Description of Role Permissions Related to Service Authorization

Last updated: 2020-09-11 10:35:28

    When you use Tencent Kubernetes Engine (TKE), you need to authorize services to use relevant cloud resources. Each scenario usually contains policies that are defined for different roles in advance. The main roles involved are TKE_QCSRole and IPAMDofTKE_QCSRole. This document introduces the details of each authorization policy, and the authorization scenarios and authorization steps for each role.

    TKE_QCSRole

    After TKE is activated, Tencent Cloud grants your account the permissions of the role TKE_QCSRole, which is associated with multiple preset policies by default. To obtain relevant permissions, you need to perform the corresponding preset policy authorization operations in specific authorization scenarios. After these operations are completed, the corresponding policy will appear in the role’s list of authorized policies. The preset policies associated with TKE_QCSRole by default include:

    Preset policy QcloudAccessForTKERole

    Authorization scenario

    The first time you log in to the Tencent Kubernetes Engine console with a newly registered Tencent Cloud account, you need to go to the “Cloud Access Management” page and grant TKE permission to operate on CVM, CLB, CBS, and other cloud resources on behalf of the current account.

    Authorization steps

    1. Log in to the Tencent Kubernetes Engine console and click Cluster in the left sidebar. The Service Authorization window is displayed.
    2. Click Go to Cloud Access Management to go to the role management page.
    3. Click Grant Authorization and complete identity verification to complete authorization.

    Permission content

    • CVM-related permissions
      Permission Name                    Permission Description
      cvm:DescribeInstances              Querying the list of server instances
      cvm:*Cbs*                          CBS-related permissions
    • Tag-related permissions
      Permission Name                    Permission Description
      tag:*                              All features related to tags
    • CLB-related permissions
      Permission Name                    Permission Description
      clb:*                              All features related to CLB
    • TKE-related permissions
      Permission Name                    Permission Description
      ccs:DescribeCluster                Querying the cluster list
      ccs:DescribeClusterInstances       Querying cluster node information

    Preset policy QcloudAccessForTKERoleInOpsManagement

    Authorization scenario

    This policy is associated with TKE_QCSRole by default. After TKE is activated and TKE_QCSRole is granted, the role has permission for various Ops-related features, including logging.

    Authorization steps

    This policy and the preset policy QcloudAccessForTKERole are authorized at the same time, so no extra operation is needed.

    Permission content

    Log service (CLS) related permissions

    Permission Name            Permission Description
    cls:listTopic              Displaying the list of log topics under a specified logset
    cls:getTopic               Viewing log topic information
    cls:createTopic            Creating a log topic
    cls:modifyTopic            Modifying a log topic
    cls:deleteTopic            Deleting a log topic
    cls:listLogset             Displaying the logset list
    cls:getLogset              Viewing logset information
    cls:createLogset           Creating a logset
    cls:modifyLogset           Modifying a logset
    cls:deleteLogset           Deleting a logset
    cls:listMachineGroup       Displaying the server group list
    cls:getMachineGroup        Viewing server group information
    cls:createMachineGroup     Creating a server group
    cls:modifyMachineGroup     Modifying a server group
    cls:deleteMachineGroup     Deleting a server group
    cls:getMachineStatus       Viewing server group status
    cls:pushLog                Uploading logs
    cls:searchLog              Querying logs
    cls:downloadLog            Downloading logs
    cls:getCursor              Getting the cursor based on time
    cls:getIndex               Viewing indexes
    cls:modifyIndex            Modifying indexes
    cls:agentHeartBeat         Heartbeat
    cls:getConfig              Getting the pusher configuration information

    Preset policy QcloudAccessForTKERoleInCreatingCFSStorageclass

    Authorization scenario

    The Tencent Cloud CFS add-on can help you use file storage in TKE clusters. When using this add-on for the first time, you need to authorize relevant resources, such as file systems in CFS, via TKE.

    Authorization steps

    1. Log in to the Tencent Kubernetes Engine console and select Add-ons in the left sidebar to go to the “Add-On” management page.
    2. On the top of the “Add-On” page, select the region and the cluster, and click Create.
    3. On the “Create an Add-On” page, if the add-on selected for the first time is “CFS”, click Service Authorization at the bottom of the page.
    4. In the displayed "Service Authorization" window, click Cloud Access Management.
    5. On the "Role Management" page, click Grant Authorization and complete identity verification to complete authorization.

    Permission content

    File storage (CFS) related permissions

    Permission Name               Permission Description
    cfs:CreateCfsFileSystem       Creating a file system
    cfs:DescribeCfsFileSystems    Querying a file system
    cfs:DescribeMountTargets      Querying mount targets of a file system
    cfs:DeleteCfsFileSystem       Deleting a file system

    Preset policy QcloudCVMFinanceAccess

    Authorization scenario

    When you need to purchase a cloud disk on a monthly subscription, you must add this policy to TKE_QCSRole to grant it payment permission. Otherwise, creating a PVC from a monthly-subscription StorageClass may fail for lack of payment permission.

    Authorization steps

    1. Log in to the CAM console, and select [Roles](https://console.cloud.tencent.com/cam/role) in the left sidebar.
    2. On the "Role" list page, click TKE_QCSRole to enter the role management page.
    3. Choose Associate Policy on the “TKE_QCSRole” page, and confirm the operation in the displayed “Risk Warning” window.
    4. In the displayed “Associate Policy” window, find the policy QcloudCVMFinanceAccess and select it.
    5. Click OK to complete the authorization.

    Permission content

    Permission Name     Permission Description
    finance:*           CVM finance permission

    IPAMDofTKE_QCSRole

    IPAMDofTKE_QCSRole is the TKE IPAMD support service role. After the permissions of this role are granted, you need to associate preset policies in the authorization scenarios described in this document. After these operations are completed, the following policies will appear in the list of authorized policies of the role:

    QcloudAccessForIPAMDofTKERole: the permission for TKE IPAMD to access cloud resources

    Preset policy QcloudAccessForIPAMDofTKERole

    Authorization scenario

    When using the VPC-CNI network mode for the first time to create a cluster, you need to first grant permission for TKE IPAMD to access cloud resources, so that you can use the VPC-CNI network mode normally.

    Authorization steps

    1. Log in to the Tencent Cloud TKE console and click Clusters in the left sidebar.
    2. On the "Cluster Management" page, click Create or Template Creation above the cluster list.
    3. On the "Create a Cluster" page, in the step where you configure "Cluster Information", select VPC-CNI in "Container Network Plug-In", and click "Service Authorization".
    4. In the displayed "Service Authorization" window, click Go to Cloud Access Management.
    5. On the "Role Management" page, click Grant Authorization and complete identity verification to complete authorization.

    Permission content

    • CVM-related permissions
      Permission Name                       Permission Description
      cvm:DescribeInstances                 Viewing the list of instances
    • Tag-related permissions
      Permission Name                       Permission Description
      tag:GetResourcesByTags                Querying the resource list by tag
      tag:ModifyResourceTags                Batch modifying tags associated with a resource
      tag:GetResourceTagsByResourceIds      Querying tags associated with a resource
    • VPC-related permissions
      Permission Name                       Permission Description
      vpc:DescribeSubnet                    Querying the list of subnets
      vpc:CreateNetworkInterface            Creating an ENI
      vpc:DescribeNetworkInterfaces         Querying the list of ENIs
      vpc:AttachNetworkInterface            Binding an ENI with a CVM
      vpc:DetachNetworkInterface            Unbinding an ENI from a CVM
      vpc:DeleteNetworkInterface            Deleting an ENI
      vpc:AssignPrivateIpAddresses          Applying for private IP addresses for an ENI
      vpc:UnassignPrivateIpAddresses        Returning the private IP addresses of an ENI
      vpc:MigratePrivateIpAddress           Migrating the private IP addresses of an ENI
      vpc:DescribeSubnetEx                  Querying the list of subnets
      vpc:DescribeVpcEx                     Querying peering connection
      vpc:DescribeNetworkInterfaceLimit     Querying the ENI quota
      vpc:DescribeVpcPrivateIpAddresses     Querying the private IP address of a VPC
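    The permission tables above describe what each preset policy is supposed to grant; what actually matters at runtime is the set of policy documents attached to TKE_QCSRole and IPAMDofTKE_QCSRole in CAM. The script below is an added example, not part of the Tencent Cloud documentation or of TKE: it reads policy documents in CAM policy syntax (version "2.0", a "statement" list with "effect", "action" and "resource"), checks whether the actions a scenario needs are granted (honouring wildcard patterns such as cvm:*Cbs* and the rule that an explicit deny overrides an allow), and lists the service-wide wildcard grants (tag:*, clb:*) whose blast radius a reviewer would want to know about. The policy document and scenario action lists are constructed from the tables on this page; the two action names clb:DescribeLoadBalancers and cvm:AttachCbsStorages are assumptions used only to show how the wildcard grants expand.

```python
"""Check whether a CAM role's attached policy documents cover the actions a
TKE authorization scenario needs, and flag broad wildcard grants.

Added example; not part of the Tencent Cloud documentation. The policy
document and scenario lists are constructed from the permission tables on
this page. For a real audit, export the documents attached to TKE_QCSRole
or IPAMDofTKE_QCSRole from CAM and pass them to audit_role().
"""
import json
from fnmatch import fnmatchcase

# Constructed: the allow grants this page lists for QcloudAccessForTKERole,
# written in CAM policy syntax (version 2.0, statement/effect/action/resource).
TKE_ROLE_POLICY = json.loads("""
{
  "version": "2.0",
  "statement": [
    {
      "effect": "allow",
      "action": ["cvm:DescribeInstances", "cvm:*Cbs*", "tag:*", "clb:*",
                 "ccs:DescribeCluster", "ccs:DescribeClusterInstances"],
      "resource": "*"
    }
  ]
}
""")

# Constructed: actions each scenario requires. The two commented names are
# assumed concrete actions used only to show how the wildcard grants expand.
SCENARIOS = {
    "TKE console (QcloudAccessForTKERole)": [
        "cvm:DescribeInstances",
        "ccs:DescribeCluster",
        "ccs:DescribeClusterInstances",
        "clb:DescribeLoadBalancers",  # assumed name; matched by clb:*
        "cvm:AttachCbsStorages",      # assumed name; matched by cvm:*Cbs*
    ],
    "CFS StorageClass (QcloudAccessForTKERoleInCreatingCFSStorageclass)": [
        "cfs:CreateCfsFileSystem",
        "cfs:DescribeCfsFileSystems",
        "cfs:DescribeMountTargets",
        "cfs:DeleteCfsFileSystem",
    ],
}


def _as_list(value):
    """CAM accepts either a single string or a list for "action"."""
    return [value] if isinstance(value, str) else list(value)


def _normalize(action):
    """Drop the optional "name/" prefix CAM accepts (name/cvm:DescribeInstances)."""
    return action[len("name/"):] if action.startswith("name/") else action


def action_patterns(policy, effect):
    """Action patterns of every statement in one policy with the given effect."""
    patterns = []
    for stmt in policy.get("statement", []):
        if str(stmt.get("effect", "")).lower() == effect:
            patterns.extend(_normalize(a) for a in _as_list(stmt.get("action", [])))
    return patterns


def is_granted(action, policies):
    """True if an allow pattern matches the action and no deny pattern does.
    An explicit deny overrides allow, as in CAM's policy evaluation."""
    denies = [p for pol in policies for p in action_patterns(pol, "deny")]
    if any(fnmatchcase(action, p) for p in denies):
        return False
    allows = [p for pol in policies for p in action_patterns(pol, "allow")]
    return any(fnmatchcase(action, p) for p in allows)


def wildcard_grants(policies):
    """All allow patterns containing '*', sorted and de-duplicated."""
    return sorted({p for pol in policies for p in action_patterns(pol, "allow") if "*" in p})


def service_wide_grants(policies):
    """Wildcard grants covering every action of a service, e.g. tag:* or clb:*."""
    return [p for p in wildcard_grants(policies) if p.split(":", 1)[1:] == ["*"]]


def audit_role(required_actions, policies):
    """Report required actions that are not granted plus the wildcard grants present."""
    return {
        "missing": [a for a in required_actions if not is_granted(a, policies)],
        "wildcard_grants": wildcard_grants(policies),
        "service_wide_grants": service_wide_grants(policies),
    }


if __name__ == "__main__":
    for name, actions in SCENARIOS.items():
        report = audit_role(actions, [TKE_ROLE_POLICY])
        status = "OK" if not report["missing"] else "MISSING " + ", ".join(report["missing"])
        print(f"{name}: {status}")
    print("service-wide grants:", ", ".join(service_wide_grants([TKE_ROLE_POLICY])))
```

    Run against the constructed QcloudAccessForTKERole document, the TKE console scenario passes while every cfs: action is reported missing, which is exactly why the CFS add-on scenario above requires a separate authorization step; the same check with finance:* shows why a monthly-subscription PVC fails until QcloudCVMFinanceAccess is associated. Passing more than one document in the list models a role with several attached policies, including a custom deny.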
