Updated on 2025-01-24 GMT+08:00

RBAC Authorization for Cluster Federations

UCS allows you to perform refined permissions management by federation based on Huawei Cloud IAM. You can also create native Kubernetes RBAC resources in a federation for the refined management of federation access permissions.

Precautions

  • The permissions management of UCS and the RBAC authorization of a cluster federation do not affect each other. When UCS APIs are called, the permissions management takes effect. If the kubeconfig file is used to perform operations on a federation, the RBAC authorization takes effect.
  • RBAC resources created in the cluster federation and member clusters are unaware of and do not affect each other. The RBAC permissions configured through the cluster federation entry take effect only when the federation is directly accessed. When a member cluster is directly accessed, only the RBAC permissions for the member cluster take effect.
  • Assign cluster-scoped permissions and roles (such as ClusterRole and ClusterRoleBinding) with caution when configuring fine-grained authorization. Do not grant permission to view resources in namespaces prefixed with Karmada-. Role and RoleBinding are recommended for granting permissions to resources in specific namespaces.

Cluster Federation RBAC Authorization

The UCS cluster federation uses the native RBAC authentication mode of Kubernetes. You can create RBAC resources to assign federation access permissions to IAM users.

  1. Download and configure the kubeconfig file as an IAM user with the Tenant Administrator permission. For details, see Using kubectl to Connect to a Federation.
  2. Save the following content to the list-deploy.yaml file:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: list-deploy-role-binding
      namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: list-deploy-role
    subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: <user-id>    # IAM user ID
      - apiGroup: rbac.authorization.k8s.io
        kind: Group
        name: <group-id>   # IAM user group ID
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: list-deploy-role
      namespace: default
    rules:
      - apiGroups:
          - apps
        resources:
          - deployments
        verbs:
          - list
          - get

    Replace <user-id> with the IAM user ID and <group-id> with the IAM user group ID. For details about the fields in RoleBinding and Role, see Using RBAC Authentication.

    Run the following command to create the resources:

    kubectl apply -f list-deploy.yaml

    The IAM user specified by <user-id>, or any IAM user in the group specified by <group-id>, can then run the following command to view the Deployments in the default namespace:

    kubectl get deploy -n default

    Because the Role grants only the get and list verbs on deployments in the default namespace, any other request through the federation kubeconfig, such as listing Deployments in another namespace or creating one, is denied.
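The following is an added example, not code from the UCS documentation or from Karmada. It checks a set of federation RBAC objects against the precautions listed above before they are applied: namespaced Role/RoleBinding objects must not target a Karmada- prefixed namespace, cluster-scoped objects are flagged so that Role/RoleBinding is preferred, a RoleBinding must reference a Role that exists in the same namespace, User/Group subjects must carry the rbac.authorization.k8s.io apiGroup, and <user-id>/<group-id> placeholders must have been replaced. The manifests are embedded as Python dicts (what yaml.safe_load_all would return for list-deploy.yaml) so the script needs only the standard library; the user and group IDs in them are constructed sample values.

```python
"""Lint cluster federation RBAC manifests against the precautions above.

Added example; not part of the UCS documentation. Manifests are given as
dicts, the shape yaml.safe_load_all() produces for list-deploy.yaml.
"""

RBAC_GROUP = "rbac.authorization.k8s.io"
PROTECTED_PREFIX = "karmada-"          # federation control-plane namespaces
READ_VERBS = {"get", "list", "watch", "*"}


def lint_rbac(manifests):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    roles = set()                      # (namespace, name) of every Role seen

    for m in manifests:
        kind = m.get("kind")
        meta = m.get("metadata", {})
        name = meta.get("name", "<unnamed>")
        ns = meta.get("namespace")

        if kind in ("Role", "RoleBinding"):
            if ns is None:
                findings.append(("error", f"{kind}/{name}: no metadata.namespace set"))
            elif ns.lower().startswith(PROTECTED_PREFIX):
                findings.append(("error", f"{kind}/{name}: targets protected namespace {ns}"))
            if kind == "Role":
                roles.add((ns, name))

        if kind in ("ClusterRole", "ClusterRoleBinding"):
            findings.append(("warn", f"{kind}/{name}: cluster-wide scope; "
                                     "prefer Role/RoleBinding in a specific namespace"))
        if kind == "ClusterRole":
            # Read access on every resource or on namespaces themselves would
            # expose the karmada- namespaces, which the precautions forbid.
            for rule in m.get("rules", []):
                res = set(rule.get("resources", []))
                if res & {"*", "namespaces"} and READ_VERBS & set(rule.get("verbs", [])):
                    findings.append(("error", f"ClusterRole/{name}: grants read access "
                                              "across all namespaces, including karmada-*"))

    # Second pass: bindings can appear before the Role they reference.
    for m in manifests:
        if m.get("kind") != "RoleBinding":
            continue
        meta = m.get("metadata", {})
        name, ns = meta.get("name", "<unnamed>"), meta.get("namespace")
        ref = m.get("roleRef", {})
        if ref.get("kind") == "Role" and (ns, ref.get("name")) not in roles:
            findings.append(("warn", f"RoleBinding/{name}: roleRef Role "
                                     f"{ref.get('name')} not defined in namespace {ns}"))
        for s in m.get("subjects", []):
            skind, sname = s.get("kind"), s.get("name", "")
            if skind in ("User", "Group") and s.get("apiGroup") != RBAC_GROUP:
                findings.append(("error", f"RoleBinding/{name}: subject {skind}/{sname} "
                                          f"must set apiGroup {RBAC_GROUP}"))
            if sname.startswith("<") and sname.endswith(">"):
                findings.append(("error", f"RoleBinding/{name}: placeholder {sname} "
                                          "was not replaced with a real IAM ID"))
    return findings


def is_clean(manifests):
    """True when no finding of severity 'error' was raised."""
    return not any(sev == "error" for sev, _ in lint_rbac(manifests))


# Constructed copy of list-deploy.yaml with sample (not real) IAM IDs filled in.
PAGE_MANIFESTS = [
    {"apiVersion": f"{RBAC_GROUP}/v1", "kind": "RoleBinding",
     "metadata": {"name": "list-deploy-role-binding", "namespace": "default"},
     "roleRef": {"apiGroup": RBAC_GROUP, "kind": "Role", "name": "list-deploy-role"},
     "subjects": [{"apiGroup": RBAC_GROUP, "kind": "User", "name": "0a1b2c3d4e5f-sample-user"},
                  {"apiGroup": RBAC_GROUP, "kind": "Group", "name": "9f8e7d6c5b4a-sample-group"}]},
    {"apiVersion": f"{RBAC_GROUP}/v1", "kind": "Role",
     "metadata": {"name": "list-deploy-role", "namespace": "default"},
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["list", "get"]}]},
]

# Constructed manifests that violate the precautions: a binding in a karmada-
# namespace with an unreplaced placeholder and a missing apiGroup, plus a
# cluster-wide read role bound cluster-wide.
BAD_MANIFESTS = [
    {"apiVersion": f"{RBAC_GROUP}/v1", "kind": "RoleBinding",
     "metadata": {"name": "viewer-binding", "namespace": "karmada-system"},
     "roleRef": {"apiGroup": RBAC_GROUP, "kind": "Role", "name": "viewer"},
     "subjects": [{"kind": "User", "name": "<user-id>"}]},
    {"apiVersion": f"{RBAC_GROUP}/v1", "kind": "ClusterRole",
     "metadata": {"name": "read-everything"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]}]},
    {"apiVersion": f"{RBAC_GROUP}/v1", "kind": "ClusterRoleBinding",
     "metadata": {"name": "read-everything-binding"},
     "roleRef": {"apiGroup": RBAC_GROUP, "kind": "ClusterRole", "name": "read-everything"},
     "subjects": [{"apiGroup": RBAC_GROUP, "kind": "Group", "name": "9f8e7d6c5b4a-sample-group"}]},
]

if __name__ == "__main__":
    for label, ms in (("list-deploy.yaml", PAGE_MANIFESTS), ("bad set", BAD_MANIFESTS)):
        print(f"{label}: {'clean' if is_clean(ms) else 'violations found'}")
        for sev, msg in lint_rbac(ms):
            print(f"  [{sev}] {msg}")
```

Run the script on the dict form of your own manifests before `kubectl apply`; the checks are deliberately conservative, so a warning on a ClusterRole is a prompt to confirm the scope is intended, not a hard failure. The linter is a static check on the manifest only; it cannot tell you whether the IAM IDs exist or what permissions management on the UCS side grants those identities, which, as noted in the precautions, is evaluated independently of federation RBAC.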