Updated on 2024-11-05 GMT+08:00

Identity Authentication and Access Control

CCI permissions management allows you to grant permissions to your IAM users and user groups. It combines the advantages of Kubernetes Role-based Access Control (RBAC) authorization and Identity and Access Management (IAM) to provide a variety of authorization methods, including IAM fine-grained authorization, IAM token authorization, namespace-level authorization, and namespaced resource authorization.

  • Namespace-level permissions: permissions granted based on Kubernetes RBAC roles. You can authorize users or user groups to perform operations on Kubernetes resources under specific namespace.
  • CCI permissions: permissions granted based on IAM fine-grained authorization. You can authorize users to perform operations on namespaces, such as creating and deleting namespaces.
  • CCI does not support Landing Zone.
  • If you enable RBAC when you create a namespace, access to resources under the namespace is controlled by RBAC policies. If RBAC is disabled, RBAC policies will not take effect.
  • After you create a namespace with RBAC enabled, you must authorize IAM users to perform operations on the namespace.
  • The network, ClusterRole, and RoleBinding resources are not affected by RBAC policies but are controlled only by IAM fine-grained authentication. The network resources are controlled by network-related actions, and ClusterRole and RoleBinding are controlled by RBAC-related actions.
  • You can grant permissions for all namespaces of an IAM user at the same time.
  • If both system roles (IAM RBAC authorization) and custom policies (IAM fine-grained authorization) are used, the permissions granted using IAM RBAC authorization take precedence over those granted using IAM fine-grained authorization.
Figure 1 CCI permissions management

Namespace Permissions

Kubernetes RBAC APIs define four objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding. Currently, CCI supports only ClusterRole and RoleBinding. The two objects are described as follows:

  • ClusterRole specifies which actions can be performed on which resources. In the RBAC API, a role contains rules that represent a set of permissions. A role within a Kubernetes cluster is defined by a ClusterRole.
  • RoleBinding binds roles to subjects (including users and user groups). A RoleBinding grants the permissions defined in a role to a user or user group. The user or group has the permissions granted through the bound ClusterRole.
Table 1 Two objects declared by the RBAC API

Type

Description

ClusterRole

A ClusterRole can be used to grant access to resources in a cluster.

RoleBinding

A RoleBinding binds a ClusterRole to subjects (users) in a namespace, granting the ClusterRole's permissions to those users.

Currently, you can only use ClusterRole to create a RoleBinding in a namespace.

Currently, there are four roles: cluster-admin, admin, edit, and view. For details, see Table 2.

Table 2 User/user group roles

Default ClusterRole

Description

cluster-admin

Allows access to all Kubernetes resource objects.

admin

Allows admin access that can be granted within a namespace using a RoleBinding. If used in a RoleBinding, it allows read/write access to most resources in a namespace. It does not allow write access to resource quota or to the namespace itself.

edit

Allows read/write access to most resources in a namespace.

view

Allows read-only access to most objects in a namespace. It does not allow access to secrets.

For more information about Kubernetes RBAC authorization, see Using RBAC Authorization.