When there are both IAM projects and enterprise projects, IAM preferentially matches the IAM project policies.
If an IAM user is required to grant cluster namespace permissions to other users or user groups, the user must have the IAM read-only permission.
IAM authentication is not required for running kubectl commands. Therefore, you can run kubectl commands without configuring cluster management (IAM) permissions. However, you need to obtain the kubectl configuration file (kubeconfig) with the namespace permissions.
Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only.
For example, to obtain an IAM token in the CN-Hong Kong region, obtain the endpoint of IAM (iam.ap-southeast-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
service, the temporary IAM access key in a cluster expires.
However, IAM users created by your accounts do not have the permissions. You need to manually assign the permissions to IAM users. For details, see Permissions Overview.
Create an identity provider on the IAM console. Deploy the application and bind it with the identity provider. Use the OIDC token to access IAM and obtain the IAM token (implemented by you). Use the IAM token to access cloud services (implemented by you).
As a result, all IAM users within your account will use the same key to mount OBS buckets and will have identical permissions on those buckets. This setting therefore does not allow you to assign different permissions to individual IAM users.
IAM users with IAM ReadOnlyAccess, CCE FullAccess, or CCE ReadOnlyAccess assigned can directly use this function.
Creating an IAM User and User Group
Log in to IAM and create an IAM user named user-example and a user group named cce-role-group. For details about how to create an IAM user and user group, see Creating IAM Users and Creating User Groups.
Administrators of the IAM Admin user group can grant cluster management permissions (such as CCE Administrator and CCE FullAccess) to IAM users or grant namespace permissions on a cluster on the CCE console.
Operations Performed by IAM Users
IAM users can only revoke their own credentials. To revoke a credential, perform the following operations: Log in to the CCE console and click the cluster name to access the cluster console. Choose Overview in the navigation pane.
Only the users with the IAM permissions can download the cluster certificate. Note that information leakage may occur during certificate transmission.
subjects:
- kind: User
  name: 0c97ac3cb280f4d91fa7c0096739e1f8 # User ID of the user-example
  apiGroup: rbac.authorization.k8s.io
The subjects section binds a Role with an IAM user so that the IAM user can obtain the permissions defined in the Role, as shown in the following figure.
Assigned To: CCE
Permission: IAM ReadOnlyAccess
Description: IAM users need to access Monitoring Center and Alarm Center.
Therefore, you can log in to the IAM console, create a user group named cce-sre-b4 and assign CCE FullAccess to William for his region.
However, IAM users created by a Huawei Cloud account do not have permissions. You need to manually grant the permissions to IAM users. For details, see Permissions Overview. Create a cluster. For details on how to create a Kubernetes cluster, see Creating a Kubernetes Cluster.
Permissions
Permissions Overview
Granting Cluster Permissions to an IAM User
Namespace Permissions (Kubernetes RBAC-based)
Example: Designing and Configuring Permissions for Users in a Department
Permission Dependency of the CCE Console
Service Account Token Security Improvement
System