Tencent Kubernetes Engine (TKE) implements the following features based on x509 certificates:
Each sub-account has a unique client certificate used for accessing Kubernetes API servers.
In the new authorization method adopted by TKE, when a sub-account obtains the credentials for accessing a cluster (by opening the basic information page of the cluster or by calling the Tencent API DescribeClusterKubeconfig), it receives its own unique x509 client certificate, issued by the self-signed CA of that cluster.
When a sub-account accesses Kubernetes resources in the console, the backend uses the client certificate of the sub-account to access the user's Kubernetes API server by default.
A sub-account can update its unique client certificate to prevent disclosure of the credentials.
A root account or an account that has the tke:admin permission for a cluster can view and update the certificates of other sub-accounts.
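The following Go program is an added example and is not TKE's own code. It models, locally and offline, the arrangement described above: a self-signed CA per cluster, one client certificate per sub-account whose subject carries the account identity, and an "update" that replaces the certificate with a new one. The useful part for an operator is inspectClientCert, which takes the two PEM blobs found (base64-encoded) in a kubeconfig, client-certificate-data and certificate-authority-data, and reports the identity the API server will see, a fingerprint that changes whenever the credential is updated, and the expiry, after checking that the certificate really chains to that cluster's CA. The cluster name cls-example-ca, the CA name cls-other-ca and the sub-account ID 100000000001 are constructed values; TKE's real CA key never leaves the service, so the issuing side here exists only to make the example self-contained.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// clusterCA stands in for TKE's per-cluster self-signed CA; it is constructed locally for this example.
type clusterCA struct {
	cert   *x509.Certificate
	key    ed25519.PrivateKey
	serial int64  // last issued serial; a CA must never reuse one
	PEM    []byte // the CA certificate as found (base64-decoded) in certificate-authority-data
}

// signCert generates a key pair and signs tmpl with parent (self-signed when parent is nil).
func signCert(tmpl, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// newClusterCA creates a throwaway CA named after the cluster.
func newClusterCA(name string) (*clusterCA, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	cert, key, err := signCert(tmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	caPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw})
	return &clusterCA{cert: cert, key: key, serial: 1, PEM: caPEM}, nil
}

// issueClientCert issues a PEM client certificate whose subject CN is the sub-account identity. Each
// call uses a fresh key and serial, so an updated credential is a different certificate from the old one.
func (ca *clusterCA) issueClientCert(subAccount string) ([]byte, error) {
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial), Subject: pkix.Name{CommonName: subAccount},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, _, err := signCert(tmpl, ca.cert, ca.key) // the client key (client-key-data) is not needed here
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}), nil
}

// ClientCertInfo is what an operator wants to know about the credential in a kubeconfig.
type ClientCertInfo struct {
	Identity    string    // subject CN: the account the API server will see
	Fingerprint string    // SHA-256 of the DER; changes whenever the credential is updated
	NotAfter    time.Time // expiry
}

// inspectClientCert parses a PEM client certificate (decoded client-certificate-data) and verifies
// that it chains to the given cluster CA (decoded certificate-authority-data) for client auth.
func inspectClientCert(clientPEM, caPEM []byte) (ClientCertInfo, error) {
	block, _ := pem.Decode(clientPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return ClientCertInfo{}, fmt.Errorf("no CERTIFICATE block in client PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return ClientCertInfo{}, err
	}
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) {
		return ClientCertInfo{}, fmt.Errorf("cluster CA PEM did not parse")
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return ClientCertInfo{}, fmt.Errorf("not issued by this cluster's CA: %w", err)
	}
	return ClientCertInfo{Identity: cert.Subject.CommonName,
		Fingerprint: fmt.Sprintf("%x", sha256.Sum256(cert.Raw)), NotAfter: cert.NotAfter}, nil
}
```

With a real kubeconfig you would base64-decode the client-certificate-data of the user entry and the certificate-authority-data of the cluster entry and pass those two byte slices to inspectClientCert; recording the fingerprint before and after clicking Update is a simple way to confirm that the credential in circulation is the new one. The page does not state what happens to the superseded certificate on the server side, so this example only tells the two apart and does not assume the old one is revoked.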
Instructions
1. Log in to the TKE console and click Cluster in the left sidebar.
2. On the Cluster Management page, click the ID of the target cluster.
3. On the cluster details page, select Basic Information in the left sidebar, and click Kubeconfig Permission Management in the "Cluster API Server Information" section.
4. In the displayed "Kubeconfig Permission Management" window, select the required authentication accounts and click Update as needed, as shown in the following figure.