Configure Sub-user RBAC Privileges
This document describes how to configure RBAC privileges for sub-users in order to control their access to the namespaces of a CCE cluster.
Notice
The CCE cluster service has completed its upgrade to the RBAC-based cluster authorization system.
- Sub-users who have not been granted RBAC privileges cannot access cluster resources. Contact the primary account holder promptly to complete RBAC authorization and avoid disruption to production.
- A sub-user holds only the cluster access rights that have been explicitly granted; the previous default access rights are revoked.
Authorization Instructions
- First, create a cloud platform primary user account and one or more sub-user accounts.
- Only the primary user (or a sub-user with administrator rights) can authorize a sub-user.
- RBAC authorization can only be performed for a sub-user who has been granted at least the CCE read-only privilege in IAM. For details, see Identity and Access Management.
Privilege Description
CCE has three built-in RBAC privilege levels:
| Privilege | Description |
|---|---|
| Administrators | All operation privileges on the cluster. |
| Operation and maintenance | Read-write privilege on resources in the granted namespace; read-only privilege on nodes, namespaces, storage volumes and storage classes. |
| Read only | Read-only access to resources in the granted namespace. |
Nodes, namespaces, storage volumes and storage classes are cluster-wide objects rather than namespace objects, which is why the operation and maintenance level can view them but not change them: a sub-user at that level cannot affect workloads outside the namespaces it has been granted.
Operation Steps
1. Log in to the cloud platform management console, go to "Product Service > Cloud Container Engine (CCE)", and click "Cluster Management > Authority Management" in the left navigation bar to open the authority management page.
2. Select the sub-user to be authorized in the sub-user list and click RBAC authorization to open the RBAC authorization page.
3. Click Add authorization at the top left of the RBAC authorization list. In the configuration box that appears, select the privilege level to grant and the corresponding cluster and namespace.
4. If the sub-user has not been granted at least the CCE read-only privilege in IAM, the authorization fails.
5. After the authorization has been added successfully, it appears in the authorization list.
Verification Privilege
As an example, grant the sub-user the operation and maintenance privilege on the default namespace and verify it as follows:
1. Configure the sub-user's privilege as described above.
2. Log in as the sub-user.
3. View the namespace list: only the default namespace is shown.
4. Try to create a namespace: the console responds with "You do not have access privilege to the current operation, please go to RBAC for authorization".
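The script below is an added example, not CCE's own role definitions or verification tooling. It expresses the three privilege levels from the table above as standard Kubernetes RBAC objects and then repeats the verification steps above by asking the API server directly with `kubectl auth can-i`. Everything beyond what the page states is an assumption: that the CCE cluster exposes standard Kubernetes RBAC, that the sub-user corresponds to a Kubernetes User named by `SUBUSER` (the name `sub-user-01` is hypothetical), and that the caller's kubeconfig may impersonate that user with `--as`. The object names `cce-admin-*`, `cce-ops-*`, `cce-readonly-*` and `cce-ops-cluster-view` are likewise made up for the example.

```shell
#!/bin/sh
# Added example (not CCE's own role definitions): express the three privilege
# levels from the table as standard Kubernetes RBAC objects and verify the
# "operation and maintenance" level with the API server's own answer.
# Assumptions not taken from the page: the CCE cluster exposes standard
# Kubernetes RBAC; the sub-user maps to a Kubernetes User named $SUBUSER;
# the caller's kubeconfig is allowed to impersonate that user (--as).
SUBUSER="${SUBUSER:-sub-user-01}"    # hypothetical sub-user name
NAMESPACE="${NAMESPACE:-default}"

# Bind $user to ClusterRole $role: a namespaced RoleBinding when $ns is given,
# otherwise a cluster-wide ClusterRoleBinding.
bind() {
  name="$1" role="$2" user="$3" ns="${4:-}"
  kind=ClusterRoleBinding; meta="  name: $name"
  if [ -n "$ns" ]; then kind=RoleBinding; meta="$meta
  namespace: $ns"; fi
  cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: $kind
metadata:
$meta
subjects:
- kind: User
  name: $user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: $role
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Nodes, namespaces, persistent volumes and storage classes are cluster-scoped,
# so a namespaced RoleBinding cannot grant them at all; the ops level needs a
# separate read-only ClusterRole bound cluster-wide.
cluster_view_role() {
  cat <<'EOF'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cce-ops-cluster-view
rules:
- apiGroups: [""]
  resources: ["nodes", "namespaces", "persistentvolumes"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["storage.k8s.io"]
  resources: ["storageclasses"]
  verbs: ["get", "list", "watch"]
EOF
}

# manifest LEVEL USER NAMESPACE   (LEVEL: admin | ops | readonly)
manifest() {
  case "$1" in
    admin)    bind "cce-admin-$2" cluster-admin "$2" ;;
    # Built-in "edit", not "admin": "admin" would also let the sub-user create
    # RoleBindings in the namespace and widen its own access. Note that "edit"
    # can still read every Secret in the namespace.
    ops)      bind "cce-ops-$2" edit "$2" "$3"
              cluster_view_role
              bind "cce-ops-cluster-view-$2" cce-ops-cluster-view "$2" ;;
    readonly) bind "cce-readonly-$2" view "$2" "$3" ;;
    *)        echo "unknown level: $1" >&2; return 1 ;;
  esac
}

# Mirror the page's verification by asking the API server. Each check is
# "verb resource scope expected". If impersonation is not permitted, run the
# same checks with the sub-user's own kubeconfig and drop --as.
verify() {
  user="$1" ns="$2" fail=0
  for check in \
    "create pods --namespace=$ns yes" \
    "get secrets --namespace=$ns yes" \
    "create rolebindings --namespace=$ns no" \
    "list namespaces --all-namespaces yes" \
    "create namespaces --all-namespaces no" \
    "delete nodes --all-namespaces no"
  do
    set -- $check
    got=$(kubectl auth can-i "$1" "$2" "$3" --as="$user" 2>/dev/null || true)
    printf '%-7s %-13s %-22s expect=%-3s got=%s\n' "$1" "$2" "$3" "$4" "$got"
    case "$got" in "$4"*) ;; *) fail=1 ;; esac
  done
  return $fail
}

case "${1:-}" in
  manifest) manifest "$2" "$SUBUSER" "$NAMESPACE" ;;                    # print YAML only
  apply)    manifest "$2" "$SUBUSER" "$NAMESPACE" | kubectl apply -f - ;;
  verify)   verify "$SUBUSER" "$NAMESPACE" ;;
esac
```

Usage: `sh cce-rbac.sh manifest ops` prints the objects for review, `sh cce-rbac.sh apply ops` creates them, and `sh cce-rbac.sh verify` prints one line per check and exits non-zero if any answer differs from the expected one. The "create namespaces" check is the API-level equivalent of step 4 above, and "create rolebindings ... no" confirms that the operation and maintenance level cannot grant itself or others additional access, which is the reason the example binds the built-in `edit` role rather than `admin`.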