Help Center/ Cloud Container Engine/ User Guide/ Permissions/ Example: Designing and Configuring Permissions for Users in a Department
Updated on 2024-08-16 GMT+08:00

Example: Designing and Configuring Permissions for Users in a Department

Overview

The conventional distributed task scheduling mode is being replaced by Kubernetes. CCE allows you to easily deploy, manage, and scale containerized applications in the cloud by providing support for you to use Kubernetes.

To help enterprise administrators manage resource permissions in clusters, CCE provides multi-dimensional, fine-grained permission policies and management measures. CCE permissions are described as follows:

  • Cluster-level permissions: allowing a user group to perform operations on clusters, nodes, node pools, charts, and add-ons. These permissions are assigned based on IAM system policies.
  • Namespace-level permissions: allowing a user or user group to perform operations on Kubernetes resources, such as workloads, networking, storage, and namespaces. These permissions are assigned based on Kubernetes RBAC.

Cluster permissions and namespace permissions are independent of each other but must be used together. The permissions set for a user group apply to all users in the user group. When multiple permissions are added to a user or user group, they take effect at the same time (the union set is used).

Permission Design

The following uses company X as an example.

Generally, a company has multiple departments or projects, and each department has multiple members. Design how permissions are to be assigned to different groups and projects, and set a user name for each member to facilitate subsequent user group and permissions configuration.

The following figure shows the organizational structure of a department in a company and the permissions to be assigned to each member:

Director: David

David is a department director of company X. To assign him all CCE permissions (both cluster and namespace permissions), create the cce-admin user group for David on the IAM console and assign the CCE Administrator role.

CCE Administrator: This role has all CCE permissions. You do not need to assign other permissions.

CCE FullAccess and CCE ReadOnlyAccess: These policies are related to cluster management permissions and configured only for cluster-related resources (such as clusters and nodes). You must also configure namespace permissions to perform operations on Kubernetes resources (such as workloads and Services).

Figure 1 Assigning permissions to the user group to which David belongs

O&M Leader: James

James is the O&M team leader of the department. He needs the cluster permissions for all projects and the read-only permissions for all namespaces.

To assign the permissions, create a user group named cce-sre on the IAM console and add James to this user group. Then, assign CCE FullAccess to the user group cce-sre to allow it to perform operations on clusters in all projects.

Figure 2 Assigning permissions to the user group to which James belongs

Assigning Read-only Permissions on All Clusters and Namespaces to All Team Leaders and Engineers

You can create a read-only user group named read_only on the IAM console and add users to the user group.

  • Although the development engineers Linda and Peter do not require cluster management permissions, they still need to view data on the CCE console. Therefore, the read-only cluster permission is required.
  • For the O&M engineer William, assign the read-only permission on clusters to him in this step.
  • The O&M team leader James already has the management permissions on all clusters. You can add him to the read_only user group to assign the read-only permission on clusters to him.

Users James, Robert, William, Linda, and Peter are added to the read_only user group.

Figure 3 Adding users to the read_only user group

Assign the read-only permission on clusters to the user group read_only.

Figure 4 Assigning the read-only permission on clusters to the user group

Return to the CCE console, and add the read-only permission on namespaces to the user group read_only to which the five users belong. Choose Permissions on the CCE console, and assign the read-only policy to the user group read_only for each cluster.

Figure 5 Assigning the read-only permission on namespaces to the user group

After the setting is complete, James has the cluster management permissions for all projects and the read-only permissions on all namespaces, and the Robert, William, Linda, and Peter have the read-only permission on all clusters and namespaces.

Development Team Leader: Robert

In the previous steps, Robert has been assigned the read-only permission on all clusters and namespaces. Now, assign the administrator permissions on all namespaces to Robert.

Therefore, assign the administrator permissions on all namespaces in all clusters to Robert.

Figure 6 Assigning the administrator permissions on namespaces to Robert

O&M Engineer: William

In the previous steps, William has been assigned the read-only permission on all clusters and namespaces. He also requires the cluster management permissions in his region. Therefore, you can log in to the IAM console, create a user group named cce-sre-b4 and assign CCE FullAccess to William for his region.

Figure 7 Assigning the cluster management permissions for Beijing4 region to the user group to which WILLIAM belongs

Now, William has the cluster management permissions for his region and the read-only permission on all namespaces.

Development Engineers: Linda and Peter

In the previous steps, Linda and Peter have been assigned the read-only permission on clusters and namespaces. Therefore, you only need to assign the edit policy to them.

Figure 8 Assigning the edit policy on namespaces

By now, all the required permissions are assigned to the department members.