- Release Notes and Announcements
- Release Notes
- Announcements
- Instructions on Cluster Resource Quota Adjustment
- Starting Charging on Managed Clusters
- Notice on TPS Discontinuation on May 16, 2022 at 10:00 (UTC +8)
- Basic Monitoring Architecture Upgrade
- Instructions on Stopping Delivering the Kubeconfig File to Nodes
- Kubernetes Version Maintenance
- Security Vulnerability Fix Description
- Beginner’s Guide
- Product Introduction
- Purchase Guide
- Quick Start
- User Guide
- High-risk Operations of Container Service
- Deploying Containerized Applications in the Cloud
- Kubernetes API Operation Guide
- Open Source Components
- Cluster Management
- Cluster Overview
- Cluster Hosting Modes Introduction
- Cluster Lifecycle
- TKE-Optimized Series Images
- Creating a Cluster
- Deleting a Cluster
- Cluster Scaling
- Changing the Cluster Operating System
- Connecting to a Cluster
- Upgrading a Cluster
- Enabling IPVS for a Cluster
- Enabling GPU Scheduling for a Cluster
- Custom Kubernetes Component Launch Parameters
- Images
- Node Management
- Node Pool Management
- Supernode management
- Kubernetes Object Management
- Overview
- Namespace
- Workload
- Deployment Management
- StatefulSet Management
- DaemonSet Management
- Job Management
- CronJob Management
- Setting the Resource Limit of Workload
- Setting the Scheduling Rule for a Workload
- Setting the Health Check for a Workload
- Setting the Run Command and Parameter for a Workload
- Using a Container Image in a TCR Enterprise Instance to Create a Workload
- Auto Scaling
- Configuration
- GPU Share
- External Node Management
- Service Management
- Ingress Management
- Storage Management
- Add-On Management
- Helm Application
- Network Management
- Container Network Overview
- GlobalRouter Mode
- VPC-CNI Mode
- VPC-CNI Mode
- Multiple Pods with Shared ENI Mode
- Pods with Exclusive ENI Mode
- Static IP Address Mode Instructions
- Non-static IP Address Mode Instructions
- Interconnection Between VPC-CNI and Other Cloud Resources/IDC Resources
- Security Group of VPC-CNI Mode
- Instructions on Binding an EIP to a Pod
- VPC-CNI Component
- Limits on the Number of Pods in VPC-CNI Mode
- Application Market
- OPS Center
- Cloud Native Monitoring
- Remote Terminals
- Elastic Cluster Guide
- Container Instance Guide
- Edge Cluster Guide
- Cloud Native AI Guide
- TMP
- Best Practices
- Cluster
- Cluster Migration
- EKS Cluster
- Edge Cluster
- Security
- Service Deployment
- Hybrid Cloud
- Network
- Using Network Policy for Network Access Control
- Deploying NGINX Ingress on TKE
- Using NodeLocal DNS Cache in a TKE Cluster
- Nginx Ingress High-Concurrency Practices
- Nginx Ingress Best Practices
- Limiting the bandwidth on pods in TKE
- Directly connecting TKE to the CLB of pods based on the ENI
- Use CLB-Pod Direct Connection on TKE
- Obtaining the Real Client Source IP in TKE
- Implementing Custom Domain Name Resolution in TKE
- Using Traefik Ingress in TKE
- Release
- Logs
- Monitoring
- OPS
- Removing and Re-adding Nodes from and to Cluster
- Using Ansible to Batch Operate TKE Nodes
- Using Cluster Audit for Troubleshooting
- Renewing a TKE Ingress Certificate
- Using cert-manager to Issue Free Certificates
- Using cert-manager to Issue Free Certificate for DNSPod Domain Name
- Using the TKE NPDPlus Plug-In to Enhance the Self-Healing Capability of Nodes
- Using kubecm to Manage Multiple Clusters kubeconfig
- Quick Troubleshooting Using TKE Audit and Event Services
- Customizing RBAC Authorization in TKE
- DevOps
- Quick Implementation of Container DevOps in TKE Using TCR Delivery Pipeline
- Quick Implementation of Container DevOps in TKE Using CODING
- Full Implementation of Container DevOps in TKE Using CODING
- Construction and Deployment of Jenkins Public Network Framework Appications based on TKE
- Using Docker as an image building service in a containerd cluster
- Deploying Jenkins on TKE
- Auto Scaling
- Cluster Auto Scaling Practices
- Using tke-autoscaling-placeholder to Implement Auto Scaling in Seconds
- Installing metrics-server on TKE
- Using Custom Metrics for Auto Scaling in TKE
- Utilizing HPA to Auto Scale Businesses on TKE
- Using VPA to Realize Pod Scaling up and Scaling down in TKE
- Adjusting HPA Scaling Sensitivity Based on Different Business Scenarios
- Storage
- Containerization
- Microservice
- Cost Management
- Permission Management
- Overview
- Description of Role Permissions Related to Service Authorization
- TKE Image Registry Resource-level Permission Settings
- Controlling TKE cluster-level permissions
- TKE Kubernetes Object-level Permission Control
- Fault Handling
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Cluster APIs
- DescribeClusterKubeconfig
- DescribeClusters
- CreateCluster
- DescribeClusterSecurity
- DeleteCluster
- ModifyClusterEndpointSP
- DescribeClusterEndpointVipStatus
- DescribeClusterEndpointStatus
- DeleteClusterEndpointVip
- DeleteClusterEndpoint
- CreateClusterEndpointVip
- CreateClusterEndpoint
- ModifyClusterAttribute
- AcquireClusterAdminRole
- UpgradeClusterInstances
- UpdateClusterVersion
- GetUpgradeInstanceProgress
- DescribeAvailableClusterVersion
- DescribeClusterCommonNames
- ModifyClusterAuthenticationOptions
- DescribeClusterAuthenticationOptions
- EnableClusterDeletionProtection
- DisableClusterDeletionProtection
- DescribeClusterStatus
- GetClusterLevelPrice
- DescribeResourceUsage
- DescribeClusterLevelChangeRecords
- DescribeClusterLevelAttribute
- Node APIs
- Network APIs
- Scaling group APIs
- Cloud Native Monitoring APIs
- Node Pool APIs
- DescribeClusterAsGroupOption
- RemoveNodeFromNodePool
- ModifyClusterNodePool
- DescribeClusterNodePools
- DescribeClusterNodePoolDetail
- DeleteClusterNodePool
- CreateClusterNodePoolFromExistingAsg
- CreateClusterNodePool
- AddNodeToNodePool
- ModifyClusterAsGroupOptionAttribute
- SetNodePoolNodeProtection
- ModifyNodePoolInstanceTypes
- Edge Compute Cluster APIs
- Other APIs
- Data Types
- Error Codes
- API Mapping Guide
- FAQs
- Service Agreement
- Contact Us
- Glossary
- User Guide(Old)
- Release Notes and Announcements
- Release Notes
- Announcements
- Instructions on Cluster Resource Quota Adjustment
- Starting Charging on Managed Clusters
- Notice on TPS Discontinuation on May 16, 2022 at 10:00 (UTC +8)
- Basic Monitoring Architecture Upgrade
- Instructions on Stopping Delivering the Kubeconfig File to Nodes
- Kubernetes Version Maintenance
- Security Vulnerability Fix Description
- Beginner’s Guide
- Product Introduction
- Purchase Guide
- Quick Start
- User Guide
- High-risk Operations of Container Service
- Deploying Containerized Applications in the Cloud
- Kubernetes API Operation Guide
- Open Source Components
- Cluster Management
- Cluster Overview
- Cluster Hosting Modes Introduction
- Cluster Lifecycle
- TKE-Optimized Series Images
- Creating a Cluster
- Deleting a Cluster
- Cluster Scaling
- Changing the Cluster Operating System
- Connecting to a Cluster
- Upgrading a Cluster
- Enabling IPVS for a Cluster
- Enabling GPU Scheduling for a Cluster
- Custom Kubernetes Component Launch Parameters
- Images
- Node Management
- Node Pool Management
- Supernode management
- Kubernetes Object Management
- Overview
- Namespace
- Workload
- Deployment Management
- StatefulSet Management
- DaemonSet Management
- Job Management
- CronJob Management
- Setting the Resource Limit of Workload
- Setting the Scheduling Rule for a Workload
- Setting the Health Check for a Workload
- Setting the Run Command and Parameter for a Workload
- Using a Container Image in a TCR Enterprise Instance to Create a Workload
- Auto Scaling
- Configuration
- GPU Share
- External Node Management
- Service Management
- Ingress Management
- Storage Management
- Add-On Management
- Helm Application
- Network Management
- Container Network Overview
- GlobalRouter Mode
- VPC-CNI Mode
- VPC-CNI Mode
- Multiple Pods with Shared ENI Mode
- Pods with Exclusive ENI Mode
- Static IP Address Mode Instructions
- Non-static IP Address Mode Instructions
- Interconnection Between VPC-CNI and Other Cloud Resources/IDC Resources
- Security Group of VPC-CNI Mode
- Instructions on Binding an EIP to a Pod
- VPC-CNI Component
- Limits on the Number of Pods in VPC-CNI Mode
- Application Market
- OPS Center
- Cloud Native Monitoring
- Remote Terminals
- Elastic Cluster Guide
- Container Instance Guide
- Edge Cluster Guide
- Cloud Native AI Guide
- TMP
- Best Practices
- Cluster
- Cluster Migration
- EKS Cluster
- Edge Cluster
- Security
- Service Deployment
- Hybrid Cloud
- Network
- Using Network Policy for Network Access Control
- Deploying NGINX Ingress on TKE
- Using NodeLocal DNS Cache in a TKE Cluster
- Nginx Ingress High-Concurrency Practices
- Nginx Ingress Best Practices
- Limiting the bandwidth on pods in TKE
- Directly connecting TKE to the CLB of pods based on the ENI
- Use CLB-Pod Direct Connection on TKE
- Obtaining the Real Client Source IP in TKE
- Implementing Custom Domain Name Resolution in TKE
- Using Traefik Ingress in TKE
- Release
- Logs
- Monitoring
- OPS
- Removing and Re-adding Nodes from and to Cluster
- Using Ansible to Batch Operate TKE Nodes
- Using Cluster Audit for Troubleshooting
- Renewing a TKE Ingress Certificate
- Using cert-manager to Issue Free Certificates
- Using cert-manager to Issue Free Certificate for DNSPod Domain Name
- Using the TKE NPDPlus Plug-In to Enhance the Self-Healing Capability of Nodes
- Using kubecm to Manage Multiple Clusters kubeconfig
- Quick Troubleshooting Using TKE Audit and Event Services
- Customizing RBAC Authorization in TKE
- DevOps
- Quick Implementation of Container DevOps in TKE Using TCR Delivery Pipeline
- Quick Implementation of Container DevOps in TKE Using CODING
- Full Implementation of Container DevOps in TKE Using CODING
- Construction and Deployment of Jenkins Public Network Framework Appications based on TKE
- Using Docker as an image building service in a containerd cluster
- Deploying Jenkins on TKE
- Auto Scaling
- Cluster Auto Scaling Practices
- Using tke-autoscaling-placeholder to Implement Auto Scaling in Seconds
- Installing metrics-server on TKE
- Using Custom Metrics for Auto Scaling in TKE
- Utilizing HPA to Auto Scale Businesses on TKE
- Using VPA to Realize Pod Scaling up and Scaling down in TKE
- Adjusting HPA Scaling Sensitivity Based on Different Business Scenarios
- Storage
- Containerization
- Microservice
- Cost Management
- Permission Management
- Overview
- Description of Role Permissions Related to Service Authorization
- TKE Image Registry Resource-level Permission Settings
- Controlling TKE cluster-level permissions
- TKE Kubernetes Object-level Permission Control
- Fault Handling
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Cluster APIs
- DescribeClusterKubeconfig
- DescribeClusters
- CreateCluster
- DescribeClusterSecurity
- DeleteCluster
- ModifyClusterEndpointSP
- DescribeClusterEndpointVipStatus
- DescribeClusterEndpointStatus
- DeleteClusterEndpointVip
- DeleteClusterEndpoint
- CreateClusterEndpointVip
- CreateClusterEndpoint
- ModifyClusterAttribute
- AcquireClusterAdminRole
- UpgradeClusterInstances
- UpdateClusterVersion
- GetUpgradeInstanceProgress
- DescribeAvailableClusterVersion
- DescribeClusterCommonNames
- ModifyClusterAuthenticationOptions
- DescribeClusterAuthenticationOptions
- EnableClusterDeletionProtection
- DisableClusterDeletionProtection
- DescribeClusterStatus
- GetClusterLevelPrice
- DescribeResourceUsage
- DescribeClusterLevelChangeRecords
- DescribeClusterLevelAttribute
- Node APIs
- Network APIs
- Scaling group APIs
- Cloud Native Monitoring APIs
- Node Pool APIs
- DescribeClusterAsGroupOption
- RemoveNodeFromNodePool
- ModifyClusterNodePool
- DescribeClusterNodePools
- DescribeClusterNodePoolDetail
- DeleteClusterNodePool
- CreateClusterNodePoolFromExistingAsg
- CreateClusterNodePool
- AddNodeToNodePool
- ModifyClusterAsGroupOptionAttribute
- SetNodePoolNodeProtection
- ModifyNodePoolInstanceTypes
- Edge Compute Cluster APIs
- Other APIs
- Data Types
- Error Codes
- API Mapping Guide
- FAQs
- Service Agreement
- Contact Us
- Glossary
- User Guide(Old)
Description of Role Permissions Related to Service Authorization
Last updated: 2022-05-09 11:40:29
When you use Tencent Kubernetes Engine (TKE), you need to authorize services to use relevant cloud resources. Each scenario usually contains policies that are defined for different roles in advance. The main roles involved are TKE_QCSRole and IPAMDofTKE_QCSRole. This document introduces the details of each authorization policy, and the authorization scenarios and authorization steps for each role.
Note:The sample role in this document does not contain the authorization policy related to container image repositories. For more information about TKE image related permissions, see TKE Image Registry Resource-level Permission Settings.
TKE_QCSRole
After TKE is activated, Tencent Cloud grants your account the permissions of the role TKE_QCSRole, which is associated with multiple preset policies by default. To obtain relevant permissions, you need to perform the corresponding preset policy authorization operations in specific authorization scenarios. After these operations are completed, the corresponding policy will appear in the role's list of authorized policies. The preset policies associated with TKE_QCSRole by default include:
The default associated preset policies
QcloudAccessForTKERole: The permission for TKE to access cloud resourcesQcloudAccessForTKERoleInOpsManagement: The permission for Ops management, including the log service
Other associated preset policies
QcloudAccessForTKERoleInCreatingCFSStorageclass: The permission for TKE to operate on Cloud File Storage (CFS), including adding/deleting/querying CFS systems, and querying the mount targets of a file system.QcloudCVMFinanceAccess: CVM finance permission
Preset policy QcloudAccessForTKERole
Authorization scenario
When you log in to the TKE console for the first time after registering and logging in to a Tencent Cloud account, you need to go to the "Cloud Access Management" page to grant the current account TKE permissions for operating on CVMs, CLBs, CBS, and other cloud resources.
Authorization steps
- Log in to the TKE console and click Cluster in the left sidebar to pop up the Service authorization window.
- Click Go to Cloud Access Management to enter the Role management page.
- Click Grant to complete authentication.
Permission content
- CVM
Permission Name Permission Description cvm:DescribeInstancesQuerying the list of server instances cvm:*Cbs*CBS-related permissions - Tag
Permission Name Permission Description tag:*All features related to tags - CLB
Permission Name Permission Description clb:*All features related to CLB - TKE
Permission Name Permission Description ccs:DescribeClusterQuerying a cluster list ccs:DescribeClusterInstancesQuerying cluster node information
Preset policy QcloudAccessForTKERoleInOpsManagement
Authorization scenario
This policy is associated with TKE_QCSRole by default. After TKE is activated and TKE_QCSRole is granted, you have the permissions of various Ops-related features, including log features.
Authorization steps
This policy and the preset policy QcloudAccessForTKERole are authorized at the same time, so no extra operation is needed.
Permission content
Log service
| Permission Name | Permission Description |
|---|---|
cls:listTopic |
Displaying the list of log topics under a specified logset |
cls:getTopic |
Viewing log topic information |
cls:createTopic |
Creating a log topic |
cls:modifyTopic |
Modifying a log topic |
cls:deleteTopic |
Deleting a log topic |
cls:listLogset |
Displaying the logset list |
cls:getLogset |
Viewing logset information |
cls:createLogset |
Creating a logset |
cls:modifyLogset |
Modifying a logset |
cls:deleteLogset |
Deleting a logset |
cls:listMachineGroup |
Displaying the server group list |
cls:getMachineGroup |
Viewing server group information |
cls:createMachineGroup |
Creating a server group |
cls:modifyMachineGroup |
Modifying a server group |
cls:deleteMachineGroup |
Deleting a server group |
cls:getMachineStatus |
Viewing server group status |
cls:pushLog |
Uploading logs |
cls:searchLog |
Querying logs |
cls:downloadLog |
Downloading logs |
cls:getCursor |
Getting the cursor based on time |
cls:getIndex |
Viewing indexes |
cls:modifyIndex |
Modifying indexes |
cls:agentHeartBeat |
Heartbeat |
cls:getConfig |
Getting the pusher configuration information |
Preset policy QcloudAccessForTKERoleInCreatingCFSStorageclass
Authorization scenario
The Tencent Cloud CFS add-on can help you use file storage in TKE clusters. When using this add-on for the first time, you need to authorize relevant resources, such as file systems in CFS, via TKE.
Authorization steps
- Log in to the TKE console and click Cluster in the left sidebar.
- On the "Cluster management" page, select the region and ID of the target cluster to go to the cluster details page.
- Select Add-on management and click Create.
- On the Add-on management page, if the add-on is selected as "CFS" for the first time, click Service Authorization at the bottom of the page.
- In the "Service authorization" window that pops up, click Cloud Access Management.
- On the "Role management" page, click Grant to complete authentication.
Permission content
File storage
| Permission Name | Permission Description |
|---|---|
| cfs:CreateCfsFileSystem | Creating a file system |
| cfs:DescribeCfsFileSystems | Querying a file system |
| cfs:DescribeMountTargets | Querying mount targets of a file system |
| cfs:DeleteCfsFileSystem | Deletes a file system |
Preset policy QcloudCVMFinanceAccess
Authorization steps
- Log in to the CAM console, and select Roles in the left sidebar.
- On the role list page, click TKE_QCSRole to enter the role management page.
- Select Associate policy on the TKE_QCSRole page, and confirm the operation in the "Risk tips" pop-up window.
- In the "Associate policy" window that pops up, find the policy
QcloudCVMFinanceAccessand select it.
- Click Confirm to complete the process.
Permission content
| Permission Name | Permission Description |
|---|---|
finance:* |
CVM finance permission |
IPAMDofTKE_QCSRole
IPAMDofTKE_QCSRole is the TKE IPAMD support service role. After the permissions of this role are granted, you need to associate preset policies in the authorization scenarios described in this document. After these operations are completed, the following policies will appear in the list of authorized policies of the role:
QcloudAccessForIPAMDofTKERole: The permission for TKE IPAMD to access cloud resources
Preset policy QcloudAccessForIPAMDofTKERole
Authorization scenario
When using the VPC-CNI network mode to create a cluster for the first time, you need to grant permission for TKE IPAMD to access cloud resources, so that you can use the VPC-CNI network mode normally.
Authorization steps
- Log in to the TKE console and click Cluster in the left sidebar.
- On the "Cluster Management" page, click Create or Create with a template above the cluster list.
- On the "Create cluster" page, select VPC-CNI for Container network add-on in "Cluster information" section, and click "Service Authorization".
- In the displayed "Service authorization" window, click Go to Cloud Access Management.
- On the "Role management" page, click Grant to complete authentication.
Permission content
- CVM
Permission Name Permission Description cvm:DescribeInstancesViewing the list of instances - Tag
Permission Name Permission Description tag:GetResourcesByTagsQuerying the resource list by tag tag:ModifyResourceTagsBatch modifying tags associated with a resource tag:GetResourceTagsByResourceIdsQuerying tags associated with a resource - VPC
Permission Name Permission Description vpc:DescribeSubnetQuerying the list of subnets vpc:CreateNetworkInterfaceCreating an ENI vpc:DescribeNetworkInterfacesQuerying the list of ENIs vpc:AttachNetworkInterfaceBinding an ENI with a CVM vpc:DetachNetworkInterfaceUnbinding an ENI from a CVM vpc:DeleteNetworkInterfaceDeleting an ENI vpc:AssignPrivateIpAddressesApplying for private IP addresses for an ENI vpc:UnassignPrivateIpAddressesReturning the private IP addresses of an ENI vpc:MigratePrivateIpAddressMigrating the private IP addresses of an ENI vpc:DescribeSubnetExQuerying the list of subnets vpc:DescribeVpcExQuerying peering connection vpc:DescribeNetworkInterfaceLimitQuerying the ENI quota vpc:DescribeVpcPrivateIpAddressesQuerying the private IP address of a VPC
Yes
No
Was this page helpful?