tencent cloud

Feedback

Authorizing by using custom policies

Last updated: 2020-10-10 15:04:42

    This document describes how to configure custom policies in Tencent Kubernetes Engine (TKE) and grant sub-accounts specific permissions. Reference this document to create custom policies that best fit your business requirements.

    Policy Syntax Description

    The following figure shows the structure of the policy syntax.

    • action: indicates an API.
    • resource: indicates a resource.

    Note:

    You can define the policy syntax on your own, or create a custom policy by using the policy generator in CAM. You can configure a custom policy based on the following example.

    Configuring TKE API Permissions

    This section describes multiple features, their sub-features, corresponding Tencent Cloud APIs, APIs for indirect calls, resource levels for permission control, and Action fields of clusters and node modules.

    Cluster modules

    The following table describes the mappings between features and APIs.

      Feature Sub-feature Corresponding Tencent Cloud API API for Indirect CallsResource Level for Permission Control Action Field
    Creating an empty cluster
    • Selecting a Kubernetes version
    • Selecting a runtime component
    • Selecting a VPC
    • Setting a container network
    • Selecting a custom image
    • Setting IPVS
    tke:CreateCluster cam:GetRole account:DescribeUserData account:DescribeWhiteList tag:GetTagKeys cvm:GetVmConfigQuota vpc:DescribeVpcEx cvm:DescribeImages
    • API-level permissions are required for creating a cluster.
    • VPC-level permissions are required for obtaining a VPC list.
    "tke:CreateCluster", "cam:GetRole", "tag:GetTagKeys", "cvm:GetVmConfigQuota", "vpc:DescribeVpcEx", "cvm:DescribeImages"
    Using an existing CVM to create a managed cluster
    • Creating an empty cluster to include features
    • Using an existing CVM as a node
    • Mounting a security group
    • Mounting a data disk
    • Enabling automatic adjustment
    cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs
    • API-level permissions are required for creating a cluster.
    • CVM-level permissions are required for obtaining a CVM list.
    "tke:CreateCluster", "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs"
    Using an existing CVM to create a self-deployed cluster
    • Creating an empty cluster to include features
    • Using an existing CVM as a node
    • Using an existing CVM as Control Plane & ETCD
    • Mounting a security group
    • Mounting a data disk
    • Enabling automatic adjustment
    cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs
    • API-level permissions are required for creating a cluster.
    • VPC-level permissions are required for obtaining a VPC list.
    • CVM-level permissions are required for obtaining a CVM list.
    "tke:CreateCluster", "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs"
    Automatically creating a CVM to create a managed cluster
    • Creating an empty cluster to include features
    • Purchasing a CVM as a node
    • Mounting a security group
    • Mounting a data disk
    • Enabling automatic adjustment
    cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages
    • API-level permissions are required for creating a cluster.
    • VPC-level permissions are required for obtaining a VPC list.
    "cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:CreateCluster"
    Automatically creating a CVM to create a self-deployed cluster
    • Creating an empty cluster to include features
    • Purchasing a CVM as a node
    • Purchasing a CVM as Control Plane & ETCD
    • Mounting a security group
    • Mounting a data disk
    • Enabling automatic adjustment
    cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages
    • API-level permissions are required for creating a cluster.
    • VPC-level permissions are required for obtaining a VPC list.
    "cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:CreateCluster"
    Querying a cluster list - tke:DescribeClusters - Cluster-level permissions are required for obtaining a cluster list. "tke:DescribeClusters"
    Displaying cluster credentials - tke:DescribeClusterSecurity - Cluster-level permissions are required for displaying cluster credentials. "tke:DescribeClusterSecurity"
    Enabling/Disabling the private network/Internet access URL of a cluster
    • Creating an Internet access port for a managed cluster
    • Creating a cluster access port
    • Modifying security policies for the Internet access port of a managed cluster
    • Querying the Internet access port enabling status of a managed cluster
    • Deleting the Internet access port of a managed cluster
    • Deleting a cluster access port
    tke:CreateClusterEndpointVip tke:CreateClusterEndpoint tke:ModifyClusterEndpointSP tke:DescribeClusterEndpointVipStatus tke:DescribeClusterEndpointStatus tke:DeleteClusterEndpointVip tke:DeleteClusterEndpoint - Cluster-level permissions are required for enabling or disabling cluster access. -
    Deleting a cluster - tke:DeleteCluster tke:DescribeClusterInstances tke:DescribeInstancesVersion tke:DescribeClusterStatus Cluster-level permissions are required for deleting a cluster. "tke:DescribeClusterInstances", "tke:DescribeInstancesVersion", "tke:DescribeClusterStatus", "tke:DeleteCluster"

    Node modules

    The following table describes the mappings between features and APIs.

      Feature Sub-feature Corresponding Tencent API API for Indirect CallsResource Level for Permission Control Action Field
    Adding an existing node
    • Adding an existing node to a cluster
    • Resetting a data disk
    • Setting a security group
    tke:AddExistedInstances cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs cvm:ModifyInstancesAttribute tke:DescribeClusters
    • Cluster-level permissions are required for adding an existing node.
    • CVM-level permissions are required for obtaining a CVM list.
    "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs", "tke:DescribeClusters", "tke:AddExistedInstances"
    Creating a node
    • Creating a node and adding it to a cluster
    • Resetting a data disk
    • Setting a security group
    tke:CreateClusterInstances cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages tke:DescribeClusters Cluster-level permissions are required for creating a node. "cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:DescribeClusters"
    Node list Viewing a cluster node list tke:DescribeClusterInstances cvm:DescribeInstances tke:DescribeClusters
    • Cluster-level permissions are required for viewing a node list.
    • CVM-level permissions are required for obtaining a CVM list.
    "cvm:DescribeInstances", "tke:DescribeClusters", "tke:DescribeClusterInstances"
    Deleting a node - tke:DeleteClusterInstances cvm:TerminateInstances tke:DescribeClusters
    • Cluster-level permissions are required for viewing a node list.
    • CVM-level permissions are required for obtaining a CVM list.
    • The termination policy of a node is required for terminating the node.
    "cvm:TerminateInstances", "tke:DescribeClusters", "tke:DeleteClusterInstances"
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support