- Release Notes and Announcements
- Release Notes
- Announcements
- Security Vulnerability Fix Description
- Announcement on Authentication Upgrade of Some TKE APIs
- Discontinuing Update of NginxIngress Addon
- qGPU Service Adjustment
- Version Upgrade of Master Add-On of TKE Managed Cluster
- Upgrading tke-monitor-agent
- Discontinuing TKE API 2.0
- Instructions on Cluster Resource Quota Adjustment
- Decommissioning Kubernetes Version
- Deactivation of Scaling Group Feature
- Notice on TPS Discontinuation on May 16, 2022 at 10:00 (UTC +8)
- Basic Monitoring Architecture Upgrade
- Starting Charging on Managed Clusters
- Instructions on Stopping Delivering the Kubeconfig File to Nodes
- Release Notes
- Product Introduction
- Purchase Guide
- Quick Start
- TKE General Cluster Guide
- TKE General Cluster Overview
- Purchase a TKE General Cluster
- High-risk Operations of Container Service
- Deploying Containerized Applications in the Cloud
- Open Source Components
- Permission Management
- Cluster Management
- Cluster Overview
- Cluster Hosting Modes Introduction
- Cluster Lifecycle
- Creating a Cluster
- Changing the Cluster Operating System
- Deleting a Cluster
- Cluster Scaling
- Connecting to a Cluster
- Upgrading a Cluster
- Enabling IPVS for a Cluster
- Custom Kubernetes Component Launch Parameters
- Using KMS for Kubernetes Data Source Encryption
- Images
- Worker node introduction
- Normal Node Management
- Native Node Management
- Overview
- Native Node Parameters
- Purchasing Native Nodes
- Lifecycle of a Native Node
- Creating Native Nodes
- Modifying Native Nodes
- Deleting Native Nodes
- Self-Heal Rules
- Declarative Operation Practice
- Native Node Scaling
- In-place Pod Configuration Adjustment
- Enabling Public Network Access for a Native Node
- Management Parameters
- Enabling SSH Key Login for a Native Node
- FAQs for Native Nodes
- Supernode management
- Registered Node Management
- Memory Compression Instructions
- GPU Share
- Kubernetes Object Management
- Overview
- Namespace
- Workload
- Deployment Management
- StatefulSet Management
- DaemonSet Management
- CronJob Management
- Job Management
- Setting the Resource Limit of Workload
- Setting the Scheduling Rule for a Workload
- Setting the Health Check for a Workload
- Setting the Run Command and Parameter for a Workload
- Using a Container Image in a TCR Enterprise Instance to Create a Workload
- Auto Scaling
- Configuration
- Service Management
- Ingress Management
- Storage Management
- Policy Management
- Application and Add-On Feature Management Description
- Add-On Management
- Add-on Overview
- Add-On Lifecycle Management
- Cluster Autoscaler
- OOMGuard
- NodeProblemDetectorPlus Add-on
- NodeLocalDNSCache
- DNSAutoscaler
- COS-CSI
- CFS-CSI
- CFSTURBO-CSI
- CBS-CSI Description
- UserGroupAccessControl
- TCR Introduction
- TCR Hosts Updater
- DynamicScheduler
- DeScheduler
- Network Policy
- Nginx-ingress
- HPC
- Description of tke-monitor-agent
- tke-log-agent
- GPU-Manager Add-on
- Helm Application
- Application Market
- Network Management
- Container Network Overview
- GlobalRouter Mode
- VPC-CNI Mode
- VPC-CNI Mode
- Multiple Pods with Shared ENI Mode
- Pods with Exclusive ENI Mode
- Static IP Address Mode Instructions
- Non-static IP Address Mode Instructions
- Interconnection Between VPC-CNI and Other Cloud Resources/IDC Resources
- Security Group of VPC-CNI Mode
- Instructions on Binding an EIP to a Pod
- VPC-CNI Component Description
- Limits on the Number of Pods in VPC-CNI Mode
- Cilium-Overlay Mode
- OPS Center
- Log Management
- Backup Center
- Remote Terminals
- TKE Serverless Cluster Guide
- TKE Registered Cluster Guide
- TKE Insight
- TKE Scheduling
- Cloud Native Service Guide
- Practical Tutorial
- Cluster
- Cluster Migration
- Serverless Cluster
- Security
- Service Deployment
- Network
- DNS
- Self-Built Nginx Ingress Practice Tutorial
- Quick Start
- Custom Load Balancer
- Enabling CLB Direct Connection
- Optimization for High Concurrency Scenarios
- High Availability Configuration Optimization
- Observability Integration
- Access to Tencent Cloud WAF
- Installing Multiple Nginx Ingress Controllers
- Migrating from TKE Nginx Ingress Plugin to Self-Built Nginx Ingress
- Complete Example of values.yaml Configuration
- Using Network Policy for Network Access Control
- Deploying NGINX Ingress on TKE
- Nginx Ingress High-Concurrency Practices
- Nginx Ingress Best Practices
- Limiting the bandwidth on pods in TKE
- Directly connecting TKE to the CLB of pods based on the ENI
- Use CLB-Pod Direct Connection on TKE
- Obtaining the Real Client Source IP in TKE
- Using Traefik Ingress in TKE
- Release
- Logs
- Monitoring
- OPS
- Removing and Re-adding Nodes from and to Cluster
- Using Ansible to Batch Operate TKE Nodes
- Using Cluster Audit for Troubleshooting
- Renewing a TKE Ingress Certificate
- Using cert-manager to Issue Free Certificates
- Using cert-manager to Issue Free Certificate for DNSPod Domain Name
- Using the TKE NPDPlus Plug-In to Enhance the Self-Healing Capability of Nodes
- Using kubecm to Manage Multiple Clusters kubeconfig
- Quick Troubleshooting Using TKE Audit and Event Services
- Customizing RBAC Authorization in TKE
- Clearing De-registered Tencent Cloud Account Resources
- Terraform
- DevOps
- Auto Scaling
- Cluster Auto Scaling Practices
- Using tke-autoscaling-placeholder to Implement Auto Scaling in Seconds
- Installing metrics-server on TKE
- Using Custom Metrics for Auto Scaling in TKE
- Utilizing HPA to Auto Scale Businesses on TKE
- Using VPA to Realize Pod Scaling up and Scaling down in TKE
- Adjusting HPA Scaling Sensitivity Based on Different Business Scenarios
- Implementing elasticity based on traffic prediction with EHPA
- Implementing Horizontal Scaling based on CLB monitoring metrics using KEDA in TKE
- Containerization
- Microservice
- Cost Management
- Hybrid Cloud
- Fault Handling
- Disk Full
- High Workload
- Memory Fragmentation
- Cluster DNS Troubleshooting
- Cluster kube-proxy Troubleshooting
- Cluster API Server Inaccessibility Troubleshooting
- Service and Ingress Inaccessibility Troubleshooting
- Common Service & Ingress Errors and Solutions
- Engel Ingres appears in Connechtin Reverside
- CLB Ingress Creation Error
- Troubleshooting for Pod Network Inaccessibility
- Pod Status Exception and Handling
- Authorizing Tencent Cloud OPS Team for Troubleshooting
- CLB Loopback
- API Documentation
- History
- API Category
- Elastic Cluster APIs
- Resource Reserved Coupon APIs
- Cluster APIs
- AcquireClusterAdminRole
- CreateClusterEndpoint
- CreateClusterEndpointVip
- DeleteCluster
- DeleteClusterEndpoint
- DeleteClusterEndpointVip
- DescribeAvailableClusterVersion
- DescribeClusterAuthenticationOptions
- DescribeClusterCommonNames
- DescribeClusterEndpointStatus
- DescribeClusterEndpointVipStatus
- DescribeClusterEndpoints
- DescribeClusterKubeconfig
- DescribeClusterLevelAttribute
- DescribeClusterLevelChangeRecords
- DescribeClusterSecurity
- DescribeClusterStatus
- DescribeClusters
- DescribeEdgeAvailableExtraArgs
- DescribeEdgeClusterExtraArgs
- DescribeResourceUsage
- DisableClusterDeletionProtection
- EnableClusterDeletionProtection
- GetClusterLevelPrice
- GetUpgradeInstanceProgress
- ModifyClusterAttribute
- ModifyClusterAuthenticationOptions
- ModifyClusterEndpointSP
- UpgradeClusterInstances
- CreateBackupStorageLocation
- CreateCluster
- DeleteBackupStorageLocation
- DescribeBackupStorageLocations
- DescribeEncryptionStatus
- DisableEncryptionProtection
- EnableEncryptionProtection
- UpdateClusterKubeconfig
- UpdateClusterVersion
- Third-party Node APIs
- Network APIs
- Node APIs
- Node Pool APIs
- TKE Edge Cluster APIs
- CheckEdgeClusterCIDR
- DescribeAvailableTKEEdgeVersion
- DescribeECMInstances
- DescribeEdgeCVMInstances
- DescribeEdgeClusterInstances
- DescribeEdgeClusterUpgradeInfo
- DescribeTKEEdgeClusterStatus
- ForwardTKEEdgeApplicationRequestV3
- DescribeEdgeLogSwitches
- CreateECMInstances
- CreateEdgeCVMInstances
- CreateEdgeLogConfig
- DeleteECMInstances
- DeleteEdgeCVMInstances
- DeleteEdgeClusterInstances
- DeleteTKEEdgeCluster
- DescribeTKEEdgeClusterCredential
- DescribeTKEEdgeExternalKubeconfig
- DescribeTKEEdgeScript
- InstallEdgeLogAgent
- UninstallEdgeLogAgent
- UpdateEdgeClusterVersion
- DescribeTKEEdgeClusters
- CreateTKEEdgeCluster
- Cloud Native Monitoring APIs
- Scaling group APIs
- Super Node APIs
- Introduction
- Making API Requests
- Add-on APIs
- Other APIs
- Data Types
- Error Codes
- API Mapping Guide
- FAQs
- Service Agreement
- Contact Us
- Glossary
- User Guide(Old)
- Release Notes and Announcements
- Release Notes
- Announcements
- Security Vulnerability Fix Description
- Announcement on Authentication Upgrade of Some TKE APIs
- Discontinuing Update of NginxIngress Addon
- qGPU Service Adjustment
- Version Upgrade of Master Add-On of TKE Managed Cluster
- Upgrading tke-monitor-agent
- Discontinuing TKE API 2.0
- Instructions on Cluster Resource Quota Adjustment
- Decommissioning Kubernetes Version
- Deactivation of Scaling Group Feature
- Notice on TPS Discontinuation on May 16, 2022 at 10:00 (UTC +8)
- Basic Monitoring Architecture Upgrade
- Starting Charging on Managed Clusters
- Instructions on Stopping Delivering the Kubeconfig File to Nodes
- Release Notes
- Product Introduction
- Purchase Guide
- Quick Start
- TKE General Cluster Guide
- TKE General Cluster Overview
- Purchase a TKE General Cluster
- High-risk Operations of Container Service
- Deploying Containerized Applications in the Cloud
- Open Source Components
- Permission Management
- Cluster Management
- Cluster Overview
- Cluster Hosting Modes Introduction
- Cluster Lifecycle
- Creating a Cluster
- Changing the Cluster Operating System
- Deleting a Cluster
- Cluster Scaling
- Connecting to a Cluster
- Upgrading a Cluster
- Enabling IPVS for a Cluster
- Custom Kubernetes Component Launch Parameters
- Using KMS for Kubernetes Data Source Encryption
- Images
- Worker node introduction
- Normal Node Management
- Native Node Management
- Overview
- Native Node Parameters
- Purchasing Native Nodes
- Lifecycle of a Native Node
- Creating Native Nodes
- Modifying Native Nodes
- Deleting Native Nodes
- Self-Heal Rules
- Declarative Operation Practice
- Native Node Scaling
- In-place Pod Configuration Adjustment
- Enabling Public Network Access for a Native Node
- Management Parameters
- Enabling SSH Key Login for a Native Node
- FAQs for Native Nodes
- Supernode management
- Registered Node Management
- Memory Compression Instructions
- GPU Share
- Kubernetes Object Management
- Overview
- Namespace
- Workload
- Deployment Management
- StatefulSet Management
- DaemonSet Management
- CronJob Management
- Job Management
- Setting the Resource Limit of Workload
- Setting the Scheduling Rule for a Workload
- Setting the Health Check for a Workload
- Setting the Run Command and Parameter for a Workload
- Using a Container Image in a TCR Enterprise Instance to Create a Workload
- Auto Scaling
- Configuration
- Service Management
- Ingress Management
- Storage Management
- Policy Management
- Application and Add-On Feature Management Description
- Add-On Management
- Add-on Overview
- Add-On Lifecycle Management
- Cluster Autoscaler
- OOMGuard
- NodeProblemDetectorPlus Add-on
- NodeLocalDNSCache
- DNSAutoscaler
- COS-CSI
- CFS-CSI
- CFSTURBO-CSI
- CBS-CSI Description
- UserGroupAccessControl
- TCR Introduction
- TCR Hosts Updater
- DynamicScheduler
- DeScheduler
- Network Policy
- Nginx-ingress
- HPC
- Description of tke-monitor-agent
- tke-log-agent
- GPU-Manager Add-on
- Helm Application
- Application Market
- Network Management
- Container Network Overview
- GlobalRouter Mode
- VPC-CNI Mode
- VPC-CNI Mode
- Multiple Pods with Shared ENI Mode
- Pods with Exclusive ENI Mode
- Static IP Address Mode Instructions
- Non-static IP Address Mode Instructions
- Interconnection Between VPC-CNI and Other Cloud Resources/IDC Resources
- Security Group of VPC-CNI Mode
- Instructions on Binding an EIP to a Pod
- VPC-CNI Component Description
- Limits on the Number of Pods in VPC-CNI Mode
- Cilium-Overlay Mode
- OPS Center
- Log Management
- Backup Center
- Remote Terminals
- TKE Serverless Cluster Guide
- TKE Registered Cluster Guide
- TKE Insight
- TKE Scheduling
- Cloud Native Service Guide
- Practical Tutorial
- Cluster
- Cluster Migration
- Serverless Cluster
- Security
- Service Deployment
- Network
- DNS
- Self-Built Nginx Ingress Practice Tutorial
- Quick Start
- Custom Load Balancer
- Enabling CLB Direct Connection
- Optimization for High Concurrency Scenarios
- High Availability Configuration Optimization
- Observability Integration
- Access to Tencent Cloud WAF
- Installing Multiple Nginx Ingress Controllers
- Migrating from TKE Nginx Ingress Plugin to Self-Built Nginx Ingress
- Complete Example of values.yaml Configuration
- Using Network Policy for Network Access Control
- Deploying NGINX Ingress on TKE
- Nginx Ingress High-Concurrency Practices
- Nginx Ingress Best Practices
- Limiting the bandwidth on pods in TKE
- Directly connecting TKE to the CLB of pods based on the ENI
- Use CLB-Pod Direct Connection on TKE
- Obtaining the Real Client Source IP in TKE
- Using Traefik Ingress in TKE
- Release
- Logs
- Monitoring
- OPS
- Removing and Re-adding Nodes from and to Cluster
- Using Ansible to Batch Operate TKE Nodes
- Using Cluster Audit for Troubleshooting
- Renewing a TKE Ingress Certificate
- Using cert-manager to Issue Free Certificates
- Using cert-manager to Issue Free Certificate for DNSPod Domain Name
- Using the TKE NPDPlus Plug-In to Enhance the Self-Healing Capability of Nodes
- Using kubecm to Manage Multiple Clusters kubeconfig
- Quick Troubleshooting Using TKE Audit and Event Services
- Customizing RBAC Authorization in TKE
- Clearing De-registered Tencent Cloud Account Resources
- Terraform
- DevOps
- Auto Scaling
- Cluster Auto Scaling Practices
- Using tke-autoscaling-placeholder to Implement Auto Scaling in Seconds
- Installing metrics-server on TKE
- Using Custom Metrics for Auto Scaling in TKE
- Utilizing HPA to Auto Scale Businesses on TKE
- Using VPA to Realize Pod Scaling up and Scaling down in TKE
- Adjusting HPA Scaling Sensitivity Based on Different Business Scenarios
- Implementing elasticity based on traffic prediction with EHPA
- Implementing Horizontal Scaling based on CLB monitoring metrics using KEDA in TKE
- Containerization
- Microservice
- Cost Management
- Hybrid Cloud
- Fault Handling
- Disk Full
- High Workload
- Memory Fragmentation
- Cluster DNS Troubleshooting
- Cluster kube-proxy Troubleshooting
- Cluster API Server Inaccessibility Troubleshooting
- Service and Ingress Inaccessibility Troubleshooting
- Common Service & Ingress Errors and Solutions
- Engel Ingres appears in Connechtin Reverside
- CLB Ingress Creation Error
- Troubleshooting for Pod Network Inaccessibility
- Pod Status Exception and Handling
- Authorizing Tencent Cloud OPS Team for Troubleshooting
- CLB Loopback
- API Documentation
- History
- API Category
- Elastic Cluster APIs
- Resource Reserved Coupon APIs
- Cluster APIs
- AcquireClusterAdminRole
- CreateClusterEndpoint
- CreateClusterEndpointVip
- DeleteCluster
- DeleteClusterEndpoint
- DeleteClusterEndpointVip
- DescribeAvailableClusterVersion
- DescribeClusterAuthenticationOptions
- DescribeClusterCommonNames
- DescribeClusterEndpointStatus
- DescribeClusterEndpointVipStatus
- DescribeClusterEndpoints
- DescribeClusterKubeconfig
- DescribeClusterLevelAttribute
- DescribeClusterLevelChangeRecords
- DescribeClusterSecurity
- DescribeClusterStatus
- DescribeClusters
- DescribeEdgeAvailableExtraArgs
- DescribeEdgeClusterExtraArgs
- DescribeResourceUsage
- DisableClusterDeletionProtection
- EnableClusterDeletionProtection
- GetClusterLevelPrice
- GetUpgradeInstanceProgress
- ModifyClusterAttribute
- ModifyClusterAuthenticationOptions
- ModifyClusterEndpointSP
- UpgradeClusterInstances
- CreateBackupStorageLocation
- CreateCluster
- DeleteBackupStorageLocation
- DescribeBackupStorageLocations
- DescribeEncryptionStatus
- DisableEncryptionProtection
- EnableEncryptionProtection
- UpdateClusterKubeconfig
- UpdateClusterVersion
- Third-party Node APIs
- Network APIs
- Node APIs
- Node Pool APIs
- TKE Edge Cluster APIs
- CheckEdgeClusterCIDR
- DescribeAvailableTKEEdgeVersion
- DescribeECMInstances
- DescribeEdgeCVMInstances
- DescribeEdgeClusterInstances
- DescribeEdgeClusterUpgradeInfo
- DescribeTKEEdgeClusterStatus
- ForwardTKEEdgeApplicationRequestV3
- DescribeEdgeLogSwitches
- CreateECMInstances
- CreateEdgeCVMInstances
- CreateEdgeLogConfig
- DeleteECMInstances
- DeleteEdgeCVMInstances
- DeleteEdgeClusterInstances
- DeleteTKEEdgeCluster
- DescribeTKEEdgeClusterCredential
- DescribeTKEEdgeExternalKubeconfig
- DescribeTKEEdgeScript
- InstallEdgeLogAgent
- UninstallEdgeLogAgent
- UpdateEdgeClusterVersion
- DescribeTKEEdgeClusters
- CreateTKEEdgeCluster
- Cloud Native Monitoring APIs
- Scaling group APIs
- Super Node APIs
- Introduction
- Making API Requests
- Add-on APIs
- Other APIs
- Data Types
- Error Codes
- API Mapping Guide
- FAQs
- Service Agreement
- Contact Us
- Glossary
- User Guide(Old)
Description of Role Permissions Related to Service Authorization
Terakhir diperbarui:2022-05-09 11:40:29
When you use Tencent Kubernetes Engine (TKE), you need to authorize services to use relevant cloud resources. Each scenario usually contains policies that are defined for different roles in advance. The main roles involved are TKE_QCSRole and IPAMDofTKE_QCSRole. This document introduces the details of each authorization policy, and the authorization scenarios and authorization steps for each role.
Note:The sample role in this document does not contain the authorization policy related to container image repositories. For more information about TKE image related permissions, see TKE Image Registry Resource-level Permission Settings.
TKE_QCSRole
After TKE is activated, Tencent Cloud grants your account the permissions of the role TKE_QCSRole, which is associated with multiple preset policies by default. To obtain relevant permissions, you need to perform the corresponding preset policy authorization operations in specific authorization scenarios. After these operations are completed, the corresponding policy will appear in the role's list of authorized policies. The preset policies associated with TKE_QCSRole by default include:
The default associated preset policies
QcloudAccessForTKERole: The permission for TKE to access cloud resourcesQcloudAccessForTKERoleInOpsManagement: The permission for Ops management, including the log service
Other associated preset policies
QcloudAccessForTKERoleInCreatingCFSStorageclass: The permission for TKE to operate on Cloud File Storage (CFS), including adding/deleting/querying CFS systems, and querying the mount targets of a file system.QcloudCVMFinanceAccess: CVM finance permission
Preset policy QcloudAccessForTKERole
Authorization scenario
When you log in to the TKE console for the first time after registering and logging in to a Tencent Cloud account, you need to go to the "Cloud Access Management" page to grant the current account TKE permissions for operating on CVMs, CLBs, CBS, and other cloud resources.
Authorization steps
- Log in to the TKE console and click Cluster in the left sidebar to pop up the Service authorization window.
- Click Go to Cloud Access Management to enter the Role management page.
- Click Grant to complete authentication.
Permission content
- CVM
Permission Name Permission Description cvm:DescribeInstancesQuerying the list of server instances cvm:*Cbs*CBS-related permissions - Tag
Permission Name Permission Description tag:*All features related to tags - CLB
Permission Name Permission Description clb:*All features related to CLB - TKE
Permission Name Permission Description ccs:DescribeClusterQuerying a cluster list ccs:DescribeClusterInstancesQuerying cluster node information
Preset policy QcloudAccessForTKERoleInOpsManagement
Authorization scenario
This policy is associated with TKE_QCSRole by default. After TKE is activated and TKE_QCSRole is granted, you have the permissions of various Ops-related features, including log features.
Authorization steps
This policy and the preset policy QcloudAccessForTKERole are authorized at the same time, so no extra operation is needed.
Permission content
Log service
| Permission Name | Permission Description |
|---|---|
cls:listTopic |
Displaying the list of log topics under a specified logset |
cls:getTopic |
Viewing log topic information |
cls:createTopic |
Creating a log topic |
cls:modifyTopic |
Modifying a log topic |
cls:deleteTopic |
Deleting a log topic |
cls:listLogset |
Displaying the logset list |
cls:getLogset |
Viewing logset information |
cls:createLogset |
Creating a logset |
cls:modifyLogset |
Modifying a logset |
cls:deleteLogset |
Deleting a logset |
cls:listMachineGroup |
Displaying the server group list |
cls:getMachineGroup |
Viewing server group information |
cls:createMachineGroup |
Creating a server group |
cls:modifyMachineGroup |
Modifying a server group |
cls:deleteMachineGroup |
Deleting a server group |
cls:getMachineStatus |
Viewing server group status |
cls:pushLog |
Uploading logs |
cls:searchLog |
Querying logs |
cls:downloadLog |
Downloading logs |
cls:getCursor |
Getting the cursor based on time |
cls:getIndex |
Viewing indexes |
cls:modifyIndex |
Modifying indexes |
cls:agentHeartBeat |
Heartbeat |
cls:getConfig |
Getting the pusher configuration information |
Preset policy QcloudAccessForTKERoleInCreatingCFSStorageclass
Authorization scenario
The Tencent Cloud CFS add-on can help you use file storage in TKE clusters. When using this add-on for the first time, you need to authorize relevant resources, such as file systems in CFS, via TKE.
Authorization steps
- Log in to the TKE console and click Cluster in the left sidebar.
- On the "Cluster management" page, select the region and ID of the target cluster to go to the cluster details page.
- Select Add-on management and click Create.
- On the Add-on management page, if the add-on is selected as "CFS" for the first time, click Service Authorization at the bottom of the page.
- In the "Service authorization" window that pops up, click Cloud Access Management.
- On the "Role management" page, click Grant to complete authentication.
Permission content
File storage
| Permission Name | Permission Description |
|---|---|
| cfs:CreateCfsFileSystem | Creating a file system |
| cfs:DescribeCfsFileSystems | Querying a file system |
| cfs:DescribeMountTargets | Querying mount targets of a file system |
| cfs:DeleteCfsFileSystem | Deletes a file system |
Preset policy QcloudCVMFinanceAccess
Authorization steps
- Log in to the CAM console, and select Roles in the left sidebar.
- On the role list page, click TKE_QCSRole to enter the role management page.
- Select Associate policy on the TKE_QCSRole page, and confirm the operation in the "Risk tips" pop-up window.
- In the "Associate policy" window that pops up, find the policy
QcloudCVMFinanceAccessand select it.
- Click Confirm to complete the process.
Permission content
| Permission Name | Permission Description |
|---|---|
finance:* |
CVM finance permission |
IPAMDofTKE_QCSRole
IPAMDofTKE_QCSRole is the TKE IPAMD support service role. After the permissions of this role are granted, you need to associate preset policies in the authorization scenarios described in this document. After these operations are completed, the following policies will appear in the list of authorized policies of the role:
QcloudAccessForIPAMDofTKERole: The permission for TKE IPAMD to access cloud resources
Preset policy QcloudAccessForIPAMDofTKERole
Authorization scenario
When using the VPC-CNI network mode to create a cluster for the first time, you need to grant permission for TKE IPAMD to access cloud resources, so that you can use the VPC-CNI network mode normally.
Authorization steps
- Log in to the TKE console and click Cluster in the left sidebar.
- On the "Cluster Management" page, click Create or Create with a template above the cluster list.
- On the "Create cluster" page, select VPC-CNI for Container network add-on in "Cluster information" section, and click "Service Authorization".
- In the displayed "Service authorization" window, click Go to Cloud Access Management.
- On the "Role management" page, click Grant to complete authentication.
Permission content
- CVM
Permission Name Permission Description cvm:DescribeInstancesViewing the list of instances - Tag
Permission Name Permission Description tag:GetResourcesByTagsQuerying the resource list by tag tag:ModifyResourceTagsBatch modifying tags associated with a resource tag:GetResourceTagsByResourceIdsQuerying tags associated with a resource - VPC
Permission Name Permission Description vpc:DescribeSubnetQuerying the list of subnets vpc:CreateNetworkInterfaceCreating an ENI vpc:DescribeNetworkInterfacesQuerying the list of ENIs vpc:AttachNetworkInterfaceBinding an ENI with a CVM vpc:DetachNetworkInterfaceUnbinding an ENI from a CVM vpc:DeleteNetworkInterfaceDeleting an ENI vpc:AssignPrivateIpAddressesApplying for private IP addresses for an ENI vpc:UnassignPrivateIpAddressesReturning the private IP addresses of an ENI vpc:MigratePrivateIpAddressMigrating the private IP addresses of an ENI vpc:DescribeSubnetExQuerying the list of subnets vpc:DescribeVpcExQuerying peering connection vpc:DescribeNetworkInterfaceLimitQuerying the ENI quota vpc:DescribeVpcPrivateIpAddressesQuerying the private IP address of a VPC
Ya
Tidak
Apakah halaman ini membantu?