tencent cloud

Tencent Kubernetes Engine

Release Notes and Announcements
Release Notes
Announcements
Release Notes
Product Introduction
Overview
Strengths
Architecture
Scenarios
Features
Concepts
Native Kubernetes Terms
Common High-Risk Operations
Regions and Availability Zones
Service Regions and Service Providers
Open Source Components
Purchase Guide
Purchase Instructions
Purchase a TKE General Cluster
Purchasing Native Nodes
Purchasing a Super Node
Getting Started
Beginner’s Guide
Quickly Creating a Standard Cluster
Examples
Container Application Deployment Check List
Cluster Configuration
General Cluster Overview
Cluster Management
Network Management
Storage Management
Node Management
GPU Resource Management
Remote Terminals
Application Configuration
Workload Management
Service and Configuration Management
Component and Application Management
Auto Scaling
Container Login Methods
Observability Configuration
Ops Observability
Cost Insights and Optimization
Scheduler Configuration
Scheduling Component Overview
Resource Utilization Optimization Scheduling
Business Priority Assurance Scheduling
QoS Awareness Scheduling
Security and Stability
TKE Security Group Settings
Identity Authentication and Authorization
Application Security
Multi-cluster Management
Planned Upgrade
Backup Center
Cloud Native Service Guide
Cloud Service for etcd
TMP
TKE Serverless Cluster Guide
TKE Registered Cluster Guide
Use Cases
Cluster
Serverless Cluster
Scheduling
Security
Service Deployment
Network
Release
Logs
Monitoring
OPS
Terraform
DevOps
Auto Scaling
Containerization
Microservice
Cost Management
Hybrid Cloud
AI
Troubleshooting
Disk Full
High Workload
Memory Fragmentation
Cluster DNS Troubleshooting
Cluster kube-proxy Troubleshooting
Cluster API Server Inaccessibility Troubleshooting
Service and Ingress Inaccessibility Troubleshooting
Common Service & Ingress Errors and Solutions
Engel Ingres appears in Connechtin Reverside
CLB Ingress Creation Error
Troubleshooting for Pod Network Inaccessibility
Pod Status Exception and Handling
Authorizing Tencent Cloud OPS Team for Troubleshooting
CLB Loopback
API Documentation
History
Introduction
API Category
Making API Requests
Elastic Cluster APIs
Resource Reserved Coupon APIs
Cluster APIs
Third-party Node APIs
Relevant APIs for Addon
Network APIs
Node APIs
Node Pool APIs
TKE Edge Cluster APIs
Cloud Native Monitoring APIs
Scaling group APIs
Super Node APIs
Other APIs
Data Types
Error Codes
TKE API 2022-05-01
FAQs
TKE General Cluster
TKE Serverless Cluster
About OPS
Hidden Danger Handling
About Services
Image Repositories
About Remote Terminals
Event FAQs
Resource Management
Service Agreement
TKE Service Level Agreement
TKE Serverless Service Level Agreement
Contact Us
Glossary
DocumentationTencent Kubernetes EngineApplication ConfigurationComponent and Application Management Add-On ManagementUserGroupAccessControl

UserGroupAccessControl

PDF
Focus Mode
Font Size
Last updated: 2023-08-01 17:07:54

Overview

Add-on description

‍With UserGroupAccessControl, you can integrate Kubernetes RBAC into a Tencent Cloud CAM user group to control sub-account access in a refined manner.

Kubernetes objects deployed in a cluster

Kubernetes object name
Type
Specification
Namespaces
user-group-access-control
ServiceAccount
-
kube-system
user-group-access-control
ClusterRole
-
kube-system
user-group-access-control
ClusterRoleBinding
-
kube-system
user-group-access-control
Service
-
kube-system
user-group-access-control
ConfigMap
-
kube-system
user-group-access-control
Deployment
0.5C1G (for new Kubernetes objects)
kube-system

Use Cases

A CAM user group is a collection of multiple users (sub-accounts) with similar roles. It can provide authorization and set subscription messages in batches. UserGroupAccessControl can help setting the same Kubernetes object access permissions for sub-accounts with the same function in a TKE general cluster.

Limits

Supported ‍K8s cluster versions: v1.16 and later versions.

Directions

Note:
To use the UserGroupAccessControl add-on, please submit a ticket.

Step 1. Create a user group

Create a user group in CAM. For details, see Creating User Group. If you already have a user group, skip this step.

Step 2. Install the add-on

1. Log in to the TKE console. In the left sidebar, click Cluster.
2. On the Cluster page, click the ID of the target cluster to go to the cluster details page.
3. In the left sidebar, click Add-on management. On the page that appears, click Create.
4. On the Create add-on page, select the Authentication authorization module and select UserGroupAccessControl.
5. Click Service authorization. Associate the "TKE_QCSRole" role with the preset policy "QcloudAccessForTKERoleInGroupsForUser" to allow TKE access information of user groups under your account.
On the Service authorization page, confirm the role name and authorization policy, and click Grant.
6. Go back to the Create add-on page, click Complete. Now, you can view the add-on details on the Add-on management page.

Step 3. Create a role and bind the policy to the user group

1. In the left sidebar, click Authorization Management > ClusterRole. Click RBAC Policy Generator on the ClusterRole page.
2. Select User group for account type, and select the target user group.
3. Click Next. In Cluster RBAC settings, set Kubernetes object access permissions for the specified user group.
4. Click Complete.

Step 4: View the role binding policy

In the left sidebar, click Authorization management > ClusterRoleBinding. Check the policy that is named starting with the user group ID.
Note:
To manage permissions for Tencent Cloud resources (such as migrating sub-accounts, adding/removing permission for cloud resources), you only need to make changes in the CAM user group. ‍The policy associated with the created role will be updated at the same time. For details, see Managing User Groups.

Previous Topic: tke-eni-ip-webhookNext Topic: TCR Hosts Updater

Help and Support

Was this page helpful?

Help us improve! Rate your documentation experience in 5 mins.

Feedback