The address format for TKE image is as follows: ccr.ccs.tencentyun.com/${namespace}/${name}:${tag}.
The following fields are required for configuring the permissions of an image repository:
${namespace}: The namespace to which the image repository belongs.
${name}: The name of the image repository.
Note:
Do not include slashes (/) in the namespace ${namespace} and the image name ${name}.
The ${tag} field currently is only for authenticating the permissions for deleting. For more information, see Image Tag Permissions.
${namespace} and ${name} fields allow you to develop detailed permission schemes for managers to flexibly manage access permissions.
For example:
If you do not need to manage image repository permissions in detail, you can use Presetting Policy Authorization.
If you need to manage image repository permissions in detail, use Customizing Policy Authorization.
The TKE image service utilizes Cloud Access Management (CAM) to manage access permissions. You can learn more about how to use CAM here:
To simplify TKE image service permission management, the TKE image service has two preset policies:
docker push
For information about how to associate a preset policy with a collaborator, see the following CAM documents: Preset Policy Overview and Associating a User with a Preset Policy.
With a custom policy, the manager can associate different permissions with different collaborators.
Take the following factors into account when assigning permissions:
qcs::ccr:::repo/*. For more information, see CAM Resource Description Method.
When you have planned the permission settings, you can assign the permissions. The following example shows how to permit collaborators to create an image repository:
{
    "version": "2.0",
    "statement": [{
        "action": "ccr:CreateRepository",
        "resource": "qcs::ccr:::repo/*",
        "effect": "allow"
    }]
}
For example, set the policy name to ccr-policy-demo, as shown in the following figure:
At the end of "resource", use * to indicate that an image repository can be created under any namespace.
(ccr-policy-demo) is created in step 1, you can associate it with any collaborator. For more information, see the CAM Documentation. After the policy has been associated, the collaborators have permission to create image repositories in any namespace.
qcs::ccr:::repo/*
Format description:
qcs::ccr::: is a fixed format, indicating the developer's TKE image repository service.
repo is a fixed prefix, representing the resource type, which is an image repository here.
* after the slash (/) means matching all image repositories.
For a detailed description of resource, see CAM Resource Description Method.
You can authorize multiple resources at the same time. For example, to allow deletion of image repositories in the namespaces foo and bar, you can create the following custom policy:
{
    "version": "2.0",
    "statement": [{
        "action": [
            "ccr:BatchDeleteRepository",
            "ccr:DeleteRepository"
        ],
        "resource": [
            "qcs::ccr:::repo/foo/*",
            "qcs::ccr:::repo/bar/*"
        ],
        "effect": "allow"
    }]
}
foo/* in qcs::ccr:::repo/foo/* means all images in the image repository namespace foo.
bar/* in qcs::ccr:::repo/bar/* means all images in the image repository namespace bar.
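An added example (not from the original page or from Tencent's own tooling): a Python helper that builds namespace-scoped resource strings in the format described above, rejects a namespace or name containing a slash, and flags allow statements that grant delete actions on qcs::ccr:::repo/*. The function names and the set of actions treated as destructive are assumptions made for this illustration.

```python
import json

RESOURCE_PREFIX = "qcs::ccr:::repo/"  # fixed prefix described on this page
# Assumption: the delete-type actions listed on this page are the ones to scope tightly.
DELETE_ACTIONS = {"ccr:DeleteRepository", "ccr:BatchDeleteRepository",
                  "ccr:DeleteUserNamespace", "ccr:DeleteTag"}


def repo_resource(namespace, name="*"):
    """Build a resource string for one namespace; name="*" covers all its repositories."""
    for label, value in (("namespace", namespace), ("name", name)):
        if not value or "/" in value:
            raise ValueError(f"{label} must be non-empty and must not contain '/': {value!r}")
    return f"{RESOURCE_PREFIX}{namespace}/{name}"


def build_policy(actions, resources, effect="allow"):
    """Return a single-statement policy document in the page's JSON layout."""
    if effect not in ("allow", "deny"):
        raise ValueError("effect must be 'allow' or 'deny'")
    return {"version": "2.0",
            "statement": [{"action": list(actions), "resource": list(resources),
                           "effect": effect}]}


def _as_list(value):
    # The page shows both a single string and a list for action/resource.
    return [value] if isinstance(value, str) else list(value)


def audit_policy(policy):
    """Flag allow statements granting delete actions on every repository (repo/*)."""
    findings = []
    for index, stmt in enumerate(policy["statement"]):
        if stmt["effect"] != "allow":
            continue
        risky = sorted(a for a in _as_list(stmt["action"]) if a in DELETE_ACTIONS)
        if risky and RESOURCE_PREFIX + "*" in _as_list(stmt["resource"]):
            findings.append((index, risky))
    return findings


if __name__ == "__main__":
    scoped = build_policy(["ccr:DeleteRepository", "ccr:BatchDeleteRepository"],
                          [repo_resource("foo"), repo_resource("bar")])
    print(json.dumps(scoped, indent=2))
    print(audit_policy(scoped))  # no findings for the namespace-scoped policy
```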
You can configure multiple actions for a resource for centralized management of resource permissions. For example, to permit the creation, deletion and pushing of image repositories in the namespace foo, you can create the following custom policy:
{
    "version": "2.0",
    "statement": [{
        "action": [
            "ccr:CreateRepository",
            "ccr:BatchDeleteRepository",
            "ccr:DeleteRepository",
            "ccr:push"
        ],
        "resource": "qcs::ccr:::repo/foo/*",
        "effect": "allow"
    }]
}
resource: qcs::ccr:::repo/${namespace}/${name}
action:
ccr:pull: Use the Docker command line to pull an image
ccr:push: Use the Docker command line to push an image
resource: qcs::ccr:::repo/${namespace}
action:
ccr:CreateCCRNamespace: Create an image repository namespace
ccr:DeleteUserNamespace: Delete an image repository namespace
Function Guide: TKE > Left sidebar Image Repositories > My Images > Namespaces.
resource: qcs::ccr:::repo/${namespace}/${name}
action:
ccr:CreateRepository: Create an image repository
ccr:DeleteRepository: Delete an image repository
ccr:BatchDeleteRepository: Batch delete image repositories
ccr:GetUserRepositoryList: View the list of image repositories
Function Guide: TKE > Left sidebar Image Repositories > My Images > My Images.
Note:
If you want to prevent a collaborator from deleting certain images, configure multiple actions.
For example, to prohibit deleting any image repository:
{
    "version": "2.0",
    "statement": [{
        "action": [
            "ccr:BatchDeleteRepository",
            "ccr:DeleteRepository"
        ],
        "resource": "qcs::ccr:::repo/*",
        "effect": "deny"
    }]
}
resource: qcs::ccr:::repo/${namespace}/${name}:${tag}
action: ccr:DeleteTag
Delete image tag permissions
Function Guide: TKE > Left sidebar Image Repositories > My Images > My Images > Click an image name > Image Tag page.