Help Center/ Ubiquitous Cloud Native Service/ Service Overview/ Permissions
Updated on 2024-10-25 GMT+08:00
View PDF
Share

Permissions

If you need to grant your enterprise personnel permissions to access your UCS resources, use Identity and Access Management (IAM). IAM provides identity authentication, fine-grained permissions management, and access control. IAM helps you secure access to your resources.

With IAM, you can create IAM users and grant them permissions to access only specific resources. For example, if you want some software developers in your enterprise to be able to use UCS clusters but do not want them to be able to unregister clusters or perform any other high-risk operations, you can create IAM users and grant them permissions to use UCS clusters but not permissions to delete them.

UCS Permission Types

UCS provides refined permission management based on the role access control (RBAC) capability of IAM and Kubernetes. Permission control can be implemented by UCS service resource and Kubernetes resource in a cluster. The two permission types apply to different resource types and are granted using different methods.

  • UCS resource permissions are granted based on the system policies of IAM. UCS resources include fleets, clusters, and federation instances. Administrators can grant different permissions to different user roles (such as development and O&M) to control their use of UCS resources.
  • Kubernetes resource permissions in a cluster are granted based on the Kubernetes RBAC capability. Refined permissions can be granted to Kubernetes resource objects in a cluster. With permission settings, the permissions for performing operations on different Kubernetes resource objects (such as workloads, jobs, and services) will vary with users.

If your team mainly uses UCS resources, IAM system policies can meet your requirements. If you need refined permissions on Kubernetes resource objects in the cluster, use IAM system policies together with Kubernetes RBAC.

UCS Resource Permissions

New IAM users do not have any permissions assigned by default. You need to first add them to one or more groups and then attach policies or roles to these groups. The users then inherit permissions from the groups and can perform specified operations on cloud services based on the permissions they have been assigned.

UCS is a global service deployed for all regions. When you set the authorization scope to Global services, users have permissions to access UCS in all regions.

You can grant users permissions by using roles and policies.

  • Roles: A coarse-grained authorization strategy that defines permissions by job responsibility. Only a limited number of service-level roles are available for authorization. Cloud services often depend on each other. When you grant permissions using roles, you also need to attach any existing role dependencies. Roles are not ideal for fine-grained authorization and least privilege access.
  • Policies: A fine-grained authorization strategy that defines permissions required to perform operations on specific cloud resources under certain conditions. This type of authorization is more flexible and is ideal for least privilege access. For example, you can grant IAM users only permissions to manage a certain type of fleets and clusters.

Table 1 lists all the system-defined permissions for UCS.

Table 1 System-defined permissions for UCS

Role/Policy Name

Description

Type

UCS FullAccess

Administrator permissions for UCS. Users with these permissions can perform all operations on UCS resources, for example, creating permission policies and security policies.

System-defined policy

UCS CommonOperations

Common user permissions for UCS. Users with these permissions can create workloads, distribute traffic, and perform other operations.

System-defined policy

UCS CIAOperations

Administrator permissions for UCS Container Intelligent Analysis.

System-defined policy

UCS ReadOnlyAccess

Read-only permissions for UCS (except for Container Intelligent Analysis).

System-defined policy

Services on Huawei Cloud are interdependent, and UCS depends on other cloud services to implement some functions, such as image repository and domain name resolution. Therefore, the preceding four system policies are often used together with roles or policies of other cloud services for refined permission granting. When granting permissions to IAM users, the administrator must comply with the principle of least privilege. Table 2 lists the minimum permissions of the admin, developer, and viewer permission types required by each UCS function.

Table 2 Minimum permissions required by each UCS function

Function

Permission Type

Permission

Minimum Permission

Fleets

Admin
  • Creating and deleting a fleet
  • Registering a Huawei Cloud cluster (CCE cluster or CCE Turbo cluster) , on-premises cluster, or attached cluster
  • Unregistering a cluster
  • Adding a cluster to or removing a cluster from a fleet
  • Associating permission policies with a cluster or fleet
  • Enabling cluster federation and performing federation management operations (such as creating a federated workload and creating domain name access)

UCS FullAccess

Viewer

Querying clusters and fleets or their details

UCS ReadOnlyAccess

Huawei Cloud cluster

Admin

Read-write permissions on Huawei Cloud clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services)

UCS FullAccess + CCE Administrator

Developer

Read-write permissions on Huawei Cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas

UCS CommonOperations + CCE Administrator

Viewer

Read-only permissions on Huawei Cloud clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services)

UCS ReadOnlyAccess + CCE Administrator

On-premises/Attached/Multi-cloud cluster

Admin

Read-write permissions on on-premises/attached/multi-cloud clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services)

UCS FullAccess

Developer

Read-write permissions on on-premises/attached/multi-cloud clusters and most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas

UCS CommonOperations + UCS RBAC (The list permission for namespaces is required.)

Viewer

Read-only permissions on on-premises/attached/multi-cloud clusters and all Kubernetes resource objects (such as nodes, workloads, jobs, and Services)

UCS ReadOnlyAccess + UCS RBAC (The list permission for namespaces is required.)

Image Repositories

Admin

All permissions on SoftWare Repository for Container (SWR), including creating organizations, uploading images, viewing images or their details, and downloading images

SWR Administrator

Permissions

Admin
  • Creating and deleting a permission policy
  • Viewing permissions or their details
NOTE:

When creating a permission policy, you need to grant the IAM ReadOnlyAccess permission (read-only permissions on IAM) to IAM users to obtain the IAM user list.

UCS FullAccess + IAM ReadOnlyAccess

Viewer

Viewing permissions or their details

UCS ReadOnlyAccess + IAM ReadOnlyAccess

Policy Center

Admin
  • Enabling Policy Center
  • Creating and disabling a policy
  • Querying policies
  • Viewing policy implementation details

UCS FullAccess

Viewer

Viewing policies and their implementation details of fleets and clusters with Policy Center enabled

UCS CommonOperations or UCS ReadOnlyAccess

Traffic Distribution

Admin

Creating a traffic policy, suspending and deleting a scheduling policy, and performing other operations
  • UCS CommonOperations + DNS Administrator (recommended)
  • UCS FullAccess + DNS Administrator

Viewer

Viewing traffic policies or their details

UCS ReadOnlyAccess + DNS Administrator

Container Intelligent Analysis

Admin
  • Connecting clusters to a fleet or canceling cluster connection
  • Viewing monitoring data in multiple aspects, such as infrastructure and workload

UCS CIAOperations

Kubernetes Resource Permissions in a Cluster

Kubernetes resource permissions in a cluster are granted according to Kubernetes RBAC. The administrator can grant users refined permissions on specific Kubernetes resource objects in the cluster. These resources are cluster-level and namespace-level. Refined operation permissions include get, list, watch, create, update, patch, and delete. The permissions take effect on the namespaces of a fleet or on clusters that are not added to the fleet. The operation permissions are described as follows:

  • get retrieves a specific resource object by name.
  • list retrieves all resource objects of a specific type in the namespace.
  • watch responds to resource changes.
  • create creates a resource.
  • update updates a resource.
  • patch updates resources partially.
  • delete deletes a resource.

For details about cluster-level and namespace-level resources, see Kubernetes Resource Objects.

For example, after permission policies are configured according to the scheme shown in Figure 1, user A can perform get, list, and watch (read-only) operations only on Deployments, pods, and Services in namespace A of the fleet, and user B can perform all operations on all resources in namespace B of the fleet.

Figure 1 Granting permissions on Kubernetes resources

Three common permission types are available on the UCS console: admin, developer, and viewer. You can grant these permission types to users. If these permission types cannot meet your requirements, you can customize permissions by specifying the operation type and resource object.

Table 3 Permission types

Permission Type

Description

Admin

Read-write permissions on all Kubernetes resource objects

Developer

Read-write permissions on most Kubernetes resource objects and read-only permissions on Kubernetes resource objects such as namespaces and resource quotas

Viewer

Read-only permissions on all Kubernetes resource objects