Tencent Kubernetes Engine

Configuring a Sub-account's Administrative Permissions to a Single TKE Cluster

Last updated: 2024-12-11 18:50:30

Overview

You can grant a user the permissions to view and use specific resources in the TKE console by using a CAM policy. This document describes how to configure the CAM policy of a single cluster in the console.

Directions

Configuring full read/write permission for a single cluster

1. Log in to the CAM console.
2. In the left sidebar, click Policies to go to the policy management page.
3. Click Create Custom Policy and select the "Create by Policy Syntax" method.
4. Select the "Blank template" type and click Next.
5. Enter a custom policy name and replace the content under "Edit policy content" with the following policy.
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "ccs:*"
            ],
            "resource": [
                "qcs::ccs:sh::cluster/cls-XXXXXXX",
                "qcs::cvm:sh::instance/*"
            ],
            "effect": "allow"
        },
        {
            "action": [
                "cvm:*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "action": [
                "vpc:*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "action": [
                "clb:*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "action": [
                "monitor:*",
                "cam:ListUsersForGroup",
                "cam:ListGroups",
                "cam:GetGroup",
                "cam:GetRole"
            ],
            "resource": "*",
            "effect": "allow"
        }
    ]
}
6. In "Edit policy content", change qcs::ccs:sh::cluster/cls-XXXXXXX to the cluster in the specified region for which you want to grant permissions. For example, to grant full read/write permission for the cls-69z7ek9l cluster in Guangzhou, change qcs::ccs:sh::cluster/cls-XXXXXXX to qcs::ccs:gz::cluster/cls-69z7ek9l.

Note:
Replace the placeholder cluster ID with the ID of the cluster in the specified region for which you want to grant permissions. If you want to allow sub-accounts to scale the cluster, you also need to configure the user payment permission for the sub-accounts.
7. Click Create a policy to complete the configuration of full read/write permission for a single cluster.

Configuring read-only permission for a single cluster

1. Log in to the CAM console.
2. In the left sidebar, click Policies to go to the policy management page.
3. Click Create Custom Policy and select the "Create by Policy Syntax" method.
4. Select the "Blank template" type and click Next.
5. Enter a custom policy name and replace the content under "Edit policy content" with the following policy.
{
    "version": "2.0",
    "statement": [
        {
            "action": [
                "ccs:Describe*",
                "ccs:Check*"
            ],
            "resource": "qcs::ccs:gz::cluster/cls-1xxxxxx",
            "effect": "allow"
        },
        {
            "action": [
                "cvm:Describe*",
                "cvm:Inquiry*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "action": [
                "vpc:Describe*",
                "vpc:Inquiry*",
                "vpc:Get*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "action": [
                "clb:Describe*"
            ],
            "resource": "*",
            "effect": "allow"
        },
        {
            "effect": "allow",
            "action": [
                "monitor:*",
                "cam:ListUsersForGroup",
                "cam:ListGroups",
                "cam:GetGroup",
                "cam:GetRole"
            ],
            "resource": "*"
        }
    ]
}
6. In "Edit policy content", change qcs::ccs:gz::cluster/cls-1xxxxxx to the cluster in the specified region for which you want to grant permissions. For example, to grant read-only permission for the cls-19a7dz9c cluster in Beijing, change qcs::ccs:gz::cluster/cls-1xxxxxx to qcs::ccs:bj::cluster/cls-19a7dz9c.

7. Click Create a policy to complete the configuration of read-only permission for a single cluster.
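The substitution in step 6 of both procedures can be scripted and checked before the policy is pasted into the console. The following is an added example, not Tencent Cloud's own tooling: it points the ccs cluster resource at one cluster, rejects an unreplaced placeholder, and lists the allow statements whose resource is "*" and are therefore not limited to that cluster. The function names and the ID/region patterns are assumptions inferred from this page's examples.

```python
import copy
import json
import re

# Assumption: formats inferred from the page's examples (gz/sh/bj, cls-69z7ek9l).
REGION_RE = re.compile(r"^[a-z]{2,}$")
CLUSTER_RE = re.compile(r"^cls-[a-z0-9]+$")
CCS_CLUSTER_RE = re.compile(r"^qcs::ccs:[^:]*::cluster/.+$")

# Constructed sample: first two statements of the page's full read/write template.
TEMPLATE = {
    "version": "2.0",
    "statement": [
        {"action": ["ccs:*"],
         "resource": ["qcs::ccs:sh::cluster/cls-XXXXXXX", "qcs::cvm:sh::instance/*"],
         "effect": "allow"},
        {"action": ["cvm:*"], "resource": "*", "effect": "allow"},
    ],
}


def as_list(value):
    """CAM policies on this page use either a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def scope_to_cluster(template, region, cluster_id):
    """Return a copy with every ccs cluster resource pointed at one cluster."""
    if not REGION_RE.match(region) or not CLUSTER_RE.match(cluster_id):
        raise ValueError("unexpected region or cluster ID format")
    policy = copy.deepcopy(template)
    target = f"qcs::ccs:{region}::cluster/{cluster_id}"
    for stmt in policy["statement"]:
        stmt["resource"] = [target if CCS_CLUSTER_RE.match(r) else r
                            for r in as_list(stmt["resource"])]
    return policy


def account_wide_actions(policy):
    """Actions of allow statements whose resource is "*" (not cluster-scoped)."""
    return [a for s in policy["statement"]
            if s["effect"] == "allow" and "*" in as_list(s["resource"])
            for a in as_list(s["action"])]


if __name__ == "__main__":
    policy = scope_to_cluster(TEMPLATE, "gz", "cls-69z7ek9l")
    print(json.dumps(policy, indent=4))
    print("applies to all resources:", account_wide_actions(policy))
```

Loading either full template from this page with `json.loads` in place of `TEMPLATE` works the same way.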
