# IAM domain ID
IAM_DOMAIN_ID:
# IAM service address
IAM_ENDPOINT:
Why Can't an IAM User Obtain Cluster or Fleet Information After Logging In to UCS?
How Do I Restore ucs_admin_trust I Deleted or Modified?
What Can I Do If I Can't Add Permissions for a Fleet or Cluster?
How Do I Clear RBAC Resources After a Cluster Is Unregistered?
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: 0c97ac3cb280f4d91fa7c0096739e1f8  # User ID of user-example
  apiGroup: rbac.authorization.k8s.io
The subjects section binds a Role with an IAM user so that the IAM user can obtain the permissions defined in the
UCS combines the advantages of IAM and Kubernetes RBAC to provide a variety of authorization methods, including IAM fine-grained and token authorization and cluster-, fleet-, cluster namespace–, and fleet namespace–level authorization. For more information, see UCS Permissions.
Workload identities allow you to add the public key of an on-premises cluster for an IAM IdP and add a rule to map a ServiceAccount to an IAM account. During workload deployment, the token of the ServiceAccount is mounted to the workload.
Procedure
1. Log in to the IAM console as the administrator.
2. In the navigation pane, choose Agencies.
3. Select ucs_admin_trust and click Delete in the Operation column.
4. In the displayed dialog box, click OK.
5. In the navigation pane, choose Agencies.
Figure 1 Traffic management
Prerequisites
- To manage traffic, IAM users must have the DNS Administrator permissions.
- You must have a public domain name. If you do not have one, purchase one.
- Your public domain name has been licensed.
Registering a Huawei Cloud Cluster
Identity and Access Management (IAM): UCS provides fine-grained permission management based on IAM.
Permissions Management
Domain Name Service (DNS): UCS integrates with DNS to resolve domain names for large-scale traffic governance.
After you agree to delegate the permissions, an agency named ucs_admin_trust will be created for UCS in Identity and Access Management (IAM).
{Endpoint} is the IAM endpoint and can be obtained from Regions and Endpoints. For details about API authentication, see Authentication. The following is an example response.
If you set other users as the publish users, you can obtain the UCS fleet information of the account through the IAM service endpoint configured in Creating a Project and Service Endpoint.
Table 3 CreateRuleObjectMeta

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| name | Yes | String | Permission policy name |

Table 4 RuleSpec

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| iamUserIDs | No | Array of strings | IAM user information associated with a permission policy |
| type | No | String | Permission policy type |
balancer

| Parameter | Mandatory | Type | Description |
|---|---|---|---|
| CILIUM_IPV4POOL_CIDR | No | String | CIDR block of the IPv4 address pool of the Cilium network component |
| NETWORK_CIDR | No | String | Container network CIDR block |
| DNS_SERVER_IP | No | String | IP address of a DNS server |
| NTP_SERVER_IP | No | String | IP address of an NTP server |
| IAM_DOMAIN_ID | No | String | IAM |
Tenant permissions are assigned by enterprise project for the refined management of IAM users' permissions on accessing Kubernetes resources.
Table 8 RuleSpec

| Parameter | Type | Description |
|---|---|---|
| iamUserIDs | Array of strings | IAM user information associated with a permission policy |
| type | String | Permission policy type |
Projects: If the IAM project function is enabled, you also need to select a project.
Network Settings: This area is mandatory when Data Access is set to Private access.
VPC Endpoint: You can select an existing VPC endpoint or create a VPC endpoint.
Project: If the IAM project is enabled, you need to select a project.
VPC Endpoint Service: You can select an existing VPC endpoint service or create a VPC endpoint service.
Click OK.