Permissions
If you need to assign different permissions to employees in your enterprise to access your UCS resources, IAM is a good choice for fine-grained permission management. IAM provides identity authentication, permission management, and access control, helping you secure access to your resources.
With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use UCS cluster resources but should not perform high-risk operations such as unregistering clusters. In this case, you can create IAM users for the software developers and grant them only the permissions for using UCS cluster resources.
UCS Permission Types
UCS provides refined permission management based on the role access control (RBAC) capability of IAM and Kubernetes. Permission control can be implemented by UCS service resource and Kubernetes resource in a cluster. The two permission types apply to different resource types and are granted using different methods.
- UCS resource permissions are granted based on the system policies of IAM. UCS resources include container fleets, clusters, and federation instances. Administrators can grant different permissions to different user roles (such as development and O&M) to control their use of UCS resources.
- Kubernetes resource permissions in a cluster are granted based on the Kubernetes RBAC capability. Refined permissions can be granted to Kubernetes resource objects in a cluster. With permission setting, the permissions for performing operations on different Kubernetes resource objects (such as workloads, jobs, and services) will vary with users.
If your team mainly uses UCS resources, IAM system policies can meet your requirements. If you need refined permissions on Kubernetes resource objects in the cluster, use IAM system policies together with Kubernetes RBAC.
UCS Resource Permissions
New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services.
UCS is a global service deployed in all physical regions. You can grant UCS permissions to users in the global service project. In this way, users do not need to switch regions when they access UCS.
You can grant users permissions by using roles and policies.
- Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. IAM provides a limited number of roles for permission management. When you grant permissions using roles, you also need to attach any existing role dependencies. However, roles are not an ideal choice for fine-grained authorization and secure access control.
- Policies: A fine-grained authorization tool that defines permissions for performing operations on specific cloud resources under certain conditions. This type of authorization is more flexible. It is ideal for keeping permissions minimized. For example, you can grant IAM users only the permissions for managing a certain type of fleets and clusters.
Table 1 describes all system permissions of UCS.
System Role/Policy Name |
Description |
Type |
---|---|---|
UCS FullAccess |
UCS administrator with full permissions, including creating permissions policies and security policies |
System policy |
UCS CommonOperations |
Common UCS user with permissions for creating workloads, distributing traffic, and other operations |
System policy |
UCS CIAOperations |
UCS Container Intelligent Analysis (CIA) administrator with full permissions |
System policy |
UCS ReadOnlyAccess |
Read-only permissions on UCS (except for CIA) |
System policy |
Services on Huawei Cloud are interdependent, and UCS depends on other cloud services to implement some functions, such as image repository and domain name resolution. Therefore, the preceding four system policies are often used together with roles or policies of other cloud services for refined permission granting. When granting permissions to IAM users, the administrator must comply with the principle of least privilege. Table 2 lists the minimum permissions required by the administrator, operation, and read-only permissions of each UCS function.
Description |
Permission Type |
Permission |
Minimum Permission |
---|---|---|---|
Fleet |
Admin |
|
UCS FullAccess |
Viewer |
Querying clusters and fleets or their details |
UCS ReadOnlyAccess |
|
Huawei Cloud clusters |
Admin |
Read-write permissions on Huawei Cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services) |
UCS FullAccess + CCE Administrator |
Operation |
Read-write permissions on Huawei Cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas |
UCS CommonOperations + CCE Administrator |
|
Viewer |
Read-only permissions on Huawei Cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services) |
UCS ReadOnlyAccess + CCE Administrator |
|
On-premises/Attached/Multi-cloud clusters |
Admin |
Read-write permissions on on-premises/attached/multi-cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services) |
UCS FullAccess |
Operation |
Read-write permissions on on-premises/attached/multi-cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas |
UCS CommonOperations + UCS RBAC (The list permission for namespaces is required.) |
|
Viewer |
Read-only permissions on on-premises/attached/multi-cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services) |
UCS ReadOnlyAccess + UCS RBAC (The list permission for namespaces is required.) |
|
Image repository |
Admin |
All permissions on SoftWare Repository for Container (SWR), including creating organizations, uploading images, viewing images or details, and downloading images |
SWR Administrator |
Permissions |
Admin |
NOTE:
When creating a permission policy, you need to grant the IAM ReadOnlyAccess permission (read-only permissions on IAM) to IAM users to obtain the IAM user list. |
UCS FullAccess + IAM ReadOnlyAccess |
Viewer |
Viewing permissions or details |
UCS ReadOnlyAccess + IAM ReadOnlyAccess |
|
Policy Center |
Admin |
|
UCS FullAccess |
Viewer |
For fleets and clusters with Policy Center enabled, users with this permission can view policies and policy implementation details. |
UCS CommonOperations or UCS ReadOnlyAccess |
|
Traffic distribution |
Admin |
Operations such as creating a traffic policy, suspending and deleting a scheduling policy |
(Recommended) UCS CommonOperations + DNS Administrator or UCS FullAccess + DNS Administrator |
Viewer |
Viewing traffic policies or details |
UCS ReadOnlyAccess + DNS Administrator |
|
CIA |
Admin |
|
UCS CIAOperations |
Kubernetes Resource Permissions in a Cluster
Kubernetes resource permissions in a cluster are granted according to Kubernetes RBAC. The administrator can grant users refined permissions on specific Kubernetes resource objects in the cluster. These resources are cluster-level and namespace-level. Refined operation permissions include get, list, watch, create, update, patch, and delete. The permissions take effect on the namespaces of a fleet or on clusters that are not added to the fleet. The operation permissions are described as follows:
- get: Retrieves a specific resource object by name.
- list: Retrieves all resource objects of a specific type in the namespace.
- watch: Responds to resource changes.
- create: Creates a resource.
- update: Updates a resource.
- patch: Updates resources partially.
- delete: Deletes a resource.
For details about cluster-level and namespace-level resources, see Kubernetes Resource Objects.
For example, after permission policies are configured according to the scheme shown in Figure 1, user A can perform get, list, and watch (read-only) operations only on Deployments, pods, and Services in namespace A of the fleet, and user B can perform all operations on all resources in namespace B of the fleet.
Three common permission types are available on the UCS console: admin, developer, and read-only. You can grant these permission types to users. If these permission types cannot meet your requirements, you can customize permissions by specifying the operation type and resource object.
Permission Type |
Description |
---|---|
Admin |
Read-write permissions on all Kubernetes resource objects |
Developer |
Read-write permissions on most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas |
Viewer |
Read-only permissions on all Kubernetes resource objects |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot