What Can I Do If an IAM User Cannot Obtain Cluster or Fleet Information After Logging In to UCS?
Symptom
After an IAM user logs in to the UCS console and goes to the Fleets page, information about the created fleet and registered clusters cannot be obtained. (Both the Fleets and Clusters Not in Fleet pages are empty.)
Solution
Most IAM users cannot obtain cluster information because their permissions are not set or incorrectly set. To obtain cluster information, IAM users must have both the UCS system policy permission and cluster resource object operation permission. You need to contact the administrator to grant you permissions according to the process shown in Figure 1.
- Log in to the IAM console as the administrator and grant the UCS system policy permission to the user group of the IAM user.
Select the system policy to be granted based on the operation scope. For example, to query clusters and fleets or their details, or query cluster resource objects (including nodes, workloads, jobs, and services), you only need to grant the UCS ReadOnlyAccess permission, as shown in Figure 2.
Cluster and fleet permissions shows the minimum permissions required by different permission types. The administrator can grant permissions according to the table.
- Log in to the UCS console as the administrator and grant the IAM user the permissions for performing operations on cluster resource objects.
The procedure is as follows:
Permissions on the UCS console take effect only for on-premises or attached clusters. To perform operations on Huawei Cloud cluster resources, grant the CCE Administrator permission.
- Create a permission policy on the Permissions page. (Select the read-only permission type, which applies to all cluster resource objects.)
- Associate the created permission policy with the fleet or clusters not in the fleet.
Cluster and fleet permissions
|
Function |
Permission Type |
Permission |
Minimum Permission |
|---|---|---|---|
|
Fleets |
Administrator permission |
|
UCS FullAccess |
|
Read-only permissions |
Querying clusters and fleets or their details |
UCS ReadOnlyAccess |
|
|
Huawei Cloud cluster |
Administrator permission |
Read-write permissions on Huawei Cloud clusters and all cluster resource objects (including nodes, workloads, jobs, and services) |
UCS FullAccess + CCE Administrator |
|
Operation permission |
Read-write permissions on Huawei Cloud clusters and most cluster resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas |
UCS CommonOperations + CCE Administrator |
|
|
Read-only permissions |
Read-only permissions on Huawei Cloud clusters and all cluster resource objects (including nodes, workloads, jobs, and services) |
UCS ReadOnlyAccess + CCE Administrator |
|
|
On-premises/Attached cluster |
Administrator permission |
Read-write permissions on on-premises/attached clusters and all cluster resource objects (including nodes, workloads, jobs, and services) |
UCS FullAccess |
|
Operation permission |
Read-write permissions on on-premises/attached clusters and most cluster resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas |
UCS CommonOperations + UCS RBAC (The list permission for namespaces is required.) |
|
|
Read-only permissions |
Read-only permissions on on-premises/attached clusters and all cluster resource objects (including nodes, workloads, jobs, and services) |
UCS ReadOnlyAccess + UCS RBAC (The list permission for namespaces is required.) |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot
