Custom Agencies
CCE clusters rely on various cloud services in areas like compute, storage, networking, and monitoring to function properly. To access these cloud resources, a CCE cluster needs authorization, which is handled through agencies. By default, CCE uses system agencies to generate the temporary access credentials that the cluster uses internally to call cloud services. You can instead configure a custom agency for the cluster. Once set, the cluster generates its temporary access credentials from the custom agency rather than the system agency, so the permissions attached to that agency define what the cluster is able to do.
- Custom agencies are supported only in clusters of v1.27 or later.
- Custom agencies are supported only in CCE standard clusters.
- Custom agencies do not support IAM 5.0 trust agencies.
Prerequisites
- Create a custom agency of the cloud service type on the Agencies page of the IAM console, with CCE as the delegated service. For details, see Creating an Agency and Assigning Permissions.
- Attach permissions to the custom agency. CCE provides the permissions a running cluster needs as preset system policies. Some of them are mandatory; the rest can be granted on demand based on the cluster functions you will use. For details, see System Policies.
If the agency lacks a required permission, the cluster functions that depend on it will be unavailable.
Configuring a Custom Agency During Cluster Creation
A custom agency can be configured during cluster creation only through the API, not in the console. For details, see Making an API Request.
Call the API for creating a cluster and configure a custom agency.
The request body is as follows:
{
  "kind": "Cluster",
  "apiVersion": "v3",
  "metadata": {
    "name": "cce-cluster"
  },
  "spec": {
    "agencyName": "custom_agency_name",
    "category": "CCE",
    . . .
  }
}
Replace custom_agency_name with the name of the custom agency created in IAM.
Configuring a Custom Agency for a Running Cluster
A custom agency can be configured for a running cluster only through the API, not in the console. For details, see Making an API Request.
Call the API for updating a specified cluster and configure a custom agency.
The request body is as follows:
{
  "spec": {
    "agencyName": "custom_agency_name"
  }
}
Replace custom_agency_name with the name of the custom agency created in IAM.
- If a cluster uses a custom agency, do not delete the agency or let it expire. The cluster can no longer obtain temporary credentials from it, and the cluster functions that depend on those credentials become unavailable.
- After changing the custom agency used by a cluster, allow some time for the change to take effect; the cluster keeps using previously issued temporary credentials until they are refreshed.
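The two request bodies above only switch the agency; they do not tell you whether the agency actually carries the policies the cluster will need. The following is an added example, not CCE's own code or tooling: a small pre-flight check that takes the policy names attached to the agency, the cluster network type and the cluster functions you plan to use, reports what is missing against the System Policies table below, and then builds the create and update bodies shown on this page. The network labels (`vpc`, `cloud-native-2.0`) and function labels (`elb`, `obs-volume`, ...) are this example's own names, chosen to match the table rows; they are not API field values. The policy names attached to the agency are assumed to be read out of band (IAM console or IAM API) and passed in as plain strings, and the create body carries only the fields the page shows, so the remaining spec fields a real create request needs are still left out.

```python
"""Pre-flight check for a CCE custom agency (added example, not CCE code).

Assumptions: attached policy names come from IAM out of band; the network
and feature labels below are this example's own, mapped onto the rows of
the System Policies table; the create body only carries the fields the
page shows.
"""
import json

# Policies every custom agency must carry (Authorization Required: Yes).
MANDATORY_POLICIES = frozenset({
    "CCEClusterManagedPolicy",
    "CCEClusterNodePolicy",
})

# Exactly one of these is required, depending on the cluster network type.
NETWORK_POLICY = {
    "vpc": "CCEClusterVPCNetworkingPolicy",
    "cloud-native-2.0": "CCEClusterTurboNetworkingPolicy",
}

# Optional policies, keyed by the cluster function that needs them.
FEATURE_POLICY = {
    "elb": "CCEClusterLoadBalancingPolicy",
    "yearly-monthly-order": "CCEClusterResourceOrderPolicy",
    "evs-volume": "CCEClusterCSIEVSPolicy",
    "obs-volume": "CCEClusterCSIOBSPolicy",
    "sfs3-volume": "CCEClusterCSISFSGeneralPolicy",
    "sfs-turbo-volume": "CCEClusterCSISFSTurboPolicy",
    "global-eip": "CCEClusterGEIPPolicy",
    "kms-secret": "CCEClusterKMSPolicy",
    "log-collection": "CCEClusterLogPolicy",
    "node-autoscaling": "CCEClusterNodeAutoscalingPolicy",
    "virtual-kubelet": "CCEClusterVirtualKubeletPolicy",
}

# Functions backed by a global service: per the table, their policy has to
# be granted as an all-project permission, not scoped to one project.
GLOBAL_SERVICE_FEATURES = {"obs-volume", "sfs3-volume", "global-eip"}


def required_policies(network: str, features=()) -> set:
    """Every policy the agency needs for this cluster configuration."""
    if network not in NETWORK_POLICY:
        raise ValueError(f"unknown network type {network!r}")
    required = set(MANDATORY_POLICIES)
    required.add(NETWORK_POLICY[network])
    for feature in features:
        if feature not in FEATURE_POLICY:
            raise ValueError(f"unknown cluster function {feature!r}")
        required.add(FEATURE_POLICY[feature])
    return required


def missing_policies(attached, network: str, features=()) -> list:
    """Policies still to be granted, sorted so the result is stable."""
    return sorted(required_policies(network, features) - set(attached))


def global_scope_warnings(features) -> list:
    """Requested functions whose policy must be granted across all projects."""
    return sorted(f for f in features if f in GLOBAL_SERVICE_FEATURES)


def preflight(attached, network: str, features=()) -> dict:
    """Report whether the agency is ready to be set on the cluster."""
    missing = missing_policies(attached, network, features)
    return {
        "ok": not missing,
        "missing": missing,
        "global_scope": global_scope_warnings(features),
    }


def build_create_body(cluster_name: str, agency_name: str) -> dict:
    """Create-cluster body with spec.agencyName; other spec fields omitted."""
    return {
        "kind": "Cluster",
        "apiVersion": "v3",
        "metadata": {"name": cluster_name},
        "spec": {"agencyName": agency_name, "category": "CCE"},
    }


def build_update_body(agency_name: str) -> dict:
    """Update-cluster body: only spec.agencyName is needed to switch agency."""
    return {"spec": {"agencyName": agency_name}}


if __name__ == "__main__":
    # Constructed input: policy names read off the agency in the IAM console.
    attached = {"CCEClusterManagedPolicy", "CCEClusterNodePolicy",
                "CCEClusterCSIEVSPolicy"}
    report = preflight(attached, "vpc", ["evs-volume", "obs-volume"])
    print(json.dumps(report, indent=2))
    if report["ok"]:
        print(json.dumps(build_update_body("custom_agency_name"), indent=2))
```

Run the check before calling the update API, not after: once spec.agencyName points at an agency that is missing CCEClusterManagedPolicy or the network policy for the cluster's network type, the cluster itself is what stops working, and the failure only surfaces when the previously issued temporary credentials are refreshed.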
System Policies
| System Policy | Description | Authorization Required |
|---|---|---|
| CCEClusterManagedPolicy | Permissions for using the basic functions of a CCE cluster | Yes |
| CCEClusterNodePolicy | Permissions for using the basic functions of worker nodes in a CCE cluster | Yes |
| CCEClusterTurboNetworkingPolicy | Permissions for using Cloud Native 2.0 networks in a CCE cluster | Required if the Cloud Native 2.0 network is used for the cluster |
| CCEClusterVPCNetworkingPolicy | Permissions for using VPC networks in a CCE cluster | Required if the VPC network is used for the cluster |
| CCEClusterLoadBalancingPolicy | Permissions for using ELB capabilities in a CCE cluster | No |
| CCEClusterResourceOrderPolicy | Permissions for automatically subscribing to yearly/monthly resources in a CCE cluster | No |
| CCEClusterCSIEVSPolicy | Permissions for using EVS volumes in a CCE cluster | No |
| CCEClusterCSIOBSPolicy | Permissions for using OBS volumes in a CCE cluster | No (OBS is a global service. To use OBS, grant all project service permissions.) |
| CCEClusterCSISFSGeneralPolicy | Permissions for using SFS 3.0 volumes in a CCE cluster | No (SFS 3.0 is a global service. To use SFS 3.0, grant all project service permissions.) |
| CCEClusterCSISFSTurboPolicy | Permissions for using SFS Turbo volumes in a CCE cluster | No |
| CCEClusterGEIPPolicy | Permissions for binding global EIPs to load balancers in a CCE cluster | No (Global EIP is a global service. To use global EIPs, grant all project service permissions.) |
| CCEClusterKMSPolicy | Permissions for mounting encrypted credentials located outside the cluster to containers | No |
| CCEClusterLogPolicy | Permissions for using log collection in a CCE cluster | No |
| CCEClusterNodeAutoscalingPolicy | Permissions for using node auto scaling in a CCE cluster | No |
| CCEClusterVirtualKubeletPolicy | Permissions for using CCE Cloud Bursting Engine for CCI in a CCE cluster | No |