Operations Performed by IAM Users
IAM users can only revoke their own credentials. To revoke a credential, perform the following operations: Log in to the CCE console and click the cluster name to access the cluster console. Choose Overview in the navigation pane.
Only the users with the IAM permissions can download the cluster certificate. Note that information leakage may occur during certificate transmission. Parent topic: Permissions
kind: User
name: 0c97ac3cb280f4d91fa7c0096739e1f8 # User ID of the user-example
apiGroup: rbac.authorization.k8s.io

The subjects section binds a Role with an IAM user so that the IAM user can obtain the permissions defined in the Role, as shown in the following figure.
Therefore, you can log in to the IAM console, create a user group named cce-sre-b4 and assign CCE FullAccess to William for his region.
However, IAM users created by a Huawei Cloud account do not have permissions. You need to manually grant the permissions to IAM users. For details, see Permissions Overview. Create a cluster. For details on how to create a Kubernetes cluster, see Creating a Kubernetes Cluster.
Permission Configuring kubeconfig for Fine-Grained Management on Cluster Resources Configuring Namespace-level Permissions for an IAM User Performing RBAC Authentication on a Namespace Using kubectl Commands
Permissions Permissions Overview Granting Cluster Permissions to an IAM User Namespace Permissions (Kubernetes RBAC-based) Using the AccessPolicy API to Manage Namespace Permissions (Kubernetes RBAC-based) Example: Designing and Configuring Permissions for Users in a Department Permission
After you agree to the entrustment, CCE automatically creates an agency in IAM to delegate other resource operation permissions in your account to Huawei Cloud CCE. For details, see Account Delegation.
Log in to the IAM console. In the navigation pane, choose Permissions > Policies/Roles. Then click Create Custom Policy. Configure parameters for the policy. Policy Name: Set it to CCE Subscribe Operator. Policy View: Select JSON.
Why Can't an IAM User Make API Calls? What Is an OBS Global Access Key and How Do I Check Whether a Global Access Key Is Used in a Cluster?
Permissions Before Optimization
Table 1 cia_admin_trust permissions
Granted To: CCE. Policy/Role: IAM ReadOnlyAccess. Description: IAM users need to be able to access Monitoring Center and Alarm Center.
It combines the advantages of Identity and Access Management (IAM) and Kubernetes Role-based Access Control (RBAC) authorization to provide a variety of authorization methods, including IAM fine-grained authorization, IAM token authorization, cluster-scoped authorization, and namespace-wide
If you need to create multiple IAM users, configure the permissions of the IAM users and namespaces properly. For details about how to configure cluster permissions, see Cluster Permissions (IAM-based).
For security purposes, create Identity and Access Management (IAM) users and grant them permissions for routine management. User An IAM user is created using an account to use cloud services. Each IAM user has their own identity credentials (password and access keys).
Follow the principle of least privilege when granting permissions to IAM users. Use RBAC policies to restrict access to the pods/exec, pods/attach, pods/portforward, and proxy resources. Parent topic: Vulnerability Notices
If you do not have IAM permissions, you cannot select users or user groups when configuring permissions for other users or user groups. In this case, you can enter a user ID or user group ID. Figure 1 Configuring namespace permissions Permissions can be customized as required.
Table 1 Resource permissions
Assigned To: CCE. Permission: IAM ReadOnlyAccess. Description: IAM users need to access Cloud Native Cost Governance.