Container Engine (KCE)

      Documentation Container Engine (KCE) User Guide RBAC management Manage the RBAC permissions of IAM users

      Manage the RBAC permissions of IAM users

      Last updated:2021-09-29 22:05:17

      Overview

      Kingsoft Cloud Container Engine (KCE) integrates the native role-based access control (RBAC) authorization policies of Kubernetes to help you manage authorization. In RBAC mode, you can manage the access permissions on Kubernetes resources of clusters in a more fine-grained manner. For example, you can grant an IAM user the read-only permission or the read/write permission on a specific namespace.

      Note

      Configuration instructions

      • Before you grant permissions to an IAM user, make sure that the IAM user has been granted at least the read-only permission on the specified cluster.
      • By default, an IAM user has no access to the Kubernetes resources of a cluster if the IAM user is not the creator of the cluster.
      • By default, you have the administrator permissions on all clusters that belong to your Kingsoft Cloud account or created by you.
      • You can grant permissions to IAM users by using the preset identity provided by KCE.
      • Kingsoft Cloud account owners can grant permissions on all their clusters at a time.
      • If you use the account of an IAM user to grant RBAC permissions to other IAM users, the console displays only the cluster and namespace resources on which you can grant permissions. To grant RBAC permissions on a cluster to other IAM users, you must be the administrator of the cluster.
      • You can grant permissions to multiple IAM users at a time.

      Permissions

      All namespaces

      Identity RBAC permission on cluster resources
      Admin Has RBAC read/write permissions on resources in all namespaces of the cluster and read/write permissions on cluster nodes, volumes, namespaces, and quotas, and can grant read/write permissions to IAM users.
      O&M engineer Has RBAC read/write permissions on resources displayed in the console in all namespaces of the cluster and read/write permissions on cluster nodes, volumes, namespaces, and quotas.
      Developer Has RBAC read/write permissions on resources displayed in the console in all namespaces of the cluster.
      Restricted user Has RBAC read-only permissions on resources displayed in the console in all namespaces of the cluster.
      Custom user Has the permissions of the attached ClusterRole role. You must specify the permissions of the ClusterRole role before you attach the role to an IAM user. This ensures that only the required permissions are granted to the IAM user.

      Specified namespace

      Identity RBAC permission on cluster resources
      Developer Has RBAC read/write permissions on resources displayed in the console in the specified namespace.
      Restricted user Has RBAC read-only permissions on resources displayed in the console in the specified namespace. You must select the specified namespace.

      Procedures

      Manage permissions for an IAM user

      You can manage the permissions of an IAM user. For example, you can add, remove, and change permissions for an IAM user.

      1. Log in to the KCE console.
      2. In the left navigation pane, click Authorization Management.
      3. Find the target IAM user and click Manage Permission in the Operation column.
        image.png
      4. Click Add Permission, select a cluster and a namespace as required, and then select a predefined identity. You can also click the cross icon to remove permissions.
        image.png
      5. Click OK.

      Manage permissions for multiple IAM users

      You can add permissions to multiple IAM users at a time without affecting their existing permissions.

      1. Log in to the KCE console.

      2. In the left navigation pane, click Authorization Management.

      3. Select the target IAM users and click Add Permission.
        image.png

      4. Click Add Permission, select a cluster and a namespace as required, and then select a predefined identity. You can also click the cross icon to remove the permission.
        image.png

      5. Click OK.

      Grant permissions with a few clicks

      You can use a Kingsoft Cloud account to grant an IAM user the permissions on all clusters with a few clicks.

      1. Log in to the KCE console.

      2. In the left navigation pane, click Authorization Management.

      3. Select the target IAM user and click Grant Permissions on All.
        image.png

      4. In the dialog box that appears, select a predefined identity as required and click OK.
        image.png

      Previous:KCE monitoring
      Next:Upgrade to the RBAC mode

      Did you find the above information helpful?

      Unhelpful
      Mostly Unhelpful
      A little helpful
      Helpful
      Very helpful

      What might be the problems?

      Insufficient
      Outdated
      Unclear or awkward
      Redundant or clumsy
      Lack of context for the complex system or functionality

      More suggestions

      0/200

      Please give us your feedback.

      Submitted

      Thank you for your feedback.

      问题反馈