Sub-account Permission Management

Authorizable Container Service Actions and Corresponding Resources

Deployment API Actions

| Action | Description | Resources |
| --- | --- | --- |
| `comb:ncs:CreateDeployment` | Create a Deployment | `comb:ncs:${region}:*:Vpc/${VpcId}`, `comb:ncs:${region}:*:Subnet/${SubnetId}`, `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${* }`, `comb:ncs:${region}:*:SecurityGroup/${securityGroupId}`, `comb:ncs:${region}:*:Image/${Imagepath}` |
| `comb:ncs:ModifyDeployment` | Update a Deployment | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${DeploymentId}`, `comb:ncs:${region}:*:Image/${Imagepath}` |
| `comb:ncs:ResetDeploymentSpecType` | Change the Deployment instance specification (pay-as-you-go) | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${DeploymentId}` |
| `comb:ncs:ModifyDeploymentReplicas` | Change the number of Deployment replicas | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${DeploymentId}` |
| `comb:ncs:RedeployDeployment` | Redeploy a Deployment | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${DeploymentId}` |
| `comb:ncs:DescribeDeployments` | Query the Deployment list | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${ *}` |
| `comb:ncs:DescribeDeploymentsAllNamespaces` | Query the Deployment list across all namespaces | `comb:ncs:${region}:*:Namespace/${ *}`, `comb:ncs:${region}:*:Deployment/${ *}` |
| `comb:ncs:DescribeDeploymentInfo` | Query Deployment details | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${DeploymentId}` |
| `comb:ncs:DescribeDeploymentInstances` | Query the Deployment instance list | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${DeploymentId}` |
| `comb:ncs:DeleteDeployment` | Delete a Deployment instance | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${DeploymentId}` |
| `comb:ncs:DescribeDeploymentReplicaSets` | Query the ReplicaSet list of a Deployment | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${DeploymentId}` |

EndPoint API Actions

| Action | Description | Resources |
| --- | --- | --- |
| `comb:ncs:CreateEndpoint` | Create an EndPoint | `comb:ncs:${region}:*:Endpoint/${* }`, `comb:ncs:${region}:*:Namespace/${NamespaceId}` |
| `comb:ncs:DescribeEndpoints` | Query the endpoint list | `comb:ncs:${region}:*:Endpoint/${* }`, `comb:ncs:${region}:*:Namespace/${NamespaceId}` |
| `comb:ncs:DescribeEndpointsAllNamespaces` | Query the endpoint list across all namespaces | `comb:ncs:${region}:*:Namespace/${* }`, `comb:ncs:${region}:*:Endpoint/${*}` |
| `comb:ncs:DescribeEndpoint` | Query an endpoint | `comb:ncs:${region}:*:Endpoint/${EndpointId}`, `comb:ncs:${region}:*:Namespace/${NamespaceId}` |
| `comb:ncs:DeleteEndpoint` | Delete an endpoint | `comb:ncs:${region}:*:Endpoint/${EndpointId}`, `comb:ncs:${region}:*:Namespace/${NamespaceId}` |
| `comb:ncs:ModifyEndpoint` | Modify an endpoint | `comb:ncs:${region}:*:Endpoint/${EndpointId}`, `comb:ncs:${region}:*:Namespace/${NamespaceId}` |

Namespace API Actions

| Action | Description | Resources |
| --- | --- | --- |
| `comb:ncs:CreateNamespace` | Create a Namespace | `comb:ncs:${region}:*:Namespace/${* }` |
| `comb:ncs:DeleteNamespace` | Delete a Namespace | `comb:ncs:${region}:*:Namespace/${NamespaceId}` |
| `comb:ncs:DescribeNamespaces` | Get the Namespace list | `comb:ncs:${region}:*:Namespace/${*}` |

Service API Actions

| Action | Description | Resources |
| --- | --- | --- |
| `comb:ncs:CreateService` | Create a Service | `comb:ncs:${region}:*:Vpc/${VpcId}`, `comb:ncs:${region}:*:Subnet/${SubnetId}`, `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Service/${*}` |
| `comb:ncs:DeleteService` | Delete a Service | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Service/${ServiceId}` |
| `comb:ncs:DescribeServices` | Query the service list | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Service/${ *}` |
| `comb:ncs:DescribeServicesAllNamespaces` | Query the service list across all namespaces | `comb:ncs:${region}:*:Namespace/${ *}`, `comb:ncs:${region}:*:Service/${ *}` |
| `comb:ncs:DescribeServiceInfo` | Query service details | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Service/${ServiceId}` |
| `comb:ncs:ModifyService` | Modify a service | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Service/${ServiceId}` |
| `comb:ncs:ListPods` | Query pods by label | `comb:ncs:${region}:*:Namespace/${NamespaceId}` |

StatefulWorkload API Actions

| Action | Description | Resources |
| --- | --- | --- |
| `comb:ncs:CreateStatefulWorkload` | Create a StatefulWorkload | `comb:ncs:${region}:*:Vpc/${VpcId}`, `comb:ncs:${region}:*:Subnet/${SubnetId}`, `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:DataDisk/${DiskId}`, `comb:ncs:${region}:*:SecurityGroup/${securityGroupId}`, `comb:ncs:${region}:*:StatefulWorkload/${*}`, `comb:ncs:${region}:*:Image/${Imagepath}`, `comb:ncs:${region}:*:SshKey/${SshKeyId}` |
| `comb:ncs:RedeployStatefulWorkload` | Redeploy a stateful container | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}` |
| `comb:ncs:RestartContainer` | Restart a stateful container | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}`, `comb:ncs:${region}:*:Container/${ContainerId}` |
| `comb:ncs:RestartStatefulWorkloadInstance` | Force-restart a stateful container | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}` |
| `comb:ncs:DeleteStatefulWorkload` | Delete a StatefulWorkload | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}` |
| `comb:ncs:ResetStatefulWorkloadSpecType` | Change the stateful container instance specification (pay-as-you-go) | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}` |
| `comb:ncs:DescribeStatefulWorkloads` | [Stateful container] [Query] Workload list in a specified namespace | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${ *}` |
| `comb:ncs:DescribeStatefulWorkloadsAllNamespaces` | [Stateful container] [Query] Workload list across all namespaces | `comb:ncs:${region}:*:Namespace/${ *}`, `comb:ncs:${region}:*:StatefulWorkload/${ *}` |
| `comb:ncs:DescribeStatefulWorkloadInfo` | [Stateful container] [Query] Details | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}` |
| `comb:ncs:DescribeStatefulWorkloadInstances` | [Stateful container] [Query] Instance details | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}` |
| `comb:ncs:DescribeStatefulWorkloadImages` | [Stateful container] [Query] Container image list | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}`, `comb:ncs:${region}:*:Image/${ *}` |
| `comb:ncs:ModifyStatefulWorkload` | [Stateful container] [Update] Definition | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}`, `comb:ncs:${region}:*:Image/${Imagepath}`, `comb:ncs:${region}:*:SshKey/${SshKeyId}` |
| `comb:ncs:AssociateEipOfStatefulWorkload` | [Stateful container] [Update] Bind an elastic public IP | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}`, `comb:ncs:${region}:*:Eip/${EipId}` |
| `comb:ncs:UnAssociateEipOfStatefulWorkload` | [Stateful container] [Update] Unbind an elastic public IP | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}`, `comb:ncs:${region}:*:Eip/${EipId}` |

ScheduledTask API Actions

| Action | Description | Resources |
| --- | --- | --- |
| `comb:ncs:CreateScheduledTask` | Create a scheduled task | `comb:ncs:${region}:*:Cluster/${ClusterId}`, `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${DeploymentId}`, `comb:ncs:${region}:*:ScheduledTask/${* }` |
| `comb:ncs:ModifyScheduledTask` | Modify a scheduled task | `comb:ncs:${region}:*:Cluster/${ClusterId}`, `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${DeploymentId}`, `comb:ncs:${region}:*:ScheduledTask/${ScheduledTaskId}` |
| `comb:ncs:DescribeScheduledTasks` | Query the scheduled task list | `comb:ncs:${region}:*:Cluster/${ClusterId}`, `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:ScheduledTask/${* }` |
| `comb:ncs:DeleteScheduledTask` | Delete a scheduled task | `comb:ncs:${region}:*:ScheduledTask/${ScheduledTaskId}` |

Common API Actions

| Action | Description | Resources |
| --- | --- | --- |
| `comb:ncs:DescribeQuota` | Get quota information | N/A |
| `comb:ncs:GetRecentOpLogs` | Get recent operation logs | `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Deployment/${DeploymentId}`, `comb:ncs:${region}:*:StatefulWorkload/${StatefulWorkloadId}` |
| `comb:ncs:DescribeResourceStats` | Get user usage | `comb:ncs:${region}:*:Cluster/${ClusterId}` |
| `comb:ncs:DescribePlatformIps` | Get the list of user VPC resources occupied by the system | `comb:ncs:${region}:*:Cluster/${ClusterId}`, `comb:ncs:${region}:*:Vpc/${*}`, `comb:ncs:${region}:*:Subnet/${ *}` |
| `comb:ncs:DescribeEvents` | Get container events | `comb:ncs:${region}:*:Namespace/${NamespaceFullName}`, `comb:ncs:${region}:*:Deployment/${DeploymentName}`, `comb:ncs:${region}:*:Pod/${PodName}`, `comb:ncs:${region}:*:ReplcaSet/${ReplcaSetName}` |

Container API Actions

| Action | Description | Resources |
| --- | --- | --- |
| `comb:ncs:CreateImage` | Save a container as an image | `comb:ncs:${region}:*:Container/${ContainerId}`, `comb:ncs:${region}:*:Repository/${RepositoryName}` |
| `comb:ncs:GetDockerLogs` | Query container logs | `comb:ncs:${region}:*:Pod/${PodId}`, `comb:ncs:${region}:*:Namespace/${NamespaceId}`, `comb:ncs:${region}:*:Container/${ContainerName}` |

Policy Management

The container service management permission (NcsFullAccess) includes the following Actions:

  • comb:ncs:CreateDeployment
  • comb:ncs:ModifyDeployment
  • comb:ncs:ResetDeploymentSpecType
  • comb:ncs:ModifyDeploymentReplicas
  • comb:ncs:RedeployDeployment
  • comb:ncs:DescribeDeployments
  • comb:ncs:DescribeDeploymentsAllNamespaces
  • comb:ncs:DescribeDeploymentInfo
  • comb:ncs:DescribeDeploymentInstances
  • comb:ncs:DeleteDeployment
  • comb:ncs:DescribeDeploymentReplicaSets
  • comb:ncs:CreateEndpoint
  • comb:ncs:DescribeEndpoints
  • comb:ncs:DescribeEndpointsAllNamespaces
  • comb:ncs:DescribeEndpoint
  • comb:ncs:DeleteEndpoint
  • comb:ncs:ModifyEndpoint
  • comb:ncs:CreateNamespace
  • comb:ncs:DeleteNamespace
  • comb:ncs:DescribeNamespaces
  • comb:ncs:CreateService
  • comb:ncs:DeleteService
  • comb:ncs:DescribeServices
  • comb:ncs:DescribeServicesAllNamespaces
  • comb:ncs:DescribeServiceInfo
  • comb:ncs:ModifyService
  • comb:ncs:ListPods
  • comb:ncs:CreateStatefulWorkload
  • comb:ncs:RedeployStatefulWorkload
  • comb:ncs:RestartContainer
  • comb:ncs:RestartStatefulWorkloadInstance
  • comb:ncs:DeleteStatefulWorkload
  • comb:ncs:ResetStatefulWorkloadSpecType
  • comb:ncs:DescribeStatefulWorkloads
  • comb:ncs:DescribeStatefulWorkloadsAllNamespaces
  • comb:ncs:DescribeStatefulWorkloadInfo
  • comb:ncs:DescribeStatefulWorkloadInstances
  • comb:ncs:DescribeStatefulWorkloadImages
  • comb:ncs:ModifyStatefulWorkload
  • comb:ncs:AssociateEipOfStatefulWorkload
  • comb:ncs:UnAssociateEipOfStatefulWorkload
  • comb:ncs:CreateScheduledTask
  • comb:ncs:ModifyScheduledTask
  • comb:ncs:DescribeScheduledTasks
  • comb:ncs:DeleteScheduledTask
  • comb:ncs:DescribeQuota
  • comb:ncs:GetRecentOpLogs
  • comb:ncs:DescribeResourceStats
  • comb:ncs:DescribePlatformIps
  • comb:ncs:DescribeEvents
  • comb:ncs:CreateImage
  • comb:ncs:GetDockerLogs

The container service read-only permission (NcsReadOnlyAccess) includes the following Actions:

  • comb:ncs:DescribeDeployments
  • comb:ncs:DescribeDeploymentsAllNamespaces
  • comb:ncs:DescribeDeploymentInfo
  • comb:ncs:DescribeDeploymentInstances
  • comb:ncs:DescribeDeploymentReplicaSets
  • comb:ncs:DescribeEndpoints
  • comb:ncs:DescribeEndpointsAllNamespaces
  • comb:ncs:DescribeEndpoint
  • comb:ncs:DescribeNamespaces
  • comb:ncs:DescribeServices
  • comb:ncs:DescribeServicesAllNamespaces
  • comb:ncs:DescribeServiceInfo
  • comb:ncs:ListPods
  • comb:ncs:DescribeStatefulWorkloads
  • comb:ncs:DescribeStatefulWorkloadsAllNamespaces
  • comb:ncs:DescribeStatefulWorkloadInfo
  • comb:ncs:DescribeStatefulWorkloadInstances
  • comb:ncs:DescribeStatefulWorkloadImages
  • comb:ncs:DescribeScheduledTasks
  • comb:ncs:DescribeQuota
  • comb:ncs:GetRecentOpLogs
  • comb:ncs:DescribeResourceStats
  • comb:ncs:DescribePlatformIps
  • comb:ncs:DescribeEvents
  • comb:ncs:GetDockerLogs

To use Ingress, you must configure a load balancing Ingress policy:

  • Load balancing Ingress management permission (IngFullAccess)
  • Load balancing Ingress read-only permission (IngReadOnlyAccess)