Overview
Add-on description
With UserGroupAccessControl, you can integrate Kubernetes RBAC into a Tencent Cloud CAM user group to control sub-account access in a refined manner.
Kubernetes objects deployed in a cluster
| Name | Kubernetes object type | Requested resources | Namespace |
|---|---|---|---|
| user-group-access-control | ServiceAccount | - | kube-system |
| user-group-access-control | ClusterRole | - | kube-system |
| user-group-access-control | ClusterRoleBinding | - | kube-system |
| user-group-access-control | Service | - | kube-system |
| user-group-access-control | ConfigMap | - | kube-system |
| user-group-access-control | Deployment | 0.5C1G (for new Kubernetes objects) | kube-system |
Use Cases
A CAM user group is a collection of multiple users (sub-accounts) with similar roles. It lets you grant authorization and set subscription messages in batches. UserGroupAccessControl helps you set the same Kubernetes object access permissions for sub-accounts that share a function in a TKE general cluster.
Limits
Supported K8s cluster versions: v1.16 and later versions.
Directions
Step 1. Create a user group
Create a user group in CAM. For details, see Creating User Group. If you already have a user group, skip this step.
Step 2. Install the add-on
1. Log in to the TKE console. In the left sidebar, click Cluster.
2. On the Cluster page, click the ID of the target cluster to go to the cluster details page.
3. In the left sidebar, click Add-on management. On the page that appears, click Create.
4. On the Create add-on page, select the Authentication authorization module and select UserGroupAccessControl.
5. Click Service authorization. Associate the "TKE_QCSRole" role with the preset policy "QcloudAccessForTKERoleInGroupsForUser" to allow TKE to access information about the user groups under your account.
On the Service authorization page, confirm the role name and authorization policy, and click Grant.
6. Go back to the Create add-on page, click Complete. Now, you can view the add-on details on the Add-on management page.
Step 3. Create a role and bind the policy to the user group
1. In the left sidebar, click Authorization Management > ClusterRole. Click RBAC Policy Generator on the ClusterRole page.
2. Select User group for account type, and select the target user group.
3. Click Next. In Cluster RBAC settings, set Kubernetes object access permissions for the specified user group.
4. Click Complete.
Step 4. View the role binding policy
In the left sidebar, click Authorization management > ClusterRoleBinding. Check the policy that is named starting with the user group ID.
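As an added example (not part of the Tencent Cloud documentation), a short audit that reads the output of `kubectl get clusterrolebindings -o json` and reports, for each CAM user group ID, which ClusterRole the add-on's binding grants and whether that role is highly privileged. The binding names, user group IDs and subject names below are constructed placeholders, and the prefix match follows the naming convention described in Step 4.

```python
import json

# Constructed sample in the shape of `kubectl get clusterrolebindings -o json`.
# Binding names, user group IDs and subject names are placeholders.
SAMPLE_KUBECTL_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "1001-readonly"},
         "roleRef": {"kind": "ClusterRole", "name": "view"},
         "subjects": [{"kind": "User", "name": "100001"},
                      {"kind": "User", "name": "100002"}]},
        {"metadata": {"name": "1002-ops"},
         "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
         "subjects": [{"kind": "User", "name": "100003"}]},
        {"metadata": {"name": "system:basic-user"},
         "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
         "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    ]
})

# Built-in ClusterRoles that grant broad write or full control; review these bindings first.
HIGH_PRIVILEGE_ROLES = {"cluster-admin", "admin", "edit"}


def user_group_bindings(kubectl_json, group_ids):
    """Map each CAM user group ID to the ClusterRoleBindings whose name starts with it.

    The page states only that the binding name starts with the user group ID, so the
    match is a plain prefix match; pass the full ID to avoid matching a longer ID.
    """
    items = json.loads(kubectl_json).get("items", [])
    report = {}
    for gid in group_ids:
        report[gid] = [
            {
                "binding": item["metadata"]["name"],
                "role": item["roleRef"]["name"],
                "subjects": [s["name"] for s in item.get("subjects", [])],
                "high_privilege": item["roleRef"]["name"] in HIGH_PRIVILEGE_ROLES,
            }
            for item in items
            if item["metadata"]["name"].startswith(gid)
        ]
    return report


def high_privilege_groups(report):
    """Return the user group IDs whose bindings grant a high-privilege ClusterRole."""
    return sorted(gid for gid, bindings in report.items()
                  if any(b["high_privilege"] for b in bindings))
```

Run it against the live cluster by replacing `SAMPLE_KUBECTL_JSON` with the captured output of `kubectl get clusterrolebindings -o json`.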
Note:
To manage permissions for Tencent Cloud resources (for example, moving sub-accounts between groups or adding and removing permissions for cloud resources), you only need to make the change in the CAM user group. The policy associated with the created role is updated at the same time. For details, see Managing User Groups.