The Tencent Cloud OPS team cannot log in to your cluster for troubleshooting without your permission. If you need the Tencent Cloud OPS team to assist in troubleshooting, follow the steps below to grant it the required permissions. You can revoke the permissions granted to the Tencent Cloud OPS team at any time.
Tencent Cloud can only log in to a cluster you have authorized. You can withdraw the permissions granted to the Tencent Cloud OPS team at any time by deleting the relevant resources (ClusterRoleBinding/tkeopsaccount-ClusterRole, ServiceAccount/tkeopsaccount, and Secret/tkeopsaccount-token-xxxx).
You can grant permissions to Tencent Cloud OPS team by creating the following Kubernetes resources.
# ServiceAccount the OPS team authenticates as; the label marks it as the TKE OPS grant.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: tkeopsaccount
  namespace: kube-system
  labels:
    cloud.tencent.com/tke-ops-account: tkeops
---
# Binds the account to the tke:admin ClusterRole cluster-wide.
# rbac.authorization.k8s.io/v1beta1 (as originally listed here) was removed in
# Kubernetes 1.22; v1 is accepted on every supported version.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  annotations:
    cloud.tencent.com/tke-ops-account: tkeops
  labels:
    cloud.tencent.com/tke-ops-account: tkeops
  name: tkeopsaccount-ClusterRole
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: tke:admin
subjects:
- kind: ServiceAccount
  name: tkeopsaccount
  namespace: kube-system
If a suitable ClusterRole or Role already exists in the cluster, you can bind it with a ClusterRoleBinding or RoleBinding instead. If you authorize through the console, the policies below are created automatically.
# tke:admin allows every verb on every resource in every API group and on all
# non-resource URLs, so this grant is equivalent to cluster-admin. Revoke it
# by deleting the resources listed above once troubleshooting is complete.
# (v1beta1 was removed in Kubernetes 1.22; v1 is used here.)
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    cloud.tencent.com/tke-rbac-generated: "true"
  name: tke:admin
rules:
- apiGroups:
  - '*'
  resources:
  - '*'
  verbs:
  - '*'
- nonResourceURLs:
  - '*'
  verbs:
  - '*'
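As an added example (not Tencent Cloud's own tooling), the following Python audits a `kubectl get clusterrolebindings -o json` dump for subjects bound to tke:admin or cluster-admin, flags the OPS grant by its label, and emits the kubectl deletions that withdraw it. The input is a constructed sample, and the token Secret's random suffix is left as a `<suffix>` placeholder.

```python
import json

OPS_LABEL = "cloud.tencent.com/tke-ops-account"
ADMIN_ROLES = ("tke:admin", "cluster-admin")

# Constructed sample shaped like `kubectl get clusterrolebindings -o json`:
# the OPS binding from this page plus one unrelated system binding.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "tkeopsaccount-ClusterRole", "labels": {OPS_LABEL: "tkeops"}},
     "roleRef": {"kind": "ClusterRole", "name": "tke:admin"},
     "subjects": [{"kind": "ServiceAccount", "name": "tkeopsaccount",
                   "namespace": "kube-system"}]},
    {"metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]})


def admin_grants(crb_list_json):
    """List every subject bound to an admin-level ClusterRole; subject is
    kind/namespace/name ("-" namespace for users and groups)."""
    grants = []
    for crb in json.loads(crb_list_json).get("items", []):
        role = crb.get("roleRef", {})
        if role.get("kind") != "ClusterRole" or role.get("name") not in ADMIN_ROLES:
            continue
        labels = crb["metadata"].get("labels") or {}
        for s in crb.get("subjects") or []:
            grants.append({
                "binding": crb["metadata"]["name"],
                "role": role["name"],
                "subject": f"{s['kind']}/{s.get('namespace', '-')}/{s['name']}",
                "tke_ops": labels.get(OPS_LABEL) == "tkeops",  # the grant on this page
            })
    return grants


def revoke_commands(grants):
    """kubectl commands that withdraw each OPS grant: binding, ServiceAccount
    and token Secret (read the real suffix from `kubectl -n <ns> get secret`)."""
    cmds = []
    for g in grants:
        if not g["tke_ops"]:
            continue
        kind, ns, name = g["subject"].split("/")
        cmds.append(f"kubectl delete clusterrolebinding {g['binding']}")
        if kind == "ServiceAccount":
            cmds.append(f"kubectl -n {ns} delete serviceaccount {name}")
            cmds.append(f"kubectl -n {ns} delete secret {name}-token-<suffix>")
    return cmds
```

Run it against a live dump with `kubectl get clusterrolebindings -o json` piped into `admin_grants` to confirm that only the OPS account holds tke:admin, and that the list is empty again after revocation.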