tencent cloud

PrevNext

文档反馈

请输入关键字

Recent Pages

文档
容器服务
    文档
    Download PDF

    授权腾讯云售后运维排障

    最后更新时间:2023-05-22 10:13:27
    下载PDF
      默认情况下腾讯云无法登录集群进行问题排障,如果您需要腾讯云售后协助进行运维排障,请参考以下步骤授予腾讯云运维权限。您有权随时吊销回收授予腾讯云的运维排障权限。

      通过控制台授予腾讯云权限

      1. 登录 容器服务控制台
      2. 在集群管理中选择需要腾讯云协助的集群。
      3. 在集群详情页,选择授权管理 > 授权腾讯云运维
      4. 集群RBAC设置中,选择赋予腾讯云的操作权限。如下图所示:
      
      
      5. 设置完成后,您可在 我的工单 中查看问题处理进度。
      注意:
      默认情况下腾讯云无法登录集群进行问题排障,如果您需要腾讯云售后协助进行运维排障,您可以授予腾讯云指定的运维权限,同时您有权随时吊销回收授予腾讯云的运维排障权限。 您可以通过删除相关资源(ClusterRoleBinding/tkeopsaccount-ClusterRole、ServiceAccount/tkeopsaccount、Sercet/tkeopsaccount-token-xxxx)吊销腾讯云运维权限

      通过 Kubernetes API 授予腾讯云权限

      您可以通过创建以下 Kubernetes 资源授予腾讯云指定权限。

      ServiceAccount 授予腾讯云访问集群凭证

      kind: ServiceAccount
      apiVersion: v1
      metadata:
        name: tkeopsaccount
        namespace: kube-system
        labels:
          cloud.tencent.com/tke-ops-account: tkeops

      ClusterRoleBinding/RoleBing 授予腾讯云的操作权限规则

      说明:
      1. 名称和 label 需按如下规则创建。
      2. roleRef 可替换为您期望授权腾讯云的权限。
      apiVersion: rbac.authorization.k8s.io/v1beta1
      kind: ClusterRoleBinding
      metadata:
        annotations:
          cloud.tencent.com/tke-ops-account: tkeops
        labels:
          cloud.tencent.com/tke-ops-account: tkeops
        name: tkeopsaccount-ClusterRole
      roleRef:
        apiGroup: rbac.authorization.k8s.io
        kind: ClusterRole
        name: tke:admin
      subjects:
      - kind: ServiceAccount
        name: tkeopsaccount
        namespace: kube-system

      (可选)ClusterRole/Role 授予腾讯云的操作权限

      如集群内有相关 ClusterRole/Role 可直接使用 ClusterRoleBinding/RoleBinding 关联。通过控制台授权,将自动创建策略,无需单独创建。
      管理员权限
      只读权限
      apiVersion: rbac.authorization.k8s.io/v1beta1
      kind: ClusterRole
      metadata:
        labels:
          cloud.tencent.com/tke-rbac-generated: "true"
        name: tke:admin
      rules:
      - apiGroups:
        - '*'
        resources:
        - '*'
        verbs:
        - '*'
      - nonResourceURLs:
        - '*'
        verbs:
        - '*'
      apiVersion: rbac.authorization.k8s.io/v1beta1
      kind: ClusterRole
      metadata:
        labels:
          cloud.tencent.com/tke-rbac-generated: "true"
        name: tke:ro
      rules:
      - apiGroups:
        - ""
        resources:
        - pods
        - pods/attach
        - pods/exec
        - pods/portforward
        - pods/proxy
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - ""
        resources:
        - configmaps
        - endpoints
        - persistentvolumeclaims
        - replicationcontrollers
        - replicationcontrollers/scale
        - secrets
        - serviceaccounts
        - services
        - services/proxy
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - ""
        resources:
        - nodes
        - persistentvolumes
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - ""
        resources:
        - events
        - replicationcontrollers/status
        - pods/log
        - pods/status
        - componentstatuses
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - apps
        resources:
        - daemonsets
        - deployments
        - deployments/rollback
        - deployments/scale
        - replicasets
        - replicasets/scale
        - statefulsets
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - autoscaling
        resources:
        - horizontalpodautoscalers
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - storage.k8s.io
        resources:
        - storageclasses
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - batch
        resources:
        - cronjobs
        - jobs
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - extensions
        - networking.k8s.io
        resources:
        - daemonsets
        - deployments
        - deployments/rollback
        - deployments/scale
        - ingresses
        - replicasets
        - replicasets/scale
        - replicationcontrollers/scale
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - servicecatalog.k8s.io
        resources:
        - clusterserviceclasses
        - clusterserviceplans
        - clusterservicebrokers
        - serviceinstances
        - servicebindings
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - policy
        resources:
        - poddisruptionbudgets
        verbs:
        - get
        - list
      - apiGroups:
        - networking.istio.io
        - config.istio.io
        - rbac.istio.io
        - authentication.istio.io
        - security.istio.io
        - install.istio.io
        resources:
        - '*'
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - apiextensions.k8s.io
        resources:
        - customresourcedefinitions
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - networking.tke.cloud.tencent.com
        resources:
        - '*'
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - cloud.tencent.com
        resources:
        - '*'
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - ccs.cloud.tencent.com
        resources:
        - '*'
        verbs:
        - get
        - list
        - watch
      - apiGroups:
        - cls.cloud.tencent.com
        resources:
        - '*'
        verbs:
        - get
        - list
        - watch
      
      联系我们

      联系我们,为您的业务提供专属服务。

      联系我们
      技术支持

      如果你想寻求进一步的帮助,通过工单与我们进行联络。我们提供7x24的工单服务。

      提交工单
      7x24 电话支持
      Copyright © 2013-2024 Tencent Cloud. All Rights Reserved.
      隐私条款服务条款缓存条款