Overview of the TKE Image Service Permissions

The address format for TKE image is as follows: ccr.ccs.tencentyun.com/${namespace}/${name}:${tag}.
The following fields are required for configuring the permissions of an image repository:

• ${namespace}: The namespace to which the image repository belongs.
• ${name}: The name of the image repository.

Note:
Do not include slashes (/) in the namespace ${namespace} and the image name ${name}.
The ${tag} field currently is only for authenticating the permissions for deleting. For more information, see Image Tag Permissions.

${namespace} and ${name} fields allow you to develop detailed permission schemes for managers to flexibly manage access permissions.
For example:

• Permit collaborator A to pull images
• Forbid collaborator A from deleting images
• Forbid collaborator B from pulling images in namespace ns1

If you do not need to manage image repository permissions in detail, you can use Presetting Policy Authorization.
If you need to manage image repository permissions in detail, use Customizing Policy Authorization.
The TKE image service utilizes Cloud Access Management (CAM) to manage access permissions. You can learn more about how to use CAM here:

• User management
• Policy management
• Authorization management

Preset Policy Authorization

To simplify TKE image service permission management, the TKE image service has two preset policies:

• Image repository (CCR) full read/write permission
  The preset policy configures all the permissions of the TKE image service. If the collaborator is associated with the preset policy, they will have the same image repository permissions as the administrator. For more information, see Permissions List.
• Image repository read-only permission
  This preset policy includes only the read-only permission for the TKE image service. If a collaborator is only associated with this policy in the TKE image service, the following operations will be prohibited:
• Pushing an image using docker push
• Creating an image repository namespace
• Deleting an image repository namespace
• Creating an image repository
• Deleting an image repository
• Deleting an image tag

For information about how to associate a preset policy with a collaborator, see the following CAM documents: Preset Policy Overview and Associating a User with a Preset Policy.

Custom Policy Authorization

With a custom policy, the manager can associate different permissions with different collaborators.
Take the following factors into account when assigning permissions:

• resource: Which Image Registries are associated with this permission policy. For example, all Image Registries are described as qcs::ccr:::repo/*. For more information, see CAM Resource Description Method.
• action: What operations, such as deleting and creating, this permission policy allows the collaborators to perform on the resource. The operations are usually described using APIs.
• effect: Whether this permission policy allows collaborators to perform such operations.

When you have planned the permission settings, you can assign the permissions. The following example shows how to permit collaborators to create an image repository:

1. Create a custom policy (see the CAM document).
2. Log in to the Tencent Cloud Console using your developer account.
3. Go to the CAM custom policy management page and click Create a custom policy to open the Select a policy creation method dialog box. This is shown in the following figure:
   
4. Select Create by Policy Syntax>Blank Template.
   
5. Click Next Step to enter the Edit Policy page.
6. Set the policy name, and enter the following content into the Edit Policy Content editing box.

        {
            "version": "2.0",
            "statement": [{
                "action": "ccr:CreateRepository",
                "resource": "qcs::ccr:::repo/*",
                "effect": "allow"
            }]
        }

For example, set the policy name to ccr-policy-demo, as shown in the following figure:

At the end of "resource", use * to indicate that an image repository can be created under any namespace.

6. Click Create Policy to complete the policy creation process.
   
7. Associate a custom policy. After the policy (ccr-policy-demo) is created in step 1, you can associate it with any collaborator. For more information, see the CAM Documentation. After the policy has been associated, the collaborators have create image repository permissions in any namespace.
   _resource qcs::ccr:::repo/* Format description:

• qcs::ccr::: is a fixed format, indicating the developer's TKE image repository service.
• repo is a fixed prefix, representing the resource type, which is an image repository here.
• * after the slash (/) means matching all image repositories.

For a detailed description of resource, see CAM Resource Description Method.

Authorizing by Resource

You can authorize multiple resources at the same time. For example, to allow deletion of image repositories in namespace foo and bar, you can create the following custom policy:

{
    "version": "2.0",
    "statement": [{
        "action": [
            "ccr:BatchDeleteRepository",
            "ccr:DeleteRepository"
        ],
        "resource": [
            "qcs::ccr:::repo/foo/*",
            "qcs::ccr:::repo/bar/*"
        ],
        "effect": "allow"
    }]
}

• foo/* in qcs::ccr:::repo/foo/* means all images in the image repository namespace foo.
• bar/* in qcs::ccr:::repo/bar/* means all images in the image repository namespace bar.

Authorizing by Action (API)

You can configure multiple actions for a resource for a centralized management of resource permissions. For example, to permit the creation, deletion and pushing of image repository in the namespace foo, you can create the following custom policies:

{
    "version": "2.0",
    "statement": [{
        "action": [
            "ccr:CreateRepository",
            "ccr:BatchDeleteRepository",
            "ccr:DeleteRepository",
            "ccr:push"
        ],
        "resource": "qcs::ccr:::repo/foo/*",
        "effect": "allow"
    }]
}

Permission List

Docker Client Permissions

resource： qcs::ccr:::repo/${namespace}/${name}
action:

• ccr:pull: Use the Docker command line to pull an image
• ccr:push: Use the Docker command line to push an image

Namespace Permissions

resource: qcs::ccr:::repo/${namespace}
action:

• ccr:CreateCCRNamespace Create an image repository namespace
• ccr:DeleteUserNamespace Delete an image repository namespace

Function Guide: TKE > Left sidebar Image Repositories > My Images > Namespaces.

Image Repository Permissions

resurce: qcs::ccr:::repo/${namespace}/${name}
action:

• ccr:CreateRepository Create an image repository
• ccr:DeleteRepository Delete an image repository
• ccr:BatchDeleteRepository Batch delete image repositories
• ccr:GetUserRepositoryList View the list of image repositories

Function Guide: TKE > Left sidebar Image Repositories > My Images > My Images.

Note:
If you want to prevent a collaborator from deleting certain images, configure multiple actions.
For example, to prohibit deleting any image repository:

{
    "version": "2.0",
    "statement": [{
        "action": [
            "ccr:BatchDeleteRepository",
            "ccr:DeleteRepository"
        ],
        "resource": "qcs::ccr:::repo/*",
        "effect": "deny"
    }]
}

Image Tag Permissions

resource: qcs::ccr:::repo/${namespace}/${name}:${tag}
action： ccr:DeleteTag Delete image tag permissions

Function Guide: TKE > Left sidebar Image Repositories > My Images > My Images > Click an image name > Image Tag page.