Disabling a Statically Stored Temporary Credential in a Cluster
CCE has strengthened the security of credential sources used within clusters. CCE no longer relies on temporary credentials that are statically stored in secrets. To improve cluster security, disable these statically stored temporary credentials. The secrets that store temporary credentials include:
- paas.elb and paas.aksk: store the default add-on credentials. The secret data is the temporary AK/SK data. Some add-ons use them as the IAM credential to access other cloud services when no custom agency is configured.
- node-agency-cred: stores the node credential. The secret data is the temporary AK/SK data. The system components installed on the node use this credential by default.
- default-secret: stores the default image access credential. The secret data is the temporary login command for SWR, which is used to pull private images from SWR.
Statically stored temporary credentials can be disabled only for clusters of v1.28.15-r90, v1.29.15-r50, v1.30.14-r50, v1.31.14-r10, v1.32.9-r10, v1.33.7-r10, v1.34.3-r0, or later.
Precautions
- Precautions for disabling paas.elb and paas.aksk
All add-ons that need to access cloud services are already configured with custom agencies. These add-ons must also have the correct agency permissions. For details, see Custom Agencies for Add-ons. If these conditions are not met, disabling one of these secrets will cause affected add-ons to malfunction.
- Precautions for disabling node-agency-cred
Each node or node pool is configured with an agency that includes at least the cce:node:get and cce::assumeAgencyForPodIdentity permissions. Without these permissions, disabling the secret may result in node installation and running exceptions.
- Precautions for disabling default-secret
Workloads must not rely on default-secret as their image pull credentials. Instead, they should use password-free image pulls or custom image pull credentials. If the workloads still rely on default-secret, image pulls may fail once the secret is disabled.
Disabling a Temporary Credential
- Log in to the CCE console.
- In the navigation pane, choose Settings. On the Dashboard tab, find Cluster Settings.
- Select the secret that stores the corresponding temporary credential and disable it.

Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot