Granting TKE Cluster Permissions to API Gateway

Last updated: 2024-12-23 11:30:47

Scenario

This document describes how to authorize API Gateway to access the API server of a TKE cluster, offers solutions to authorization issues, and lists the permissions obtained by API Gateway in the YAML file that creates them.

Prerequisites

1. You have logged in to the API Gateway console.
2. You have a TKE cluster and have obtained its admin role.

Directions

In the TKE tunnel configuration of API Gateway, when you reference a TKE cluster for the first time, you need to grant API Gateway access to the cluster's API server and ensure that private network access is enabled for the cluster.
When the TKE tunnel is configured, API Gateway automatically checks whether the cluster has been authorized and, if not, prompts you for authorization. If cluster access has already been granted to API Gateway, the system displays Authorized API Gateway. Each cluster only needs to be authorized for API Gateway once; subsequent operations do not require repeated authorization.

How It Works

The process by which API Gateway obtains the authorization is as follows:
1. Under the kube-system namespace, create a ServiceAccount named apigw-ingress and a ClusterRole named apigw-ingress-clusterrole.
2. Bind apigw-ingress to apigw-ingress-clusterrole through a ClusterRoleBinding. API Gateway then uses the permissions of the apigw-ingress ServiceAccount to access the cluster's API server.
The credentials (token) of the apigw-ingress ServiceAccount are stored in the Secret whose name is prefixed with apigw-ingress-token-.
For details on the permissions obtained by API Gateway and how they are granted, see the YAML used to create the resources:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apigw-ingress-clusterrole
rules:
- apiGroups:
  - ""
  resources:
  - services
  - namespaces
  - endpoints
  - nodes
  - pods
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - deployments
  - replicasets
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - configmaps
  - secrets
  verbs:
  - "*"
- apiGroups:
  - extensions
  resources:
  - ingresses
  - ingresses/status
  verbs:
  - "*"
- apiGroups:
  - ""
  resources:
  - events
  verbs:
  - create
  - patch
  - list
  - update
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  - "*"
- apiGroups:
  - cloud.tencent.com
  resources:
  - tkeserviceconfigs
  verbs:
  - "*"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-system
  name: apigw-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: apigw-ingress-clusterrole-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: apigw-ingress-clusterrole
subjects:
- kind: ServiceAccount
  name: apigw-ingress
  namespace: kube-system
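To review what the apigw-ingress ServiceAccount is actually allowed to do before granting it, the following added example (not part of this page or of API Gateway itself) evaluates the ClusterRole rules above the way kubectl auth can-i does and lists every resource the role can modify; the rules are transcribed from the page's YAML as JSON so that only the Python standard library is needed, and subresource wildcards such as pods/* are assumed not to occur.

```python
import json

# The ClusterRole rules from the page's YAML, transcribed as JSON (constructed
# input for this example) so the standard library can load them without PyYAML.
APIGW_CLUSTERROLE_JSON = """
{"rules": [
  {"apiGroups": [""], "resources": ["services", "namespaces", "endpoints", "nodes", "pods"],
   "verbs": ["get", "list", "watch"]},
  {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"], "verbs": ["get", "list", "watch"]},
  {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["*"]},
  {"apiGroups": ["extensions"], "resources": ["ingresses", "ingresses/status"], "verbs": ["*"]},
  {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch", "list", "update"]},
  {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["*"]},
  {"apiGroups": ["cloud.tencent.com"], "resources": ["tkeserviceconfigs"], "verbs": ["*"]}
]}
"""
RULES = json.loads(APIGW_CLUSTERROLE_JSON)["rules"]

# Any verb beyond get/list/watch changes cluster state; "*" covers all verbs.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}


def _matches(allowed, wanted):
    """RBAC list matching: a literal "*" in the rule matches anything.
    Assumes plain names only (no "pods/*"-style subresource wildcards)."""
    return "*" in allowed or wanted in allowed


def can_i(verb, resource, api_group=""):
    """Answer `kubectl auth can-i <verb> <resource>` for these rules.
    The core API group is the empty string, matching `apiGroups: - ""` above."""
    return any(
        _matches(r["apiGroups"], api_group)
        and _matches(r["resources"], resource)
        and _matches(r["verbs"], verb)
        for r in RULES
    )


def write_grants(rules=RULES):
    """Return (apiGroup, resource) pairs the role may modify, for a least-privilege review."""
    found = []
    for r in rules:
        if WRITE_VERBS & set(r["verbs"]):
            for group in r["apiGroups"]:
                for resource in r["resources"]:
                    found.append((group, resource))
    return found


if __name__ == "__main__":
    print("get secrets:", can_i("get", "secrets"), "| delete pods:", can_i("delete", "pods"))
    for group, resource in write_grants():
        print(f"write access: {group or 'core'}/{resource}")
```

Running the script prints that the role has full write access to core/secrets and core/configmaps cluster-wide, which is the permission most worth knowing about when deciding whether the cluster's sensitivity fits this grant.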

Reminders

After you successfully grant API Gateway the access to the TKE cluster, you cannot modify the resources reserved by API Gateway, including:
The ServiceAccount named apigw-ingress under the kube-system namespace.
The ClusterRole named apigw-ingress-clusterrole under the kube-system namespace.
The ClusterRoleBinding named apigw-ingress-clusterrole-binding under the kube-system namespace.
The Secret prefixed with apigw-ingress-token- in the kube-system namespace.

FAQs

Problem: During authorization, it is found that the private network access feature is not enabled for the TKE cluster.
