tencent cloud


Granting TKE Cluster Permissions to API Gateway

Last updated: 2023-03-31 10:34:01

    Scenario

    This document describes how to authorize API Gateway to access the API server of a TKE cluster, offers solutions to authorization issues, and lists the permissions API Gateway obtains, in the form of the YAML that creates them.

    Prerequisites

    1. You have logged in to the API Gateway console.
    2. You have a TKE cluster and hold the admin role for it.

    Directions

    In the TKE tunnel configuration of API Gateway, when you reference a TKE cluster for the first time, you need to grant API Gateway access to the cluster's API server and ensure that private network access is enabled for the cluster.
    When the TKE tunnel is configured, API Gateway automatically checks whether the cluster has already been authorized and, if not, prompts you to authorize it. If cluster access has already been granted to API Gateway, the console displays Authorized API Gateway. Each cluster needs to be authorized for API Gateway only once; subsequent operations do not require repeated authorization.

    How It Works

    The process by which API Gateway obtains authorization is as follows:
    1. In the kube-system namespace, create a ServiceAccount named apigw-ingress, and create a cluster-scoped ClusterRole named apigw-ingress-clusterrole.
    2. Bind apigw-ingress to apigw-ingress-clusterrole with a ClusterRoleBinding. API Gateway then authenticates to the cluster's API server as the apigw-ingress ServiceAccount and acts with the permissions of that role.
    The bearer token of the apigw-ingress ServiceAccount is stored in a Secret whose name is prefixed with apigw-ingress-token- in the kube-system namespace; this token is the credential API Gateway presents to the API server. Because the role is bound with a ClusterRoleBinding, every rule in it applies to all namespaces, and the rule granting all verbs on configmaps and secrets means that anyone holding this token can read or modify any Secret in the cluster. Treat it as a cluster-wide credential.
    The YAML used to create these resources lists the exact permissions obtained by API Gateway:
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: apigw-ingress-clusterrole
    rules:
    - apiGroups:
      - ""
      resources:
      - services
      - namespaces
      - endpoints
      - nodes
      - pods
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - apps
      resources:
      - deployments
      - replicasets
      verbs:
      - get
      - list
      - watch
    - apiGroups:
      - ""
      resources:
      - configmaps
      - secrets
      verbs:
      - "*"
    - apiGroups:
      - extensions
      resources:
      - ingresses
      - ingresses/status
      verbs:
      - "*"
    - apiGroups:
      - ""
      resources:
      - events
      verbs:
      - create
      - patch
      - list
      - update
    - apiGroups:
      - apiextensions.k8s.io
      resources:
      - customresourcedefinitions
      verbs:
      - "*"
    - apiGroups:
      - cloud.tencent.com
      resources:
      - tkeserviceconfigs
      verbs:
      - "*"
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      namespace: kube-system
      name: apigw-ingress
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: apigw-ingress-clusterrole-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: apigw-ingress-clusterrole
    subjects:
    - kind: ServiceAccount
      name: apigw-ingress
      namespace: kube-system
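    The rules above decide what API Gateway can do with the token it receives. The following Python script is an added example, not part of Tencent Cloud's tooling or of this page: it transcribes the ClusterRole rules from the YAML above and reimplements the rule-matching logic of the Kubernetes RBAC authorizer (wildcard "*" in apiGroups, resources and verbs; "" for the core group; a "*/status" resource pattern matching any subresource named status), so you can answer "can this ServiceAccount do X?" offline before applying the YAML. It also lists the grants that deserve a second look. The WRITE_VERBS and SENSITIVE_READ sets are the example's own choices and are not defined anywhere on this page.

```python
"""Offline RBAC check of the apigw-ingress ClusterRole (added example)."""

# Transcription of the apigw-ingress-clusterrole rules shown on this page.
RULES = [
    {"apiGroups": [""], "resources": ["services", "namespaces", "endpoints", "nodes", "pods"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["apps"], "resources": ["deployments", "replicasets"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["configmaps", "secrets"], "verbs": ["*"]},
    {"apiGroups": ["extensions"], "resources": ["ingresses", "ingresses/status"], "verbs": ["*"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch", "list", "update"]},
    {"apiGroups": ["apiextensions.k8s.io"], "resources": ["customresourcedefinitions"], "verbs": ["*"]},
    {"apiGroups": ["cloud.tencent.com"], "resources": ["tkeserviceconfigs"], "verbs": ["*"]},
]

# Assumption of this example: verbs that change state, and resources whose
# mere read access is sensitive (Secrets hold credentials, including other
# ServiceAccount tokens). Neither set comes from the page.
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection", "*"}
SENSITIVE_READ = {("", "secrets")}


def _group_matches(rule_group: str, requested: str) -> bool:
    return rule_group == "*" or rule_group == requested


def _verb_matches(rule_verb: str, requested: str) -> bool:
    return rule_verb == "*" or rule_verb == requested


def _resource_matches(rule_resource: str, requested: str) -> bool:
    # Mirrors the RBAC authorizer: "*" matches all; an exact match wins;
    # "*/<sub>" matches any resource's <sub> subresource. A bare "ingresses"
    # never matches "ingresses/status".
    if rule_resource == "*" or rule_resource == requested:
        return True
    if "/" in requested and rule_resource.startswith("*/"):
        return rule_resource[2:] == requested.split("/", 1)[1]
    return False


def can_i(rules, api_group: str, resource: str, verb: str) -> bool:
    """True if any rule allows verb on api_group/resource (RBAC is allow-only)."""
    for rule in rules:
        if (any(_group_matches(g, api_group) for g in rule["apiGroups"])
                and any(_resource_matches(r, resource) for r in rule["resources"])
                and any(_verb_matches(v, verb) for v in rule["verbs"])):
            return True
    return False


def risky_grants(rules):
    """(group, resource, verbs) for every grant that writes or touches a sensitive resource.

    A ClusterRoleBinding applies each of these in every namespace, so each entry
    is a cluster-wide capability of whoever holds the ServiceAccount token.
    """
    findings = []
    for rule in rules:
        verbs = set(rule["verbs"])
        for group in rule["apiGroups"]:
            for res in rule["resources"]:
                if (group, res) in SENSITIVE_READ or verbs & WRITE_VERBS:
                    findings.append((group or "core", res, sorted(verbs)))
    return findings


if __name__ == "__main__":
    checks = [("", "secrets", "delete"), ("", "pods", "delete"),
              ("extensions", "ingresses/status", "update"), ("", "events", "delete")]
    for group, res, verb in checks:
        state = "allowed" if can_i(RULES, group, res, verb) else "denied"
        print(f"{verb:7} {group or 'core'}/{res}: {state}")
    for group, res, verbs in risky_grants(RULES):
        print(f"review: {group}/{res} verbs={verbs}")
```

    Against a live cluster the API server answers the same question: kubectl auth can-i delete secrets --all-namespaces --as=system:serviceaccount:kube-system:apigw-ingress, or kubectl auth can-i --list --as=system:serviceaccount:kube-system:apigw-ingress to dump everything the ServiceAccount may do once the binding exists.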

    Reminders

    After you have granted API Gateway access to the TKE cluster, do not modify or delete the resources reserved by API Gateway, including:
    The ServiceAccount named apigw-ingress in the kube-system namespace.
    The cluster-scoped ClusterRole named apigw-ingress-clusterrole.
    The cluster-scoped ClusterRoleBinding named apigw-ingress-clusterrole-binding.
    The Secret prefixed with apigw-ingress-token- in the kube-system namespace.

    FAQs

    Problem: During authorization, you find that private network access is not enabled for the TKE cluster.