When you use Tencent Kubernetes Engine (TKE), you need to authorize services to use relevant cloud resources. Each scenario usually contains policies that are defined for different roles in advance. The main roles involved are TKE_QCSRole and IPAMDofTKE_QCSRole. This document introduces the details of each authorization policy, and the authorization scenarios and authorization steps for each role.

Note：

The sample role in this document does not contain the authorization policy related to container image repositories. For more information about TKE permissions, please see TKE Image Registry Resource-level Permission Settings

TKE_QCSRole

After TKE is activated, Tencent Cloud grants your account the permissions of the role TKE_QCSRole, which is associated with multiple preset policies by default. To obtain relevant permissions, you need to perform the corresponding preset policy authorization operations in specific authorization scenarios. After these operations are completed, the corresponding policy will appear in the role’s list of authorized policies. The preset policies associated with TKE_QCSRole by default include:

• QcloudAccessForTKERole: the permission for TKE to access cloud resources
• QcloudAccessForTKERoleInOpsManagement: the permission for OPS management, including the log service
• QcloudAccessForTKERoleInCreatingCFSStorageclass: the permission for TKE to operate on Cloud File Storage (CFS), including adding/deleting/querying CFS systems, and querying the mount targets of a file system.
• QcloudCVMFinanceAccess: CVM finance permission

Preset policy QcloudAccessForTKERole

Authorization scenario

When you log in to the Tencent Kubernetes Engine console for the first time after registering and logging in to a Tencent Cloud account, you need to go to the “Cloud Access Management” page to grant the current account TKE permissions for operating on CVMs, CLBs, CBS, and other cloud resources.

Authorization steps

1. Log in to the Tencent Kubernetes Engine console and click Cluster in the left sidebar. The Service Authorization window is displayed.
2. Click Go to Cloud Access Management to go to the role management page.
3. Click Grant Authorization and complete identity verification to complete authorization.

Permission content

• CVM issues

  Permission Name	Permission Description
  cvm:DescribeInstances	Querying the list of server instances
  cvm:*Cbs*	CBS-related permissions

• Tag issues

  Permission Name	Permission Description
  tag:*	All features related to tags

• CLB issues

  Permission Name	Permission Description
  clb:*	All features related to CLB

• TKE issues

  Permission Name	Permission Description
  ccs:DescribeCluster	Querying the cluster list
  ccs:DescribeClusterInstances	Querying cluster node information

Preset policy QcloudAccessForTKERoleInOpsManagement

Authorization scenario

This policy is associated with TKE_QCSRole by default. After TKE is activated and TKE_QCSRole is granted, you have the permissions of various OPS-related features, including log features.

Authorization steps

This policy and the preset policy QcloudAccessForTKERole are authorized at the same time, so no extra operation is needed.

Permission content

Log service issues

Preset policy QcloudAccessForTKERoleInCreatingCFSStorageclass

Authorization scenario

The Tencent Cloud CFS add-on can help you use file storage in TKE clusters. When using this add-on for the first time, you need to authorize relevant resources, such as file systems in CFS, via TKE.

Authorization steps

1. Log in to the Tencent Kubernetes Engine console and select Add-ons in the left sidebar to go to the “Add-On” management page.
2. On the top of the “Add-On” page, select the region and the cluster, and click Create.
3. On the “Create an Add-On” page, if the add-on selected for the first time is “CFS”, click Service Authorization at the bottom of the page.
4. In the displayed "Service Authorization" window, click Cloud Access Management.
5. On the "Role Management" page, click Grant Authorization and complete identity verification to complete authorization.

Permission content

File storage issues

Preset policy QcloudCVMFinanceAccess

Authorization scenario

When you need to purchase a cloud disk using monthly subscription, you need to add this policy to TKE_QCSRole to configure payment permission. Otherwise, creation of a PVC based on a monthly subscription storageclass may fail due to lack of payment permission.

Authorization steps

1. Log in to the CAM console, and select [Roles](https://console.cloud.tencent.com/cam/role) in the left sidebar.
2. On the "Role" list page, click TKE_QCSRole to enter the role management page.
3. Choose Associate Policy on the “TKE_QCSRole” page, and confirm the operation in the displayed “Risk Warning” window.
4. In the displayed “Associate Policy” window, find the policy QcloudCVMFinanceAccess and select it.
5. Click OK to complete the authorization.

Permission content

IPAMDofTKE_QCSRole

IPAMDofTKE_QCSRole is the TKE IPAMD support service role. After the permissions of this role are granted, you need to associate preset policies in the authorization scenarios described in this document. After these operations are completed, the following policies will appear in the list of authorized policies of the role:

QcloudAccessForIPAMDofTKERole: the permission for TKE IPAMD to access cloud resources

Preset policy QcloudAccessForIPAMDofTKERole

Authorization scenario

When using the VPC-CNI network mode for the first time to create a cluster, you need to first grant permission for TKE IPAMD to access cloud resources, so that you can use the VPC-CNI network mode normally.

Authorization steps

1. Log in to the Tencent Cloud TKE console and click Clusters in the left sidebar.
2. On the "Cluster Management" page, click Create or Template Creation above the cluster list.
3. On the "Create a Cluster" page, in the step where you configure "Cluster Information", select VPC-CNI in "Container Network Plug-In", and click "Service Authorization".
4. In the displayed "Service Authorization" window, click Go to Cloud Access Management.
5. On the "Role Management" page, click Grant Authorization and complete identity verification to complete authorization.

Permission content

• CVM issues

  Permission Name	Permission Description
  cvm:DescribeInstances	Viewing the list of instances

• Tag issues

  Permission Name	Permission Description
  tag:GetResourcesByTags	Querying the resource list by tag
  tag:ModifyResourceTags	Batch modifying tags associated with a resource
  tag:GetResourceTagsByResourceIds	Querying tags associated with a resource

• VPC issues

  Permission Name	Permission Description
  vpc:DescribeSubnet	Querying the list of subnets
  vpc:CreateNetworkInterface	Creating an ENI
  vpc:DescribeNetworkInterfaces	Querying the list of ENIs
  vpc:AttachNetworkInterface	Binding an ENI with a CVM
  vpc:DetachNetworkInterface	Unbinding an ENI from a CVM
  vpc:DeleteNetworkInterface	Deleting an ENI
  vpc:AssignPrivateIpAddresses	Applying for private IP addresses for an ENI
  vpc:UnassignPrivateIpAddresses	Returning the private IP addresses of an ENI
  vpc:MigratePrivateIpAddress	Migrating the private IP addresses of an ENI
  vpc:DescribeSubnetEx	Querying the list of subnets
  vpc:DescribeVpcEx	Querying peering connection
  vpc:DescribeNetworkInterfaceLimit	Querying the ENI quota
  vpc:DescribeVpcPrivateIpAddresses	Querying the private IP address of a VPC