tencent cloud

文档反馈

容器服务

最后更新时间:2024-11-26 10:00:51

    服务(相关)角色是由腾讯云服务预定义,经用户授权后相应服务即可通过扮演服务相关角色对用户资源进行访问操作。本文档介绍具体服务相关角色的使用场景及相关权限策略信息。

    CAM中产品名 角色名称 角色类型 角色载体
    容器服务 TKE_QCSLinkedRoleInTDCC 服务相关角色 cvm.qcloud.com
    tdcc.tke.cloud.tencent.com
    容器服务 TKE_QCSLinkedRoleInEKSLog 服务相关角色 cvm.qcloud.com
    ekslog.tke.cloud.tencent.com
    容器服务 TKE_QCSLinkedRoleInEtcdService 服务相关角色 cvm.qcloud.com
    etcdservice.tke.cloud.tencent.com
    容器服务 TKE_QCSLinkedRoleInEKSCostMaster 服务相关角色 cvm.qcloud.com
    ekscostmaster.tke.cloud.tencent.com
    容器服务 TKE_QCSLinkedRoleInPrometheusService 服务相关角色 cvm.qcloud.com
    prometheusservice.tke.cloud.tencent.com

    TKE_QCSLinkedRoleInTDCC

    使用场景: 当前角色为容器服务(TKE)服务相关角色,该角色将在已关联策略的权限范围内访问您的其他云服务资源。
    权限策略

    • 策略名称: QcloudAccessForTKELinkedRoleInTDCC
    • 策略内容:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "cls:listTopic",
                    "cls:getTopic",
                    "cls:createTopic",
                    "cls:modifyTopic",
                    "cls:listMachineGroup",
                    "cls:getMachineGroup",
                    "cls:createMachineGroup",
                    "cls:modifyMachineGroup",
                    "cls:deleteMachineGroup",
                    "cls:getMachineStatus",
                    "cls:pushLog",
                    "cls:agentHeartBeat",
                    "cls:getConfig",
                    "cls:getIndex",
                    "cls:modifyIndex",
                    "cls:ApplyConfigToMachineGroup",
                    "cls:CreateConfig",
                    "cls:CreateIndex",
                    "cls:CreateLogset",
                    "cls:CreateMachineGroup",
                    "cls:CreateTopic",
                    "cls:DeleteConfig",
                    "cls:DeleteConfigFromMachineGroup",
                    "cls:DeleteLogset",
                    "cls:DeleteMachineGroup",
                    "cls:DeleteTopic",
                    "cls:DescribeConfigMachineGroups",
                    "cls:DescribeConfigs",
                    "cls:DescribeLogsets",
                    "cls:DescribeMachineGroupConfigs",
                    "cls:DescribeMachineGroups",
                    "cls:DescribeTopics",
                    "cls:ModifyConfig",
                    "cls:ModifyIndex",
                    "cls:ModifyMachineGroup",
                    "cls:ModifyTopic"
                ],
                "resource": [
                    "*"
                ]
            }
        ]
    }
    

    TKE_QCSLinkedRoleInEKSLog

    使用场景: 当前角色为容器服务(TKE)服务角色,该角色将在已关联策略的权限范围内访问您的其他云服务资源。
    权限策略

    • 策略名称: QcloudAccessForTKELinkedRoleInEKSLog
    • 策略内容:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "cls:pushLog",
                    "cls:agentHeartBeat",
                    "cls:getConfig"
                ],
                "resource": [
                    "*"
                ]
            }
        ]
    }
    

    TKE_QCSLinkedRoleInEtcdService

    使用场景: 当前角色为容器服务(TKE)服务角色,该角色将在已关联策略的权限范围内访问您的其他云服务资源。
    权限策略

    • 策略名称: QcloudAccessForTKELinkedRoleInEtcdService
    • 策略内容:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "resource": [
                    "*"
                ],
                "action": [
                    "cos:DeleteBucket",
                    "cos:GetBucket",
                    "cos:PutBucket",
                    "cos:HeadBucket",
                    "cos:GetObject",
                    "cos:HeadObject",
                    "cos:PutObject",
                    "cos:DeleteObject",
                    "cos:DeleteMultipleObjects",
                    "cos:ListMultipartUploads",
                    "cos:AbortMultipartUpload"
                ]
            }
        ]
    }
    

    TKE_QCSLinkedRoleInEKSCostMaster

    使用场景: 当前角色为容器服务(TKE)服务相关角色,该角色将在已关联策略的权限范围内访问您的其他云服务资源。
    权限策略

    • 策略名称: QcloudAccessForTKELinkedRoleInEKSCostMaster
    • 策略内容:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "monitor:DescribeMidDimensionValueList",
                    "monitor:DescribeStatisticData",
                    "monitor:GetMonitorData"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }
    

    TKE_QCSLinkedRoleInPrometheusService

    使用场景: 当前角色为容器服务(TKE)服务角色,该角色将在已关联策略的权限范围内访问您的其他云服务资源。
    权限策略

    • 策略名称: QcloudAccessForTKELinkedRoleInPrometheusService
    • 策略内容:
    {
        "statement": [
            {
                "action": [
                    "cos:DeleteBucket",
                    "cos:GetBucket",
                    "cos:PutBucket",
                    "cos:HeadBucket",
                    "cos:GetObject",
                    "cos:HeadObject",
                    "cos:PutObject",
                    "cos:DeleteObject",
                    "cos:DeleteMultipleObjects",
                    "cos:ListMultipartUploads",
                    "cos:AbortMultipartUpload",
                    "cos:AbortMultipartUpload",
                    "cos:ListMultipartUploads",
                    "monitor:DescribePrometheusInstances",
                    "monitor:DescribeRecordingRules",
                    "monitor:DescribeAlertRules",
                    "monitor:DescribeAlarmNotice",
                    "monitor:DescribeAlarmNotices",
                    "monitor:DescribeAlarmNoticeCallbacks",
                    "monitor:DescribeAlarmHistories",
                    "monitor:CreatePrometheusMultiTenantInstance",
                    "monitor:TerminatePrometheusInstances",
                    "monitor:ModifyPrometheusInstanceAttributes",
                    "monitor:CreateRecordingRule",
                    "monitor:DeleteRecordingRules",
                    "monitor:UpdateRecordingRule",
                    "monitor:CreateAlertRule",
                    "monitor:DeleteAlertRules",
                    "monitor:UpdateAlertRule",
                    "monitor:UpdateAlertRuleState",
                    "monitor:CreateAlarmNotice",
                    "monitor:DeleteAlarmNotices",
                    "monitor:ModifyAlarmNotice",
                    "monitor:ModifyAlarmPolicyNotice",
                    "monitor:CreateManagedEKSAgent",
                    "monitor:DescribeManagedEKSAgent",
                    "monitor:CreateAlertRuleReceiverNotRequired",
                    "monitor:UpdateAlertRuleReceiverNotRequired",
                    "monitor:DescribeExporterIntegrations",
                    "monitor:CreateExporterIntegration",
                    "monitor:UpdateExporterIntegration",
                    "monitor:DeleteExporterIntegration",
                    "monitor:CreateGrafanaInstance",
                    "monitor:CreatePrometheusMultiTenantInstancePostPayMode",
                    "monitor:BindPrometheusManagedGrafana",
                    "monitor:DescribeGrafanaInstances",
                    "tdcc:DescribeExternalClusters",
                    "tdcc:DescribeExternalClusterCredential",
                    "monitor:UpgradeGrafanaDashboard",
                    "monitor:UninstallGrafanaDashboard",
                    "monitor:DescribePrometheusAlertGroups",
                    "monitor:CreatePrometheusAlertGroup",
                    "monitor:UpdatePrometheusAlertGroup",
                    "monitor:DeletePrometheusAlertGroups",
                    "monitor:UpdatePrometheusAlertGroupState",
                    "tke:DescribeTKEEdgeExternalKubeconfig",
                    "tke:DescribeTKEEdgeClusterCredential",
                    "tke:DescribeTKEEdgeClusters",
                    "tke:DescribeClusters",
                    "tke:DescribeClusterSecurity"
                ],
                "effect": "allow",
                "resource": [
                    "*"
                ]
            }
        ],
        "version": "2.0"
    }
    
    联系我们

    联系我们,为您的业务提供专属服务。

    技术支持

    如果你想寻求进一步的帮助,通过工单与我们进行联络。我们提供7x24的工单服务。

    7x24 电话支持