Permissions Management for CCI
CCI permissions management allows you to grant permissions to your IAM users and user groups. It combines the advantages of Kubernetes Role-based Access Control (RBAC) authorization and Identity and Access Management (IAM) to provide a variety of authorization methods, including IAM fine-grained authorization, IAM token authorization, namespace-level authorization, and namespaced resource authorization.
- Namespace-level permissions: permissions granted based on Kubernetes RBAC roles. You can authorize users or user groups to perform operations on Kubernetes resources under specific namespace.
- CCI permissions: permissions granted based on IAM fine-grained authorization. You can authorize users to perform operations on namespaces, such as creating and deleting namespaces.
- CCI does not support Landing Zone.
- If you enable RBAC when you create a namespace, access to resources under the namespace is controlled by RBAC policies. If RBAC is disabled, RBAC policies will not take effect.
- After you create a namespace with RBAC enabled, you must authorize IAM users to perform operations on the namespace.
- The network, ClusterRole, and RoleBinding resources are not affected by RBAC policies but are controlled only by IAM fine-grained authentication. The network resources are controlled by network-related actions, and ClusterRole and RoleBinding are controlled by RBAC-related actions.
- You can grant permissions for all namespaces of an IAM user at the same time.
- If both system roles (IAM RBAC authorization) and custom policies (IAM fine-grained authorization) are used, the permissions granted using IAM RBAC authorization take precedence over those granted using IAM fine-grained authorization.
Namespace Permissions
Kubernetes RBAC APIs define four objects: Role, ClusterRole, RoleBinding, and ClusterRoleBinding. Currently, CCI supports only ClusterRole and RoleBinding. The two objects are described as follows:
- ClusterRole specifies which actions can be performed on which resources. In the RBAC API, a role contains rules that represent a set of permissions. A role within a Kubernetes cluster is defined by a ClusterRole.
- RoleBinding binds roles to subjects (including users and user groups). A RoleBinding grants the permissions defined in a role to a user or user group. The user or group has the permissions granted through the bound ClusterRole.
|
Type |
Description |
|---|---|
|
ClusterRole |
A ClusterRole can be used to grant access to resources in a cluster. |
|
RoleBinding |
A RoleBinding binds a ClusterRole to subjects (users) in a namespace, granting the ClusterRole's permissions to those users. |
Currently, you can only use ClusterRole to create a RoleBinding in a namespace.
Currently, there are four roles: cluster-admin, admin, edit, and view. For details, see Table 2.
|
Default ClusterRole |
Description |
|---|---|
|
cluster-admin |
Allows access to all Kubernetes resource objects. |
|
admin |
Allows admin access that can be granted within a namespace using a RoleBinding. If used in a RoleBinding, it allows read/write access to most resources in a namespace. It does not allow write access to resource quota or to the namespace itself. |
|
edit |
Allows read/write access to most resources in a namespace. |
|
view |
Allows read-only access to most objects in a namespace. It does not allow access to secrets. |
For more information about Kubernetes RBAC authorization, see Using RBAC Authorization.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
