检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
检测到您已登录华为云国际站账号,为了您更好的体验,建议您访问国际站服务网站 https://www.huaweicloud.com/intl/zh-cn
不再显示此消息
{Endpoint} indicates the endpoint of IAM, which can be obtained from Endpoints. For details about API authentication, see Authentication. The following is an example response.
It combines the advantages of Kubernetes Role-based Access Control (RBAC) authorization and Identity and Access Management (IAM) to provide a variety of authorization methods, including IAM fine-grained authorization, IAM token authorization, cluster-scoped authorization, and namespace-wide
{IAM endpoint} specifies the IAM domain name of the current region. export PKR_VAR_auth_url='{IAM endpoint}' Parent Topic: Cluster
Permissions management IAM authorization and RBAC-based namespace authorization are supported. For details, see Permissions Overview. IAM authorization manages access to cloud services, including CCE clusters and associated resources like VPC, ELB, and ECS resources.
When using a token for authentication, cache it to prevent frequently calling the IAM API used to obtain a user token. A token specifies temporary permissions in a computer system.
When installing web-terminal to use kubectl, you must log in using your cloud account or as an IAM user with the CCE Administrator permission. For details about how to control the kubectl permission, see Controlling web-terminal Permissions.
Figure 1 Achieving cluster HA Secure: Integrated with IAM and Kubernetes RBAC, CCE clusters are under your full control. You can assign different RBAC permissions for IAM users on the console.
The Kubernetes permissions assigned by the configuration file downloaded by IAM users are the same as those assigned to the IAM users on the CCE console. In Linux, if the KUBECONFIG environment variable is set, kubectl will load it instead of $home/.kube/config.
To further enhance SWR's security and flexibility, fine-grained permissions control can be added to IAM users. Scanning an Image Using SWR With SWR, you can easily scan and secure your images with just a few clicks.
To further enhance SWR's security and flexibility, fine-grained permissions control can be added to IAM users. For details about authorization management, see User Permissions.
You can go to the IAM console, choose Security Settings > Critical Operations, and enable the protection functions. Resource Tag: You can add resource tags to classify resources. Cluster Description: specifies the description that you entered for a cluster.
Current account: Grant permissions to a specific IAM account under the current account. Other accounts: Grant permissions to a specific IAM account under another account. Other accounts XXX(account ID)/XXX (IAM ID) Resources Specify the authorized resources.
After you agree to delegate permissions, CCE uses IAM to create an agency named cce_admin_trust. This agency is granted Tenant Administrator permissions for the resources of other cloud services (excluding IAM).
metadata: name: debugger-binding subjects: - kind: User name: "xxx" # User ID apiGroup: rbac.authorization.k8s.io roleRef: kind: ClusterRole name: ephemeral-debugger apiGroup: rbac.authorization.k8s.io For details about how to obtain a user ID, see Obtaining Account, IAM
After you agree to delegate permissions, CCE uses IAM to create an agency named cce_admin_trust. This agency is granted Tenant Administrator permissions for the resources of other cloud services (excluding IAM).
Only Huawei Cloud accounts, HUAWEI IDs, or IAM users with CCE administrator or FullAccess permissions can perform all operations using Alarm Center. IAM users with the CCE ReadOnlyAccess permission can only view all resources.
On the IAM console, a user deletes cce_admin_trust. All the preceding actions will cause CCE cluster functions to be abnormal. Proactive O&M CCE provides multi-dimensional monitoring and alarm reporting functions, allowing users to locate and rectify faults as soon as possible.
For details, see 1.d. access-key <Access key ID> Specifies the access key ID of an IAM user. It is used as the identity authentication information for accessing the storage. secret-key <Secret access key> Specifies the secret access key of an IAM user.
After you agree to delegate permissions, CCE uses IAM to create an agency named cce_admin_trust. This agency is granted Tenant Administrator permissions for the resources of other cloud services (excluding IAM).
Figure 10 Configuring advanced settings Table 10 Advanced settings Parameter Description Modifiable After Cluster Creation IAM Authentication CCE clusters support IAM authentication. You can call IAM authenticated APIs to access CCE clusters.
