Shulou(Shulou.com)06/01 Report--

In this issue, the editor will bring you about the practice of CCE permission management of cloud container engine. The article is rich in content and analyzed and described from a professional point of view. I hope you can get something after reading this article.

With the rapid development of containerization, big data's original distributed task scheduling mode is being replaced by the technical architecture based on Kubernetes. CCE Cloud Container engine is a native application and tool launched by Huawei Cloud that supports the Kubernetes community. It automatically scales and automatically builds a cloud container platform. Users can deploy micro-services on the cloud quickly and efficiently through the cloud container engine.

In order to facilitate the administrator to manage the rights of CCE resources, the background provides fine-grained permission management in various dimensions. The permission management of CCE includes "cluster permissions" and "namespace permissions", which provide fine-grained authorization to user groups or users at the cluster and namespace levels, respectively. The details are as follows:

Cluster permissions: authorization based on IAM system policy, which allows user groups to have "cluster management", "node management", "node pool management", "template market" and "plug-in management" permissions.

Namespace permissions: authorization based on Kubernetes RBAC capabilities. Users or user groups can have workload, Network Management, Storage Management, and Namespace permissions.

Cluster permissions based on IAM system policy and namespace permissions based on Kubernetes RBAC capabilities are completely independent and do not affect each other, but they should be used together. At the same time, the permissions set for the user group apply to all users under the user group. When multiple permissions are added to a user or user group, multiple permissions take effect at the same time (merge).

Usually there are multiple departments or projects in a company, and each department has multiple members. Therefore, detailed design is required when configuring permissions. How should permissions be set in the organization chart shown in the following figure?

Supervisor: DAVID

Because DAVID needs to configure all permissions related to CCE (including clusters, K8s resources, etc.). So, create a user group "cce-admin" for DAVID separately, and configure the permissions for all projects: "CCE Administrator".

Warm reminder:

The administrator rights of CCE Administrator:CCE, with all the permissions of the service, do not need to be given other permissions.

The cluster management permissions of CCE FullAccess and CCE ReadOnlyAccess:CCE are only valid for cluster-related resources (such as clusters and nodes). You must ensure that "namespace permissions" are also configured before you can operate on Kubernetes resources (such as workload, Service, etc.).

Operation and maintenance team leader: JAMES

Create a user group "cce-sre" for JAMES and configure permissions for all projects: "CCE FullAccess". Since then, you have cluster management rights for all projects.

Because many engineers need read-only permission, you should create a read-only user group "read_only". Then, add all the relevant users to this user group. Finally, the "view" permissions for all clusters are given to this user group one by one in the "rights management" and "namespace permissions" interfaces of CCE.

Development team leader: ROBERT

Since members of the development team do not need to configure cluster administration permissions, but they also need read-only access to the interface, the read-only user group "read_only" CCE interface should be given read-only permission.

At the same time, it is also given the administrator rights of K8s resources.

Operation and maintenance engineer: WILLIAM

Create a user group "cce-sre-b4" for WILLIAM, and then configure "CCE FullAccess" for Beijing 4 Project.

Development engineer: LINDA, PETER

Since you have previously configured global read-only permissions for the two engineers in the user group "read-only", you only need to configure the appropriate administrative permissions here.

Minor problems:

Can I configure only namespace permissions, not cluster management permissions?

Since the interface permissions are determined by the IAM system policy, if the cluster management permission is not configured, there is no permission to open the interface.

Is it possible to use API?

The answer is also no, because API requires token authentication of IAM.

Can I use the kubectl command?

The answer is yes. But only if you download the kubectl configuration file from the interface first. Therefore, if you configure the cluster permissions first, and then download the authentication file on the interface. Then delete the cluster administration permissions (keep the namespace permissions), and you can still use kubectl to operate the K8s cluster.

The above is the practice of CCE permission management of cloud container engine shared by Xiaobian. If you happen to have similar doubts, please refer to the above analysis for understanding. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.