domain ID
IAM_DOMAIN_ID:
# IAM service address
IAM_ENDPOINT:
Parent topic: Managing an On-Premises Cluster
Why Can't an IAM User Obtain Cluster or Fleet Information After Logging In to UCS?
How Do I Restore ucs_admin_trust I Deleted or Modified?
What Can I Do If I Can't Add Permissions for a Fleet or Cluster?
How Do I Clear RBAC Resources After a Cluster Is Unregistered?
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: 0c97ac3cb280f4d91fa7c0096739e1f8 # User ID of user-example
  apiGroup: rbac.authorization.k8s.io
The subjects section binds a Role with an IAM user so that the IAM user can obtain the permissions defined in the
After you agree to delegate the permissions, an agency named ucs_admin_trust will be created for UCS in Identity and Access Management (IAM). The system account op_svc_ucs will be delegated the Tenant Administrator role to perform operations on other cloud service resources.
Access Key ID* Access key ID obtained from AWS IAM, that is, AccessKeyID. Secret Access Key* Secret access key obtained from AWS IAM, that is, SecretAccessKey. Container CIDR Block* Container CIDR block of the created Kubernetes cluster.
Table 3 IAM permissions
Permission Type | Permission Name
IAMRole | AWSIAMRoleNodes, AWSIAMRoleControlPlane, and AWSIAMRoleControllers
IAMInstanceProfile | AWSIAMInstanceProfileNodes, AWSIAMInstanceProfileControlPlane, and AWSIAMInstanceProfileControllers
IAMManagedPolicy | AWSIAMManagedPolicyCloudProviderNodes
Figure 1 Traffic management
Prerequisites
To manage traffic, IAM users must have the DNS Administrator permissions.
You must have a public domain name. If you do not have a public domain name, purchase one.
Your public domain name has been licensed.
Procedure
1. Log in to the IAM console as an administrator.
2. In the navigation pane, choose Agencies.
3. Select ucs_admin_trust and click Delete in the Operation column.
4. In the displayed dialog box, click OK.
5. In the navigation pane, choose Agencies.
Workload identities allow you to add the public key of an on-premises cluster for an IAM IdP and add a rule to map a ServiceAccount to an IAM account. During workload deployment, the token of the ServiceAccount is mounted to the workload.
Registering a Huawei Cloud Cluster Identity and Access Management (IAM) UCS provides fine-grained permission management based on IAM. Permissions Management Domain Name Service (DNS) UCS integrates with DNS to resolve domain names for large-scale traffic governance.
Table 4 RuleSpec
Parameter | Mandatory | Type | Description
iamuserids | No | Array of strings | IAM user information associated with a permission policy
type | No | String | Permission policy type.
{Endpoint} is the IAM endpoint and can be obtained from Regions and Endpoints. For details about API authentication, see Authentication. The following is an example response.
If you set other users as the publish users, you can obtain the UCS fleet information of the account through the IAM service endpoint configured in Creating a Project and Service Endpoint.
Table 3 CreateRuleObjectMeta
Parameter | Mandatory | Type | Description
name | Yes | String | Permission policy name. Minimum: 1. Maximum: 63.
Table 4 RuleSpec
Parameter | Mandatory | Type | Description
iamuserids | No | Array of strings | IAM user information associated with a permission policy
type | No | String |
It is a UTC time in the RFC 3339 format.
updateTimestamp | String | Update timestamp
Table 6 RuleSpec
Parameter | Type | Description
iamuserids | Array of strings | IAM user information associated with a permission policy
type | String | Permission policy type.
Project: If the IAM project function is enabled, you also need to select a project. Complete metric collection settings. Specifications Deployment Mode: The Agent and Server modes are supported.
Tenant permissions are assigned by enterprise project for the refined management of IAM users' permissions on accessing Kubernetes resources.
Projects: If the IAM project function is enabled, you also need to select a project. Network Settings: This area is mandatory when Data Access is set to Private access. VPC Endpoint: You can select an existing VPC endpoint or create a VPC endpoint.