domain ID IAM_DOMAIN_ID: # IAM service address IAM_ENDPOINT: Parent topic: Managing an On-Premises Cluster
What Can I Do If an IAM User Cannot Obtain Cluster or Fleet Information After Logging In to UCS? How Do I Restore ucs_admin_trust I Deleted or Modified? What Can I Do If I Cannot Associate the Permission Policy with a Fleet or Cluster?
After you agree to delegate the permissions, an agency named ucs_admin_trust will be created for UCS in Identity and Access Management (IAM). The system account op_svc_ucs will be delegated the Tenant Administrator role to perform operations on other cloud service resources.
Access Key ID* Access key ID obtained from AWS IAM, that is, AccessKeyID. Secret Access Key* Secret access key obtained from AWS IAM, that is, SecretAccessKey. Container CIDR Block* Container CIDR block of the created Kubernetes cluster.
Workload identities allow you to add the public key of an on-premises cluster for an IAM IdP and add a rule to map a ServiceAccount to an IAM account. During workload deployment, the token of the ServiceAccount is mounted to the workload.
Why Can't an IAM User Obtain Clusters or Cluster Groups After Logging In to UCS? How Do I Restore System Agency ucs_admin_trust I Deleted? More UCS Clusters Why Can't I Connect an Attached Cluster to UCS?
Figure 1 Traffic management Prerequisites To manage traffic, IAM users must have the DNS Administrator permission. You must have a public zone. If not, you need to buy one. Your public zone has been submitted for ICP license.
Table 3 IAM permissions
Permission Type | Permission Name
IAMRole | AWSIAMRoleNodes, AWSIAMRoleControlPlane, and AWSIAMRoleControllers
IAMInstanceProfile | AWSIAMInstanceProfileNodes, AWSIAMInstanceProfileControlPlane, and AWSIAMInstanceProfileControllers
IAMManagedPolicy | AWSIAMManagedPolicyCloudProviderNodes
Procedure Log in to the IAM console as an administrator. In the navigation pane, choose Agencies. Select ucs_admin_trust and click Delete in the Operation column. In the displayed dialog box, click OK. In the navigation pane, choose Agencies.
Registering a Huawei Cloud Cluster Identity and Access Management (IAM) UCS provides fine-grained permission management based on IAM. Permissions Domain Name Service (DNS) UCS integrates with DNS to resolve domain names for large-scale traffic governance.
Table 4 RuleSpec
Parameter | Mandatory | Type | Description
iamuserids | No | Array of strings | IAM user information associated with a permission policy
type | No | String | Permission policy type
{Endpoint} is the IAM endpoint and can be obtained from Regions and Endpoints. For details about API authentication, see Authentication. The following is an example response.
If you set other users as the publish users, you can obtain the UCS fleet information of the account through the IAM service endpoint configured in Creating a Project and Service Endpoint.
Table 3 CreateRuleObjectMeta
Parameter | Mandatory | Type | Description
name | Yes | String | Permission policy name. Minimum: 1. Maximum: 63
Table 4 RuleSpec
Parameter | Mandatory | Type | Description
iamuserids | No | Array of strings | IAM user information associated with a permission policy
type | No | String
The administrator creates a user on the IAM console. Grant the UCS system policy permission to the user. Before granting the Kubernetes resource permissions, you must grant the UCS system policy permission to the user.
) Domain name used by external systems to access IAM 443 TCP HTTP No HTTPS and certificate TLS 1.2 All nodes IP address of each node All SoftWare Repository for Container (SWR) IP address of the SWR endpoint 443 TCP HTTP No HTTPS and certificate TLS 1.2 All nodes IP address of each
It is a UTC time in the RFC 3339 format.
updateTimestamp | String | Update timestamp
Table 6 RuleSpec
Parameter | Type | Description
iamuserids | Array of strings | IAM user information associated with a permission policy
type | String | Permission policy type
Project: If the IAM project function is enabled, you also need to select a project. Complete metric collection settings. Specifications Deployment Mode: The Agent and Server modes are supported.
You can manage the configurations of your multi-cloud clusters all in one place by controlling permissions of tenants in enterprise projects, and perform fine-grained management on IAM users' permissions on Kubernetes resources.
Project: If the IAM project function is enabled, you also need to select a project. Private access: This parameter is mandatory when Data Access is set to Private access.