
Kubernetes Resource Permissions in a Cluster (RBAC Authorization)

Updated on 2025-02-14 GMT+08:00

Kubernetes resource permissions in a cluster are granted through the Kubernetes RBAC capability. The administrator can grant users operation permissions on specific Kubernetes resource objects in a cluster. The permissions take effect on the namespaces of a fleet or on clusters that have not joined a fleet.

This section uses the read-only permission as an example to describe how to grant Kubernetes resource permissions to users. Figure 1 shows the operation process.

NOTICE:

The UCS cluster operation permissions take effect only for non–Huawei Cloud clusters. The operation permissions of Huawei Cloud clusters (CCE and CCE Turbo clusters) are subject to the IAM or CCE RBAC permissions.

Permission Granting Process

Figure 1 Process for granting Kubernetes resource permissions to a user
  1. Create a user.

    The administrator creates a user on the IAM console.

  2. Grant UCS system policies to the user.

    Before granting the Kubernetes resource permissions, you must grant UCS system policies to the IAM user. In this example, the UCS ReadOnlyAccess policy (read-only permissions on UCS) must be granted.

  3. Create a permission policy.

    The administrator creates a permission policy on the UCS console. Select the Viewer permission type, which indicates read-only permissions on all Kubernetes resource objects.

  4. Associate the permission policy with a fleet or clusters not in the fleet.

    Associate the permission policy with a fleet. During the association, you need to select the namespace to which the permission policy applies. You can also associate the permission policy with clusters not in the fleet.

  5. Verify the permission setting.

    Log in to the console as the created user, and verify whether the read-only permission takes effect.

Creating a Permission Policy

  1. Log in to the UCS console. In the navigation pane, choose Permissions.
  2. Click Create Permission Policy in the upper right corner.
  3. Configure permission policy parameters.

    Figure 2 Creating a permission policy
    • Policy Name: Enter a name, starting with a lowercase letter and not ending with a hyphen (-). Only lowercase letters, digits, and hyphens (-) are allowed.
    • User: Select the newly created username from the drop-down list. You can select multiple users. Assume that the R&D employees of a company have the same operation permission on resources. When creating a permission policy, you can select multiple users to grant permissions to all these users.

      This section uses the readonly_user user as an example.

    • Type: Admin, Viewer, Developer, and Custom are supported.
      Table 1 Permission types

      Admin: Read-write permissions on all cluster resource objects.

      Viewer: Read-only permissions on all cluster resource objects.

      Developer: Read-write permissions on most cluster resource objects, and read-only permissions on cluster resource objects such as namespaces and resource quotas.

      Custom: Permissions are determined by the actions and resource objects you select.

    • Policy Details: indicates the actions allowed on specific resources. The Admin, Viewer, and Developer permission types have been templated. You can click to view the details of a permission type. When Type is set to Custom, configure Operation to perform and Resource Object.

      Operation to perform: You can add an operation type (for example, deletecollection indicates the deletion of multiple resources). The options are as follows:

      • get: Retrieves a specific resource object by name.
      • list: Retrieves all resource objects of a specific type in a namespace.
      • watch: Watches for changes to resource objects.
      • create: Creates a resource object.
      • update: Replaces a resource object.
      • patch: Partially updates a resource object.
      • delete: Deletes a resource object.
      NOTE:

      All operations: All

      Read-only: get + list + watch

      Read-write: get + list + watch + create + update + patch + delete

      Resource Object: Select All or Resources to operate. All includes existing resource objects and custom resource objects to be added. Resources to operate indicates the custom range of resource objects. UCS categorizes resource objects by workload, service, config and storage, authentication, authorization, policy, extend, and cluster.

      If the desired resource object does not exist in system resources, you can add a custom resource object.

      If the operation types vary according to resource objects (for example, you have the create and delete permissions on Deployments and the get, list, and watch permissions on secrets), you can click to add multiple groups of permissions.

      NOTE:

      For details about resource objects and operation types, see Kubernetes API.

    • Description: Enter a description of the permission policy to be added.

  4. Click OK. After the permission policy is created, you need to associate the permission policy with a fleet or clusters not in the fleet so that you can perform operations on Kubernetes resources.

Associating the Permission Policy with a Fleet or Clusters Not in the Fleet

A fleet contains multiple clusters and can implement unified permission management for these clusters. After clusters join a fleet, you are advised to associate the permission policy with the fleet so that clusters in the fleet can have the same permissions.

  1. Log in to the UCS console. In the navigation pane, choose Fleets.
  2. In the card view of the destination fleet, click in the upper right corner.

    Figure 3 Associating a permission policy with a fleet

  3. On the displayed page, click Update Fleet Permissions or Set Permissions. Then, associate the created permission policy with the namespace of the fleet.

    Figure 4 Updating a permission policy
    • Namespace: Select All namespaces or Namespace. All namespaces covers the existing namespaces of the fleet and any namespaces added to the fleet later. Namespace indicates a custom range of namespaces. UCS provides several common namespaces, such as default, kube-system, and kube-public. You can also add a namespace, which must already exist in the cluster.

      If you select namespaces, permission policies take effect only on namespace resources, not cluster resources. For details about namespace and cluster resources, see Kubernetes Resource Objects.

    • Set Permissions: Select permissions from the drop-down list box. You can select multiple permissions at a time to batch grant permissions.

    In this example, select the default namespace and the readonly permission policy.

    If different namespaces are associated with different permission policies (for example, the default namespace is associated with the readonly permission policy and the development namespace is associated with the develop permission policy), you can click to add multiple relationships of permission granting.

  4. Click OK.

    If you need to update the permission policy of the fleet, select the namespace and permission again using the preceding method.

Verifying the Permission Setting

Log in to the console as readonly_user and check whether the permission takes effect. The following uses an attached cluster as an example.

  • Go to the attached cluster of the fleet and choose Resources > Workloads. If you can view the workloads of the default namespace but a message is displayed indicating that you do not have the permission for viewing workloads of other namespaces, the read-only permission has taken effect.
  • Go to the attached cluster of the fleet and choose Resources > Workloads. Switch to the default namespace, and click Create Workload in the upper right corner. If a message is displayed indicating that you do not have the permission, the read-only permission has taken effect.
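The permission types, operation verbs and namespace association described above, modelled as a small policy checker that reproduces the two verification steps (an added example, not UCS's own code; the resource names, the Custom rule shape and the treatment of cluster-scoped objects under a namespace association are assumptions):

```python
"""Toy model of the UCS permission-policy semantics this page describes (added
example, not UCS's own code). It encodes the templated types (Viewer, Admin,
Developer), a fleet association mapping namespaces to policies, and a check that
mirrors the verification steps. Resource names and the rule that cluster-scoped
objects need an "All namespaces" association are assumptions for illustration."""
from dataclasses import dataclass
from typing import Optional

READ_ONLY = frozenset({"get", "list", "watch"})
READ_WRITE = READ_ONLY | {"create", "update", "patch", "delete"}
ALL_VERBS = READ_WRITE | {"deletecollection"}
CLUSTER_SCOPED = frozenset({"namespaces", "nodes", "persistentvolumes"})  # assumed
DEVELOPER_READ_ONLY = frozenset({"namespaces", "resourcequotas"})  # from Table 1

@dataclass(frozen=True)
class Rule:
    verbs: frozenset
    resources: Optional[frozenset] = None  # None means "All" resource objects
    exclude: frozenset = frozenset()       # carve-outs for "most" objects

TEMPLATES = {
    "Admin": (Rule(ALL_VERBS),),
    "Viewer": (Rule(READ_ONLY),),
    "Developer": (Rule(READ_WRITE, exclude=DEVELOPER_READ_ONLY),
                  Rule(READ_ONLY, DEVELOPER_READ_ONLY)),
}

@dataclass(frozen=True)
class Policy:
    name: str
    users: frozenset
    rules: tuple  # a Custom policy passes its own Rule objects here

def allowed(policies, fleet, user, verb, resource, namespace):
    """fleet maps a namespace (or "*" for All namespaces) to policy names."""
    bound = list(fleet.get("*", ()))
    if resource not in CLUSTER_SCOPED:  # a namespace association never covers
        bound += fleet.get(namespace, ())  # cluster resources (see page note)
    for pol in (p for p in policies if p.name in bound and user in p.users):
        for r in pol.rules:
            in_scope = r.resources is None or resource in r.resources
            if in_scope and resource not in r.exclude and verb in r.verbs:
                return True
    return False

# Constructed setup mirroring the page: readonly_user holds the Viewer policy
# "readonly", associated with the fleet's default namespace only.
POLICIES = [Policy("readonly", frozenset({"readonly_user"}), TEMPLATES["Viewer"]),
            Policy("develop", frozenset({"dev_user"}), TEMPLATES["Developer"])]
FLEET = {"default": ["readonly"], "development": ["develop"]}
```

Calling allowed(POLICIES, FLEET, "readonly_user", "list", "deployments", "default") returns True, while the same check for kube-system, or with the create verb, returns False, matching the two console checks above.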
