Updated on 2024-02-01 GMT+08:00

Cluster Federation RBAC Authorization

UCS cluster federation can implement refined permission management based on Huawei Cloud IAM. In addition, native Kubernetes RBAC resources can be created in the federation for refined management of federation access permissions.

Precautions

  • The permission management of UCS and the current RBAC authorization of the cluster federation do not affect each other. When UCS APIs are called, the UCS permission management takes effect. If the kubeconfig file is used to perform federation operations, the RBAC authorization takes effect.
  • RBAC resources created in the cluster federation and member clusters are unaware of and do not affect each other. The RBAC permissions configured through the cluster federation entry take effect only when the federation is directly accessed. When a member cluster is directly accessed, only the RBAC permissions for the member cluster take effect.
  • Assign permissions and roles (such as ClusterRole and ClusterRoleBinding) with caution when setting up fine-grained authorization. Do not grant permission to view resources in namespaces prefixed with Karmada-. Role and RoleBinding are recommended for granting permissions to resources in specific namespaces.

Cluster Federation RBAC Authorization

The UCS cluster federation uses the native RBAC authentication mode of Kubernetes. You can create RBAC resources to assign federation access permissions to IAM users.

  1. Download and configure the kubeconfig file as an IAM user with the Tenant Administrator permission. For details, see Using kubectl to Connect to a Federation.
  2. Save the following content to the list-deploy.yaml file:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: list-deploy-role-binding
      namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: list-deploy-role
    subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: <user-id>    # IAM user ID
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: <group-id>   # IAM user group ID
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: list-deploy-role
      namespace: default
    rules:
      - apiGroups:
          - apps
        resources:
          - deployments
        verbs:
          - list
          - get

    <user-id> indicates the IAM user ID, and <group-id> indicates the IAM user group ID. For details about the fields in RoleBinding and Role, see Using RBAC Authentication.

    Run the following command to create the resources:
    kubectl apply -f list-deploy.yaml
    The IAM user specified by <user-id>, or any IAM user in the group specified by <group-id>, can then run the following command to view the Deployments in the default namespace:
    kubectl get deploy -n default
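    To see what list-deploy-role actually grants before applying it, the following added example (not Huawei Cloud's or UCS's code) models Kubernetes RBAC matching offline: the page's Role is expressed as a Python structure, and a hypothetical read-everything ClusterRole plus a constructed namespace list (WIDE_CLUSTER_ROLE and SAMPLE_NAMESPACES are assumptions) show why the precautions above prefer a namespaced Role over a ClusterRole, which would also expose Karmada- namespaces.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    """One authorization question: may the subject do verb on resource in namespace?"""
    verb: str
    api_group: str
    resource: str
    namespace: str

# The Role from list-deploy.yaml above, as a Python structure.
LIST_DEPLOY_ROLE = {
    "kind": "Role",
    "namespace": "default",
    "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
               "verbs": ["list", "get"]}],
}

# Hypothetical read-everything ClusterRole for comparison (assumed, not on the page).
WIDE_CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "namespace": None,
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list"]}],
}

# Constructed namespace list; karmada-* names stand for federation-internal namespaces.
SAMPLE_NAMESPACES = ["default", "karmada-system", "karmada-cluster", "team-a"]

def _matches(wanted, allowed):
    # RBAC semantics: "*" in a rule field matches any value of that field.
    return "*" in allowed or wanted in allowed

def allows(role, req):
    """True if the (Cluster)Role, once bound to the subject, permits the request.
    A Role is confined to its own namespace; a ClusterRole bound by a
    ClusterRoleBinding applies in every namespace."""
    if role["kind"] == "Role" and role["namespace"] != req.namespace:
        return False
    return any(_matches(req.verb, r["verbs"])
               and _matches(req.api_group, r["apiGroups"])
               and _matches(req.resource, r["resources"])
               for r in role["rules"])

def karmada_exposure(role, namespaces):
    """Karmada-prefixed namespaces in which the role would let a subject list pods."""
    return [ns for ns in namespaces
            if ns.lower().startswith("karmada-")
            and allows(role, Request("list", "", "pods", ns))]
```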