You can go to the IAM console and click cce_admin_trust to view the permissions of each region. CCE may fail to run as expected if the Tenant Administrator role is not assigned.
Log in to the IAM console. In the navigation pane, choose Permissions > Policies/Roles. Then click Create Custom Policy. Configure parameters for the policy. Policy Name: Set it to CCE Subscribe Operator. Policy View: Select JSON.
It combines the advantages of Identity and Access Management (IAM) and Kubernetes Role-based Access Control (RBAC) authorization to provide a variety of authorization methods, including IAM fine-grained authorization, IAM token authorization, cluster-scoped authorization, and namespace-wide
If you need to create multiple IAM users, configure the permissions of the IAM users and namespaces properly. For details about how to configure cluster permissions, see Cluster Permissions (IAM-based).
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User An IAM user is created using an account to use cloud services. Each IAM user has their own identity credentials (password and access keys).
Follow the principle of least privilege when granting permissions to IAM users. Use RBAC policies to restrict access to the pods/exec, pods/attach, pods/portforward, and proxy resources.
If you do not have IAM permissions, you cannot select users or user groups when configuring permissions for other users or user groups. In this case, you can enter a user ID or user group ID. Figure 1 Configuring namespace permissions Permissions can be customized as required.
Table 1 Resource permissions. Assigned To: CCE. Permission: IAM ReadOnlyAccess. Description: IAM users need to access Cloud Native Cost Governance.
{Endpoint} indicates the endpoint of IAM, which can be obtained from Endpoints. For details about API authentication, see Authentication. The following is an example response.
It combines the advantages of Kubernetes Role-based Access Control (RBAC) authorization and Identity and Access Management (IAM) to provide a variety of authorization methods, including IAM fine-grained authorization, IAM token authorization, cluster-scoped authorization, and namespace-wide
{IAM endpoint} specifies the IAM domain name of the current region. export PKR_VAR_auth_url='{IAM endpoint}'
The Kubernetes permissions assigned by the configuration file downloaded by IAM users are the same as those assigned to the IAM users on the CCE console.
When using a token for authentication, cache it to prevent frequently calling the IAM API used to obtain a user token. A token specifies temporary permissions in a computer system.
You can go to the IAM console, choose Security Settings > Critical Operations, and enable the protection functions. Resource Tag: You can add resource tags to classify resources. Cluster Description: specifies the description that you entered for a cluster.
Figure 1 Achieving cluster HA Secure: Integrating IAM and Kubernetes RBAC, CCE clusters are under your full control. You can set different RBAC permissions for IAM users on the console.
When installing web-terminal to use kubectl, you must log in using your cloud account or as an IAM user with the CCE Administrator permission. For details about how to control the kubectl permission, see Controlling web-terminal Permissions.
(Optional) Advanced Settings Parameter Description IAM Authentication CCE clusters support IAM authentication. You can call IAM authenticated APIs to access CCE clusters.
To further enhance SWR's security and flexibility, fine-grained permissions control can be added to IAM users. For details about authorization management, see User Permissions.
Current account: Grant permissions to a specific IAM account under the current account. Other accounts: Grant permissions to a specific IAM account under another account, specified as XXX (account ID)/XXX (IAM ID). Resources: Specify the authorized resources.
On the IAM console, a user deletes cce_admin_trust. All the preceding actions will cause CCE cluster functions to be abnormal. Proactive O&M CCE provides multi-dimensional monitoring and alarm reporting functions, allowing users to locate and rectify faults as soon as possible.