When you use Tencent Kubernetes Engine (TKE), you need to authorize the service to use the relevant cloud resources on your behalf. Each authorization scenario comes with policies that are defined in advance for a particular role. The main roles involved are TKE_QCSRole and IPAMDofTKE_QCSRole. This document describes each authorization policy, the scenario in which it is needed, and the authorization steps for each role.
Note:
The sample roles in this document do not include the authorization policies related to container image repositories. For those, see TKE Image Registry Resource-level Permission Settings.
After TKE is activated, Tencent Cloud grants your account the role TKE_QCSRole, which is associated with several preset policies by default. Some of these policies are only attached when you complete the corresponding authorization step in a specific scenario; once that step is done, the policy appears in the role's list of authorized policies. The preset policies associated with TKE_QCSRole are:
QcloudAccessForTKERole: the permission for TKE to access cloud resources
QcloudAccessForTKERoleInOpsManagement: the permission for OPS management, including the log service
QcloudAccessForTKERoleInCreatingCFSStorageclass: the permission for TKE to operate on Cloud File Storage (CFS), including creating, deleting and querying file systems and querying a file system's mount targets
QcloudCVMFinanceAccess: CVM finance permission
When you log in to the Tencent Kubernetes Engine console for the first time after registering a Tencent Cloud account, you are directed to the Cloud Access Management page to grant TKE the permissions it needs to operate on CVM, CLB, CBS and other cloud resources. This attaches the preset policy QcloudAccessForTKERole, which contains the permissions below. Note that cvm:*Cbs*, tag:* and clb:* are wildcard patterns: `*` matches any run of characters in the action name, so each of them covers every current and future action of that service that fits the pattern, not just the ones that exist today.

CVM:

Permission Name | Permission Description |
---|---|
cvm:DescribeInstances | Querying the list of server instances |
cvm:*Cbs* | CBS-related permissions |

TAG:

Permission Name | Permission Description |
---|---|
tag:* | All tag-related features |

CLB:

Permission Name | Permission Description |
---|---|
clb:* | All CLB-related features |

TKE:

Permission Name | Permission Description |
---|---|
ccs:DescribeCluster | Querying the cluster list |
ccs:DescribeClusterInstances | Querying cluster node information |
The policy QcloudAccessForTKERoleInOpsManagement is associated with TKE_QCSRole by default. After TKE is activated and TKE_QCSRole is granted, you have the permissions for the OPS-related features, including logging. This policy is authorized at the same time as the preset policy QcloudAccessForTKERole, so no extra operation is needed. It contains the following Cloud Log Service (CLS) permissions.
Log service issues
Permission Name | Permission Description |
---|---|
cls:listTopic | Displaying the list of log topics under a specified logset |
cls:getTopic | Viewing log topic information |
cls:createTopic | Creating a log topic |
cls:modifyTopic | Modifying a log topic |
cls:deleteTopic | Deleting a log topic |
cls:listLogset | Displaying the logset list |
cls:getLogset | Viewing logset information |
cls:createLogset | Creating a logset |
cls:modifyLogset | Modifying a logset |
cls:deleteLogset | Deleting a logset |
cls:listMachineGroup | Displaying the server group list |
cls:getMachineGroup | Viewing server group information |
cls:createMachineGroup | Creating a server group |
cls:modifyMachineGroup | Modifying a server group |
cls:deleteMachineGroup | Deleting a server group |
cls:getMachineStatus | Viewing server group status |
cls:pushLog | Uploading logs |
cls:searchLog | Querying logs |
cls:downloadLog | Downloading logs |
cls:getCursor | Getting the cursor based on time |
cls:getIndex | Viewing indexes |
cls:modifyIndex | Modifying indexes |
cls:agentHeartBeat | Heartbeat |
cls:getConfig | Getting the pusher configuration information |
The Tencent Cloud CFS add-on lets you use file storage in TKE clusters. The first time you use this add-on, you need to authorize TKE to operate on the relevant resources, such as CFS file systems. This attaches the preset policy QcloudAccessForTKERoleInCreatingCFSStorageclass to TKE_QCSRole; it contains only the four CFS permissions listed below.
File storage issues
Permission Name | Permission Description |
---|---|
cfs:CreateCfsFileSystem | Creating a file system |
cfs:DescribeCfsFileSystems | Querying a file system |
cfs:DescribeMountTargets | Querying mount targets of a file system |
cfs:DeleteCfsFileSystem | Deleting a file system |
When you purchase cloud disks on a monthly subscription basis, you need to add this policy to TKE_QCSRole to grant it payment permission. Otherwise, creating a PVC from a monthly-subscription StorageClass may fail for lack of payment permission. Search for the policy QcloudCVMFinanceAccess and select it. It contains the following permission; note that finance:* is a wildcard over the whole finance service.

Permission Name | Permission Description |
---|---|
finance:* | CVM finance permission |
IPAMDofTKE_QCSRole is the service role for TKE IPAMD (the IP address management daemon used by the VPC-CNI network mode). After this role is granted, you associate its preset policy in the authorization scenario described below. Once that is done, the following policy appears in the role's list of authorized policies:
QcloudAccessForIPAMDofTKERole: the permission for TKE IPAMD to access cloud resources
When you create a cluster in VPC-CNI network mode for the first time, you must first grant TKE IPAMD permission to access cloud resources; otherwise the VPC-CNI network mode cannot work. The policy QcloudAccessForIPAMDofTKERole contains the permissions below. Unlike the tag:* wildcard in QcloudAccessForTKERole, this policy lists the three tag actions it needs explicitly.

CVM:

Permission Name | Permission Description |
---|---|
cvm:DescribeInstances | Querying the list of instances |

TAG:

Permission Name | Permission Description |
---|---|
tag:GetResourcesByTags | Querying the resource list by tag |
tag:ModifyResourceTags | Batch modifying the tags associated with a resource |
tag:GetResourceTagsByResourceIds | Querying the tags associated with a resource |

VPC:

Permission Name | Permission Description |
---|---|
vpc:DescribeSubnet | Querying the list of subnets |
vpc:CreateNetworkInterface | Creating an ENI |
vpc:DescribeNetworkInterfaces | Querying the list of ENIs |
vpc:AttachNetworkInterface | Binding an ENI to a CVM |
vpc:DetachNetworkInterface | Unbinding an ENI from a CVM |
vpc:DeleteNetworkInterface | Deleting an ENI |
vpc:AssignPrivateIpAddresses | Applying for private IP addresses for an ENI |
vpc:UnassignPrivateIpAddresses | Returning the private IP addresses of an ENI |
vpc:MigratePrivateIpAddress | Migrating the private IP addresses of an ENI |
vpc:DescribeSubnetEx | Querying the list of subnets |
vpc:DescribeVpcEx | Querying peering connection |
vpc:DescribeNetworkInterfaceLimit | Querying the ENI quota |
vpc:DescribeVpcPrivateIpAddresses | Querying the private IP addresses of a VPC |