Ncloud Kubernetes Service permissions management


Available in VPC

You can set different access permissions for Ncloud Kubernetes Service using NAVER Cloud Platform's Sub Account service. Sub Account offers both system-managed (System Managed) and user-defined (User Created) policies to help you configure management and operation permissions.

Note

Sub Account is a free service with no additional charges. For more information about Sub Account, see Services > Management & Governance > Sub Account and the Sub Account user guide on the NAVER Cloud Platform portal.

System-managed policies

System-managed policies are pre-built, role-based policies that NAVER Cloud Platform provides for your convenience. When you assign one of these policies to a sub account, that account gets access to Ncloud Kubernetes Service. Here are the available system-managed policies for Ncloud Kubernetes Service:

| Policy name | Policy description |
| ---- | ---- |
| NCP_ADMINISTRATOR | Access to all services with the same scope as your main account |
| NCP_INFRA_MANAGER | Permission to access all services, but only My Account > Billing Information and Expense Management > Billing and Payment Management menu in the console is blocked |
| NCP_FINANCE_MANAGER | Permission to access only My Account > Billing Information and Expense Management > Billing and Payment Management menu in the Cost Explorer service and console |
| NCP_VPC_KUBERNETES_SERVICE_MANAGER | Full access to all features of VPC-based Ncloud Kubernetes Service (including Server (MANAGER), NAS (MANAGER) and Load Balancer (MANAGER) permissions) |
| NCP_VPC_KUBERNETES_SERVICE_VIEWER | View-only access to the View List and View features of VPC-based Ncloud Kubernetes Service (including Server (VIEWER), Load Balancer (VIEWER) and NAS (MANAGER) permissions) |

User-defined policies

User-defined policies let you create custom permissions. When you assign a user-defined policy to a sub account, that account can only perform the specific actions you've allowed. Here are the available user-defined policies for Ncloud Kubernetes Service.

Actions related to cluster

| Type | Action | Related action | Resources type | Group by resources type | Action description |
| ---- | ---- | ---- | ---- | ---- | ---- |
| View | View/getClusterList | View/getWorkerNodeList<br>View/getVPCList<br>View/getSubnetList | - | - | View Kubernetes Cluster list |
| View | View/getClusterDetail | View/getClusterList | - | - | View the detailed status of Kubernetes Cluster |
| View | View/downloadClusterKubeConfig | View/getClusterList<br>View/getClusterDetail | - | - | Download Kubeconfig settings |
| View | View/getIpAcl | View/getClusterDetail | - | - | View IP ACL settings of Control Plane |
| View | View/getOidc | - | - | - | View OIDC settings |
| Change | Change/createCluster | View/getClusterList<br>View/getVPCList<br>View/getVPCDetail<br>View/getSubnetList<br>View/getSubnetDetail<br>View/getLogInKeyList<br>Change/createLoginKey | - | - | Create Kubernetes Cluster |
| Change | Change/deleteCluster | View/getClusterDetail | - | - | Delete Kubernetes Cluster |
| Change | Change/resetClusterKubeConfig | View/getClusterDetail | - | - | Initialize Kubeconfig settings |
| Change | Change/setInitscript | View/getClusterDetail | - | - | Change Initscript settings of Kubernetes Cluster |
| Change | Change/setPodSecurityPolicy | View/getClusterDetail | - | - | Change Pod Security Policy settings of Kubernetes Cluster |
| Change | Change/setAuditLog | View/getClusterDetail | - | - | Change Audit log settings of Kubernetes Cluster |
| Change | Change/setIpAcl | View/getClusterDetail<br>View/getIpAcl | - | - | Change IP ACL settings of Control Plane |
| Change | Change/upgradeCluster | View/getClusterDetail<br>View/getNodePoolDetail<br>View/getWorkerNodeDetail | - | - | Upgrade Kubernetes Cluster |
| Change | Change/setOidc | View/getOidc | - | - | Change OIDC settings |
| Change | Change/setSubnet | View/getSubnetList<br>View/getClusterDetail | - | - | Change Subnet settings |

Actions related to node pools

| Type | Action | Related action | Resources type | Group by resources type | Action description |
| ---- | ---- | ---- | ---- | ---- | ---- |
| View | View/getNodePoolList | View/getClusterList | - | - | View Node pool list of Kubernetes Cluster |
| View | View/getNodePoolDetail | View/getClusterList<br>View/getClusterDetail | - | - | View node pools information of Kubernetes Cluster |
| Change | Change/createNodePool | View/getClusterDetail<br>View/getNodePoolDetail | - | - | Add node pools of Kubernetes Cluster |
| Change | Change/setNodePool | View/getClusterDetail<br>View/getNodePoolDetail | - | - | Change node pools of Kubernetes Cluster |
| Change | Change/deleteNodePool | View/getClusterDetail<br>View/getNodePoolDetail | - | - | Delete node pools of Kubernetes Cluster |

Node-related actions

| Type | Action | Related action | Resources type | Group by resources type | Action description |
| ---- | ---- | ---- | ---- | ---- | ---- |
| View | View/getWorkerNodeList | View/getClusterList<br>View/getNodePoolList<br>View/getServerInstancesList | - | - | View Worker Node list of Kubernetes Cluster |
| View | View/getWorkerNodeDetail | View/getClusterList<br>View/getServerInstancesList | - | - | View detailed status of Kubernetes Cluster's node pools |
| Change | Change/deleteWorkerNode | View/getClusterDetail<br>View/getNodePoolDetail<br>View/getWorkerNodeDetail | - | - | Delete Kubernetes Cluster's worker node |

Server-related actions

| Type | Action | Related action | Resources type | Group by resources type | Action description |
| ---- | ---- | ---- | ---- | ---- | ---- |
| View | View/getServerInstancesList | - | - | - | View list of server instances (VM) |

Actions related to login key

| Type | Action | Related action | Resources type | Group by resources type | Action description |
| ---- | ---- | ---- | ---- | ---- | ---- |
| View | View/getLogInKeyList | - | - | - | View authentication key list |
| Change | Change/createLoginKey | - | - | - | Create a new authentication key |

VPC-related actions

| Type | Action | Related action | Resources type | Group by resources type | Action description |
| ---- | ---- | ---- | ---- | ---- | ---- |
| View | View/getVPCList | - | - | - | View VPC list |
| View | View/getVPCDetail | View/getVPCList | VPC:VPC | - | View VPC details |
| View | View/getSubnetList | - | - | - | View Subnet list |
| View | View/getSubnetDetail | View/getSubnetList | VPC:Subnet | - | View Subnet details |

Actions related to Velero

| Service | Type | Action | Related action | Resources type | Groups by resource type | Action description |
| ---- | ---- | ---- | ---- | ---- | ---- | ---- |
| Server(VPC) | View | View/getServerInstanceList | View/getPlacementGroupList | - | Server | View list of server instances (VM) |
| Server(VPC) | View | View/getBlockStorageInstanceDetail | View/getBlockStorageInstanceList | Storage | Storage | View details of additional server storage |
| Server(VPC) | Change | Change/createBlockStorageInstance | View/getBlockStorageSnapshotInstanceList<br>View/getServerInstanceList<br>View/getServerInstanceDetail<br>View/getBlockStorageInstanceDetail<br>View/getBlockStorageInstanceList | - | Storage | Create block storage instances |
| Server(VPC) | Change | Change/createBlockStorageSnapshotInstance | View/getBlockStorageInstanceDetail<br>View/getBlockStorageInstanceList | Storage | Storage | Create snapshot of additional server storage |
| Server(VPC) | Change | Change/createBlockStorageWithSnapshot | View/getBlockStorageSnapshotInstanceList<br>View/getServerInstanceList<br>View/getServerInstanceDetail<br>View/getBlockStorageSnapshotInstanceDetail | Snapshot | Snapshot | Create block storage with snapshot |
| Server(VPC) | Change | Change/deleteBlockStorageSnapshotInstance | View/getBlockStorageSnapshotInstanceList<br>View/getBlockStorageSnapshotInstanceDetail | Snapshot | Snapshot | Delete snapshot |
| Object Storage | View | View/getBucketList | - | - | Bucket | View bucket list |
| Object Storage | View | View/getObjectList | View/getBucketList | Bucket | Bucket | View a list of files and details in buckets |
| Object Storage | Change | Change/writeObject | View/getBucketList<br>View/getObjectList | Bucket | Bucket | Create and change bucket object |

Caution

If you grant someone access to a specific action but not to the required related actions, they won't be able to complete their tasks. Sub Account automatically includes these related permissions to prevent this issue. However, if you manually uncheck these auto-selected related actions, the system assumes this was intentional and won't override your selection.
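
The check below is an added example, not NAVER Cloud Platform code: it audits a set of actions chosen for a user-defined policy against the related-action links listed in the tables on this page, reporting any related action that was left unselected. The function names are illustrative, the selection is constructed, and following related actions transitively (rather than one level only) is an assumption the page does not state.

```python
# Related-action links transcribed from the cluster, node pool and node tables
# on this page (subset). Actions with no related action map to an empty list.
RELATED = {
    "View/getClusterList": ["View/getWorkerNodeList", "View/getVPCList", "View/getSubnetList"],
    "View/getClusterDetail": ["View/getClusterList"],
    "View/getIpAcl": ["View/getClusterDetail"],
    "Change/setIpAcl": ["View/getClusterDetail", "View/getIpAcl"],
    "View/getNodePoolList": ["View/getClusterList"],
    "View/getWorkerNodeList": ["View/getClusterList", "View/getNodePoolList",
                               "View/getServerInstancesList"],
    "View/getServerInstancesList": [],
    "View/getVPCList": [],
    "View/getSubnetList": [],
}


def required_closure(action):
    """Every action reachable through related-action links, excluding `action`.

    Assumption: related actions are followed transitively. The tables contain
    cycles (getClusterList <-> getWorkerNodeList), so visited nodes are tracked.
    """
    seen, stack = set(), [action]
    while stack:
        for dep in RELATED.get(stack.pop(), []):
            if dep != action and dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def audit(selected, transitive=True):
    """Return {action: [missing related actions]} for a set of selected actions."""
    selected = set(selected)
    gaps = {}
    for action in sorted(selected):
        needed = required_closure(action) if transitive else set(RELATED.get(action, []))
        missing = sorted(needed - selected)
        if missing:
            gaps[action] = missing
    return gaps


if __name__ == "__main__":
    # Constructed selection: the related View/getIpAcl box was unchecked by hand.
    policy = {"Change/setIpAcl", "View/getClusterDetail"}
    for action, missing in audit(policy, transitive=False).items():
        print(f"{action}: missing {', '.join(missing)}")
    print(sorted(required_closure("Change/setIpAcl")))
```

The transitive view also shows a reviewer how many view permissions a single change action pulls in, which is useful when checking a custom policy against least privilege.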