Updated on 2022-10-14 GMT+08:00

Permission Policies

Enterprises can use permission policies to implement fine-grained cluster permission management. All sub-users in a user group have the same cluster permissions. If a user needs different permission policies, you can add the user to multiple user groups on the IAM console.

Creating a Permission Policy

By default, a permission policy named admin is created and associated with the admin user group in IAM. This permission policy contains all cluster groups and has administrator permissions. It cannot be manually edited or deleted.

  1. Log in to the UCS console. In the navigation pane, choose Permission Policies.
  2. Click Create Permission Policy in the upper right corner.
  3. On the page that is displayed, set permission policy parameters, as shown in Figure 1.

    Figure 1 Creating a Permission Policy

    The permission policy parameters are as follows:

    • Permission Policy Name: specifies the name of a custom permission policy. The name must start with a lowercase letter and consist of lowercase letters, digits, and hyphens (-). It cannot end with a hyphen (-).
    • User Group: Select the user group associated with the permission policy. The user groups in the list are inherited from Identity and Access Management (IAM). If the list is empty, click Create User Group to create a user group on the IAM console.
      • To let a new IAM user use all UCS functions (except permission policies), add the user to the user group that has the Tenant Administrator role on the IAM console, which makes the user a member of the admin user group. For details, see IAM User Permissions.
      • After a permission policy is created, the associated user group cannot be modified.
    • Permission Template: By default, no permission template is used. You can also select one of the default UCS permission templates or a customized template. For details about how to create a customized permission template, see Adding a Template.
      If no permission template is used, you can manually add operation configurations. You can click to add multiple operation configurations.
      • Available Operations: Select the operations that can be performed by the user. You can select multiple operations.
        • *: all operations.
        • get: retrieves a specific resource object by name.
        • list: retrieves all resource objects of a given type in a namespace. A selector can be used to return only matching resources.
        • watch: responds to changes to resources.
        • create: creates a resource.
        • update: updates a resource.
        • patch: partially updates a resource.
        • delete: deletes a resource.
      • Specify Namespace: Select the namespaces that can be operated by the user with the permission policy. You can select multiple namespaces.
      • Specified Resources: Select cluster resources that can be operated by users with the permission policy. You can select multiple resources. For details about resource types, see Table 2.
    • Description: description of the permission policy to be added.

  4. Click Create. After creating a permission policy, you need to associate it with a cluster group so that you can use UCS. For details, see Associating a Permission Policy.

Associating a Permission Policy

  1. Log in to the UCS console. In the navigation pane, choose Container Clusters.
  2. In the row of the target cluster group, click in the upper right corner.

    Figure 2 Associating a permission policy with a cluster group

  3. Select one or more existing permission policies. A cluster group can be associated with multiple permission policies.

    Figure 3 Associating a permission policy

  4. Click OK to associate the permission policy.
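    The way an operation configuration (operations, namespaces and resources) together with a policy's user group and its cluster-group association decides whether a request is permitted can be made concrete in code. The following Python is an added example written for this page; it is not UCS code and does not describe how UCS evaluates policies internally. It assumes an allow-only model in which a user's permissions are the union of the policies of all user groups the user belongs to, that a policy applies only to the cluster groups it is associated with, and that `*` expands to the seven operations listed above; the policy names, user groups, cluster groups and resources are constructed sample values.

```python
import re
from dataclasses import dataclass

# The seven operations listed on the page; "*" in a policy expands to all of them.
ALL_OPERATIONS = frozenset({"get", "list", "watch", "create", "update", "patch", "delete"})

# Name rule from the page: starts with a lowercase letter, contains only lowercase
# letters, digits and hyphens, and does not end with a hyphen.
_NAME_RE = re.compile(r"^[a-z][a-z0-9-]*$")


def validate_policy_name(name: str) -> bool:
    """Return True if the name satisfies the documented naming rule."""
    return bool(_NAME_RE.match(name)) and not name.endswith("-")


@dataclass(frozen=True)
class OperationConfig:
    """One manually added operation configuration (operations x namespaces x resources)."""
    operations: frozenset
    namespaces: frozenset
    resources: frozenset

    def matches(self, operation: str, namespace: str, resource: str) -> bool:
        allowed_ops = ALL_OPERATIONS if "*" in self.operations else self.operations
        return (operation in allowed_ops
                and namespace in self.namespaces
                and resource in self.resources)


@dataclass(frozen=True)
class PermissionPolicy:
    """A policy is bound to exactly one user group and carries its configurations."""
    name: str
    user_group: str
    configs: tuple

    def __post_init__(self):
        if not validate_policy_name(self.name):
            raise ValueError(f"invalid permission policy name: {self.name!r}")


def is_allowed(user_groups, cluster_group, associations, operation, namespace, resource):
    """Allow-only, union semantics (assumption): a request is permitted if any policy
    associated with the cluster group belongs to one of the user's groups and one of
    its configurations matches the request. Anything else is denied."""
    for policy in associations.get(cluster_group, ()):
        if policy.user_group not in user_groups:
            continue
        if any(c.matches(operation, namespace, resource) for c in policy.configs):
            return True
    return False


def build_sample():
    """Constructed sample data: two policies, two cluster groups (hypothetical names)."""
    dev_reader = PermissionPolicy("dev-reader", "developers", (
        OperationConfig(frozenset({"get", "list", "watch"}),
                        frozenset({"dev"}),
                        frozenset({"pods", "deployments"})),
    ))
    ops_admin = PermissionPolicy("ops-admin", "operators", (
        OperationConfig(frozenset({"*"}),
                        frozenset({"dev", "prod"}),
                        frozenset({"pods", "deployments"})),
    ))
    # Cluster group -> associated policies (a cluster group may carry several).
    return {"cg-east": (dev_reader, ops_admin), "cg-west": (ops_admin,)}


def demo():
    """Evaluate a few requests against the sample data and return the outcomes."""
    assoc = build_sample()
    return {
        "dev_get_pods_dev": is_allowed({"developers"}, "cg-east", assoc, "get", "dev", "pods"),
        "dev_delete_pods_dev": is_allowed({"developers"}, "cg-east", assoc, "delete", "dev", "pods"),
        "dev_get_pods_prod": is_allowed({"developers"}, "cg-east", assoc, "get", "prod", "pods"),
        "both_delete_pods_prod": is_allowed({"developers", "operators"}, "cg-east", assoc,
                                            "delete", "prod", "pods"),
        "dev_get_pods_west": is_allowed({"developers"}, "cg-west", assoc, "get", "dev", "pods"),
    }


if __name__ == "__main__":
    for request, allowed in demo().items():
        print(f"{request}: {'allowed' if allowed else 'denied'}")
```

    The read-only developer policy permits get in the dev namespace but not delete, and nothing in prod; a user who belongs to both groups gains the operators' `*` permissions on top; and a user group whose policy is not associated with cluster group cg-west gets nothing there, which is why step 4 of Creating a Permission Policy requires the association before the policy takes effect.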

Editing a Permission Policy

  1. Log in to the UCS console. In the navigation pane, choose Permission Policies.
  2. Locate the row that contains the target permission policy and click Edit in the Operation column.
  3. On the Edit Permission Policy page, reconfigure the permissions or add a description for the permission policy. For details about operation permissions, see Creating a Permission Policy.