Help Center/ Ubiquitous Cloud Native Service/ User Guide/ Cluster Federation/ Cluster Federation RBAC Authorization
Updated on 2024-10-25 GMT+08:00

Cluster Federation RBAC Authorization

UCS cluster federation can implement refined permission management based on Huawei Cloud IAM. In addition, native Kubernetes RBAC resources can be created in the federation for refined management of federation access permissions.

Precautions

  • The permission management of UCS and the current RBAC authorization of the cluster federation do not affect each other. When UCS APIs are called, the UCS permission management takes effect. If the kubeconfig file is used to perform federation operations, the RBAC authorization takes effect.
  • RBAC resources created in the cluster federation and member clusters are unaware of and do not affect each other. The RBAC permissions configured through the cluster federation entry take effect only when the federation is directly accessed. When a member cluster is directly accessed, only the RBAC permissions for the member cluster take effect.
  • You need to assign permissions and roles (such as ClusterRole and ClusterRoleBinding) with caution for fine-grained authorization. Do not assign the permission to view resources to namespaces prefixed with Karmada-. Role and RoleBinding are recommended for assigning permissions to resources in specified namespaces.

Cluster Federation RBAC Authorization

The UCS cluster federation uses the native RBAC authentication mode of Kubernetes. You can create RBAC resources to assign federation access permissions to IAM users.

  1. Download and configure the kubeconfig file as an IAM user with the Tenant Administrator permission. For details, see Using kubectl to Connect to a Federation.
  2. Save the following content to the list-deploy.yaml file:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: list-deploy-role-binding
      namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: list-deploy-role
    subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: <user-id>    # IAM user ID
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: <group-id>   # IAM user group ID
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: list-deploy-role
      namespace: default
    rules:
      - apiGroups:
          - apps
        resources:
          - deployments
        verbs:
          - list
          - get

    Replace <user-id> with the IAM user ID and <group-id> with the IAM user group ID. For details about the fields in RoleBinding and Role, see Using RBAC Authentication.

    Run the following command to create the resources:
    kubectl apply -f list-deploy.yaml
    The IAM user specified by <user-id> or IAM users in the group specified <group-id> can run the following command to view the Deployments in the default namespace:
    kubectl get deploy -n default