# alinux-cluster

Part of **ALINUX**

# Alibaba Cloud Linux Cluster Management Console Guide

## Operations Overview

| Operation | Console Navigation Path | Prerequisites | Description |
|----------|------------------------|---------------|-------------|
| Grant RBAC Permissions for Node Labels | Console > ACK > Cluster List > Security Management > Roles > Cluster Role | - Access to the ACK console<br>- Administrative privileges to modify ClusterRoles | Configure RBAC to allow components to read node labels during grayscale deployments |
| Revoke RBAC Permissions for Node Labels | Console > ACK > Cluster List > Security Management > Roles > Cluster Role | - Access to the ACK console<br>- Administrative privileges to modify ClusterRoles | Remove RBAC access to node labels by updating ClusterRole YAML |

## Operation Steps

### Grant RBAC Permissions for Node Labels

**Navigation**: Console > ACK > Cluster List > Security Management > Roles > Cluster Role

**Prerequisites**:
- Access to the ACK console
- Administrative privileges to modify ClusterRoles

1. Log on to the ACK console  
   - Element: **ACK console** (link) — top navigation  
   - Notes: Ensure you are logged in with an account that has sufficient permissions.

2. Click the name of the target cluster  
   - Element: **Cluster List** (menu) — left navigation panel  

3. Navigate to Security Management > Roles > Cluster Role  
   - Element: **Security Management** (menu) — left navigation panel  

4. Search for the specific ClusterRole by name  
   - Element: **search box** (text_input) — top of the table  
   - Notes: Enter the full name: `sysom-aliyunserviceroleforsysom-clusterrole`

5. Click **Edit YAML** in the Actions column to open the YAML editor  
   - Element: **Edit YAML** (button) — Actions column  
   - Notes: A YAML editing dialog will appear. Do not proceed if you lack write permissions.

6. In the YAML editor, ensure the `rules` section grants access to node labels (e.g., includes `nodes` resource with `get`, `list` verbs). Save the configuration.  
   - Element: **Save** (button) — bottom of the YAML dialog  
   - Notes: After saving, the change takes effect immediately. No restart is required.

### Revoke RBAC Permissions for Node Labels

**Navigation**: Console > ACK > Cluster List > Security Management > Roles > Cluster Role

**Prerequisites**:
- Access to the ACK console
- Administrative privileges to modify ClusterRoles

1. Log on to the ACK console  
   - Element: **ACK console** (link) — top of the page

2. In the left navigation panel, select **Cluster List** and click the target cluster name  
   - Element: **Cluster List** (menu) — left navigation panel

3. In the left navigation panel, select **Security Management** > **Roles** > **Cluster Role**  
   - Element: **Security Management** (menu) — left navigation panel

4. In the search box at the top, enter the full ClusterRole name  
   - Element: **search box** (text_input) — top of the page  
   - Notes: Must be exactly: `sysom-aliyunserviceroleforsysom-clusterrole`

5. Click **Edit YAML** in the Actions column  
   - Element: **Edit YAML** (button) — Actions column  
   - Notes: A YAML editing dialog appears.

6. In the YAML editor, make both of the following changes, then save:  
   - Add the annotation: `inner.service.alibabacloud.com/user-customized: 'true'`
   - Set the `rules` field to `null`
   - Element: **Save** (button) — bottom of the dialog  
   - Notes: This revokes all permissions associated with this ClusterRole. The change applies immediately.
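
The following added example (not Alibaba Cloud's code) checks a ClusterRole object against the two end states described in the procedures above: node access limited to `get`/`list`, or revoked with the annotation plus empty `rules`. The `audit` helper, the state names and the sample objects are constructed for illustration, and treating any verb beyond `get`/`list` on nodes as excess is an assumption.

```python
ROLE_NAME = "sysom-aliyunserviceroleforsysom-clusterrole"      # name from this guide
ANNOTATION = "inner.service.alibabacloud.com/user-customized"  # key from this guide
READ_VERBS = {"get", "list"}  # verbs the guide names; anything else is flagged (assumption)


def node_verbs(role):
    """Collect every verb the role grants on core-group nodes, wildcards included."""
    verbs = set()
    for rule in role.get("rules") or []:
        groups = rule.get("apiGroups") or []
        resources = rule.get("resources") or []
        if ("" in groups or "*" in groups) and ("nodes" in resources or "*" in resources):
            verbs.update(rule.get("verbs") or [])
    return verbs


def audit(role):
    """Return (state, findings) for one ClusterRole object (a parsed dict)."""
    meta = role.get("metadata") or {}
    findings = []
    if meta.get("name") != ROLE_NAME:
        findings.append("unexpected ClusterRole name: %r" % meta.get("name"))
    customized = (meta.get("annotations") or {}).get(ANNOTATION) == "true"
    if not role.get("rules"):  # rules: null (or an empty list) grants nothing
        if not customized:
            findings.append("rules are empty but the user-customized annotation is missing")
        return "revoked", findings
    verbs = node_verbs(role)
    extra = verbs - READ_VERBS
    if extra:  # write verbs or "*" on nodes exceed what reading labels needs
        findings.append("verbs beyond get/list on nodes: " + ", ".join(sorted(extra)))
        return "over-privileged", findings
    return ("read-only" if verbs else "no-node-access"), findings


# Constructed sample objects, not output from a real cluster.
def sample(rules, annotations=None):
    return {"metadata": {"name": ROLE_NAME, "annotations": annotations or {}}, "rules": rules}

GRANTED = sample([{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list"]}])
OVERBROAD = sample([{"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "patch"]}])
REVOKED = sample(None, {ANNOTATION: "true"})
HALF_REVOKED = sample(None)  # rules nulled, annotation step skipped

if __name__ == "__main__":
    for label, role in [("granted", GRANTED), ("overbroad", OVERBROAD),
                        ("revoked", REVOKED), ("half-revoked", HALF_REVOKED)]:
        print(label, audit(role))
```

To check a live cluster, pass `audit` the object parsed from `kubectl get clusterrole sysom-aliyunserviceroleforsysom-clusterrole -o json`.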

## FAQ

Q: Where can I find the ClusterRole for SysOM node label access?
A: It is named `sysom-aliyunserviceroleforsysom-clusterrole` and located under Security Management > Roles > Cluster Role in the ACK console.

Q: What happens if I delete the `rules` field instead of setting it to `null`?
A: The system may reject the update or revert to a default state. Always explicitly set `rules: null` as documented.

Q: Can I modify this ClusterRole after creation?
A: Yes, but only users with administrative privileges on the cluster can edit it via the **Edit YAML** button.

Q: Do I need to restart any services after updating the ClusterRole?
A: No. RBAC changes in Kubernetes take effect immediately without requiring service restarts.

Q: What permissions are required to perform these operations?
A: You must have the `ack:UpdateClusterRole` permission or equivalent administrative rights on the ACK cluster.

## Pricing & Billing

### Billing Model
This feature is provided at no additional cost.

### Free Tier
All RBAC configuration operations in the ACK console are free of charge.

### Billing Notes
No billing is incurred for creating, editing, or deleting ClusterRoles or other RBAC resources in Alibaba Cloud Kubernetes Service (ACK).