Updated on 2024-02-02 GMT+08:00

Permissions

If you need to assign different permissions to employees in your enterprise to access your UCS resources, IAM is a good choice for fine-grained permission management. IAM provides identity authentication, permission management, and access control, helping you secure access to your resources.

With IAM, you can use your account to create IAM users, and assign permissions to the users to control their access to specific resources. For example, some software developers in your enterprise need to use UCS cluster resources but should not perform high-risk operations such as unregistering clusters. In this case, you can create IAM users for the software developers and grant them only the permissions for using UCS cluster resources.

UCS Permission Types

UCS provides refined permission management based on the role access control (RBAC) capability of IAM and Kubernetes. Permission control can be implemented by UCS service resource and Kubernetes resource in a cluster. The two permission types apply to different resource types and are granted using different methods.

  • UCS resource permissions are granted based on the system policies of IAM. UCS resources include container fleets, clusters, and federation instances. Administrators can grant different permissions to different user roles (such as development and O&M) to control their use of UCS resources.
  • Kubernetes resource permissions in a cluster are granted based on the Kubernetes RBAC capability. Refined permissions can be granted to Kubernetes resource objects in a cluster. With permission setting, the permissions for performing operations on different Kubernetes resource objects (such as workloads, jobs, and services) will vary with users.

If your team mainly uses UCS resources, IAM system policies can meet your requirements. If you need refined permissions on Kubernetes resource objects in the cluster, use IAM system policies together with Kubernetes RBAC.

UCS Resource Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services.

UCS is a global service deployed in all physical regions. You can grant UCS permissions to users in the global service project. In this way, users do not need to switch regions when they access UCS.

You can grant users permissions by using roles and policies.

  • Roles: A type of coarse-grained authorization mechanism that defines permissions related to user responsibilities. IAM provides a limited number of roles for permission management. When using roles to grant permissions, you also need to assign other roles on which the permissions depend to take effect. However, roles are not an ideal choice for fine-grained authorization and secure access control.
  • Policies: A fine-grained authorization tool that defines permissions for performing operations on specific cloud resources under certain conditions. This type of authorization is more flexible. It is ideal for keeping permissions minimized. For example, you can grant IAM users only the permissions for managing a certain type of fleets and clusters.

Table 1 describes all system permissions of UCS.

Table 1 UCS system permissions

System Role/Policy Name

Description

Type

UCS FullAccess

UCS administrator with full permissions, including creating permissions policies and security policies

System policy

UCS CommonOperations

Common UCS user with permissions for creating workloads, distributing traffic, and other operations

System policy

UCS CIAOperations

UCS Container Intelligent Analysis administrator with full permissions

System policy

UCS ReadOnlyAccess

Read-only permissions on UCS (except for Container Intelligent Analysis)

System policy

Services on Huawei Cloud are interdependent, and UCS depends on other cloud services to implement some functions, such as image repository and domain name resolution. Therefore, the preceding four system policies are often used together with roles or policies of other cloud services for refined permission granting. When granting permissions to IAM users, the administrator must comply with the principle of least privilege. Table 2 lists the minimum permissions required by the administrator, operation, and read-only permissions of each UCS function.

Table 2 Minimum permissions required by UCS

Description

Permission Type

Permission

Minimum Permission

Fleet

Admin

  • Creating and deleting a fleet
  • Registering a Huawei Cloud cluster (CCE cluster and CCE Turbo cluster), on-premises cluster, or attached cluster
  • Unregistering a cluster
  • Adding a cluster to or removing a cluster from a fleet
  • Associating permission policies with a cluster or fleet
  • Enabling cluster federation and performing federation management operations (such as creating a federated workload and creating domain name access)

UCS FullAccess

Viewer

Querying clusters and fleets or their details

UCS ReadOnlyAccess

Huawei Cloud clusters

Admin

Read-write permissions on Huawei Cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services)

UCS FullAccess + CCE Administrator

Operation

Read-write permissions on Huawei Cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas

UCS CommonOperations + CCE Administrator

Viewer

Read-only permissions on Huawei Cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services)

UCS ReadOnlyAccess + CCE Administrator

On-premises/Attached/Multi-cloud clusters

Admin

Read-write permissions on on-premises/attached/multi-cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services)

UCS FullAccess

Operation

Read-write permissions on on-premises/attached/multi-cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas

UCS CommonOperations + UCS RBAC (The list permission for namespaces is required.)

Viewer

Read-only permissions on on-premises/attached/multi-cloud clusters and all Kubernetes resource objects (including nodes, workloads, jobs, and services)

UCS ReadOnlyAccess + UCS RBAC (The list permission for namespaces is required.)

Image repository

Admin

All permissions on SoftWare Repository for Container (SWR), including creating organizations, uploading images, viewing images or details, and downloading images

SWR Administrator

Permissions

Admin

  • Creating and deleting a permission policy
  • Viewing permissions or details
NOTE:

When creating a permission policy, you need to grant the IAM ReadOnlyAccess permission (read-only permissions on IAM) to IAM users to obtain the IAM user list.

UCS FullAccess + IAM ReadOnlyAccess

Viewer

Viewing permissions or details

UCS ReadOnlyAccess + IAM ReadOnlyAccess

Policy Center

Admin

  • Enabling the Policy Center
  • Creating and disabling a policy
  • Querying policies
  • Viewing policy implementation details

UCS FullAccess

Viewer

For fleets and clusters with Policy Center enabled, users with this permission can view policies and policy implementation details.

UCS CommonOperations or UCS ReadOnlyAccess

Traffic distribution

Admin

Operations such as creating a traffic policy, suspending and deleting a scheduling policy

(Recommended) UCS CommonOperations + DNS Administrator

or

UCS FullAccess + DNS Administrator

Viewer

Viewing traffic policies or details

UCS ReadOnlyAccess + DNS Administrator

Container Intelligent Analysis

Admin

  • Connecting clusters to a fleet or canceling cluster connection
  • Viewing monitoring data in multiple aspects, such as infrastructure and application workload

UCS CIAOperations

Kubernetes Resource Permissions in a Cluster

Kubernetes resource permissions in a cluster are granted according to Kubernetes RBAC. The administrator can grant users refined permissions on specific Kubernetes resource objects in the cluster. These resources are cluster-level and namespace-level. Refined operation permissions include get, list, watch, create, update, patch, and delete. The permissions take effect on the namespaces of a fleet or on clusters that are not added to the fleet. The operation permissions are described as follows:

  • get: Retrieves a specific resource object by name.
  • list: Retrieves all resource objects of a specific type in the namespace.
  • watch: Responds to resource changes.
  • create: Creates a resource.
  • update: Updates a resource.
  • patch: Updates resources partially.
  • delete: Deletes a resource.

For details about cluster-level and namespace-level resources, see Kubernetes Resource Objects.

For example, after permission policies are configured according to the scheme shown in Figure 1, user A can perform get, list, and watch (read-only) operations only on Deployments, pods, and Services in namespace A of the fleet, and user B can perform all operations on all resources in namespace B of the fleet.

Figure 1 Granting permissions on Kubernetes resources

Three common permission types are available on the UCS console: admin, developer, and read-only. You can grant these permission types to users. If these permission types cannot meet your requirements, you can customize permissions by specifying the operation type and resource object.

Table 3 Permission types

Permission Type

Description

Admin

Read-write permissions on all Kubernetes resource objects

Developer

Read-write permissions on most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas

Viewer

Read-only permissions on all Kubernetes resource objects