Manage IAM authentication user (access entry)


Available in VPC

You can register accessible security principals by selecting Allow Bootstrap Cluster Administrator when creating a cluster, or by adding an AccessEntry in [Cluster details] - [Authentication].

Adding the access entry that created the cluster as a cluster administrator

  1. In the cluster creation interface, select Allow cluster administrator access in Bootstrap cluster administrator access.
  2. The NRN of the user who requested the cluster creation is registered as an IAM access entry under [Access] - [AccessEntry].
Note

For clusters created using the access entry method, the main account is not automatically added as a cluster administrator when the cluster is created by a SubAccount.

Adding access entry to the cluster

  1. Click [Cluster detail interface] - [Access tab] - [AccessEntry] - [Create].
  2. Enter the information for the access entry to be added.
  • IAM Security Principal: NRN of the access entry to which the policy will be applied.
  • Group (optional): The user group authenticated in the cluster (up to 30).
  • Policy: The list of cluster access policies to be applied to the security principal.
    • Scope: The application scope of the policy (cluster/namespace).
    • Namespaces (optional): If the scope is namespace, the list of namespaces to which the policies will be applied. You can specify a pattern such as "*-ns" (up to 50).
    • Policy: Policy to be applied.
      • NKSClusterAdminPolicy: Holds all permissions for the cluster.
      • NKSAdminPolicy: Holds most permissions for the resource.
      • NKSEditPolicy: Holds write permissions.
      • NKSViewPolicy: Holds read-only permissions.
  3. Press [Create] to register the policy.
  4. Verify that the permissions are granted with the AccessKey of the registered security principal.

Access policy

The policies that can be applied to the IAM authentication access entry of the Ncloud Kubernetes Service cluster are NKSClusterAdminPolicy, NKSAdminPolicy, NKSEditPolicy, and NKSViewPolicy.

Caution
  • For Managed NKS, the use of resources such as nodes and system namespaces, as well as user impersonation, is restricted under the following permissions.
  • Permissions applied through access policies cannot be verified using the kubectl auth can-i --list command.
  • When using the kubectl command impersonating a user/group, the access policies applied to the access entry do not take effect.
  • NKSClusterAdminPolicy
    All permissions

  • NKSAdminPolicy

| API group | Resources | Verbs |
| --- | --- | --- |
| apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| authorization.k8s.io | localsubjectaccessreviews | create |
| autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| discovery.k8s.io | endpointslices | get, list, watch |
| extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
| rbac.authorization.k8s.io | rolebindings, roles | create, delete, deletecollection, get, list, patch, update, watch |
| | configmaps, endpoints, persistentvolumeclaims, persistentvolumeclaims/status, pods, replicationcontrollers, replicationcontrollers/scale, serviceaccounts, services, services/status | get, list, watch |
| | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch |
| | configmaps, events, persistentvolumeclaims, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
| | pods, pods/attach, pods/exec, pods/portforward, pods/proxy | create, delete, deletecollection, patch, update |
| | serviceaccounts | impersonate |
| | bindings, events, limitranges, namespaces/status, pods/log, pods/status, replicationcontrollers/status, resourcequotas, resourcequotas/status | get, list, watch |
| | namespaces | get, list, watch |

  • NKSEditPolicy

| API group | Resources | Verbs |
| --- | --- | --- |
| apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
| batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| discovery.k8s.io | endpointslices | get, list, watch |
| extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
| | namespaces | get, list, watch |
| | pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch |
| | serviceaccounts | impersonate |
| | pods, pods/attach, pods/exec, pods/portforward, pods/proxy | create, delete, deletecollection, patch, update |
| | configmaps, events, persistentvolumeclaims, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update |
| | configmaps, endpoints, persistentvolumeclaims, persistentvolumeclaims/status, pods, replicationcontrollers, replicationcontrollers/scale, serviceaccounts, services, services/status | get, list, watch |
| | bindings, events, limitranges, namespaces/status, pods/log, pods/status, replicationcontrollers/status, resourcequotas, resourcequotas/status | get, list, watch |

  • NKSViewPolicy

| API group | Resources | Verbs |
| --- | --- | --- |
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| discovery.k8s.io | endpointslices | get, list, watch |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
| | configmaps, endpoints, persistentvolumeclaims, persistentvolumeclaims/status, pods, replicationcontrollers, replicationcontrollers/scale, serviceaccounts, services, services/status | get, list, watch |
| | bindings, events, limitranges, namespaces/status, pods/log, pods/status, replicationcontrollers/status, resourcequotas, resourcequotas/status | get, list, watch |
| | namespaces | get, list, watch |
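The access entry form (scope, namespace patterns, policy) and the four policy tables above describe a small authorization model. The following Python script is an added example, not Ncloud code: it encodes the tables as (API group, resource, verb) triples, builds NKSEditPolicy and NKSAdminPolicy incrementally from the NKSViewPolicy rows (which is exactly how the tables differ), and evaluates a request against an access entry's scope and namespace patterns. The function names `is_allowed` and `diff_policies` are mine. Two points are assumptions rather than page facts: the "*-ns" pattern is treated with shell-style glob matching, and a cluster-scoped request (no namespace, e.g. listing namespaces) is modelled as allowed only under a cluster-scoped entry. It is useful for reviewing what a given entry will actually grant before you create it, since the page notes that `kubectl auth can-i --list` will not show these permissions afterwards.

```python
"""Model of the NKS access-entry policies on this page (added example, not Ncloud code)."""
from fnmatch import fnmatchcase

READ = ("get", "list", "watch")
WRITE = ("create", "delete", "deletecollection", "patch", "update")


def _rows(spec):
    """Expand (api_group, "res1, res2", verbs) table rows into a set of triples."""
    perms = set()
    for group, resources, verbs in spec:
        for res in resources.split(", "):
            for verb in verbs:
                perms.add((group, res, verb))
    return perms


# NKSViewPolicy: the read-only rows (API group "" is the core group).
VIEW = _rows([
    ("apps", "controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status", READ),
    ("autoscaling", "horizontalpodautoscalers, horizontalpodautoscalers/status", READ),
    ("batch", "cronjobs, cronjobs/status, jobs, jobs/status", READ),
    ("discovery.k8s.io", "endpointslices", READ),
    ("extensions", "daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale", READ),
    ("networking.k8s.io", "ingresses, ingresses/status, networkpolicies", READ),
    ("policy", "poddisruptionbudgets, poddisruptionbudgets/status", READ),
    ("", "configmaps, endpoints, persistentvolumeclaims, persistentvolumeclaims/status, pods, replicationcontrollers, replicationcontrollers/scale, serviceaccounts, services, services/status", READ),
    ("", "bindings, events, limitranges, namespaces/status, pods/log, pods/status, replicationcontrollers/status, resourcequotas, resourcequotas/status", READ),
    ("", "namespaces", READ),
])

# NKSEditPolicy: view rows plus write verbs, reads on secrets/exec-style subresources, impersonate.
EDIT = VIEW | _rows([
    ("apps", "daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale", WRITE),
    ("autoscaling", "horizontalpodautoscalers", WRITE),
    ("batch", "cronjobs, jobs", WRITE),
    ("extensions", "daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale", WRITE),
    ("networking.k8s.io", "ingresses, networkpolicies", WRITE),
    ("policy", "poddisruptionbudgets", WRITE),
    ("", "pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy", READ),
    ("", "pods, pods/attach, pods/exec, pods/portforward, pods/proxy", WRITE),
    ("", "configmaps, events, persistentvolumeclaims, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy", WRITE),
    ("", "serviceaccounts", ("impersonate",)),
])

# NKSAdminPolicy: edit rows plus namespace-level RBAC management and localsubjectaccessreviews.
ADMIN = EDIT | _rows([
    ("authorization.k8s.io", "localsubjectaccessreviews", ("create",)),
    ("rbac.authorization.k8s.io", "rolebindings, roles", READ + WRITE),
])

# None means "All permissions" (NKSClusterAdminPolicy): any triple matches.
POLICIES = {
    "NKSViewPolicy": VIEW,
    "NKSEditPolicy": EDIT,
    "NKSAdminPolicy": ADMIN,
    "NKSClusterAdminPolicy": None,
}


def is_allowed(policy, scope, namespaces, api_group, resource, verb, namespace=""):
    """Return True if the request is permitted under one access-entry policy.

    scope is "cluster" or "namespace"; namespaces is the entry's pattern list,
    e.g. ["*-ns"], matched with shell-style globbing (assumption, see lead-in).
    Assumption: a request with an empty namespace (cluster-scoped resource)
    is only permitted under a cluster-scoped entry.
    """
    if scope == "namespace":
        if not namespace or not any(fnmatchcase(namespace, p) for p in namespaces):
            return False
    perms = POLICIES[policy]
    if perms is None:
        return True
    return (api_group, resource, verb) in perms


def diff_policies(higher, lower):
    """Triples granted by `higher` but not by `lower`, sorted for stable output."""
    return sorted(POLICIES[higher] - POLICIES[lower])


if __name__ == "__main__":
    # Constructed sample entry: NKSEditPolicy, namespace scope, pattern "*-ns".
    entry = ("NKSEditPolicy", "namespace", ["*-ns"])
    for req in [("", "secrets", "get", "app-ns"), ("", "secrets", "get", "kube-system"),
                ("rbac.authorization.k8s.io", "roles", "create", "app-ns")]:
        print(req, "->", is_allowed(*entry, *req))
    print("Admin adds over Edit:", diff_policies("NKSAdminPolicy", "NKSEditPolicy"))
```

Reading the diffs is the quickest way to pick a policy: `diff_policies("NKSEditPolicy", "NKSViewPolicy")` shows that moving from view to edit adds reads on secrets and pod exec/attach/portforward subresources plus `serviceaccounts impersonate`, while `diff_policies("NKSAdminPolicy", "NKSEditPolicy")` adds only roles, rolebindings and localsubjectaccessreviews, i.e. the ability to delegate access within the scoped namespaces.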