Managing Ncloud Kubernetes Service Permissions

    Available in VPC

    By using Sub Account, NAVER Cloud Platform's account management service, you can set various access permissions for Ncloud Kubernetes Service. Sub Account provides System Managed policies and User Created policies for setting management and administration permissions.

    Note

    Sub Account is a service provided free of charge upon subscription request. For more details about Sub Account, see the Services > Management & Governance > Sub Account menu and the Sub Account User Guide in the NAVER Cloud Platform portal.

    System Managed policies

    System Managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. Once System Managed policies are granted to a sub account created in Sub Account, that sub account can use Ncloud Kubernetes Service. The following is a brief description of the managed policies of Ncloud Kubernetes Service.

    | Policy name | Policy description |
    |---|---|
    | NCP_ADMINISTRATOR | Permission to access the portal and console in NAVER Cloud Platform in the same manner as main accounts |
    | NCP_INFRA_MANAGER | Permission to use all services in NAVER Cloud Platform and access My Page > Manage notifications in the portal |
    | NCP_VPC_KUBERNETES_SERVICE_MANAGER | Permission to use all features of VPC-based Ncloud Kubernetes Service (including Server (MANAGER), NAS (MANAGER), and Load Balancer (MANAGER) permissions) |
    | NCP_VPC_KUBERNETES_SERVICE_VIEWER | Permission to only use View List and View features of VPC-based Ncloud Kubernetes Service (including Server (VIEWER), Load Balancer (VIEWER), and NAS (MANAGER) permissions) |

    User Created policies

    User Created policies are policies that users may create. Once User Created policies are granted to a sub account created in Sub Account, that sub account can only use the user-assigned action combinations. The following is a brief description of the User Created policies of Ncloud Kubernetes Service.

    Actions related to cluster

    | Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
    |---|---|---|---|---|---|
    | View | View/getClusterList | View/getWorkerNodeList, View/getVPCList, View/getSubnetList | - | - | View Kubernetes Cluster list |
    | View | View/getClusterDetail | View/getClusterList | - | - | View the detailed status of Kubernetes Cluster |
    | View | View/downloadClusterKubeConfig | View/getClusterList, View/getClusterDetail | - | - | Download Kubeconfig settings |
    | View | View/getIpAcl | View/getClusterDetail | - | - | View IP ACL settings of control plane |
    | View | View/getOidc | - | - | - | View OIDC settings |
    | Change | Change/createCluster | View/getClusterList, View/getVPCList, View/getVPCDetail, View/getSubnetList, View/getSubnetDetail, View/getLogInKeyList, Change/createLoginKey | - | - | Create Kubernetes Cluster |
    | Change | Change/deleteCluster | View/getClusterDetail | - | - | Delete Kubernetes Cluster |
    | Change | Change/resetClusterKubeConfig | View/getClusterDetail | - | - | Reset Kubeconfig settings |
    | Change | Change/setInitscript | View/getClusterDetail | - | - | Change Initscript settings of Kubernetes Cluster |
    | Change | Change/setPodSecurityPolicy | View/getClusterDetail | - | - | Change pod security policy settings of Kubernetes Cluster |
    | Change | Change/setAuditLog | View/getClusterDetail | - | - | Change audit log settings of Kubernetes Cluster |
    | Change | Change/setIpAcl | View/getClusterDetail, View/getIpAcl | - | - | Change IP ACL settings of control plane |
    | Change | Change/upgradeCluster | View/getClusterDetail, View/getNodePoolDetail, View/getWorkerNodeDetail | - | - | Upgrade Kubernetes Cluster |
    | Change | Change/setOidc | View/getOidc | - | - | Change OIDC configuration |
    | Change | Change/setSubnet | View/getSubnetList, View/getClusterDetail | - | - | Change Subnet settings |

    Actions related to node pool

    | Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
    |---|---|---|---|---|---|
    | View | View/getNodePoolList | View/getClusterList | - | - | View node pool list of Kubernetes Cluster |
    | View | View/getNodePoolDetail | View/getClusterList, View/getClusterDetail | - | - | View node pool information of Kubernetes Cluster |
    | Change | Change/createNodePool | View/getClusterDetail, View/getNodePoolDetail | - | - | Add node pool of Kubernetes Cluster |
    | Change | Change/setNodePool | View/getClusterDetail, View/getNodePoolDetail | - | - | Change node pool of Kubernetes Cluster |
    | Change | Change/deleteNodePool | View/getClusterDetail, View/getNodePoolDetail | - | - | Delete node pool of Kubernetes Cluster |

    Node-related actions

    | Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
    |---|---|---|---|---|---|
    | View | View/getWorkerNodeList | View/getClusterList, View/getNodePoolList, View/getServerInstancesList | - | - | View the list of a Kubernetes cluster's worker nodes |
    | View | View/getWorkerNodeDetail | View/getClusterList, View/getServerInstancesList | - | - | View detailed status of Kubernetes Cluster's node pool |
    | Change | Change/deleteWorkerNode | View/getClusterDetail, View/getNodePoolDetail, View/getWorkerNodeDetail | - | - | Delete Kubernetes Cluster's worker node |

    Server-related actions

    | Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
    |---|---|---|---|---|---|
    | View | View/getServerInstancesList | - | - | - | View list of server instances (VM) |

    Actions related to login key

    | Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
    |---|---|---|---|---|---|
    | View | View/getLogInKeyList | - | - | - | View authentication key list |
    | Change | Change/createLoginKey | - | - | - | Create a new authentication key |

    VPC-related actions

    | Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
    |---|---|---|---|---|---|
    | View | View/getVPCList | - | - | - | View VPC list |
    | View | View/getVPCDetail | View/getVPCList | VPC:VPC | - | View VPC details |
    | View | View/getSubnetList | - | - | - | View subnet list |
    | View | View/getSubnetDetail | View/getSubnetList | VPC:Subnet | - | View subnet details |

    Actions related to Velero

    | Service | Classification | Action name | Related action(s) | Resource type | Groups per resource type | Action description |
    |---|---|---|---|---|---|---|
    | Server(VPC) | View | View/getServerInstanceList | View/getPlacementGroupList | - | Server | View list of server instances (VM) |
    | Server(VPC) | View | View/getBlockStorageInstanceDetail | View/getBlockStorageInstanceList | Storage | Storage | View details of additional server storage |
    | Server(VPC) | Change | Change/createBlockStorageInstance | View/getBlockStorageSnapshotInstanceList, View/getServerInstanceList, View/getServerInstanceDetail, View/getBlockStorageInstanceDetail, View/getBlockStorageInstanceList | - | Storage | Create block storage instances |
    | Server(VPC) | Change | Change/createBlockStorageSnapshotInstance | View/getBlockStorageInstanceDetail, View/getBlockStorageInstanceList | Storage | Storage | Create snapshot of additional server storage |
    | Server(VPC) | Change | Change/createBlockStorageWithSnapshot | View/getBlockStorageSnapshotInstanceList, View/getServerInstanceList, View/getServerInstanceDetail, View/getBlockStorageSnapshotInstanceDetail | Snapshot | Snapshot | Create block storage with snapshot |
    | Server(VPC) | Change | Change/deleteBlockStorageSnapshotInstance | View/getBlockStorageSnapshotInstanceList, View/getBlockStorageSnapshotInstanceDetail | Snapshot | Snapshot | Delete snapshot |
    | Object Storage | View | View/getBucketList | - | - | Bucket | View bucket list |
    | Object Storage | View | View/getObjectList | View/getBucketList | Bucket | Bucket | Get the list of files in the bucket and view bucket details |
    | Object Storage | Change | Change/writeObject | View/getBucketList, View/getObjectList | Bucket | Bucket | Create and modify bucket object |

    Caution

    Even when you are granted permission for a specific action, if you are not also granted permissions for the related actions that are required, then you won't be able to perform jobs properly. To prevent such issues, Sub Account provides a feature that automatically grants permissions for related actions when granting action permissions. However, if you deselect related actions that are automatically granted, then the system determines that it was done intentionally by the main account user and does not forcibly include them. Thus, be careful when setting permissions.
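
    The dependency problem described in the caution can be checked before a User Created policy is assigned. The following is an added example, not NAVER Cloud Platform code: it audits a list of granted actions against the related actions listed in the tables on this page. The function names, the sample policy, and the choice to follow related actions transitively are assumptions made for illustration.

```python
# Related-action map transcribed from the cluster, node pool and node tables
# on this page (a subset; extend it with the remaining rows as needed).
RELATED = {
    "View/getClusterList": ["View/getWorkerNodeList", "View/getVPCList", "View/getSubnetList"],
    "View/getClusterDetail": ["View/getClusterList"],
    "View/downloadClusterKubeConfig": ["View/getClusterList", "View/getClusterDetail"],
    "View/getNodePoolList": ["View/getClusterList"],
    "View/getNodePoolDetail": ["View/getClusterList", "View/getClusterDetail"],
    "View/getWorkerNodeList": ["View/getClusterList", "View/getNodePoolList", "View/getServerInstancesList"],
    "View/getWorkerNodeDetail": ["View/getClusterList", "View/getServerInstancesList"],
    "Change/upgradeCluster": ["View/getClusterDetail", "View/getNodePoolDetail", "View/getWorkerNodeDetail"],
}


def required_closure(action, related=RELATED):
    """Return `action` plus everything reachable through related actions."""
    seen, stack = set(), [action]
    while stack:
        current = stack.pop()
        if current in seen:  # the tables contain cycles, so track visits
            continue
        seen.add(current)
        stack.extend(related.get(current, []))
    return seen


def audit_policy(granted, related=RELATED):
    """Map each granted action to the related actions the policy lacks.

    Assumption: related actions are needed transitively; the page lists only
    the direct ones.
    """
    granted = set(granted)
    findings = {}
    for action in sorted(granted):
        missing = required_closure(action, related) - granted
        if missing:
            findings[action] = sorted(missing)
    return findings


# Constructed sample policy in which related actions were partly deselected.
POLICY = ["Change/upgradeCluster", "View/getClusterDetail", "View/getClusterList"]

if __name__ == "__main__":
    for action, missing in audit_policy(POLICY).items():
        print(f"{action}: missing {', '.join(missing)}")
```

    An empty result means every granted action has its related actions in the same policy; any other result lists what was deselected or never added.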

