Authorizing Tencent Cloud OPS Team for Troubleshooting

Last updated: 2021-09-01 17:30:52

    Tencent Cloud OPS team is not allowed to log in to your cluster for troubleshooting without your permission. If you need Tencent Cloud OPS team to assist in troubleshooting, please refer to the following steps to grant Tencent Cloud OPS team related permissions. You can cancel the permissions at any time.

    Grant permissions to Tencent Cloud though console

    1. Log in to the Tencent Cloud TKE console

    2. Open the details page of the target cluster

    3. Enter the permission management page

    4. Click Authorize Tencent Cloud OPS team

    5. Select the permissions to be granted to Tencent Cloud OPS team

    6. Wait for the ticket reply or response from customer service

    7. Cancel the permissions

    Note:

    Tencent Cloud OPS team is only allowed to log in to the cluster authorized by you. You can withdraw permissions authorized to Tencent Cloud OPS team at any time by deleting relevant resources (ClusterRoleBinding/tkeopsaccount-ClusterRole, ServiceAccount/tkeopsaccount, and Sercet/tkeopsaccount-token-xxxx).

    Grant permissions to Tencent Cloud OPS team through Kubernetes API

    You can grant permissions to Tencent Cloud OPS team by creating the following kubernetes resources.

    ServiceAccount: authorize Tencent Cloud OPS team to access cluster credential

    kind: ServiceAccount
    apiVersion: v1
    metadata:
    name: tkeopsaccount
    namespace: kube-system
    labels:
      cloud.tencent.com/tke-ops-account: tkeops
    

    ClusterRoleBinding/RoleBing: rules on granting Tencent Cloud OPS team permissions

    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRoleBinding
    metadata:
    annotations:
      cloud.tencent.com/tke-ops-account: tkeops
    labels:
      cloud.tencent.com/tke-ops-account: tkeops
    name: tkeopsaccount-ClusterRole
    roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: tke:admin
    subjects:
    - kind: ServiceAccount
    name: tkeopsaccount
    namespace: kube-system
    
    1. Names and labels should be created according to above rules
    2. roleRef can be replaced with the permissions you want to grant to Tencent Cloud OPS team

    (Optional) ClusterRole/Role specifies the permission to be granted to Tencent Cloud OPS team

    If there is relevant ClusterRole/Role in the cluster, you can use ClusterRoleBinding/RoleBinding to associate.Policies will be created automatically if you authorize through console.

    apiVersion: rbac.authorization.k8s.io/v1beta1
    kind: ClusterRole
    metadata:
    labels:
    cloud.tencent.com/tke-rbac-generated: "true"
    name: tke:admin
    rules:
    - apiGroups:
    - '*'
    resources:
    - '*'
    verbs:
    - '*'
    - nonResourceURLs:
    - '*'
    verbs:
    - '*'