On this page

Show all

Help Center/ Cloud Container Engine_Autopilot/ User Guide/ Permissions/ Cluster Permissions (IAM Authorization)

Cluster Permissions (IAM Authorization)

Updated on 2025-01-03 GMT+08:00

View PDF

CCE cluster-level permissions are assigned based on IAM system-defined policies and custom policies. You can use user groups to assign permissions to IAM users.

CAUTION:

Cluster permissions are granted to users for operating cluster-related resources only (such as clusters and nodes). To operate Kubernetes resources like workloads and Services, you must be granted namespace permissions as well.
When viewing a cluster on the CCE console, the information displayed depends on the namespace permissions. If you have no namespace permissions, you cannot view the resources in the cluster.

Prerequisites

Before granting permissions to user groups, you need to get familiar with the system policies listed in Permissions for CCE. To grant permissions for other services, you need to learn about all system-defined permissions supported by IAM.
A user with the Security Administrator role (for example, your account) has all IAM permissions except role switching. Only these users can view user groups and their permissions on the Permissions page on the CCE console.

Configuration Description

On the CCE console, when you choose Permissions > Cluster-Level Permissions to create a user group, you will be directed to the IAM console to complete the process. After the user group is created and its permissions are configured, you can view the information on the Cluster-Level Permissions tab. This section describes the operations in IAM.

Process Flow

Figure 1 Process of granting CCE permissions using identity policy-based authorization

Create a user group and assign permissions.
Create a user group on the IAM console, and assign CCE permissions, for example, the CCE ReadOnlyAccess policy to the group.

NOTE:

CCE is deployed by region. On the IAM console, select Region-specific projects when assigning CCE permissions.
Create an IAM user and add it to the user group.
Create a user on the IAM console and add it to the user group created in 1.

NOTICE:

IAM users need programmatic and management console access to use CCE.
Log in and verify permissions.
In the authorized region, perform the following operations:
- Choose Service List > Cloud Container Engine. Then click Buy Cluster on the CCE console. If a message appears indicating that you have insufficient permissions to perform the operation, the CCE ReadOnlyAccess policy is in effect.
- Choose another service from Service List. If a message appears indicating that you have insufficient permissions to access the service, the CCE ReadOnlyAccess policy is in effect.

System-defined Roles

Roles are a type of coarse-grained authorization mechanism that defines service-level permissions based on user responsibilities. Only a limited number of service-level roles are available for authorization. However, roles are not an ideal choice for fine-grained authorization and secure access control.

The preset system role for CCE in IAM is CCE Administrator. When assigning this role to a user group, you must also select other roles and policies on which this role depends, such as Tenant Guest, Server Administrator, ELB Administrator, OBS Administrator, SFS Administrator, SWR Admin, and APM FullAccess. For more information about dependencies, see System Permissions.

System Policy

The system policies preset for CCE in IAM are CCE FullAccess and CCE ReadOnlyAccess.

CCE FullAccess: common operation permissions on CCE cluster resources, excluding the namespace-level permissions for the clusters (with Kubernetes RBAC enabled) and the privileged administrator operations, such as agency configuration and cluster certificate generation
CCE ReadOnlyAccess: permissions to view CCE cluster resources, excluding the namespace-level permissions of the clusters (with Kubernetes RBAC enabled)

NOTE:

When purchasing a CCE standard or CCE Turbo cluster or a node that is billed on a yearly/monthly basis, add custom policies and configure payment permissions such as bss:*:* for the Billing Center.

In Table 1 and Table 2, "√" indicates that the action is supported for the cluster type, and "x" indicates that the action is not supported for the cluster type.

**Table 1** Permissions granted by CCE FullAccess
Action	Specific Action	CCE Standard or CCE Turbo Clusters	CCE Autopilot Clusters	Description
cce::	cce:cluster:create	√	√	Creating a cluster
	cce:cluster:delete	√	√	Deleting a cluster
	cce:cluster:update	√	√	Updating a cluster, for example, updating cluster node scheduling parameters and providing RBAC support to clusters
	cce:cluster:upgrade	√	√	Upgrading a cluster
	cce:cluster:start	√	×	Waking up a cluster
	cce:cluster:stop	√	×	Hibernating a cluster
	cce:cluster:list	√	√	Listing all clusters
	cce:cluster:get	√	√	Obtaining cluster details
	cce:node:create	√	×	Adding a node
	cce:node:delete	√	×	Deleting one or more nodes
	cce:node:update	√	×	Updating a node, for example, updating the node name
	cce:node:get	√	×	Obtaining node details
	cce:node:list	√	×	Listing all nodes
	cce:nodepool:create	√	×	Creating a node pool
	cce:nodepool:delete	√	×	Deleting a node pool
	cce:nodepool:update	√	×	Updating a node pool
	cce:nodepool:get	√	×	Obtaining a node pool
	cce:nodepool:list	√	×	Listing all node pools in a cluster
	cce:release:create	√	√	Creating a release
	cce:release:delete	√	√	Deleting a release
	cce:release:update	√	√	Updating a release
	cce:job:list	√	√	Listing all cluster jobs
	cce:job:delete	√	√	Deleting one or more cluster jobs
	cce:job:get	√	√	Obtaining job details
	cce:storage:create	√	√	Creating a storage volume
	cce:storage:delete	√	√	Deleting a storage volume
	cce:storage:list	√	√	Listing all storage volumes
	cce:addonInstance:create	√	√	Creating an add-on instance
	cce:addonInstance:delete	√	√	Deleting an add-on instance
	cce:addonInstance:update	√	√	Updating an add-on instance
	cce:addonInstance:get	√	√	Obtaining an add-on instance
	cce:addonTemplate:get	√	√	Obtaining an add-on template
	cce:addonInstance:list	√	√	Listing all add-on instances
	cce:addonTemplate:list	√	√	Listing all add-on templates
	cce:chart:list	√	√	Listing all charts
	cce:chart:delete	√	√	Deleting a chart
	cce:chart:update	√	√	Updating a chart
	cce:chart:upload	√	√	Uploading a chart
	cce:chart:get	√	√	Obtaining chart details
	cce:release:get	√	√	Obtaining release details
	cce:release:list	√	√	Listing all releases
	cce:userAuthorization:get	√	√	Obtaining CCE user authorization
	cce:userAuthorization:create	√	√	Creating CCE user authorization
nat::	-	×	√	Performing all operations on NAT Gateway resources
nat:*:get	-	√	√	Viewing NAT Gateway resource details
nat:*:list	-	√	√	Listing all NAT Gateway resources
vpcep::	-	×	√	Performing all operations on VPC Endpoint resources
ecs::	-	√	√	Performing all operations on ECSs
evs::	-	√	√	Performing all operations on EVS disks EVS disks can be attached to cloud servers and expanded to a higher capacity whenever needed.
vpc::	-	√	√	Performing all operations on a VPC, including the shared load balancers in the VPC. A cluster must run in a VPC. When creating a namespace, you need to create or associate a VPC for the namespace so that all containers in the namespace will run in the VPC.
bms::get	-	√	√	Viewing BMS resource details
bms::list	-	√	√	Listing all BMS resources
ims::get	-	√	√	Viewing IMS resource details
ims::list	-	√	√	Listing all IMS resources
elb:*:get	-	√	√	Viewing ELB resource details
elb:*:list	-	√	√	Listing all ELB resources
sfs::get	-	√	√	Viewing SFS resource details
sfs:shares:ShareAction	-	√	√	Sharing SFS resources for scaling
sfsturbo::get	-	√	√	Viewing SFS Turbo resource details
sfsturbo:shares:ShareAction	-	√	√	Sharing SFS Turbo resources for scaling
tms:resourceTags:list	-	√	√	Listing TMS resources
kps:domainKeypairs:list	-	√	√	Listing DEW SSH keys
kps:domainKeypairs:get	-	√	√	Viewing DEW SSH keys
kms:cmk:get	-	√	√	Viewing DEW keys
kms:cmk:list	-	√	√	Listing DEW keys
aom:*:get	-	√	√	Viewing AOM resource details
aom:*:list	-	√	√	Listing AOM resources
aom:autoScalingRule:*	-	√	√	Performing all operations on AOM auto scaling rules
apm:icmgr:*	-	√	√	Performing operations on the ICAgent in APM
lts::	-	√	√	Performing all operations on LTS
smn::	-	√	√	Performing all operations on SMN

**Table 2** Permissions granted by CCE ReadOnlyAccess
Action	Specific Action	CCE Standard or CCE Turbo Clusters	CCE Autopilot Clusters	Description
cce:*:get	cce:cluster:get	√	√	Obtaining cluster details
	cce:node:get	√	×	Obtaining node details
	cce:job:get	√	√	Obtaining job details
	cce:addonInstance:get	√	√	Obtaining an add-on instance
	cce:addonTemplate:get	√	√	Obtaining an add-on template
	cce:chart:get	√	√	Obtaining chart details
	cce:nodepool:get	√	×	Obtaining a node pool
	cce:release:get	√	√	Obtaining release details
	cce:userAuthorization:get	√	√	Obtaining CCE user authorization
cce:*:list	cce:cluster:list	√	√	Listing all clusters
	cce:node:list	√	×	Listing all nodes
	cce:job:list	√	√	Listing all cluster jobs
	cce:addonInstance:list	√	√	Listing all add-on instances
	cce:addonTemplate:list	√	√	Listing all add-on templates
	cce:chart:list	√	√	Listing all charts
	cce:nodepool:list	√	×	Listing all node pools in a cluster
	cce:release:list	√	√	Listing all releases
	cce:storage:list	√	√	Listing all volumes
cce:kubernetes:*	-	√	√	Performing operations on all Kubernetes resources. For details, see Namespace Permissions.
nat:*:get	-	√	√	Viewing NAT Gateway resource details
nat:*:list	-	√	√	Listing all NAT Gateway resources
vpcep:*:get	-	×	√	Viewing VPC Endpoint resource details
vpcep:*:list	-	×	√	Listing all VPC Endpoint resources
ecs:*:get	-	√	√	Viewing details of all resources on an ECS
ecs:*:list	-	√	√	Listing all resources on an ECS
bms::get	-	√	√	Viewing BMS resource details
bms:*:list	-	√	√	Listing all BMS resources
ims::get	-	√	√	Viewing IMS resource details
ims::list	-	√	√	Listing all IMS resources
evs:*:get	-	√	√	Viewing details about all EVS disk resources. EVS disks can be attached to cloud servers and expanded to a higher capacity whenever needed.
evs:*:list	-	√	√	Listing all EVS resources
evs:*:count	-	√	√	-
vpc:*:get	-	√	√	Viewing details about all VPC resources A cluster must run in a VPC. When creating a namespace, you need to create or associate a VPC for the namespace so that all containers in the namespace will run in the VPC.
vpc:*:list	-	√	√	Listing all VPC resources
elb:*:get	-	√	√	Viewing ELB resource details
elb:*:list	-	√	√	Listing all ELB resources
sfs::get	-	√	√	Viewing SFS resource details
sfs:shares:ShareAction	-	√	√	Sharing SFS resources for scaling
sfsturbo::get	-	√	√	Viewing SFS Turbo resource details
sfsturbo:shares:ShareAction	-	√	√	Sharing SFS Turbo resources for scaling
tms:resourceTags:list	-	√	√	Listing all TMS resources
kps:domainKeypairs:list	-	√	√	Listing DEW SSH keys
kps:domainKeypairs:get	-	√	√	Viewing DEW SSH keys
kms:cmk:get	-	√	√	Viewing DEW keys
kms:cmk:list	-	√	√	Listing DEW keys
aom:*:get	-	√	√	Viewing details about all AOM resources
aom:*:list	-	√	√	Listing all AOM resources
aom:autoScalingRule:*	-	√	√	Performing all operations on AOM auto scaling rules
lts:*:get	-	√	√	Viewing details about all LTS resources
lts:*:list	-	√	√	Listing all LTS resources
smn:*:get	-	√	√	Viewing details about all SMN resources
smn:*:list	-	√	√	Listing SMN resources.

Custom Policies

Custom policies can be created as a supplement to the system-defined policies of CCE. For details about actions supported in custom policies, see Permissions Policies and Supported Actions.

To create a custom policy, choose either visual editor or JSON.

Visual editor: Select cloud services, actions, resources, and request conditions. This does not require knowledge of policy syntax.
JSON: Edit JSON policies from scratch or based on an existing policy.

For details, see Creating a Custom Policy. The following lists examples of common CCE custom policies.

Examples

Example 1: Grant permission to create a cluster named test.

{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cce:cluster:create"
            ]
        }
    ]
}

Example 2: Grant permission to deny node deletion.
A policy with only "Deny" permissions must be used together with other policies. If the permissions granted to an IAM user contain both "Allow" and "Deny", the "Deny" permissions take precedence over the "Allow" permissions.

Assume that you want to grant the permissions of the CCEFullAccess to a user but want to prevent them from deleting nodes (cce:node:delete). You can create a custom policy for denying node deletion, and attach this policy together with the CCEFullAccess policy to the user. As an explicit deny in any policy overrides any allows, the user can perform all operations on nodes excepting deleting them. The following is an example of a deny policy:
```
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "cce:node:delete"
            ]
        }
    ]
}
```

Example 3: Create a custom policy containing multiple actions.

A custom policy can contain the actions of multiple services that are of the global or project-level type. The following is an example policy containing actions of multiple services:

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "ecs:cloudServers:resize",
                "ecs:cloudServers:delete",
                "ecs:cloudServers:delete",
                "ims:images:list",
                "ims:serverImages:create"
            ],
            "Effect": "Allow"
        }
    ]
}

CCE Cluster Permissions and Enterprise Projects

CCE supports resource management and permission allocation by cluster and enterprise project.

Note that:

IAM projects are based on physical isolation of resources, whereas enterprise projects provide global logical groups of resources, which better meet the actual requirements of enterprises. In addition, IAM policies can be managed based on enterprise projects. Therefore, use enterprise projects for permissions management. For details, see Creating an Enterprise Project.
When there are both IAM projects and enterprise projects, IAM preferentially matches the IAM project policies.
When creating a cluster or node using purchased cloud resources, ensure that IAM users have been granted the required permissions in the enterprise project to use these resources. Otherwise, the cluster or node may fail to be created.

If a resource does not support enterprise projects, the permissions granted to the resource will not take effect.

**Table 3** Enterprise project resource pool
Support for Enterprise Projects	Resources	Description
Supported	cluster	Clusters
	node	Nodes
	nodepool	Node pools
	job	Jobs
	tag	Cluster labels
	addonInstance	Add-on instances
	release	Helm releases
	storage	Storage
Not supported	quota	Cluster quotas
	chart	Charts
	addonTemplate	Add-on templates

CCE Cluster Permissions and IAM RBAC

CCE is compatible with IAM system roles for permissions management. Use fine-grained policies provided by IAM to simplify permissions management.

CCE supports the following roles:

Basic IAM roles:
- te_admin (Tenant Administrator): Users with this role can call all APIs of all services except IAM.
- readonly (Tenant Guest): Users with this role can call APIs with the read-only permissions of all services except IAM.
Custom CCE administrator role: CCE Administrator

NOTE:

If a user has the Tenant Administrator or CCE Administrator system-defined role, the user has the cluster-admin permissions in Kubernetes RBAC and the permissions cannot be removed after the cluster is created.

If the user is the cluster creator, the cluster-admin permissions in Kubernetes RBAC are granted to the user by default. The permissions can be manually removed after the cluster is created.

Method 1: Choose Permissions Management > Namespace-Level Permissions > Delete in the same role as cluster-creator on the CCE console.
Method 2: Delete ClusterRoleBinding: cluster-creator through the API or kubectl.

When RBAC and IAM policies co-exist, the backend authentication logic for open APIs or console operations on CCE is as follows.

Click to enlarge