VPC 환경에서 이용 가능합니다.
클러스터 생성시 부트스트랩 클러스터 관리자 허용을 선택하거나, [클러스터 상세] - [인증] 탭에서 AccessEntry를 추가하여 접근 가능한 보안주체를 등록합니다
클러스터를 생성한 액세스 항목을 클러스터 관리자로 추가
- 클러스터 생성 화면의 부트스트랩 클러스터 관리자 액세스 항목에서 클러스터 관리자 액세스 허용을 선택 합니다.
- 클러스터 생성을 요청한 사용자가 액세스 > AccessEntry에 IAM 액세스 항목 NRN에 등록됩니다.
참고
액세스 항목 방식의 클러스터는 SubAccount로 클러스터를 생성 할 때, 메인 계정이 클러스터 관리자로 자동 추가되지 않습니다.
액세스 항목을 클러스터에 추가
- 클러스터 상세화면 > 액세스 탭 > AccessEntry > [생성하기] 버튼을 클릭합니다.
- 추가할 액세스 항목의 정보를 입력합니다.
- IAM 보안 주체 : 정책을 적용할 액세스 항목의 NRN
- 그룹(선택사항) : 클러스터에서 인증되는 사용자 그룹. (최대 30개)
- 정책 : 보안주체에 적용될 클러스터 접근 정책의 목록.
- Scope: 정책의 적용 범위 (Cluster / Namespace)
- Namespaces(선택사항): Scope이 Namespace인 경우 정책이 적용될 Namespace 목록. '*-ns'로 패턴 지정 가능. (최대 50개)
- Policy: 적용될 정책
- NKSClusterAdminPolicy: 클러스터의 모든 권한 보유
- NKSAdminPolicy : 리소스의 대부분 권한 보유
- NKSEditPolicy: 쓰기 권한 보유
- NKSViewPolicy: 읽기 권한 보유
- [생성] 버튼을 눌러 정책을 등록합니다.
- 등록된 보안 주체의 AccessKey로 권한이 부여되었는지 확인합니다.
액세스 정책
Ncloud Kubernetes Service 클러스터의 IAM 인증 액세스 항목에 적용 가능한 정책은 NKSClusterAdminPolicy, NKSAdminPolicy, NKSEditPolicy, NKSViewPolicy이 있습니다.
주의
- Managed NKS의 경우 아래 권한에서 노드, 시스템 Namespace등의 리소스 사용 및 사용자가장 등이 제한됩니다.
- 액세스 정책을 통해 적용된 권한은 kubectl auth can-i --list 명령으로 확인이 불가능합니다.
- 사용자/그룹 가장하여 kubectl 명령을 사용하는 경우 액세스 항목에 적용된 액세스 정책이 적용되지 않습니다.
-
NKSClusterAdminPolicy
모든 권한 -
NKSAdminPolicy
| API 그룹 | 리소스 | 동사 |
|---|---|---|
| apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| authorization.k8s.io | localsubjectaccessreviews | create |
| autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| discovery.k8s.io | endpointslices | get, list, watch |
| extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
| rbac.authorization.k8s.io | rolebindings, roles | create, delete, deletecollection, get, list, patch, update, watch |
| configmaps, endpoints, persistentvolumeclaims, persistentvolumeclaims/status, pods, replicationcontrollers, replicationcontrollers/scale, serviceaccounts, services, services/status | get,list, watch | |
| pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch | |
| configmaps, events, persistentvolumeclaims, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update | |
| pods, pods/attach, pods/exec, pods/portforward, pods/proxy | create, delete, deletecollection, patch, update | |
| serviceaccounts | impersonate | |
| bindings, events, limitranges, namespaces/status, pods/log, pods/status, replicationcontrollers/status, resourcequotas, resourcequotas/status | get, list, watch | |
| namespaces | get,list, watch |
- NKSEditPolicy
| API 그룹 | 리소스 | 동사 |
|---|---|---|
| apps | daemonsets, deployments, deployments/rollback, deployments/scale, replicasets, replicasets/scale, statefulsets, statefulsets/scale | create, delete, deletecollection, patch, update |
| apps | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| autoscaling | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| autoscaling | horizontalpodautoscalers | create, delete, deletecollection, patch, update |
| batch | cronjobs, jobs | create, delete, deletecollection, patch, update |
| batch | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| discovery.k8s.io | endpointslices | get, list, watch |
| extensions | daemonsets, deployments, deployments/rollback, deployments/scale, ingresses, networkpolicies, replicasets, replicasets/scale, replicationcontrollers/scale | create, delete, deletecollection, patch, update |
| extensions | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| networking.k8s.io | ingresses, networkpolicies | create, delete, deletecollection, patch, update |
| networking.k8s.io | ingresses, ingresses/status, networkpolicies | get, list, watch |
| policy | poddisruptionbudgets | create, delete, deletecollection, patch, update |
| policy | poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch |
| namespaces | get, list, watch | |
| pods/attach, pods/exec, pods/portforward, pods/proxy, secrets, services/proxy | get, list, watch | |
| serviceaccounts | impersonate | |
| pods, pods/attach, pods/exec, pods/portforward, pods/proxy | create, delete, deletecollection, patch, update | |
| configmaps, events, persistentvolumeclaims, replicationcontrollers, replicationcontrollers/scale, secrets, serviceaccounts, services, services/proxy | create, delete, deletecollection, patch, update | |
| configmaps, endpoints, persistentvolumeclaims, persistentvolumeclaims/status, pods, replicationcontrollers, replicationcontrollers/scale, serviceaccounts, services, services/status | get, list, watch | |
| bindings, events, limitranges, namespaces/status, pods/log, pods/status, replicationcontrollers/status, resourcequotas, resourcequotas/status | get, list, watch |
- NKSViewPolicy
| API 그룹 | 리소스 | 동사 |
|---|---|---|
| autoscaling | controllerrevisions, daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, replicasets, replicasets/scale, replicasets/status, statefulsets, statefulsets/scale, statefulsets/status | get, list, watch |
| batch | horizontalpodautoscalers, horizontalpodautoscalers/status | get, list, watch |
| discovery.k8s.io | cronjobs, cronjobs/status, jobs, jobs/status | get, list, watch |
| extensions | endpointslices | get, list, watch |
| networking.k8s.io | daemonsets, daemonsets/status, deployments, deployments/scale, deployments/status, ingresses, ingresses/status, networkpolicies, replicasets, replicasets/scale, replicasets/status, replicationcontrollers/scale | get, list, watch |
| policy | ingresses, ingresses/status, networkpolicies | get, list, watch |
| poddisruptionbudgets, poddisruptionbudgets/status | get, list, watch | |
| configmaps, endpoints, persistentvolumeclaims, persistentvolumeclaims/status, pods, replicationcontrollers, replicationcontrollers/scale, serviceaccounts, services, services/status | get, list, watch | |
| bindings, events, limitranges, namespaces/status, pods/log, pods/status, replicationcontrollers/status, resourcequotas, resourcequotas/status | get, list, watch | |
| namespaces | get, list, watch |