When you use Tencent Kubernetes Engine (TKE), you need to authorize services to use relevant cloud resources. Each scenario usually contains policies that are defined for different roles in advance. The main roles involved are TKE_QCSRole and IPAMDofTKE_QCSRole. This document introduces the details of each authorization policy, and the authorization scenarios and authorization steps for each role.
Note: The sample roles in this document do not contain the authorization policy related to container image repositories. For more information about TKE image-related permissions, see TKE Image Registry Resource-level Permission Settings.
After TKE is activated, Tencent Cloud grants your account the permissions of the role TKE_QCSRole, which is associated with multiple preset policies by default. To obtain the relevant permissions, you need to perform the corresponding preset policy authorization operation in the specific authorization scenario. After the operation is completed, the corresponding policy appears in the role's list of authorized policies. The preset policies associated with TKE_QCSRole by default include:

- QcloudAccessForTKERole: the permission for TKE to access cloud resources
- QcloudAccessForTKERoleInOpsManagement: the permission for Ops management, including the log service
- QcloudAccessForTKERoleInCreatingCFSStorageclass: the permission for TKE to operate on Cloud File Storage (CFS), including adding, deleting and querying CFS file systems, and querying the mount targets of a file system
- QcloudCVMFinanceAccess: CVM finance permission

When you log in to the TKE console for the first time after registering a Tencent Cloud account, you need to go to the "Cloud Access Management" page to grant the current account the TKE permissions for operating on CVMs, CLBs, CBS and other cloud resources. The QcloudAccessForTKERole policy covers the following permissions:
CVM

Permission Name | Permission Description |
---|---|
cvm:DescribeInstances | Querying the list of server instances |
cvm:*Cbs* | CBS-related permissions |

Tag

Permission Name | Permission Description |
---|---|
tag:* | All features related to tags |

CLB

Permission Name | Permission Description |
---|---|
clb:* | All features related to CLB |

TKE

Permission Name | Permission Description |
---|---|
ccs:DescribeCluster | Querying the cluster list |
ccs:DescribeClusterInstances | Querying cluster node information |
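The wildcard entries in these tables (`cvm:*Cbs*`, `tag:*`, `clb:*`) are matched against the whole action name, so one pattern can cover every API of a service, including delete operations. The following Python script is an added example, not code from Tencent Cloud or from this document: it encodes the tables above as a CAM-style policy document and evaluates actions against it with the `*` wildcard and deny-over-allow semantics. The policy dict is constructed from the tables and is not the JSON Tencent Cloud actually attaches to TKE_QCSRole; resource scoping is ignored because every statement here uses `*`; and the action names used in the checks (for example `cvm:AttachCbsStorages`, `cvm:TerminateInstances`, `clb:DeleteLoadBalancer`) are assumed for illustration.

```python
import re
from typing import Dict, Iterable, List, Union

# Constructed CAM-style policy modeled on the QcloudAccessForTKERole tables
# above. Illustration only: it is not the policy document Tencent Cloud ships.
QCLOUD_ACCESS_FOR_TKE_ROLE: Dict = {
    "version": "2.0",
    "statement": [
        {
            "effect": "allow",
            "action": [
                "cvm:DescribeInstances",
                "cvm:*Cbs*",
                "tag:*",
                "clb:*",
                "ccs:DescribeCluster",
                "ccs:DescribeClusterInstances",
            ],
            "resource": "*",
        }
    ],
}


def _as_list(value: Union[str, List[str]]) -> List[str]:
    """A statement's 'action' may be a single string or a list; normalise it."""
    return [value] if isinstance(value, str) else list(value)


def action_pattern_to_regex(pattern: str) -> "re.Pattern":
    """Compile an action pattern such as 'cvm:*Cbs*' into an anchored regex.

    '*' matches any run of characters (including none); everything else is
    literal. Matching is case-sensitive, like the action names themselves.
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


def matching_patterns(policy: Dict, action: str, effect: str) -> List[str]:
    """Return the action patterns in statements with `effect` that cover `action`."""
    hits: List[str] = []
    for stmt in policy.get("statement", []):
        if stmt.get("effect") != effect:
            continue
        for pattern in _as_list(stmt.get("action", [])):
            if action_pattern_to_regex(pattern).match(action):
                hits.append(pattern)
    return hits


def decision(policy: Dict, action: str) -> str:
    """Evaluate one action: an explicit deny beats any allow; no match is an implicit deny."""
    if matching_patterns(policy, action, "deny"):
        return "explicit_deny"
    if matching_patterns(policy, action, "allow"):
        return "allow"
    return "implicit_deny"


def is_allowed(policy: Dict, action: str) -> bool:
    return decision(policy, action) == "allow"


def wildcard_patterns(policy: Dict) -> List[str]:
    """Every allow pattern containing '*': the entries that grant more than one API."""
    found: List[str] = []
    for stmt in policy.get("statement", []):
        if stmt.get("effect") == "allow":
            found.extend(p for p in _as_list(stmt.get("action", [])) if "*" in p)
    return found


def explain(policy: Dict, actions: Iterable[str]) -> Dict[str, List[str]]:
    """Map each action to the allow patterns that grant it (empty list = not granted)."""
    return {a: matching_patterns(policy, a, "allow") for a in actions}


if __name__ == "__main__":
    # Action names below are assumed for illustration.
    for name in ["cvm:DescribeInstances", "cvm:AttachCbsStorages",
                 "cvm:TerminateInstances", "clb:DeleteLoadBalancer"]:
        print(f"{name:26s} {decision(QCLOUD_ACCESS_FOR_TKE_ROLE, name):14s} "
              f"via {matching_patterns(QCLOUD_ACCESS_FOR_TKE_ROLE, name, 'allow')}")
```

Run it to see which pattern grants each action; the output for a CBS action points at `cvm:*Cbs*`, which is the entry to review if you need to narrow the role, since the explicit `cvm:DescribeInstances` entry grants nothing beyond that one query.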
QcloudAccessForTKERoleInOpsManagement is associated with TKE_QCSRole by default. After TKE is activated and TKE_QCSRole is granted, you have the permissions of the Ops-related features, including the log features. This policy is authorized at the same time as the preset policy QcloudAccessForTKERole, so no extra operation is needed. It covers the following permissions:
Log service

Permission Name | Permission Description |
---|---|
cls:listTopic | Displaying the list of log topics under a specified logset |
cls:getTopic | Viewing log topic information |
cls:createTopic | Creating a log topic |
cls:modifyTopic | Modifying a log topic |
cls:deleteTopic | Deleting a log topic |
cls:listLogset | Displaying the logset list |
cls:getLogset | Viewing logset information |
cls:createLogset | Creating a logset |
cls:modifyLogset | Modifying a logset |
cls:deleteLogset | Deleting a logset |
cls:listMachineGroup | Displaying the server group list |
cls:getMachineGroup | Viewing server group information |
cls:createMachineGroup | Creating a server group |
cls:modifyMachineGroup | Modifying a server group |
cls:deleteMachineGroup | Deleting a server group |
cls:getMachineStatus | Viewing server group status |
cls:pushLog | Uploading logs |
cls:searchLog | Querying logs |
cls:downloadLog | Downloading logs |
cls:getCursor | Getting the cursor based on time |
cls:getIndex | Viewing indexes |
cls:modifyIndex | Modifying indexes |
cls:agentHeartBeat | Heartbeat |
cls:getConfig | Getting the pusher configuration information |
The Tencent Cloud CFS add-on lets you use file storage in TKE clusters. When you use this add-on for the first time, you need to authorize TKE to operate on the relevant resources, such as CFS file systems, by associating the preset policy QcloudAccessForTKERoleInCreatingCFSStorageclass with TKE_QCSRole. It covers the following permissions:
File storage
Permission Name | Permission Description |
---|---|
cfs:CreateCfsFileSystem | Creating a file system |
cfs:DescribeCfsFileSystems | Querying a file system |
cfs:DescribeMountTargets | Querying mount targets of a file system |
cfs:DeleteCfsFileSystem | Deleting a file system |
QcloudCVMFinanceAccess

To grant the CVM finance permission, search the policy list for QcloudCVMFinanceAccess and select it. The policy covers the following permission:

Permission Name | Permission Description |
---|---|
finance:* | CVM finance permission |
IPAMDofTKE_QCSRole is the service role for TKE IPAMD (the VPC-CNI IP address management daemon). After the permissions of this role are granted, you need to associate the preset policy in the authorization scenario described in this document. After this operation is completed, the following policy appears in the role's list of authorized policies:

- QcloudAccessForIPAMDofTKERole: the permission for TKE IPAMD to access cloud resources

When you create a cluster in VPC-CNI network mode for the first time, you need to grant TKE IPAMD permission to access cloud resources so that the VPC-CNI network mode works. QcloudAccessForIPAMDofTKERole covers the following permissions:
CVM

Permission Name | Permission Description |
---|---|
cvm:DescribeInstances | Viewing the list of instances |

Tag

Permission Name | Permission Description |
---|---|
tag:GetResourcesByTags | Querying the resource list by tag |
tag:ModifyResourceTags | Batch modifying the tags associated with a resource |
tag:GetResourceTagsByResourceIds | Querying the tags associated with a resource |

VPC

Permission Name | Permission Description |
---|---|
vpc:DescribeSubnet | Querying the list of subnets |
vpc:CreateNetworkInterface | Creating an ENI |
vpc:DescribeNetworkInterfaces | Querying the list of ENIs |
vpc:AttachNetworkInterface | Binding an ENI to a CVM |
vpc:DetachNetworkInterface | Unbinding an ENI from a CVM |
vpc:DeleteNetworkInterface | Deleting an ENI |
vpc:AssignPrivateIpAddresses | Applying for private IP addresses for an ENI |
vpc:UnassignPrivateIpAddresses | Returning the private IP addresses of an ENI |
vpc:MigratePrivateIpAddress | Migrating the private IP addresses of an ENI |
vpc:DescribeSubnetEx | Querying the list of subnets |
vpc:DescribeVpcEx | Querying the list of VPCs |
vpc:DescribeNetworkInterfaceLimit | Querying the ENI quota |
vpc:DescribeVpcPrivateIpAddresses | Querying the private IP addresses of a VPC |
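A review of the two roles' attachments, as an added example that is not Tencent Cloud code: the script compares the policies attached to each role against the presets this document lists, and splits the IPAMD action list above into read-only and write actions so the blast radius of the role is visible. The attached-policy sample is constructed, and its shape (a list of objects carrying a `PolicyName`) is an assumption; in practice you would populate it from the CAM console or API for your own account. A missing preset is not by itself a fault, because some presets (the CFS one, for instance) are only attached once the scenario that needs them is triggered; an unexpected extra policy on a service role is what warrants investigation.

```python
from typing import Dict, Iterable, List, Set

# Preset policies this document lists for each TKE service role.
EXPECTED_POLICIES: Dict[str, Set[str]] = {
    "TKE_QCSRole": {
        "QcloudAccessForTKERole",
        "QcloudAccessForTKERoleInOpsManagement",
        "QcloudAccessForTKERoleInCreatingCFSStorageclass",
        "QcloudCVMFinanceAccess",
    },
    "IPAMDofTKE_QCSRole": {"QcloudAccessForIPAMDofTKERole"},
}

# Actions granted by QcloudAccessForIPAMDofTKERole, copied from the tables above.
IPAMD_ACTIONS: List[str] = [
    "cvm:DescribeInstances",
    "tag:GetResourcesByTags", "tag:ModifyResourceTags", "tag:GetResourceTagsByResourceIds",
    "vpc:DescribeSubnet", "vpc:CreateNetworkInterface", "vpc:DescribeNetworkInterfaces",
    "vpc:AttachNetworkInterface", "vpc:DetachNetworkInterface", "vpc:DeleteNetworkInterface",
    "vpc:AssignPrivateIpAddresses", "vpc:UnassignPrivateIpAddresses",
    "vpc:MigratePrivateIpAddress", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx",
    "vpc:DescribeNetworkInterfaceLimit", "vpc:DescribeVpcPrivateIpAddresses",
]

# Constructed sample, not real account data. The shape (one object per attached
# policy with a PolicyName) is assumed. The CFS preset is deliberately absent on
# TKE_QCSRole and a custom policy is planted on IPAMDofTKE_QCSRole to show drift.
SAMPLE_ATTACHMENTS: Dict[str, List[Dict[str, str]]] = {
    "TKE_QCSRole": [
        {"PolicyName": "QcloudAccessForTKERole"},
        {"PolicyName": "QcloudAccessForTKERoleInOpsManagement"},
        {"PolicyName": "QcloudCVMFinanceAccess"},
    ],
    "IPAMDofTKE_QCSRole": [
        {"PolicyName": "QcloudAccessForIPAMDofTKERole"},
        {"PolicyName": "CustomOpsFullAccess"},
    ],
}

# API verbs that only query state; anything else is treated as a write.
READ_PREFIXES = ("Describe", "Get", "List")


def action_kind(action: str) -> str:
    """Classify 'service:Api' by its verb: 'read' for query verbs, otherwise 'write'."""
    api = action.split(":", 1)[1]
    return "read" if api.startswith(READ_PREFIXES) else "write"


def split_actions(actions: Iterable[str]) -> Dict[str, List[str]]:
    """Group actions into read and write lists, preserving table order."""
    out: Dict[str, List[str]] = {"read": [], "write": []}
    for action in actions:
        out[action_kind(action)].append(action)
    return out


def policy_drift(role: str, attachments: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Compare attached policy names with the presets this document expects for `role`."""
    attached = {a["PolicyName"] for a in attachments}
    expected = EXPECTED_POLICIES[role]
    return {"missing": expected - attached, "unexpected": attached - expected}


def audit(all_attachments: Dict[str, List[Dict[str, str]]]) -> Dict[str, Dict[str, Set[str]]]:
    """Run policy_drift for every role in the input."""
    return {role: policy_drift(role, atts) for role, atts in all_attachments.items()}


if __name__ == "__main__":
    for role, drift in audit(SAMPLE_ATTACHMENTS).items():
        print(f"{role}: missing={sorted(drift['missing'])} "
              f"unexpected={sorted(drift['unexpected'])}")
    kinds = split_actions(IPAMD_ACTIONS)
    print(f"IPAMD read actions: {len(kinds['read'])}, write actions: {len(kinds['write'])}")
    print("write actions:", ", ".join(kinds["write"]))
```

The write list is the part worth reading: ENI create, attach, detach and delete plus IP assignment across the whole VPC are what a compromised IPAMD credential could do, so alerts on those API calls from anything other than the cluster's nodes are a reasonable detection to pair with this role.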