Help Center/ Cloud Container Engine/ User Guide/ Permissions/ System Agencies
Updated on 2025-04-27 GMT+08:00
View PDF
Share

System Agencies

CCE works closely with multiple cloud services to support compute, storage, networking, and monitoring functions. When you log in to the CCE console for the first time, CCE automatically requests permissions to access those cloud services in the region where you run your applications. Specifically:
  • Compute services

    When you create a node in a cluster, a cloud server is created accordingly. The prerequisite is that CCE has obtained the permissions for accessing Elastic Cloud Server (ECS) and Bare Metal Server (BMS).

  • Storage services

    CCE allows you to mount storage to nodes and containers in a cluster. The prerequisite is that CCE has obtained the permissions for accessing services such as Elastic Volume Service (EVS), Scalable File Service (SFS), and Object Storage Service (OBS).

  • Networking services

    CCE allows containers in a cluster to be published as services that can be accessed by external systems. The prerequisite is that CCE has obtained the permissions for accessing services such as Virtual Private Cloud (VPC) and Elastic Load Balance (ELB).

  • Container and monitoring services

    CCE supports functions such as container image pull, monitoring, and logging. The prerequisite is that CCE has obtained the permissions for accessing services such as SoftWare Repository for Container (SWR) and Application Operations Management (AOM).

After you agree to the entrustment, CCE automatically creates an agency in IAM to delegate other resource operation permissions in your account to Huawei Cloud CCE. For details, see Account Delegation.

The agencies automatically created by CCE are as follows:

  • cce_admin_trust has permission to call all cloud services that CCE depends on, with the exception of IAM.
  • cce_cluster_agency is authorized to operate only the cloud services required by CCE to generate temporary access credentials used by components in CCE clusters.

cce_admin_trust

The cce_admin_trust agency has the Tenant Administrator permissions. Tenant Administrator has permission to call all cloud services (with the exception of IAM) that CCE depends on, such as creating a cluster or node. This delegation of permissions only applies to the current region.

To use CCE in multiple regions, request for cloud resource permissions in each region. You can go to the IAM console, choose Agencies and click cce_admin_trust to view the permissions of each region.

CCE may fail to run as expected if the Tenant Administrator role is not assigned. Therefore, do not delete or modify the cce_admin_trust agency when using CCE.

CCE has redesigned the cce_admin_trust agency permission to enhance security by taking into account the dependency on other cloud services. The new permission no longer includes the Tenant Administrator permission. This function is only available in certain regions. If the clusters under your account are of v1.21 or later versions, a message indicating a permission change will be displayed on the console, and you will need to re-grant the permission. After you re-grant the permission, the cce_admin_trust agency will be updated to include the cloud service permissions that CCE depends on, while the Tenant Administrator permission will be removed from the agency.

When you create the cce_admin_trust agency, a custom policy named CCE admin policies will be automatically created. Do not delete this policy.

cce_cluster_agency

The cce_cluster_agency agency contains only the cloud service resource operation permissions required by CCE components. It generates temporary access credentials used by components in CCE clusters. This agency permission will be used when cloud service resources that CCE depends on are automatically created in a cluster, for example, when an ingress or dynamic storage volume is created.

  • The cce_cluster_agency agency supports clusters of v1.21 or later.
  • When you create the cce_cluster_agency agency, a custom policy named CCE cluster policies is automatically created. Do not delete this policy.

If the permissions of the cce_cluster_agency agency are different from those expected by CCE, the console displays a message indicating that the permissions have changed and you need to re-authorize the agency.

The cce_cluster_agency agency may be re-authorized in the following scenarios:

  • The permissions on which CCE components depend may change with versions. For example, if a new component depends on new permissions, CCE will update the expected permission list and you need to grant permissions to cce_cluster_agency again.
  • When you manually modify the permissions of the cce_cluster_agency agency, the permissions of the agency are different from those expected by CCE. In this case, a message is displayed, asking you to re-authorize the agency. If you re-authorize the agency, the manually modified permissions may become invalid.

hss_policy_trust

After HSS is enabled, CCE will automatically create a CCEOperatePolicy policy and assign it to the hss_policy_trust agency.

CCEOperatePolicy permissions:

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "cce:cluster:get",
                "cce:cluster:list",
                "iam:agencies:listAgencies"
            ],
            "Effect": "Allow"
        }
    ]
}

ClusterRole hss-cluster-role will be automatically created in the cluster with HSS enabled.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: hss-cluster-role
rules:
  - verbs:
      - '*'
    apiGroups:
      - '*'
    resources:
      - daemonsets
      - namespaces
      - configmaps
      - nodes
Parent Topic: Permissions