CCE combines the advantages of IAM and RBAC to provide a variety of authorization methods, including IAM fine-grained/token authorization and cluster-/namespace-scoped authorization.
Policies that contain actions for both IAM and enterprise projects can be used and applied for both IAM and Enterprise Management. Policies that contain actions only for IAM projects can be used and applied to IAM only.
For example, to obtain an IAM token in the CN-Hong Kong region, obtain the endpoint of IAM (iam.ap-southeast-1.myhuaweicloud.com) for this region and the resource-path (/v3/auth/tokens) in the URI of the API used to obtain a user token.
Verification: You can use a secret of an IAM user to mount an OBS volume. Assume that a workload named obs-secret is created, the mount path in the container is /temp, and the IAM user has the CCE ReadOnlyAccess and Tenant Guest permissions.
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User: An IAM user is created using an account to use cloud services. Each IAM user has their own identity credentials (password and access keys).
{Endpoint} indicates the endpoint of IAM, which can be obtained from Endpoints. For details about API authentication, see Authentication. The following is an example response.
When using a token for authentication, cache it to prevent frequently calling the IAM API used to obtain a user token. A token specifies temporary permissions in a computer system.
Constraints: Only Huawei Cloud accounts, HUAWEI IDs, or IAM users with CCE administrator or FullAccess permissions can perform all operations using Alarm Center. IAM users with the CCE ReadOnlyAccess permission can only view all resources.
For IAM users, the Kubernetes permissions specified in the configuration file are the same as those assigned on the CCE console.
Only Huawei Cloud accounts, HUAWEI IDs, and IAM users in the admin user group can perform this operation. User-defined indicator HPA: Application metrics are automatically collected in the form of service discovery.
You can go to the IAM console, choose Agencies, and click cce_admin_trust to view the delegation records of each region. For details, see Account Delegation. CCE may fail to run as expected if the Tenant Administrator permissions are not assigned.