Description of Role Permissions Related to Service Authorization

Last updated: 2021-11-10 15:50:58

    When you use Tencent Kubernetes Engine (TKE), you need to authorize services to use relevant cloud resources. Each scenario usually contains policies that are defined for different roles in advance. The main roles involved are TKE_QCSRole and IPAMDofTKE_QCSRole. This document introduces the details of each authorization policy, and the authorization scenarios and authorization steps for each role.

    Note:

    The sample role in this document does not contain the authorization policy related to container image repositories. For more information about TKE image related permissions, please see TKE Image Registry Resource-level Permission Settings.

    TKE_QCSRole

    After TKE is activated, Tencent Cloud grants your account the permissions of the role TKE_QCSRole, which is associated with multiple preset policies by default. To obtain relevant permissions, you need to perform the corresponding preset policy authorization operations in specific authorization scenarios. After these operations are completed, the corresponding policy will appear in the role’s list of authorized policies. The preset policies associated with TKE_QCSRole by default include:

    Default preset policies

    Other preset policies

    Preset policy QcloudAccessForTKERole

    Authorization scenario

    When you log in to the TKE console for the first time after registering and logging in to a Tencent Cloud account, you need to go to the “Cloud Access Management” page to grant the current account TKE permissions for operating on CVMs, CLBs, CBS, and other cloud resources.

    Authorization steps

    1. Log in to the TKE console and click Cluster in the left sidebar. The Service Authorization window is displayed.
    2. Click Go to Cloud Access Management to go to the Role management page.
    3. Click Grant to complete authentication as shown in the figure below:

    Permission content

    • CVM
      Permission Name Permission Description
      cvm:DescribeInstances Querying the list of server instances
      cvm:*Cbs* CBS-related permissions
    • Tag
      Permission Name Permission Description
      tag:* All features related to tags
    • CLB
      Permission Name Permission Description
      clb:* All features related to CLB
    • TKE
      Permission Name Permission Description
      ccs:DescribeCluster Querying the cluster list
      ccs:DescribeClusterInstances Querying information of nodes in the cluster

    Preset policy QcloudAccessForTKERoleInOpsManagement

    Authorization scenario

    This policy is associated with TKE_QCSRole by default. After TKE is activated and TKE_QCSRole is granted, you have the permissions of various OPS-related features, including log features.

    Authorization steps

    This policy and the preset policy QcloudAccessForTKERole are authorized at the same time, so no extra operation is needed.

    Permission content

    Log service

    Permission Name Permission Description
    cls:listTopic Listing all log topics under a specified logset
    cls:getTopic Querying the information of a log topic
    cls:createTopic Creating a log topic
    cls:modifyTopic Modifying a log topic
    cls:deleteTopic Deleting a log topic
    cls:listLogset Querying the list of logsets
    cls:getLogset Querying the information of a logset
    cls:createLogset Creating a logset
    cls:modifyLogset Modifying a logset
    cls:deleteLogset Deleting a logset
    cls:listMachineGroup Displaying the server group list
    cls:getMachineGroup Querying the information of a server group
    cls:createMachineGroup Creating a server group
    cls:modifyMachineGroup Modifying a server group
    cls:deleteMachineGroup Deleting a server group
    cls:getMachineStatus Querying the server group status
    cls:pushLog Uploading logs
    cls:searchLog Querying logs
    cls:downloadLog Downloading logs
    cls:getCursor Getting the cursor based on time
    cls:getIndex Querying the indexes
    cls:modifyIndex Modifying an index
    cls:agentHeartBeat Heartbeat
    cls:getConfig Getting the pusher configuration information

    Preset policy QcloudAccessForTKERoleInCreatingCFSStorageclass

    Authorization scenario

    The Tencent Cloud CFS add-on can help you use file storage in TKE clusters. When using this add-on for the first time, you need to authorize relevant resources, such as file systems in CFS, via TKE.

    Authorization steps

    1. Log in to the TKE console and select Add-ons in the left sidebar to go to the Add-On management page.
    2. In the Add-On page, click Create.
    3. On the “Create an Add-On” page, if the add-on is selected as “CFS” for the first time, click Service Authorization at the bottom of the page, as shown below:
    4. In the displayed "Service Authorization" window, click Cloud Access Management.
    5. On the "Role Management" page, click Grant to complete authentication.

    Permission content

    File storage

    Permission Name Permission Description
    cfs:CreateCfsFileSystem Creating a file system
    cfs:DescribeCfsFileSystems Querying the list of file systems
    cfs:DescribeMountTargets Querying mount targets of a file system
    cfs:DeleteCfsFileSystem Deleting a file system

    Preset policy QcloudCVMFinanceAccess

    Authorization scenario

    When you need to purchase a cloud disk with monthly subscription, you need to add this policy to the TKE_QCSRole to configure payment permissions. Otherwise, the creation of a PVC based on a monthly subscription storageclass may fail due to lack of payment permissions.

    Authorization steps

    1. Log in to the CAM console, and select Roles in the left sidebar.
    2. In the role list page, click TKE_QCSRole to enter the role management page, as shown below:
    3. Choose Associate Policy on the “TKE_QCSRole” page, and confirm the operation in the displayed “Risk Tips” window.
    4. In the displayed Associate Policy window, find the policy QcloudCVMFinanceAccess and select it, as shown below:
    5. Click OK to complete the authorization.

    Permission content

    Permission Name Permission Description
    finance:* CVM finance permission

    IPAMDofTKE_QCSRole

    IPAMDofTKE_QCSRole is the TKE IPAMD support service role. After the permissions of this role are granted, you need to associate preset policies in the authorization scenarios described in this document. After these operations are completed, the following policies will appear in the list of authorized policies of the role:

    QcloudAccessForIPAMDofTKERole: the permission for TKE IPAMD to access cloud resources

    Preset policy QcloudAccessForIPAMDofTKERole

    Authorization scenario

    When using the VPC-CNI network mode to create a cluster for the first time, you need to grant permission for TKE IPAMD to access cloud resources, so that you can use the VPC-CNI network mode normally.

    Authorization steps

    1. Log in to the TKE console and click Cluster in the left sidebar.
    2. On the Cluster Management page, click Create or Create with a Template above the cluster list.
    3. On the Create Cluster page, select VPC-CNI for Container Network Add-on in Cluster Information section, and click Service Authorization, as shown below:
    4. In the displayed Service Authorization window, click Go to Cloud Access Management.
    5. On the Role Management page, click Grant to complete authentication.

    Permission content

    • CVM
      Permission Name Permission Description
      cvm:DescribeInstances Querying the list of instances
    • Tag
      Permission Name Permission Description
      tag:GetResourcesByTags Querying the resource list by tag
      tag:ModifyResourceTags Batch modifying tags associated with a resource
      tag:GetResourceTagsByResourceIds Querying tags associated with a resource
    • VPC
      Permission Name Permission Description
      vpc:DescribeSubnet Querying the list of subnets
      vpc:CreateNetworkInterface Creating an ENI
      vpc:DescribeNetworkInterfaces Querying the list of ENIs
      vpc:AttachNetworkInterface Binding an ENI with a CVM
      vpc:DetachNetworkInterface Unbinding an ENI from a CVM
      vpc:DeleteNetworkInterface Deleting an ENI
      vpc:AssignPrivateIpAddresses Applying for private IP addresses for an ENI
      vpc:UnassignPrivateIpAddresses Returning the private IP addresses of an ENI
      vpc:MigratePrivateIpAddress Migrating the private IP addresses of an ENI
      vpc:DescribeSubnetEx Querying the list of subnets
      vpc:DescribeVpcEx Querying peering connection
      vpc:DescribeNetworkInterfaceLimit Querying the ENI quota
      vpc:DescribeVpcPrivateIpAddresses Querying the private IP address of a VPC