- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Quick Start
- User Guide
- High-risk Operations of Container Service
- Deploying Containerized Applications in the Cloud
- Kubernetes API Operation Guide
- Open Source Components
- Cluster Management
- Cluster Overview
- Cluster Hosting Modes Introduction
- Cluster Lifecycle
- TKE-Optimized Series Images
- Creating a Cluster
- Deleting a Cluster
- Cluster Scaling
- Connecting to a Cluster
- Upgrading a Cluster
- Enabling IPVS for a Cluster
- Enabling GPU Scheduling for a Cluster
- CVM Container Cluster Network
- Custom Kubernetes Component Launch Parameters
- Node Management
- Node Pool Management
- Kubernetes Object Management
- Overview
- Namespace
- Workload
- Deployment Management
- StatefulSet Management
- DaemonSet Management
- Job Management
- CronJob Management
- Setting the Resource Limit of Workload
- Setting the Scheduling Rule for a Workload
- Setting the Health Check for a Workload
- Setting the Run Command and Parameter for a Workload
- Using a Container Image in a TCR Enterprise Instance to Create a Workload
- Auto Scaling
- Configuration
- Virtual Node Management
- Service Management
- Ingress Management
- Storage Management
- Add-On Management
- Helm Application
- Network Management
- Application Market
- OPS Center
- Remote Terminals
- Elastic Cluster Guide
- Edge Cluster Guide
- Best Practices
- Cluster
- Cluster Migration
- EKS Cluster
- Security
- Service Deployment
- Network
- Using Network Policy for Network Access Control
- Deploying NGINX Ingress on TKE
- Using NodeLocal DNS Cache in a TKE Cluster
- Nginx Ingress High-Concurrency Practices
- Limiting the bandwidth on pods in TKE
- Directly connecting TKE to the CLB of pods based on the ENI
- Use CLB-Pod Direct Connection on TKE
- Obtaining the Real Client Source IP in TKE
- Implementing Custom Domain Name Resolution in TKE
- Using Traefik Ingress in TKE
- Release
- Logs
- Monitoring
- OPS
- Removing and Re-adding Nodes from and to Cluster
- Using Ansible to Batch Operate TKE Nodes
- Using Cluster Audit for Troubleshooting
- Using cert-manager to Issue Free Certificates
- Using the TKE NPDPlus Plug-In to Enhance the Self-Healing Capability of Nodes
- Using kubecm to Manage Multiple Clusters kubeconfig
- Customizing RBAC Authorization in TKE
- DevOps
- Auto Scaling
- Cluster Auto Scaling Practices
- Using tke-autoscaling-placeholder to Implement Auto Scaling in Seconds
- Installing metrics-server on TKE
- Using Custom Metrics for Auto Scaling in TKE
- Utilizing HPA to Auto Scale Businesses on TKE
- Using VPA to Realize Pod Scaling up and Scaling down in TKE
- Adjusting HPA Scaling Sensitivity Based on Different Business Scenarios
- Storage
- Containerization
- Cost Management
- Permission Management
- Overview
- Description of Role Permissions Related to Service Authorization
- TKE Image Registry Resource-level Permission Settings
- Controlling TKE cluster-level permissions
- TKE Kubernetes Object-level Permission Control
- Fault Handling
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Cluster APIs
- DescribeClusterKubeconfig
- DescribeClusters
- CreateCluster
- DescribeClusterSecurity
- DeleteCluster
- ModifyClusterEndpointSP
- DescribeClusterEndpointVipStatus
- DescribeClusterEndpointStatus
- DeleteClusterEndpointVip
- DeleteClusterEndpoint
- CreateClusterEndpointVip
- CreateClusterEndpoint
- ModifyClusterAttribute
- AcquireClusterAdminRole
- UpgradeClusterInstances
- UpdateClusterVersion
- GetUpgradeInstanceProgress
- DescribeAvailableClusterVersion
- DescribeClusterCommonNames
- Node APIs
- Network APIs
- Scaling group APIs
- Cloud Native Monitoring APIs
- Node Pool APIs
- DescribeClusterAsGroupOption
- RemoveNodeFromNodePool
- ModifyClusterNodePool
- DescribeClusterNodePools
- DescribeClusterNodePoolDetail
- DeleteClusterNodePool
- CreateClusterNodePoolFromExistingAsg
- CreateClusterNodePool
- AddNodeToNodePool
- ModifyClusterAsGroupOptionAttribute
- SetNodePoolNodeProtection
- ModifyNodePoolInstanceTypes
- Other APIs
- Data Types
- Error Codes
- API Mapping Guide
- FAQs
- User Guide(Old)
- Service Level Agreement
- Glossary
- Release Notes and Announcements
- Product Introduction
- Purchase Guide
- Quick Start
- User Guide
- High-risk Operations of Container Service
- Deploying Containerized Applications in the Cloud
- Kubernetes API Operation Guide
- Open Source Components
- Cluster Management
- Cluster Overview
- Cluster Hosting Modes Introduction
- Cluster Lifecycle
- TKE-Optimized Series Images
- Creating a Cluster
- Deleting a Cluster
- Cluster Scaling
- Connecting to a Cluster
- Upgrading a Cluster
- Enabling IPVS for a Cluster
- Enabling GPU Scheduling for a Cluster
- CVM Container Cluster Network
- Custom Kubernetes Component Launch Parameters
- Node Management
- Node Pool Management
- Kubernetes Object Management
- Overview
- Namespace
- Workload
- Deployment Management
- StatefulSet Management
- DaemonSet Management
- Job Management
- CronJob Management
- Setting the Resource Limit of Workload
- Setting the Scheduling Rule for a Workload
- Setting the Health Check for a Workload
- Setting the Run Command and Parameter for a Workload
- Using a Container Image in a TCR Enterprise Instance to Create a Workload
- Auto Scaling
- Configuration
- Virtual Node Management
- Service Management
- Ingress Management
- Storage Management
- Add-On Management
- Helm Application
- Network Management
- Application Market
- OPS Center
- Remote Terminals
- Elastic Cluster Guide
- Edge Cluster Guide
- Best Practices
- Cluster
- Cluster Migration
- EKS Cluster
- Security
- Service Deployment
- Network
- Using Network Policy for Network Access Control
- Deploying NGINX Ingress on TKE
- Using NodeLocal DNS Cache in a TKE Cluster
- Nginx Ingress High-Concurrency Practices
- Limiting the bandwidth on pods in TKE
- Directly connecting TKE to the CLB of pods based on the ENI
- Use CLB-Pod Direct Connection on TKE
- Obtaining the Real Client Source IP in TKE
- Implementing Custom Domain Name Resolution in TKE
- Using Traefik Ingress in TKE
- Release
- Logs
- Monitoring
- OPS
- Removing and Re-adding Nodes from and to Cluster
- Using Ansible to Batch Operate TKE Nodes
- Using Cluster Audit for Troubleshooting
- Using cert-manager to Issue Free Certificates
- Using the TKE NPDPlus Plug-In to Enhance the Self-Healing Capability of Nodes
- Using kubecm to Manage Multiple Clusters kubeconfig
- Customizing RBAC Authorization in TKE
- DevOps
- Auto Scaling
- Cluster Auto Scaling Practices
- Using tke-autoscaling-placeholder to Implement Auto Scaling in Seconds
- Installing metrics-server on TKE
- Using Custom Metrics for Auto Scaling in TKE
- Utilizing HPA to Auto Scale Businesses on TKE
- Using VPA to Realize Pod Scaling up and Scaling down in TKE
- Adjusting HPA Scaling Sensitivity Based on Different Business Scenarios
- Storage
- Containerization
- Cost Management
- Permission Management
- Overview
- Description of Role Permissions Related to Service Authorization
- TKE Image Registry Resource-level Permission Settings
- Controlling TKE cluster-level permissions
- TKE Kubernetes Object-level Permission Control
- Fault Handling
- API Documentation
- History
- Introduction
- API Category
- Making API Requests
- Cluster APIs
- DescribeClusterKubeconfig
- DescribeClusters
- CreateCluster
- DescribeClusterSecurity
- DeleteCluster
- ModifyClusterEndpointSP
- DescribeClusterEndpointVipStatus
- DescribeClusterEndpointStatus
- DeleteClusterEndpointVip
- DeleteClusterEndpoint
- CreateClusterEndpointVip
- CreateClusterEndpoint
- ModifyClusterAttribute
- AcquireClusterAdminRole
- UpgradeClusterInstances
- UpdateClusterVersion
- GetUpgradeInstanceProgress
- DescribeAvailableClusterVersion
- DescribeClusterCommonNames
- Node APIs
- Network APIs
- Scaling group APIs
- Cloud Native Monitoring APIs
- Node Pool APIs
- DescribeClusterAsGroupOption
- RemoveNodeFromNodePool
- ModifyClusterNodePool
- DescribeClusterNodePools
- DescribeClusterNodePoolDetail
- DeleteClusterNodePool
- CreateClusterNodePoolFromExistingAsg
- CreateClusterNodePool
- AddNodeToNodePool
- ModifyClusterAsGroupOptionAttribute
- SetNodePoolNodeProtection
- ModifyNodePoolInstanceTypes
- Other APIs
- Data Types
- Error Codes
- API Mapping Guide
- FAQs
- User Guide(Old)
- Service Level Agreement
- Glossary
Description of Role Permissions Related to Service Authorization
Last updated: 2021-06-08 15:49:57
When you use Tencent Kubernetes Engine (TKE), you need to authorize services to use relevant cloud resources. Each scenario usually contains policies that are defined for different roles in advance. The main roles involved are TKE_QCSRole and IPAMDofTKE_QCSRole. This document introduces the details of each authorization policy, and the authorization scenarios and authorization steps for each role.
Note:The sample role in this document does not contain the authorization policy related to container image repositories. For more information about TKE image related permissions, please see TKE Image Registry Resource-level Permission Settings.
TKE_QCSRole
After TKE is activated, Tencent Cloud grants your account the permissions of the role TKE_QCSRole, which is associated with multiple preset policies by default. To obtain relevant permissions, you need to perform the corresponding preset policy authorization operations in specific authorization scenarios. After these operations are completed, the corresponding policy will appear in the role’s list of authorized policies. The preset policies associated with TKE_QCSRole by default include:
The default associated preset policies
QcloudAccessForTKERole: the permission for TKE to access cloud resourcesQcloudAccessForTKERoleInOpsManagement: the permission for OPS management, including the log service
Other associated preset policies
QcloudAccessForTKERoleInCreatingCFSStorageclass: the permission for TKE to operate on Cloud File Storage (CFS), including adding/deleting/querying CFS systems, and querying the mount targets of a file system.QcloudCVMFinanceAccess: CVM finance permission
Preset policy QcloudAccessForTKERole
Authorization scenario
When you log in to the TKE console for the first time after registering and logging in to a Tencent Cloud account, you need to go to the “Cloud Access Management” page to grant the current account TKE permissions for operating on CVMs, CLBs, CBS, and other cloud resources.
Authorization steps
- Log in to the TKE console and click Cluster in the left sidebar. The "Service Authorization" window is displayed.
- Click Go to Cloud Access Management to go to the Role management page.
- Click Grant to complete authentication.
Permission content
- CVM
Permission Name Permission Description cvm:DescribeInstancesQuerying the list of server instances cvm:*Cbs*CBS-related permissions - Tag
Permission Name Permission Description tag:*All features related to tags - CLB
Permission Name Permission Description clb:*All features related to CLB - TKE
Permission Name Permission Description ccs:DescribeClusterQuerying a cluster list ccs:DescribeClusterInstancesQuerying cluster node information
Preset policy QcloudAccessForTKERoleInOpsManagement
Authorization scenario
This policy is associated with TKE_QCSRole by default. After TKE is activated and TKE_QCSRole is granted, you have the permissions of various OPS-related features, including log features.
Authorization Steps
This policy and the preset policy QcloudAccessForTKERole are authorized at the same time, so no extra operation is needed.
Permission content
Log service
| Permission Name | Permission Description |
|---|---|
cls:listTopic |
Displaying the list of log topics under a specified logset |
cls:getTopic |
Viewing log topic information |
cls:createTopic |
Creating a log topic |
cls:modifyTopic |
Modifying a log topic |
cls:deleteTopic |
Deleting a log topic |
cls:listLogset |
Displaying the logset list |
cls:getLogset |
Viewing logset information |
cls:createLogset |
Creating a logset |
cls:modifyLogset |
Modifying a logset |
cls:deleteLogset |
Deleting a logset |
cls:listMachineGroup |
Displaying the server group list |
cls:getMachineGroup |
Viewing server group information |
cls:createMachineGroup |
Creating a server group |
cls:modifyMachineGroup |
Modifying a server group |
cls:deleteMachineGroup |
Deleting a server group |
cls:getMachineStatus |
Viewing server group status |
cls:pushLog |
Uploading logs |
cls:searchLog |
Querying logs |
cls:downloadLog |
Downloading logs |
cls:getCursor |
Getting the cursor based on time |
cls:getIndex |
Viewing indexes |
cls:modifyIndex |
Modifying indexes |
cls:agentHeartBeat |
Heartbeat |
cls:getConfig |
Getting the pusher configuration information |
Preset policy QcloudAccessForTKERoleInCreatingCFSStorageclass
Authorization scenario
The Tencent Cloud CFS add-on can help you use file storage in TKE clusters. When using this add-on for the first time, you need to authorize relevant resources, such as file systems in CFS, via TKE.
Authorization Steps
- Log in to the TKE console and select Add-ons in the left sidebar to go to the “Add-On” management page.
- In the “Add-On” page, click Create.
- On the “Create an Add-On” page, if the add-on is selected as “CFS” for the first time, click Service Authorization at the bottom of the page.
- In the displayed "Service Authorization" window, click Cloud Access Management.
- On the "Role Management" page, click Grant to complete authentication.
Permission content
File storage
| Permission Name | Permission Description |
|---|---|
| cfs:CreateCfsFileSystem | Creating a file system |
| cfs:DescribeCfsFileSystems | Querying a file system |
| cfs:DescribeMountTargets | Querying mount targets of a file system |
| cfs:DeleteCfsFileSystem | Deletes a file system |
Preset policy QcloudCVMFinanceAccess
Authorization scenario
When you need to purchase a cloud disk with monthly subscription, you need to add this policy to the TKE_QCSRole to configure payment permissions. Otherwise, the creation of a PVC based on a monthly subscription storageclass may fail due to lack of payment permissions.
Authorization Steps
- Log in to the CAM console, and select Roles in the left sidebar.
- In the role list page, click TKE_QCSRole to enter the role management page.
- Choose Associate Policy on the “TKE_QCSRole” page, and confirm the operation in the displayed “Risk Tips” window.
- In the displayed “Associate Policy” window, find the policy
QcloudCVMFinanceAccessand select it. - Click OK to complete the authorization.
Permission content
| Permission Name | Permission Description |
|---|---|
finance:* |
CVM finance permission |
IPAMDofTKE_QCSRole
IPAMDofTKE_QCSRole is the TKE IPAMD support service role. After the permissions of this role are granted, you need to associate preset policies in the authorization scenarios described in this document. After these operations are completed, the following policies will appear in the list of authorized policies of the role:
QcloudAccessForIPAMDofTKERole: the permission for TKE IPAMD to access cloud resources
Preset policy QcloudAccessForIPAMDofTKERole
Authorization scenario
When using the VPC-CNI network mode to create a cluster for the first time, you need to grant permission for TKE IPAMD to access cloud resources, so that you can use the VPC-CNI network mode normally.
Authorization Steps
- Log in to the TKE console and click Cluster in the left sidebar.
- On the "Cluster Management" page, click Create or Create with a Template above the cluster list.
- In the "Create Cluster" page, select VPC-CNI for Container Network Add-on in "Cluster Information" section, and click "Service Authorization".
- In the displayed "Service Authorization" window, click Go to Cloud Access Management.
- On the "Role Management" page, click Grant to complete authentication.
Permission content
- CVM
Permission Name Permission Description cvm:DescribeInstancesViewing the list of instances - Tag
Permission Name Permission Description tag:GetResourcesByTagsQuerying the resource list by tag tag:ModifyResourceTagsBatch modifying tags associated with a resource tag:GetResourceTagsByResourceIdsQuerying tags associated with a resource - VPC
Permission Name Permission Description vpc:DescribeSubnetQuerying the list of subnets vpc:CreateNetworkInterfaceCreating an ENI vpc:DescribeNetworkInterfacesQuerying the list of ENIs vpc:AttachNetworkInterfaceBinding an ENI with a CVM vpc:DetachNetworkInterfaceUnbinding an ENI from a CVM vpc:DeleteNetworkInterfaceDeleting an ENI vpc:AssignPrivateIpAddressesApplying for private IP addresses for an ENI vpc:UnassignPrivateIpAddressesReturning the private IP addresses of an ENI vpc:MigratePrivateIpAddressMigrating the private IP addresses of an ENI vpc:DescribeSubnetExQuerying the list of subnets vpc:DescribeVpcExQuerying peering connection vpc:DescribeNetworkInterfaceLimitQuerying the ENI quota vpc:DescribeVpcPrivateIpAddressesQuerying the private IP address of a VPC
Yes
No
Was this page helpful?