- What's New
- Product Bulletin
- Service Overview
- Billing
- Getting Started
-
User Guide
-
UCS Clusters
- Overview
- Huawei Cloud Clusters
-
On-Premises Clusters
- Overview
- Service Planning for On-Premises Cluster Installation
- Registering an On-Premises Cluster
- Installing an On-Premises Cluster
- Managing an On-Premises Cluster
- Attached Clusters
- Multi-Cloud Clusters
- Single-Cluster Management
- Fleets
-
Cluster Federation
- Overview
- Enabling Cluster Federation
- Using kubectl to Connect to a Federation
- Upgrading a Federation
-
Workloads
- Workload Creation
-
Container Settings
- Setting Basic Container Information
- Setting Container Specifications
- Setting Container Lifecycle Parameters
- Setting Health Check for a Container
- Setting Environment Variables
- Configuring a Workload Upgrade Policy
- Configuring a Scheduling Policy (Affinity/Anti-affinity)
- Configuring Scheduling and Differentiation
- Managing a Workload
- ConfigMaps and Secrets
- Services and Ingresses
- MCI
- MCS
- DNS Policies
- Storage
- Namespaces
- Multi-Cluster Workload Scaling
- Adding Labels and Taints to a Cluster
- RBAC Authorization for Cluster Federations
- Image Repositories
- Permissions
-
Policy Center
- Overview
- Basic Concepts
- Enabling Policy Center
- Creating and Managing Policy Instances
- Example: Using Policy Center for Kubernetes Resource Compliance Governance
-
Policy Definition Library
- Overview
- k8spspvolumetypes
- k8spspallowedusers
- k8spspselinuxv2
- k8spspseccomp
- k8spspreadonlyrootfilesystem
- k8spspprocmount
- k8spspprivilegedcontainer
- k8spsphostnetworkingports
- k8spsphostnamespace
- k8spsphostfilesystem
- k8spspfsgroup
- k8spspforbiddensysctls
- k8spspflexvolumes
- k8spspcapabilities
- k8spspapparmor
- k8spspallowprivilegeescalationcontainer
- k8srequiredprobes
- k8srequiredlabels
- k8srequiredannotations
- k8sreplicalimits
- noupdateserviceaccount
- k8simagedigests
- k8sexternalips
- k8sdisallowedtags
- k8sdisallowanonymous
- k8srequiredresources
- k8scontainerratios
- k8scontainerrequests
- k8scontainerlimits
- k8sblockwildcardingress
- k8sblocknodeport
- k8sblockloadbalancer
- k8sblockendpointeditdefaultrole
- k8spspautomountserviceaccounttokenpod
- k8sallowedrepos
- Configuration Management
- Traffic Distribution
- Observability
- Container Migration
- Pipeline
- Error Codes
-
UCS Clusters
- Best Practices
-
API Reference
- Before You Start
- Calling APIs
-
API
- UCS Cluster
-
Fleet
- Adding a Cluster to a Fleet
- Removing a Cluster from a Fleet
- Registering a Fleet
- Deleting a Fleet
- Querying a Fleet
- Adding Clusters to a Fleet
- Updating Fleet Description
- Updating Permission Policies Associated with a Fleet
- Updating the Zone Associated with the Federation of a Fleet
- Obtaining the Fleet List
- Enabling Fleet Federation
- Disabling Cluster Federation
- Querying Federation Enabling Progress
- Creating a Federation Connection and Downloading kubeconfig
- Creating a Federation Connection
- Downloading Federation kubeconfig
- Permissions Management
- Using the Karmada API
- Appendix
-
FAQs
- About UCS
-
Billing
- How Is UCS Billed?
- What Status of a Cluster Will Incur UCS Charges?
- Why Am I Still Being Billed After I Purchase a Resource Package?
- How Do I Change the Billing Mode of a Cluster from Pay-per-Use to Yearly/Monthly?
- What Types of Invoices Are There?
- Can I Unsubscribe from or Modify a Resource Package?
-
Permissions
- How Do I Configure Access Permissions for Each Function of the UCS Console?
- What Can I Do If an IAM User Cannot Obtain Cluster or Fleet Information After Logging In to UCS?
- How Do I Restore ucs_admin_trust I Deleted or Modified?
- What Can I Do If I Cannot Associate the Permission Policy with a Fleet or Cluster?
- How Do I Clear RBAC Resources After a Cluster Is Unregistered?
- Policy Center
-
Fleets
- What Can I Do If Cluster Federation Verification Fails to Be Enabled for a Fleet?
- What Can I Do If an Abnormal, Federated Cluster Fails to Be Removed from the Fleet?
- What Can I Do If an Nginx Ingress Is in the Unready State After Being Deployed?
- What Can I Do If "Error from server (Forbidden)" Is Displayed When I Run the kubectl Command?
- Huawei Cloud Clusters
- Attached Clusters
-
On-Premises Clusters
- What Can I Do If an On-Premises Cluster Fails to Be Connected?
- How Do I Manually Clear Nodes of an On-Premises Cluster?
- How Do I Downgrade a cgroup?
- What Can I Do If the VM SSH Connection Times Out?
- How Do I Expand the Disk Capacity of the CIA Add-on in an On-Premises Cluster?
- What Can I Do If the Cluster Console Is Unavailable After the Master Node Is Shut Down?
- What Can I Do If a Node Is Not Ready After Its Scale-Out?
- How Do I Update the CA/TLS Certificate of an On-Premises Cluster?
- What Can I Do If an On-Premises Cluster Fails to Be Installed?
- Multi-Cloud Clusters
-
Cluster Federation
- What Can I Do If the Pre-upgrade Check of the Cluster Federation Fails?
- What Can I Do If a Cluster Fails to Be Added to a Federation?
- What Can I Do If Status Verification Fails When Clusters Are Added to a Federation?
- What Can I Do If an HPA Created on the Cluster Federation Management Plane Fails to Be Distributed to Member Clusters?
- What Can I Do If an MCI Object Fails to Be Created?
- What Can I Do If I Fail to Access a Service Through MCI?
- What Can I Do If an MCS Object Fails to Be Created?
- What Can I Do If an MCS or MCI Instance Fails to Be Deleted?
- Traffic Distribution
- Container Intelligent Analysis
- General Reference
Copied.
How Do I Configure Access Permissions for Each Function of the UCS Console?
Symptom
The functions of the UCS console are controlled by IAM. When an unauthorized user accesses a page on the UCS console, an error message is displayed, indicating that the user does not have the access permission or permission authentication fails.
Solution
The administrator needs to grant users the permissions for using functions of the UCS console. IAM system policies (including UCS FullAccess, UCS CommonOperations, UCS CIAOperations, and UCS ReadOnlyAccess) are used to define user permissions.
Role/Policy Name |
Description |
Type |
---|---|---|
UCS FullAccess |
Administrator permissions for UCS. Users with these permissions can perform all operations on UCS resources, for example, creating permission policies and security policies. |
System-defined policy |
UCS CommonOperations |
Common user permissions for UCS. Users with these permissions can create workloads, distribute traffic, and perform other operations. |
System-defined policy |
UCS CIAOperations |
Administrator permissions for UCS Container Intelligent Analysis. |
System-defined policy |
UCS ReadOnlyAccess |
Read-only permissions for UCS (except for Container Intelligent Analysis). |
System-defined policy |
Services on Huawei Cloud are interdependent, and UCS depends on other cloud services to implement some functions, such as image repository and domain name resolution. Therefore, the preceding system policies are often used together with roles or policies of other cloud services for refined permission granting. When granting permissions to IAM users, the administrator must comply with the principle of least privilege. Table 2 lists the minimum permissions required by the Admin, Operator, and Viewer roles of each UCS function.
For details about how to grant IAM system policies and UCS RBAC permissions to users, see UCS Resource Permissions and Kubernetes Resource Permissions in a Cluster, respectively.
Function |
Permission Type |
Permission |
Minimum Permission |
---|---|---|---|
Fleets |
Admin |
|
UCS FullAccess |
Viewer |
Querying clusters and fleets or their details |
UCS ReadOnlyAccess |
|
Huawei Cloud cluster |
Admin |
Read-write permissions on Huawei Cloud clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services) |
UCS FullAccess + CCE Administrator |
Developer |
Read-write permissions on Huawei Cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas |
UCS CommonOperations + CCE Administrator |
|
Viewer |
Read-only permissions on Huawei Cloud clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services) |
UCS ReadOnlyAccess + CCE Administrator |
|
On-premises/Attached/Multi-cloud cluster |
Admin |
Read-write permissions on on-premises/attached/multi-cloud clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services) |
UCS FullAccess |
Developer |
Read-write permissions on on-premises/attached/multi-cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas |
UCS CommonOperations + UCS RBAC (The list permission for namespaces is required.) |
|
Viewer |
Read-only permissions on on-premises/attached/multi-cloud clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services) |
UCS ReadOnlyAccess + UCS RBAC (The list permission for namespaces is required.) |
|
Image Repositories |
Admin |
All permissions on SoftWare Repository for Container (SWR), including creating organizations, uploading images, viewing images or their details, and downloading images |
SWR Administrator |
Permissions |
Admin |
When creating a permission policy, you need to grant the IAM ReadOnlyAccess permission (read-only permissions on IAM) to IAM users to obtain the IAM user list. |
UCS FullAccess + IAM ReadOnlyAccess |
Viewer |
Viewing permissions or their details |
UCS ReadOnlyAccess + IAM ReadOnlyAccess |
|
Policy Center |
Admin |
|
UCS FullAccess |
Viewer |
Viewing policies and their implementation details of fleets and clusters with Policy Center enabled |
UCS CommonOperations or UCS ReadOnlyAccess |
|
Traffic Distribution |
Admin |
Creating a traffic policy, suspending and deleting a scheduling policy, and performing other operations |
|
Viewer |
Viewing traffic policies or their details |
UCS ReadOnlyAccess + DNS Administrator |
|
Container Intelligent Analysis |
Admin |
|
UCS CIAOperations |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot