Updated on 2026-02-02 GMT+08:00

Changes to the default-secret Permissions in CCE Clusters

Released: Jan 30, 2026

To enhance the security of CCE clusters and adhere to the principle of least privilege (PoLP), the permissions of the automatically created default-secret have been adjusted.

default-secret is a kubernetes.io/dockerconfigjson type secret generated by CCE in every namespace. Its data field contains the credentials required for accessing SWR, enabling cluster nodes to pull container images from SWR as needed. For details, see default-secret.
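To make the layout described above concrete, here is an added example that is not part of the CCE documentation: it builds a constructed kubernetes.io/dockerconfigjson Secret (placeholder registry host and made-up credentials, not a real SWR endpoint), decodes it the way a container runtime would to find which registries it authenticates to, and lists which pods in a set of manifests reference the secret through imagePullSecrets. The function names, the sample manifests and the `swr.example.invalid` host are all assumptions of this example. It is the kind of audit a cluster operator can run (against `kubectl get secret/pod -o json` output) to see which workloads depend on default-secret before a version upgrade narrows its permissions.

```python
import base64
import json


def _b64(text: str) -> str:
    """Standard base64 of a UTF-8 string, as used in Secret data fields."""
    return base64.b64encode(text.encode()).decode()


def make_dockerconfigjson_secret(name, namespace, registry, username, password):
    """Build a Secret manifest of type kubernetes.io/dockerconfigjson (constructed sample)."""
    config = {"auths": {registry: {
        "username": username,
        "password": password,
        # Registries read the "auth" field, which is base64("username:password").
        "auth": _b64(f"{username}:{password}"),
    }}}
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/dockerconfigjson",
        "metadata": {"name": name, "namespace": namespace},
        # The whole config JSON is base64-encoded under the ".dockerconfigjson" key.
        "data": {".dockerconfigjson": _b64(json.dumps(config))},
    }


def registries_in_secret(secret):
    """Return {registry: username} for a dockerconfigjson Secret, validating its layout."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError(f"unexpected secret type: {secret.get('type')!r}")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    auths = json.loads(raw).get("auths", {})
    result = {}
    for registry, entry in auths.items():
        user, _, password = base64.b64decode(entry["auth"]).decode().partition(":")
        # When the explicit fields are present they must agree with "auth";
        # a mismatch usually means the secret was hand-edited and will fail at pull time.
        if "username" in entry and entry["username"] != user:
            raise ValueError(f"username mismatch for {registry}")
        if "password" in entry and entry["password"] != password:
            raise ValueError(f"password mismatch for {registry}")
        result[registry] = user
    return result


def pods_using_secret(pods, secret_name):
    """List 'namespace/name' of pods whose imagePullSecrets reference secret_name."""
    hits = []
    for pod in pods:
        refs = pod.get("spec", {}).get("imagePullSecrets", [])
        if any(ref.get("name") == secret_name for ref in refs):
            ns = pod["metadata"].get("namespace", "default")
            hits.append(f"{ns}/{pod['metadata']['name']}")
    return hits


# Constructed sample data: placeholder host and made-up credentials.
SAMPLE_SECRET = make_dockerconfigjson_secret(
    "default-secret", "default",
    "swr.example.invalid",                    # placeholder, not a real SWR endpoint
    "constructed-user", "constructed-login-key",
)

SAMPLE_PODS = [
    {"metadata": {"name": "web", "namespace": "default"},
     "spec": {"imagePullSecrets": [{"name": "default-secret"}]}},
    {"metadata": {"name": "builder", "namespace": "ci"},
     "spec": {"imagePullSecrets": [{"name": "my-own-secret"}]}},
    {"metadata": {"name": "batch", "namespace": "default"}, "spec": {}},
]


if __name__ == "__main__":
    print("registries:", registries_in_secret(SAMPLE_SECRET))
    print("pods using default-secret:", pods_using_secret(SAMPLE_PODS, "default-secret"))
```

Note that a manifest scan only shows which workloads pull with default-secret; whether a pipeline also pushes with those credentials is not visible in pod specs and has to be checked in the pipeline definition itself.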

Previously, default-secret included both image pull and push permissions. To minimize potential security risks, the default permissions in new cluster versions are being restricted to image pulls only.

Impact Scope

All CCE clusters that are upgraded to or created in versions v1.28.15-r80, v1.29.15-r40, v1.30.14-r40, v1.31.14-r0, v1.32.9-r0, v1.33.7-r0, v1.34.2-r0, and later

Impact

  • The change has no impact on normal service operations that rely on default-secret only to pull images from SWR.
  • Services that depend on default-secret to push images to SWR, such as CI/CD pipelines or in-pod image builds, will fail after the cluster is upgraded because the secret no longer carries push permissions.

Solution

To continue using default-secret to push images, grant the SWR Admin policy to CCENodeAgency for CCE nodes.

  1. Log in to the IAM console and choose Agencies in the navigation pane. Enter CCENodeAgency in the search box on the right. In the search result, click CCENodeAgency to go to its basic information page.
  2. On the Permissions tab, click Authorize, search for SWR Admin, and select it.
  3. Click Next in the lower right corner. On the Authorize Agency page, in the Select Scope step, select All resources and click OK in the lower right corner. On the Authorize Agency page, in the Finish step, click Finish.

It is strongly advised to apply this authorization only when image pushes are required. If your workloads only need to pull images, you can rely on the more secure default configuration without taking any additional action.