FAQs
- Why Can't an IAM User Obtain Cluster or Fleet Information After Logging In to UCS?
- How Do I Restore ucs_admin_trust I Deleted or Modified?
- What Can I Do If I Can't Add Permissions for a Fleet or Cluster?
- How Do I Clear RBAC Resources After a Cluster Is Unregistered?
    apiGroup: rbac.authorization.k8s.io
  subjects:
  - kind: User
    name: 0c97ac3cb280f4d91fa7c0096739e1f8 # User ID of user-example
    apiGroup: rbac.authorization.k8s.io

The subjects section binds a Role with an IAM user so that the IAM user can obtain the permissions defined in the
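A complete Role and RoleBinding pair built around the subject shown above, as an added example that is not part of the UCS documentation. It grants one IAM user read-only access to Pods in a single namespace; the namespace, role name and user ID are placeholders (the user ID is the one quoted on the page). The subject name is the IAM user ID, not the IAM username, which is the detail that most often causes a binding to silently match nothing.

```yaml
# Added example (not from the UCS docs): least-privilege read-only Pod access
# for one IAM user, bound by IAM user ID. Namespace and names are placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: app-team
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-user-example
  namespace: app-team
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- kind: User
  name: 0c97ac3cb280f4d91fa7c0096739e1f8 # IAM user ID of user-example, not the username
  apiGroup: rbac.authorization.k8s.io
```

Keeping the Role namespaced and the verb list to get/list/watch means a compromised IAM credential for this user cannot modify workloads or read Secrets; widen the scope only per namespace and per verb as needed.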
After you agree to delegate the permissions, an agency named ucs_admin_trust will be created for UCS in Identity and Access Management (IAM). The system account op_svc_ucs will be delegated the Tenant Administrator role to perform operations on other cloud service resources.
Procedure
1. Log in to the IAM console as an administrator.
2. In the navigation pane, choose Agencies.
3. Select ucs_admin_trust and click Delete in the Operation column.
4. In the displayed dialog box, click OK.
5. In the navigation pane, choose Agencies.
Figure 1 Traffic management
Prerequisites
- To manage traffic, IAM users must have the DNS Administrator permissions.
- You must have a public domain name. If you do not have one, purchase one.
- Your public domain name has been licensed.
Workload identities allow you to add the public key of an on-premises cluster for an IAM IdP and add a rule to map a ServiceAccount to an IAM account. During workload deployment, the token of the ServiceAccount is mounted to the workload.
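An added example, not code from the UCS documentation or from Kubernetes, showing what the IdP side does with the mounted ServiceAccount token before a mapping rule can apply: verify the signature, issuer, audience and expiry, then read the namespace and ServiceAccount name from the claims and look up the IAM identity. A real projected token is an RS256 JWT verified against the cluster public key registered for the IdP; so that this block runs offline, a constructed HS256 token and a constructed shared key stand in for that, and the rule structure consumed by map_to_iam is a simplified assumption rather than the IAM rule format.

```python
"""Verify a ServiceAccount-style token and map it to an IAM identity.

Added example, not Huawei Cloud UCS or Kubernetes code. Real projected
ServiceAccount tokens are RS256 JWTs checked against the cluster public key
registered for the IdP; this block signs a constructed token with HS256 and a
constructed key so it runs with the standard library only. The mapping-rule
shape used by map_to_iam is an assumption for illustration.
"""
import base64
import hashlib
import hmac
import json
import time

CONSTRUCTED_KEY = b"constructed-cluster-signing-key"  # stand-in for the cluster key
ISSUER = "https://kubernetes.default.svc.cluster.local"  # example issuer value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_sa_token(namespace, sa_name, audience, key=CONSTRUCTED_KEY, now=None):
    """Build a constructed token shaped like a projected ServiceAccount token."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iss": ISSUER,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "aud": [audience],
        "exp": now + 3600,
        "iat": now,
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa_name}},
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_and_decode(token, key=CONSTRUCTED_KEY, expected_audience=None, now=None):
    """Return the claims only after signature, alg, expiry, issuer and audience check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept 'none' or caller-chosen alg
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if expected_audience is not None and expected_audience not in aud:
        raise ValueError("audience mismatch")
    return claims


def token_is_valid(token, key=CONSTRUCTED_KEY, expected_audience=None, now=None) -> bool:
    try:
        verify_and_decode(token, key, expected_audience, now)
        return True
    except ValueError:
        return False


def map_to_iam(claims, rules):
    """rules: list of {"namespace", "serviceaccount", "iam_user_id"} (assumed shape).

    The rule keys on namespace + ServiceAccount name, the same identity the
    'sub' claim system:serviceaccount:<ns>:<name> encodes.
    """
    ns = claims["kubernetes.io"]["namespace"]
    sa = claims["kubernetes.io"]["serviceaccount"]["name"]
    for rule in rules:
        if rule["namespace"] == ns and rule["serviceaccount"] == sa:
            return rule["iam_user_id"]
    return None


if __name__ == "__main__":
    tok = make_sa_token("prod", "payment", "ucs")
    claims = verify_and_decode(tok, expected_audience="ucs")
    rules = [{"namespace": "prod", "serviceaccount": "payment", "iam_user_id": "0c97ac3cb280f4d91fa7c0096739e1f8"}]
    print(claims["sub"], "->", map_to_iam(claims, rules))
```

Two details matter in practice: the algorithm is pinned before the signature is checked, so a token that names alg "none" or a different algorithm is rejected rather than parsed, and a token that verifies but whose namespace/ServiceAccount pair matches no rule yields no IAM identity at all instead of a default one.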
Registering a Huawei Cloud Cluster
Identity and Access Management (IAM): UCS provides fine-grained permission management based on IAM (Permissions Management).
Domain Name Service (DNS): UCS integrates with DNS to resolve domain names for large-scale traffic governance.
Table 4 RuleSpec
Parameter | Mandatory | Type | Description
iamuserids | No | Array of strings | IAM users associated with a permission policy
type | No | String | Permission policy type
{Endpoint} is the IAM endpoint and can be obtained from Regions and Endpoints. For details about API authentication, see Authentication. The following is an example response.
If you set other users as the publish users, you can obtain the UCS fleet information of the account through the IAM service endpoint configured in Creating a Project and Service Endpoint.
Table 3 CreateRuleObjectMeta
Parameter | Mandatory | Type | Description
name | Yes | String | Permission policy name
It is the UTC time in the RFC 3339 format.
updateTimestamp | String | Update timestamp
Table 6 RuleSpec
Parameter | Type | Description
iamuserids | Array of strings | IAM users associated with a permission policy
type | String | Permission policy type
Tenant permissions are assigned by enterprise project for the refined management of IAM users' permissions on accessing Kubernetes resources.
- Projects: If the IAM project function is enabled, you also need to select a project.
- Network Settings: This area is mandatory when Data Access is set to Private access.
- VPC Endpoint: You can select an existing VPC endpoint or create a VPC endpoint.
- Project: If the IAM project function is enabled, you need to select a project.
- VPC Endpoint Service: You can select an existing VPC endpoint service or create a VPC endpoint service.
Click OK.
At least the custom policy iam:clustergroups:get has been created.
Using kubectl to Connect to a Federation
1. Log in to the UCS console and click the fleet name to access the fleet console.
2. Click kubectl in Fleet Info.
Prometheus: Requests 1, Limits 4; Requests 2, Limits 12
log-agent: Requests 0.5, Limits 3; Requests 1.5, Limits 2.5
External Dependencies
Table 5 External dependencies of BMSs (the table for VMs lists the same dependency)
Dependency | Description
DNS servers | DNS servers can resolve the domain names of cloud services such as OBS, SWR, IAM