Deckhouse Kubernetes Platform on Huawei Cloud

Before starting the installation, ensure you have the cloud provider quotas required to deploy your cluster.

The cloud-init package must be installed on the VMs. After a virtual machine boots, the following services associated with this package must be started:

  • cloud-config.service;
  • cloud-final.service;
  • cloud-init.service.

Deckhouse components interact with Huawei Cloud resources through the Huawei Cloud API. To configure this connection, you need to create a user in the Huawei Cloud IAM service and provide it with the necessary permissions.

Configuring IAM via the web interface

To configure IAM via the web interface, first create a new user group and assign the necessary permissions. Follow these steps:

  1. Go to the “Identity and Access Management (IAM)” section.
  2. Open the “User Groups” page and click “Create User Group”.
  3. In the “Name” field, enter the group name (e.g., deckhouse).
  4. Click “OK” to create the group.
  5. Select the newly created group from the list.
  6. On the “Permissions” tab, click “Authorize”.
  7. Assign the following policies: “ECS Admin”, “VPC Administrator”, “NAT Admin”, “DEW KeypairFullAccess”.
  8. Click “Next”, then “OK”, and complete the setup by clicking “Finish”.

Then add a new user. Follow these steps:

  1. Go to the “Users” page in the IAM section and click “Create User”.
  2. In the “Username” field, enter the username (e.g., deckhouse).
  3. Set “Access type” to “Programmatic access” and make sure “Management console access” is disabled.
  4. Select “Access key” as the “Credential Type”.
  5. Click “Next”.
  6. Select the previously created user group.
  7. Click “Create” to complete the user creation process.
  8. Click “OK” to download the Access Key ID and Secret Access Key. Make sure to save these credentials in a secure location, as they will be needed to access the API.

JSON policies

Below are the contents of the policies in JSON format:

ECS Admin policy

  {
      "Version": "1.1",
      "Statement": [
          {
              "Action": [
                  "ecs:*:*",
                  "evs:*:get",
                  "evs:*:list",
                  "evs:volumes:create",
                  "evs:volumes:delete",
                  "evs:volumes:attach",
                  "evs:volumes:detach",
                  "evs:volumes:manage",
                  "evs:volumes:update",
                  "evs:volumes:use",
                  "evs:volumes:uploadImage",
                  "evs:snapshots:create",
                  "vpc:*:get",
                  "vpc:*:list",
                  "vpc:networks:create",
                  "vpc:networks:update",
                  "vpc:subnets:update",
                  "vpc:subnets:create",
                  "vpc:ports:*",
                  "vpc:routers:get",
                  "vpc:routers:update",
                  "vpc:securityGroups:*",
                  "vpc:securityGroupRules:*",
                  "vpc:floatingIps:*",
                  "vpc:publicIps:*",
                  "ims:images:create",
                  "ims:images:delete",
                  "ims:images:get",
                  "ims:images:list",
                  "ims:images:update",
                  "ims:images:upload"
              ],
              "Effect": "Allow"
          }
      ]
  }

VPC Administrator policy

  {
      "Version": "1.1",
      "Statement": [
          {
              "Action": [
                  "vpc:vpcs:*",
                  "vpc:routers:*",
                  "vpc:networks:*",
                  "vpc:subnets:*",
                  "vpc:ports:*",
                  "vpc:privateIps:*",
                  "vpc:peerings:*",
                  "vpc:routes:*",
                  "vpc:lbaas:*",
                  "vpc:vpns:*",
                  "ecs:*:get",
                  "ecs:*:list",
                  "elb:*:get",
                  "elb:*:list"
              ],
              "Effect": "Allow"
          }
      ]
  }

NAT Admin policy

  {
      "Version": "1.1",
      "Statement": [
          {
              "Action": [
                  "nat:*:*",
                  "vpc:*:*"
              ],
              "Effect": "Allow"
          }
      ]
  }

DEW KeypairFullAccess policy

  {
      "Version": "1.1",
      "Statement": [
          {
              "Action": [
                  "kps:domainKeypairs:*",
                  "ecs:serverKeypairs:*"
              ],
              "Effect": "Allow"
          }
      ]
  }
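Because all four policies are attached to the same group, the access key's real reach is their union. The following is an added example, not part of the Deckhouse documentation: it reduces the action lists above to the patterns that actually define that reach, so a least-privilege review can see which broad wildcard comes from which policy. It assumes actions have the form service:resource:operation and that "*" matches any one segment; the function names are hypothetical.

```python
# Added example: effective permission set of the four policies on this page.
# Assumption: an action is service:resource:operation and "*" matches any one
# segment. This is a review aid, not an official Huawei Cloud policy evaluator.
POLICIES = {  # action lists transcribed from the JSON policies on this page
    "ECS Admin": (
        "ecs:*:* evs:*:get evs:*:list evs:volumes:create evs:volumes:delete "
        "evs:volumes:attach evs:volumes:detach evs:volumes:manage "
        "evs:volumes:update evs:volumes:use evs:volumes:uploadImage "
        "evs:snapshots:create vpc:*:get vpc:*:list vpc:networks:create "
        "vpc:networks:update vpc:subnets:update vpc:subnets:create vpc:ports:* "
        "vpc:routers:get vpc:routers:update vpc:securityGroups:* "
        "vpc:securityGroupRules:* vpc:floatingIps:* vpc:publicIps:* ims:images:create "
        "ims:images:delete ims:images:get ims:images:list ims:images:update ims:images:upload").split(),
    "VPC Administrator": (
        "vpc:vpcs:* vpc:routers:* vpc:networks:* vpc:subnets:* vpc:ports:* "
        "vpc:privateIps:* vpc:peerings:* vpc:routes:* vpc:lbaas:* vpc:vpns:* "
        "ecs:*:get ecs:*:list elb:*:get elb:*:list").split(),
    "NAT Admin": "nat:*:* vpc:*:*".split(),
    "DEW KeypairFullAccess": "kps:domainKeypairs:* ecs:serverKeypairs:*".split(),
}

def covers(broad, narrow):
    """True if every segment of `broad` is '*' or equals the one in `narrow`."""
    b, n = broad.split(":"), narrow.split(":")
    return len(b) == len(n) and all(x in ("*", y) for x, y in zip(b, n))

def granted_by(policies):
    """Map each distinct action pattern to the policies that list it."""
    out = {}
    for name, actions in policies.items():
        for action in actions:
            out.setdefault(action, []).append(name)
    return out

def effective(policies):
    """Patterns not covered by a broader one: the group's real reach."""
    pats = set(granted_by(policies))
    return sorted(p for p in pats
                  if not any(q != p and covers(q, p) for q in pats))

def shadowed(policies):
    """Listed patterns that a broader pattern in the union already covers."""
    return sorted(set(granted_by(policies)) - set(effective(policies)))

if __name__ == "__main__":
    src = granted_by(POLICIES)
    for pat in effective(POLICIES):
        print(f"{pat:28} <- {', '.join(src[pat])}")
    print(len(shadowed(POLICIES)), "listed patterns add nothing to the union")
```

Under the stated matching assumption, the only VPC pattern left in the output is `vpc:*:*`, contributed by “NAT Admin”, so the narrower VPC entries in the other policies do not limit what the access key can do in VPC.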