Tencent Kubernetes Engine
- Release Notes and Announcements
- Release Notes
- Announcements
- Security Vulnerability Fix Description
- Release Notes
- Kubernetes Version Maintenance
- Runtime Version Maintenance Description
- Product Introduction
- Quick Start
- TKE General Cluster Guide
- Purchase a TKE General Cluster
- Permission Management
- Controlling TKE cluster-level permissions
- TKE Kubernetes Object-level Permission Control
- Cluster Management
- Images
- Worker node introduction
- Normal Node Management
- Native Node Management
- Purchasing Native Nodes
- Supernode management
- Purchasing a Super Node
- Registered Node Management
- Memory Compression Instructions
- GPU Share
- qGPU Online/Offline Hybrid Deployment
- Kubernetes Object Management
- Workload
- Configuration
- Auto Scaling
- Service Management
- Ingress Management
- CLB Type Ingress
- API Gateway Type Ingress
- Storage Management
- Use File to Store CFS
- Use Cloud Disk CBS
- Add-On Management
- CBS-CSI Description
- Network Management
- GlobalRouter Mode
- VPC-CNI Mode
- Static IP Address Mode Instructions
- Cilium-Overlay Mode
- OPS Center
- Audit Management
- Event Management
- Monitoring Management
- Log Management
- Using CRD to Configure Log Collection
- Backup Center
- TKE Serverless Cluster Guide
- Purchasing a TKE Serverless Cluster
- TKE Serverless Cluster Management
- Super Node Management
- Kubernetes Object Management
- OPS Center
- Log Collection
- Using a CRD to Configure Log Collection
- Audit Management
- Event Management
- TKE Registered Cluster Guide
- Registered Cluster Management
- Ops Guide
- TKE Insight
- TKE Scheduling
- Job Scheduling
- Native Node Dedicated Scheduler
- Cloud Native Service Guide
- Cloud Service for etcd
- Version Maintenance
- Cluster Troubleshooting
- Practical Tutorial
- Cluster
- Serverless Cluster
- Mastering Deep Learning in Serverless Cluster
- Scheduling
- Security
- Service Deployment
- Proper Use of Node Resources
- Network
- DNS
- Self-Built Nginx Ingress Practice Tutorial
- Logs
- Monitoring
- OPS
- DevOps
- Construction and Deployment of Jenkins Public Network Framework Appications based on TKE
- Auto Scaling
- KEDA
- Containerization
- Microservice
- Cost Management
- Hybrid Cloud
- Fault Handling
- Pod Status Exception and Handling
- Pod exception troubleshooter
- API Documentation
- Making API Requests
- Elastic Cluster APIs
- Resource Reserved Coupon APIs
- Cluster APIs
- Third-party Node APIs
- Network APIs
- Node APIs
- Node Pool APIs
- TKE Edge Cluster APIs
- Cloud Native Monitoring APIs
- Super Node APIs
- TKE API 2022-05-01
- Making API Requests
- Node Pool APIs
- FAQs
- TKE General Cluster
- TKE Serverless Cluster
- About OPS
- Service Agreement
- User Guide(Old)
DocumentationTencent Kubernetes EngineTKE General Cluster Guide Add-On ManagementUserGroupAccessControl
UserGroupAccessControl
Last updated: 2023-08-01 17:07:54
Overview
Add-on description
With UserGroupAccessControl, you can integrate Kubernetes RBAC into a Tencent Cloud CAM user group to control sub-account access in a refined manner.
Kubernetes objects deployed in a cluster
Kubernetes object name | Type | Specification | Namespaces |
user-group-access-control | ServiceAccount | - | kube-system |
user-group-access-control | ClusterRole | - | kube-system |
user-group-access-control | ClusterRoleBinding | - | kube-system |
user-group-access-control | Service | - | kube-system |
user-group-access-control | ConfigMap | - | kube-system |
user-group-access-control | Deployment | 0.5C1G (for new Kubernetes objects) | kube-system |
Use Cases
A CAM user group is a collection of multiple users (sub-accounts) with similar roles. It can provide authorization and set subscription messages in batches. UserGroupAccessControl can help setting the same Kubernetes object access permissions for sub-accounts with the same function in a TKE general cluster.
Limits
Supported K8s cluster versions: v1.16 and later versions.
Directions
Note:
Step 1. Create a user group
Create a user group in CAM. For details, see Creating User Group. If you already have a user group, skip this step.
Step 2. Install the add-on
1. Log in to the TKE console. In the left sidebar, click Cluster.
2. On the Cluster page, click the ID of the target cluster to go to the cluster details page.
3. In the left sidebar, click Add-on management. On the page that appears, click Create.
4. On the Create add-on page, select the Authentication authorization module and select UserGroupAccessControl.
5. Click Service authorization. Associate the "TKE_QCSRole" role with the preset policy "QcloudAccessForTKERoleInGroupsForUser" to allow TKE access information of user groups under your account.
On the Service authorization page, confirm the role name and authorization policy, and click Grant.
6. Go back to the Create add-on page, click Complete. Now, you can view the add-on details on the Add-on management page.
Step 3. Create a role and bind the policy to the user group
1. In the left sidebar, click Authorization Management > ClusterRole. Click RBAC Policy Generator on the ClusterRole page.
2. Select User group for account type, and select the target user group.
3. Click Next. In Cluster RBAC settings, set Kubernetes object access permissions for the specified user group.
4. Click Complete.
Step 4: View the role binding policy
In the left sidebar, click Authorization management > ClusterRoleBinding. Check the policy that is named starting with the user group ID.
Note:
To manage permissions for Tencent Cloud resources (such as migrating sub-accounts, adding/removing permission for cloud resources), you only need to make changes in the CAM user group. The policy associated with the created role will be updated at the same time. For details, see Managing User Groups.
Was this page helpful?
You can also Contact Sales or Submit a Ticket for help.
Yes
No