Granting UCS Permissions to IAM Users
Application Scenarios
UCS allows you to grant cluster permissions to IAM users and user groups under your account, so that departments or projects can be isolated by permission policy or cluster group.
Assume that you have two project teams, each involving multiple members. Figure 1 shows how their permissions are granted.
- During the development, project team A needs the Admin permission on fleets 1 and 2 and the Viewer permission on fleet 3.
- During the development, project team B needs the Admin permission on fleets 1 and 3 and the Viewer permission on fleet 2.
Solutions
To implement the preceding permission isolation, IAM system policies and UCS permission management must be used together. IAM system policies control which operations a user can perform on the UCS console, and UCS permission management controls which fleet and cluster resources those operations apply to.
As shown in Figure 2, authorization consists of the following steps:
- Step 1: Authorization on the IAM console. The IAM administrator with the Tenant Administrator permission needs to create three user groups. One is the administrator user group, and the other two are the user groups (group 1 and group 2) of the two project teams (team A and team B). UCS FullAccess is granted to the administrator user group, and UCS CommonOperations is granted to user groups 1 and 2.
- Step 2: Authorization on the UCS console. The UCS administrator with the UCS FullAccess permission creates the Admin and Viewer permission policies for user groups 1 and 2, and associates the permission policies with the fleet as follows:
The Admin permission policy of user group 1 is associated with fleets 1 and 2, and the Viewer permission policy is associated with fleet 3. The Admin permission policy of user group 2 is associated with fleets 1 and 3, and the Viewer permission policy is associated with fleet 2.
Prerequisites
- The account has subscribed to UCS, and the fleet and cluster resources shown in Figure 1 are available.
- The permission data is prepared according to Figure 2.
Table 1 Data preparation on the IAM console

| User Group | User | Permission |
| --- | --- | --- |
| Administrator user group: UCS_Group_admin | UCS_Group_admin_User1 | UCS FullAccess |
| User group 1: UCS_Group_1 | UCS_Group_1_User1, UCS_Group_1_User2, ... | UCS CommonOperations |
| User group 2: UCS_Group_2 | UCS_Group_2_User1, UCS_Group_2_User2, ... | UCS CommonOperations |
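Table 2 Data preparation on the UCS console

| User Group | User | Permission Type | Permission |
| --- | --- | --- | --- |
| User group 1 | UCS_Group_1_User1, UCS_Group_1_User2, ... | Admin | ucs-group-1-admin |
| User group 1 | UCS_Group_1_User1, UCS_Group_1_User2, ... | Viewer | ucs-group-1-readonly |
| User group 2 | UCS_Group_2_User1, UCS_Group_2_User2, ... | Admin | ucs-group-2-admin |
| User group 2 | UCS_Group_2_User1, UCS_Group_2_User2, ... | Viewer | ucs-group-2-readonly |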
Step 1: Authorizing the IAM Administrator
1. Log in to the IAM console as the IAM administrator.
2. In the navigation pane, choose User Groups. In the upper right corner, click Create User Group.
3. In the displayed dialog box, enter the administrator user group name and description, and click OK.
   Figure 3 Creating a user group
4. In the user group list, click Authorize in the row that contains the target user group.
   Figure 4 Granting permissions to the user group
5. Search for and select the permission policy UCS FullAccess.
   Figure 5 Selecting the permission policy
6. Click Next and select a scope.
   All resources is selected by default. With this scope, the IAM user can use all resources under your account, including those in enterprise projects, region-specific projects, and global services, based on the granted permissions.
7. Click OK.
8. In the navigation pane, choose Users. In the upper right corner, click Create User.
   Enter the username and initial password. For details about other parameters, see Creating an IAM User.
9. Click Next and select the user group authorized in step 4.
   Figure 6 Adding the user to the user group
10. Click Create.
11. Repeat the preceding steps to create and authorize the other user groups and users in Table 1.
Step 2: Authorizing the UCS Administrator
1. Log in to the UCS console as the UCS administrator. In the navigation pane, choose Permissions.
2. In the upper right corner, click Create Permission Policy.
3. Configure the parameters as follows:
   - Policy Name: Enter a name, starting with a lowercase letter and not ending with a hyphen (-). Only lowercase letters, digits, and hyphens (-) are allowed.
   - User: Select the user associated with the permission policy, that is, the IAM user created in step 8 of Step 1. In practice, a user group may contain multiple users. When creating a permission policy, you can select all users in the user group to grant permissions in batches.
   - Type: Select Admin, which grants read-write permissions on all cluster resource objects.
4. Click OK.
5. After the permission policy is created, go to the Fleets page and click the icon in the upper right corner of the target fleet.
   Figure 7 Associating the permission policy with the fleet
6. In the window that slides from the right, click Set Permissions. In Update Permissions, associate the permission policy created in step 3 with all namespaces of the fleet.
   Figure 8 Updating permissions
7. Click OK. The IAM user can now log in to the UCS console to use the functions allowed by the permission policy.
8. Repeat the preceding steps to create the other permission policies in Table 2 and associate them with the fleet.
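The following is an added example, not part of the original page or of any Huawei Cloud tooling: a small offline check that a planned set of policy-to-fleet associations matches the access matrix from Application Scenarios and that every policy name satisfies the Policy Name rule, so an over-privileged association is caught before it is clicked through in the console. The fleet keys (`fleet-1` to `fleet-3`) are placeholders, and the rule that the most permissive associated type wins for a group is an assumption of this example.

```python
import re

# Policy Name rule from the page: starts with a lowercase letter, does not end
# with a hyphen, and contains only lowercase letters, digits, and hyphens.
POLICY_NAME = re.compile(r"[a-z](?:[a-z0-9-]*[a-z0-9])?")
RANK = {"Viewer": 1, "Admin": 2}

# Table 2: permission policy -> (user group, permission type).
POLICIES = {
    "ucs-group-1-admin": ("UCS_Group_1", "Admin"),
    "ucs-group-1-readonly": ("UCS_Group_1", "Viewer"),
    "ucs-group-2-admin": ("UCS_Group_2", "Admin"),
    "ucs-group-2-readonly": ("UCS_Group_2", "Viewer"),
}
# Intended access from "Application Scenarios" (fleet keys are placeholders).
INTENDED = {
    "UCS_Group_1": {"fleet-1": "Admin", "fleet-2": "Admin", "fleet-3": "Viewer"},
    "UCS_Group_2": {"fleet-1": "Admin", "fleet-2": "Viewer", "fleet-3": "Admin"},
}
# Planned associations, fleet -> policies (constructed from "Solutions").
PLAN = {
    "fleet-1": ["ucs-group-1-admin", "ucs-group-2-admin"],
    "fleet-2": ["ucs-group-1-admin", "ucs-group-2-readonly"],
    "fleet-3": ["ucs-group-1-readonly", "ucs-group-2-admin"],
}

def audit(plan, policies=POLICIES, intended=INTENDED):
    """Return findings where the plan deviates from the intended matrix."""
    findings, effective = [], {}
    for fleet, names in plan.items():
        for name in names:
            if not POLICY_NAME.fullmatch(name):
                findings.append(f"invalid policy name: {name!r}")
            elif name not in policies:
                findings.append(f"{fleet}: unknown policy {name}")
            else:
                group, ptype = policies[name]
                # Assumption: the most permissive associated type wins.
                prev = effective.get((group, fleet))
                if prev is None or RANK[ptype] > RANK[prev]:
                    effective[(group, fleet)] = ptype
    for group, fleets in intended.items():
        for fleet, want in fleets.items():
            got = effective.pop((group, fleet), None)
            if got != want:
                kind = "over-privileged" if RANK.get(got, 0) > RANK[want] else "under-privileged"
                findings.append(f"{kind}: {group} on {fleet} has {got}, wants {want}")
    for (group, fleet), got in effective.items():
        findings.append(f"unintended: {group} has {got} on {fleet}")
    return findings

if __name__ == "__main__":
    print(audit(PLAN) or "plan matches the intended matrix")
```

An empty result means every group holds exactly the intended permission type on every fleet; any finding names the group, fleet, and mismatch to correct in Update Permissions.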