yexinru/doc-exports
1
0
Fork 0
forked from docs/doc-exports
Code Pull Requests Activity
Files
0b3a43371a4bcc99577594de0a685249d676a567
doc-exports/docs/cce/umn/cce_10_1069.html
qiujiandong1 ab1e53a279 CCE UMN 20251031 version 
Reviewed-by: Gergo-Bence Lorincz <a200452876@noreply.gitea.eco.tsi-dev.otc-service.com>
Co-authored-by: qiujiandong1 <qiujiandong1@huawei.com>
Co-committed-by: qiujiandong1 <qiujiandong1@huawei.com>
2026-01-15 10:25:22 +00:00

144 lines
12 KiB
HTML
Raw Blame History

<a name="cce_10_1069"></a><a name="cce_10_1069"></a>
<h1 class="topictitle1">Custom Agencies</h1>
<div id="body0000002447353449"><p id="cce_10_1069__p1764752216256">CCE clusters rely on various cloud services in areas like compute, storage, networking, and monitoring to function properly. To access these cloud resources, CCE clusters need authorization, which is handled through agencies. By default, CCE uses <a href="cce_10_0556.html">system agencies</a> to generate temporary access credentials. These credentials are used internally by the clusters to access cloud services. You can also configure a custom agency for your cluster. Once set, the cluster will use this custom agency to generate its temporary access credentials.</p>
<div class="note" id="cce_10_1069__note15465406261"><img src="public_sys-resources/note_3.0-en-us.png"><span class="notetitle"> </span><div class="notebody"><ul id="cce_10_1069__ul147273013263"><li id="cce_10_1069__li16727150182619">Custom agencies are supported only in clusters of v1.27 or later.</li><li id="cce_10_1069__li4727409266">Custom agencies are supported only in CCE standard clusters.</li><li id="cce_10_1069__li1727120192611">Custom agencies do not support IAM 5.0 trust agencies.</li></ul>
</div></div>
<div class="section" id="cce_10_1069__section646919120309"><h4 class="sectiontitle">Prerequisites</h4><ul id="cce_10_1069__ul55270499315"><li id="cce_10_1069__li9527194903113">You need to create a custom agency of the cloud service type on the <strong id="cce_10_1069__b152011332185214">Agencies</strong> page of the <span id="cce_10_1069__ph19386164711309">IAM console</span> and authorize it to CCE. </li><li id="cce_10_1069__li166191330193312">You need to authorize the created custom agency. CCE has preset the permissions required for cluster running as system policies. Some of them are mandatory, and the rest can be granted on demand based on what cluster functions you will use. For details, see <a href="#cce_10_1069__section1348855433317">System Policies</a>.<div class="caution" id="cce_10_1069__note209451157183415"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><p id="cce_10_1069__p1941313585346">Ensure that you have granted the required permissions to the created agency, or some functions of the cluster may be unavailable.</p>
</div></div>
</li></ul>
</div>
<div class="section" id="cce_10_1069__section183341621143416"><h4 class="sectiontitle">Configuring a Custom Agency During Cluster Creation</h4><p id="cce_10_1069__p20576142615340">A custom agency can be configured during cluster creation only using APIs. </p>
<p id="cce_10_1069__p1247242414407">Call the API for and configure a custom agency.</p>
<p id="cce_10_1069__p099354112309">The request body is as follows:</p>
<pre class="screen" id="cce_10_1069__screen78341125203918">{
"kind": "Cluster",
"apiVersion": "v3",
"metadata": {
"name": "cce-cluster",
},
"spec": {
"agencyName": <i><span class="varname" id="cce_10_1069__varname19178154283915">"custom_agency_name"</span></i>,
"category": "CCE",
. . .
}
}</pre>
<p id="cce_10_1069__p98014486396"><strong id="cce_10_1069__b68938553220">custom_agency_name</strong> is the name of the custom agency created on IAM.</p>
</div>
<div class="section" id="cce_10_1069__section19717113253416"><h4 class="sectiontitle">Configuring a Custom Agency for a Running Cluster</h4><p id="cce_10_1069__p10161438104014">Custom agencies can be configured for running clusters only using APIs. </p>
<p id="cce_10_1069__p1216103811407">Call the API for and configure a custom agency.</p>
<p id="cce_10_1069__p5718211154219">The request body is as follows:</p>
<pre class="screen" id="cce_10_1069__screen1797116386429">{
"spec": {
"agencyName": <i><span class="varname" id="cce_10_1069__varname12539114474211">"custom_agency_name"</span></i>
}
}</pre>
<p id="cce_10_1069__p671881120422"><strong id="cce_10_1069__b147511620113410">custom_agency_name</strong> is the name of the custom agency created on IAM.</p>
<div class="caution" id="cce_10_1069__note1556515525424"><span class="cautiontitle"><img src="public_sys-resources/caution_3.0-en-us.png"> </span><div class="cautionbody"><ul id="cce_10_1069__ul1817205224210"><li id="cce_10_1069__li881718520423">If you use a custom agency in a cluster, do not delete the agency or allow it to expire, as this may cause certain cluster functions to become unavailable.</li><li id="cce_10_1069__li14817125274219">After modifying the custom agency used in a cluster, allow some time for the modifications to apply.</li></ul>
</div></div>
</div>
<div class="section" id="cce_10_1069__section1348855433317"><a name="cce_10_1069__section1348855433317"></a><a name="section1348855433317"></a><h4 class="sectiontitle">System Policies</h4>
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" id="cce_10_1069__table271131914434" frame="border" border="1" rules="all"><thead align="left"><tr id="cce_10_1069__row17722019114315"><th align="left" class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.3.6.2.1.4.1.1"><p id="cce_10_1069__p1376483724315">System Policy</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.3.6.2.1.4.1.2"><p id="cce_10_1069__p16764337164315">Description</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="33.33333333333333%" id="mcps1.3.6.2.1.4.1.3"><p id="cce_10_1069__p27641037144311">Authorization Required</p>
</th>
</tr>
</thead>
<tbody><tr id="cce_10_1069__row87219193434"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p67641375432">CCEClusterManagedPolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p6764163714432">Permissions for using the basic functions of a CCE cluster</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p1976463774313">Yes</p>
</td>
</tr>
<tr id="cce_10_1069__row8729190438"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p15764337164316">CCEClusterNodePolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p4764937104310">Permissions for using the basic functions of worker nodes in a CCE cluster</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p12764123764312">Yes</p>
</td>
</tr>
<tr id="cce_10_1069__row1872141919432"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p276418372437">CCEClusterTurboNetworkingPolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p197641837114311">Permissions for using Cloud Native 2.0 networks in a CCE cluster</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p37641937164312">Required if the Cloud Native 2.0 network is used for a cluster</p>
</td>
</tr>
<tr id="cce_10_1069__row17211924317"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p1276473774314">CCEClusterVPCNetworkingPolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p9764937144319">Permissions for using VPC networks in a CCE cluster</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p13764337154313">Required if the VPC network is used for a cluster</p>
</td>
</tr>
<tr id="cce_10_1069__row621663454316"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p19764143716439">CCEClusterLoadBalancingPolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p576413377437">Permissions for using ELB capabilities in a CCE cluster</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p3764133714436">No</p>
</td>
</tr>
<tr id="cce_10_1069__row478603418439"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p176403714437">CCEClusterCSIEVSPolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p1876413376433">Permissions for using EVS volumes in a CCE cluster</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p1976423711432">No</p>
</td>
</tr>
<tr id="cce_10_1069__row6894193464318"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p1576423715439">CCEClusterCSIOBSPolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p876463711431">Permissions for using OBS volumes in a CCE cluster</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p1676473734313">No (OBS is a global service. To use OBS, grant all project service permissions.)</p>
</td>
</tr>
<tr id="cce_10_1069__row28183513431"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p4764173713439">CCEClusterCSISFSTurboPolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p97641537204310">Permissions for using SFS Turbo volumes in a CCE cluster</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p1276413377437">No</p>
</td>
</tr>
<tr id="cce_10_1069__row519063511431"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p976416371438">CCEClusterGEIPPolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p87641937204310">Permissions for binding global EIPs to load balancers in a CCE cluster</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p1476463764311">No (Global EIP is a global service. To use global EIPs, grant all project service permissions.)</p>
</td>
</tr>
<tr id="cce_10_1069__row0282135174317"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p14764173714311">CCEClusterKMSPolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p127641837184313">Permissions for mounting encrypted credentials located outside the cluster to containers</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p2764183724320">No</p>
</td>
</tr>
<tr id="cce_10_1069__row2391143544315"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p15764163734317">CCEClusterLogPolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p1976433754311">Permissions for using log collection in a CCE cluster</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p276423754317">No</p>
</td>
</tr>
<tr id="cce_10_1069__row11483335104319"><td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.1 "><p id="cce_10_1069__p4764103719434">CCEClusterNodeAutoscalingPolicy</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.2 "><p id="cce_10_1069__p1976433704310">Permissions for using node auto scaling in a CCE cluster</p>
</td>
<td class="cellrowborder" valign="top" width="33.33333333333333%" headers="mcps1.3.6.2.1.4.1.3 "><p id="cce_10_1069__p1176433712430">No</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="cce_10_0164.html">Permissions</a></div>
</div>
</div>
View Git Blame Copy Permalink