Release Notes and Announcements

Release Notes

Announcements

Release Notes

Product Introduction

Overview

Strengths

Architecture

Scenarios

Features

Concepts

Native Kubernetes Terms

Common High-Risk Operations

Regions and Availability Zones

Service Regions and Service Providers

Open Source Components

Purchase Guide

Purchase Instructions

Purchase a TKE General Cluster

Purchasing Native Nodes

Purchasing a Super Node

Getting Started

Beginner’s Guide

Quickly Creating a Standard Cluster

Examples

Container Application Deployment Check List

Cluster Configuration

General Cluster Overview

Cluster Management

Network Management

Storage Management

Node Management

GPU Resource Management

Remote Terminals

Application Configuration

Workload Management

Service and Configuration Management

Component and Application Management

Auto Scaling

Container Login Methods

Observability Configuration

Ops Observability

Cost Insights and Optimization

Scheduler Configuration

Scheduling Component Overview

Resource Utilization Optimization Scheduling

Business Priority Assurance Scheduling

QoS Awareness Scheduling

Security and Stability

TKE Security Group Settings

Identity Authentication and Authorization

Application Security

Multi-cluster Management

Planned Upgrade

Backup Center

Cloud Native Service Guide

Cloud Service for etcd

TMP

TKE Serverless Cluster Guide

TKE Registered Cluster Guide

Use Cases

Cluster

Serverless Cluster

Scheduling

Security

Service Deployment

Network

Release

Logs

Monitoring

OPS

Terraform

DevOps

Auto Scaling

Containerization

Microservice

Cost Management

Hybrid Cloud

Troubleshooting

Disk Full

High Workload

Memory Fragmentation

Cluster DNS Troubleshooting

Cluster kube-proxy Troubleshooting

Cluster API Server Inaccessibility Troubleshooting

Service and Ingress Inaccessibility Troubleshooting

Common Service & Ingress Errors and Solutions

Engel Ingres appears in Connechtin Reverside

CLB Ingress Creation Error

Troubleshooting for Pod Network Inaccessibility

Pod Status Exception and Handling

Authorizing Tencent Cloud OPS Team for Troubleshooting

CLB Loopback

API Documentation

History

Introduction

API Category

Making API Requests

Elastic Cluster APIs

Resource Reserved Coupon APIs

Cluster APIs

Third-party Node APIs

Relevant APIs for Addon

Network APIs

Node APIs

Node Pool APIs

TKE Edge Cluster APIs

Cloud Native Monitoring APIs

Scaling group APIs

Super Node APIs

Other APIs

Data Types

Error Codes

TKE API 2022-05-01

FAQs

TKE General Cluster

TKE Serverless Cluster

About OPS

Hidden Danger Handling

About Services

Image Repositories

About Remote Terminals

Event FAQs

Resource Management

Service Agreement

TKE Service Level Agreement

TKE Serverless Service Level Agreement

Glossary

Granting TKE Cluster Permissions to API Gateway

Focus Mode

Font Size

Last updated: 2024-12-23 11:30:47

Scenario
This document describes how to authorize API Gateway to access the API server of a TKE cluster, offers solutions to authorization issues, and lists the permissions obtained by API Gateway in an YAML file.
Prerequisites
1. You have logged in to the API Gateway console.
2. You have a TKE cluster and have obtained its admin role.
Directions
In the TKE tunnel configuration of API Gateway, if you reference a TKE cluster for the first time, you need to grant API Gateway the access to the cluster's API server and ensure that the cluster has private network access enabled.
When the TKE tunnel is configured, the API Gateway system will automatically check whether the cluster has been authorized, and if not, it will prompt you for authorization.
If the cluster access has already been granted to API Gateway, the system will display Authorized API Gateway. Each cluster only needs to be authorized for API Gateway once and doesn't require repeated authorizations for subsequent operations.
How It Works
The process for API Gateway to get the authorization is as follows:
1. Under the kube-system namespace, create a ServiceAccount named apigw-ingress and a ClusterRole named apigw-ingress-clusterrole.
2. Bind apigw-ingress and apigw-ingress-clusterrole through ClusterRoleBinding. Then, the permission of the apigw-ingress ServiceAccount is obtained by API Gateway to access the API server of the cluster.
The permission of the apigw-ingress ServiceAccount is stored in the Secret prefixed with apigw-ingress-token-.
For more information on the permissions obtained by API Gateway and the specific method, see the YAML used to create resources:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: apigw-ingress-clusterrole
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - namespaces
      - endpoints
      - nodes
      - pods
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - apps
    resources:
      - deployments
      - replicasets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - ""
    resources:
      - configmaps
      - secrets
    verbs:
      - "*"
  - apiGroups:
      - extensions
    resources:
      - ingresses
      - ingresses/status
    verbs:
      - "*"
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
      - list
      - update
  - apiGroups:
      - apiextensions.k8s.io
    resources:
      - customresourcedefinitions
    verbs:
      - "*"
  - apiGroups:
      - cloud.tencent.com
    resources:
      - tkeserviceconfigs
    verbs:
      - "*"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-system
  name: apigw-ingress
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: apigw-ingress-clusterrole-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: apigw-ingress-clusterrole
subjects:
  - kind: ServiceAccount
    name: apigw-ingress
    namespace: kube-system
Reminders
After you successfully grant API Gateway the access to the TKE cluster, you cannot modify the resources reserved by API Gateway, including:
The ServiceAccount named apigw-ingress under the kube-system namespace.
The ClusterRole named apigw-ingress-clusterrole under the kube-system namespace.
The ClusterRoleBinding named apigw-ingress-clusterrole-binding under the kube-system namespace.
The Secret prefixed with apigw-ingress-token- in the kube-system namespace.
FAQs
Problem: During authorization, it is found that the private network access feature is not enabled for the TKE cluster.
Solution: Enable the TKE cluster's private network access feature and then click Retry.

Help and Support

Was this page helpful?

You can also Contact sales or Submit a Ticket for help.

Help us improve! Rate your documentation experience in 5 mins.

Feedback

tencent cloud

Tencent Kubernetes Engine

Granting TKE Cluster Permissions to API Gateway

Scenario

Prerequisites

Directions

How It Works

Reminders

FAQs

Help and Support