Tencent Container Registry (TCR) provides two modes of access permission management for Enterprise Edition instances. An instance administrator can allocate independent access credentials to the instance's development and Ops personnel and to internal automated systems such as continuous integration (CI)/continuous deployment (CD) pipelines, and can implement fine-grained user permission management to keep instance data secure.
Scenarios
Personnel Permission Control
A purchased Enterprise Edition instance is usually shared by multiple teams covering various roles, such as R&D, Ops, and testing. While normal business requirements must be met, each team and role should be granted the minimum permissions it needs, to avoid data security issues such as accidental deletion or leakage of images.
Each designated person needs an independent account for identity authentication and independently configured permissions for operation authorization. When image repositories are used, the access credentials (username + password) used to log in to the repositories (docker login) need to be allocated to the designated person, and the account's permissions need to be configured, for example, permission only to push images to or pull images from repository A, or permission only to pull images from repository B.
Meanwhile, enterprises need to assign personnel to audit image repository operations and trace abnormal operations.
System Permission Control
The production and deployment of container images also involve automated systems, such as CI/CD pipelines. In automation scenarios, using the account of a designated person can have severe consequences. For example, if an Ops person's access credential is configured in the release system so that cluster nodes can pull images, that credential becomes invalid as soon as the person's account is accidentally deleted or the person is transferred or leaves, causing release failures. Therefore, in these scenarios, access credentials that are not tied to any designated person should be used, and their account permissions should be managed independently.
Product Feature
For the above two typical scenarios, the product provides two access permission management features: user-level account and service-level account. You can use them in combination to meet the requirements for internal permission management.
User-Level Accounts
User-level accounts are directly associated with Tencent Cloud accounts, and account permissions are managed based on Cloud Access Management (CAM). To grant permissions to a specified person within the enterprise, you need to create a dedicated sub-account for the person under the Tencent Cloud root account and associate the sub-account with the permission policy in CAM. For details, see Managing Sub-account Permissions Based on CAM. The user can use the sub-account to log in to the product console and go to the Access Credential–User-Level Account feature page to create an exclusive access credential. This credential is associated with the sub-account and can only be viewed and managed by the sub-account. The user can use this credential to log in to image repositories and push and pull images. Actual operations are controlled by the associated policy.
Note:
When a sub-account is disabled or deleted, the associated access credential becomes invalid. Therefore, it is not advisable to configure access credentials associated with a sub-account in automated systems.
Service-Level Accounts
Service-level accounts are not directly associated with Tencent Cloud accounts and belong to resources within instances. Their permission management is independent of CAM. To configure access credentials for automatically pushing or pulling images for automated systems such as CI/CD pipelines and Kubernetes clusters, you can create a service-level account within an instance and configure the namespaces that can be accessed by using the access credentials.
Note:
Because a service-level account is a resource within an instance, every sub-account that holds API permissions for the service-level account feature can view and manage the service-level account. Meanwhile, because a service-level account's permissions are independent of the CAM permission system, there is a risk of unauthorized access. Strictly control the authorization scope of the relevant APIs.