tencent cloud

Tencent Kubernetes Engine

Release Notes and Announcements
Release Notes
Announcements
Release Notes
Product Introduction
Overview
Strengths
Architecture
Scenarios
Features
Concepts
Native Kubernetes Terms
Common High-Risk Operations
Regions and Availability Zones
Service Regions and Service Providers
Open Source Components
Purchase Guide
Purchase Instructions
Purchase a TKE General Cluster
Purchasing Native Nodes
Purchasing a Super Node
Getting Started
Beginner’s Guide
Quickly Creating a Standard Cluster
Examples
Container Application Deployment Check List
Cluster Configuration
General Cluster Overview
Cluster Management
Network Management
Storage Management
Node Management
GPU Resource Management
Remote Terminals
Application Configuration
Workload Management
Service and Configuration Management
Component and Application Management
Auto Scaling
Container Login Methods
Observability Configuration
Ops Observability
Cost Insights and Optimization
Scheduler Configuration
Scheduling Component Overview
Resource Utilization Optimization Scheduling
Business Priority Assurance Scheduling
QoS Awareness Scheduling
Security and Stability
TKE Security Group Settings
Identity Authentication and Authorization
Application Security
Multi-cluster Management
Planned Upgrade
Backup Center
Cloud Native Service Guide
Cloud Service for etcd
TMP
TKE Serverless Cluster Guide
TKE Registered Cluster Guide
Use Cases
Cluster
Serverless Cluster
Scheduling
Security
Service Deployment
Network
Release
Logs
Monitoring
OPS
Terraform
DevOps
Auto Scaling
Containerization
Microservice
Cost Management
Hybrid Cloud
AI
Troubleshooting
Disk Full
High Workload
Memory Fragmentation
Cluster DNS Troubleshooting
Cluster kube-proxy Troubleshooting
Cluster API Server Inaccessibility Troubleshooting
Service and Ingress Inaccessibility Troubleshooting
Common Service & Ingress Errors and Solutions
Engel Ingres appears in Connechtin Reverside
CLB Ingress Creation Error
Troubleshooting for Pod Network Inaccessibility
Pod Status Exception and Handling
Authorizing Tencent Cloud OPS Team for Troubleshooting
CLB Loopback
API Documentation
History
Introduction
API Category
Making API Requests
Elastic Cluster APIs
Resource Reserved Coupon APIs
Cluster APIs
Third-party Node APIs
Relevant APIs for Addon
Network APIs
Node APIs
Node Pool APIs
TKE Edge Cluster APIs
Cloud Native Monitoring APIs
Scaling group APIs
Super Node APIs
Other APIs
Data Types
Error Codes
TKE API 2022-05-01
FAQs
TKE General Cluster
TKE Serverless Cluster
About OPS
Hidden Danger Handling
About Services
Image Repositories
About Remote Terminals
Event FAQs
Resource Management
Service Agreement
TKE Service Level Agreement
TKE Serverless Service Level Agreement
Contact Us
Glossary
DocumentationTencent Kubernetes EngineSecurity and StabilityIdentity Authentication and Authorization Controlling TKE cluster-level permissions Usage ExamplesConfiguring a Sub-account's Administrative Permissions to a Single TKE Cluster

Configuring a Sub-account's Administrative Permissions to a Single TKE Cluster

PDF
Focus Mode
Font Size
Last updated: 2024-12-11 18:50:30

Overview

You can grant a user the permissions to view and use specific resources in the TKE console by using a CAM policy. This document describes how to configure the CAM policy of a single cluster in the console.

Directions

Configuring full read/write permission for a single cluster

1. Log in to the CAM console.
2. In the left sidebar, click Policies to go to the policy management page.
3. Click Create Custom Policy and select the "Create by Policy Syntax" method.
4. Select the "Blank template" type and click Next.
5. Enter a custom policy name and replace "Edit policy content" with the following content.
{
 "version": "2.0",
 "statement": [
     {
         "action": [
             "ccs:*"
         ],
         "resource": [
             "qcs::ccs:sh::cluster/cls-XXXXXXX",
             "qcs::cvm:sh::instance/*"
         ],
         "effect": "allow"
     },
     {
         "action": [
             "cvm:*"
         ],
         "resource": "*",
         "effect": "allow"
     },
     {
         "action": [
             "vpc:*"
         ],
         "resource": "*",
         "effect": "allow"
     },
     {
         "action": [
             "clb:*"
         ],
         "resource": "*",
         "effect": "allow"
     },
     {
         "action": [
             "monitor:*",
             "cam:ListUsersForGroup",
             "cam:ListGroups",
             "cam:GetGroup",
             "cam:GetRole"
         ],
         "resource": "*",
         "effect": "allow"
     }
 ]
}
6. In "Edit policy content", modify qcs::ccs:sh::cluster/cls-XXXXXXX to the cluster in the specified region for which you want to grant permissions, as shown below: For example, if you need to grant full read/write permission for the cls-69z7ek9l cluster in Guangzhou, modify qcs::ccs:sh::cluster/cls-XXXXXXX to "qcs::ccs:gz::cluster/cls-69z7ek9l".
Edit Policy Content

Note:
Replace with the ID of the cluster in the specified region for which you want to grant permissions. If you want to allow sub-accounts to scale the cluster, you also need to configure the user payment permission for the sub-accounts.
7. Click Create a policy to complete the configuration of full read/write permission for a single cluster.

Configuring read-only permission for a single cluster

1. Log in to the CAM console.
2. In the left sidebar, click Policies to go to the policy management page.
3. Click Create Custom Policy and select the "Create by Policy Syntax" method.
4. Select the "Blank template" type and click Next.
5. Enter a custom policy name and replace "Edit policy content" with the following content.
{
 "version": "2.0",
 "statement": [
     {
         "action": [
             "ccs:Describe*",
             "ccs:Check*"
         ],
         "resource": "qcs::ccs:gz::cluster/cls-1xxxxxx",
         "effect": "allow"
     },
     {
         "action": [
             "cvm:Describe*",
             "cvm:Inquiry*"
         ],
         "resource": "*",
         "effect": "allow"
     },
     {
         "action": [
             "vpc:Describe*",
             "vpc:Inquiry*",
             "vpc:Get*"
         ],
         "resource": "*",
         "effect": "allow"
     },
     {
         "action": [
             "clb:Describe*"
         ],
         "resource": "*",
         "effect": "allow"
     },
     {
         "effect": "allow",
         "action": [
             "monitor:*",
             "cam:ListUsersForGroup",
             "cam:ListGroups",
             "cam:GetGroup",
             "cam:GetRole"
         ],
         "resource": "*"
     }
 ]
}
6. In "Edit policy content", modify qcs::ccs:gz::cluster/cls-1xxxxxx to the cluster in the specified region for which you want to grant permissions, as shown below: For example, if you need to grant ready-only permission for the cls-19a7dz9c cluster in Beijing, modify qcs::ccs:gz::cluster/cls-1xxxxxx to qcs::ccs:bj::cluster/cls-19a7dz9c.
Edit Policy Content 2

7. Click Create a policy to complete the configuration of read-only permission for a single cluster.
Previous Topic: Using Labels to Configure Sub-accounts with Full Read/Write Permissions for Batch ClustersNext Topic: Configuring a Sub-account's Full Read/write or Read-only Permission to TKE

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback