Cluster OIDC Authentication
This article introduces OIDC authentication for CCE clusters, how to enable it, and how to use it together with RBAC.
Authentication
- OIDC authentication in a CCE cluster is backed by Baidu AI Cloud IAM identity authentication. Both IAM users (sub-accounts) and IAM roles can be authenticated.
- By default a CCE cluster supports only X.509 certificate-based authentication. Only clusters created with the new version of CCE offer the option to enable OIDC authentication at creation time.
- Enabling OIDC authentication does not remove X.509 certificate-based authentication; existing certificate-based access to the cluster keeps working alongside OIDC.
- Once OIDC authentication is enabled, cluster resources can also be operated through an IAM role obtained via AssumeRole.
Activation Steps
- Create a cluster. Log in to the Baidu AI Cloud console and go to "Product Services > Cloud Container Engine CCE". In the left navigation bar, click "Cluster Management > Cluster List > Create Cluster (New Version)" to open the cluster creation page.
- In the advanced settings, check "OIDC authentication", then follow the remaining steps to finish creating the cluster.
- On the cluster list page, download the OIDC-based KubeConfig file. With this file you access the cluster through OIDC authentication.
- Before operating cluster resources through this KubeConfig or directly in the console, make sure that the sub-account performing the operation (when accessing as a sub-user), or the IAM Role the user switches to (when accessing through AssumeRole), has already been granted the corresponding RBAC permissions. See "Access Control" below for details.
Access Control
OIDC only solves cluster authentication. Once a request is authenticated, authorization takes over (generally based on RBAC), so the corresponding RBAC permissions must be bound to the user or IAM Role in advance before cluster resources can be operated.
Master Account
The master account has the cluster administrator permission by default, i.e., the master account can operate all the cluster resources without binding RBAC permission.
Subaccounts
RBAC permissions can be bound to a sub-account in either of the following two ways:
- Binding RBAC permissions for sub-accounts through the CCE console. For details, refer to: Sub-accounts RBAC Permissions Configuration
- Manually create ClusterRole/Role and ClusterRoleBinding/RoleBinding objects in the cluster. For details, refer to the Kubernetes RBAC [official documentation](https://kubernetes.io/docs/reference/access-authn-authz/rbac/). An example:

```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: custom-cluster-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: custom-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: custom-cluster-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: 294ae2c68794fb1ab58e71fbc8ef338
```

Note: In ClusterRoleBinding/RoleBinding, subjects.kind = User and subjects.name = sub-account ID. Because the example binds the ClusterRole with a RoleBinding in the "default" namespace, the sub-account can only read pods in "default"; to grant the ClusterRole cluster-wide, use a ClusterRoleBinding instead.
IAM Role
Currently, an IAM Role can only be given RBAC permissions by manually creating ClusterRole/Role and ClusterRoleBinding/RoleBinding objects in the cluster. An example:
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: custom-cluster-role
rules:
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: default
  name: custom-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: custom-cluster-role
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: Group
    name: 7e442e97bba54d9ea0d8da1fcacecd7a
```
Note: In ClusterRoleBinding/RoleBinding, subjects.kind = Group and subjects.name = IAM Role ID. Do not confuse the IAM Role with the Kubernetes Role: the IAM Role is mapped to a Group in the cluster, and the Group name equals the IAM Role ID. After RBAC permissions are bound to that Group as in the example, every user who assumes the IAM Role obtains the same RBAC permissions, so whoever IAM allows to assume the role effectively holds those permissions in the cluster; review the role's assume permissions together with its RBAC bindings.
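Before handing out an OIDC KubeConfig it is worth checking what a sub-account (User) or IAM Role (Group) can actually do, across both the sub-account and the IAM Role bindings shown above. The following is an added example, not CCE's own tooling: it resolves bindings the way the API server does, using the mapping the page describes (sub-account ID as User name, IAM Role ID as Group name), and reads the JSON shape that `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json` returns. The SAMPLE data is constructed for this example: the sub-account binding is the page's own, while the cluster-admin binding of the IAM Role is made up to show how an over-broad grant is flagged.

```python
"""Resolve the effective RBAC permissions of a CCE OIDC principal.

Added example (standard library only), not CCE's own tooling. SAMPLE mimics
the `items` list of `kubectl get clusterroles,roles,clusterrolebindings,rolebindings -A -o json`
and is constructed for this example.
"""

SAMPLE = {
    "items": [
        {"kind": "ClusterRole", "metadata": {"name": "custom-cluster-role"},
         "rules": [{"apiGroups": [""], "resources": ["pods"],
                    "verbs": ["get", "watch", "list"]}]},
        {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
         "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
                   {"nonResourceURLs": ["*"], "verbs": ["*"]}]},
        # The page's sub-account binding: a RoleBinding in `default` to a
        # ClusterRole, so the grant is limited to the `default` namespace.
        {"kind": "RoleBinding",
         "metadata": {"name": "custom-role-binding", "namespace": "default"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                     "kind": "ClusterRole", "name": "custom-cluster-role"},
         "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User",
                       "name": "294ae2c68794fb1ab58e71fbc8ef338"}]},
        # Constructed: an IAM Role (Group) bound cluster-wide to cluster-admin.
        {"kind": "ClusterRoleBinding", "metadata": {"name": "ops-role-admin"},
         "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                     "kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
                       "name": "7e442e97bba54d9ea0d8da1fcacecd7a"}]},
    ]
}


def _roles(items):
    """Index roles by (kind, namespace, name); ClusterRoles get namespace None."""
    index = {}
    for item in items:
        if item["kind"] == "ClusterRole":
            index[("ClusterRole", None, item["metadata"]["name"])] = item.get("rules", [])
        elif item["kind"] == "Role":
            ns = item["metadata"]["namespace"]
            index[("Role", ns, item["metadata"]["name"])] = item.get("rules", [])
    return index


def effective_rules(data, subject_kind, subject_name):
    """Return [(scope, binding_name, rule)] granted to the subject.

    scope is "*" for a ClusterRoleBinding, otherwise the binding's namespace:
    a RoleBinding that references a ClusterRole still grants rights only in
    its own namespace. Implicit groups (e.g. system:authenticated) are not
    modelled; only the named User/Group subject is matched.
    """
    items = data["items"]
    roles = _roles(items)
    granted = []
    for b in items:
        if b["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s.get("kind") == subject_kind and s.get("name") == subject_name
                   for s in b.get("subjects", [])):
            continue
        ref = b["roleRef"]
        binding_ns = b["metadata"].get("namespace")
        scope = "*" if b["kind"] == "ClusterRoleBinding" else binding_ns
        ref_ns = binding_ns if ref["kind"] == "Role" else None  # Roles are namespace-local
        for rule in roles.get((ref["kind"], ref_ns, ref["name"]), []):  # dangling ref grants nothing
            granted.append((scope, b["metadata"]["name"], rule))
    return granted


def _matches(rule, verb, resource, api_group):
    if "resources" not in rule:  # nonResourceURLs rules are out of scope here
        return False

    def hit(values, wanted):
        return "*" in values or wanted in values

    return (hit(rule.get("apiGroups", []), api_group)
            and hit(rule["resources"], resource)
            and hit(rule.get("verbs", []), verb))


def can_i(data, subject_kind, subject_name, verb, resource, namespace, api_group=""):
    """True if any effective rule allows `verb` on `resource` in `namespace`."""
    for scope, _binding, rule in effective_rules(data, subject_kind, subject_name):
        if scope in ("*", namespace) and _matches(rule, verb, resource, api_group):
            return True
    return False


def wildcard_grants(data, subject_kind, subject_name):
    """Names of bindings that hand the subject a '*' verb, resource or apiGroup."""
    names = []
    for _scope, binding, rule in effective_rules(data, subject_kind, subject_name):
        fields = rule.get("verbs", []) + rule.get("resources", []) + rule.get("apiGroups", [])
        if "*" in fields and binding not in names:
            names.append(binding)
    return names


if __name__ == "__main__":
    import json
    import sys
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for kind, name in (("User", "294ae2c68794fb1ab58e71fbc8ef338"),
                       ("Group", "7e442e97bba54d9ea0d8da1fcacecd7a")):
        for scope, binding, rule in effective_rules(data, kind, name):
            print(f"{kind} {name}: scope={scope} via {binding}: {rule}")
        print(f"  wildcard grants: {wildcard_grants(data, kind, name)}")
```

Run it with no argument to audit the constructed sample, or pass the path of a file saved from the `kubectl get ... -o json` command above to audit a real cluster. The live-cluster equivalent of `can_i` is impersonation with the master account's KubeConfig, e.g. `kubectl auth can-i get pods -n default --as 294ae2c68794fb1ab58e71fbc8ef338` for the sub-account and `kubectl auth can-i get pods -n default --as someone --as-group 7e442e97bba54d9ea0d8da1fcacecd7a` for the IAM Role; an IAM Role that `wildcard_grants` reports is one whose assume permissions deserve the same scrutiny as the binding itself.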