Permissions Management for CCI
CCI permissions management allows you to grant permissions to your IAM users and user groups. It combines the advantages of Kubernetes Role-based Access Control (RBAC) authorization and Identity and Access Management (IAM) to provide a variety of authorization methods, including IAM fine-grained authorization, IAM token authorization, namespace-level authorization, and namespaced resource authorization.
- Namespaced resource permissions management: an authorization method based on Kubernetes RBAC roles. You can authorize users or user groups to perform operations on Kubernetes resources under specific namespace.
- Namespace-level permissions management: an authorization method based on IAM fine-grained authorization. You can authorize users to perform operations on namespaces, such as creating and deleting namespaces. For more information about fine-grained permissions, see Actions associated with CCI fine-grained policies.
- If you enable RBAC when you create a namespace, access to resources under the namespace is controlled by RBAC policies. If RBAC is disabled, RBAC policies will not take effect.
- After you create a namespace with RBAC enabled, you must authorize IAM users to perform operations on the namespace.
- The network, ClusterRole, and RoleBinding resources are not affected by RBAC policies but are controlled only by IAM fine-grained authentication. The network resources are controlled by network-related actions, and ClusterRole and RoleBinding are controlled by RBAC-related actions.
- You can grant permissions for all namespaces of an IAM user at the same time.
Namespace-Level Permissions
Kubernetes RBAC APIs define four objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding. Currently, CCI supports only ClusterRole and RoleBinding. The two objects are described as follows:
- ClusterRole specifies which actions can be performed on which resources. In the RBAC API, a role contains rules that represent a set of permissions. A role within a Kubernetes cluster is defined by a ClusterRole.
- RoleBinding binds roles to subjects (including users and user groups). A RoleBinding grants the permissions defined in a role to a user or user group. The user or group has the permissions granted through the bound ClusterRole.
|
Type |
Description |
|---|---|
|
ClusterRole |
A ClusterRole can be used to grant access to resources in a cluster. |
|
RoleBinding |
A RoleBinding binds a ClusterRole to subjects (users) in a namespace, granting the ClusterRole's permissions to those users. |
Currently, you can only use ClusterRole to create a RoleBinding in a namespace.
In CCI, you can regulate users' or user groups' access to Kubernetes resources in a single namespace based on their Kubernetes RBAC roles.
Currently, there are four roles: cluster-admin, admin, edit, and view. For details, see Table 2.
|
Default ClusterRole |
Description |
|---|---|
|
cluster-admin |
Allows access to all Kubernetes resource objects. |
|
admin |
Allows admin access that can be granted within a namespace using a RoleBinding. If used in a RoleBinding, it allows read/write access to most resources in a namespace. It does not allow write access to resource quota or to the namespace itself. |
|
edit |
Allows read/write access to most resources in a namespace. |
|
view |
Allows read-only access to most objects in a namespace. It does not allow access to secrets. |
For more information about Kubernetes RBAC authorization, see Using RBAC Authorization.
Last Article: Permissions Management
Next Article: Creating a User and Granting CCI Permissions
Did this article solve your problem?
Thank you for your score!Your feedback would help us improve the website.