Example: Designing and Configuring Permissions for Users in a Department

Overview

Kubernetes is replacing the conventional distributed task scheduling mode. CCE provides Kubernetes support so that you can easily deploy, manage, and scale containerized applications in the cloud.

To help enterprise administrators manage resource permissions in clusters, CCE provides multi-dimensional, fine-grained permission policies and management measures. CCE permissions are described as follows:

  • Cluster-level permissions: allowing a user group to perform operations on clusters, nodes, node pools, charts, and add-ons. These permissions are assigned based on IAM system policies.

  • Namespace-level permissions: allowing a user or user group to perform operations on Kubernetes resources, such as workloads, networking, storage, and namespaces. These permissions are assigned based on Kubernetes RBAC.

Cluster permissions and namespace permissions are independent of each other but must be used together. The permissions set for a user group apply to all users in the user group. When multiple permissions are added to a user or user group, they take effect at the same time (the union set is used).

Permission Design

The following uses company X as an example.

Generally, a company has multiple departments or projects, and each department has multiple members. Therefore, you need to design how permissions are to be assigned to different groups and projects, and set a user name for each member to facilitate subsequent user group and permissions configuration.

The following figure shows the organizational structure of a department in a company and the permissions to be assigned to each member:

[Figure: organizational structure of the department and the permissions to be assigned to each member]

Director: David

David is a department director of company X. To assign him all CCE permissions (both cluster and namespace permissions), create the cce-admin user group on the IAM console, add David to it, and assign the CCE Administrator role to the user group.

Note

CCE Administrator: This role has all CCE permissions. You do not need to assign other permissions.

CCE FullAccess and CCE ReadOnlyAccess: These policies are related to cluster management permissions and configured only for cluster-related resources (such as clusters and nodes). You must also configure namespace permissions to perform operations on Kubernetes resources (such as workloads and Services).

O&M Leader: James

James is the O&M team leader of the department. He needs the cluster permissions for all projects and the read-only permissions for all namespaces.

To assign the permissions, create a user group named cce-sre on the IAM console and add James to this user group. Then, assign CCE FullAccess to the user group cce-sre to allow it to perform operations on clusters in all projects.

Assigning Read-only Permissions on All Clusters and Namespaces to All Team Leaders and Engineers

You can create a read-only user group named read_only on the IAM console and add users to the user group.

  • Although the development engineers Linda and Peter do not require cluster management permissions, they still need to view data on the CCE console. Therefore, the read-only cluster permission is required.

  • For the O&M engineer William, assign the read-only permission on clusters to him in this step.

  • The O&M team leader James already has the management permissions on all clusters. He is still added to the read_only user group so that the read-only permission on clusters, and the read-only permission on namespaces configured for this group later, also apply to him.

Users James, Robert, William, Linda, and Peter are added to the read_only user group.

Assign the read-only permission on clusters (the CCE ReadOnlyAccess policy) to the user group read_only.

Return to the CCE console, and add the read-only permission on namespaces to the user group read_only to which the five users belong. Choose Permissions on the CCE console, and assign the read-only policy to the user group read_only for each cluster.

After the setting is complete, James has the cluster management permissions for all projects and the read-only permission on all namespaces, and Robert, William, Linda, and Peter have the read-only permission on all clusters and namespaces.

Development Team Leader: Robert

In the previous steps, Robert has been assigned the read-only permission on all clusters and namespaces. As the development team leader, he also needs the administrator permissions on all namespaces. Therefore, assign the administrator permissions on all namespaces in all clusters to Robert.

O&M Engineer: William

In the previous steps, William has been assigned the read-only permission on all clusters and namespaces. He also requires the cluster management permissions. Therefore, log in to the IAM console, create a user group named cce-sre-b4, add William to it, and assign CCE FullAccess to the user group.

Now, William has the cluster management permissions and the read-only permission on all namespaces.

Development Engineers: Linda and Peter

In the previous steps, Linda and Peter have been assigned the read-only permission on clusters and namespaces. Therefore, you only need to assign the edit policy on all namespaces to them.

By now, all the required permissions are assigned to the department members.
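The design above, checked as data before anyone touches a console. This is an added example, not part of the original page and not CCE's own tooling: it encodes the user groups, cluster-level policies and namespace assignments from the sections above, applies the rule from the overview that multiple permissions held by a user take effect at once as a union, and prints each member's effective permissions together with the equivalent plain-Kubernetes ClusterRoleBindings for the namespace level. The ranking of the policies, the mapping of the read-only, edit and administrator namespace policies onto the Kubernetes view, edit and admin ClusterRoles, and the assumption that IAM users and groups surface as RBAC User and Group subjects are all assumptions of the example; the CCE console performs that mapping itself, and the script contacts neither IAM nor a cluster.

```python
"""Model the department's CCE permission design as data, compute each member's
effective permissions (the union of every policy held through any user group),
and emit the equivalent plain-Kubernetes RBAC bindings for the namespace level.
Nothing here talks to IAM or to a cluster."""
import json

# Cluster-level (IAM) policies named on the page, ranked weakest to strongest
# so the union of several can be reduced to the strongest one held (assumed ranks).
IAM_RANK = {"CCE ReadOnlyAccess": 1, "CCE FullAccess": 2, "CCE Administrator": 3}

# Namespace-level policies. The page calls them read-only, edit and administrator;
# mapping them onto the Kubernetes ClusterRoles view/edit/admin is an assumption.
NS_RANK = {"view": 1, "edit": 2, "admin": 3}

# IAM user groups from the page: members and the cluster-level policy of each.
IAM_GROUPS = {
    "cce-admin":  {"members": {"David"},   "policy": "CCE Administrator"},
    "cce-sre":    {"members": {"James"},   "policy": "CCE FullAccess"},
    "cce-sre-b4": {"members": {"William"}, "policy": "CCE FullAccess"},
    "read_only":  {"members": {"James", "Robert", "William", "Linda", "Peter"},
                   "policy": "CCE ReadOnlyAccess"},
}

# Namespace-level assignments applied to every cluster: (subject kind, name) -> role.
NS_ASSIGNMENTS = {
    ("Group", "read_only"): "view",
    ("User", "Robert"): "admin",
    ("User", "Linda"): "edit",
    ("User", "Peter"): "edit",
}


def groups_of(user):
    """IAM user groups the user belongs to, sorted for stable output."""
    return sorted(g for g, spec in IAM_GROUPS.items() if user in spec["members"])


def effective_permissions(user):
    """Return (cluster_policy, namespace_role) for a user, or None if unknown.

    Every policy held through any group takes effect at once, so the effective
    permission is the union, i.e. the strongest policy in each dimension.
    CCE Administrator already carries all namespace permissions.
    """
    groups = groups_of(user)
    cluster_policies = {IAM_GROUPS[g]["policy"] for g in groups}
    ns_roles = {role for (kind, name), role in NS_ASSIGNMENTS.items()
                if (kind == "User" and name == user)
                or (kind == "Group" and name in groups)}
    if not cluster_policies and not ns_roles:
        return None
    cluster = max(cluster_policies, key=IAM_RANK.get, default=None)
    if cluster == "CCE Administrator":
        return cluster, "admin"
    return cluster, max(ns_roles, key=NS_RANK.get, default=None)


def access_matrix(users=("David", "James", "Robert", "William", "Linda", "Peter")):
    """Effective permissions per member: the table to review before applying."""
    return {u: effective_permissions(u) for u in users}


def namespace_rbac_manifests():
    """Equivalent plain-Kubernetes ClusterRoleBindings for the namespace level.

    Binding a built-in ClusterRole through a ClusterRoleBinding grants that role
    in every namespace of the cluster, which is what the page assigns.
    """
    manifests = []
    for (kind, name), role in NS_ASSIGNMENTS.items():
        manifests.append({
            "apiVersion": "rbac.authorization.k8s.io/v1",
            "kind": "ClusterRoleBinding",
            "metadata": {"name": f"{role}-{kind.lower()}-{name.replace('_', '-')}"},
            "subjects": [{"kind": kind, "name": name,
                          "apiGroup": "rbac.authorization.k8s.io"}],
            "roleRef": {"kind": "ClusterRole", "name": role,
                        "apiGroup": "rbac.authorization.k8s.io"},
        })
    return manifests


if __name__ == "__main__":
    for member, perms in access_matrix().items():
        print(f"{member:8s} groups={groups_of(member)} effective={perms}")
    print(json.dumps(namespace_rbac_manifests(), indent=2))
```

Running the script prints one line per member; compare it against the figure before creating any group. A mismatch (for example a member who ends up with a stronger namespace role than intended because a group they belong to carries it) shows up here rather than after the bindings are live, and the same table is a convenient record for a later access review.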