Permissions Templates
A permission template is a collection of predefined permissions that supports fine-grained authorization at the resource level. You can use a permission template to quickly grant operation permissions to different permission policies. Currently, UCS provides three default permission templates:
- Admin Permission Template: has the operation permission on all cluster resources, including cluster permission management.
- Developer Permission Template: has the read and write permissions on most resources (such as Deployments, Pods, Secrets, Ingresses, and ConfigMaps) in all namespaces, and has the read-only permission on nodes, storage volumes, namespaces, and quota management. Cluster permission management is not included.
- ReadOnly Permission Template: has the read-only permission on all resources.
Default Permission Templates
Table 1 lists the common operation rights granted by each default template.

Table 1 Operation rights of the default permission templates

| Operation | Admin Permission Template | Developer Permission Template | ReadOnly Permission Template |
|---|---|---|---|
| Querying Peer Information | √ | √ | √ |
| Managing Cluster Nodes | √ | × | × |
| Managing Namespaces (Creating, Deleting, and Managing Quotas) | √ | × | × |
| Querying a Namespace | √ | √ | √ |
| Managing Workload Lifecycles (Creation, Upgrade, Scaling, and Deletion) | √ | √ | × |
| Viewing Workload Details | √ | √ | √ |
| Creating and Deleting Storage Volumes | √ | × | × |
| Querying Storage Volumes | √ | √ | √ |
| Creating, Updating, and Deleting Services | √ | √ | × |
| Reading a Service | √ | √ | √ |
| Creating, Updating, and Deleting Ingresses | √ | √ | × |
| Reading an Ingress | √ | √ | √ |
| Creating, Updating, and Deleting ConfigMaps | √ | √ | × |
| Querying ConfigMaps | √ | √ | √ |
| Creating or Deleting a Secret | √ | √ | × |
| Querying a Secret Key | √ | √ | √ |
Adding a Template
UCS also lets you create custom permission templates so that permission policies can be set up quickly.
- Log in to the UCS console. In the navigation pane, choose Permission Policies.
- Click Add Template, as shown in Figure 1.
- Enter the template information, as shown in Figure 2.
  - Mode: Custom and Use existing are supported. If you select Use existing, you can select an existing template and modify its permission rule configuration.
  - Template Name: the name of the user-defined template. The name must start with a lowercase letter, consist of lowercase letters, digits, and hyphens (-), and must not end with a hyphen (-).
  - Permission Rule: click the add icon next to this field to add multiple operation configurations. Each configuration consists of the following settings:
    - Available Operations: select the operations that users with this permission policy can perform. You can select multiple operations.
      - *: all operations
      - get: retrieves a specific resource object by name.
      - list: retrieves all resource objects of a given type in the namespace. A selector can be used to query matching resources.
      - watch: subscribes to changes of a resource.
      - create: creates a resource.
      - update: updates a resource.
      - patch: partially updates a resource.
      - delete: deletes a resource.
    - Specify Namespace: select the namespaces that users with the permission policy can operate on. You can select multiple namespaces.
    - Specified Resources: select the cluster resources that users with the permission policy can operate on. You can select multiple resources. For details about resource types, see Table 2.
  - Description: add a description of the permission template.
- Click Confirm to create the permission template.
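The following is an added example, not UCS code, that models a permission template as a list of rules (operations × namespaces × resources) in the shape described above, encodes the three default templates from Table 1 plus one custom namespace-scoped template, and adds a helper that picks the least-privileged default template covering a given set of required operations. The resource names used in the rules are assumptions, not UCS identifiers.

```python
from dataclasses import dataclass

# Verbs as listed on the page under "Available Operations".
READ_VERBS = frozenset({"get", "list", "watch"})
WRITE_VERBS = frozenset({"create", "update", "patch", "delete"})
ANY = frozenset({"*"})  # "*" means all operations / namespaces / resources


@dataclass(frozen=True)
class Rule:
    verbs: frozenset
    namespaces: frozenset
    resources: frozenset


def _matches(allowed, value):
    return "*" in allowed or value in allowed


def is_allowed(rules, verb, resource, namespace):
    """Allow-only model: a request is permitted if any rule covers verb, resource and namespace."""
    return any(_matches(r.verbs, verb) and _matches(r.resources, resource)
               and _matches(r.namespaces, namespace) for r in rules)


# Constructed templates mirroring the page's Table 1 (resource names are assumptions).
TEMPLATES = {
    "ReadOnly": [Rule(READ_VERBS, ANY, ANY)],
    "Developer": [
        Rule(READ_VERBS | WRITE_VERBS, ANY,
             frozenset({"deployments", "pods", "secrets", "ingresses", "configmaps", "services"})),
        Rule(READ_VERBS, ANY,
             frozenset({"nodes", "persistentvolumes", "namespaces", "resourcequotas"})),
    ],
    "Admin": [Rule(ANY, ANY, ANY)],
    # A custom template as created under "Adding a Template": read-write ConfigMaps in "dev" only.
    "dev-configmaps": [Rule(READ_VERBS | WRITE_VERBS, frozenset({"dev"}), frozenset({"configmaps"}))],
}


def missing(template, needed):
    """Return the (verb, resource, namespace) tuples that the template does not grant."""
    return [n for n in needed if not is_allowed(TEMPLATES[template], *n)]


def smallest_template(needed, order=("ReadOnly", "Developer", "Admin")):
    """Pick the least-privileged default template that covers every needed operation."""
    for name in order:
        if not missing(name, needed):
            return name
    return None
```

Use `missing()` to audit a template before binding it, and `smallest_template()` to avoid handing out Admin when Developer or ReadOnly already covers what a user needs.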