad, predefined permissions suited for O&M access across all clusters in an account. Grant permissions to a RAM user or RAM role.

System policy What it grants Scope note
AliyunCSFullAccess Full access to all ACK API operations Includes all ACK clusters, not just ACS clusters. Does not grant RBAC permissions on Kubernetes resources.
AliyunCSReadOnlyAccess Read-only access to all ACK API operations Includes all ACK clusters, not just ACS clusters.
AliyunACCFullAccess Full access to all ACS API operations ACS clusters only.
AliyunACCReadOnlyAccess Read-only access to all ACS API operations ACS clusters only.
AliyunVPCReadOnlyAccess Read-only access to Virtual Private Cloud (VPC) Required to select a VPC when creating an ACS cluster.
AliyunContainerRegistryFullAccess Full access to container images in Container Registry (ACR) Account-wide.
AliyunLogReadOnlyAccess Read-only access to Simple Log Service (SLS) Required to select a log project for audit logs or view configuration inspection results.
AliyunRAMFullAccess Full access to RAM Required to manage authorization for other RAM users and RAM roles.
AliyunEBSFullAccess Full access to Elastic Block Storage (EBS) Required to use disk storage features.
AliyunARMSReadOnlyAccess Read-only access to Application Real-Time Monitoring Service (ARMS) Required to view Managed Service for Prometheus monitoring data.
AliyunKMSReadOnlyAccess Read-only access to Key Management Service (KMS) Required to select encryption keys when creating an ACS cluster.
Important

AliyunCSFullAccess and AliyunCSReadOnlyAccess cover all ACK clusters, not just ACS clusters. Evaluate whether this scope is appropriate before attaching these policies.

Custom policies

Custom policies provide fine-grained control over specific API operations and resources. Use them when RAM users or RAM roles need narrowly scoped permissions for SDK-based development.

The following example grants read-only access to an Object Storage Service (OSS) bucket named myphotos:

{
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListBuckets",
                "oss:GetBucketStat",
                "oss:GetBucketInfo",
                "oss:GetBucketTagging",
                "oss:GetBucketAcl"
            ],
            "Resource": "acs:oss:*:*:*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:ListObjects",
                "oss:GetBucketAcl"
            ],
            "Resource": "acs:oss:*:*:myphotos"
        },
        {
            "Effect": "Allow",
            "Action": [
                "oss:GetObject",
                "oss:GetObjectAcl"
            ],
            "Resource": "acs:oss:*:*:myphotos/*"
        }
    ]
}

Pod-level access with RRSA

RAM Roles for Service Accounts (RRSA) associates a RAM role with a Kubernetes ServiceAccount so that pods using that ServiceAccount can call designated cloud service APIs. Use RRSA to authorize different pods to access different cloud services.

RBAC authorization

After RAM authorization is in place, grant RBAC permissions to control what a RAM user or RAM role can do with Kubernetes resources. Assign RBAC permissions from the ACS console authorization page.

Predefined roles

ACS provides the following predefined roles plus a custom option. Each maps to a ClusterRole. Grant RBAC permissions to RAM users or RAM roles.

Role Scope Grants Does not grant
Administrator All namespaces Read and write access to all resources --
O&M engineer All namespaces Read and write access to console-visible resources; read-only access to nodes, PVs, namespaces, and quotas Write access to nodes, PVs, namespaces, and quotas
Developer Specified or all namespaces Read and write access to console-visible resources Access outside the assigned namespace (when namespace-scoped)
Restricted user Specified or all namespaces Read-only access to console-visible resources Write access to any resource
Custom role Defined by ClusterRole Determined by the selected ClusterRole Permissions not included in the ClusterRole
Important

Before assigning a custom role, review the ClusterRole permissions to verify that only the required access is granted. Customize an RBAC role.

Roles and ClusterRoles

Kubernetes RBAC uses two types of role resources:

  • Role -- a namespaced resource that defines permissions within a single namespace. Specify the target namespace when creating a Role.

  • ClusterRole -- a non-namespaced resource that defines cluster-wide permissions.

A ClusterRole can be used in three ways:

  1. Grant permissions on namespaced resources within individual namespaces.

  2. Grant permissions on namespaced resources across all namespaces.

  3. Grant permissions on cluster-scoped resources.

Use a Role when permissions should be limited to one namespace. Use a ClusterRole when permissions span the entire cluster.

Important

ACK allows only ClusterRoles to grant RBAC permissions. Roles cannot be used for RBAC authorization.

To create a custom ClusterRole, see Customize an RBAC role. To attach a ClusterRole to a RAM user or RAM role, see Grant RBAC permissions to RAM users or RAM roles.