Updated on 2022-10-14 GMT+08:00

Permissions

This chapter describes how to assign permissions to different team members in your organization to access your UCS resources. If your Huawei Cloud account does not need to create individual access credentials and permissions for other members, skip this chapter.

You can use Identity and Access Management (IAM) to create individual IAM users under your account for team members and assign them permissions to control their access to Huawei Cloud resources. They can use their IAM usernames and passwords to log in to Huawei Cloud and use resources based on assigned permissions.

IAM is the basic permission management service of Huawei Cloud and can be used free of charge. For more information about IAM, see IAM Service Overview.

IAM User Permissions

Some UCS functions depend on the permissions of other services. By default, newly created IAM users have no permissions and cannot use any service functions. Therefore, before using UCS, grant IAM users the dependent permissions listed in Table 1.

If the user group to which an IAM user belongs has not been granted any permissions, that user cannot access the UCS console. See Table 1 for the permissions to grant.

Table 1 Permissions on which the UCS function depends

| Function | Permission | Dependent Permission | Description | Type |
|---|---|---|---|---|
| Connecting a cluster | - | Available only to users in the IAM admin user group. | CCE clusters or other Kubernetes clusters can be connected on the UCS console for unified management. | - |
| Permission policies | Administrator permissions | Available only to users in the IAM admin user group. | You can create permission policies and templates. | - |
| Cluster groups | Administrator permissions | Available only to users in the IAM admin user group. | Cluster groups can be created and deleted, and permission policies can be associated with cluster groups. | - |
| Cluster groups | Operation permissions | Members of the IAM admin user group need to associate permission policies with the cluster group. | The permission policy contains the resource permissions of container clusters. After a user group is associated with a permission policy, users in the user group can read clusters in the cluster group and add or remove clusters. NOTE: Private network access to the cluster depends on VPC Endpoint, so the IAM user group must also have the VPC Endpoint Administrator permission. | UCS permission policy |
| Container cluster - CCE cluster | Administrator permissions | CCE Administrator | Read and write permissions for CCE clusters and all resources (including workloads, nodes, jobs, and Services) in the clusters. | IAM system roles |
| Container cluster - CCE cluster | Operation permissions | CCE FullAccess | Common operation permissions on CCE cluster resources, excluding the namespace-level permissions of clusters with Kubernetes RBAC enabled and privileged administrator operations such as agency configuration and cluster certificate generation. For common operation permissions, you also need to configure cluster RBAC authorization. For details, see Namespace Permissions (Kubernetes RBAC-based). | System-defined policies of IAM |
| Container cluster - CCE cluster | Read-only permission | CCE ReadOnlyAccess | Permissions to view CCE cluster resources, excluding the namespace-level permissions of clusters with Kubernetes RBAC enabled. For the read-only permission, you also need to configure RBAC authorization for the cluster. For details, see Namespace Permissions (Kubernetes RBAC-based). | System-defined policies of IAM |
| Container cluster - non-CCE cluster (for details about how to configure resource permissions, see Cluster Operation Permissions) | Administrator permissions | Admin Permission Template | Grant permissions to the user group in the UCS Policy Center; the user group must already hold some IAM permission. Has read and write permissions on all resources, including cluster permission management. | UCS permission policy |
| Container cluster - non-CCE cluster | Operation permissions | Developer Permission Template | Grant permissions to the user group in the UCS Policy Center; the user group must already hold some IAM permission. Has read and write permissions on resources except cluster permission management. | UCS permission policy |
| Container cluster - non-CCE cluster | Read-only permission | ReadOnly Permission Template | Grant permissions to the user group in the UCS Policy Center; the user group must already hold some IAM permission. Has read-only permission on all resources. | UCS permission policy |
| Image Repository | Administrator permissions | SWR Admin | SWR administrator permissions, including all SWR permissions. | IAM system roles |
| Image Repository | Administrator permissions | SWR FullAccess | Full permissions for SWR. | System-defined policies of IAM |
| Image Repository | Operation permissions | SWR OperateAccess | Common operation permissions for SWR. | System-defined policies of IAM |
| Image Repository | Read-only permission | SWR ReadOnlyAccess | Read-only permissions for SWR. | System-defined policies of IAM |
| Traffic Distribution | Administrator permissions | DNS Administrator | Has all permissions except those for the DNS service. | IAM system roles |
| Traffic Distribution | Read-only permission | Tenant Guest | Has read-only permissions on all services except IAM. | IAM system roles |

Description of cluster operation permissions

The permission management policies for CCE clusters and non-CCE clusters differ because the clusters have different providers.

  • The operation permissions of CCE clusters must be configured in IAM by members of the admin user group.
  • The permissions of non-CCE clusters are managed separately by UCS. A member of the admin user group configures them on the Policy Center page of the UCS console. For details, see Table 2.

    The cluster operation permission settings of UCS take effect only for non-CCE clusters. Operation permissions on CCE clusters are governed by IAM permissions (or cluster RBAC permissions).

Table 2 Operation Permissions on Non-CCE Cluster Resources

| Category | Resource | Permission Description |
|---|---|---|
| Cluster information | - | A Huawei Cloud account or a member of the admin user group can associate a user with its target cluster group in Policy Center. |
| Node-related APIs | - | The Huawei Cloud account or the admin user group member needs to configure the nodes operation permission for the user in Policy Center. |
| Workloads | Deployments | The Huawei Cloud account or the admin user group member needs to assign the deployments operation permission in the corresponding namespace to the user in Policy Center. |
| Workloads | StatefulSets | The Huawei Cloud account or the admin user group member needs to assign the statefulsets operation permission in the corresponding namespace to the user in Policy Center. |
| Workloads | DaemonSets | The Huawei Cloud account or the admin user group member needs to assign the daemonsets operation permission in the corresponding namespace to the user in Policy Center. |
| Workloads | Normal task | The Huawei Cloud account or the admin user group member needs to assign the jobs operation permission in the corresponding namespace to the user in Policy Center. |
| Workloads | Scheduled task | The Huawei Cloud account or the admin user group member needs to assign the cronjobs operation permission in the corresponding namespace to the user in Policy Center. |
| Workloads | Pod | The Huawei Cloud account or the admin user group member needs to assign the pods operation permission in the corresponding namespace to the user in Policy Center. |
| Networking | Service | The Huawei Cloud account or the admin user group member needs to assign the services operation permission in the corresponding namespace to the user in Policy Center. |
| Networking | Ingresses | The Huawei Cloud account or the admin user group member needs to assign the ingresses operation permission in the corresponding namespace to the user in Policy Center. |
| Container Storage | PersistentVolumeClaims (PVCs) | The Huawei Cloud account or the admin user group member needs to assign the persistentvolumeclaims operation permission in the corresponding namespace to the user in Policy Center. |
| Container Storage | Volumes | The Huawei Cloud account or the admin user group member needs to assign the persistentvolumes operation permission in the corresponding namespace to the user in Policy Center. |
| Container Storage | Storage Class | The Huawei Cloud account or the admin user group member needs to assign the storageclasses operation permission in the corresponding namespace to the user in Policy Center. |
| ConfigMaps and Secrets | Deployment template | The Huawei Cloud account or the admin user group member needs to assign the configmaps operation permission in the corresponding namespace to the user in Policy Center. |
| ConfigMaps and Secrets | Secret Key | The Huawei Cloud account or the admin user group member needs to assign the secrets operation permission in the corresponding namespace to the user in Policy Center. |
| Custom Resource Definitions | - | The Huawei Cloud account or a member of the admin user group needs to assign the customresourcedefinitions operation permission in the corresponding namespace to the user in Policy Center. |
| Namespace | - | The Huawei Cloud account or the admin user group member needs to assign the namespaces operation permission to the user in Policy Center. |
| Workload Scaling | - | The Huawei Cloud account or the admin user group member needs to assign the horizontalpodautoscalers operation permission to the user in Policy Center. |

The following operations can be configured for each resource in UCS:

  • *: all operations.
  • get: retrieves a specific resource object by name.
  • list: retrieves all resource objects of a specific type in the namespace; a selector can be used to query matching resources.
  • watch: responds to resource changes.
  • create: creates a resource.
  • update: updates a resource.
  • patch: partially updates a resource.
  • delete: deletes a resource.

The permission levels map to these operation sets:

All operations: *

Read-only: get + list + watch

Read-write: get + list + watch + create + update + patch + delete
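As an added illustration (not part of the UCS documentation or any Huawei Cloud API), the script below expresses the three operation sets above as a namespace-scoped Kubernetes Role over the namespaced resources from Table 2, which is the form the CCE rows of Table 1 say must be configured through cluster RBAC; the namespace name and the role naming are assumptions, and the API-group mapping is standard Kubernetes.

```python
"""Kubernetes RBAC Role built from the UCS operation sets (added example)."""
from typing import Dict

# Operation sets exactly as the page defines them.
ALL_OPERATIONS = ["*"]
READ_ONLY = ["get", "list", "watch"]
READ_WRITE = READ_ONLY + ["create", "update", "patch", "delete"]
LEVELS = {"all": ALL_OPERATIONS, "read-only": READ_ONLY, "read-write": READ_WRITE}

# Namespaced resources from Table 2 keyed by Kubernetes API group.
# nodes, namespaces, persistentvolumes, storageclasses and CRDs are
# cluster-scoped in Kubernetes, so a Role cannot grant them; they need a
# ClusterRole and are deliberately left out here.
NAMESPACED_RESOURCES = {
    "apps": ["deployments", "statefulsets", "daemonsets"],
    "batch": ["jobs", "cronjobs"],
    "": ["pods", "services", "persistentvolumeclaims", "configmaps", "secrets"],
    "networking.k8s.io": ["ingresses"],
    "autoscaling": ["horizontalpodautoscalers"],
}


def build_role(namespace: str, level: str) -> Dict:
    """Return a Role manifest granting `level` on every Table 2 namespaced resource.
    The role name "ucs-<level>" is an assumed naming convention."""
    verbs = LEVELS[level]
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": f"ucs-{level}", "namespace": namespace},
        "rules": [
            {"apiGroups": [group], "resources": resources, "verbs": list(verbs)}
            for group, resources in NAMESPACED_RESOURCES.items()
        ],
    }


def is_allowed(role: Dict, verb: str, resource: str) -> bool:
    """Evaluate one request the way the API server evaluates a Role: any rule
    that names the resource and lists the verb (or '*') grants it; nothing else does."""
    for rule in role["rules"]:
        if resource in rule["resources"] and ("*" in rule["verbs"] or verb in rule["verbs"]):
            return True
    return False


if __name__ == "__main__":
    import json
    read_only = build_role("dev", "read-only")  # "dev" is a constructed namespace
    print(json.dumps(read_only, indent=2))
    print(is_allowed(read_only, "list", "pods"), is_allowed(read_only, "delete", "secrets"))
```

Binding the read-only role to a group is the least-privilege default for reviewers; the read-write role should be scoped to the namespaces a team actually owns.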