How Do I Configure Operation Permissions for Cluster Resources?
Background
For CCE clusters, configure the permissions on the IAM console. For non-CCE clusters, configure the permissions on the UCS console.
To manage all your clusters on the UCS console, you need to use a Huawei Cloud account or a user in the admin user group to configure permissions on the Permissions Policies page of the UCS console. For details, see Table 1.
In every row below, the assignment is made by the Huawei Cloud account or a member of the admin user group in Policy Center; the permission is granted to the user (through the user group) for the listed resource, in the selected namespace where the resource is namespaced.

Table 1 Cluster resource permissions

Category | Resource | Permission Description
---|---|---
Cluster information | - | Associate the user with its target cluster group.
Node-related APIs | Nodes | Configure the nodes operation permission for the user.
Workloads | Deployments | Assign the deployments operation permission in the corresponding namespace.
Workloads | StatefulSets | Assign the statefulsets operation permission in the corresponding namespace.
Workloads | DaemonSets | Assign the daemonsets operation permission in the corresponding namespace.
Workloads | Jobs (normal tasks) | Assign the jobs operation permission in the corresponding namespace.
Workloads | CronJobs (scheduled tasks) | Assign the cronjobs operation permission in the corresponding namespace.
Workloads | Pods | Assign the pods operation permission in the corresponding namespace.
Networking | Services | Assign the services operation permission in the corresponding namespace.
Networking | Ingresses | Assign the ingresses operation permission in the corresponding namespace.
Container Storage | PersistentVolumeClaims (PVCs) | Assign the persistentvolumeclaims operation permission in the corresponding namespace.
Container Storage | Volumes | Assign the persistentvolumes operation permission.
Container Storage | Storage Class | Assign the storageclasses operation permission.
ConfigMaps and Secrets | ConfigMaps | Assign the configmaps operation permission in the corresponding namespace.
ConfigMaps and Secrets | Secrets | Assign the secrets operation permission in the corresponding namespace.
Custom Resource Definitions | - | Assign the customresourcedefinitions operation permission.
Namespace | - | Assign the namespaces operation permission.
Workload Scaling | - | Assign the horizontalpodautoscalers operation permission in the corresponding namespace.

Note that nodes, namespaces, persistentvolumes, storageclasses and customresourcedefinitions are cluster-scoped resources in Kubernetes. A grant on them is not confined to a single namespace, so review such grants as cluster-wide permissions.
The following list shows the resource operation permissions you can configure on the UCS console. They correspond to the Kubernetes RBAC verbs:
- *: Allows all operations, including any operation added in the future.
- get: Retrieves a specific resource object by name.
- list: Retrieves all resource objects of a specific type in the namespace. You can use selectors to query matched resources.
- watch: Watches for and responds to resource changes.
- create: Creates a resource.
- update: Updates a resource.
- patch: Partially updates a resource.
- delete: Deletes a resource.

The common combinations are:

All operations: *
Read-only: get + list + watch
Read-write: get + list + watch + create + update + patch + delete

Read-only is not harmless for every resource: get, list and watch on secrets return the secret values, so treat read access to secrets as sensitive and grant it only in the namespaces where it is needed.
Prerequisites
An IAM user has been added to a user group. For details, see User Groups.
Procedure
This section describes how to configure permissions on the cluster console for IAM users. For details about the permissions on other functions (such as CCE clusters and container cluster federations), see How Do I Configure the Access Permission for Each Function of the UCS Console?.
- Log in to the UCS console as an administrator or a user in the admin user group. In the navigation pane, click Permissions Policies.
- In the upper right corner, click Create Permissions Policy.
- Set permissions policy parameters.
- Policy Name: Enter a name, starting with a lowercase letter and not ending with a hyphen (-). Only lowercase letters, digits, and hyphens (-) are allowed.
- User Group: Select the user group associated with the permissions policy. The user groups in the drop-down list are inherited from IAM. If no user group is available, click Create User Group to create one on the IAM console.
- Permissions Template: Defaults to Do not use. You can also select a default or a custom template. For details about how to customize a permissions template, see Adding a Template.
When choosing Do not use, configure the permissions manually. Click the add button to add multiple configurations. Each configuration consists of the following settings:
  - Namespace: Select one or multiple namespaces to operate.
  - Resources to operate: Select one or multiple resources to operate. For details about resource types, see Table 1.
  - Operations to perform: Select one or multiple operations.
    - *: All operations.
    - get: Retrieves a specific resource object by name.
    - list: Retrieves all resource objects of a specific type in the namespace. You can use selectors to query matched resources.
    - watch: Watches for and responds to resource changes.
    - create: Creates a resource.
    - update: Updates a resource.
    - patch: Partially updates a resource.
    - delete: Deletes a resource.
- Description: Enter a description of the permissions policy to be added.
- Click OK.
- Associate the created permissions policy with the cluster group: on the Container Clusters page, click the corresponding icon in the cluster group card view.
Figure 1 Associating a permission policy with a cluster group
- Select the created policy and click OK.
Figure 2 Associating policies
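The following is an added example, not code from the UCS documentation or product, that models the policy fields described in the procedure above (Policy Name, User Group, Namespace, Resources to operate, Operations to perform) and the verb semantics listed earlier. It validates the policy name rule, answers "may this user group perform verb X on resource Y in namespace Z?" using Kubernetes RBAC-style matching with wildcard expansion and cluster-scoped resources, and flags grants a reviewer should look at before clicking OK. The Policy and Rule structures, the sample policies and the user-group names are assumptions made for the example; UCS does not expose such an API.

```python
"""Toy evaluator for UCS-style permissions policies (added example, hypothetical API).

Models the Create Permissions Policy form: a policy has a name, a user group and
one or more configurations (namespaces x resources x operations). Matching
follows Kubernetes RBAC semantics, which the console's verb list is taken from.
"""
import re
from dataclasses import dataclass, field

# Verb set offered by the console; identical to the Kubernetes RBAC verb set.
ALL_VERBS = frozenset({"get", "list", "watch", "create", "update", "patch", "delete"})
READ_ONLY = frozenset({"get", "list", "watch"})
READ_WRITE = ALL_VERBS

# Cluster-scoped resources in Kubernetes: a grant on them is not confined to a namespace.
CLUSTER_SCOPED = frozenset({"nodes", "namespaces", "persistentvolumes",
                            "storageclasses", "customresourcedefinitions"})

# Policy Name rule from the console: starts with a lowercase letter, only
# lowercase letters, digits and hyphens, and must not end with a hyphen.
_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")


def valid_policy_name(name: str) -> bool:
    return bool(_NAME_RE.match(name)) and not name.endswith("-")


@dataclass(frozen=True)
class Rule:
    namespaces: frozenset   # selected namespaces (assumed structure)
    resources: frozenset    # e.g. {"deployments", "secrets"}
    operations: frozenset   # verbs, or {"*"} for all operations

    def verbs(self) -> frozenset:
        # '*' expands to every verb, current and future; unknown verbs are ignored.
        return ALL_VERBS if "*" in self.operations else self.operations & ALL_VERBS


@dataclass
class Policy:
    name: str
    user_group: str          # inherited from IAM
    rules: list = field(default_factory=list)


def is_allowed(policies, user_group, namespace, resource, verb) -> bool:
    """Return True if any policy bound to user_group permits verb on resource in namespace."""
    for policy in policies:
        if policy.user_group != user_group:
            continue
        for rule in policy.rules:
            if resource not in rule.resources or verb not in rule.verbs():
                continue
            # Cluster-scoped resources ignore the namespace selection entirely.
            if resource in CLUSTER_SCOPED or namespace in rule.namespaces:
                return True
    return False


def risky_grants(policy) -> list:
    """Findings a reviewer should check: wildcard verbs, read access to secrets
    (get/list/watch return the values) and cluster-scoped resources."""
    findings = []
    for rule in policy.rules:
        if "*" in rule.operations:
            findings.append(f"{policy.name}: '*' grants all verbs on {sorted(rule.resources)}")
        if "secrets" in rule.resources and rule.verbs() & READ_ONLY:
            findings.append(f"{policy.name}: read access to secrets exposes their contents")
        for res in sorted(rule.resources & CLUSTER_SCOPED):
            findings.append(f"{policy.name}: {res} is cluster-scoped; namespace selection does not confine it")
    return findings


# Constructed sample policies (not real data).
SAMPLE_POLICIES = [
    Policy("dev-readonly", "developers", [
        Rule(frozenset({"dev"}), frozenset({"deployments", "pods", "secrets"}), READ_ONLY)]),
    Policy("ops-admin", "ops", [
        Rule(frozenset({"prod"}), frozenset({"deployments", "persistentvolumes"}), frozenset({"*"}))]),
]

if __name__ == "__main__":
    for p in SAMPLE_POLICIES:
        print(p.name, "valid name:", valid_policy_name(p.name))
        for finding in risky_grants(p):
            print("  review:", finding)
    print(is_allowed(SAMPLE_POLICIES, "developers", "dev", "deployments", "delete"))   # False
    print(is_allowed(SAMPLE_POLICIES, "ops", "staging", "persistentvolumes", "delete"))  # True
```

The last call illustrates the point worth remembering from the table: selecting the prod namespace on a persistentvolumes grant does not stop the ops group from deleting volumes used by staging, because the resource is cluster-scoped.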
Permissions FAQs
- How Do I Configure the Access Permission for Each Function of the UCS Console?
- Why Can't an IAM User Obtain Clusters or Cluster Groups After Logging In to UCS?
- How Do I Configure Operation Permissions for Cluster Resources?