System Agencies

CCE works closely with multiple cloud services to support compute, storage, networking, and monitoring functions. When you log in to the CCE console for the first time, CCE automatically requests permissions to access those cloud services in the region where you run your applications. Specifically:

Compute services
When you create a node in a cluster, a cloud server is created accordingly. The prerequisite is that CCE has obtained the permissions for accessing ECS and BMS.
Storage services
CCE allows you to mount storage to nodes and containers in a cluster. The prerequisite is that CCE has obtained the permissions for accessing services such as EVS, SFS, and OBS.
Networking services
CCE allows containers in a cluster to be published as services that can be accessed by external systems. The prerequisite is that CCE has obtained the permissions for accessing services such as VPC and ELB.
Container and monitoring services
CCE supports functions such as container image pull, monitoring, and logging. The prerequisite is that CCE has obtained the permissions for accessing services such as SWR and AOM.

After you agree to the entrustment, CCE automatically creates an agency in IAM to delegate other resource operation permissions in your account to Huawei Cloud CCE. For details, see Delegating Another Account for Resource Management.

The agencies automatically created by CCE are as follows:

Agency	Description	Applicable Cluster Version
cce_admin_trust	It has the permission to call all cloud services that CCE depends on, with the exception of IAM.	All. CCEServiceAgency is preferred when available.
cce_cluster_agency	It is authorized to operate only the cloud services required by CCE to generate temporary access credentials used by components in CCE clusters.	v1.21 and later Deprecated in v1.28.15-r90, v1.29.15-r50, v1.30.14-r50, v1.31.14-r10, v1.32.9-r10, v1.33.7-r10, v1.34.3-r0, and later
hss_policy_trust	It automatically grants cluster management permission to HSS after HSS is enabled for clusters.	v1.19.16-r0, v1.21.2-r0, and later
CCEServiceAgency	It provides temporary access credentials for CCE, including the minimum permissions required by CCE to manage clusters and node lifecycles.	All
CCEAutoClusterAgency	It provides temporary access credentials for the cluster control plane, including the minimum permissions required by basic functions in clusters.	v1.28.15-r90, v1.29.15-r50, v1.30.14-r50, v1.31.14-r10, v1.32.9-r10, v1.33.7-r10, v1.34.3-r0, and later
CCENodeAgency	It provides temporary access credentials, such as SWR image repository credentials and IAM credentials, to components running on user nodes in CCE clusters.	v1.28.15-r80, v1.29.15-r40, v1.30.14-r40, v1.31.14-r0, v1.32.9-r0, v1.33.7-r0, v1.34.2-r0, and later

If these agencies do not meet your requirements, you need to re-authorize CCE to create new ones or update the agencies. Based on the principle of least privilege (PoLP), an IAM user must have the following IAM operation permissions when creating or updating an agency:

iam:agencies:createAgency: for creating an agency
iam:permissions:revokeRoleFromAgencyOnProject: for removing permissions of an agency for a region-specific project
iam:permissions:grantRoleToAgencyOnProject: for granting permissions to an agency for a region-specific project
iam:permissions:grantRoleToAgency: for granting permissions to an agency
iam:roles:createRole: for creating a custom policy
iam:roles:updateRole: for modifying a custom policy

For details about how to add custom permissions for cloud services, see Example Custom Policies.

cce_admin_trust

The cce_admin_trust agency has permission to call all cloud services that CCE depends on, such as creating a cluster or node. This delegation of permissions only applies to the current region.

To use CCE in multiple regions, request cloud resource permissions in each region. You can go to the IAM console, choose Agencies and click cce_admin_trust to view the permissions of each region.

To ensure CCE functions properly, do not delete or modify the cce_admin_trust agency in IAM. CCE depends on multiple cloud services, and removing this agency may cause insufficient permissions and affect normal service operations.

CCE has updated the cce_admin_trust agency permissions to enhance security while accommodating dependencies on other cloud services. The new permissions no longer include Tenant Administrator permissions. This update is only available in certain regions. If your clusters are of v1.21 or later, a message will appear on the console asking you to re-grant permissions. After re-granting, the cce_admin_trust agency will be updated to include only the necessary cloud service permissions, with the Tenant Administrator permissions removed.

When creating the cce_admin_trust agency, CCE creates a custom policy named CCE admin policies. Do not delete this policy.

cce_cluster_agency

cce_cluster_agency is authorized to operate only the cloud services required by CCE to generate temporary access credentials used by components in CCE clusters. This agency permission will be used when cloud service resources that CCE depends on are automatically created in a cluster, for example, when an ingress or dynamic storage volume is created.

The cce_cluster_agency agency supports clusters of v1.21 or later.
When creating the cce_cluster_agency agency, CCE creates a custom policy named CCE cluster policies. Do not delete this policy.

If the permissions of the cce_cluster_agency agency are different from those expected by CCE, the console displays a message indicating that the permissions have changed and you need to re-authorize the agency.

Click to enlarge

The cce_cluster_agency agency may be re-authorized in the following scenarios:

The permissions on which CCE components depend may change with versions. For example, if a new component depends on new permissions, CCE will update the expected permission list and you need to grant permissions to cce_cluster_agency again.
When you manually modify the permissions of the cce_cluster_agency agency, the permissions of the agency are different from those expected by CCE. In this case, a message is displayed, asking you to re-authorize the agency. If you re-authorize the agency, the manually modified permissions may become invalid.

hss_policy_trust

After HSS is enabled, CCE will automatically create a CCEOperatePolicy policy and assign it to the hss_policy_trust agency.

CCEOperatePolicy permissions:

{
    "Version": "1.1",
    "Statement": [
        {
            "Action": [
                "cce:cluster:get",
                "cce:cluster:list",
                "iam:agencies:listAgencies"
            ],
            "Effect": "Allow"
        }
    ]
}

ClusterRole hss-cluster-role will be automatically created in the cluster with HSS enabled.

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: hss-cluster-role
rules:
  - verbs:
      - '*'
    apiGroups:
      - '*'
    resources:
      - daemonsets
      - namespaces
      - configmaps
      - nodes

CCEServiceAgency

CCEServiceAgency provides temporary access credentials for CCE, including the minimum permissions required by CCE to manage clusters and node lifecycles. It is used for operations such as cluster creation, update, specification change, deletion, node pool scaling, and event and alarm reporting.

CCEServiceAgency uses All resources as the authorization scope and is granted the CCEManagedPolicy system policy.

It is not advised to delete or modify CCEServiceAgency in IAM while using CCE.
When you access the Clusters page of the CCE console, the system automatically checks whether CCEServiceAgency exists. If it does not exist, an Authorization dialog box appears. You must complete the authorization again, or the system will automatically create the agency when you create a new cluster.

CCEAutoClusterAgency

CCEAutoClusterAgency provides temporary access credentials for the cluster control plane, including the minimum permissions required by basic functions in clusters. It is used to manage node statuses, report cluster events and alarms, create Services, and use load balancers for ingresses.

CCEAutoClusterAgency uses All resources as the authorization scope and is granted the system policies below. For details, see System Policies.

CCEClusterManagedPolicy
CCEClusterTurboNetworkingPolicy
CCEClusterVPCNetworkingPolicy
CCEClusterGEIPPolicy
CCEClusterLoadBalancingPolicy

It is not advised to delete or modify CCEAutoClusterAgency in IAM while using CCE.
CCEAutoClusterAgency is used only for clusters of v1.28.15-r90, v1.29.15-r50, v1.30.14-r50, v1.31.14-r10, v1.32.9-r10, v1.33.7-r10, v1.34.3-r0, or later. When you create or upgrade a cluster to one of these versions or later, select Use system-recommended. If CCEAutoClusterAgency is not available, CCE will automatically create it.

CCENodeAgency

CCENodeAgency provides temporary access credentials, such as SWR image repository credentials and IAM credentials, to components running on user nodes in CCE clusters. It is used when pulling images with default-secret, creating nodes, or obtaining workload credentials via pod identities.

CCENodeAgency uses All resources as the authorization scope and is granted the CCEClusterNodePolicy system policy. For details, see System Policies.

It is not advised to delete or modify CCENodeAgency in IAM while using CCE.
CCENodeAgency is required only for clusters v1.28.15-r80, v1.29.15-r40, v1.30.14-r40, v1.31.14-r0, v1.32.9-r0, v1.33.7-r0, v1.34.2-r0, or later. When you create or upgrade a cluster to one of these versions or later, the agency will be created automatically if it does not exist.

Parent Topic: CCE Agencies

Previous topic: CCE Agencies

Next topic: Custom Agencies for Clusters

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

For any further questions, feel free to contact us through the chatbot.

Chatbot