Updated on 2022-11-07 GMT+08:00

How Do I Configure Operation Permissions for Cluster Resources?

Background

For CCE clusters, configure the permissions on the IAM console. For non-CCE clusters, configure the permissions on the UCS console.

To manage all your clusters on the UCS console, you need to use a Huawei Cloud account or a user in the admin user group to configure permissions on the Permissions Policies page of the UCS console. For details, see Table 1.

Table 1 Operation Permissions on Non-CCE Cluster Resources

| Category | Permission Description |
| --- | --- |
| Cluster information | A Huawei Cloud account or a member of the admin user group can associate a user with its target cluster group in Policy Center. |
| Node-related APIs | The Huawei Cloud account or the admin user group member needs to assign the nodes operation permission to the user in Policy Center. |
| Workloads: Deployments | The Huawei Cloud account or the admin user group member needs to assign the deployments operation permission in the corresponding namespace to the user in Policy Center. |
| Workloads: StatefulSets | The Huawei Cloud account or the admin user group member needs to assign the statefulsets operation permission in the corresponding namespace to the user in Policy Center. |
| Workloads: DaemonSets | The Huawei Cloud account or the admin user group member needs to assign the daemonsets operation permission in the corresponding namespace to the user in Policy Center. |
| Workloads: Normal task | The Huawei Cloud account or the admin user group member needs to assign the jobs operation permission in the corresponding namespace to the user in Policy Center. |
| Workloads: Scheduled task | The Huawei Cloud account or the admin user group member needs to assign the cronjobs operation permission in the corresponding namespace to the user in Policy Center. |
| Workloads: Pod | The Huawei Cloud account or the admin user group member needs to assign the pods operation permission in the corresponding namespace to the user in Policy Center. |
| Networking: Service | The Huawei Cloud account or the admin user group member needs to assign the services operation permission in the corresponding namespace to the user in Policy Center. |
| Networking: Ingresses | The Huawei Cloud account or the admin user group member needs to assign the ingresses operation permission in the corresponding namespace to the user in Policy Center. |
| Container Storage: PersistentVolumeClaims (PVCs) | The Huawei Cloud account or the admin user group member needs to assign the persistentvolumeclaims operation permission in the corresponding namespace to the user in Policy Center. |
| Container Storage: Volumes | The Huawei Cloud account or the admin user group member needs to assign the persistentvolumes operation permission in the corresponding namespace to the user in Policy Center. |
| Container Storage: Storage Class | The Huawei Cloud account or the admin user group member needs to assign the storageclasses operation permission in the corresponding namespace to the user in Policy Center. |
| ConfigMaps and Secrets: Deployment template | The Huawei Cloud account or the admin user group member needs to assign the configmaps operation permission in the corresponding namespace to the user in Policy Center. |
| ConfigMaps and Secrets: Secret Key | The Huawei Cloud account or the admin user group member needs to assign the secrets operation permission in the corresponding namespace to the user in Policy Center. |
| Custom Resource Definitions | The Huawei Cloud account or a member of the admin user group needs to assign the customresourcedefinitions operation permission in the corresponding namespace to the user in Policy Center. |
| Namespace | The Huawei Cloud account or the admin user group member needs to assign the namespaces operation permission to the user in Policy Center. |
| Workload Scaling | The Huawei Cloud account or the admin user group member needs to assign the horizontalpodautoscalers operation permission to the user in Policy Center. |

The following operations can be configured for a resource on the UCS console:

  • *: Allows all operations.
  • get: Retrieves a specific resource object by name.
  • list: Retrieves all resource objects of a specific type in the namespace. You can use selectors to query matched resources.
  • watch: Watches and responds to resource changes.
  • create: Creates a resource.
  • update: Updates a resource.
  • patch: Partially updates a resource.
  • delete: Deletes a resource.

All operations: *

Read-only: get + list + watch

Read-write: get + list + watch + create + update + patch + delete

Prerequisites

An IAM user has been added to a user group. For details, see User Groups.

Procedure

This section describes how to configure permissions on the cluster console for IAM users. For details about the permissions on other functions (such as CCE clusters and container cluster federations), see How Do I Configure the Access Permission for Each Function of the UCS Console?

  1. Log in to the UCS console as an administrator or a user in the admin user group. In the navigation pane, click Permissions Policies.
  2. In the upper right corner, click Create Permissions Policy.
  3. Set permissions policy parameters.

    • Policy Name: Enter a name, starting with a lowercase letter and not ending with a hyphen (-). Only lowercase letters, digits, and hyphens (-) are allowed.
    • User Group: Select the user group associated with the permissions policy. The user groups in the drop-down list are inherited from IAM. If no user group is available, click Create User Group to create one on the IAM console.
    • Permissions Template: Defaults to Do not use. You can also select a default or a custom template. For details about how to customize a permissions template, see Adding a Template.
      When choosing Do not use, manually configure the permissions. Click to add multiple configurations.
      • Operations to perform: Select one or multiple operations.
        • *: Allows all operations.
        • get: Retrieves a specific resource object by name.
        • list: Retrieves all resource objects of a specific type in the namespace. You can use selectors to query matched resources.
        • watch: Watches and responds to resource changes.
        • create: Creates a resource.
        • update: Updates a resource.
        • patch: Partially updates a resource.
        • delete: Deletes a resource.
      • Namespace: Select one or multiple namespaces to operate.
      • Resources to operate: Select one or multiple resources to operate. For details about resource types, see Table 1.
    • Description: Enter a description of the permissions policy to be added.

  4. Click OK.
  5. Associate the created permissions policy with the cluster group by clicking in the cluster group card view on the Container Clusters page.

    Figure 1 Associating a permission policy with a cluster group

  6. Select the created policy and click OK.

    Figure 2 Associating policies
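As an added example (not part of this help page and not UCS code), the Python below encodes the operation presets listed above and the Policy Name rule from step 3, renders the native Kubernetes RBAC Role that one policy configuration corresponds to (an assumption about the equivalent object; the page does not document UCS emitting it), and flags the grants a least-privilege review would question before clicking OK.

```python
import re

# Operation presets exactly as this page defines them.
PRESETS = {"Read-only": {"get", "list", "watch"},
           "Read-write": {"get", "list", "watch", "create", "update", "patch", "delete"},
           "All operations": {"*"}}

# API group of each resource named in Table 1; anything not listed is a core ("") resource.
API_GROUPS = {"deployments": "apps", "statefulsets": "apps", "daemonsets": "apps",
              "jobs": "batch", "cronjobs": "batch", "ingresses": "networking.k8s.io",
              "horizontalpodautoscalers": "autoscaling", "storageclasses": "storage.k8s.io",
              "customresourcedefinitions": "apiextensions.k8s.io"}

# Policy Name rule from the procedure: starts with a lowercase letter, does not
# end with a hyphen, and contains only lowercase letters, digits and hyphens.
_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")


def policy_name_valid(name: str) -> bool:
    return bool(_NAME_RE.match(name)) and not name.endswith("-")


def expand_operations(operations):
    """Resolve preset names and individual verbs into one verb set; '*' subsumes the rest."""
    verbs = set()
    for op in operations:
        verbs |= PRESETS.get(op, {op})
    return {"*"} if "*" in verbs else verbs


def render_role(policy_name, namespace, resources, operations):
    """Equivalent Kubernetes RBAC Role (assumption: the native object the console settings map to)."""
    if not policy_name_valid(policy_name):
        raise ValueError(f"invalid policy name: {policy_name!r}")
    verbs = sorted(expand_operations(operations))
    by_group = {}
    for res in resources:
        by_group.setdefault(API_GROUPS.get(res, ""), []).append(res)
    rules = [{"apiGroups": [grp], "resources": sorted(names), "verbs": verbs}
             for grp, names in sorted(by_group.items())]
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
            "metadata": {"name": policy_name, "namespace": namespace}, "rules": rules}


def review_role(role):
    """Least-privilege review: the grants a reviewer should question before clicking OK."""
    findings = []
    for rule in role["rules"]:
        if "*" in rule["verbs"]:
            findings.append("wildcard verb grants every operation, including delete")
        if "secrets" in rule["resources"] and {"list", "*"} & set(rule["verbs"]):
            findings.append("list/* on secrets reveals every secret value in the namespace")
    return findings
```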
