Updated on 2026-04-03 GMT+08:00

Custom Agencies for Add-ons

Some CCE add-ons rely on cloud service resources such as compute, storage, networking, and monitoring. These add-ons require authorization to perform operations on these cloud resources. To improve cluster security, CCE has significantly enhanced the credential sources used by add-ons.

  • PoLP (principle of least privilege): You can assign a dedicated agency to each add-on and grant only the IAM permissions required for its operation. This ensures that each add-on can access only the resources and services it needs.
  • Eliminating static credentials: Add-ons no longer store credentials statically in secrets. Instead, they use pod identities to associate temporary, automatically rotated credentials with pods.
    • IAM 5.0 trust agencies cannot currently be configured separately for individual add-ons.
    • Static credentials can be removed only from clusters v1.28.15-r80, v1.29.15-r40, v1.30.14-r40, v1.31.14-r0, v1.32.9-r0, v1.33.7-r0, v1.34.2-r0, or later.

If you do not configure a custom agency when installing these add-ons, CCE automatically creates and uses a default add-on agency. This default agency contains all permissions required by the add-on, and it is advised not to change its authorization settings. The default agency and its corresponding authorization settings are listed below.

Add-on: CCE Container Storage (Everest)
Version: 2.5.1 or later
Module/Component: everest-csi-controller (the everest-csi-controller component)
Default Agency: CCECSIAgency
Authorization Content:
  • CCEClusterCSIEVSPolicy
  • CCEClusterCSIOBSPolicy
  • CCEClusterCSISFSGeneralPolicy
  • CCEClusterCSISFSTurboPolicy
  • CCEClusterResourceOrderPolicy
  • CCEClusterCSIOBSEncryptionPolicy

Add-on: CCE Container Storage (Everest)
Version: 2.5.1 or later
Module/Component: everest-csi-driver (the everest-csi-driver component)
Default Agency: CCECSIDriverAgency
Authorization Content:
  • CCEClusterCSIEVSAttachPolicy
  • CCEClusterCSIOBSMountPolicy

Add-on: CCE Cluster Autoscaler
Version: 1.28.227, 1.29.189, 1.30.155, 1.31.117, 1.32.93, 1.33.86, 1.34.22, or later
Module/Component: cluster-autoscaler (the autoscaler component)
Default Agency: CCENodeScaleAgency
Authorization Content: CCEClusterNodeAutoscalingPolicy

Add-on: CCE Secrets Manager for DEW
Version: 1.1.106 or later
Module/Component: dew-provider (the dew-provider component)
Default Agency: CCESecretEncryptAgency
Authorization Content: CCEClusterKMSPolicy

Add-on: Cloud Native Log Collection
Version: 1.7.9 or later
Module/Component: log-manager (the log-operator, otel-collector, and otel-collector-event components)
Default Agency: CCELogManageAgency
Authorization Content: CCEClusterLogPolicy

Add-on: Cloud Native Log Collection
Version: 1.7.9 or later
Module/Component: log-reporter (the fluent-bit component)
Default Agency: CCELogReportAgency
Authorization Content: None

Do not delete the agency used by an add-on, and ensure that the agency has not expired. Otherwise, the add-on may fail to function properly.

Configuring an Agency for an Add-on

You can use the default agency or a custom agency.

To create a default agency for an add-on, ensure that your account has the following IAM permissions:

  • iam:agencies:createAgency: for creating an agency
  • iam:permissions:grantRoleToAgency: for granting permissions to an agency

When installing an add-on, select Create automatically in the Agency Settings area. CCE will automatically create and use the default agency for the add-on. If the default agency already exists, it will not be created.

If you need to customize the permissions used by an add-on, you can use a custom agency. Ensure that the agency you create has been assigned all of the required permissions. Otherwise, the add-on may not function properly.

  • You need to create a custom agency of the cloud service type on the Agencies page of the IAM console and authorize it for CCE. For details, see Creating an Agency and Assigning Permissions.
  • You need to authorize the created custom agency. CCE has preset the permissions required for using add-ons as system policies. You can use the system policies for authorization or use custom policies.

When installing an add-on, select Use existing in the Agency Settings area and select one from the drop-down list.
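As an added example (not code from the CCE documentation or product), the following Python script checks a custom agency's policy grants against the per-component requirements listed in the table above, reporting missing policies (the add-on would fail), excess grants (a least-privilege violation), and expiry. The agency dict layout, the `expires` field, and the sample values are constructed for illustration and are not the IAM API schema.

```python
from datetime import date

# Required system policies per add-on component, copied from the
# "Default Agency" table on this page.
REQUIRED_POLICIES = {
    "everest-csi-controller": {
        "CCEClusterCSIEVSPolicy", "CCEClusterCSIOBSPolicy",
        "CCEClusterCSISFSGeneralPolicy", "CCEClusterCSISFSTurboPolicy",
        "CCEClusterResourceOrderPolicy", "CCEClusterCSIOBSEncryptionPolicy",
    },
    "everest-csi-driver": {"CCEClusterCSIEVSAttachPolicy", "CCEClusterCSIOBSMountPolicy"},
    "cluster-autoscaler": {"CCEClusterNodeAutoscalingPolicy"},
    "dew-provider": {"CCEClusterKMSPolicy"},
    "log-manager": {"CCEClusterLogPolicy"},
    "log-reporter": set(),  # needs no authorization content
}

def audit_agency(component, agency, today=None):
    """Compare an agency's granted policies with what `component` needs.

    `agency` is a constructed dict (not the IAM API schema) with keys:
    name, policies (list of system policy names), expires (ISO date or None).
    `today` is an ISO date string; defaults to the current date.
    """
    today_d = date.fromisoformat(today) if today else date.today()
    required = REQUIRED_POLICIES[component]
    granted = set(agency.get("policies", []))
    expires = agency.get("expires")
    expired = expires is not None and date.fromisoformat(expires) <= today_d
    return {
        "agency": agency["name"],
        "missing": sorted(required - granted),  # add-on cannot work without these
        "excess": sorted(granted - required),   # more than least privilege
        "expired": expired,                     # expired agency breaks the add-on
        "ok": not expired and not (required - granted),
    }

def minimal_policies(components):
    """Smallest policy set for one agency shared by several components."""
    policies = set()
    for c in components:
        policies |= REQUIRED_POLICIES[c]
    return sorted(policies)

# Constructed sample: one grant missing, one grant the driver does not need.
SAMPLE = {
    "name": "my-everest-driver-agency",
    "policies": ["CCEClusterCSIEVSAttachPolicy", "CCEClusterKMSPolicy"],
    "expires": "2027-01-01",
}

if __name__ == "__main__":
    print(audit_agency("everest-csi-driver", SAMPLE, today="2026-04-03"))
```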

System Policies

The following system policies are preset by CCE for add-on agency authorization:

  • CCEClusterResourceOrderPolicy: Permissions for automatically subscribing to yearly/monthly resources in a CCE cluster
  • CCEClusterCSIEVSPolicy: Permissions for using EVS volumes in a CCE cluster
  • CCEClusterCSIOBSPolicy: Permissions for using OBS volumes in a CCE cluster
  • CCEClusterCSIOBSEncryptionPolicy: Permissions for using encrypted OBS volumes in a CCE cluster, which are used only for CCE agency authorization
  • CCEClusterCSISFSGeneralPolicy: Permissions for using SFS 3.0 volumes in a CCE cluster
  • CCEClusterCSISFSTurboPolicy: Permissions for using SFS Turbo volumes in a CCE cluster
  • CCEClusterCSIEVSAttachPolicy: Permissions for mounting EVS volumes in a CCE cluster, which are used only for CCE agency authorization
  • CCEClusterCSIOBSMountPolicy: Permissions for mounting OBS volumes in a CCE cluster, which are used only for CCE agency authorization
  • CCEClusterKMSPolicy: Permissions for mounting encrypted credentials located outside the cluster to containers
  • CCEClusterLogPolicy: Permissions for using log collection in a CCE cluster
  • CCEClusterNodeAutoscalingPolicy: Permissions for using node auto scaling in a CCE cluster
  • CCEClusterVirtualKubeletPolicy: Permissions for using CCE Cloud Bursting Engine for CCI in a CCE cluster