{IAM endpoint} specifies the IAM domain name of the current region. export PKR_VAR_auth_url='{IAM endpoint}'
Permissions management IAM authorization and RBAC-based namespace authorization are supported. For details, see Permissions Overview. IAM authorization manages access to cloud services, including CCE clusters and associated resources like VPC, ELB, and ECS resources.
When using a token for authentication, cache it to prevent frequently calling the IAM API used to obtain a user token. A token specifies temporary permissions in a computer system.
When installing web-terminal to use kubectl, you must log in using your cloud account or as an IAM user with the CCE Administrator permission. For details about how to control the kubectl permission, see Controlling web-terminal Permissions.
The Kubernetes permissions granted by the kubeconfig file that an IAM user downloads are the same as those assigned to that IAM user on the CCE console. In Linux, if the KUBECONFIG environment variable is set, kubectl loads the file it points to instead of $HOME/.kube/config.
Figure 1 Achieving cluster HA Secure: Integrated with IAM and Kubernetes RBAC, CCE clusters are under your full control. You can assign different RBAC permissions for IAM users on the console.
You can go to the IAM console, choose Security Settings > Critical Operations, and enable the protection functions. Resource Tag: You can add resource tags to classify resources. Cluster Description: specifies the description that you entered for a cluster.
To further enhance SWR's security and flexibility, fine-grained permissions control can be added to IAM users. For details about authorization management, see User Permissions. Scanning an Image Using SWR: With SWR, you can easily scan and secure your images with just a few clicks.
Current account: Grant permissions to a specific IAM account under the current account. Other accounts: Grant permissions to a specific IAM account under another account, entered as XXX (account ID)/XXX (IAM ID). Resources: Specify the authorized resources.
After you agree to delegate permissions, CCE uses IAM to create an agency named cce_admin_trust. This agency is granted Tenant Administrator permissions for the resources of other cloud services (excluding IAM).
metadata:
  name: debugger-binding
subjects:
- kind: User
  name: "xxx"    # User ID
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: ephemeral-debugger
  apiGroup: rbac.authorization.k8s.io
For details about how to obtain a user ID, see Obtaining Account, IAM
(Optional) Advanced Settings Figure 5 Advanced settings Parameter Description IAM Authentication CCE clusters support IAM authentication. You can call IAM authenticated APIs to access CCE clusters.
On the IAM console, a user deletes cce_admin_trust. All the preceding actions will cause CCE cluster functions to be abnormal. Proactive O&M CCE provides multi-dimensional monitoring and alarm reporting functions, allowing users to locate and rectify faults as soon as possible.
For details, see 1.d. access-key <Access key ID> Specifies the access key ID of an IAM user. It is used as the identity authentication information for accessing the storage. secret-key <Secret access key> Specifies the secret access key of an IAM user.
Only Huawei Cloud accounts, HUAWEI IDs, or IAM users with CCE administrator or FullAccess permissions can perform all operations using Alarm Center. IAM users with the CCE ReadOnlyAccess permission can only view all resources.
Prerequisites A cluster is available and the cluster version meets the following requirements: v1.21: v1.21.10-r0 or later v1.23: v1.23.8-r0 or later v1.25: v1.25.3-r0 or later Versions later than v1.25 To drain a node as an IAM user, you must have at least one of the following permissions
For example, CCE users are managed through Identity and Access Management (IAM). Service accounts in Kubernetes are a kind of namespace-level resources, just like pods and ConfigMaps.