Container

• 1: Kubernetes Engine
• 1.1: Overview
• 1.1.1: Monitoring Metrics
• 1.1.2: ServiceWatch metric
• 1.2: How-to guides
• 1.2.1: Managing Namespaces
• 1.2.2: Managing Workloads
• 1.2.3: Managing Services and Ingress
• 1.2.4: Managing Storage
• 1.2.5: Configuration Management
• 1.2.6: Managing Permissions
• 1.2.7:
• 1.3: Using Kubernetes Engine
• 1.3.1: Authentication and Authorization
• 1.3.2: Accessing the Cluster
• 1.3.3: type LoadBalancer Service Usage
• 1.3.4: Considerations for Use
• 1.3.5:
• 1.4: API Reference
• 1.5: CLI Reference
• 1.6: Release Note
• 2: Container Registry
• 2.1: Overview
• 2.1.1: Monitoring Metrics
• 2.1.2: ServiceWatch Metrics
• 2.2: How-to guides
• 2.2.1: Managing Repository
• 2.2.2: Managing Images and Tags
• 2.2.3: Managing Image Security Vulnerabilities
• 2.2.4: Managing Image Tag Deletion Policies
• 2.2.5: Using Container Registry with CLI
• 2.3: API Reference
• 2.4: CLI Reference
• 2.5: Release Note

1 - Kubernetes Engine

1.1 - Overview

Service Overview

Kubernetes Engine is a service that provides lightweight virtual computing and containers, as well as a Kubernetes cluster to manage them. Users can utilize the Kubernetes environment without complex preparation by installing, operating, and maintaining the Kubernetes Control Plane.

Features

• Standard Kubernetes Environment Configuration: The standard Kubernetes environment can be used without separate configuration through the default Kubernetes Control Plane provided. It is compatible with applications in other standard Kubernetes environments, so you can use standard Kubernetes applications without modifying the code.

• Easy Kubernetes Deployment: Provides secure communication between worker nodes and managed control planes, and quickly provisions worker nodes, allowing users to focus on building applications on the provided container environment.

• Convenient Kubernetes Management: Provides various management features to conveniently use the created Kubernetes cluster, such as cluster information inquiry and cluster management, namespace management, and workload management through the dashboard for enterprise environments.

Service Composition Diagram

Provided Features

Kubernetes Engine provides the following features.

• Cluster Management: You can create and manage clusters to use the Kubernetes Engine service. After creating a cluster, you can add services necessary for operation, such as nodes, namespaces, and workloads.
• Node Management: A node is a set of machines that run containerized applications. Every cluster must have at least one worker node to deploy applications. Nodes can be defined and used by defining a node pool. Nodes belonging to a node pool must have the same server type, size, and OS image, and multiple node pools can be created to establish a flexible deployment strategy.
• Namespace Management: Namespace is a logical separation unit within a Kubernetes cluster, and is used to specify access permissions or resource usage limits by namespace.
• Workload Management: Workload is an application running on Kubernetes Engine. You can create a namespace, then add or delete workloads. Workloads are created and managed item by item, such as deployments, pods, stateful sets, daemon sets, jobs, and cron jobs.
• Service and Ingress Management: Service is an abstraction method that exposes applications running in a set of pods as a network service, and Ingress is used to expose HTTP and HTTPS paths from outside the cluster to the inside. After creating a namespace, you can create or delete services, endpoints, ingresses, and ingress classes.
• Storage Management: When using Kubernetes Engine, you can create and manage the storage to be used. Storage is created and managed by items such as PVC, PV, and storage class.
• Configuration Management: When there is a need to manage values that change inside a container according to multiple environments such as Dev/Prod, managing them with separate images due to environment variables is inconvenient and causes significant cost waste. In Kubernetes, you can manage environment variables or configuration values as variables from the outside so that they can be inserted when a Pod is created, and at this time, ConfigMap and Secret can be used.
• Access Control: In cases where multiple users access a Kubernetes cluster, you can grant permissions for specific APIs or namespaces to restrict access. You can apply Kubernetes’ role-based access control (RBAC) feature to set permissions for clusters or namespaces. You can create and manage cluster roles, cluster role bindings, roles, and role bindings.

Component

Control Plane

The Control Plane is the master node role in the Kubernetes Engine service. The master node is the management node of the cluster, and it plays a role in managing other nodes in the cluster. The cluster is the basic creation unit of the Kubernetes Engine service, and it is used to manage node pools, objects, controllers, and other components within it. Users set up the cluster name, control plane, network, File Storage, and other settings, and then create a node pool within the cluster to use it. The master node assigns tasks to the cluster, monitors the status of the nodes, and plays a role in data communication between nodes.

The cluster name creation rule is as follows.

• It starts with English and can be set within 3-30 characters using English, numbers, and special characters (-).
• The cluster name must not be duplicated with the existing one.

Worker Node

The Worker Node is a work node in the cluster, playing a role in performing the cluster’s tasks. The Worker Node receives tasks from the cluster’s master node, performs them, and reports the task results to the cluster’s master node. All nodes created within the node pool and namespace play the role of a worker node.

The creation rule of the node pool, which is a collection of worker nodes, is as follows.

• A node pool must have at least one node to be created for application deployment to be possible.
• Up to 100 nodes can be created in a node pool.
• Since the maximum number of nodes is 100, if there are 100 node pools, 1 node per node pool, and if there are 50 node pools, 2 nodes per node pool, the total number of nodes can be created freely within 100 nodes.
• It is possible to set up Block Storage connected to the node pool.
• It is possible to set the server type, size, and OS image for nodes belonging to the node pool, and all must be the same.
• Auto-Scaling service allows you to set automatic node pool expansion/reduction according to the requirements of the deployed application.

Preceding Service

This is a list of services that must be pre-configured before creating this service. Please refer to the guide provided for each service and prepare in advance for more details.

1.1.1 - Monitoring Metrics

Kubernetes Engine Monitoring Metrics

The following table shows the monitoring metrics of Kubernetes Engine that can be checked through Cloud Monitoring. For detailed instructions on using Cloud Monitoring, refer to the Cloud Monitoring guide.

1.1.2 - ServiceWatch metric

Kubernetes Engine sends metrics to ServiceWatch. The metrics provided by default monitoring are data collected at a 1‑minute interval.

Basic Indicators

The following are the basic metrics for the namespace Kubernetes Engine.

1.2 - How-to guides

The user can enter required information for the Kubernetes Engine through the Samsung Cloud Platform Console, select detailed options, and create a service.

Create Kubernetes Engine

You can create and use the Kubernetes Engine service from the Samsung Cloud Platform Console.

You can create and manage clusters to use the Kubernetes Engine service. After creating a cluster, you can add services needed for operation such as nodes, namespaces, and workloads.

Creating a Cluster

You can create and use a Kubernetes Engine cluster service from the Samsung Cloud Platform Console.

To create a Kubernetes Engine cluster, follow these steps.

1. All Services > Container > Kubernetes Engine Click the menu. Navigate to the Service Home page of Kubernetes Engine.
2. Click the Create Cluster button on the Service Home page. You will be taken to the Create Cluster page.
3. Cluster Creation page, enter the information required to create the service, and select detailed options.

• Enter service information area, input or select the required information.

  Category	Required or not	Detailed description
  Cluster Name	Required	Cluster Name Start with an English letter and use English letters, numbers, special character (-) within 3-30 characters
  Control Plane Settings > Kubernetes Version	Required	Select Kubernetes Version
  Control Area Settings > Private Endpoint Access Control	Select	Select whether to use Private Endpoint Access Control After selecting Use, click Add to select resources that are allowed to access the private endpoint Only resources in the same Account and same region can be registered Regardless of the Use setting, the nodes of the cluster can access the private endpoint
  Control Area Settings > Public Endpoint Access/Access Control	Select	Select whether to use Public Endpoint Access/Access Control After selecting Use, enter the Allowed Access IP Range as 192.168.99.0/24 Set the access control IP range so that external users can access the Kubernetes API server endpoint If external access is not needed, you can disable it to reduce security threats
  ServiceWatch log collection	Optional	Set whether to enable log collection so that logs for the cluster can be viewed in ServiceWatch. Log storage up to 5 GB for all services within the account is provided for free, and fees are charged based on storage volume if it exceeds 5 GB. If you need to check cluster logs, it is recommended to enable the ServiceWatch log collection feature
  Cloud Monitoring log collection	Optional	Set whether to enable log collection so that logs for the cluster can be viewed in Cloud Monitoring. Up to 1 GB of log storage for all services within the account is provided for free, and any amount exceeding 1 GB is deleted sequentially.
  Network Settings	Required	Network connection settings for node pool VPC: Select a pre-created VPC Subnet: Choose a standard Subnet to use from the subnets of the selected VPC Security Group: after clicking the Select button, select a Security Group in the Security Group Selection popup Up to 4 Security Group can be selected
  File Storage Settings	Required	Select the file storage volume to be used in the cluster Default Volume (NFS): Click the Search button and then select the file storage in the File Storage Selection popup. The default Volume file storage can only use the NFS format.

  Table. Kubernetes Engine Service Information Input Items
  • Additional Information Input Enter or select the required information in the area.

    Category	Required	Detailed description
    Tag	Select	Add Tag Up to 50 can be added per resource After clicking the Add Tag button, enter or select Key, Value values

    Table. Kubernetes Engine Additional Information Input Items

4. Summary Check the detailed information and estimated billing amount generated in the panel, and click the Complete button.
   • When creation is complete, check the created resources on the Cluster List page.

Check cluster detailed information

Kubernetes Engine service can view and edit the full resource list and detailed information. Cluster Details page consists of Details, Node Pools, Tags, Activity History tabs.

To view detailed cluster information, follow the steps below.

1. All Services > Container > Kubernetes Engine Click the menu. Navigate to the Service Home page of Kubernetes Engine.
2. Click the Cluster menu on the Service Home page. Navigate to the Cluster List page.
3. Click the resource (cluster) you want to view detailed information for on the Cluster List page. You will be taken to the Cluster Details page.
   • Cluster Details page displays the cluster’s status information and detailed information, and consists of Details, Node Pool, Tags, Job History tabs.

     Category	Detailed description
     Cluster Status	Kubernetes Engine cluster status Creating: Creating Running: Created / Running Error: Error occurred
     Service Termination	Button to terminate a Kubernetes Engine cluster To terminate the Kubernetes Engine service, you must delete all node pools added to the cluster If the service is terminated, the running service may be stopped immediately, so termination is necessary after considering the impact of service interruption

     Table. Status Information and Additional Functions

Detailed Information

Cluster List page allows you to view detailed information of the selected resource and, if necessary, edit the information.

Node Pool

You can view, add, modify, or delete cluster node pool information. For detailed information on using node pools, refer to Managing Nodes.

Tag

On the Cluster List page, you can view the tag information of the selected resource, and you can add, modify, or delete it.

Work History

You can view the operation history of the selected resource on the Cluster List page.

Managing Cluster Resources

To manage cluster resources, we provide cluster version upgrade, kubeconfig download, and control plane logging modification features.

Cluster Version Upgrade

If there is a version that can be upgraded from the cluster’s Kubernetes version, you can perform the upgrade on the Cluster Details page.

Cluster version upgrade preparation

There is no need to delete and recreate API objects when upgrading the cluster version. For the transitioned API, all existing API objects can be read and updated using the new API version. However, due to deprecated APIs in older Kubernetes versions, you may be unable to read or modify existing objects or create new ones. Therefore, to ensure system stability, it is recommended to migrate clients and manifests before the upgrade.

Migrate the client and manifest using the following method.

• Download the new version of the client (e.g., kubectl), install it on the cluster, and modify the Yaml to refer to the new API.
• or use a separate plugin (kubectl convert) to automatically convert. For detailed instructions, refer to the Kubernetes official documentation > Install and set up kubectl on Linux.

Upgrade Cluster and Node Pool Versions

To update the cluster and node pool, follow the steps below.

1. All Services > Container > Kubernetes Engine Click the menu. Navigate to the Service Home page of Kubernetes Engines.
2. Click the Cluster menu on the Service Home page. It navigates to the Cluster List page.
3. Cluster List page, click the resource (cluster) to upgrade the version. It navigates to the Cluster Details page.
4. Click the Edit icon of Kubernetes version on the Cluster Details page. Navigate to the Cluster Version Upgrade popup.
5. Select the Kubernetes version to upgrade, and click the Confirm button.
   • It may take a few minutes for the cluster upgrade to complete.
   • During the upgrade, the cluster status is shown as Updating, and when the upgrade is complete, it is shown as Running.
6. When the upgrade is complete, select the Node Pool tab. Go to the Node Pool page.
7. Click the More button of the node pool item and click Node Pool Upgrade. It will move to the Node Pool Version Upgrade popup window.
8. Node Pool Version Upgrade After checking the message in the popup window, click the Confirm button.
   • It may take a few minutes until the node pool upgrade is completed.
   • During the upgrade, the node pool status is shown as Updating, and when the upgrade is complete, it is shown as Running.

kubeconfig download

You can download the admin/user kubeconfig settings of the cluster’s public and private endpoints as a yaml document.

To download the cluster’s kubeconfig settings, follow the steps below.

1. All Services > Container > Kubernetes Engine Click the menu. Navigate to the Service Home page of Kubernetes Engines.
2. Click the Cluster menu on the Service Home page. You will be taken to the Cluster List page.
3. On the Cluster List page, click the resource (cluster) to download the kubeconfig. You will be taken to the Cluster Details page.
4. On the Cluster Details page, click the Admin kubeconfig download/User kubeconfig download button for the desired endpoint.
   • You can download the kubeconfig file in yaml format for each permission.

Edit Private Endpoint Access Control

You can change the private endpoint access control settings of the cluster.

1. Click the All Services > Container > Kubernetes Engine menu. Navigate to the Service Home page of Kubernetes Engines.
2. Click the Cluster menu on the Service Home page. Navigate to the Cluster List page.
3. On the Cluster List page, click the resource (cluster) to modify private endpoint access control. You will be taken to the Cluster Details page.
4. Cluster Details page, click the Edit icon of Private Endpoint Access Control. Navigate to the Private Endpoint Access Control Edit popup.
5. Private Endpoint Access Control Modification in the popup window, check the Private Endpoint Access Control Usage, add the allowed access resources, and click the Confirm button.

Modify public endpoint access/access control

You can change the public endpoint access control settings of the cluster.

1. All Services > Container > Kubernetes Engine Click the menu. Navigate to the Service Home page of Kubernetes Engines.
2. Click the Cluster menu on the Service Home page. Navigate to the Cluster List page.
3. Click the resource (cluster) to modify public endpoint access control on the Cluster List page. You will be taken to the Cluster Details page.
4. Click the Edit icon of Public Endpoint Access/Access Control on the Cluster Details page. It moves to the Public Endpoint Access/Access Control Edit popup.
5. Public Endpoint Access/Access Control Modification In the popup window, check the Public Endpoint Access Control Use status and add the allowed IP range, then click the Confirm button.

Modify control area log collection settings

You can change the log collection settings of the cluster’s control plane. Detailed logs of the cluster can be viewed in the ServiceWatch service or the Cloud Monitoring service.

Follow the steps below to change the control plane log collection settings of the cluster.

1. Click the All Services > Container > Kubernetes Engine menu. Navigate to the Service Home page of Kubernetes Engines.
2. Click the Cluster menu on the Service Home page. Navigate to the Cluster List page.
3. Cluster List page, click the resource (cluster) to modify control plane logging. Cluster Details page will be opened.
4. Cluster Details page, click the Edit icon of ServiceWatch Log Collection. It will navigate to the ServiceWatch Log Collection popup.
   • Cloud Monitoring log collection feature can also be set the same way.
5. In the ServiceWatch log collection popup, after checking the use of ServiceWatch log modification, click the Confirm button.

Security Group Edit

You can modify the cluster’s Security Group.

To modify the cluster’s Security Group, follow the steps below.

1. All Services > Container > Kubernetes Engine menu를 클릭하세요. Kubernetes Engines의 Service Home 페이지로 이동합니다.
2. Click the Cluster menu on the Service Home page. You will be taken to the Cluster List page.
3. Cluster List page, click the resource (cluster) whose Security Group you want to modify. You will be taken to the Cluster Details page.
4. Click the Edit icon of Security Group on the Cluster Details page. It will navigate to the Security Group Edit popup.
5. After selecting or deselecting the Security Group to modify, click the Confirm button.

Cancel Cluster

To cancel the cluster, follow the steps below.

1. All Services > Container > Kubernetes Engine Click the menu. Navigate to the Service Home page of Kubernetes Engines.
2. Click the Cluster menu on the Service Home page. You will be taken to the Cluster List page.
3. Click the resource (cluster) on the Cluster List page to view detailed information. You will be taken to the Cluster Detail page.
4. On the Cluster Details page, click Service Termination.
5. Service termination After checking the contents in the popup window, click the Confirm button.

1.2.1 - Managing Namespaces

A namespace is a logical separation unit within a Kubernetes cluster, and is used to specify access permissions or resource usage limits by namespace.

Create namespace

To create a namespace, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click the Namespace menu. It moves to the Namespace List page.
3. On the Namespace List page, select the cluster where you want to create a namespace from the gear button at the top left, then click Create Object.
4. Object creation popup where you enter object information and click the Confirm button.

Check namespace details

You can check the namespace status and detailed information on the namespace detail page.

To check namespace details, follow the next procedure.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click the Namespace menu. It moves to the Namespace List page.
3. On the Namespace List page, select the cluster where the namespace that requires detailed information is located from the gear button in the top left, and then click OK.
4. On the Namespace List page, select and click the item you want to check the details for. It moves to the Namespace Details page.

Deleting a namespace

To delete a namespace, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click the Namespace menu. It moves to the Namespace List page.
3. On the Namespace List page, select the cluster where the namespace you want to delete is located from the gear button at the top left, then click the OK button.
4. On the Namespace List page, select and click the item you want to check the details for. It moves to the Namespace Details page.
5. Click Namespace Delete on the Namespace Details page.
6. When the Notification Confirmation Window appears, click the OK button.

1.2.2 - Managing Workloads

The workload is an application running on Kubernetes Engine. You can create a namespace and then add or remove workloads. Workloads are created and managed item by item, such as deployments, pods, stateful sets, daemon sets, jobs, and cron jobs.

Managing Deployment

Deployment is a resource that provides updates for pods and replica sets. You can create a deployment in a workload, check its details, or delete it.

Creating Deployment

To create a deployment, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Deployment under the Workload menu. It moves to the List Deployment page.
3. Deployment list page, select the cluster and namespace from the gear button at the top left, then click Create object.
4. Object Creation Popup where you enter object information and click the Confirm button.
   • The following is an example of a .yaml file showing the required fields and object Spec for deployment creation. (application/deployment.yaml)
     Sample Code Download

     Copy Code

     Color mode

      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: nginx-deployment
      spec:
        selector:
           matchLabels:
              app: nginx
        replicas: 2 # tells deployment to run 2 pods matching the template
        template:
          metadata:
             labels:
                app: nginx
          spec:
             containers:
             - name: nginx
               image: nginx:1.14.2
               ports:
               - containerPort: 80

      apiVersion: apps/v1
      kind: Deployment
      metadata:
        name: nginx-deployment
      spec:
        selector:
           matchLabels:
              app: nginx
        replicas: 2 # tells deployment to run 2 pods matching the template
        template:
          metadata:
             labels:
                app: nginx
          spec:
             containers:
             - name: nginx
               image: nginx:1.14.2
               ports:
               - containerPort: 80

Check Deployment Details

To check the deployment details, follow the next procedure.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Deployment under the Workload menu. It moves to the Deployment List page.
3. Deployment list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Deployment List page, select the item you want to check the detailed information. It moves to the Deployment Details page.
   • Selecting Show System Objects at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check service information.

Deleting Deployment

To delete a deployment, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Deployment under the Workload menu. It moves to the Deployment List page.
3. Deployment list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Deployment List page, select the item you want to delete. It moves to the Deployment Details page.
5. Deployment Details page, click Delete Deployment.
6. When the Notification Confirmation Window appears, click the Confirm button.

Managing Pods

A Pod is the smallest computing unit that can be created, managed, and deployed in Kubernetes, referring to a group of one or more containers. You can create pods in workloads and view or delete their details.

Creating a Pod

To create a pod, follow the next procedure.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Pods under the Workload menu. It moves to the Pod List page.
3. Pod list page, select the cluster and namespace from the gear button at the top left, then click Create object.
4. Object Creation Popup where you enter object information and click the Confirm button.

Check Pod Details

To check the pod details, follow the next procedure.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Pods under the Workload menu. It moves to the Pod List page.
3. Pod list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Pod List page, select the item you want to check the detailed information. It moves to the Pod Detail page.
   • Selecting Show System Objects at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check the service information.

Deleting Pods

To delete a pod, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Pods under the Workload menu. It moves to the Pod List page.
3. Pod List page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Select the item to delete on the Pod List page. It moves to the Pod Detail page.
5. Pod Details page, click Delete Pod.
6. When the Notification Confirmation Window appears, click the OK button.

Managing StatefulSets

A StatefulSet is a workload API object used to manage stateful applications, you can create, describe, or delete StatefulSet in the workload.

Creating a StatefulSet

To create a stateful set, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click StatefulSet under the Workload menu. It moves to the Statefulset List page.
3. StatefulSet list page, select the cluster and namespace from the gear button at the top left, then click Create object.
4. Object creation popup where you enter object information and click the OK button.

Checking Detailed Information of StatefulSet

To view detailed information about a StatefulSet, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click StatefulSet under the Workload menu. It moves to the StatefulSet List page.
3. StatefulSet list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. StatefulSet list page, select the item you want to check the detailed information. It moves to the StatefulSet detail page.
   • Selecting Show System Objects at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check service information.

Deleting a StatefulSet

To delete a stateful set, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click StatefulSet under the Workload menu. It moves to the StatefulSet List page.
3. StatefulSet list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. StatefulSet list page, select the item you want to delete. It moves to the StatefulSet details page.
5. StatefulSet details page, click Delete StatefulSet.
6. When the Notification Confirmation Window appears, click the Confirm button.

Managing DaemonSets

A daemon set is a resource that allows all nodes or some nodes to run a copy of a pod. You can create a daemon set in a workload, check its details, or delete it.

Creating a DaemonSet

To create a daemon set, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click DaemonSet under the Workload menu. It moves to the DaemonSet list page.
3. On the DaemonSet list page, select the cluster and namespace from the gear button in the top left, then click Create object.
4. Object creation popup where you enter object information and click the OK button.

Checking DaemonSet Details

To check the details of the daemon set, follow the next procedure.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click DaemonSet under the Workload menu. It moves to the DaemonSet list page.
3. On the DaemonSet list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Select an item to check the detailed information on the DaemonSet list page. It moves to the DaemonSet details page.
   • Selecting Show System Objects at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check service information.

Deleting DaemonSets

To delete a daemon set, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click DaemonSet under the Workload menu. It moves to the DaemonSet list page.
3. On the DaemonSet list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Select the item to delete from the DaemonSet list page. It will move to the DaemonSet details page.
5. DaemonSet details page, click Delete DaemonSet.
6. When the Notification Confirmation Window appears, click the Confirm button.

Job Management

A job is a resource that creates one or more pods and continues to run them until a specified number of pods complete successfully. You can create a job in a workload and view or delete its details.

Creating a Job

To create a job, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Job under the Workload menu. It moves to the Job List page.
3. Job list page, select the cluster and namespace from the gear button at the top left, then click Create object.
4. Object Creation Popup where you enter object information and click the Confirm button.

Check Job Details

To check the job details, follow the next procedure.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Job under the Workload menu. It moves to the Job List page.
3. Job List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
4. Job list page, select the item you want to check the details. It moves to the Job details page.
   • Selecting Show System Objects at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check service information.

Delete Job

To delete a job, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Job under the Workload menu. It moves to the Job List page.
3. Job list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Job List page, select the item you want to delete. It moves to the Job Detail page.
5. Click Job Delete on the Job Details page.
6. When the Notification Confirmation Window appears, click the Confirm button.

Managing Cron Jobs

A cron job is a resource that runs a job periodically according to a schedule written in cron format. It can be used to execute repetitive tasks at a fixed interval, such as backup and report creation. You can create a cron job in the workload and check or delete detailed information.

Creating a Cron Job

To create a cron job, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click CronJob under the Workload menu. It moves to the CronJob List page.
3. CronJob list page, select the cluster and namespace from the gear button at the top left, then click Create Object.
4. Object Creation Popup where you enter object information and click the Confirm button.

Check Cron Job Details

To check the detailed information of the cron job, follow the next procedure.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click CronJob under the Workload menu. It moves to the CronJob List page.
3. CronJob list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Cron Job List page, select the item you want to check the detailed information. It moves to the Cron Job Detail page.
   • Selecting Show System Objects at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check the service information.

Deleting a Cron Job

To delete a cron job, follow these steps.

1. Click on the menu for all services > Container > Kubernetes Engine. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click CronJob under the Workload menu. It moves to the CronJob List page.
3. CronJob list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Select the item to be deleted from the Cron Job List page. It will move to the Cron Job Details page.
5. Cron Job Details page, click Delete Cron Job.
6. When the Notification Confirmation Window appears, click the Confirm button.

1.2.3 - Managing Services and Ingress

The service is an abstraction method that exposes applications running in a set of pods as a network service, and ingress is used to expose HTTP and HTTPS paths from outside the cluster to inside the cluster. After creating a namespace, you can create or delete services, endpoints, ingresses, and ingress classes.

Managing Services

You can create a service, check detailed information, or delete it.

Creating a Service

To create a service, follow these steps.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Service under the Service and Ingress menu. It moves to the Service List page.
3. On the Service List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
4. Object Creation Popup에서 오브젝트 정보를 입력하고 Confirm 버튼을 클릭하세요.

Check Service Details

To check the service details, follow the next procedure.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. Service Home page, click Service under the Service and Ingress menu. It moves to the Service List page.
3. On the Service List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
4. On the Service List page, select the item you want to check the detailed information. It moves to the Service Detail page.
   • Selecting System Object View at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check the service information.

Delete Service

To delete a service, follow these steps.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Services under the Services and Ingress menu. It moves to the Service List page.
3. On the Service List page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Select the item to be deleted on the Service List page. It moves to the Service Detail page.
5. Click Service Delete on the Service Details page.
6. When the Notification Confirmation Window appears, click the Confirm button.

Managing Endpoints

You can create an endpoint and check or delete detailed information.

Creating Endpoints

To create an endpoint, follow these steps.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. Service Home page, click Endpoints under the Services and Ingress menu. It moves to the Endpoint List page.
3. On the Endpoint List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
4. Object Creation Popup에서 오브젝트 정보를 입력하고 확인 버튼을 클릭하세요.

Check Endpoint Details

To check the endpoint details, follow the next procedure.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. Service Home page, click Endpoints under the Services and Ingress menu. It moves to the Endpoint List page.
3. Endpoint list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. On the Endpoint List page, select the item you want to check the detailed information. It moves to the Endpoint Detail page.
   • Selecting System Object View at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check the service information.

Deleting Endpoints

To delete an endpoint, follow these steps.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Endpoints under the Services and Ingress menu. It moves to the Endpoint List page.
3. Endpoint list page, select cluster and namespace from the gear button at the top left, then click OK.
4. Select the item to delete on the Endpoint List page. It moves to the Endpoint Detail page.
5. Endpoint Details page, click Delete Endpoint.
6. When the Notification Confirmation Window appears, click the Confirm button.

Managing Ingress

Ingress is an API object that manages external access (HTTP, HTTPS) to services within Kubernetes Engine, used to expose workloads to the outside, and provides L7 load balancing functionality.

Creating an Ingress

To create an ingress, follow these steps.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Ingress under the Services and Ingress menu. It moves to the Ingress List page.
3. Ingress List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
4. Object Creation Popup에서 오브젝트 정보를 입력하고 Confirm 버튼을 클릭하세요.

Check Ingress Details

To check the details of the ingress, follow the next procedure.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. Service Home page, click Ingress under the Service and Ingress menu. It moves to the Ingress List page.
3. Ingress list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Ingress List page, select the item you want to check the detailed information. It moves to the Ingress Detail page.
   • Selecting System Object View at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check service information.

Deleting Ingress

To delete an Ingress, follow these steps.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Ingress under the Services and Ingress menu. It moves to the Ingress List page.
3. Ingress list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Ingress List page, select the item you want to delete. It moves to the Ingress Detail page.
5. Ingress Details page, click Delete Ingress.
6. When the Notification Confirmation Window appears, click the Confirm button.

Managing Ingress Classes

An IngressClass is an API resource that allows you to use multiple Ingress controllers in a single cluster. Each Ingress must specify a class that includes the configuration for the IngressClass resource that it refers to, including the controller it should be implemented by.

Creating an Ingress Class

To create an IngressClass, follow these steps.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Ingress Class under the Services and Ingress menu. It moves to the Ingress Class List page.
3. IngressClass list page, select the cluster and namespace from the gear button in the top left, then click Create object.
4. Object Creation Popup에서 오브젝트 정보를 입력하고 Confirm 버튼을 클릭하세요.

Checking Ingress Class Details

To check the details of the IngressClass, follow the next procedure.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Ingress Class under the Services and Ingress menu. It moves to the Ingress Class List page.
3. IngressClass list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. IngressClass list page, select the item you want to check the detailed information. It moves to the IngressClass details page.
   • Selecting System Object View at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check the service information.

Deleting IngressClass

To delete an IngressClass, follow these steps.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click Ingress Class under the Services and Ingress menu. It moves to the Ingress Class List page.
3. IngressClass list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Select the item to delete on the IngressClass list page. It moves to the IngressClass detail page.
5. Ingress Class Details page, click Delete Ingress Class.
6. When the Notification Confirmation Window appears, click the Confirm button.

1.2.4 - Managing Storage

When using the Kubernetes Engine, you can create and manage storage. Storage is created and managed by item, including PVC, PV, and storage classes.

Managing PVC

A Persistent Volume Claim (PVC) is an object that defines the storage capacity to be allocated. PVC provides high usability through abstraction and can prevent data from being deleted together with the container lifecycle (maintaining Data Persistence).

Creating a PVC

To create a PVC, follow these steps:

1. Click All Services > Container > Kubernetes Engine. You will be taken to the Kubernetes Engine Service Home page.
2. On the Service Home page, click Storage under the menu, then click PVC. You will be taken to the PVC List page.
3. On the PVC List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
4. In the Create Object popup window, enter the object information and click the OK button.

Viewing PVC Details

To view PVC details, follow these steps:

1. Click All Services > Container > Kubernetes Engine. You will be taken to the Kubernetes Engine Service Home page.
2. On the Service Home page, click Storage under the menu, then click PVC. You will be taken to the PVC List page.
3. On the PVC List page, select the cluster and namespace from the gear button at the top left, then click OK.
4. On the PVC List page, select the item you want to view details for. You will be taken to the PVC Details page.
   • Select Show System Objects at the top of the list to display Kubernetes objects.
5. Click each tab to view the service information.

   Category	Detailed Description
   Status	Displays the current status of the PVC. Bound: Normal connection
   Delete PVC	Deletes the PVC
   Details	Displays detailed information about the PVC
   YAML	Allows you to modify the PVC resource file in the YAML editor Click the Edit button, modify the resource, and click the Save button to apply the changes
   Events	Displays events that occurred within the PVC
   Account Information	Displays basic information about the account, such as the account name, location, and creation time
   Metadata Information	Displays metadata information about the PVC
   Object Information	Displays object information about the PVC

   Table. PVC detail items

Delete PVC

To delete a PVC, follow these steps:

1. Click All Services > Container > Kubernetes Engine menu. Move to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click PVC under the Storage menu. Move to the PVC List page.
3. On the PVC List page, select a cluster and namespace from the gear button at the top left, and click Confirm.
4. On the PVC List page, select the item you want to delete. Move to the PVC Details page.
5. On the PVC Details page, click Delete PVC.
6. When the Notification Confirmation window appears, click the Confirm button.

Manage PV

Persistent Volume (PV) refers to a physical disk created by the system administrator in Kubernetes Engine.

Create PV

To create a PV, follow these steps:

1. Click All Services > Container > Kubernetes Engine menu. Move to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click PV under the Storage menu. Move to the PV List page.
3. On the PV List page, select a cluster and namespace from the gear button at the top left, and click Create Object.
4. In the Create Object popup window, enter object information and click the Confirm button.

Check PV Details

To check the PV details, follow these steps:

1. Click All Services > Container > Kubernetes Engine menu. Move to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click PV under the Storage menu. Move to the PV List page.
3. On the PV List page, select a cluster and namespace from the gear button at the top left, and click Confirm.
4. On the PV List page, select the item you want to check the details of. Move to the PV Details page.
   • Select Show System Objects at the top of the list to display items other than Kubernetes objects.
5. Click each tab to check the service information.

   Category	Description
   Status	Displays the current status of the PV. Bound: Normal connection
   Delete PV	Delete PV
   Details	Check the detailed information of the PV
   YAML	Modify the PV resource file in the YAML editor Click the Edit button, modify the resource, and click the Save button to apply the changes
   Events	Check the events that occurred within the PV
   Account Information	Check the basic information of the account, such as account name, location, and creation time
   Metadata Information	Check the metadata information of the PV
   Object Information	Check the object information of the PV

   Table. PV Details Items

Delete PV

To delete a PV, follow these steps:

1. Click All Services > Container > Kubernetes Engine menu. Move to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click PV under the Storage menu. Move to the PV List page.
3. On the PV List page, select a cluster and namespace from the gear button at the top left, and click Confirm.
4. On the PV List page, select the item you want to delete. Move to the PV Details page.
5. On the PV Details page, click Delete PV.
6. When the Notification Confirmation window appears, click the Confirm button.

Managing Storage Classes

A Storage Class (Storage Class) is a Kubernetes resource that defines the type or performance level of storage.

Predefined Storage Classes

Creating a Storage Class

To create a storage class, follow these steps:

1. Click All Services > Container > Kubernetes Engine. The Kubernetes Engine Service Home page appears.
2. On the Service Home page, click Storage under the Storage menu. The Storage Class List page appears.
3. On the Storage Class List page, select the cluster and namespace from the gear button at the top left, and then click Create Object.
4. In the Create Object popup, enter the object information and click OK.
   Note

   For more information on the concept of storage classes and object creation, see the Kubernetes official documentation > Storage Classes.

Checking Storage Class Details

To check the details of a storage class, follow these steps:

1. Click All Services > Container > Kubernetes Engine. The Kubernetes Engine Service Home page appears.
2. On the Service Home page, click Storage under the Storage menu. The Storage Class List page appears.
3. On the Storage Class List page, select the cluster and namespace from the gear button at the top left, and then click OK.
4. On the Storage Class List page, select the item for which you want to check the details. The Storage Class Details page appears.
   • Select Show System Objects at the top of the list to display items other than Kubernetes objects.
5. Click each tab to check the service information.

   Category	Description
   Delete Storage Class	Delete the storage class
   Details	Check the detailed information of the storage class
   YAML	Modify the storage class resource file in the YAML editor Click the Edit button, modify the resource, and click the Save button to apply the changes
   Events	Check the events that occurred within the storage class
   Account Information	Check the basic information of the account, such as the account name, location, and creation time
   Metadata Information	Check the metadata information of the storage class
   Object Information	Check the object information of the storage class

   Table. Storage class details items

Deleting a Storage Class

To delete a storage class, follow these steps:

1. Click All Services > Container > Kubernetes Engine. The Kubernetes Engine Service Home page appears.
2. On the Service Home page, click Storage under the Storage menu. The Storage Class List page appears.
3. On the Storage Class List page, select the cluster and namespace from the gear button at the top left, and then click OK.
4. On the Storage Class List page, select the item you want to delete. The Storage Class Details page appears.
5. On the Storage Class Details page, click Delete Storage Class.
6. In the Confirmation window, click OK.
   Caution

   On the storage class list page, you can delete the selected storage class by clicking Delete after selecting the item you want to delete.

1.2.5 - Configuration Management

When there is a need to manage changing values inside the container according to various environments such as development and operation, managing separate images due to environment variables is inconvenient and costly. In Kubernetes, you can manage environment variables or configuration values as variables so that they can be changed from outside, and at this time, ConfigMap and Secret can be used to insert them when a Pod is created.

Managing Config Maps

You can write and manage Config information used in the namespace as a config map.

Creating a Config Map

To create a configmap, follow these steps.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click ConfigMap under the Configuration menu. It moves to the ConfigMap list page.
3. ConfigMap List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
4. Object Creation Popup에서 오브젝트 정보를 입력하고 Confirm 버튼을 클릭하세요.

Checking ConfigMap Details

To check the config map details, follow the next procedure.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click ConfigMap under the Configuration menu. It moves to the ConfigMap list page.
3. ConfigMap List page, select the cluster and namespace from the gear button at the top left, then click OK.
4. On the Config Map List page, select the item you want to check the detailed information. It moves to the Config Map Detail page.
   • Selecting System Object View at the top of the list displays all items except for Kubernetes object entries.
5. Click each tab to check the service information.

Deleting ConfigMap

To delete a configmap, follow this procedure.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click ConfigMap under the Configuration menu. It moves to the ConfigMap list page.
3. ConfigMap list page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Configmap List page, select the item you want to delete. It moves to the Configmap Detail page.
5. Configmap Details page, click Delete Configmap.
6. When the Notification Confirmation Window appears, click the Confirm button.

Managing Secrets

Using secrets, you can safely store and manage sensitive information such as passwords, OAuth tokens, and SSH keys.

Creating a Secret

To create a secret, follow these steps.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click 시크릿 under the 구성 menu. It moves to the 시크릿 목록 page.
3. Secret List page, select cluster and namespace from the gear button at the top left, then click Create Object.
4. Object Creation Popup에서 오브젝트 정보를 입력하고 Confirm 버튼을 클릭하세요.

Check Secret Details

To check the secret details, follow the following procedure.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click 시크릿 under the 구성 menu. It moves to the 시크릿 목록 page.
3. Secret List page, select cluster and namespace from the gear button at the top left, then click Confirm.
4. Secret List page, select the item you want to check the detailed information. It moves to the Secret Detail page.
   • Selecting Show System Objects at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check the service information.

Deleting Secrets

To delete a secret, follow these steps.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click 시크릿 under the 구성 menu. It moves to the 시크릿 목록 page.
3. Secret List page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Secret List page, select the item you want to delete. It moves to the Secret Detail page.
5. Secret Detail page, click Delete Secret.
6. When the Notification Confirmation Window appears, click the Confirm button.

1.2.6 - Managing Permissions

When multiple users access the Kubernetes cluster, you can grant permissions by specific API or namespace and specify the access range. You can apply the Role-Based Access Control (RBAC) feature of Kubernetes to set permissions by cluster or namespace. You can create and manage ClusterRole, ClusterRoleBinding, Role, and RoleBinding.

Managing Cluster Roles

You can set and manage access permissions on a cluster unit basis. You can also set permissions for APIs or resources that are not limited to a namespace.

Creating a Cluster Role

To create a cluster role, follow these steps.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click ClusterRole under the Authorities menu. It moves to the ClusterRole list page.
3. Cluster Role List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
4. Enter object information in the object creation popup window and click the OK button.

Check Cluster Role Details

To view detailed information about the cluster role, follow these steps.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click 클러스터롤 under the 권한 menu. It moves to the 클러스터롤 목록 page.
3. Cluster Role List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
4. Cluster Roll List page, select the item you want to check the detailed information. Move to the Cluster Roll Detail page.
   • Selecting System Object View at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check the service information.

Deleting a Cluster Role

To delete a cluster role, follow this procedure.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click ClusterRole under the Authority menu. It moves to the ClusterRole list page.
3. Cluster Role List page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Select the item to delete on the Cluster Role List page. It moves to the Cluster Role Detail page.
5. Cluster Role Detail page, click Delete Cluster Role.
6. When the Notification Confirmation Window appears, click the Confirm button.

Managing Cluster Role Bindings

You can create and manage cluster role bindings by connecting cluster roles and specific targets.

Creating Cluster Role Binding

To create a cluster role binding, follow these steps.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click ClusterRoleBinding under the Authority menu. It moves to the ClusterRoleBinding list page.
3. Cluster Role Binding List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
4. Object Creation Popup에서 오브젝트 정보를 입력하고 Confirm 버튼을 클릭하세요.

Check Cluster Role Binding Details

To check the cluster role binding details, follow the next procedure.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click ClusterRoleBinding under the Authority menu. It moves to the ClusterRoleBinding list page.
3. Cluster Role Binding List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
4. On the Cluster Role Binding List page, select the item you want to check the detailed information. It moves to the Cluster Role Binding Detail page.
   • Selecting Show System Objects at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check the service information.

Deleting Cluster Role Binding

To delete a cluster role binding, follow these steps.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click ClusterRoleBinding under the Authority menu. It moves to the ClusterRoleBinding list page.
3. Cluster Role Binding List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
4. Cluster Role Binding List page, select the item you want to delete. It moves to the Cluster Role Binding Details page.
5. Cluster Role Binding Detail page, click Delete Cluster Role Binding.
6. When the Notification Confirmation Window appears, click the Confirm button.

Managing Roles

A role is a set of rules that explicitly define permissions for a specific API or resource, and it can create and manage permissions that can only be accessed within the namespace to which the role belongs.

Create Role

To create a role, follow these steps.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click 롤 under the 권한 menu. It moves to the 롤 목록 page.
3. Roll list page, select cluster and namespace from the gear button at the top left, then click Create Object.
4. Object Creation Popup에서 오브젝트 정보를 입력하고 Confirm 버튼을 클릭하세요.

Check Roll Details

To check the roll details, follow the next procedure.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click 롤 under the 권한 menu. It moves to the 롤 목록 page.
3. On the Roll List page, select the cluster and namespace from the Gear button at the top left, then click OK.
4. Role List page, select the item you want to check the detailed information. Move to the Role Detail page.
   • Selecting System Object View at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check the service information.

Delete Role

To delete a role, follow these steps.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click 롤 under the 권한 menu. It moves to the 롤 목록 page.
3. On the Roll List page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Select the item you want to delete from the Role List page. It moves to the Role Detail page.
5. Role Details page, click Delete Role.
6. When the Notification Confirmation Window appears, click the Confirm button.

Managing Roll Binding

You can create and manage role bindings by linking roles to specific targets.

Creating Roll Binding

To create a role binding, follow these steps.

1. Click All services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click 롤바인딩 under the 권한 menu. It moves to the 롤바인딩 목록 page.
3. Role Binding List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
4. Object Creation Popup에서 오브젝트 정보를 입력하고 확인 버튼을 클릭하세요.

Check Roll Binding Details

To check the details of the roll binding, follow the next procedure.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click 롤바인딩 under the 권한 menu. It moves to the 롤바인딩 목록 page.
3. On the 롤바인딩 목록 page, select the cluster and namespace from the 톱니바퀴 button at the top left, then click 확인.
4. On the Roll Binding List page, select the item you want to check the detailed information. It moves to the Roll Binding Details page.
   • Selecting Show System Objects at the top of the list displays all items except Kubernetes object entries.
5. Click each tab to check the service information.

Deleting Roll Binding

To delete a role binding, follow these steps.

1. Click all services > Container > Kubernetes Engine menu. It moves to the Service Home page of Kubernetes Engine.
2. On the Service Home page, click 롤바인딩 under the 권한 menu. It moves to the 롤바인딩 목록 page.
3. Rollbinding List page, select the cluster and namespace from the gear button at the top left, then click OK.
4. Select the item to delete from the Roll Binding List page. It moves to the Roll Binding Details page.
5. On the Roll Binding Details page, click Delete Roll Binding.
6. When the Notification Confirmation Window appears, click the OK button.

1.2.7 -

1.3 - Using Kubernetes Engine

Configure external network communication to expose HTTP and HTTPS services from the cluster to the outside. To configure external network communication, you can create a service of type LoadBalancer.

Using Kubernetes Engine Guide

The Using Kubernetes Engine guide describes the following features. For more information, refer to the corresponding guide.

1.3.1 - Authentication and Authorization

Kubernetes Engine has Kubernetes’ authentication and RBAC authorization features applied. This explains the authentication and authorization features of Kubernetes and how to link them with Kubernetes Engine and IAM.

Kubernetes Authentication and Authorization

This explains the authentication and RBAC authorization features of Kubernetes.

Authentication

The Kubernetes API server acquires the necessary information for user or account authentication from certificates or authentication tokens and proceeds with the authentication process.

Authorization

The Kubernetes API server checks if the user has permission for the requested action using the user information obtained through the authentication process and the RBAC-related objects. There are four types of RBAC-related objects as follows:

Role

Kubernetes has several predefined ClusterRoles. Some of these ClusterRoles do not have the prefix system:, which means they are intended for user use. These include the cluster-admin role that can be applied to the entire cluster using ClusterRoleBinding, and the admin, edit, and view roles that can be applied to a specific namespace using RoleBinding.

In addition to the predefined ClusterRoles, you can define separate roles (or ClusterRoles) as needed. For example:

# Role that grants permission to view pods in the "default" namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

# Role that grants permission to view pods in the "default" namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

# ClusterRole that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-viewer
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

# ClusterRole that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-viewer
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

Role Binding

To manage access to the Kubernetes Engine using Samsung Cloud Platform IAM, you need to understand the relationship between Kubernetes’ role binding and IAM. The target (subjects) of role binding (or cluster role binding) can include individual users (User) or groups (Group).

• User matches the Samsung Cloud Platform username, and Group matches the IAM user group name.

For role binding/cluster role binding, subjects.kind can be one of the following:

• User: Binds to a Samsung Cloud Platform individual user.
• Group: Binds to a Samsung Cloud Platform IAM user group.

The subjects.name of role binding/cluster role binding can be specified as follows:

• User case: Samsung Cloud Platform individual username (e.g. jane.doe)
• Group case: Samsung Cloud Platform IAM user group name (e.g. ReadPodsGroup)

In this way, an IAM user group is bound to a role binding (or cluster role binding) written in the Kubernetes Engine cluster. Additionally, the permission to perform API operations included in the role (or cluster role) bound to the group is granted.

Example) Role Binding read-pods #1

An example of writing a User (Samsung Cloud Platform individual user) to a role binding is as follows:

# This role binding allows the user "jane.doe@example.com" to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
roleRef:
  # "roleRef" specifies the binding to a role or cluster role.
  kind: Role       # Must be Role or ClusterRole.
  name: pod-reader # Must match the name of the role or cluster role to bind.
  apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: User
  name: jane.doe
  apiGroup: rbac.authorization.k8s.io

# This role binding allows the user "jane.doe@example.com" to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
roleRef:
  # "roleRef" specifies the binding to a role or cluster role.
  kind: Role       # Must be Role or ClusterRole.
  name: pod-reader # Must match the name of the role or cluster role to bind.
  apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: User
  name: jane.doe
  apiGroup: rbac.authorization.k8s.io

If a role binding like the above is created in a cluster, a user with the username jane.doe is granted the permission to perform the API actions defined in the pod-reader role.

Example) Role Binding read-pods #2

An example of writing a group (IAM user group) to a role binding is as follows:

# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: Group
  name: ReadPodsGroup
  apiGroup: rbac.authorization.k8s.io

# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: Group
  name: ReadPodsGroup
  apiGroup: rbac.authorization.k8s.io

If a role binding like the above is created in the cluster, users in the IAM user group ReadPodsGroup are granted the permission to perform API operations written in the pod-reader role.

Example) Cluster Role Binding read-nodes

# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ReadNodesGroup
  apiGroup: rbac.authorization.k8s.io

# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ReadNodesGroup
  apiGroup: rbac.authorization.k8s.io

When a cluster role binding like the one above is created in the cluster, users in the IAM user group ReadNodesGroup are granted the permissions to perform the API actions written in the cluster role node-reader.

Predefined Roles and Role Bindings for Samsung Cloud Platform

The Kubernetes Engine of Samsung Cloud Platform has predefined cluster role bindings scp-cluster-admin, scp-view, scp-namespace-view, and cluster roles scp-namespace-view. The following table shows the binding relationship between predefined roles and role bindings, and Samsung Cloud Platform users. Here, cluster roles cluster-admin and view are predefined within the Kubernetes cluster. For more detailed explanations, refer to the Roles section.

• According to the cluster role binding scp-cluster-admin, users in the IAM user groups AdministratorGroup or OperatorGroup, as well as the Kubernetes Engine product applicant, are granted cluster administrator permissions.
• According to the cluster role binding scp-view, users in the ViewerGroup are granted cluster viewer permissions. More precisely, since it is linked to the predefined cluster role view in Kubernetes, access permissions for cluster-scoped resources (e.g., namespaces, nodes, ingress classes, etc.) and secrets within namespaces are not included. For more detailed explanations, refer to the Roles section.
• According to the cluster role binding scp-namespace-view, all authenticated users in the cluster are granted namespace viewer permissions.

The details of predefined roles and role bindings for Samsung Cloud Platform are as follows:

Cluster Role Binding scp-cluster-admin

The cluster role binding scp-cluster-admin is bound to the cluster role cluster-admin and bound to the IAM user groups AdministratorGroup, OperatorGroup, and the SCP user (Kubernetes Engine cluster creator) according to the subjects.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
  name: scp-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: AdministratorGroup
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: OperatorGroup
  apiGroup: rbac.authorization.k8s.io
- kind: User                 # Cluster creator
  name: jane.doe # cluster creater name
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
  name: scp-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: AdministratorGroup
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: OperatorGroup
  apiGroup: rbac.authorization.k8s.io
- kind: User                 # Cluster creator
  name: jane.doe # cluster creater name
  apiGroup: rbac.authorization.k8s.io

Cluster Role Binding scp-view

The cluster role binding scp-view is bound to the cluster role view and bound to the IAM user group ViewerGroup according to the subjects.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-view
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ViewerGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-view
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ViewerGroup
  apiGroup: rbac.authorization.k8s.io

Cluster Role and Cluster Role Binding scp-namespace-view

Cluster Role scp-namespace-view is a role that defines the authority to view namespaces. Cluster Role Binding scp-namespace-view is associated with Cluster Role scp-namespace-view and grants namespace view authority to all authenticated users in the cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scp-namespace-view
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-namespace-view
roleRef:
  kind: ClusterRole
  name: scp-namespace-view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scp-namespace-view
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-namespace-view
roleRef:
  kind: ClusterRole
  name: scp-namespace-view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

IAM User Group RBAC Use Case

This chapter explains examples of granting authority by major user scenarios. The names of IAM user groups, ClusterRoleBindings/RoleBindings, and ClusterRoles presented here are examples for understanding. Administrators should define and apply appropriate names and authorities according to their needs.

Cluster Administrator

To create a cluster administrator, follow these steps:

1. Create an IAM user group named ClusterAdminGroup.
2. Create a ClusterRoleBinding with the following content in the target cluster:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-group
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterAdminGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-group
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterAdminGroup
  apiGroup: rbac.authorization.k8s.io

• It is associated with the default ClusterRole cluster-admin, granting administrator authority for the cluster.

Cluster Editor

To create a cluster editor, follow these steps:

1. Create an IAM user group named ClusterEditGroup.
2. Create a ClusterRoleBinding with the following content in the target cluster:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-edit-group
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterEditGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-edit-group
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterEditGroup
  apiGroup: rbac.authorization.k8s.io

• The default cluster role edit is associated with it, and editor permissions are granted for the cluster.

Cluster Viewer

To create a cluster viewer, follow these steps:

1. Create an IAM user group named ClusterViewGroup.
2. Create a cluster role binding with the following content in the target cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-view-group
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterViewGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-view-group
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterViewGroup
  apiGroup: rbac.authorization.k8s.io

• The default cluster role view is associated with it, and viewer permissions are granted for the cluster.

Namespace Administrator

To create a namespace administrator, follow these steps:

1. Create an IAM user group named NamespaceAdminGroup.
2. Create a role binding with the following content in the target cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceAdminGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceAdminGroup
  apiGroup: rbac.authorization.k8s.io

• The default cluster role admin is associated with it, and administrator permissions are granted for the namespace.

Namespace Editor

To create a namespace editor, follow these steps:

1. Create an IAM user group named NamespaceEditGroup.
2. Create a role binding with the following content in the target cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-edit-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceEditGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-edit-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceEditGroup
  apiGroup: rbac.authorization.k8s.io

• The default cluster role edit is associated with it, and editor permissions are granted for the namespace.

Namespace Viewer

To create a namespace viewer, follow these steps:

1. Create an IAM user group named NamespaceViewGroup.
2. Create a role binding with the following content in the target cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

• The default cluster role view is associated with it, and viewer permissions are granted for the namespace. To create a namespace viewer, follow these steps:

1. Create an IAM user group: Create an IAM user group named NamespaceViewGroup.
2. Create a role binding: Create a role binding with the following content in the target cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

• The view cluster role is associated with the viewer permission for the specified namespace.

Practice Example

This chapter describes an example and procedure for applying an administrator to a specific namespace.

• IAM user group: NamespaceAdminGroup
• IAM policy: NamespaceAdminAccess
• Role binding: namespace-admin-group

Create an IAM User Group

To create an IAM user group in Samsung Cloud Platform, follow these steps:

1. Click All Services > Management > IAM. The Identity and Access Management (IAM) Service Home page appears.

2. On the Service Home page, click User Group. The User Group List page appears.

3. On the User Group List page, click Create User Group.

   • Enter the required information in the Basic Information, Add User, Attach Policy, and Additional Information sections.

     Category	Required	Description
     User Group Name	Required	Enter the user group name Use Korean, English, numbers, and special characters (+=,.@-_) to enter a value between 3 and 24 characters Enter NamespaceAdminGroup as the user group name
     Description	Optional	Description of the user group name Enter a detailed description of the user group name, up to 1,000 characters
     User	Optional	Users to add to the user group The list of users registered in the account is displayed, and the selected user’s name is displayed at the top of the screen when the checkbox is selected Click the Delete button at the top of the screen or uncheck the checkbox in the user list to cancel the selection of the selected user If there are no users to add, click Create User at the bottom of the user list to register a new user, and then refresh the user list to select the user
     Policy	Optional	Policy to attach to the user group The list of policies registered in the account is displayed, and the selected policy name is displayed at the top of the screen when the checkbox is selected Select ViewerAccess in the policy list
     Tag	Optional	Tags to add to the user group Up to 50 tags can be added per resource

     Table. User Group Creation Information Input Items

4. Click the Complete button. The User Group List page appears.