Authorizing Tencent Cloud OPS Team for Troubleshooting

Last updated: 2021-11-12 14:59:34

    Tencent Cloud OPS team is not allowed to log in to your cluster for troubleshooting without your permission. If you need Tencent Cloud OPS team to assist in troubleshooting, please refer to the following steps to grant Tencent Cloud OPS team related permissions. You can cancel the permissions authorized to Tencent Cloud OPS team at any time.

    Grant permissions to Tencent Cloud though console

    1. Log in to the TKE console.
    2. On Cluster Management page, select the cluster where Tencent Cloud assistance is needed.
    3. On the cluster details page, select Authorization Management > Authorize Tencent Cloud OPS team, as shown below:
    4. On the Manage Permissions page, select the operation permissions that you want to authorize to Tencent Cloud OPS team, as shown below:
    5. Click Done. You can check the progress in My Tickets.
      Note:

      Tencent Cloud can only log in to the cluster authorized by you. You can withdraw permissions authorized to Tencent Cloud OPS team at any time by deleting relevant resources (ClusterRoleBinding/tkeopsaccount-ClusterRole, ServiceAccount/tkeopsaccount, and Sercet/tkeopsaccount-token-xxxx).

    Grant permissions to Tencent Cloud OPS team through Kubernetes API

    You can grant permissions to Tencent Cloud OPS team by creating the following Kubernetes resources.

    ServiceAccount: authorize Tencent Cloud OPS team to access cluster credential

    kind: ServiceAccount
    apiVersion: v1
    metadata:
    name: tkeopsaccount
    namespace: kube-system
    labels:
      cloud.tencent.com/tke-ops-account: tkeops
    

    ClusterRoleBinding/RoleBing: rules on granting Tencent Cloud OPS team permissions

    Note:

    1. Name and label should be created according to the following rule.
    2. roleRef can be replaced with the permissions you want to grant to Tencent Cloud OPS team.
    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
    annotations:
     cloud.tencent.com/tke-ops-account: tkeops
    labels:
     cloud.tencent.com/tke-ops-account: tkeops
    name: tkeopsaccount-ClusterRole
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: tke:admin
    subjects:
    - kind: ServiceAccount
    name: tkeopsaccount
    namespace: kube-system
    

    (Optional) ClusterRole/Role: permissions authorized to Tencent Cloud OPS team

    If there is relevant ClusterRole/Role in the cluster, you can use ClusterRoleBinding/RoleBinding to associate. Policies will be created automatically if you authorize through console.

    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
    labels:
      cloud.tencent.com/tke-rbac-generated: "true"
    name: tke:admin
    rules:
    - apiGroups:
    - '*'
    resources:
    - '*'
    verbs:
    - '*'
    - nonResourceURLs:
    - '*'
    verbs:
    - '*'