Help Center> Cloud Container Engine> User Guide> User Guide for Standard and Turbo Clusters> Permissions> System Entrustment Description
Updated on 2024-06-26 GMT+08:00
View PDF

System Entrustment Description

CCE works closely with multiple cloud services to support compute, storage, networking, and monitoring functions. When you log in to the CCE console for the first time, CCE automatically requests permissions to access those cloud services in the region where you run your applications. Specifically:
  • Compute services

    When you create a node in a cluster, a cloud server is created accordingly. The prerequisite is that CCE has obtained the permissions for accessing Elastic Cloud Service (ECS) and Bare Metal Server (BMS).

  • Storage services

    CCE allows you to mount storage to nodes and containers in a cluster. The prerequisite is that CCE has obtained the permissions for accessing services such as Elastic Volume Service (EVS), Scalable File Service (SFS), and Object Storage Service (OBS).

  • Networking services

    CCE allows containers in a cluster to be published as services that can be accessed by external systems. The prerequisite is that CCE has obtained the permissions for accessing services such as Virtual Private Cloud (VPC) and Elastic Load Balance (ELB).

  • Container and monitoring services

    CCE supports functions such as container image pull, monitoring, and logging. The prerequisite is that CCE has obtained the permissions for accessing services such as SoftWare Repository for Container (SWR) and Application Operations Management (AOM).

After you agree to the entrustment, CCE automatically creates an agency in IAM to delegate other resource operation permissions in your account to Huawei Cloud CCE. For details, see Account Delegation.

The agencies automatically created by CCE are as follows:

cce_admin_trust

The cce_admin_trust agency has the Tenant Administrator permissions. Tenant Administrator has the permissions on all cloud services except IAM, which are used to call the cloud services that CCE depends on. The delegation takes effect only in the current region.

To use CCE in multiple regions, request for cloud resource permissions in each region. You can go to the IAM console > and click cce_admin_trust to view the permissions of each region.

CCE may fail to run as expected if the Tenant Administrator role is not assigned. Therefore, do not delete or modify the cce_admin_trust agency when using CCE.

cce_cluster_agency

The cce_cluster_agency agency contains only the cloud service resource operation permissions required by CCE components. It generates temporary access credentials used by components in CCE clusters.

  • The cce_cluster_agency agency supports clusters of v1.21 or later.
  • When you create the cce_cluster_agency agency, a custom policy named CCE cluster policies is automatically created. Do not delete this policy.

If the permissions of the cce_cluster_agency agency are different from those expected by CCE, the console displays a message indicating that the permissions have changed and you need to re-authorize the agency.

The cce_cluster_agency agency may be re-authorized in the following scenarios:

  • The permissions on which CCE components depend may change with versions. For example, if a new component depends on new permissions, CCE will update the expected permission list and you need to grant permissions to cce_cluster_agency again.
  • When you manually modify the permissions of the cce_cluster_agency agency, the permissions of the agency are different from those expected by CCE. In this case, a message is displayed, asking you to re-authorize the agency. If you re-authorize the agency, the manually modified permissions may become invalid.
Parent topic: Permissions