UserGroupAccessControl

Last updated: 2023-08-01 17:07:54

    Overview

    Add-on description

    With UserGroupAccessControl, you can integrate Kubernetes RBAC with a Tencent Cloud CAM user group to control sub-account access at a fine granularity.

    Kubernetes objects deployed in a cluster

    Kubernetes object name       Type                Specification                          Namespace
    user-group-access-control    ServiceAccount      -                                      kube-system
    user-group-access-control    ClusterRole         -                                      kube-system
    user-group-access-control    ClusterRoleBinding  -                                      kube-system
    user-group-access-control    Service             -                                      kube-system
    user-group-access-control    ConfigMap           -                                      kube-system
    user-group-access-control    Deployment          0.5C1G (for new Kubernetes objects)    kube-system

    Use Cases

    A CAM user group is a collection of multiple users (sub-accounts) with similar roles. It lets you grant authorization and set subscription messages in batches. UserGroupAccessControl helps you set the same Kubernetes object access permissions for sub-accounts that share the same function in a TKE general cluster.

    Limits

    Supported Kubernetes cluster versions: v1.16 and later.

    Directions

    Note:
    To use the UserGroupAccessControl add-on, please submit a ticket.

    Step 1. Create a user group

    Create a user group in CAM. For details, see Creating User Group. If you already have a user group, skip this step.

    Step 2. Install the add-on

    1. Log in to the TKE console. In the left sidebar, click Cluster.
    2. On the Cluster page, click the ID of the target cluster to go to the cluster details page.
    3. In the left sidebar, click Add-on management. On the page that appears, click Create.
    4. On the Create add-on page, select the Authentication authorization module and select UserGroupAccessControl.
    5. Click Service authorization. Associate the "TKE_QCSRole" role with the preset policy "QcloudAccessForTKERoleInGroupsForUser" to allow TKE to access information about the user groups under your account.
    On the Service authorization page, confirm the role name and authorization policy, and click Grant.
    6. Go back to the Create add-on page and click Complete. You can now view the add-on details on the Add-on management page.

    Step 3. Create a role and bind the policy to the user group

    1. In the left sidebar, click Authorization Management > ClusterRole. Click RBAC Policy Generator on the ClusterRole page.
    2. Select User group for account type, and select the target user group.
    3. Click Next. In Cluster RBAC settings, set Kubernetes object access permissions for the specified user group.
    4. Click Complete.

    Step 4. View the role binding policy

    In the left sidebar, click Authorization management > ClusterRoleBinding. Check the policy whose name starts with the user group ID.
    Note:
    To manage permissions for Tencent Cloud resources (such as moving sub-accounts between groups or adding/removing permissions for cloud resources), you only need to make the change in the CAM user group. The policy associated with the created role is updated at the same time. For details, see Managing User Groups.
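    As an added illustration (not a manifest generated by TKE or taken from this page), the objects below show the shape of a least-privilege result of Step 3: a read-only ClusterRole bound to a group subject. The names cam-usergroup-readonly and <USER_GROUP_ID> are placeholders; the exact subject name TKE writes into the binding is not documented here, so copy it from the ClusterRoleBinding you inspect in Step 4.

```yaml
# Added example (not TKE's own output): a read-only ClusterRole for a CAM
# user group and the ClusterRoleBinding that grants it. Replace the
# <USER_GROUP_ID> placeholder with the subject name found in Step 4.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cam-usergroup-readonly          # constructed name
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets"]
    verbs: ["get", "list", "watch"]
# "secrets" and the create/update/delete verbs are deliberately absent:
# members of the group can observe workloads but not read credentials
# or change anything.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: <USER_GROUP_ID>-readonly        # Step 4: binding names start with the user group ID
subjects:
  - kind: Group
    name: <USER_GROUP_ID>               # placeholder for the subject TKE created
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cam-usergroup-readonly
  apiGroup: rbac.authorization.k8s.io
```

    To confirm the binding behaves as intended, run `kubectl auth can-i list pods --as=<sub-account> --as-group=<USER_GROUP_ID>` (expected: yes) and `kubectl auth can-i get secrets --as=<sub-account> --as-group=<USER_GROUP_ID>` (expected: no).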