tencent cloud

Feedback

TKE Image Registry Resource-level Permission Settings

Last updated: 2022-05-09 11:40:29

    TCR Permissions Overview

    The TCR address format is as follows: ccr.ccs.tencentyun.com/${namespace}/${name}:${tag}.
    The following fields are required for configuring the permissions of an image repository:

    • ${namespace}: The namespace to which the image repository belongs.
    • ${name}: The name of the image repository.
    Note:

    Do not add slashes (/) to the namespace ${namespace} and the image name ${name}.
    The ${tag} field currently is only for authenticating the permissions for deleting. For more information, see Image Tag Permissions.

    ${namespace} and ${name} fields allow you to develop detailed permission schemes for collaborators to flexibly manage access permissions.
    For example:

    • Permit collaborator A to pull images
    • Forbid collaborator A from deleting images
    • Forbid collaborator B from pulling the images in the namespace ns1

    If you do not need to manage the permissions of the image repository in detail, you can use Preset Policy Authorization.
    If you need to manage the collaborator permissions in detail, please use Custom Policy Authorization.
    The TCR utilizes CAM (Cloud Access Management) to manage access permissions. You can learn more about how to use CAM here:

    Preset Policy Authorization

    To simplify TCR permissions management, two preset policies are configured in TCR:

    If you do not know how to associate a collaborator with a preset policy, please see Policy and Authorization Management.

    Custom Policy Authorization

    With a custom policy, you can associate different permissions with different collaborators.
    Taking the following factors into account when assigning permissions:

    • Resource: Which image repositories are associated with this permission policy, for example, all image repositories are described as qcs::ccr:::repo/*. For more information, see CAM Resource Description Method.
    • Action: What operations, such as deleting and creating, this permission policy allows the collaborators to perform on the resource. The operations are usually described using APIs.
    • Effect: The effect the permission policy has on the collaborator (Allow/Deny)

    When you have planned the permission settings, you can assign the permissions. The following example shows how to "permit collaborators to create an image repository":

    1. Create a custom policy as instructed in Policy.

    2. Log in to the Tencent Cloud console using your developer account.

    3. Go to the CAM custom policy management page and click Create a custom policy to open the "Select a policy creation method" dialog box, as shown in the following figure:
      Select a method to create policy

    4. Select Create by policy syntax > Blank template.
      Select a template

    5. Click Next to go to the Edit policy page.

    6. Set the policy name and enter the following code to the “Edit policy content” edit box.

             {
             "version": "2.0",
             "statement": [{
                 "action": "ccr:CreateRepository",
                 "resource": "qcs::ccr:::repo/*",
                 "effect": "allow"
             }]
         }
      

      For example, you can set the policy name ccr-policy-demo, as shown in the figure below:

    Note:

    At the end of "resource", use * to indicate that an image repository can be created under any namespace.

    1. Click Create policy to complete the process.
    2. Associate with the custom policy. You can associate the policy created in step 1 (ccr-policy-demo) to any collaborator. For details, see Authorization Management. After the association, the collaborator can have the permissions to create image repositories under any namespace.
      _resource qcs::ccr:::repo/* Format description:
    • qcs::ccr::: is a fixed format, indicating the developer's TCR service.
    • repo is a fixed prefix, representing the resource type, which is an image repository here.
    • * after the slash (/) means matching all image repositories.

    For a detailed description of resource, see CAM Resource Description Method.

    Authorizing by resource

    You can grant permissions for multiple resources at a time. For example, to "permit the deletion of the image repositories in namespaces foo and bar", you can create the following custom policy:

    {
       "version": "2.0",
       "statement": [{
           "action": [
               "ccr:BatchDeleteRepository",
               "ccr:DeleteRepository"
           ],
           "resource": [
               "qcs::ccr:::repo/foo/*",
               "qcs::ccr:::repo/bar/*"
           ],
           "effect": "allow"
       }]
    }
    
    Note:

    • foo/* in qcs::ccr:::repo/foo/* means all images in the image repository namespace foo.
    • bar/* in qcs::ccr:::repo/bar/* means all images in the image repository namespace bar.

    Authorizing by action (API)

    You can configure multiple actions for a resource for a centralized management of resource permissions. For example, to "permit the creation, deletion and push of image repositories in the namespace foo", you can create the following custom policy:

    {
       "version": "2.0",
       "statement": [{
           "action": [
               "ccr:CreateRepository",
               "ccr:BatchDeleteRepository",
               "ccr:DeleteRepository",
               "ccr:push"
           ],
           "resource": "qcs::ccr:::repo/foo/*",
           "effect": "allow"
       }]
    }
    

    Permission List

    docker client permissions

    resource: qcs::ccr:::repo/${namespace}/${name}
    action:

    • ccr:pull: Use the docker command line to pull an image
    • ccr:push: Use the docker command line to push an image

    Namespace permissions

    resource: qcs::ccr:::repo/${namespace}
    action:

    • ccr:CreateCCRNamespace Create an image repository namespace
    • ccr:DeleteUserNamespace Delete an image repository namespace

    Feature guide: TKE > Image Repositories in the left sidebar > My images > Namespace.
    Create or delete permissions of an image repository namespace

    Image repository permissions

    resurce: qcs::ccr:::repo/${namespace}/${name}
    action:

    • ccr:CreateRepository Create an image repository
    • ccr:DeleteRepository Delete an image repository
    • ccr:BatchDeleteRepository Batch delete image repositories
    • ccr:GetUserRepositoryList View the list of image repositories

    Feature guide: TKE > Image Repositories in the left sidebar > My images > My images.
    Permissions of an image repository

    Note:

    To prevent a collaborator from deleting certain images, configure multiple actions.

    For example, to prohibit deleting any image repository:

    {
       "version": "2.0",
       "statement": [{
           "action": [
               "ccr:BatchDeleteRepository",
               "ccr:DeleteRepository"
           ],
           "resource": "qcs::ccr:::repo/*",
           "effect": "deny"
       }]
    }
    

    Image tag permissions

    resource: qcs::ccr:::repo/${namespace}/${name}:${tag}
    action: ccr:DeleteTag Delete image tag permissions

    Feature guide: TKE > Image Repositories in the left sidebar > My images > My images > click an image name > Image tag page.
    Permissions of an image repository

    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support