Managing Ncloud Kubernetes Service Permissions
Available in VPC
By using Sub Account, NAVER Cloud Platform's account management service, you can set various access permissions for Ncloud Kubernetes Service. Sub Account provides System Managed policies and User Created policies for setting management and administration permissions.
Sub Account is a service provided free of charge upon subscription request. For more details about Sub Account, see the Services > Management & Governance > Sub Account menu and the Sub Account User Guide in the NAVER Cloud Platform portal.
System Managed policies
System Managed policies are role-based policies defined by NAVER Cloud Platform for user convenience. Once System Managed policies are granted to a sub account created in Sub Account, that sub account can use Ncloud Kubernetes Service. The following is a brief description of the managed policies of Ncloud Kubernetes Service.
Policy name | Policy description |
---|---|
NCP_ADMINISTRATOR | Permission to access the portal and console in NAVER Cloud Platform in the same manner as main accounts |
NCP_INFRA_MANAGER | Permission to use all services in NAVER Cloud Platform and access My Page > Manage notifications in the portal |
NCP_VPC_KUBERNETES_SERVICE_MANAGER | Permission to use all features of VPC-based Ncloud Kubernetes Service (including Server (MANAGER), NAS (MANAGER), and Load Balancer (MANAGER) permissions) |
NCP_VPC_KUBERNETES_SERVICE_VIEWER | Permission to only use the View List and View features of VPC-based Ncloud Kubernetes Service (including Server (VIEWER), Load Balancer (VIEWER), and NAS (MANAGER) permissions) |
User Created policies
User Created policies are policies that users may create. Once User Created policies are granted to a sub account created in Sub Account, that sub account can only use the user-assigned action combinations. The following is a brief description of the User Created policies of Ncloud Kubernetes Service.
Actions related to cluster
Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
View | View/getClusterList | View/getWorkerNodeList View/getVPCList View/getSubnetList | - | - | View Kubernetes Cluster list |
View | View/getClusterDetail | View/getClusterList | - | - | View the detailed status of Kubernetes Cluster |
View | View/downloadClusterKubeConfig | View/getClusterList View/getClusterDetail | - | - | Download Kubeconfig settings |
View | View/getIpAcl | View/getClusterDetail | - | - | View IP ACL settings of control plane |
View | View/getOidc | - | - | - | View OIDC settings |
Change | Change/createCluster | View/getClusterList View/getVPCList View/getVPCDetail View/getSubnetList View/getSubnetDetail View/getLogInKeyList Change/createLoginKey | - | - | Create Kubernetes Cluster |
Change | Change/deleteCluster | View/getClusterDetail | - | - | Delete Kubernetes Cluster |
Change | Change/resetClusterKubeConfig | View/getClusterDetail | - | - | Reset Kubeconfig settings |
Change | Change/setInitscript | View/getClusterDetail | - | - | Change Initscript settings of Kubernetes Cluster |
Change | Change/setPodSecurityPolicy | View/getClusterDetail | - | - | Change pod security policy settings of Kubernetes Cluster |
Change | Change/setAuditLog | View/getClusterDetail | - | - | Change audit log settings of Kubernetes Cluster |
Change | Change/setIpAcl | View/getClusterDetail View/getIpAcl | - | - | Change IP ACL settings of control plane |
Change | Change/upgradeCluster | View/getClusterDetail View/getNodePoolDetail View/getWorkerNodeDetail | - | - | Upgrade Kubernetes Cluster |
Change | Change/setOidc | View/getOidc | - | - | Change OIDC configuration |
Change | Change/setSubnet | View/getSubnetList View/getClusterDetail | - | - | Change Subnet settings |
Actions related to node pool
Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
View | View/getNodePoolList | View/getClusterList | - | - | View node pool list of Kubernetes Cluster |
View | View/getNodePoolDetail | View/getClusterList View/getClusterDetail | - | - | View node pool information of Kubernetes Cluster |
Change | Change/createNodePool | View/getClusterDetail View/getNodePoolDetail | - | - | Add node pool of Kubernetes Cluster |
Change | Change/setNodePool | View/getClusterDetail View/getNodePoolDetail | - | - | Change node pool of Kubernetes Cluster |
Change | Change/deleteNodePool | View/getClusterDetail View/getNodePoolDetail | - | - | Delete node pool of Kubernetes Cluster |
Node-related actions
Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
View | View/getWorkerNodeList | View/getClusterList View/getNodePoolList View/getServerInstancesList | - | - | View the list of a Kubernetes cluster's worker nodes |
View | View/getWorkerNodeDetail | View/getClusterList View/getServerInstancesList | - | - | View detailed status of Kubernetes Cluster's node pool |
Change | Change/deleteWorkerNode | View/getClusterDetail View/getNodePoolDetail View/getWorkerNodeDetail | - | - | Delete Kubernetes Cluster's worker node |
Server-related actions
Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
View | View/getServerInstancesList | - | - | - | View list of server instances (VM) |
Actions related to login key
Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
View | View/getLogInKeyList | - | - | - | View authentication key list |
Change | Change/createLoginKey | - | - | - | Create a new authentication key |
VPC-related actions
Classification | Action name | Related action(s) | Resource type | Group by resource type | Action description |
---|---|---|---|---|---|
View | View/getVPCList | - | - | - | View VPC list |
View | View/getVPCDetail | View/getVPCList | VPC:VPC | - | View VPC details |
View | View/getSubnetList | - | - | - | View subnet list |
View | View/getSubnetDetail | View/getSubnetList | VPC:Subnet | - | View subnet details |
Actions related to Velero
Service | Classification | Action name | Related action(s) | Resource type | Groups per resource type | Action description |
---|---|---|---|---|---|---|
Server(VPC) | View | View/getServerInstanceList | View/getPlacementGroupList | - | Server | View list of server instances (VM) |
Server(VPC) | View | View/getBlockStorageInstanceDetail | View/getBlockStorageInstanceList | Storage | Storage | View details of additional server storage |
Server(VPC) | Change | Change/createBlockStorageInstance | View/getBlockStorageSnapshotInstanceList View/getServerInstanceList View/getServerInstanceDetail View/getBlockStorageInstanceDetail View/getBlockStorageInstanceList | - | Storage | Create block storage instances |
Server(VPC) | Change | Change/createBlockStorageSnapshotInstance | View/getBlockStorageInstanceDetail View/getBlockStorageInstanceList | Storage | Storage | Create snapshot of additional server storage |
Server(VPC) | Change | Change/createBlockStorageWithSnapshot | View/getBlockStorageSnapshotInstanceList View/getServerInstanceList View/getServerInstanceDetail View/getBlockStorageSnapshotInstanceDetail | Snapshot | Snapshot | Create block storage with snapshot |
Server(VPC) | Change | Change/deleteBlockStorageSnapshotInstance | View/getBlockStorageSnapshotInstanceList View/getBlockStorageSnapshotInstanceDetail | Snapshot | Snapshot | Delete snapshot |
Object Storage | View | View/getBucketList | - | - | Bucket | View bucket list |
Object Storage | View | View/getObjectList | View/getBucketList | Bucket | Bucket | Get the list of files in the bucket and view bucket details |
Object Storage | Change | Change/writeObject | View/getBucketList View/getObjectList | Bucket | Bucket | Create and modify bucket object |
Even when you are granted permission for a specific action, if you are not also granted permissions for the related actions that are required, then you won't be able to perform jobs properly. To prevent such issues, Sub Account provides a feature that automatically grants permissions for related actions when granting action permissions. However, if you deselect related actions that are automatically granted, then the system determines that it was done intentionally by the main account user and does not forcibly include them. Thus, be careful when setting permissions.
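The check described above, as an added example (not NAVER Cloud Platform code): it audits the action list of a User Created policy for related actions that were deselected. The dependency map is a subset copied from the tables on this page; following related actions transitively and the sample policy are assumptions of this example.

```python
# Related-action map: a subset copied from the tables on this page
# (cluster, node pool, node and VPC sections; Velero actions omitted).
RELATED = """
View/getClusterList: View/getWorkerNodeList View/getVPCList View/getSubnetList
View/getClusterDetail: View/getClusterList
View/downloadClusterKubeConfig: View/getClusterList View/getClusterDetail
View/getIpAcl: View/getClusterDetail
Change/createCluster: View/getClusterList View/getVPCList View/getVPCDetail View/getSubnetList View/getSubnetDetail View/getLogInKeyList Change/createLoginKey
Change/deleteCluster: View/getClusterDetail
Change/resetClusterKubeConfig: View/getClusterDetail
Change/setIpAcl: View/getClusterDetail View/getIpAcl
Change/upgradeCluster: View/getClusterDetail View/getNodePoolDetail View/getWorkerNodeDetail
Change/setOidc: View/getOidc
View/getNodePoolList: View/getClusterList
View/getNodePoolDetail: View/getClusterList View/getClusterDetail
View/getWorkerNodeList: View/getClusterList View/getNodePoolList View/getServerInstancesList
View/getWorkerNodeDetail: View/getClusterList View/getServerInstancesList
View/getVPCDetail: View/getVPCList
View/getSubnetDetail: View/getSubnetList
"""
DEPS = {}
for line in RELATED.strip().splitlines():
    action, _, deps = line.partition(":")
    DEPS[action] = deps.split()

def required_actions(wanted):
    """Wanted actions plus every related action, followed transitively (assumption)."""
    seen, stack = set(), list(wanted)
    while stack:
        action = stack.pop()
        if action not in seen:  # the tables contain cycles, so track visits
            seen.add(action)
            stack.extend(DEPS.get(action, []))
    return seen

def audit_policy(granted):
    """Map each granted action to the related actions the policy lacks."""
    granted = set(granted)
    gaps = {a: sorted(required_actions([a]) - granted) for a in granted}
    return {a: missing for a, missing in gaps.items() if missing}

# Constructed policy: a kubeconfig-download role where the automatically
# added list actions were deselected.
policy = ["View/downloadClusterKubeConfig", "View/getClusterDetail"]
for action, missing in sorted(audit_policy(policy).items()):
    print(f"{action}: missing {', '.join(missing)}")
```

An empty result from `audit_policy` means every granted action has its related actions in the same policy; passing `required_actions([...])` as the grant list gives the smallest action set that satisfies the map.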