This document describes how to configure custom policies in Tencent Kubernetes Engine (TKE) and grant sub-accounts specific permissions. Reference this document to create custom policies that best fit your business requirements.
The following figure shows the structure of the policy syntax.
Note:
You can define the policy syntax on your own, or create a custom policy by using the policy generator in CAM. You can configure a custom policy based on the following example.
This section describes multiple features, their sub-features, corresponding Tencent Cloud APIs, APIs for indirect calls, resource levels for permission control, and Action fields of clusters and node modules.
The following table describes the mappings between features and APIs.
Feature | Sub-feature | Corresponding Tencent Cloud API | API for Indirect Calls | Resource Level for Permission Control | Action Field |
---|---|---|---|---|---|
Creating an empty cluster |
|
tke:CreateCluster | cam:GetRole account:DescribeUserData account:DescribeWhiteList tag:GetTagKeys cvm:GetVmConfigQuota vpc:DescribeVpcEx cvm:DescribeImages |
|
"tke:CreateCluster", "cam:GetRole", "tag:GetTagKeys", "cvm:GetVmConfigQuota", "vpc:DescribeVpcEx", "cvm:DescribeImages" |
Using an existing CVM to create a managed cluster |
|
cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs |
|
"tke:CreateCluster", "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs" | |
Using an existing CVM to create a self-deployed cluster |
|
cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs |
|
"tke:CreateCluster", "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs" | |
Automatically creating a CVM to create a managed cluster |
|
cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages |
|
"cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:CreateCluster" | |
Automatically creating a CVM to create a self-deployed cluster |
|
cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages |
|
"cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:CreateCluster" | |
Querying a cluster list | - | tke:DescribeClusters | - | Cluster-level permissions are required for obtaining a cluster list. | "tke:DescribeClusters" |
Displaying cluster credentials | - | tke:DescribeClusterSecurity | - | Cluster-level permissions are required for displaying cluster credentials. | "tke:DescribeClusterSecurity" |
Enabling/Disabling the private network/Internet access URL of a cluster |
|
tke:CreateClusterEndpointVip tke:CreateClusterEndpoint tke:ModifyClusterEndpointSP tke:DescribeClusterEndpointVipStatus tke:DescribeClusterEndpointStatus tke:DeleteClusterEndpointVip tke:DeleteClusterEndpoint | - | Cluster-level permissions are required for enabling or disabling cluster access. | - |
Deleting a cluster | - | tke:DeleteCluster | tke:DescribeClusterInstances tke:DescribeInstancesVersion tke:DescribeClusterStatus | Cluster-level permissions are required for deleting a cluster. | "tke:DescribeClusterInstances", "tke:DescribeInstancesVersion", "tke:DescribeClusterStatus", "tke:DeleteCluster" |
The following table describes the mappings between features and APIs.
Feature | Sub-feature | Corresponding Tencent API | API for Indirect Calls | Resource Level for Permission Control | Action Field |
---|---|---|---|---|---|
Adding an existing node |
|
tke:AddExistedInstances | cvm:DescribeInstances vpc:DescribeSubnetEx cvm:DescribeSecurityGroups vpc:DescribeVpcEx cvm:DescribeImages cvm:ResetInstance cvm:DescribeKeyPairs cvm:ModifyInstancesAttribute tke:DescribeClusters |
|
"cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs", "tke:DescribeClusters", "tke:AddExistedInstances" |
Creating a node |
|
tke:CreateClusterInstances | cvm:DescribeSecurityGroups cvm:DescribeKeyPairs cvm:RunInstances vpc:DescribeSubnetEx vpc:DescribeVpcEx cvm:DescribeImages tke:DescribeClusters | Cluster-level permissions are required for creating a node. | "cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:DescribeClusters" |
Node list | Viewing a cluster node list | tke:DescribeClusterInstances | cvm:DescribeInstances tke:DescribeClusters |
|
"cvm:DescribeInstances", "tke:DescribeClusters", "tke:DescribeClusterInstances" |
Deleting a node | - | tke:DeleteClusterInstances | cvm:TerminateInstances tke:DescribeClusters |
|
"cvm:TerminateInstances", "tke:DescribeClusters", "tke:DeleteClusterInstances" |
Was this page helpful?