Node IAM Role use cases

Available in VPC

When a Server type role is assigned to the worker nodes of Ncloud Kubernetes Service, the NAVER Cloud Platform API can be used from those nodes without installing an AccessKey and SecretKey.

Example of viewing Object Storage Bucket list

To create a node pool that can access Object Storage and verify that the Object Storage bucket list can be viewed from a pod, perform the following steps:

1. Create Sub Account role

See the Create role guide to create a Server type role and add the NCP_OBJECT_STORAGE_VIEWER policy.

2. Create a node pool

When you create the node pool, select the role created in Step 1 for Node IAM Role.

3. Verify role assignment

After you create the node pool, select Sub Account > Roles - Role name > Role target and check that the nodes of the created node pool have been added.

4. Verify role application

  1. Copy the following code and save it as an alpine.yaml file:

     apiVersion: v1
     kind: Pod
     metadata:
       name: alpine
     spec:
       containers:
       - name: alpine
         image: alpine:3.12
         command:
           - sleep
           - "3600"
         imagePullPolicy: IfNotPresent
       restartPolicy: Always

  2. Run the following command to deploy the pod:

     $ kubectl apply -f alpine.yaml
     pod/alpine created

  3. Run the following command to open a shell in the pod:

     $ kubectl exec -it alpine -- sh
     / # 

  4. Run the following command to install aws-cli:

     / # apk add aws-cli
     fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
     (1/46) Installing libbz2 (1.0.8-r1)
     (2/46) Installing expat (2.2.10-r4)
     ...
     (46/46) Installing aws-cli (1.18.55-r0)
     Executing busybox-1.31.1-r22.trigger
     OK: 134 MiB in 60 packages

  5. Run the following command to view the bucket list of Object Storage:

     / # aws s3 ls --endpoint-url=https://kr.object.ncloudstorage.com
     2020-09-01 07:58:31 bucket1
     2020-12-08 14:52:07 bucket2
     2020-07-20 06:37:20 bucket3
     ...
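
A stricter form of the step 4 check, as an added example that is not part of the NAVER Cloud Platform guide: run inside the pod, it refuses to treat a successful bucket listing as proof of the node role when static aws-cli keys are present in the environment or in the shared credentials/config files. The function names and the script name check-node-role.sh are hypothetical; the endpoint is the one used in the step above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the NCP guide.

# Print every place aws-cli could pick up static keys from (one per line).
# Prints nothing when the pod holds no static credentials.
static_credential_sources() {
    # Environment variables are consulted before any file.
    if [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then echo "env:AWS_ACCESS_KEY_ID"; fi
    if [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then echo "env:AWS_SECRET_ACCESS_KEY"; fi
    # Shared credentials/config files, at default or overridden paths.
    cred_file="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
    conf_file="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
    for f in "$cred_file" "$conf_file"; do
        if [ -f "$f" ] && grep -q 'aws_access_key_id' "$f"; then
            echo "file:$f"
        fi
    done
    return 0
}

# Exit status: 0 = listing worked with no static keys (node role in effect),
#              1 = no static keys but listing failed (check Role target),
#              2 = static keys found, so a listing would prove nothing.
verify_node_role() {
    endpoint="${1:-https://kr.object.ncloudstorage.com}"
    found="$(static_credential_sources)"
    if [ -n "$found" ]; then
        echo "static credentials present; remove them and retry:" >&2
        echo "$found" >&2
        return 2
    fi
    if aws s3 ls --endpoint-url="$endpoint" >/dev/null 2>&1; then
        echo "OK: bucket list readable using only the node role"
        return 0
    fi
    echo "FAIL: bucket list not readable; check policy and Role target" >&2
    return 1
}

# Run the check only when asked, e.g.: sh check-node-role.sh --run
if [ "${1:-}" = "--run" ]; then
    verify_node_role
fi
```

Because the pod manifest above carries no credentials of its own, a status of 0 here means the access came from the role attached to the node, which is a reason to keep that role's policies as narrow as the workload allows.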

Example of pulling Container Registry image

You can create a node pool that can access Container Registry and pull images from Container Registry without separate authentication from the pod.
To use this function, see Using Container Registry and prepare a registry and images.

1. Create Sub Account role

See the Create role guide to create a Server type role and add the NCP_CONTAINER_REGISTRY_VIEWER policy.

2. Create a node pool

When you create the node pool, select the role created in Step 1 for Node IAM Role.

3. Verify role assignment

After you create the node pool, select Sub Account > Roles - Role name > Role target and check that the nodes of the created node pool have been added.

4. Verify role application

  1. Copy the following code and save it as an alpine.yaml file:

     apiVersion: v1
     kind: Pod
     metadata:
       name: alpine
     spec:
       containers:
       - name: alpine
         image: <registry-name>.ncr.ntruss.com/alpine:3.12
         command:
           - sleep
           - "3600"
         imagePullPolicy: IfNotPresent
       restartPolicy: Always

  2. Run the following command to deploy the pod:

     $ kubectl apply -f alpine.yaml
     pod/alpine created

  3. Run the following command to check that the image is pulled properly and the pod is running:

     $ kubectl get pod
     NAME                      READY   STATUS    RESTARTS   AGE
     alpine                    1/1     Running   0          16s