Manage the RBAC permissions of IAM users

Last updated: 2021-09-29 22:05:17

Overview

Kingsoft Cloud Container Engine (KCE) integrates the native role-based access control (RBAC) authorization policies of Kubernetes to help you manage authorization. In RBAC mode, you can manage the access permissions on Kubernetes resources of clusters in a more fine-grained manner. For example, you can grant an IAM user the read-only permission or the read/write permission on a specific namespace.

Note

Configuration instructions

  • Before you grant permissions to an IAM user, make sure that the IAM user has been granted at least the read-only permission on the specified cluster.
  • By default, an IAM user has no access to the Kubernetes resources of a cluster if the IAM user is not the creator of the cluster.
  • By default, you have administrator permissions on all clusters that belong to your Kingsoft Cloud account or that were created by you.
  • You can grant permissions to IAM users by using the preset identity provided by KCE.
  • Kingsoft Cloud account owners can grant permissions on all their clusters at a time.
  • If you use the account of an IAM user to grant RBAC permissions to other IAM users, the console displays only the cluster and namespace resources on which you can grant permissions. To grant RBAC permissions on a cluster to other IAM users, you must be the administrator of the cluster.
  • You can grant permissions to multiple IAM users at a time.

Permissions

All namespaces

| Identity | RBAC permission on cluster resources |
| --- | --- |
| Admin | Has RBAC read/write permissions on resources in all namespaces of the cluster and read/write permissions on cluster nodes, volumes, namespaces, and quotas, and can grant read/write permissions to IAM users. |
| O&M engineer | Has RBAC read/write permissions on resources displayed in the console in all namespaces of the cluster and read/write permissions on cluster nodes, volumes, namespaces, and quotas. |
| Developer | Has RBAC read/write permissions on resources displayed in the console in all namespaces of the cluster. |
| Restricted user | Has RBAC read-only permissions on resources displayed in the console in all namespaces of the cluster. |
| Custom user | Has the permissions of the attached ClusterRole role. You must specify the permissions of the ClusterRole role before you attach the role to an IAM user. This ensures that only the required permissions are granted to the IAM user. |
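
Before a ClusterRole is attached to a Custom user, its rules can be checked for grants that go beyond the required permissions. The following script is an added example, not KCE or Kubernetes project code; the role names and the set of checks are assumptions chosen for illustration, and the sample manifests are constructed.

```python
import json

# Verbs that let a subject widen its own access through Kubernetes RBAC.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
RBAC_RESOURCES = {"roles", "clusterroles", "rolebindings", "clusterrolebindings"}

def audit_cluster_role(role):
    """Return (rule_index, finding) pairs for rules broader than a scoped role needs."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        for field in ("verbs", "resources", "apiGroups"):
            if "*" in rule.get(field, []):
                findings.append((i, "wildcard " + field))
        risky = sorted(verbs & ESCALATION_VERBS)
        if risky:
            findings.append((i, "escalation verb: " + ", ".join(risky)))
        # get, list and watch on secrets all return the secret data.
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            findings.append((i, "read access to secrets"))
        if resources & RBAC_RESOURCES and verbs & WRITE_VERBS:
            findings.append((i, "write access to RBAC objects"))
    return findings

# Constructed manifests in the JSON form printed by `kubectl get clusterrole -o json`.
# Both role names are hypothetical.
SCOPED_ROLE = json.loads("""{
  "kind": "ClusterRole", "metadata": {"name": "custom-app-viewer"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "services"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "watch", "patch"]}]}""")
BROAD_ROLE = json.loads("""{
  "kind": "ClusterRole", "metadata": {"name": "custom-too-broad"},
  "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
    {"apiGroups": ["rbac.authorization.k8s.io"],
     "resources": ["clusterroles", "clusterrolebindings"],
     "verbs": ["bind", "create"]}]}""")

if __name__ == "__main__":
    for role in (SCOPED_ROLE, BROAD_ROLE):
        print(role["metadata"]["name"], audit_cluster_role(role) or "no findings")
```

A role that produces findings is not necessarily wrong, but each finding should be justified before the role is attached to an IAM user.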

Specified namespace

| Identity | RBAC permission on cluster resources |
| --- | --- |
| Developer | Has RBAC read/write permissions on resources displayed in the console in the specified namespace. |
| Restricted user | Has RBAC read-only permissions on resources displayed in the console in the specified namespace. You must select the specified namespace. |

Procedures

Manage permissions for an IAM user

You can manage the permissions of an IAM user. For example, you can add, remove, and change permissions for an IAM user.

  1. Log in to the KCE console.
  2. In the left navigation pane, click Authorization Management.
  3. Find the target IAM user and click Manage Permission in the Operation column.
  4. Click Add Permission, select a cluster and a namespace as required, and then select a predefined identity. You can also click the cross icon to remove permissions.
  5. Click OK.

Manage permissions for multiple IAM users

You can add permissions to multiple IAM users at a time without affecting their existing permissions.

  1. Log in to the KCE console.
  2. In the left navigation pane, click Authorization Management.
  3. Select the target IAM users and click Add Permission.
  4. Click Add Permission, select a cluster and a namespace as required, and then select a predefined identity. You can also click the cross icon to remove the permission.

  5. Click OK.

Grant permissions with a few clicks

You can use a Kingsoft Cloud account to grant an IAM user the permissions on all clusters with a few clicks.

  1. Log in to the KCE console.
  2. In the left navigation pane, click Authorization Management.
  3. Select the target IAM user and click Grant Permissions on All.

  4. In the dialog box that appears, select a predefined identity as required and click OK.