Permissions Overview
CCE permissions management allows you to assign permissions to IAM users and user groups under your tenant accounts. CCE combines the advantages of Identity and Access Management (IAM) and Kubernetes Role-based Access Control (RBAC) authorization to provide a variety of authorization methods, including IAM fine-grained authorization, IAM token authorization, cluster-scoped authorization, and namespace-wide authorization.
CCE allows you to manage permissions on clusters and related resources at a finer granularity, for example, to control the access of employees in different departments to cloud resources.
This section describes the CCE permissions management mechanism and related concepts. If your account has met your service requirements, you can skip this section.
CCE Permissions Management
- Cluster-level permissions: Cluster-level permissions management evolves out of the system policy authorization feature of IAM. IAM users in the same user group have the same permissions. On IAM, you can configure system policies to describe which IAM user groups can perform which operations on cluster resources. For example, you can grant user group A to create and delete cluster X, add a node, or install an add-on, while granting user group B to view information about cluster X.
Cluster-level permissions involve non-Kubernetes APIs in CCE clusters and support fine-grained IAM policies and enterprise project management.
- Namespace-level permissions: You can regulate users' or user groups' access to Kubernetes resources in a single namespace based on their Kubernetes RBAC roles. CCE has also been enhanced based on open-source capabilities. It supports RBAC authorization based on IAM user or user group, and RBAC authentication on access to APIs using IAM tokens.
Namespace-level permissions involve CCE Kubernetes APIs and are enhanced based on the Kubernetes RBAC capabilities. Namespace-level permissions can be granted to IAM users or user groups for authentication and authorization, but are independent of fine-grained IAM policies.
In general, you configure CCE permissions in two scenarios. The first is creating and managing clusters and related resources, such as nodes. The second is creating and using Kubernetes resources in the cluster, such as workloads and Services.
These permissions allow you to manage resource users at a finer granularity.
Cluster Permissions (IAM-based) and Namespace Permissions (Kubernetes RBAC-based)
Users with different cluster permissions (assigned using IAM) have different namespace permissions (assigned using Kubernetes RBAC). Table 1 lists the namespace permissions of different users.
User |
Clusters of v1.13 and Later |
|---|---|
User with the Tenant Administrator permissions (for example, an account) |
All namespace permissions |
IAM user with the CCE Administrator role |
All namespace permissions |
IAM user with the CCE FullAccess or CCE ReadOnlyAccess role |
Requires Kubernetes RBAC authorization. |
IAM user with the Tenant Guest role |
Requires Kubernetes RBAC authorization. |
kubectl Permissions
You can use kubectl to access Kubernetes resources in a cluster.
When you access a cluster using kubectl, CCE uses the kubeconfig.json file generated on the cluster for authentication. This file contains user information, based on which CCE determines which Kubernetes resources can be accessed by kubectl. The permissions recorded in a kubeconfig.json file vary from user to user. The permissions that a user has are listed in Table 1.
Federated Users
IAM provides the identity provider function to implement federated identity authentication based on Security Assertion Markup Language (SAML) or OpenID Connect. This function allows users in your management system to access the cloud platform through single sign-on (SSO).
Users who log in through federated identity authentication are called federated users. Federated users are equivalent to IAM users.
Pay attention to the following for federated users to use CCE:
- When a user creates a CCE cluster, the cluster-admin permission is granted to the user by default. The user ID of a federated user changes upon each login and logout. Therefore, the user is displayed as deleted on the Permissions page of the CCE console. Do not manually delete the permission, otherwise, the authentication fails. In this case, you are advised to grant the cluster-admin permission to a user group on CCE and add federated users to the user group.
- Federated users cannot create permanent access keys (AKs/SKs). In scenarios where AKs/SKs are required (for example, when creating OBS-related PVs/PVCs), only you or an IAM user can create the AK/SK and share them with the federated users. An access key contains the permissions granted to a user, so it is recommended that the federated user request an IAM user in the same group to create an access key.
Supported Actions
CCE provides system-defined policies that can be directly used in IAM. You can also create custom policies to supplement system-defined policies for more refined access control. Operations supported by policies are specific to APIs. The following are common concepts related to policies:
- Permissions: statements in a policy that allow or deny certain operations.
- APIs: REST APIs that can be called by a user who has been granted specific permissions.
- Actions: specific operations that are allowed or denied in a custom policy.
- Dependencies: actions which a specific action depends on. When allowing an action for a user, you also need to allow any existing action dependencies for that user.
- IAM projects/Enterprise projects: the authorization scope of a custom policy. A custom policy can be applied to IAM projects or enterprise projects or both. Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only. For details about the differences between IAM and enterprise management, see What Are the Differences Between IAM and Enterprise Management?
The check mark (√) and cross symbol (x) respectively indicate that an action takes effect or does not take effect for the corresponding type of projects.
CCE supports the following actions in custom policies.
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
Obtaining clusters in a project |
GET /api/v3/projects/{project_id}/clusters |
cce:cluster:list |
√ |
√ |
Obtaining a cluster |
GET /api/v3/projects/{project_id}/clusters/{cluster_id} |
cce:cluster:get |
√ |
√ |
Creating a cluster |
POST /api/v3/projects/{project_id}/clusters |
cce:cluster:create |
√ |
√ |
Updating a cluster |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id} |
cce:cluster:update |
√ |
√ |
Deleting a cluster |
DELETE /api/v3/projects/{project_id}/clusters/{cluster_id} |
cce:cluster:delete |
√ |
√ |
Upgrading a cluster |
POST /api/v2/projects/:projectid/clusters/:clusterid/upgrade |
cce:cluster:upgrade |
√ |
√ |
Waking up a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/awake |
cce:cluster:start |
√ |
√ |
Hibernating a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/operation/hibernate |
cce:cluster:stop |
√ |
√ |
Changing the specifications of a cluster |
POST /api/v2/projects/{project_id}/clusters/:clusterid/resize |
cce:cluster:resize |
√ |
√ |
Obtaining the certificate of a cluster |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/clustercert |
cce:cluster:get |
√ |
√ |
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
Obtaining all nodes in a cluster |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes |
cce:node:list |
√ |
√ |
Obtaining a node |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} |
cce:node:get |
√ |
√ |
Creating a node |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes |
cce:node:create |
√ |
√
NOTE:
If you use enterprise project authorization to create a node, you need to add the global permission of evs:quota:get. |
Updating a node |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} |
cce:node:update |
√ |
√ |
Deleting a node |
DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodes/{node_id} |
cce:node:delete |
√ |
√ |
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
Obtaining information about a job |
GET /api/v3/projects/{project_id}/jobs/{job_id} |
cce:job:get |
√ |
√ |
Listing all jobs |
GET /api/v2/projects/{project_id}/jobs |
cce:job:list |
√ |
√ |
Deleting one or all jobs |
DELETE /api/v2/projects/{project_id}/jobs DELETE /api/v2/projects/{project_id}/jobs/{job_id} |
cce:job:delete |
√ |
√ |
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
Obtaining all node pools in a cluster |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools |
cce:nodepool:list |
√ |
√ |
Obtaining a node pool |
GET /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} |
cce:nodepool:get |
√ |
√ |
Creating a node pool |
POST /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools |
cce:nodepool:create |
√ |
√ |
Updating a node pool |
PUT /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} |
cce:nodepool:update |
√ |
√ |
Deleting a node pool |
DELETE /api/v3/projects/{project_id}/clusters/{cluster_id}/nodepools/{nodepool_id} |
cce:nodepool:delete |
√ |
√ |
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
Updating a chart |
PUT /v2/charts/{id} |
cce:chart:update |
√ |
x |
Uploading a chart |
POST /v2/charts |
cce:chart:upload |
√ |
x |
Listing all charts |
GET /v2/charts |
cce:chart:list |
√ |
x |
Obtaining information about a chart |
GET /v2/charts/{id} |
cce:chart:get |
√ |
x |
Deleting a chart |
DELETE /v2/charts/{id} |
cce:chart:delete |
√ |
x |
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
Updating a release |
PUT /v2/releases/{name} |
cce:release:update |
√ |
√ |
Listing all releases |
GET /v2/releases |
cce:release:list |
√ |
√ |
Creating a release |
POST /v2/releases |
cce:release:create |
√ |
√ |
Obtaining information about a release |
GET /v2/releases/{name} |
cce:release:get |
√ |
√ |
Deleting a release |
DELETE /v2/releases/{name} |
cce:release:delete |
√ |
√ |
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
Creating a PersistentVolumeClaim |
POST /api/v1/namespaces/{namespace}/cloudpersistentvolumeclaims |
cce:storage:create |
√ |
√ |
Deleting a PersistentVolumeClaim |
DELETE /api/v1/namespaces/{namespace}/cloudpersistentvolumeclaims/{name} |
cce:storage:delete |
√ |
√ |
Listing all volumes |
GET /storage/api/v1/namespaces/{namespace}/listvolumes |
cce:storage:list |
√ |
√ |
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
Creating an add-on instance |
POST /api/v3/addons |
cce:addonInstance:create |
√ |
√ |
Obtaining an add-on instance |
GET /api/v3/addons/{id}?cluster_id={cluster_id} |
cce:addonInstance:get |
√ |
√ |
Listing all add-on instances |
GET /api/v3/addons?cluster_id={cluster_id} |
cce:addonInstance:list |
√ |
√ |
Deleting an add-on instance |
DELETE /api/v3/addons/{id}?cluster_id={cluster_id} |
cce:addonInstance:delete |
√ |
√ |
Updating an add-on instance |
PUT /api/v3/addons/{id} |
cce:addonInstance:update |
√ |
√ |
Permission |
API |
Action |
IAM Project |
Enterprise Project |
|---|---|---|---|---|
Obtaining quota details |
GET /api/v3/projects/{project_id}/quotas |
cce:quota:get |
√ |
√ |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
