Permissions
This chapter describes how to assign permissions to the members of your organization so that they can access your UCS resources. If you do not need to create separate access credentials and permissions for other members under your Huawei Cloud account, skip this chapter.
You can use Identity and Access Management (IAM) to create individual IAM users under your account for team members and assign them permissions to control their access to Huawei Cloud resources. They can use their IAM usernames and passwords to log in to Huawei Cloud and use resources based on assigned permissions.
IAM is the basic permission management service of Huawei Cloud and can be used free of charge. For more information about IAM, see IAM Service Overview.
IAM User Permissions
By default, newly created IAM users have no permissions and cannot use any service functions. In addition, several UCS functions depend on the policies of other services (CCE, SWR, DNS, and VPC Endpoint). Therefore, before using UCS, grant IAM users the dependent permissions listed in Table 1.

If the user group that an IAM user belongs to has not been granted any permissions, that user cannot access the UCS console. Grant the permissions in Table 1 first.
Function | Permission | Dependent Permission | Description | Type
---|---|---|---|---
Connecting a cluster | - | Available only to users in the IAM admin user group. | CCE clusters or other Kubernetes clusters can be connected on the UCS console for unified management. | -
Permission policies | Administrator permissions | Available only to users in the IAM admin user group. | You can create permission policies and templates. | -
Cluster groups | Administrator permissions | Available only to users in the IAM admin user group. | Cluster groups can be created and deleted, and permission policies can be associated with cluster groups. | -
Cluster groups | Operation permissions | Members of the IAM admin user group need to associate permission policies with the cluster group. | The permission policy contains the resource permissions of container clusters. After a user group is associated with a permission policy, users in the user group can read clusters in the cluster group and add or remove clusters.<br>NOTE: Private network access to the cluster depends on VPC Endpoint, so the IAM user group must also have the VPC Endpoint Administrator permission. | UCS permission policy
Container cluster - CCE cluster | Administrator permissions | CCE Administrator | Read and write permissions for CCE clusters and all resources (including workloads, nodes, jobs, and Services) in the clusters. | IAM system roles
Container cluster - CCE cluster | Operation permissions | CCE FullAccess | Common operation permissions on CCE cluster resources, excluding the namespace-level permissions for the clusters (with Kubernetes RBAC enabled) and the privileged administrator operations, such as agency configuration and cluster certificate generation. For common operation permissions, you also need to configure cluster RBAC authorization. For details, see Namespace Permissions (Kubernetes RBAC-based). | System-defined policies of IAM
Container cluster - CCE cluster | Read-only permission | CCE ReadOnlyAccess | Permissions to view CCE cluster resources, excluding the namespace-level permissions of the clusters (with Kubernetes RBAC enabled). For the read-only permission, you also need to configure RBAC authorization for the cluster. For details, see Namespace Permissions (Kubernetes RBAC-based). | System-defined policies of IAM
Container cluster - non-CCE cluster (for how to configure resource permissions, see Cluster Operation Permissions) | Administrator permissions | Admin Permission Template | Grant the permission to the user group in the UCS Policy Center; the user group must also hold at least one IAM permission (any permission). Read and write permissions on all resources, including cluster permission management. | UCS permission policy
Container cluster - non-CCE cluster | Operation permissions | Developer Permission Template | Grant the permission to the user group in the UCS Policy Center; the user group must also hold at least one IAM permission (any permission). Read and write permissions on all resources except cluster permission management. | UCS permission policy
Container cluster - non-CCE cluster | Read-only permission | ReadOnly Permission Template | Grant the permission to the user group in the UCS Policy Center; the user group must also hold at least one IAM permission (any permission). Read-only permission on all resources. | UCS permission policy
Image Repository | Administrator permissions | SWR Admin | SWR administrator permissions, including all SWR permissions. | IAM system roles
Image Repository | Administrator permissions | SWR FullAccess | Full permissions for SWR. | System-defined policies of IAM
Image Repository | Operation permissions | SWR OperateAccess | Common operation permissions for SWR. | System-defined policies of IAM
Image Repository | Read-only permission | SWR ReadOnlyAccess | Read-only permissions for SWR. | System-defined policies of IAM
Traffic Distribution | Administrator permissions | DNS Administrator | All permissions for the DNS service. | IAM system roles
Traffic Distribution | Read-only permission | Tenant Guest | Read-only permissions on all services except IAM. | IAM system roles
Description of cluster operation permissions
Permissions for CCE clusters and non-CCE clusters are managed differently because the clusters come from different providers.
- Operation permissions on CCE clusters must be configured in IAM by members of the admin user group.
- Permissions on non-CCE clusters are managed by UCS itself. A member of the admin user group configures them on the Policy Center page of the UCS console. For details, see Table 2.
The cluster operation permission settings in UCS take effect only for non-CCE clusters. Operation permissions on CCE clusters are governed by IAM permissions (and by the cluster's own Kubernetes RBAC permissions).
Category | Resource | Permission Description
---|---|---
Cluster information | - | The Huawei Cloud account or a member of the admin user group associates the user with the target cluster group in Policy Center.
Node-related APIs | nodes | The Huawei Cloud account or an admin user group member configures the nodes operation permission for the user in Policy Center.
Workloads | Deployments (deployments) | The Huawei Cloud account or an admin user group member assigns the deployments operation permission in the corresponding namespace to the user in Policy Center.
Workloads | StatefulSets (statefulsets) | The Huawei Cloud account or an admin user group member assigns the statefulsets operation permission in the corresponding namespace to the user in Policy Center.
Workloads | DaemonSets (daemonsets) | The Huawei Cloud account or an admin user group member assigns the daemonsets operation permission in the corresponding namespace to the user in Policy Center.
Workloads | Normal task (jobs) | The Huawei Cloud account or an admin user group member assigns the jobs operation permission in the corresponding namespace to the user in Policy Center.
Workloads | Scheduled task (cronjobs) | The Huawei Cloud account or an admin user group member assigns the cronjobs operation permission in the corresponding namespace to the user in Policy Center.
Workloads | Pods (pods) | The Huawei Cloud account or an admin user group member assigns the pods operation permission in the corresponding namespace to the user in Policy Center.
Networking | Services (services) | The Huawei Cloud account or an admin user group member assigns the services operation permission in the corresponding namespace to the user in Policy Center.
Networking | Ingresses (ingresses) | The Huawei Cloud account or an admin user group member assigns the ingresses operation permission in the corresponding namespace to the user in Policy Center.
Container Storage | PersistentVolumeClaims (persistentvolumeclaims) | The Huawei Cloud account or an admin user group member assigns the persistentvolumeclaims operation permission in the corresponding namespace to the user in Policy Center.
Container Storage | Volumes (persistentvolumes) | The Huawei Cloud account or an admin user group member assigns the persistentvolumes operation permission in the corresponding namespace to the user in Policy Center.
Container Storage | Storage Class (storageclasses) | The Huawei Cloud account or an admin user group member assigns the storageclasses operation permission in the corresponding namespace to the user in Policy Center.
ConfigMaps and Secrets | ConfigMaps (configmaps) | The Huawei Cloud account or an admin user group member assigns the configmaps operation permission in the corresponding namespace to the user in Policy Center.
ConfigMaps and Secrets | Secrets (secrets) | The Huawei Cloud account or an admin user group member assigns the secrets operation permission in the corresponding namespace to the user in Policy Center.
Custom Resource Definitions | customresourcedefinitions | The Huawei Cloud account or an admin user group member assigns the customresourcedefinitions operation permission in the corresponding namespace to the user in Policy Center.
Namespace | namespaces | The Huawei Cloud account or an admin user group member assigns the namespaces operation permission to the user in Policy Center.
Workload Scaling | horizontalpodautoscalers | The Huawei Cloud account or an admin user group member assigns the horizontalpodautoscalers operation permission to the user in Policy Center.

Note that in Kubernetes, nodes, namespaces, persistentvolumes, storageclasses and customresourcedefinitions are cluster-scoped resources: they do not live in a namespace, so a grant on them is not partitioned by namespace the way a grant on pods or deployments is. Treat such grants as cluster-wide when reviewing least privilege.
The following list describes the resource operation rights that can be configured on UCS:
- *: all operations.
- get: retrieves a specific resource object by name.
- list: retrieves all resource objects of a specific type in a namespace; a selector can be used to return only matching resources.
- watch: subscribes to change notifications for resources.
- create: creates a resource.
- update: replaces a resource in full.
- patch: partially updates a resource.
- delete: deletes a resource.

The permission levels are combinations of these verbs:
- All operations: *
- Read-only: get + list + watch
- Read-write: get + list + watch + create + update + patch + delete
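The verb sets above, and the per-resource, per-namespace grants in the table before them, correspond directly to Kubernetes RBAC verbs, which is also what a CCE cluster enforces once IAM has admitted the user. The following Python script is an added example and not code from the UCS documentation: it turns a grant such as "read-only on pods in namespace team-a" into Kubernetes Role/ClusterRole manifests (separating the cluster-scoped resources into a ClusterRole) and evaluates whether a given verb on a given resource would be permitted. The namespace `team-a`, the group `developers`, the grants, and the helper names are constructed for illustration.

```python
"""Added example (not from the UCS documentation): model the UCS resource
operation rights as Kubernetes RBAC and check what a grant allows.

Assumption: the UCS verb names map 1:1 onto Kubernetes RBAC verbs, which is
the case for a vanilla Kubernetes API server. Names below are made up.
"""
import json

ALL_VERBS = frozenset({"get", "list", "watch", "create", "update", "patch", "delete"})
LEVELS = {
    "*": frozenset({"*"}),                              # all operations
    "read-only": frozenset({"get", "list", "watch"}),   # get + list + watch
    "read-write": ALL_VERBS,                            # all seven verbs
}

# API groups for the resources in the table; anything not listed is in the
# core ("") group (pods, services, configmaps, secrets, nodes, ...).
API_GROUP = {
    "deployments": "apps", "statefulsets": "apps", "daemonsets": "apps",
    "jobs": "batch", "cronjobs": "batch",
    "ingresses": "networking.k8s.io",
    "horizontalpodautoscalers": "autoscaling",
    "storageclasses": "storage.k8s.io",
    "customresourcedefinitions": "apiextensions.k8s.io",
}

# Resources from the table that Kubernetes treats as cluster-scoped: they have
# no namespace, so a grant on them must be a ClusterRole, not a namespaced Role.
CLUSTER_SCOPED = frozenset({"nodes", "namespaces", "persistentvolumes",
                            "storageclasses", "customresourcedefinitions"})


def build_rules(grants):
    """grants: {resource: level}. Returns one RBAC rule per resource."""
    rules = []
    for resource, level in sorted(grants.items()):
        if level not in LEVELS:
            raise ValueError(f"unknown permission level {level!r} for {resource}")
        rules.append({
            "apiGroups": [API_GROUP.get(resource, "")],
            "resources": [resource],
            "verbs": sorted(LEVELS[level]),
        })
    return rules


def build_manifests(namespace, group, grants):
    """Split grants into a namespaced Role and a ClusterRole, each bound to `group`."""
    rbac = "rbac.authorization.k8s.io"
    subjects = [{"kind": "Group", "name": group, "apiGroup": rbac}]
    ns_grants = {r: lvl for r, lvl in grants.items() if r not in CLUSTER_SCOPED}
    cl_grants = {r: lvl for r, lvl in grants.items() if r in CLUSTER_SCOPED}
    docs = []
    if ns_grants:
        name = f"ucs-{group}-{namespace}"
        meta = {"name": name, "namespace": namespace}
        docs.append({"apiVersion": f"{rbac}/v1", "kind": "Role",
                     "metadata": meta, "rules": build_rules(ns_grants)})
        docs.append({"apiVersion": f"{rbac}/v1", "kind": "RoleBinding",
                     "metadata": meta, "subjects": subjects,
                     "roleRef": {"apiGroup": rbac, "kind": "Role", "name": name}})
    if cl_grants:
        name = f"ucs-{group}-cluster"
        meta = {"name": name}
        docs.append({"apiVersion": f"{rbac}/v1", "kind": "ClusterRole",
                     "metadata": meta, "rules": build_rules(cl_grants)})
        docs.append({"apiVersion": f"{rbac}/v1", "kind": "ClusterRoleBinding",
                     "metadata": meta, "subjects": subjects,
                     "roleRef": {"apiGroup": rbac, "kind": "ClusterRole", "name": name}})
    return docs


def allowed(rules, verb, resource):
    """RBAC is allow-only: a request is permitted if ANY rule matches both the
    resource and the verb ('*' matches everything). There is no deny rule."""
    return any(
        ("*" in rule["resources"] or resource in rule["resources"])
        and ("*" in rule["verbs"] or verb in rule["verbs"])
        for rule in rules
    )


if __name__ == "__main__":
    # Constructed grant: developers get read-write on Deployments and read-only
    # on Pods and Secrets in namespace team-a, plus read-only on PersistentVolumes.
    grants = {"deployments": "read-write", "pods": "read-only",
              "secrets": "read-only", "persistentvolumes": "read-only"}
    docs = build_manifests("team-a", "developers", grants)
    # kind: List is accepted by `kubectl apply -f` as JSON or YAML.
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": docs}, indent=2))
    for verb, res in [("delete", "deployments"), ("delete", "pods"), ("get", "configmaps")]:
        print(f"{verb} {res}: {allowed(build_rules(grants), verb, res)}")
```

The evaluator mirrors the property that matters when reviewing a grant: read-only never implies a mutating verb, update does not imply patch (and vice versa), and a resource the grant does not name is denied regardless of level, because Kubernetes RBAC only ever adds permissions.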