[Huawei Cloud Technology Sharing] Cloud Container Engine CCE Rights Management Practice
Posted May 27, 2020 • 4 min read
With the rapid development of containerization, the original distributed task-scheduling model of big data is being replaced by architectures built on Kubernetes. Cloud Container Engine (CCE) is a Kubernetes-native application platform and toolset launched by Huawei Cloud; it scales automatically at the application level and builds the container platform on the cloud automatically, so users can deploy microservices in the cloud quickly and efficiently.
To make it easier for administrators to manage permissions on CCE resources, the backend provides fine-grained permission management in multiple dimensions. CCE's permission management consists of "cluster permissions" and "namespace permissions", which grant fine-grained authorization to users or user groups at the cluster level and the namespace level respectively, as explained below:
Cluster permissions: authorization based on IAM system policies, which lets user groups hold the "cluster management", "node management", "node pool management", "template market" and "plug-in management" permissions.
Namespace permissions: authorization based on Kubernetes RBAC. Users or user groups can hold the "workload", "network management", "storage management" and "namespace" permissions.
Cluster permissions (IAM system policies) and namespace permissions (Kubernetes RBAC) are completely independent and do not affect each other, but they must be used together. Permissions set on a user group apply to every user in that group. When several permissions are granted to a user or user group, all of them take effect at the same time: the effective permission is the union.
A company usually has several departments or projects, each with several members, so permissions need careful design. Taking the organizational chart below as an example, how should permissions be set?
DAVID needs every permission related to CCE (clusters, Kubernetes resources, and so on), so create a separate user group "cce-admin" for DAVID and grant it the "CCE Administrator" permission for all projects.
CCE Administrator: CCE administrator permission, which carries all permissions of the service; no other permission needs to be granted.
CCE FullAccess, CCE ReadOnlyAccess: CCE cluster management permissions, which apply only to cluster-related resources (clusters, nodes, etc.).
Operation and maintenance team leader: JAMES
Create a user group "cce-sre" for JAMES and grant it "CCE FullAccess" for all projects. JAMES then has cluster management permissions for all projects.
Since many engineers need read-only permissions, create a read-only user group "read_only" and add the relevant users to it. Then, in the "Permissions Management" and "Namespace Permissions" pages of the CCE console, grant this user group the "view" permission for each cluster in turn.
Development team leader: ROBERT
Members of the development group do not need cluster management permissions, but they do need read-only access to the console, so they are placed in the read-only user group "read_only", which holds the read-only permission on the CCE console.
In addition, ROBERT is granted administrator permissions on his Kubernetes resources.
Create a user group "cce-sre-b4" for WILLIAM and grant it "CCE FullAccess" for the Beijing 4 project.
Development engineers: LINDA, PETER
Global read-only permissions have already been configured for these two engineers through the user group "read_only", so only the corresponding management permissions need to be configured here.
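As an added example that is not part of the original post, the namespace-level half of the design above expressed as plain Kubernetes RBAC objects: cluster-wide "view" for the read-only group, and "admin" for the development team leader inside one namespace. It assumes that CCE presents the IAM user group and user as Kubernetes subjects named "read_only" and "robert" and that the team's namespace is "dev-team"; all three names are assumptions, so check the subjects and bindings CCE actually generates in your cluster. Because RBAC is purely additive, a user who matches both bindings gets the union, exactly as the text describes.

```yaml
# Cluster-wide read-only access for every member of the read_only group.
# Binds the built-in ClusterRole "view" (no secrets, no writes).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-only-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: read_only          # assumed group subject name
---
# Namespace-scoped administration for the development team leader.
# A RoleBinding to the built-in ClusterRole "admin" confines the grant
# to the dev-team namespace; it confers nothing cluster-wide.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-team-admin
  namespace: dev-team      # assumed namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: admin
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: robert             # assumed user subject name
# Verify the effective (union) permission with impersonation, e.g.:
#   kubectl auth can-i delete pods -n dev-team --as=robert --as-group=read_only   # yes
#   kubectl auth can-i delete pods -n kube-system --as=robert --as-group=read_only   # no
```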
Is it possible to configure only namespace permissions and not cluster management permissions?
Console permissions are determined by the IAM system policy, so if cluster management permissions are not configured, the user has no permission to open the CCE console.
Can the API be used?
No, because the API requires IAM token authentication.
Can the kubectl command be used?
Yes, provided the kubectl configuration file has been downloaded from the console first. That is, if cluster permissions are configured first and the authentication file is then downloaded from the console, the cluster management permission can afterwards be deleted (keeping the namespace permission) and kubectl can still be used to operate the Kubernetes cluster.