When you use Tencent Kubernetes Engine (TKE), you need to authorize services to use relevant cloud resources. Each scenario usually contains policies that are defined for different roles in advance. The main roles involved are TKE_QCSRole and IPAMDofTKE_QCSRole. This document introduces the details of each authorization policy, and the authorization scenarios and authorization steps for each role.

Note：

The sample role in this document does not contain the authorization policy related to container image repositories. For more information about TKE image related permissions, please see TKE Image Registry Resource-level Permission Settings.

TKE_QCSRole

After TKE is activated, Tencent Cloud grants your account the permissions of the role TKE_QCSRole, which is associated with multiple preset policies by default. To obtain relevant permissions, you need to perform the corresponding preset policy authorization operations in specific authorization scenarios. After these operations are completed, the corresponding policy will appear in the role’s list of authorized policies. The preset policies associated with TKE_QCSRole by default include:

Default preset policies

• QcloudAccessForTKERole: the permission for TKE to access cloud resources
• QcloudAccessForTKERoleInOpsManagement: the permission for OPS management, including the log service

Other preset policies

• QcloudAccessForTKERoleInCreatingCFSStorageclass: the permission for TKE to operate on Cloud File Storage (CFS), including adding/deleting/querying CFS systems, and querying the mount targets of a file system.
• QcloudCVMFinanceAccess: CVM finance permission

Preset policy QcloudAccessForTKERole

Authorization scenario

When you log in to the TKE console for the first time after registering and logging in to a Tencent Cloud account, you need to go to the “Cloud Access Management” page to grant the current account TKE permissions for operating on CVMs, CLBs, CBS, and other cloud resources.

Authorization steps

1. Log in to the TKE console and click Cluster in the left sidebar. The Service Authorization window is displayed.
2. Click Go to Cloud Access Management to go to the Role management page.
3. Click Grant to complete authentication as shown in the figure below:
   

Permission content

• CVM

  Permission Name	Permission Description
  cvm:DescribeInstances	Querying the list of server instances
  cvm:*Cbs*	CBS-related permissions

• Tag

  Permission Name	Permission Description
  tag:*	All features related to tags

• CLB

  Permission Name	Permission Description
  clb:*	All features related to CLB

• TKE

  Permission Name	Permission Description
  ccs:DescribeCluster	Querying the cluster list
  ccs:DescribeClusterInstances	Querying information of nodes in the cluster

Preset policy QcloudAccessForTKERoleInOpsManagement

Authorization scenario

This policy is associated with TKE_QCSRole by default. After TKE is activated and TKE_QCSRole is granted, you have the permissions of various OPS-related features, including log features.

Authorization steps

This policy and the preset policy QcloudAccessForTKERole are authorized at the same time, so no extra operation is needed.

Permission content

Log service

Preset policy QcloudAccessForTKERoleInCreatingCFSStorageclass

Authorization scenario

The Tencent Cloud CFS add-on can help you use file storage in TKE clusters. When using this add-on for the first time, you need to authorize relevant resources, such as file systems in CFS, via TKE.

Authorization steps

1. Log in to the TKE console and select Add-ons in the left sidebar to go to the Add-On management page.
2. In the Add-On page, click Create.
3. On the “Create an Add-On” page, if the add-on is selected as “CFS” for the first time, click Service Authorization at the bottom of the page, as shown below:
   
4. In the displayed "Service Authorization" window, click Cloud Access Management.
5. On the "Role Management" page, click Grant to complete authentication.

Permission content

File storage

Preset policy QcloudCVMFinanceAccess

Authorization scenario

When you need to purchase a cloud disk with monthly subscription, you need to add this policy to the TKE_QCSRole to configure payment permissions. Otherwise, the creation of a PVC based on a monthly subscription storageclass may fail due to lack of payment permissions.

Authorization steps

1. Log in to the CAM console, and select Roles in the left sidebar.
2. In the role list page, click TKE_QCSRole to enter the role management page, as shown below:
   
3. Choose Associate Policy on the “TKE_QCSRole” page, and confirm the operation in the displayed “Risk Tips” window.
4. In the displayed Associate Policy window, find the policy QcloudCVMFinanceAccess and select it, as shown below:
   
5. Click OK to complete the authorization.

Permission content

IPAMDofTKE_QCSRole

IPAMDofTKE_QCSRole is the TKE IPAMD support service role. After the permissions of this role are granted, you need to associate preset policies in the authorization scenarios described in this document. After these operations are completed, the following policies will appear in the list of authorized policies of the role:

QcloudAccessForIPAMDofTKERole: the permission for TKE IPAMD to access cloud resources

Preset policy QcloudAccessForIPAMDofTKERole

Authorization scenario

When using the VPC-CNI network mode to create a cluster for the first time, you need to grant permission for TKE IPAMD to access cloud resources, so that you can use the VPC-CNI network mode normally.

Authorization steps

1. Log in to the TKE console and click Cluster in the left sidebar.
2. On the Cluster Management page, click Create or Create with a Template above the cluster list.
3. On the Create Cluster page, select VPC-CNI for Container Network Add-on in Cluster Information section, and click Service Authorization, as shown below:
   
4. In the displayed Service Authorization window, click Go to Cloud Access Management.
5. On the Role Management page, click Grant to complete authentication.

Permission content

• CVM

  Permission Name	Permission Description
  cvm:DescribeInstances	Querying the list of instances

• Tag

  Permission Name	Permission Description
  tag:GetResourcesByTags	Querying the resource list by tag
  tag:ModifyResourceTags	Batch modifying tags associated with a resource
  tag:GetResourceTagsByResourceIds	Querying tags associated with a resource

• VPC

  Permission Name	Permission Description
  vpc:DescribeSubnet	Querying the list of subnets
  vpc:CreateNetworkInterface	Creating an ENI
  vpc:DescribeNetworkInterfaces	Querying the list of ENIs
  vpc:AttachNetworkInterface	Binding an ENI with a CVM
  vpc:DetachNetworkInterface	Unbinding an ENI from a CVM
  vpc:DeleteNetworkInterface	Deleting an ENI
  vpc:AssignPrivateIpAddresses	Applying for private IP addresses for an ENI
  vpc:UnassignPrivateIpAddresses	Returning the private IP addresses of an ENI
  vpc:MigratePrivateIpAddress	Migrating the private IP addresses of an ENI
  vpc:DescribeSubnetEx	Querying the list of subnets
  vpc:DescribeVpcEx	Querying peering connection
  vpc:DescribeNetworkInterfaceLimit	Querying the ENI quota
  vpc:DescribeVpcPrivateIpAddresses	Querying the private IP address of a VPC