Updated on 2024-08-16 GMT+08:00

Permissions Overview

CCE permissions management allows you to assign permissions to IAM users and user groups under your tenant accounts. CCE combines the advantages of Identity and Access Management (IAM) and Kubernetes Role-based Access Control (RBAC) authorization to provide a variety of authorization methods, including IAM fine-grained authorization, IAM token authorization, cluster-scoped authorization, and namespace-wide authorization.

CCE allows you to manage permissions on clusters and related resources at a finer granularity, for example, to control the access of employees in different departments to cloud resources.

This section describes the CCE permissions management mechanism and related concepts. If your account has met your service requirements, you can skip this section.

CCE Permissions Management

CCE permissions are described as follows:
  • Cluster-level permissions: Cluster-level permissions management evolves out of the system policy authorization feature of IAM. IAM users in the same user group have the same permissions. On IAM, you can configure system policies to describe which IAM user groups can perform which operations on cluster resources. For example, you can grant user group A to create and delete cluster X, add a node, or install an add-on, while granting user group B to view information about cluster X.

    Cluster-level permissions involve non-Kubernetes APIs in CCE clusters and support fine-grained IAM policies and enterprise project management.

  • Namespace-level permissions: You can regulate users' or user groups' access to Kubernetes resources in a single namespace based on their Kubernetes RBAC roles. CCE has also been enhanced based on open-source capabilities. It supports RBAC authorization based on IAM user or user group, and RBAC authentication on access to APIs using IAM tokens.

    Namespace-level permissions involve CCE Kubernetes APIs and are enhanced based on the Kubernetes RBAC capabilities. Namespace-level permissions can be granted to IAM users or user groups for authentication and authorization, but are independent of fine-grained IAM policies.

In general, you configure CCE permissions in two scenarios. The first is creating and managing clusters and related resources, such as nodes. The second is creating and using Kubernetes resources in the cluster, such as workloads and Services.

Figure 1 Illustration on CCE permissions

These permissions allow you to manage resource users at a finer granularity.

Cluster Permissions (IAM-based) and Namespace Permissions (Kubernetes RBAC-based)

Users with different cluster permissions (assigned using IAM) have different namespace permissions (assigned using Kubernetes RBAC). Table 1 lists the namespace permissions of different users.

Table 1 Differences in namespace permissions

User

Clusters of v1.13 and Later

User with the Tenant Administrator permissions (for example, an account)

All namespace permissions

IAM user with the CCE Administrator role

All namespace permissions

IAM user with the CCE FullAccess or CCE ReadOnlyAccess role

Requires Kubernetes RBAC authorization.

IAM user with the Tenant Guest role

Requires Kubernetes RBAC authorization.

kubectl Permissions

You can use kubectl to access Kubernetes resources in a cluster.

When you access a cluster using kubectl, CCE uses the kubeconfig.json file generated on the cluster for authentication. This file contains user information, based on which CCE determines which Kubernetes resources can be accessed by kubectl. The permissions recorded in a kubeconfig.json file vary from user to user. The permissions that a user has are listed in Table 1.

Federated Users

IAM provides the identity provider function to implement federated identity authentication based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your management system to access the cloud platform through single sign-on (SSO).

Users who log in through federated identity authentication are called federated users. Federated users are equivalent to IAM users.

Pay attention to the following for federated users to use CCE:

  • When a user creates a CCE cluster, the cluster-admin permission is granted to the user by default. The user ID of a federated user changes upon each login and logout. Therefore, the user is displayed as deleted on the Permissions page of the CCE console. Do not manually delete the permission, otherwise, the authentication fails. In this case, you are advised to grant the cluster-admin permission to a user group on CCE and add federated users to the user group.
  • Federated users cannot create permanent access keys (AKs/SKs). In scenarios where AKs/SKs are required (for example, when creating OBS-related PVs/PVCs), only you or an IAM user can create the AK/SK and share them with the federated users. An access key contains the permissions granted to a user, so it is recommended that the federated user request an IAM user in the same group to create an access key.

Supported Actions

CCE provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:

  • Permissions: statements in a policy that allow or deny certain operations.
  • APIs: REST APIs that can be called by a user who has been granted specific permissions.
  • Actions: specific operations that are allowed or denied in a custom policy.
  • Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
  • IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. For details about the differences between IAM and enterprise management, see What Are the Differences Between IAM and Enterprise Management?

The check mark (√) and cross symbol (x) respectively indicate that an action takes effect or does not take effect for the corresponding type of projects.

CCE supports the following actions in custom policies.

Table 2 Cluster management actions

Permission

API

Action

IAM Project

Enterprise Project

Obtaining clusters in a project

GET /api/v3/projects/{project_id}/clusters

cce:cluster:list

Obtaining a cluster

GET /api/v3/projects/{project_id}/clusters/{cluster_id}

cce:cluster:get

Creating a cluster

POST /api/v3/projects/{project_id}/clusters

cce:cluster:create

Updating a cluster

PUT /api/v3/projects/{project_id}/clusters/{cluster_id}

cce:cluster:update

Deleting a cluster

DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}

cce:cluster:delete

Upgrading a cluster

POST /api/v2/projects/:projectid/clusters/:clusterid/upgrade

cce:cluster:upgrade

Waking up a cluster

POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/awake

cce:cluster:start

Hibernating a cluster

POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/hibernate

cce:cluster:stop

Changing the specifications of a cluster

POST /api/v2/projects/{project_id}/clusters/:clusterid/resize

cce:cluster:resize

Obtaining the certificate of a cluster

POST /api/v3/projects/{project_id}/clusters/{cluster_id}/clustercert

cce:cluster:get

Table 3 Node management actions

Permission

API

Action

IAM Project

Enterprise Project

Obtaining all nodes in a cluster

GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes

cce:node:list

Obtaining a node

GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id}

cce:node:get

Creating a node

POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes

cce:node:create

NOTE:

If you use enterprise project authorization to create a node, you need to add the global permission of evs:quota:get.

Updating a node

PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id}

cce:node:update

Deleting a node

DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id}

cce:node:delete

Table 4 Job management actions

Permission

API

Action

IAM Project

Enterprise Project

Obtaining information about a job

GET /api/v3/projects/{project_id}/jobs/{job_id}

cce:job:get

Listing all jobs

GET /api/v2/projects/{project_id}/jobs

cce:job:list

Deleting one or all jobs

DELETE /api/v2/projects/{project_id}/jobs

DELETE /api/v2/projects/{project_id}/jobs/{job_id}

cce:job:delete

Table 5 Node pool management actions

Permission

API

Action

IAM Project

Enterprise Project

Obtaining all node pools in a cluster

GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools

cce:nodepool:list

Obtaining a node pool

GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id}

cce:nodepool:get

Creating a node pool

POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools

cce:nodepool:create

Updating a node pool

PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id}

cce:nodepool:update

Deleting a node pool

DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id}

cce:nodepool:delete

Table 6 Chart management actions

Permission

API

Action

IAM Project

Enterprise Project

Updating a chart

PUT /v2/charts/{id}

cce:chart:update

x

Uploading a chart

POST /v2/charts

cce:chart:upload

x

Listing all charts

GET /v2/charts

cce:chart:list

x

Obtaining information about a chart

GET /v2/charts/{id}

cce:chart:get

x

Deleting a chart

DELETE /v2/charts/{id}

cce:chart:delete

x

Table 7 Release management actions

Permission

API

Action

IAM Project

Enterprise Project

Updating a release

PUT /v2/releases/{name}

cce:release:update

Listing all releases

GET /v2/releases

cce:release:list

Creating a release

POST /v2/releases

cce:release:create

Obtaining information about a release

GET /v2/releases/{name}

cce:release:get

Deleting a release

DELETE /v2/releases/{name}

cce:release:delete

Table 8 Storage management actions

Permission

API

Action

IAM Project

Enterprise Project

Creating a PersistentVolumeClaim

POST /api/v1/namespaces/{namespace}/cloudpersistentvolumeclaims

cce:storage:create

Deleting a PersistentVolumeClaim

DELETE /api/v1/namespaces/{namespace}/cloudpersistentvolumeclaims/{name}

cce:storage:delete

Listing all volumes

GET /storage/api/v1/namespaces/{namespace}/listvolumes

cce:storage:list

Table 9 Add-on management actions

Permission

API

Action

IAM Project

Enterprise Project

Creating an add-on instance

POST /api/v3/addons

cce:addonInstance:create

Obtaining an add-on instance

GET /api/v3/addons/{id}?cluster_id={cluster_id}

cce:addonInstance:get

Listing all add-on instances

GET /api/v3/addons?cluster_id={cluster_id}

cce:addonInstance:list

Deleting an add-on instance

DELETE /api/v3/addons/{id}?cluster_id={cluster_id}

cce:addonInstance:delete

Updating an add-on instance

PUT /api/v3/addons/{id}

cce:addonInstance:update

Table 10 Quota management actions

Permission

API

Action

IAM Project

Enterprise Project

Obtaining quota details

GET /api/v3/projects/{project_id}/quotas

cce:quota:get