This document describes how to configure custom policies in Tencent Kubernetes Engine (TKE) and grant sub-accounts specific permissions. Reference this document to create custom policies that best fit your business requirements.
Policy Syntax Description
The policy syntax structure is shown below:


action: the API operation (for example tke:CreateCluster) that the statement allows or denies.
resource: the resource on which the listed actions may be performed; actions that support resource-level control can be restricted to specific clusters or instances, while API-level actions apply to the whole service.
Note
You can write the policy JSON yourself, or create a custom policy with the policy generator in CAM. The tables below list, for each TKE feature, the actions a custom policy must contain.
Configuring TKE API Permissions
This section lists, for the cluster and node modules, each feature and its sub-features, the Tencent Cloud API it calls, the APIs it calls indirectly, the level at which permissions are controlled (API level or resource level), and the Action field to put in the policy.
Cluster modules
The following table describes the mappings between features and APIs.
| Feature | Sub-features included | Corresponding TencentCloud APIs | Indirect API Invocation | Resource-level Permission Control | Action Field |
|---|---|---|---|---|---|
| Creating an empty cluster | Kubernetes version selection; runtime component selection; VPC network selection; container network configuration; custom image selection; IPVS settings | tke:CreateCluster | cam:GetRole, account:DescribeUserData, account:DescribeWhiteList, tag:GetTagKeys, cvm:GetVmConfigQuota, vpc:DescribeVpcEx, cvm:DescribeImages | CreateCluster is controlled at the API level. Obtaining the VPC list requires VPC resource permissions. | "tke:CreateCluster", "cam:GetRole", "tag:GetTagKeys", "cvm:GetVmConfigQuota", "vpc:DescribeVpcEx", "cvm:DescribeImages" |
| Using an existing CVM to create a managed cluster | Everything in "Creating an empty cluster"; using an existing CVM as a node; attaching a security group; mounting a data disk; enabling auto-scaling | tke:CreateCluster | cvm:DescribeInstances, vpc:DescribeSubnetEx, cvm:DescribeSecurityGroups, vpc:DescribeVpcEx, cvm:DescribeImages, cvm:ResetInstance, cvm:DescribeKeyPairs | CreateCluster is controlled at the API level. Obtaining the CVM list requires CVM resource permissions. | "tke:CreateCluster", "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs" |
| Using an existing CVM to create a self-deployed cluster | Everything in "Creating an empty cluster"; using an existing CVM as a node; using an existing CVM as Master&ETCD; attaching a security group; mounting a data disk; enabling auto-scaling | tke:CreateCluster | cvm:DescribeInstances, vpc:DescribeSubnetEx, cvm:DescribeSecurityGroups, vpc:DescribeVpcEx, cvm:DescribeImages, cvm:ResetInstance, cvm:DescribeKeyPairs | CreateCluster is controlled at the API level. Obtaining the VPC list requires VPC resource permissions; obtaining the CVM list requires CVM resource permissions. | "tke:CreateCluster", "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs" |
| Automatically creating a CVM to create a managed cluster | Everything in "Creating an empty cluster"; purchasing a CVM as a node; attaching a security group; mounting a data disk; enabling auto-scaling | tke:CreateCluster | cvm:DescribeSecurityGroups, cvm:DescribeKeyPairs, cvm:RunInstances, vpc:DescribeSubnetEx, vpc:DescribeVpcEx, cvm:DescribeImages | CreateCluster is controlled at the API level. Obtaining the VPC list requires VPC resource permissions. | "cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:CreateCluster" |
| Automatically creating a CVM to create a self-deployed cluster | Everything in "Creating an empty cluster"; purchasing a CVM as a node; purchasing a CVM as Master&ETCD; attaching a security group; mounting a data disk; enabling auto-scaling | tke:CreateCluster | cvm:DescribeSecurityGroups, cvm:DescribeKeyPairs, cvm:RunInstances, vpc:DescribeSubnetEx, vpc:DescribeVpcEx, cvm:DescribeImages | CreateCluster is controlled at the API level. Obtaining the VPC list requires VPC resource permissions. | "cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:CreateCluster" |
| Querying a cluster list | - | tke:DescribeClusters | - | Cluster-level permissions are required to obtain the cluster list. | "tke:DescribeClusters" |
| Displaying cluster credentials | - | tke:DescribeClusterSecurity | - | Cluster-level permissions are required to display cluster credentials. | "tke:DescribeClusterSecurity" |
| Enabling/disabling the private network or Internet access URL of a cluster | Creating a public network access port for a managed cluster; creating a cluster access endpoint; modifying the security policy of the public network port of a managed cluster; querying the public network port status of a managed cluster; deleting the public network access port of a managed cluster; deleting a cluster access endpoint | tke:CreateClusterEndpointVip, tke:CreateClusterEndpoint, tke:ModifyClusterEndpointSP, tke:DescribeClusterEndpointVipStatus, tke:DescribeClusterEndpointStatus, tke:DeleteClusterEndpointVip, tke:DeleteClusterEndpoint | - | Cluster-level permissions are required to enable or disable cluster access. | - |
| Deleting a cluster | - | tke:DeleteCluster | tke:DescribeClusterInstances, tke:DescribeInstancesVersion, tke:DescribeClusterStatus | Cluster-level permissions are required to delete a cluster. | "tke:DescribeClusterInstances", "tke:DescribeInstancesVersion", "tke:DescribeClusterStatus", "tke:DeleteCluster" |
Node modules
The following table describes the mappings between features and APIs.
| Feature | Sub-features included | Corresponding TencentCloud APIs | Indirect API Invocation | Resource-level Permission Control | Action Field |
|---|---|---|---|---|---|
| Adding an existing node | Adding an existing node to the cluster; resetting the data disk; configuring a security group | tke:AddExistedInstances | cvm:DescribeInstances, vpc:DescribeSubnetEx, cvm:DescribeSecurityGroups, vpc:DescribeVpcEx, cvm:DescribeImages, cvm:ResetInstance, cvm:DescribeKeyPairs, cvm:ModifyInstancesAttribute, tke:DescribeClusters | Adding an existing node requires resource permissions on the target cluster. Obtaining the CVM list requires CVM resource permissions. | "cvm:DescribeInstances", "vpc:DescribeSubnetEx", "cvm:DescribeSecurityGroups", "vpc:DescribeVpcEx", "cvm:DescribeImages", "cvm:ResetInstance", "cvm:DescribeKeyPairs", "tke:DescribeClusters", "tke:AddExistedInstances" |
| Creating a node | Adding a new node to the cluster; resetting the data disk; configuring a security group | tke:CreateClusterInstances | cvm:DescribeSecurityGroups, cvm:DescribeKeyPairs, cvm:RunInstances, vpc:DescribeSubnetEx, vpc:DescribeVpcEx, cvm:DescribeImages, tke:DescribeClusters | Cluster-level permissions are required to create a node. | "cvm:DescribeSecurityGroups", "cvm:DescribeKeyPairs", "cvm:RunInstances", "vpc:DescribeSubnetEx", "vpc:DescribeVpcEx", "cvm:DescribeImages", "tke:DescribeClusters" |
| Node list | Viewing the cluster node list | tke:DescribeClusterInstances | cvm:DescribeInstances, tke:DescribeClusters | Viewing the node list requires resource permissions on the corresponding cluster. Obtaining the CVM list requires CVM resource permissions. | "cvm:DescribeInstances", "tke:DescribeClusters", "tke:DescribeClusterInstances" |
| Removing a node | - | tke:DeleteClusterInstances | cvm:TerminateInstances, tke:DescribeClusters | Viewing the node list requires resource permissions on the corresponding cluster. Obtaining the CVM list requires CVM resource permissions. Deleting a node additionally requires the corresponding node termination permission. | "cvm:TerminateInstances", "tke:DescribeClusters", "tke:DeleteClusterInstances" |
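The following script is an added example, not code from the Tencent Cloud documentation. It transcribes a few Action Field rows from the two tables, builds a CAM policy that grants only those actions, scopes the tke: actions to named clusters, and audits a policy for wildcard or destructive grants on `*`. The cluster resource string is an assumed placeholder format; the feature names and the sample region, UIN and cluster ID are constructed for the example.

```python
"""Build and audit least-privilege CAM policies for TKE sub-accounts (added example)."""
import json

# Feature -> required actions, transcribed from the "Action Field" column above.
FEATURE_ACTIONS = {
    "query_cluster_list": ["tke:DescribeClusters"],
    "display_cluster_credentials": ["tke:DescribeClusterSecurity"],
    "node_list": ["cvm:DescribeInstances", "tke:DescribeClusters",
                  "tke:DescribeClusterInstances"],
    "delete_cluster": ["tke:DescribeClusterInstances", "tke:DescribeInstancesVersion",
                       "tke:DescribeClusterStatus", "tke:DeleteCluster"],
}
# Actions from the tables that destroy resources; granting them on "*" is flagged.
DESTRUCTIVE = {"tke:DeleteCluster", "tke:DeleteClusterInstances", "cvm:TerminateInstances"}
# Assumed placeholder for a TKE cluster resource description (not taken from this
# page); substitute the exact format documented for your account and region.
CLUSTER_RESOURCE = "qcs::tke:{region}:uin/{uin}:cluster/{cluster_id}"


def build_policy(features, region, uin, cluster_ids):
    """Return a CAM policy dict containing exactly the actions the tables list.

    tke: actions are scoped to the named clusters (cluster-level control).
    Actions of other services (cvm:, vpc:) go in a second statement on "*"
    because the tables say they need that service's own resource permissions;
    narrow that statement to specific CVM/VPC resources in production.
    """
    actions = sorted({a for f in features for a in FEATURE_ACTIONS[f]})
    tke = [a for a in actions if a.startswith("tke:")]
    other = [a for a in actions if not a.startswith("tke:")]
    statements = []
    if tke:
        resources = [CLUSTER_RESOURCE.format(region=region, uin=uin, cluster_id=c)
                     for c in cluster_ids]
        statements.append({"effect": "allow", "action": tke, "resource": resources})
    if other:
        statements.append({"effect": "allow", "action": other, "resource": ["*"]})
    return {"version": "2.0", "statement": statements}


def audit_policy(policy):
    """Flag allow statements with wildcard actions or destructive actions on '*'."""
    findings = []
    for i, st in enumerate(policy["statement"]):
        if st.get("effect") != "allow":
            continue
        acts = st["action"] if isinstance(st["action"], list) else [st["action"]]
        res = st["resource"] if isinstance(st["resource"], list) else [st["resource"]]
        if any(a == "*" or a.endswith(":*") for a in acts):
            findings.append(f"statement {i}: wildcard action {acts}")
        if "*" in res and DESTRUCTIVE & set(acts):
            findings.append(f"statement {i}: destructive action on all resources")
    return findings
```

`json.dumps(build_policy(...), indent=2)` produces the text to paste into the CAM custom policy editor.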