tencent cloud

Feedback

Tencent Kubernetes Engine

Last updated: 2024-06-13 09:22:33

    Service roles and service-linked roles are predefined by Tencent Cloud services and, upon user authorization, the corresponding services can access and use resources by assuming these service-linked roles. This document provides detailed information on the use cases and associated authorization policies of these specific service-linked roles.

    Product Role Name Role Types Role Entity
    Tencent Kubernetes Engine TKE_QCSLinkedRoleInTDCC Service-Related Roles cvm.qcloud.com
    tdcc.tke.cloud.tencent.com
    Tencent Kubernetes Engine TKE_QCSLinkedRoleInEKSLog Service-Related Roles cvm.qcloud.com
    ekslog.tke.cloud.tencent.com
    Tencent Kubernetes Engine TKE_QCSLinkedRoleInEtcdService Service-Related Roles cvm.qcloud.com
    etcdservice.tke.cloud.tencent.com
    Tencent Kubernetes Engine TKE_QCSLinkedRoleInEKSCostMaster Service-Related Roles cvm.qcloud.com
    ekscostmaster.tke.cloud.tencent.com
    Tencent Kubernetes Engine TKE_QCSLinkedRoleInPrometheusService Service-Related Roles cvm.qcloud.com
    prometheusservice.tke.cloud.tencent.com

    TKE_QCSLinkedRoleInTDCC

    Use Cases: The current role is the TKE service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
    Authorization Polices

    • Policy Name: QcloudAccessForTKELinkedRoleInTDCC
    • Policy Information:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "cls:listTopic",
                    "cls:getTopic",
                    "cls:createTopic",
                    "cls:modifyTopic",
                    "cls:listMachineGroup",
                    "cls:getMachineGroup",
                    "cls:createMachineGroup",
                    "cls:modifyMachineGroup",
                    "cls:deleteMachineGroup",
                    "cls:getMachineStatus",
                    "cls:pushLog",
                    "cls:agentHeartBeat",
                    "cls:getConfig",
                    "cls:getIndex",
                    "cls:modifyIndex",
                    "cls:ApplyConfigToMachineGroup",
                    "cls:CreateConfig",
                    "cls:CreateIndex",
                    "cls:CreateLogset",
                    "cls:CreateMachineGroup",
                    "cls:CreateTopic",
                    "cls:DeleteConfig",
                    "cls:DeleteConfigFromMachineGroup",
                    "cls:DeleteLogset",
                    "cls:DeleteMachineGroup",
                    "cls:DeleteTopic",
                    "cls:DescribeConfigMachineGroups",
                    "cls:DescribeConfigs",
                    "cls:DescribeLogsets",
                    "cls:DescribeMachineGroupConfigs",
                    "cls:DescribeMachineGroups",
                    "cls:DescribeTopics",
                    "cls:ModifyConfig",
                    "cls:ModifyIndex",
                    "cls:ModifyMachineGroup",
                    "cls:ModifyTopic"
                ],
                "resource": [
                    "*"
                ]
            }
        ]
    }
    

    TKE_QCSLinkedRoleInEKSLog

    Use Cases: The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
    Authorization Polices

    • Policy Name: QcloudAccessForTKELinkedRoleInEKSLog
    • Policy Information:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "action": [
                    "cls:listTopic",
                    "cls:getTopic",
                    "cls:createTopic",
                    "cls:modifyTopic",
                    "cls:listMachineGroup",
                    "cls:getMachineGroup",
                    "cls:createMachineGroup",
                    "cls:modifyMachineGroup",
                    "cls:deleteMachineGroup",
                    "cls:getMachineStatus",
                    "cls:pushLog",
                    "cls:agentHeartBeat",
                    "cls:getConfig",
                    "cls:getIndex",
                    "cls:modifyIndex",
                    "cls:ApplyConfigToMachineGroup",
                    "cls:CreateConfig",
                    "cls:CreateIndex",
                    "cls:CreateLogset",
                    "cls:CreateMachineGroup",
                    "cls:CreateTopic",
                    "cls:DeleteConfig",
                    "cls:DeleteConfigFromMachineGroup",
                    "cls:DeleteLogset",
                    "cls:DeleteMachineGroup",
                    "cls:DeleteTopic",
                    "cls:DescribeConfigMachineGroups",
                    "cls:DescribeConfigs",
                    "cls:DescribeLogsets",
                    "cls:DescribeMachineGroupConfigs",
                    "cls:DescribeMachineGroups",
                    "cls:DescribeTopics",
                    "cls:ModifyConfig",
                    "cls:ModifyIndex",
                    "cls:ModifyMachineGroup",
                    "cls:ModifyTopic"
                ],
                "resource": [
                    "*"
                ]
            }
        ]
    }
    

    TKE_QCSLinkedRoleInEtcdService

    Use Cases: The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
    Authorization Polices

    • Policy Name: QcloudAccessForTKELinkedRoleInEtcdService
    • Policy Information:
    {
        "version": "2.0",
        "statement": [
            {
                "effect": "allow",
                "resource": [
                    "*"
                ],
                "action": [
                    "cos:DeleteBucket",
                    "cos:GetBucket",
                    "cos:PutBucket",
                    "cos:HeadBucket",
                    "cos:GetObject",
                    "cos:HeadObject",
                    "cos:PutObject",
                    "cos:DeleteObject",
                    "cos:DeleteMultipleObjects",
                    "cos:ListMultipartUploads",
                    "cos:AbortMultipartUpload"
                ]
            }
        ]
    }
    

    TKE_QCSLinkedRoleInEKSCostMaster

    Use Cases: The current role is the TKE service linked role, which will access your other service resources within the scope of the permissions of the associated policy.
    Authorization Polices

    • Policy Name: QcloudAccessForTKELinkedRoleInEKSCostMaster
    • Policy Information:
    {
        "version": "2.0",
        "statement": [
            {
                "action": [
                    "monitor:DescribeMidDimensionValueList",
                    "monitor:DescribeStatisticData",
                    "monitor:GetMonitorData"
                ],
                "resource": "*",
                "effect": "allow"
            }
        ]
    }
    

    TKE_QCSLinkedRoleInPrometheusService

    Use Cases: The current role is the TKE service role, which will access your other service resources within the scope of the permissions of the associated policy.
    Authorization Polices

    • Policy Name: QcloudAccessForTKELinkedRoleInPrometheusService
    • Policy Information:
    {
        "statement": [
            {
                "action": [
                    "cos:DeleteBucket",
                    "cos:GetBucket",
                    "cos:PutBucket",
                    "cos:HeadBucket",
                    "cos:GetObject",
                    "cos:HeadObject",
                    "cos:PutObject",
                    "cos:DeleteObject",
                    "cos:DeleteMultipleObjects",
                    "cos:ListMultipartUploads",
                    "cos:AbortMultipartUpload",
                    "cos:AbortMultipartUpload",
                    "cos:ListMultipartUploads",
                    "monitor:DescribePrometheusInstances",
                    "monitor:DescribeRecordingRules",
                    "monitor:DescribeAlertRules",
                    "monitor:DescribeAlarmNotice",
                    "monitor:DescribeAlarmNotices",
                    "monitor:DescribeAlarmNoticeCallbacks",
                    "monitor:DescribeAlarmHistories",
                    "monitor:CreatePrometheusMultiTenantInstance",
                    "monitor:TerminatePrometheusInstances",
                    "monitor:ModifyPrometheusInstanceAttributes",
                    "monitor:CreateRecordingRule",
                    "monitor:DeleteRecordingRules",
                    "monitor:UpdateRecordingRule",
                    "monitor:CreateAlertRule",
                    "monitor:DeleteAlertRules",
                    "monitor:UpdateAlertRule",
                    "monitor:UpdateAlertRuleState",
                    "monitor:CreateAlarmNotice",
                    "monitor:DeleteAlarmNotices",
                    "monitor:ModifyAlarmNotice",
                    "monitor:ModifyAlarmPolicyNotice",
                    "monitor:CreateManagedEKSAgent",
                    "monitor:DescribeManagedEKSAgent",
                    "monitor:CreateAlertRuleReceiverNotRequired",
                    "monitor:UpdateAlertRuleReceiverNotRequired",
                    "monitor:DescribeExporterIntegrations",
                    "monitor:CreateExporterIntegration",
                    "monitor:UpdateExporterIntegration",
                    "monitor:DeleteExporterIntegration",
                    "monitor:CreateGrafanaInstance",
                    "monitor:CreatePrometheusMultiTenantInstancePostPayMode",
                    "monitor:BindPrometheusManagedGrafana",
                    "monitor:DescribeGrafanaInstances",
                    "tdcc:DescribeExternalClusters",
                    "tdcc:DescribeExternalClusterCredential",
                    "monitor:UpgradeGrafanaDashboard",
                    "monitor:UninstallGrafanaDashboard",
                    "monitor:DescribePrometheusAlertGroups",
                    "monitor:CreatePrometheusAlertGroup",
                    "monitor:UpdatePrometheusAlertGroup",
                    "monitor:DeletePrometheusAlertGroups",
                    "monitor:UpdatePrometheusAlertGroupState",
                    "tke:DescribeTKEEdgeExternalKubeconfig",
                    "tke:DescribeTKEEdgeClusterCredential",
                    "tke:DescribeTKEEdgeClusters",
                    "tke:DescribeClusters",
                    "tke:DescribeClusterSecurity"
                ],
                "effect": "allow",
                "resource": [
                    "*"
                ]
            }
        ],
        "version": "2.0"
    }
    
    Contact Us

    Contact our sales team or business advisors to help your business.

    Technical Support

    Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

    7x24 Phone Support