Configuring Namespace-level Permissions for an IAM User

Application Scenarios

In a containerized environment, various teams and departments have different resource access needs. If the permissions are set too broadly, it can lead to issues like cross-environment occupation, misoperations, and resource competition. To address these problems, it is crucial to have precise control over permissions.

CCE permissions management offers fine-grained control over permissions using IAM and Kubernetes RBAC. It supports IAM-based fine-grained permissions control and IAM token authentication. With cluster-level and namespace-level permissions control, users' access to specific resources can be effectively restricted, ensuring resource isolation and security.

This example describes how to manage member account permissions at the namespace level. For more information about CCE permissions management, see Permissions.

Solution

Assume that there are an R&D and test team and an O&M team. The two teams need to access cluster A created by member account A and have different resource access requirements, which are listed in Table 2.

The details are as follows:

1. Create different user groups for different teams.
2. Assign different permissions to these user groups, which means, perform IAM and RBAC authorization.
   Figure 1 Solution details
   

Notes and Constraints

• Before granting permissions to user groups, you need to get familiar with the system policies listed in Permissions for CCE. To grant permissions for other services, you need to learn about all system-defined permissions supported by IAM.
• Users with the Security Administrator permission, which includes all permissions except IAM role switching, can manage authorization settings on the namespace permissions page on the CCE console. They can also view the current user group and its permissions. The admin user group, for example, has this permission by default.

Step 1: Create Users and User Groups

Member account A creates users and user groups for the R&D and test team and the O&M team, to make user and resource management easier. In this example, three users are created: development, test, and O&M users. You can create additional users as needed.

1. Log in to the management console.
2. Hover the cursor on the username in the upper right corner and choose Identity and Access Management from the drop-down list.
3. In the navigation pane, choose User Groups. In the upper right corner on the displayed page, click Create User Group.

   On the displayed page, enter a user group name and click OK.

   In this example, you need to create two user groups, for example, group1 (for the R&D and test team) and group2 (for the O&M team).

   The two new user groups are displayed in the user group list.

   Figure 2 Viewing the new user groups
   

4. In the navigation pane, choose Users. In the upper right corner on the displayed page, click Create User.

   Configure parameters in Set User Details as required and click Next. For details, see Figure 3.

   Select the user group to which the user is to be added and click Create.

   In this example, three users are created for the R&D, test, and O&M personnel. The R&D and test users are added to group1, and the O&M user is added to group2.

   The three new users are displayed in the user list, as shown in Figure 4.

   Figure 3 Creating a user
   
   Figure 4 Viewing the new users
   

Step 2: Perform IAM Authorization for the User Groups

Member account A grants IAM permissions to user groups group1 and group2 and manages user group permissions based on cloud services.

1. In the navigation pane, choose User Groups, locate the user group to be authorized, and click Authorize.
2. On the displayed page, select Cloud Container Engine (CCE) in the upper right corner.

   Select a policy as required. For more information about CCE FullAccess and CCE ReadOnlyAccess policies, see System-defined Policies.

   In this example, select the CCE FullAccess and CCE ReadOnlyAccess policies for group1, and select the CCE ReadOnlyAccess policy for group2.

   Figure 5 IAM authorization
   

3. Click Next, select a more refined scope as required (for example, All resources), and click OK.

   Table 3 Authorization scopes

   Solution	Description
   All resources	IAM users will be able to use all resources, including those in enterprise projects, region-specific projects, and global services under your account based on assigned permissions.
   Enterprise projects	IAM users will be able to use resources in the selected enterprise projects based on assigned permissions. For example, an enterprise project may contain resources that are deployed in different regions. After you associate the enterprise project with the IAM users, they can access the resources in this enterprise project based on the assigned permissions. IAM users will be able to use resources in the selected enterprise projects based on assigned permissions.
   Region-specific projects	IAM users will be able to use resources in the selected region-specific projects based on assigned permissions. IAM users will be able to use resources in the selected region-specific projects based on assigned permissions.

Step 3: Perform RBAC Authorization for the User Groups

Member account A performs RBAC authorization on the two user groups for namespace-level permissions management. This ensures that user groups with different roles have the minimum permissions, improving system security and management efficiency.

1. Click in the upper left corner and choose Cloud Container Engine to access the CCE console.
2. In the navigation pane, choose Permissions. In the right pane, select a cluster to be authorized and a namespace and click Add Permission in the upper right corner.
   Figure 6 Performing operations on the Permissions page
   

3. On the displayed page, confirm the cluster name, select the user or user group to be authorized, and select a namespace to be used for cluster authorization. In this example, select the default namespace for group1 and the test namespace for group2.

   You can select a permission type based on your requirements. For details about permission types, see Namespace Permissions (Kubernetes RBAC-based). In this example, you can select Custom.

   1. Click Add Custom Role.
   2. Configure the custom role. Table 4 lists the custom role parameters of group1 and group2.
      Figure 7 Adding a custom role
      

      Table 4 Description

      Parameter	Example	Description
      Name	group1: example1 group2: example2	Name of a custom role
      Type	group1: Role group2: Role	Custom roles are classified into ClusterRole and Role. Each ClusterRole or Role contains a group of rules that represent related permissions. For details, see Using RBAC Authorization. ClusterRole: a cluster-level resource that can be used to configure cluster access permissions. Role: used to configure access permissions in a namespace. When creating a Role, specify the namespace to which the Role belongs. In this example, you only need to configure namespace permissions. Therefore, you can choose Role.
      Rule	group1: get, list, watch: persistentvolumeclaims *: resources except persistentvolumeclaims group2: get, list, watch: *	The information on the left indicates the permissions to be granted. The right part indicates the resources to which the permissions are granted. You can configure this parameter based on the actual requirements.

   3. Click OK.

4. On the Add Permission page, select the newly created role for Custom and click OK.

   In this example, two permissions, example1 and example2, need to be created and assigned to group1 and group2, respectively.

   The new permissions are displayed in the permissions list.

   Figure 8 Viewing the permissions list
   

Step 4: Verify Permissions

Log in to the management console as the user created using Step 1: Create Users and User Groups and check whether the user has the required permissions. This section uses the develop user created previously as an example to verify whether the permissions have been configured.

1. Bind a mobile number following instructions and verify the login. Whether or not a mobile number needs to be linked to an account depends on the choice made during the initial setup of basic user information.
   Reset the password following instructions (required for the first login).

   Figure 9 Logging in to the management console
   

2. Click in the upper left corner and choose Cloud Container Engine to access the CCE console.
3. Check whether the develop user can access other clusters except cce-example.

   Click the name of another cluster. If you see a message stating that the user does not have the necessary permissions, it means the user cannot access other clusters.

   Figure 10 No permissions
   

4. Check whether the develop user can access the cce-example cluster.

   Click the name of the cce-example cluster to access the cluster console. In the navigation pane, choose Namespace. In the right pane, only the default namespace (namespace for which permissions are configured) is displayed.

   Figure 11 Viewing namespaces
   

5. Check whether the develop user can create a PVC.

   In the navigation pane, choose Storage. In the right pane, click the PVs tab and click Create PVC in the upper right corner.

   In the window that slides out from the right, configure related parameters and click Create. A message is displayed, indicating that the user does not have the permissions. The develop user only has permissions to view the PVCs, but does not have permissions to perform any operations on them because of the permissions configured in Step 3: Perform RBAC Authorization for the User Groups.

   Figure 12 PVC creation failed due to insufficient permissions
   

6. Check whether the develop user can upgrade a workload.

   In the navigation pane, choose Workloads. In the workload list, locate the row containing the wordpress1 workload and click Upgrade.

   Change the original image tag from php7.3 to latest and click Upgrade Workload.

   Figure 13 Changing the image tag of a workload
   
   In the workload list, check whether the image tag of wordpress1 has been changed to latest. If it is, the workload has been upgraded, and the operation permissions of the develop user have been configured successfully.

   Figure 14 wordpress1 after upgrade
   

Step 5: Clear Resources

If a user group no longer requires permissions, you can delete the permissions of the user group using member account A or even delete the created user and user group.

1. Delete RBAC authorization.

   Log in as member account A.

   Click in the upper left corner and choose Cloud Container Engine to access the CCE console.

   In the navigation pane, choose Permissions. On the page displayed, select a cluster and a namespace.

   In the permissions list, locate the row containing the target permission and click Delete. In the dialog box displayed, click Yes.

2. Delete a user group.

   Hover the cursor on the username in the upper right corner and choose Identity and Access Management from the drop-down list.

   In the navigation pane, choose User Groups. In the right pane, locate the row containing the target user group and click Delete.

   In the displayed dialog box, enter DELETE and click OK.

3. Delete a user.

   In the navigation pane, choose Users. In the right pane, locate the row containing the target user and click Delete. You can also click Edit to disable the user and enable it again as required.

   In the displayed dialog box, enter DELETE and click OK.