1 - Kubernetes Engine

1.1 - Overview

Service Overview

Kubernetes Engine is a service that provides lightweight virtual computing, containers, and a Kubernetes cluster to manage them. Users can use a Kubernetes environment without the complex preparation of installing, operating, and maintaining the Kubernetes Control Plane themselves.

Features

  • Standard Kubernetes Environment Setup: You can use a standard Kubernetes environment without additional configuration through the built-in Kubernetes Control Plane. It is compatible with applications in other standard Kubernetes environments, allowing you to use standard Kubernetes applications without modifying code.

  • Easy Kubernetes Deployment: Provides secure communication between the worker nodes and the managed control plane, and quickly provisions worker nodes so users can focus on building applications on the provided container environment.

  • Convenient Kubernetes Management: For enterprise environments, we provide various management features to conveniently use the created Kubernetes clusters, including cluster information lookup and management via a dashboard, namespace management, and workload management functions.

Service Diagram

Figure. K8s Engine diagram

Provided features

Kubernetes Engine provides the following features.

  • Cluster Management: You can create and manage clusters to use the Kubernetes Engine service. After creating a cluster, you can add services needed for operation such as nodes, namespaces, and workloads.
  • Node Management: A node is a set of machines that run containerized applications. Every cluster must have at least one worker node to deploy applications. Nodes can be used by defining node pools. Nodes belonging to a node pool must have the same server type, size, and OS image, and creating multiple node pools enables flexible deployment strategies.
  • Namespace Management: A namespace is a logical partition within a Kubernetes cluster and is used to specify access permissions or resource usage limits per namespace.
  • Workload Management: A workload is an application running on Kubernetes Engine. After creating a namespace, you can add or delete workloads. Workloads are created and managed per item such as Deployment, Pod, StatefulSet, DaemonSet, Job, and CronJob.
  • Service and Ingress Management: A service is an abstraction that exposes applications running in a set of pods as a network service, and an ingress is used to expose HTTP and HTTPS paths from outside the cluster to inside the cluster. After creating a namespace, you can create or delete services, endpoints, ingresses, and ingress classes.
  • Storage Management: You can create and manage the storage to be used when using Kubernetes Engine. Storage is created and managed per PVC, PV, and StorageClass items.
  • Configuration Management: When you need to manage values that change inside containers across multiple environments such as Dev/Prod, creating separate images to handle them via environment variables is inconvenient and wasteful. In Kubernetes, you can manage environment variables or configuration settings as variables that can be changed externally and injected when a Pod is created; at that point you can use ConfigMaps and Secrets.
  • Permission Management: When multiple users access a Kubernetes cluster, you can assign permissions per specific API or namespace to define the access scope. By applying Kubernetes’ role-based access control (RBAC) feature, you can set permissions for clusters or namespaces. You can create and manage ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings.

Component

control plane

The Control Plane is the component that serves as the master node in the Kubernetes Engine service. The master node is the cluster’s management node, responsible for managing the other nodes in the cluster. A cluster is the basic creation unit of the Kubernetes Engine service and is used for managing the node pools, objects, controllers, etc., that belong to it. Users configure the cluster name, control plane, network, and File Storage, and then create node pools within the cluster for use. The master node assigns work to the cluster, monitors node status, and handles data communication between nodes.

The cluster name creation rules are as follows.

  • It must start with a letter and can be set using letters, numbers, and special characters (-) within 3 to 30 characters.
  • It must not duplicate an already existing cluster name.

worker node

The worker node is a compute node in the cluster that performs tasks. It receives task assignments from the cluster’s master node, executes them, and reports the results back to the master node. All nodes created within a node pool and namespace serve as worker nodes.

The rules for creating a node pool, which is a collection of worker nodes, are as follows.

  • A node pool must contain at least one node for the application deployment to be possible.
  • A maximum of 100 nodes can be created within a node pool.
  • Since the maximum number of nodes is 100, you can freely create up to 100 nodes—for example, with 100 node pools you get 1 node per pool, and with 50 node pools you get 2 nodes per pool.
  • It is possible to configure block storage attached to a node pool.
  • You can configure the server type, size, and OS image for nodes in a node pool, and they must all be identical.
  • Through the Auto-Scaling service, you can configure automatic scaling and shrinking of node pools according to the requirements of the deployed application.

Preliminary Service

This is a list of services that must be pre-configured before creating the service. Please refer to the guide provided for each service for details and prepare in advance.

Service Category | Service | Detailed description
Networking | VPC | A service that provides an isolated virtual network in a cloud environment
Networking | Security Group | Virtual firewall that controls server traffic
Storage | File Storage | A storage that allows multiple clients to share files over the network; used as a Persistent Volume
Table. Kubernetes Engine Prerequisite Services

1.1.1 - Monitoring Metrics

Cloud Monitoring service termination notice

According to Samsung Cloud Platform’s policy, the Cloud Monitoring service is scheduled to be discontinued in September 2026.
Accordingly, after the September 2026 release, resource monitoring of the Samsung Cloud Platform via Cloud Monitoring will no longer be possible.

With the new alternative service, you can continuously perform resource monitoring by using ServiceWatch, released in October 2025.
ServiceWatch provides more modern and powerful features, replacing Cloud Monitoring to deliver a seamless monitoring environment.

Detailed information about ServiceWatch is available in the ServiceWatch Overview.

Kubernetes Engine monitoring metrics

The table below shows the monitoring metrics of Kubernetes Engine that can be viewed through Cloud Monitoring. For detailed usage of Cloud Monitoring, refer to the Cloud Monitoring guide.

Performance item | Detailed description | Unit
Cluster Namespaces [Active] | Number of namespaces in active state | cnt
Cluster Namespaces [Total] | Total number of namespaces in the cluster | cnt
Cluster Nodes [Ready] | Number of nodes in READY state | cnt
Cluster Nodes [Total] | Total number of nodes in the cluster | cnt
Cluster Pods [Failed] | Number of failed-state pods in the cluster | cnt
Cluster Pods [Pending] | Number of pending pods in the cluster | cnt
Cluster Pods [Running] | Number of pods in running state within the cluster | cnt
Cluster Pods [Succeeded] | Number of succeeded pods in the cluster | cnt
Cluster Pods [Unknown] | Number of pods in unknown state within the cluster | cnt
Instance Status | cluster status | status
Namespace Pods [Failed] | Number of failed-state pods in a namespace | cnt
Namespace Pods [Pending] | Number of pending pods in a namespace | cnt
Namespace Pods [Running] | Number of running pods in a namespace | cnt
Namespace Pods [Succeeded] | Number of succeeded-state pods in a namespace | cnt
Namespace Pods [Unknown] | Number of pods in unknown state within a namespace | cnt
Namespace GPU Clock Frequency | SM clock frequency in the Namespace | MHz
Namespace GPU Memory Usage | Memory utilization in the Namespace | %
Namespace GPU Usage | GPU utilization in the Namespace | %
Node CPU Size [Allocatable] | Node CPU allocatable | cnt
Node CPU Size [Capacity] | CPU capacity in the node | cnt
Node CPU Usage | CPU usage per node | %
Node CPU Usage [Request] | CPU request_ratio within node | %
Node CPU Used | CPU utilization within the node | status
Node Filesystem Usage | Node FS utilization | %
Node Memory Size [Allocatable] | memory allocatable within the node | bytes
Node Memory Size [Capacity] | Node memory utilization | bytes
Node Memory Usage | Node memory utilization | %
Node Memory Usage [Request] | memory request_ratio within node | %
Node Memory Workingset | memory working set within the node | bytes
Node Network In Bytes | Node network rx bytes | bytes
Node Network Out Bytes | Node network tx bytes | bytes
Node Network Total Bytes | Node network total bytes | bytes
Node Pods [Failed] | Number of pods in failed state within the node | cnt
Node Pods [Pending] | Number of pending pods in the node | cnt
Node Pods [Running] | Number of running pods per node | cnt
Node Pods [Succeeded] | Number of succeeded pods in the node | cnt
Node Pods [Unknown] | Number of unknown-state pods in the node | cnt
Pod CPU Usage [Limit] | CPU usage_limit_ratio in the pod | %
Pod CPU Usage [Request] | CPU request_ratio in the pod | %
Pod CPU Usage | CPU usage within the pod | %
Pod GPU Clock Frequency | SM clock frequency in the Pod | MHz
Pod GPU Memory Usage | Memory utilization within the Pod | %
Pod GPU Usage | GPU utilization within the Pod | %
Pod Memory Usage [Limit] | memory usage_limit_ratio in pod | %
Pod Memory Usage [Request] | memory request_ratio in pod | %
Pod Memory Usage | Memory usage within pod | bytes
Pod Network In Bytes | network rx bytes in pod | bytes
Pod Network Out Bytes | network tx bytes in pod | bytes
Pod Network Total Bytes | Network total bytes in pod | bytes
Pod Restart Containers | container restart count in pod | cnt
Workload Pods [Running] | - | cnt
Table. Kubernetes Engine monitoring metrics

1.1.2 - ServiceWatch Metrics

Kubernetes Engine sends metrics to ServiceWatch. The metrics provided by default monitoring are data collected at a 1‑minute interval.

Reference
To view metrics in ServiceWatch, refer to the ServiceWatch guide.

Basic Metrics

The following are the basic metrics for the Kubernetes Engine namespace.

The metrics whose names are displayed in bold below are the metrics selected as key metrics among the default metrics provided by Kubernetes Engine. Key metrics are used to configure service dashboards that are automatically generated for each service in ServiceWatch.

For each metric, the user guide indicates which statistical values are meaningful when viewing that metric, and among the meaningful statistics, the values displayed in bold are the primary statistics. In the service dashboard, you can view key metrics using these primary statistical values.

Indicator name | Detailed description | Unit | Meaningful statistics
cluster_up | Cluster up | Count | Total, Average, Maximum, Minimum
cluster_node_count | Cluster node count | Count | Total, Average, Maximum, Minimum
cluster_failed_node_count | Number of failed nodes in the cluster | Count | Total, Average, Maximum, Minimum
cluster_namespace_phase_count | Number of cluster namespace phases | Count | Total, Average, Maximum, Minimum
cluster_pod_phase_count | Number of cluster pod phases | Count | Total, Average, Maximum, Minimum
node_cpu_allocatable | Node CPU allocatable amount | - | Total, Average, Maximum, Minimum
node_cpu_capacity | Node CPU capacity | - | Total, Average, Maximum, Minimum
node_cpu_usage | Node CPU usage | - | Total, Average, Maximum, Minimum
node_cpu_utilization | Node CPU utilization | - | Total, Average, Maximum, Minimum
node_memory_allocatable | Node memory allocatable amount | Bytes | Total, Average, Maximum, Minimum
node_memory_capacity | Node memory capacity | Bytes | Total, Average, Maximum, Minimum
node_memory_usage | Node memory usage | Bytes | Total, Average, Maximum, Minimum
node_memory_utilization | Node memory usage rate | - | Total, Average, Maximum, Minimum
node_network_rx_bytes | Node network received bytes | Bytes/Second | Total, Average, Maximum, Minimum
node_network_tx_bytes | Node network transmitted bytes | Bytes/Second | Total, Average, Maximum, Minimum
node_network_total_bytes | Total bytes of the node network | Bytes/Second | Total, Average, Maximum, Minimum
node_number_of_running_pods | Number of pods running on a node | Count | Total, Average, Maximum, Minimum
namespace_number_of_running_pods | Number of running pods in a namespace | Count | Total, Average, Maximum, Minimum
namespace_deployment_pod_count | Namespace deployment pod count | Count | Total, Average, Maximum, Minimum
namespace_statefulset_pod_count | Namespace StatefulSet pod count | Count | Total, Average, Maximum, Minimum
namespace_daemonset_pod_count | Namespace DaemonSet Pod Count | Count | Total, Average, Maximum, Minimum
namespace_job_active_count | Active namespace job count | Count | Total, Average, Maximum, Minimum
namespace_cronjob_active_count | Number of active namespace cron jobs | Count | Total, Average, Maximum, Minimum
pod_cpu_usage | Pod CPU usage | - | Total, Average, Maximum, Minimum
pod_memory_usage | Pod memory usage | Bytes | Total, Average, Maximum, Minimum
pod_network_rx_bytes | Pod network received bytes | Bytes/Second | Total, Average, Maximum, Minimum
pod_network_tx_bytes | Pod network transmit bytes | Bytes/Second | Total, Average, Maximum, Minimum
pod_network_total_bytes | Pod network total bytes | Count | Total, Average, Maximum, Minimum
container_cpu_usage | Container CPU usage | - | Total, Average, Maximum, Minimum
container_cpu_limit | Container CPU limit | - | Total, Average, Maximum, Minimum
container_cpu_utilization | Container CPU usage | - | Total, Average, Maximum, Minimum
container_memory_usage | Container memory usage | Bytes | Total, Average, Maximum, Minimum
container_memory_limit | Container memory limit | Bytes | Total, Average, Maximum, Minimum
container_memory_utilization | Container memory usage | - | Total, Average, Maximum, Minimum
node_gpu_count | Number of node GPUs | Count | Total, Average, Maximum, Minimum
gpu_temp | GPU temperature | - | Total, Average, Maximum, Minimum
gpu_power_usage | GPU power consumption | - | Total, Average, Maximum, Minimum
gpu_util | GPU utilization | Percent | Total, Average, Maximum, Minimum
gpu_sm_clock | GPU SM clock | - | Total, Average, Maximum, Minimum
gpu_fb_used | GPU FB usage | Megabytes | Total, Average, Maximum, Minimum
gpu_tensor_active | GPU Tensor Utilization | - | Total, Average, Maximum, Minimum
pod_gpu_util | Pod GPU utilization | Percent | Total, Average, Maximum, Minimum
pod_gpu_tensor_active | Pod GPU Tensor Utilization | - | Total, Average, Maximum, Minimum
Table. Kubernetes Engine Basic Metrics

1.2 - How-to guides

Users can create a service by entering the required information for the Kubernetes Engine and selecting detailed options through the Samsung Cloud Platform Console.

Create Kubernetes Engine

You can create and use the Kubernetes Engine service in the Samsung Cloud Platform Console.

You can create and manage clusters to use the Kubernetes Engine service. After creating the cluster, you can add services needed for operation such as nodes, namespaces, and workloads.

Caution
  • In the network settings of Kubernetes Engine, you can select up to 4 Security Groups.

    • If you manually add a Security Group to a node created by Kubernetes Engine on the Virtual Server service page, it may be automatically removed because it is not managed by Kubernetes Engine.
    • For nodes, be sure to add and manage the Security Group in the network settings of the Kubernetes Engine service.
  • Managed Security Group is automatically managed in Kubernetes Engine.

    • Do not use it for any user-defined purpose because if you delete a Managed Security Group or add/delete rules, it will automatically be restored.

Create a cluster

You can create and use a Kubernetes Engine cluster service in the Samsung Cloud Platform Console.

To create a Kubernetes Engine cluster, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Create Cluster button. Navigate to the Create Cluster page.
  3. On the Create Cluster page, enter the information needed to create the service, and select detailed options.
    • In the Service Information Input area, enter or select the required information.
      Category | Required | Detailed description
      Cluster name | Required | Cluster name
      • Must start with an English letter and use English letters, numbers, and the special character (-), within 3 to 30 characters
      Control plane settings > Kubernetes version | Required | Select the Kubernetes version
      Control plane settings > Private endpoint allowed resources | Optional | After selecting Enable, click Add to select the resources allowed to access the private endpoint
      • Only resources in the same account and the same region can be registered
      • Regardless of whether this option is enabled, the nodes of the cluster can access the private endpoint
      Control plane settings > Public endpoint | Optional | After selecting Use, enter the IP range allowed to access the public endpoint, in a form such as 192.168.99.0/24
      • Set the access control IP range to allow external access to the Kubernetes API server endpoint
      • If external access is not required, you can disable it to reduce security threats
      ServiceWatch log collection | Optional | Set whether to enable log collection so that cluster logs can be viewed in ServiceWatch
      • Selecting Enable provides 5 GB of free log storage across all services within the Account, and charges apply based on storage volume when exceeding 5 GB
      • If you need to view cluster logs, it is recommended to enable the ServiceWatch log collection feature
      Cloud Monitoring log collection | Optional | Set whether to enable log collection so that logs for the cluster can be viewed in Cloud Monitoring
      • If you select Use, 1 GB of log storage is provided for free across all services in the Account, and any data exceeding 1 GB will be deleted sequentially
      Network settings | Required | Network connection settings for the node pool
      • VPC name: Select a pre-created VPC
      • Subnet name: Select a standard Subnet to use from the subnets of the selected VPC
      • Security Group: Click the Select button and then choose a Security Group in the Select Security Group popup
        • Up to 4 Security Groups can be selected
      StorageClass setting | Required | Select the storage volume to use in the cluster
      • NFS Volume: After clicking the Search button, select the file storage in the File Storage Selection popup. The default file storage supports only the NFS format
      Table. Kubernetes Engine service information input items
    • In the Additional Information Input area, enter or select the required information.
      Category | Required | Detailed description
      Tag | Optional | Add Tag
      • Up to 50 per resource can be added
      • After clicking the Add Tag button, input or select Key, Value values
      Table. Kubernetes Engine additional information input fields
  4. In the Summary panel, check the detailed information and estimated charges, and click the Create button.
    • Once creation is complete, verify the created resources on the Cluster List page.

View cluster details

The Kubernetes Engine service allows you to view and edit the full list of resources and detailed information. The Cluster Details page consists of the Details, Node Pools, Tags, and Job History tabs.

To view detailed cluster information, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Navigate to the Service Home page of Kubernetes Engine.
  2. Click the Cluster menu on the Service Home page. Navigate to the Cluster List page.
  3. On the Cluster List page, click the resource (cluster) whose detailed information you want to view. Navigate to the Cluster Details page.
    • The Cluster Details page displays the cluster’s status information and detailed information, and it consists of the Details, Node Pools, Tags, and Job History tabs.
      Category | Detailed description
      Cluster status | Kubernetes Engine cluster status
      • Creating: creation in progress
      • Running: creation complete / operational
      • Updating: version upgrade in progress
      • Deleting: deletion in progress
      • Error: error occurred
      Service cancellation | Button to delete a Kubernetes Engine cluster
      • To delete a Kubernetes Engine service, you must delete all node pools added to the cluster
      • If the service is deleted, the running service may be terminated immediately, so delete it only after considering the impact of service interruption
      Table. Cluster status information and additional features

Detailed Information

On the Cluster List page, you can view detailed information of the selected resource and edit the information if needed.

Category | Detailed description
Service | Service name
Resource type | Resource type
SRN | Unique resource ID in Samsung Cloud Platform
Resource name | Resource name
  • In the Kubernetes Engine service, it refers to the cluster name
Resource ID | Unique resource ID in the service
Creator | User who created the service
Creation date and time | Service creation date and time
Modifier | User who edited the service information
Modification timestamp | Date and time the service information was modified
Cluster name | Cluster name
LLM Endpoint | LLM Endpoint information
Control area configuration | Check the assigned Kubernetes control plane version and allowed access scope
  • If a Kubernetes version of the control plane that can be upgraded is available, click the Edit icon to perform a cluster version upgrade. See Cluster Version Upgrade for details
  • Click the Admin Kubeconfig Download/User Kubeconfig Download button for the private endpoint address to download the kubeconfig settings for each role as a yaml document
  • Click the Edit icon of the private endpoint access resource to modify the allowed resources
  • Click the Admin Kubeconfig Download/User Kubeconfig Download button for the public endpoint address to download the kubeconfig settings for each role as a yaml document
  • Click the Edit icon of the public endpoint to modify its usage status and allowed IP range
  • Click the Edit icon of ServiceWatch log collection to toggle its usage. When log collection is enabled, view the cluster control plane’s Audit/Event logs in ServiceWatch > Log Groups
  • Click the Edit icon of Cloud Monitoring log collection to toggle its usage. When log collection is enabled, view the cluster control plane’s Audit/Event logs in Cloud Monitoring > Log Analysis
Network settings | View the VPC, Subnet, and Security Group information configured when creating a Kubernetes Engine cluster
  • Click each setting to view detailed information on the detail page
  • If you need to change the Security Group, click the Edit icon to configure it
  • Managed Security Groups are automatically created items provided by the system
StorageClass configuration | If you click the NFS volume name, you can view detailed information on the storage details page
Table. Cluster detail information tab items
Reference
  • The version of Kubernetes Engine is expressed as [major].[minor].[patch], and you can upgrade only one minor version at a time.
    • Example: version 1.11.x > 1.13.x (Not allowed) / version 1.11.x > 1.12.x (Allowed)
  • If you are using a Kubernetes version that has reached end of support or a version that is scheduled to reach end of support, a red exclamation mark will appear to the right of the version.
    • If this icon is displayed, we recommend upgrading the Kubernetes version.

Node Pool

You can view, add, modify, or delete cluster node pool information. For detailed information on using node pools, refer to Managing Nodes.

Category | Detailed description
Add node pool | Add a node pool to the current cluster
Node pool list | Check the list of node pools created in the current cluster
  • Click the node pool name to go to the details page and view detailed information
More menu | Provides node pool management functionality
  • Node Information: displays node name, version, and status information
  • Node Pool Upgrade: upgrade node pool version
  • Node Pool Deletion: delete node pool
Table. Node pool tab items
Reference

If a red exclamation‑mark icon appears on the node pool version, the node pool’s server OS is not supported in newer Kubernetes versions. The node pool server OS must be upgraded to ensure stable service.

  • To upgrade the node pool version, delete the existing node pool and then create a new node pool with a higher server OS version.

Tag

On the Cluster List page, you can view the tag information of the selected resource, and you can add, modify, or delete it.

Category | Detailed description
Tag list | Tag list
  • Key and Value information of the tag can be checked
  • Up to 50 tags can be added per resource
  • When entering a tag, search the existing Key and Value list and select
Table. Cluster Tag Tab Items

Job History

You can view the operation history of the selected resource on the Cluster List page.

Category | Detailed description
Task History List | Resource Change History
  • You can view operation details, operation time, resource type, resource name, operation result, and operator information
  • When you click a resource in the Operation History List, the Operation History Details popup opens
Table. Cluster Job History Tab Items

Managing Cluster Resources

To manage cluster resources, we provide cluster version upgrades, kubeconfig downloads, and control‑plane logging modification features.

Caution
To use Kubernetes Engine, you need at least read permissions for VPC, VPC Subnet, Security Group, FileStorage, and Virtual Server.
Even without create/delete permissions, Security Group and Virtual Server are created/deleted by Kubernetes Engine for lifecycle management purposes, and the creator/modifier is recorded as System.

Cluster version upgrade

If there is a version available for upgrade from the cluster’s Kubernetes version, you can perform the upgrade on the Cluster Details page.

Reference
  • Check the following items before upgrading the cluster.
    • Check if the cluster’s status is Running
    • Check that the status of all node pools in the cluster is Running or Deleting.
    • Verify that all node pool versions in the cluster match the cluster version.
    • Check whether automatic scaling (up/down) of all node pools in the cluster and the node auto-recovery feature are disabled.
  • After upgrading the cluster, proceed with the node pool upgrade.
    • The control plane and node pool upgrades of a Kubernetes cluster are performed separately.
  • You can upgrade only one minor version at a time.
    • Example: version 1.12.x > 1.13.x (possible) / version 1.11.x > 1.13.x (not possible)
  • After an upgrade, you cannot perform a downgrade or rollback, so to use a previous version again you must create a new cluster.
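The checklist above can be run as a pre-flight gate before anyone clicks the upgrade button. The following is an added example, not code from the Samsung Cloud Platform documentation; the dictionary layout, the field names (`auto_scaling`, `auto_recovery`) and `SAMPLE_CLUSTER` are constructed for illustration, and treating a patch-only upgrade as allowed and a major-version change as blocked are assumptions.

```python
import re

# Node pool states the checklist accepts while the cluster is upgraded.
ALLOWED_POOL_STATUS = {"Running", "Deleting"}

# Constructed sample inventory (field names are hypothetical).
SAMPLE_CLUSTER = {
    "name": "demo-cluster",
    "status": "Running",
    "version": "1.12.4",
    "node_pools": [
        {"name": "pool-a", "status": "Running", "version": "1.12.4",
         "auto_scaling": False, "auto_recovery": False},
        {"name": "pool-b", "status": "Running", "version": "1.11.9",
         "auto_scaling": True, "auto_recovery": False},
    ],
}


def parse_version(text):
    """Parse '[major].[minor].[patch]' (optional leading 'v') into a tuple."""
    match = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if match is None:
        raise ValueError(f"not a [major].[minor].[patch] version: {text!r}")
    return tuple(int(part) for part in match.groups())


def upgrade_blockers(cluster, target_version):
    """Return every reason the upgrade must not start; empty list means go."""
    blockers = []
    current = parse_version(cluster["version"])
    target = parse_version(target_version)

    # No downgrade or rollback, and only one minor version per upgrade.
    if target <= current:
        blockers.append(
            f"{target_version} is not newer than {cluster['version']}")
    elif target[0] != current[0] or target[1] - current[1] > 1:
        blockers.append(
            f"{target_version} skips a minor version from {cluster['version']}")

    if cluster["status"] != "Running":
        blockers.append(f"cluster status is {cluster['status']}, expected Running")

    for pool in cluster["node_pools"]:
        name = pool["name"]
        if pool["status"] not in ALLOWED_POOL_STATUS:
            blockers.append(f"node pool {name}: status {pool['status']}")
        if parse_version(pool["version"]) != current:
            blockers.append(
                f"node pool {name}: version {pool['version']} "
                f"differs from cluster {cluster['version']}")
        if pool["auto_scaling"]:
            blockers.append(f"node pool {name}: auto-scaling is enabled")
        if pool["auto_recovery"]:
            blockers.append(f"node pool {name}: node auto-recovery is enabled")
    return blockers


if __name__ == "__main__":
    for reason in upgrade_blockers(SAMPLE_CLUSTER, "1.14.0"):
        print("BLOCKED:", reason)
```
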

Caution
  • User systems that are using an end‑of‑life Kubernetes version may become vulnerable, so upgrade the control plane and node pool versions directly from the Samsung Cloud Platform Console.
    • There are no additional costs associated with the upgrade.
  • Please conduct compatibility testing of the upgrade version in advance to ensure stable system operation for users.

Pre-upgrade preparation for cluster version

When upgrading the cluster version, there is no need to delete and recreate API objects. For the migrated API, all existing API objects can be read and updated using the new API version. However, due to the deprecated API in older versions of Kubernetes, you may be unable to read or modify existing objects, or create new objects. Therefore, for system stability, we recommend migrating the client and manifest before upgrading.

Migrate the client and manifest using the following method.

Reference
Since the deprecated APIs differ for each cluster version, the scope of application and system impact may also vary. For detailed information, refer to the Kubernetes Official Documentation > Deprecation Guide.
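One way to find manifests that still use an API the target version no longer serves, as an added example that is not part of the Samsung Cloud Platform documentation. `REMOVED_APIS` is a subset of the Kubernetes Deprecation Guide, `SAMPLE_MANIFESTS` is constructed, and the scanner reads only the top-level `apiVersion` and `kind` of each YAML document (it does not unpack `kind: List` or Helm templates).

```python
import re

# (apiVersion, kind) -> (first release that no longer serves it, replacement).
# Subset of the Kubernetes Deprecation Guide; extend it for your own estate.
REMOVED_APIS = {
    ("extensions/v1beta1", "Ingress"): ((1, 22), "networking.k8s.io/v1"),
    ("networking.k8s.io/v1beta1", "Ingress"): ((1, 22), "networking.k8s.io/v1"),
    ("rbac.authorization.k8s.io/v1beta1", "ClusterRole"): ((1, 22), "rbac.authorization.k8s.io/v1"),
    ("rbac.authorization.k8s.io/v1beta1", "ClusterRoleBinding"): ((1, 22), "rbac.authorization.k8s.io/v1"),
    ("rbac.authorization.k8s.io/v1beta1", "Role"): ((1, 22), "rbac.authorization.k8s.io/v1"),
    ("rbac.authorization.k8s.io/v1beta1", "RoleBinding"): ((1, 22), "rbac.authorization.k8s.io/v1"),
    ("batch/v1beta1", "CronJob"): ((1, 25), "batch/v1"),
    ("policy/v1beta1", "PodDisruptionBudget"): ((1, 25), "policy/v1"),
    ("policy/v1beta1", "PodSecurityPolicy"): ((1, 25), None),  # no successor API
    ("autoscaling/v2beta1", "HorizontalPodAutoscaler"): ((1, 25), "autoscaling/v2"),
    ("autoscaling/v2beta2", "HorizontalPodAutoscaler"): ((1, 26), "autoscaling/v2"),
}

# Constructed multi-document manifest used as sample input.
SAMPLE_MANIFESTS = """\
apiVersion: batch/v1beta1
kind: CronJob
metadata:
  name: nightly-report
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
---
apiVersion: autoscaling/v2beta2
kind: HorizontalPodAutoscaler
metadata:
  name: web
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: web
"""


def _top_level(doc, field):
    """Value of a column-0 'field:' line; indented (nested) keys are ignored."""
    match = re.search(rf"^{field}:[ \t]*(\S+)", doc, flags=re.MULTILINE)
    return match.group(1).strip("\"'") if match else None


def scan_manifests(text, target_version):
    """List documents whose API is removed at, or after, the target version."""
    major, minor = (int(p) for p in target_version.lstrip("v").split(".")[:2])
    docs = [d for d in re.split(r"^---[ \t]*$", text, flags=re.MULTILINE)
            if d.strip()]
    findings = []
    for index, doc in enumerate(docs):
        api, kind = _top_level(doc, "apiVersion"), _top_level(doc, "kind")
        entry = REMOVED_APIS.get((api, kind))
        if entry is None:
            continue
        removed_in, replacement = entry
        findings.append({
            "document": index,
            "kind": kind,
            "api_version": api,
            # "removed": objects cannot be created or updated at the target.
            "state": "removed" if removed_in <= (major, minor) else "pending-removal",
            "removed_in": "%d.%d" % removed_in,
            "replacement": replacement,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_manifests(SAMPLE_MANIFESTS, "1.25"):
        print(finding)
```
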

Upgrading Cluster and Node Pool Versions

To update the cluster and node pool, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu. Navigate to the Cluster List page.
  3. On the Cluster List page, click the resource (cluster) to upgrade the version. Navigate to the Cluster Details page.
  4. On the Cluster Details page, click the Edit icon of the Kubernetes version. The Cluster version upgrade popup window opens.
  5. Select the Kubernetes version to upgrade, and click the Confirm button.
    • It may take a few minutes for the cluster upgrade to complete.
    • During the upgrade, the cluster status is shown as Updating, and when the upgrade is complete, it is shown as Running.
  6. When the upgrade is complete, select the Node Pool tab. Navigate to the Node Pool page.
  7. Click the More button of the node pool item, then click Node Pool Upgrade. The Node Pool Version Upgrade popup window opens.
  8. After reviewing the message in the Node Pool Version Upgrade popup window, click the Confirm button.
    • It may take a few minutes for the node pool upgrade to complete.
    • While the upgrade is in progress, the node pool status is shown as Updating, and when the upgrade is complete, it is shown as Running.

Download kubeconfig

You can download the administrator/user kubeconfig settings for the cluster’s public and private endpoints as a yaml document.

To download the cluster’s kubeconfig configuration, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu. Navigate to the Cluster List page.
  3. On the Cluster List page, click the resource (cluster) to download the kubeconfig. Navigate to the Cluster Details page.
  4. On the Cluster Details page, click the Download admin kubeconfig/Download user kubeconfig button of the desired endpoint.
    • You can download the kubeconfig file in YAML format for each permission.

Modify resources that allow private endpoint access

You can modify the resource settings that allow private endpoint access to the cluster.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu. Navigate to the Cluster List page.
  3. On the Cluster List page, click the resource (cluster) whose private endpoint access control you want to modify. Navigate to the Cluster Details page.
  4. On the Cluster Details page, click the Edit icon for Private Endpoint Access Allowed Resources. The Private Endpoint Access Allowed Resource Modification popup window opens.
  5. In the Private Endpoint Access Allowed Resource Modification popup, set the Private Endpoint Access Allowed Resource’s Usage and add the allowed access resource, then click the Confirm button.

Modify public endpoint

You can change the public endpoint settings of the cluster.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu. Navigate to the Cluster List page.
  3. On the Cluster List page, click the resource (cluster) whose public endpoint access control you want to modify. Navigate to the Cluster Details page.
  4. On the Cluster Details page, click the Edit icon of the Public Endpoint. The Public Endpoint Edit popup window opens.
  5. In the Public Endpoint Edit popup, configure the usage setting and add the allowed IP address range, then click the Confirm button.

Modify control plane log collection settings

You can change the log collection settings of the cluster’s control plane. Detailed logs of the cluster can be viewed in the ServiceWatch service or the Cloud Monitoring service.

Reference

Even if you configure log collection in Cloud Monitoring, you can view the cluster logs.

  • However, since the Cloud Monitoring log collection feature is scheduled for discontinuation, we recommend using ServiceWatch log collection.

To change the cluster’s control plane log collection settings, follow the steps below.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, click the resource (cluster) whose control plane logging you want to modify to go to the Cluster Details page.
  4. On the Cluster Details page, click the Edit icon of ServiceWatch log collection. The ServiceWatch Log Collection popup window opens.
    • The Cloud Monitoring log collection feature can also be configured in the same way.
  5. In the ServiceWatch Log Collection popup, set the Use option, then click the Confirm button.

Reference

When log collection is enabled, you can view the cluster control plane’s Audit/Event logs in each service. Detailed logs can be viewed on the next page.

Modify Security Group

You can modify the cluster’s Security Group.

Caution
  • In the network settings of Kubernetes Engine, you can select up to 4 Security Groups.
    • If you manually add a Security Group to a node created by Kubernetes Engine on the Virtual Server service page, it may be automatically removed because it is not managed by Kubernetes Engine.
    • For nodes, be sure to add and manage the Security Group in the network settings of the Kubernetes Engine service.
  • The Managed Security Group is automatically managed by Kubernetes Engine.
    • Do not use it for any user-defined purpose: if you delete a Managed Security Group or add/delete its rules, it is automatically restored.

To modify the cluster’s Security Group, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, click the resource (cluster) whose Security Group you want to modify to go to the Cluster Details page.
  4. On the Cluster Details page, click the Edit icon of the Security Group. The Security Group Edit popup window opens.
  5. After selecting or deselecting the Security Group to modify, click the Confirm button.

Terminate Cluster

Caution
If you terminate the cluster, all associated node pools are deleted, and all data in every pod within the cluster is permanently deleted.

To terminate the cluster, follow the steps below.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, click the resource (cluster) whose detailed information you want to view to go to the Cluster Details page.
  4. On the Cluster Details page, click Cancel Service.
  5. After reviewing the content in the Service Termination popup window, click the Confirm button.

1.2.1 - Managing Nodes

A node is a set of machines that run containerized applications. A cluster must have at least one node to deploy an application. Nodes can be defined in a node pool for use. Nodes belonging to a node pool must have the same server type, size, and OS image, and flexible deployment strategies can be established by creating multiple node pools.

After creating a Kubernetes Engine cluster, add a node pool and modify or delete it as needed.

Caution
  • It is recommended not to use the OS firewall on Kubernetes Engine nodes that use Calico.
  • When a node is designated as a Backup service target, it cannot be deleted, so the functions below are unavailable.
    • Node pool reduction (including automatic scaling)
    • Node pool upgrade
    • Automatic node pool recovery
    • Delete node pool

Add node pool

A node refers to a machine that runs containerized applications, and at least one node is required to deploy applications in a Kubernetes cluster. After the Kubernetes Engine cluster has been created, add a node pool from the details page.

  • In Kubernetes Engine, you can define and use a node pool, which is a set of nodes.
    • Since the nodes in a node pool use the same server type, size, and OS image, users can devise flexible deployment strategies by using multiple node pools.

Reference

In the Virtual Server menu, you can create a node pool using the user’s Custom Image. To create a node pool using a Custom Image, follow these steps.

  1. Create a Virtual Server that includes a Samsung Cloud Platform Kubernetes Engine image.
  2. Use the Virtual Server’s Create Image feature to proceed with image creation.
  3. Select the registered Custom Image and create a node pool.

To add a node pool, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, select the cluster to which you want to add a node pool to go to the Cluster Details page.
  4. On the Cluster Details page, select the Node Pool tab, then click the Add Node Pool button to go to the Add Cluster Node Pool page.
  5. On the Add Cluster Node Pool page, enter the information required to create a node pool and select detailed options.
    • In the Service Information Input area, enter or select the required information.
      Category (Required status): Detailed description
      • Node pool name (Required): Node pool name
        • Must start with a lowercase English letter and use lowercase English letters, numbers, and the special character (-), within 3 - 20 characters
        • Cannot end with the special character (-)
      • Node Pool > Server Type (Required): Virtual Server server type for the node
        • Standard: Standard specifications commonly used
        • High Capacity: Large-scale server specifications beyond Standard
        • GPU: GPU specifications available when securing resources for special requirements such as AI/ML
      • Node Pool > Server OS (Required): Virtual Server OS image for the node
        • Standard: RHEL 8.10, Ubuntu 22.04
        • Custom: Custom image for Kubernetes created from the Virtual Server product (RHEL, Ubuntu)
      • Node Pool > Block Storage (Required): Block storage settings used by the node’s Virtual Server
        • SSD: High-performance general volume
        • HDD: General volume
        • SSD/HDD_KMS: Additional encrypted volume that uses encryption keys from Samsung Cloud Platform KMS (Key Management System)
          • Encryption can be applied only at initial creation and cannot be changed after the service is created
          • Performance degradation occurs when using the SSD_KMS disk type
        • SSD_Provisioned: Enter detailed settings for the selected storage type
          • Enter a value between 5,000 and 20,000 for the Max IOPS field, and between 250 and 1,000 for the Max Throughput field
          • For a Custom Image with SSD_Provisioned, the predetermined values are auto-filled and the fields are disabled
        • Capacity is entered in Units, with a value between 13 and 125
          • Since 1 Unit equals 8 GB, this creates 104 ~ 1,000 GB
      • Node Pool > Server Group (Optional): Apply a Server Group pre-created in the Virtual Server service to the node
        • Click Use to set the Server Group usage
        • When usage is enabled, select a Server Group
          • Supports Affinity or Anti-Affinity policies
          • Partition policy is not supported
        • Cannot be modified after the node pool is created
        • Cannot be selected for the GPU server type
      • Node pool auto scaling (Required): Automatically adjust the number of nodes in a node pool
      • Number of nodes (Required): Number of nodes to create within a node pool
        • Enter a value in the range 1 - 100
      • Automatic node recovery (Required): When an abnormal node is detected in the node pool, automatically delete it and create a new one
      • Keypair (Required): User authentication method used to connect to a node’s Virtual Server
        • New: Create one if a new Keypair is required
        • Default login account list by OS
          • Alma Linux: almalinux
          • RHEL: cloud-user
          • Rocky Linux: rocky
          • Ubuntu: ubuntu
          • Windows: sysadmin
      • Label (Optional): Optionally schedule the workload on a node
        • Click the Add button to enter the label key and value
      • Taint (Optional): Prevent workloads from being scheduled onto nodes
        • Click the Add button to enter the taint effect, key, and value
      • Advanced Settings (Optional): Settings for detailed areas such as pods and logs for the node
        • Click Use to choose whether to apply the advanced settings for the node pool you will create
      • Connection resource (Optional): Configure File Storage and Object Storage resources for nodes at the node pool level
        • Click the Add button to select the File Storage and Object Storage resources to attach to the node pool you will create
      Table. Input fields for Kubernetes Engine node pool service information
  6. In the Summary panel, verify the generated detailed information and estimated charges, then click the Create button.
    • When creation is complete, check the created resources on the Cluster Details > Node Pool tab > Node Pool list page.
  7. When the notification popup opens, click the Confirm button.

Update Node Pool

If needed, modify the number of nodes in the node pool on the Kubernetes Engine details page.

Reference
If you change the node count, nodes will be automatically added or removed, and the container operation will be terminated. At this time, because the container moves to another node, the running service may be disrupted.

To modify the number of nodes, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, select the cluster whose node count you want to modify to go to the Cluster Details page.
  4. On the Cluster Details page, select the Node Pool tab, then click the Node Pool Name you want to edit to go to the Node Pool Details page.
  5. On the Node Pool Details page, click the Edit icon to the right of Node Pool Information. The Node Pool Edit popup window opens.
  6. In the Node Pool Edit popup window, edit the node pool information, then click the Confirm button.

Upgrade Node Pool

If the Kubernetes version of the control plane and the version of the node pool differ, you can upgrade the node pool to synchronize the versions.

Caution

After upgrading the cluster, proceed with the node pool upgrade. The control plane and node pool upgrades of a Kubernetes cluster are performed separately.

  • When you perform a node pool upgrade, a rolling update is carried out on the nodes belonging to the node pool. During this process, a brief service interruption may occur, which is normal for a rolling update and will automatically recover after a short period.
  • The server OS version may vary depending on the Kubernetes version of the node pool.

To upgrade the node pool, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, select the cluster for which you want to perform a node pool version upgrade to go to the Cluster Details page.
  4. On the Cluster Details page, select the Node Pool tab, then click More > Node Pool Upgrade at the far right end of the node pool row. The Node Pool Version Upgrade popup window opens.
    • You can upgrade the node pool only when the node’s status is Running.
  5. After reviewing the information in the Node Pool Version Upgrade popup window, click the Confirm button.

Auto-scaling node pools

Node pool auto-scaling is a feature that automatically adjusts the number of nodes in a specified node pool by adding new nodes or removing existing nodes based on workload demands. This feature operates on a per-node-pool basis.

  • Automatic scale-up and scale-down decisions are based on the resource requests of the pods running on the node pool’s nodes rather than on actual resource utilization. The feature periodically checks the status of pods and nodes and then executes the scaling operations.

To set up automatic scaling for a node pool, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, select the cluster for which you want to use the node auto-scaling feature to go to the Cluster Details page.
  4. On the Cluster Details page, select the Node Pool tab, then click the Node Pool name you wish to modify to go to the Node Pool Details page.
  5. On the Node Pool Details page, click the Edit icon on the right of Node Pool Information. The Edit Node Pool popup window opens.
  6. In the Edit Node Pool popup window, set Node Pool Auto Scaling to Enable.
  7. After entering the minimum and maximum node counts, click the Confirm button.
    Reference

    Node pool auto-scaling settings can also be configured on the cluster node pool creation page.

    • Node pool scale-up conditions
      • When a pod fails to start in the cluster due to insufficient resources (a Pending pod occurs)
    • Node pool reduction criteria (when all are met)
      • The sum of resource requests (CPU/Memory) of all pods running on a node is less than 50% of the node’s allocatable resources.
      • All pods running on the node can be scheduled on another node (there must be no pods subject to PDB restrictions, etc.)
    • When using automatic node pool scaling, to prevent a node from being deleted by node reduction, add the following annotation to the node.
      • cluster-autoscaler.kubernetes.io/scale-down-disabled: "true"

Caution
  • Node pool automatic scale-up/scale-down operates only when NotReady nodes constitute 45% or less of the total nodes in the cluster and there are three or fewer such nodes.
  • If the cluster contains nodes that were attached directly rather than through node pools created by the Kubernetes Engine service, using this feature may cause malfunction.
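
The reduction criteria and the NotReady limits above can be evaluated against a snapshot of the cluster to see which nodes the autoscaler may remove and which rule protects the others. The following Python is an added example, not Samsung Cloud Platform or cluster-autoscaler code; the node and pod records, the first-fit placement check, and reading "CPU/Memory" as both resources having to be under 50% are assumptions of this example.

```python
# Added example: simplified model of the node pool reduction rules on this page.
# Record layout and the first-fit placement check are assumptions; the real
# autoscaler evaluates many more scheduling constraints.

ANNOTATION = "cluster-autoscaler.kubernetes.io/scale-down-disabled"


def autoscaler_active(nodes):
    """Scaling runs only if NotReady nodes are <= 45% of all nodes and <= 3."""
    not_ready = sum(1 for n in nodes if not n["ready"])
    return not_ready <= 3 and not_ready * 100 <= 45 * len(nodes)


def requested(node_name, pods):
    """Sum CPU (millicores) and memory (MiB) requests of the pods on one node."""
    mine = [p for p in pods if p["node"] == node_name]
    return sum(p["cpu_m"] for p in mine), sum(p["mem_mi"] for p in mine)


def fits_elsewhere(node, nodes, pods):
    """First-fit check: can every pod on `node` move to another Ready node?"""
    free = {}
    for other in nodes:
        if other["name"] != node["name"] and other["ready"]:
            cpu, mem = requested(other["name"], pods)
            free[other["name"]] = [other["cpu_m"] - cpu, other["mem_mi"] - mem]
    movers = sorted((p for p in pods if p["node"] == node["name"]),
                    key=lambda p: p["cpu_m"], reverse=True)
    for pod in movers:
        target = next((name for name, (cpu, mem) in free.items()
                       if cpu >= pod["cpu_m"] and mem >= pod["mem_mi"]), None)
        if target is None:
            return False
        free[target][0] -= pod["cpu_m"]
        free[target][1] -= pod["mem_mi"]
    return True


def scale_down_report(nodes, pods):
    """Map each node name to 'candidate' or to the rule that keeps the node."""
    if not autoscaler_active(nodes):
        return {n["name"]: "autoscaling paused: too many NotReady nodes" for n in nodes}
    report = {}
    for node in nodes:
        cpu, mem = requested(node["name"], pods)
        mine = [p for p in pods if p["node"] == node["name"]]
        if node["annotations"].get(ANNOTATION) == "true":
            verdict = "kept: scale-down-disabled annotation"
        elif cpu * 2 >= node["cpu_m"] or mem * 2 >= node["mem_mi"]:
            verdict = "kept: requests at or above 50% of allocatable"
        elif any(p.get("pdb_blocked") for p in mine):
            verdict = "kept: pod restricted by a PDB"
        elif not fits_elsewhere(node, nodes, pods):
            verdict = "kept: pods do not fit on other nodes"
        else:
            verdict = "candidate"
        report[node["name"]] = verdict
    return report


def make_node(name, ready=True, annotations=None):
    """Build a constructed node record: 4 vCPU and 8 GiB allocatable."""
    return {"name": name, "ready": ready, "cpu_m": 4000, "mem_mi": 8192,
            "annotations": annotations or {}}


# Constructed sample cluster (not real data).
NODES = [make_node("node-a"), make_node("node-b"),
         make_node("node-c", annotations={ANNOTATION: "true"}), make_node("node-d")]
PODS = [
    {"node": "node-a", "cpu_m": 500, "mem_mi": 512},
    {"node": "node-a", "cpu_m": 500, "mem_mi": 512},
    {"node": "node-b", "cpu_m": 2500, "mem_mi": 4096},
    {"node": "node-c", "cpu_m": 200, "mem_mi": 256},
    {"node": "node-d", "cpu_m": 300, "mem_mi": 256, "pdb_blocked": True},
]

if __name__ == "__main__":
    for name, verdict in scale_down_report(NODES, PODS).items():
        print(f"{name}: {verdict}")
```
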

Automatically Restore Node Pool

Node auto-recovery is a feature that automatically deletes an abnormal node detected in the cluster and creates a new node to restore the node count in the node pool to a normal state. This feature operates based on the node pool.

Caution

Node auto-recovery deletes the existing node and creates a new node whenever the node auto-recovery conditions are met, that is, when communication between the node and the K8S Control Plane fails because of a node (Virtual Server) problem, a stopped state, a network issue, and so on. Use it with caution.

  • The new node is restored according to the conditions initially set when the node pool was created; any custom settings made after node creation are not restored.

If there are nodes that were directly connected instead of node pools created by the Kubernetes Engine service, using this feature may cause malfunction.

To configure the node auto-recovery feature, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, select the cluster for which you want to use the node auto-recovery feature to go to the Cluster Details page.
  4. On the Cluster Details page, select the Node Pool tab, then click the Node Pool name you wish to edit to go to the Node Pool Details page.
  5. On the Node Pool Details page, click the Edit icon on the right of Node Pool Information. The Edit Node Pool popup window opens.
  6. In the Edit Node Pool popup window, set Node Auto Recovery to Enable, then click the Confirm button.

Reference

Node auto-recovery settings can also be configured on the cluster node pool creation page.

  • When the node is an auto-recovery target
    • If a node reports a NotReady status in consecutive checks for a certain time threshold (approximately 10 minutes)
    • When a node does not report its status at all for a certain time threshold (approximately 10 minutes)
  • If the node is not a target for automatic recovery
    • When a node is first created, it remains in the Creating state instead of reaching the Running state.
    • When more than five abnormal nodes occur simultaneously in the same node pool.

Setting node pool labels

Node pool labels are a feature for optionally scheduling workloads onto nodes.

Caution
  • When applying a node pool label, it is not applied to existing nodes; the label is applied only to nodes created thereafter.
    • If you need to apply a label to an existing node, the user must set it directly with kubectl.

To set the node pool label, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, select the cluster for which you want to set the node pool label to go to the Cluster Details page.
  4. On the Cluster Details page, select the Node Pool tab, then click the Node Pool Name you want to edit to go to the Node Pool Details page.
  5. On the Node Pool Details page, when you click the Edit icon of a label, the Edit Label popup opens.
  6. In the Label Edit popup, click the Add button to add as many labels as needed.
  7. Enter the label information and click the Confirm button.

Configure Node Pool Taint

Node pool taint is a feature that prevents workloads from being scheduled onto nodes.

Caution
  • If you set taints on all node pools, pods required for normal cluster operation may not be scheduled.
  • When applying a node pool taint, it does not affect existing nodes; the taint is applied only to nodes created thereafter.
    • If you need to apply a taint to an existing node, the user must configure it directly with kubectl.

To configure the node pool taint, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, select the cluster for which you want to set a node pool taint to go to the Cluster Details page.
  4. On the Cluster Details page, select the Node Pool tab, then click the Node Pool name you wish to modify to go to the Node Pool Details page.
  5. On the Node Pool Details page, click the Edit icon of a taint. The Edit Taint popup window opens.
  6. In the Edit Taint popup window, click the Add button to add the required number of taints.
  7. Enter the taint information and click the Confirm button.

Configure advanced node pool settings

Node pool advanced settings are a feature for applying detailed configurations such as the number of pods per node, PID, logs, and image garbage collection.

Caution
Node pools cannot be modified after creation. If an invalid value is entered, the node may not operate correctly.

Reference

Each setting corresponds to the kubelet configuration as follows.

  • Maximum pods per node: maxPods
  • Image GC upper limit percent: imageGCHighThresholdPercent
  • Image GC low threshold percent: imageGCLowThresholdPercent
  • Container log maximum size MB: containerLogMaxSize
  • Container log maximum file count: containerLogMaxFiles
  • Pod PID limit: podPidsLimit
  • Allow unsafe Sysctl: allowedUnsafeSysctls

To configure advanced settings for the node pool, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, select the cluster for which you want to configure advanced node pool settings to go to the Cluster Details page.
  4. On the Cluster Details page, select the Node Pool tab, then click Create Node Pool to go to the Create Node Pool page.
  5. On the Node Pool Creation page, select Advanced Settings to Enable.
  6. After selecting Use, enter the required information for the displayed items.
  7. After confirming that the required information has been entered correctly in the Summary tab, click the Create button.
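
Because these values map directly to kubelet configuration and an invalid value can leave a node unusable, it helps to review them before the node pool is created. The following Python check is an added example, not part of the Kubernetes Engine service; it assumes the settings are written with the kubelet field names listed above and kubelet-style values (for example a log size of "10Mi"), and its list of namespaced sysctl groups follows the upstream Kubernetes documentation.

```python
import re

# Sysctl groups that the upstream Kubernetes documentation lists as namespaced.
NAMESPACED = ("kernel.shm", "kernel.msg", "kernel.sem", "fs.mqueue.", "net.")
SIZE = re.compile(r"^[1-9]\d*(Ki|Mi|Gi)$")  # simplified quantity syntax, e.g. "10Mi"


def is_int(value):
    """True for real integers only (bool is rejected)."""
    return isinstance(value, int) and not isinstance(value, bool)


def review_advanced_settings(cfg):
    """Return (severity, field, message) findings for kubelet-style settings."""
    findings = []

    def add(severity, field, message):
        findings.append((severity, field, message))

    max_pods = cfg.get("maxPods")
    if max_pods is not None and not (is_int(max_pods) and max_pods >= 1):
        add("error", "maxPods", "expected a positive integer")

    high = cfg.get("imageGCHighThresholdPercent")
    low = cfg.get("imageGCLowThresholdPercent")
    for field, value in (("imageGCHighThresholdPercent", high),
                         ("imageGCLowThresholdPercent", low)):
        if value is not None and not (is_int(value) and 0 <= value <= 100):
            add("error", field, "expected an integer from 0 to 100")
    if is_int(high) and is_int(low) and low >= high:
        add("error", "imageGCLowThresholdPercent",
            "must be lower than imageGCHighThresholdPercent")

    size = cfg.get("containerLogMaxSize")
    if size is not None and not (isinstance(size, str) and SIZE.match(size)):
        add("error", "containerLogMaxSize", "expected a size such as 10Mi")

    files = cfg.get("containerLogMaxFiles")
    if files is not None and not (is_int(files) and files > 1):
        add("error", "containerLogMaxFiles", "kubelet requires a value greater than 1")

    # -1 is the kubelet default and means pods have no PID ceiling of their own.
    pids = cfg.get("podPidsLimit", -1)
    if not is_int(pids) or pids == 0 or pids < -1:
        add("error", "podPidsLimit", "expected -1 (no limit) or a positive integer")
    elif pids == -1:
        add("warn", "podPidsLimit",
            "no per-pod PID ceiling: one pod can exhaust the node's PIDs")

    for entry in cfg.get("allowedUnsafeSysctls", []):
        field = f"allowedUnsafeSysctls[{entry!r}]"
        if not isinstance(entry, str) or not entry.rstrip("*").startswith(NAMESPACED):
            add("error", field, "not in a namespaced sysctl group")
        elif entry.endswith("*"):
            add("warn", field, "wildcard permits every matching unsafe sysctl on these nodes")
        else:
            add("warn", field, "unsafe sysctl permitted: confirm a workload needs it")
    return findings


# Constructed sample inputs (not taken from a real cluster).
RISKY = {
    "maxPods": 110,
    "imageGCHighThresholdPercent": 80,
    "imageGCLowThresholdPercent": 85,
    "containerLogMaxSize": "10Mi",
    "containerLogMaxFiles": 1,
    "allowedUnsafeSysctls": ["net.*", "vm.max_map_count"],
}
REVIEWED = {
    "maxPods": 110,
    "imageGCHighThresholdPercent": 85,
    "imageGCLowThresholdPercent": 80,
    "containerLogMaxSize": "10Mi",
    "containerLogMaxFiles": 5,
    "podPidsLimit": 4096,
    "allowedUnsafeSysctls": [],
}

if __name__ == "__main__":
    for severity, field, message in review_advanced_settings(RISKY):
        print(f"{severity:5} {field}: {message}")
```
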

Configure linked resources for node pool

Node pool connection resources are a feature for connecting or disconnecting File Storage and Object Storage on a per‑node‑pool basis.

Caution
  • Node pool connection resources have a quantity limit.
    • You can add up to three File Storage and three Object Storage, for a total of six connection resources.
  • StorageClass and Provisioner for the connected resource are not provided.
  • Do not arbitrarily modify the connection resources automatically added in the node pool for the File Storage and Object Storage services.
    • Changes may be reverted or cause unexpected behavior.

To configure node pool connection resources, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, select the cluster for which you want to configure node pool connection resources to go to the Cluster Details page.
  4. On the Cluster Details page, select the Node Pool tab, then click the Node Pool Name you want to edit to go to the Node Pool Details page.
  5. On the Node Pool Details page, click the Edit icon of a connection resource. The Edit Connected Resource popup opens.
  6. In the Edit Connected Resource popup, click the Add button. The Add Connected Resource popup opens.
  7. In the Add Connected Resource popup window, select File Storage and Object Storage.
  8. After verifying the resources to connect to the node pool, click the Confirm button.

Delete Node Pool

If needed, delete the node pool from the Kubernetes Engine details page.

To delete a node pool, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Cluster menu to go to the Cluster List page.
  3. On the Cluster List page, select the cluster whose node count you want to modify to go to the Cluster Details page.
  4. On the Cluster Details page, select the Node Pool tab, click the More button at the far right of the node pool row, then click Delete Node Pool.
  5. In the Node Pool Deletion popup window, select the checkbox, enter the name of the node pool to delete, and click the Confirm button.
    • You must select the checkbox in the node deletion confirmation message for the confirm button to become active.

View node details

After creating the cluster, you can view metadata, object information, and other details of the added nodes, and edit resource files using a YAML editor.

To view detailed information about the node pool, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Node menu to go to the Node List page.
  3. On the Node List page, select the cluster whose detailed information you want to view from the gear button at the top left, then click the Confirm button.
  4. Click the node whose detailed information you want to view to go to the Node Details page.
    Category: Detailed description
    • Status Indicator: Displays the current status of the node
    • Detailed Information: Check the node’s Account information, metadata, and object information
    • YAML: Node resources can be edited in the YAML editor
      • Click the Edit button, modify the resource, then click the Save button to apply the changes
      • When editing content, click the Diff button to view the changes
    • Event: Check events that occurred on the node
    • Pod: Check node pod information
      • A Pod is the smallest compute unit that can be created, managed, and deployed in Kubernetes Engine
    • Account Information: Check basic information about the Account, such as the Account name, location, and creation time.
    • Metadata Information: Check metadata information such as node labels, annotations, and taints.
    • Object Information: Displays the object information of the created node, such as internal IP, machine ID, capacity, and resources
      • If GPU resources exist, check the GPU count in the Capacity > Nvidia.com/GPU column
    Table. Node detailed information items

1.2.2 - Managing Namespaces

A namespace is a logical separation unit within a Kubernetes cluster, used to specify access permissions or resource usage limits per namespace.

Create a namespace

To create a namespace, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Namespace menu to go to the Namespace List page.
  3. On the Namespace List page, select the cluster where you want to create a namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation popup and click the Confirm button.

Reference
For detailed information on object creation, refer to the Kubernetes official documentation > Kubernetes objects.

Check detailed namespace information

On the namespace detail page, you can view the namespace status and detailed information.

To view detailed namespace information, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Namespace menu to go to the Namespace List page.
  3. On the Namespace List page, select the cluster that the namespace requiring detailed information belongs to from the gear button at the top left, then click Confirm.
  4. On the Namespace List page, click the item you want to view details for to go to the Namespace Details page.
    Category: Detailed description
    • Status indicator: Displays the current state of the namespace
    • Delete Namespace: Delete the namespace
      • A namespace containing workloads cannot be deleted. To delete a namespace, you must delete all associated workloads
    • Detailed Information: Check the Account information and metadata of the namespace
    • YAML: Namespaces can be edited in the YAML editor
      • Click the Edit button, modify the namespace, then click the Done button to apply the changes
      • When editing content, click the Diff button to view the changes
    • Event: Check events that occurred within the namespace
    • Pod: Check the pod information in the namespace
    • Account information: Check basic information about the Account, such as name, location, and creation timestamp.
    • Metadata Information: Check the metadata information of the namespace
    Table. Namespace detailed information items

Delete namespace

To delete a namespace, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click the Namespace menu to go to the Namespace List page.
  3. On the Namespace List page, select the cluster that the namespace you want to delete belongs to from the gear button at the top left, then click the Confirm button.
  4. On the Namespace List page, click the item you want to view details for to go to the Namespace Details page.
  5. On the Namespace Details page, click Delete Namespace.
  6. When the notification confirmation window appears, click the Confirm button.

Caution
On the namespace list page, after selecting the item you want to delete, click Delete to remove the selected namespace. A namespace that contains workloads cannot be deleted. To delete a namespace, delete all associated workloads.

1.2.3 - Manage Workloads

The workload is an application running on Kubernetes Engine. You can create a namespace and then add or delete workloads. Workloads are created and then managed for each item: Deployment, Pod, StatefulSet, DaemonSet, Job, and CronJob.

Reference

Deployments, Pods, StatefulSets, DaemonSets, Jobs, and CronJobs are defaulted to the cluster (namespace) selected when creating the service. Even if you select a different item in the list, the default cluster (namespace) setting is retained.

  • To select a different cluster (namespace), click the gear button on the right side of the list.
    • In the Cluster/Namespace Settings popup window, select the cluster and namespace to change, and click the Confirm button.
    • You can view the services created in the selected cluster/namespace.

Managing Deployments

A Deployment is a resource that provides updates for Pods and ReplicaSets. You can create a deployment in the workload, view its details, or delete it.

Create Deployment

To create a deployment, follow the steps below.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Deployment under the Workload menu to go to the Deployment List page.
  3. On the Deployment List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
    • The following is an example .yaml file (application/deployment.yaml) that shows the required fields and object spec for creating a Deployment.
       apiVersion: apps/v1
       kind: Deployment
       metadata:
         name: nginx-deployment
       spec:
         selector:
           matchLabels:
             app: nginx
         replicas: 2 # tells deployment to run 2 pods matching the template
         template:
           metadata:
             labels:
               app: nginx
           spec:
             containers:
             - name: nginx
               image: nginx:1.14.2
               ports:
               - containerPort: 80
      Code block. Required fields and object Spec for deployment creation.
Reference
For detailed information on the concept of Deployments and object creation, see the Kubernetes official documentation > Deployments.

View deployment details

To view deployment details, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Deployment under the Workload menu. The Deployment List page opens.
  3. On the Deployment List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Deployment List page, select the item you want to view detailed information for. The Deployment Details page opens.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete Deployment | Delete the deployment
    Detailed Information | Detailed deployment information can be viewed
    YAML | The deployment’s resource file can be edited in the YAML editor. Click the Edit button, modify the resource, then click the Done button to apply the changes. When editing content, click the Diff button to view the changes.
    Event | Check events that occurred within the deployment
    Pod | Check the pod information of the deployment. A Pod is the smallest compute unit that can be created, managed, and deployed in Kubernetes Engine.
    Account Information | Check basic information about the Account, such as the Account name, location, and creation time.
    Metadata Information | Check the deployment’s metadata information
    Object Information | Check the deployment’s object information
    Table. Deployment detailed information items

Delete Deployment

To delete the deployment, follow the steps below.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Deployment under the Workload menu. The Deployment List page opens.
  3. On the Deployment List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Deployment List page, select the item you want to delete. The Deployment Details page opens.
  5. On the Deployment Details page, click Delete Deployment.
  6. When the notification confirmation window appears, click the Confirm button.
Caution
On the deployment list page, after selecting the item you want to delete, click Delete to remove the selected deployment.

Managing Pods

A Pod is the smallest compute unit in Kubernetes that can be created, managed, and deployed, representing a group of one or more containers. You can create pods in the workload, view their details, or delete them.

Create Pod

To create a pod, follow the steps below.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Pod under the Workload menu. The Pod List page opens.
  3. On the Pod List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information on the concept of pods and object creation, refer to the Kubernetes official documentation > Pods.

Check pod detailed information

To view detailed pod information, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Pod under the Workload menu. The Pod List page opens.
  3. On the Pod List page, select the cluster and namespace using the gear button at the top left, then click Confirm.
  4. On the Pod List page, select the item you want to view detailed information for. The Pod Details page opens.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Status indicator | Display the current status of the pod
    Delete Pod | Delete the pod
    Detailed Information | Detailed pod information can be viewed
    YAML | The pod’s resource file can be edited in the YAML editor. Click the Edit button, modify the resource, then click the Done button to apply the changes. When editing content, you can click the Diff button to view the changes.
    Event | Check events that occurred within the pod
    Log | Select a container to view the pod’s container information.
    Account Information | Check basic information about the Account, such as name, location, and creation timestamp.
    Metadata Information | Check the pod’s metadata information
    Object Information | Check the pod’s object information
    Initialization Container Information | Check the pod’s init container information
    Container Information | Check the pod’s container information
    Table. Pod detailed information items

Delete Pod

To delete a pod, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Pod under the Workload menu. The Pod List page opens.
  3. On the Pod List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Pod List page, select the items you want to delete. The Pod Details page opens.
  5. On the Pod Details page, click Delete Pod.
  6. When the notification dialog appears, click the Confirm button.
Caution
On the pod list page, after selecting the item you want to delete, click Delete to delete the selected pod.

Managing StatefulSets

A StatefulSet is a workload API object used to manage an application’s stateful components. You can create a StatefulSet in the workload, view its details, or delete it.

Creating a StatefulSet

To create a StatefulSet, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click StatefulSet under the Workload menu. The StatefulSet List page opens.
  3. On the StatefulSet list page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information on the StatefulSet concept and object creation, see the Kubernetes official documentation > StatefulSet.

Check detailed information of StatefulSet

To view detailed information about a StatefulSet, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click StatefulSet under the Workload menu. The StatefulSet List page opens.
  3. On the StatefulSet List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the StatefulSet List page, select the item whose detailed information you want to view. The StatefulSet Details page opens.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete StatefulSet | Delete the StatefulSet
    Detailed Information | Detailed StatefulSet information can be viewed
    YAML | The resource file of a StatefulSet can be edited in the YAML editor. Click the Edit button, modify the resource, then click the Done button to apply the changes. When editing content, click the Diff button to view the changes.
    Event | Check events that occurred within the StatefulSet
    Pod | Check the pod information of the StatefulSet
    Account Information | Check basic information about the Account, such as name, location, creation time, etc.
    Metadata Information | Check the metadata information of the StatefulSet
    Object Information | Check the object information of the StatefulSet
    Table. StatefulSet detailed information items

Delete StatefulSet

To delete a StatefulSet, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click StatefulSet under the Workload menu. The StatefulSet List page opens.
  3. On the StatefulSet List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the StatefulSet List page, select the items you want to delete. The StatefulSet Details page opens.
  5. On the StatefulSet Details page, click Delete StatefulSet.
  6. When the notification confirmation window appears, click the Confirm button.
Caution
On the StatefulSet list page, after selecting the items you want to delete, click Delete to delete the selected StatefulSet.

Managing DaemonSets

A DaemonSet is a resource that ensures a copy of a pod runs on every node or on a subset of nodes. You can create a DaemonSet in the workload, view its details, or delete it.

Creating a DaemonSet

To create a DaemonSet, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click DaemonSet under the Workload menu. The DaemonSet List page opens.
  3. On the DaemonSet list page, select the cluster and namespace from the gear button at the top left, then click Create object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information on the concept of DaemonSets and object creation, see the Kubernetes official documentation > DaemonSet.

Check DaemonSet detailed information

To view detailed information about a DaemonSet, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click DaemonSet under the Workload menu. The DaemonSet List page opens.
  3. On the DaemonSet List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the DaemonSet List page, select the item you want to view details for. The DaemonSet Details page opens.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries are displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete DaemonSet | Delete the DaemonSet
    Detailed Information | Detailed DaemonSet information can be viewed
    YAML | The DaemonSet’s resource file can be edited in the YAML editor. Click the Edit button, modify the resource, then click the Done button to apply the changes. When editing content, you can click the Diff button to view the changed content.
    Event | Check events that occurred within the DaemonSet
    Pod | Check DaemonSet pod information
    Account Information | Check basic information about the Account, such as name, location, creation time, etc.
    Metadata Information | Check the DaemonSet’s metadata information
    Object Information | Check the DaemonSet object information
    Table. DaemonSet detailed information items

Delete DaemonSet

To delete a DaemonSet, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click DaemonSet under the Workload menu. The DaemonSet List page opens.
  3. On the DaemonSet List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the DaemonSet List page, select the items you want to delete. The DaemonSet Details page opens.
  5. On the DaemonSet Details page, click Delete DaemonSet.
  6. When the notification confirmation window appears, click the Confirm button.
Caution
On the DaemonSet list page, after selecting the item you want to delete, click Delete to delete the selected DaemonSet.

Job Management

A Job is a resource that creates one or more Pods and continues to run Pods until the specified number of Pods have completed successfully. You can create a job in the workload, view its details, or delete it.

Create Job

To create a job, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Job under the Workload menu. The Job List page opens.
  3. On the Job List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information on the concept of jobs and object creation, refer to the Kubernetes official documentation > Job.

Check job details

To view the job details, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Job under the Workload menu. The Job List page opens.
  3. On the Job List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Job List page, select the item you want to view detailed information for. The Job Details page opens.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete Job | Delete the job
    Detailed Information | Detailed job information can be viewed
    YAML | You can edit the job’s resource file in the YAML editor. Click the Edit button, modify the resource, then click the Done button to apply the changes. When editing content, click the Diff button to view the changes.
    Event | Check events that occurred within the job
    Pod | Check the pod information of the job
    Account Information | Check basic information about the Account, such as name, location, creation time, etc.
    Metadata Information | Check the job’s metadata information
    Object Information | Check job object information
    Table. Job detail information items

Delete job

To delete a job, follow the steps below.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Job under the Workload menu. The Job List page opens.
  3. On the Job List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Job List page, select the items you want to delete. The Job Details page opens.
  5. On the Job Details page, click Delete Job.
  6. When the notification dialog appears, click the Confirm button.
Caution
On the job list page, after selecting the items you want to delete, click Delete to remove the selected jobs.

Managing Cron Jobs

A cron job is a resource that runs a job periodically according to a schedule written in cron format. It can be used to execute repetitive tasks at regular intervals, such as backups and report generation. You can create a cron job in the workload, view its details, or delete it.

Create a cron job

To create a cron job, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click CronJob under the Workload menu. The Cron Job List page opens.
  3. On the CronJob List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information on the concept of CronJobs and object creation, see the Kubernetes official documentation > CronJob.
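
As an added example (not part of the original guide), the manifest below is one object that could be entered in the Object Creation Popup for a cron job. It shows the cron-format schedule together with the Job settings that control how many pods must complete and how failures are retried. The name, image, command, schedule, user ID and limits are assumptions chosen for illustration.

```yaml
# Added example, not from the original guide. All names and values are assumptions.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: nightly-report              # hypothetical name
spec:
  # Cron format: minute hour day-of-month month day-of-week
  schedule: "30 2 * * *"            # every day at 02:30
  concurrencyPolicy: Forbid         # skip a run while the previous one is still running
  startingDeadlineSeconds: 300      # count a run as missed if it cannot start within 5 minutes
  successfulJobsHistoryLimit: 3     # keep the last 3 successful jobs for review
  failedJobsHistoryLimit: 1         # keep the last failed job for troubleshooting
  jobTemplate:
    spec:
      completions: 1                # the job is done when 1 pod has completed successfully
      backoffLimit: 2               # retry a failed pod at most twice
      ttlSecondsAfterFinished: 3600 # remove the finished job and its pods after one hour
      template:
        spec:
          restartPolicy: OnFailure
          automountServiceAccountToken: false   # the task does not call the Kubernetes API
          containers:
          - name: report
            image: busybox:1.36     # placeholder image
            command: ["sh", "-c", "date; echo generating report"]
            securityContext:
              runAsNonRoot: true
              runAsUser: 65534      # unprivileged user ID
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities:
                drop: ["ALL"]
            resources:
              limits:
                cpu: 100m
                memory: 64Mi
```

Each scheduled run appears as a job under the cron job's job tab, and its pods appear on the Job Details page.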

Check detailed cron job information

To view detailed information about the cron job, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click CronJob under the Workload menu. The Cron Job List page opens.
  3. On the CronJob List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Cron Job List page, select the item you want to view detailed information for. The Cron Job Details page opens.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete Cron Job | Delete the cron job
    Detailed Information | View detailed information of cron jobs
    YAML | The resource file of the cron job can be edited in the YAML editor. Click the Edit button, modify the resource, then click the Done button to apply the changes. When editing content, you can click the Diff button to view the changed content.
    Event | Check events that occurred within the cron job
    Job | View the cron job’s information. Selecting a job item navigates to the job detail page.
    Account Information | Check basic information about the Account, such as name, location, creation time, etc.
    Metadata Information | Check the metadata information of the cron job
    Object Information | Check the object information of the cron job
    Table. Cron job detailed information items

Delete cron job

To delete a cron job, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click CronJob under the Workload menu. The Cron Job List page opens.
  3. On the CronJob List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Cron Job List page, select the items you want to delete. The Cron Job Details page opens.
  5. On the Cron Job Details page, click Delete Cron Job.
  6. When the notification confirmation window appears, click the Confirm button.
Caution
On the cron job list page, after selecting the items you want to delete, click Delete to delete the selected cron jobs.

1.2.4 - Manage services and ingresses

A Service is an abstraction that exposes applications running in a set of Pods as a network service, and an Ingress is used to expose HTTP and HTTPS routes from outside the cluster to inside the cluster. After creating a namespace, you can create or delete services, endpoints, ingresses, and ingress classes.

Reference

Services, endpoints, ingresses, and ingress classes are set by default to the cluster (namespace) selected when creating the service. Even if you select a different item in the list, the default cluster (namespace) setting is retained.

  • To select a different cluster (namespace), click the gear button on the right side of the list.
    • In the Cluster/Namespace Settings popup window, select the cluster and namespace you want to change, and click the Confirm button.
    • You can view the services created in the selected cluster/namespace.

Manage Services

You can create a service, view its details, or delete it.

Create Service

To create a service, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Service under the Service and Ingress menu. The Service List page opens.
  3. On the Service List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information on the concept of services and object creation, refer to the Kubernetes official documentation > Service.

Check service detailed information

To view the service details, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Service under the Service and Ingress menu. The Service List page opens.
  3. On the Service List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Service List page, select the item for which you want to view detailed information. The Service Details page opens.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete Service | Delete the service
    Detailed Information | View detailed service information.
    YAML | You can edit the service’s resource file in the YAML editor. Click the Edit button, modify the resource, and then click the Done button to apply the changes. When editing content, you can click the Diff button to view the changes.
    Event | Check events that occurred within the service
    Account Information | Check basic information about the Account, such as name, location, creation time, etc.
    Metadata Information | Check the service metadata information
    Object Information | Check the service’s object information
    Table. Service detailed information items

Delete Service

To delete the service, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Service under the Service and Ingress menu. The Service List page opens.
  3. On the Service List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Service List page, select the item you want to delete. The Service Details page opens.
  5. On the Service Details page, click Delete Service.
  6. When the notification dialog appears, click the Confirm button.
Caution
On the service list page, after selecting the item you want to delete, click Delete to remove the selected service.

Managing Endpoints

You can create an endpoint, view its details, or delete it.

Create Endpoint

To create an endpoint, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Endpoint under the Service and Ingress menu. The Endpoint List page opens.
  3. On the Endpoint List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.

View endpoint details

To view detailed endpoint information, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Endpoint under the Service and Ingress menu. The Endpoint List page opens.
  3. On the Endpoint List page, select the cluster and namespace using the gear button at the top left, then click Confirm.
  4. On the Endpoint List page, select the item for which you want to view detailed information. The Endpoint Details page opens.
    • When you select Show system objects at the top of the list, the remaining items, excluding the Kubernetes object entries, are displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete Endpoint | Delete the endpoint
    Detailed Information | Detailed endpoint information can be viewed
    YAML | The endpoint’s resource file can be edited in the YAML editor. Click the Edit button, modify the resource, then click the Done button to apply the changes. When editing content, you can click the Diff button to view the changed content.
    Event | Check events that occurred within the endpoint
    Account Information | Check basic information about the Account, such as the Account name, location, and creation date/time.
    Metadata Information | Check the endpoint’s metadata information
    Object Information | Check the endpoint’s object information
    Table. Endpoint detailed information items

Delete endpoint

To delete the endpoint, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Endpoint under the Service and Ingress menu. The Endpoint List page opens.
  3. On the Endpoint List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Endpoint List page, select the item you want to delete. The Endpoint Details page opens.
  5. On the Endpoint Details page, click Delete Endpoint.
  6. When the notification dialog appears, click the Confirm button.
Reference
On the endpoint list page, after selecting the item you want to delete, click Delete to remove the selected endpoint.

Managing Ingress

Ingress is an API object that manages external access (HTTP, HTTPS) to services within Kubernetes Engine, used to expose workloads externally, and provides L7 load balancing functionality.

Create Ingress

To create an Ingress, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Ingress under the Service and Ingress menu. The Ingress List page opens.
  3. On the Ingress List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information on the concept of Ingress and object creation, refer to Kubernetes official documentation > Ingress.

Check Ingress detailed information

To view the ingress details, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Ingress under the Service and Ingress menu. The Ingress List page opens.
  3. On the Ingress List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Ingress List page, select the item whose detailed information you want to view. The Ingress Details page opens.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete Ingress | Delete the Ingress
    Detailed Information | Ingress detailed information can be viewed
    YAML | The Ingress resource file can be edited in the YAML editor. Click the Edit button, modify the resource, then click the Done button to apply the changes. When editing content, you can click the Diff button to view the changes.
    Event | Check events that occurred within the Ingress
    Account Information | Check basic information about the Account, such as name, location, creation time, etc.
    Metadata Information | Check the metadata information of the Ingress
    Object Information | Check the Ingress object’s information
    Table. Ingress detailed information items

Delete Ingress

To delete the ingress, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Ingress under the Service and Ingress menu. The Ingress List page opens.
  3. On the Ingress List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Ingress List page, select the item you want to delete. The Ingress Details page opens.
  5. On the Ingress Details page, click Delete Ingress.
  6. When the notification confirmation dialog appears, click the Confirm button.
Caution
On the Ingress list page, after selecting the item you want to delete, click Delete to remove the selected Ingress.

Manage Ingress Class

IngressClass is an API resource that enables the use of multiple ingress controllers within a single cluster. Each Ingress must specify a class, which is a reference to an IngressClass resource that contains configuration, including the controller that must implement the class.

Create Ingress Class

To create an Ingress class, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click IngressClass under the Service and Ingress menu. The IngressClass List page opens.
  3. On the IngressClass List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information on the concept of IngressClass and object creation, refer to the Kubernetes official documentation > Ingress.
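
As an added example (not part of the original guide), the three manifests below show how an Ingress refers to an IngressClass by name and routes HTTPS traffic to a Service that selects the pods of the nginx-deployment example from the Deployment section. The object names, host, TLS Secret and the controller value (the identifier used by the ingress-nginx controller) are assumptions; the controller value must match a controller that is actually installed in the cluster.

```yaml
# Added example, not from the original guide. Names, host and controller are assumptions.
# 1) IngressClass: names the controller that implements this class.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: example-nginx               # hypothetical class name
spec:
  controller: k8s.io/ingress-nginx  # assumed controller; Ingresses of this class are ignored if no such controller runs
---
# 2) Service: exposes the pods labelled app=nginx inside the cluster only.
apiVersion: v1
kind: Service
metadata:
  name: nginx-service               # hypothetical name
spec:
  type: ClusterIP                   # no direct external exposure; traffic enters through the Ingress
  selector:
    app: nginx                      # must match the pod template labels of nginx-deployment
  ports:
  - name: http
    port: 80
    targetPort: 80                  # containerPort of the nginx container
---
# 3) Ingress: selects the class by name and routes one host to the Service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ingress               # hypothetical name
spec:
  ingressClassName: example-nginx   # reference to the IngressClass above
  tls:
  - hosts:
    - app.example.com               # placeholder host
    secretName: app-example-tls     # hypothetical Secret of type kubernetes.io/tls in the same namespace
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-service
            port:
              number: 80
```

An Ingress whose ingressClassName names a class that no running controller implements is accepted by the API server but never served, so check the Ingress event tab after creation.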

Check detailed information of Ingress class

To view detailed information about the Ingress class, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Ingress Class under the Service and Ingress menu. The IngressClass List page opens.
  3. On the IngressClass List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the IngressClass List page, select the item you want to view detailed information for. The IngressClass Details page opens.
    • When you select Show system objects at the top of the list, the remaining items, excluding the Kubernetes object entries, are displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete IngressClass | Delete the Ingress class
    Detailed Information | Detailed information of the Ingress class can be viewed.
    YAML | The resource file of the IngressClass can be edited in the YAML editor. Click the Edit button, modify the resource, then click the Done button to apply the changes. When editing content, click the Diff button to view the changed content.
    Event | Check events that occurred within the Ingress class
    Account Information | Check basic information about the Account, such as name, location, and creation date/time.
    Metadata Information | Check the metadata information of the Ingress class
    Object Information | Check the object information of the Ingress class
    Table. Ingress class detailed information items

Delete Ingress Class

To delete an Ingress class, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. The Service Home page of Kubernetes Engine opens.
  2. On the Service Home page, click Ingress Class under the Service and Ingress menu. The IngressClass List page opens.
  3. On the IngressClass List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the IngressClass List page, select the items you want to delete. The IngressClass Details page opens.
  5. On the IngressClass Details page, click Delete IngressClass.
  6. When the notification dialog appears, click the Confirm button.
Caution
On the Ingress Class list page, after selecting the item you want to delete, click Delete to delete the selected Ingress Class.

1.2.5 - Managing Storage

You can create and manage storage for use with Kubernetes Engine. Storage is created and managed for each PVC, PV, and StorageClass.

Reference

PVC, PV, and storage class services are set by default to the cluster (namespace) selected when creating the service. Even if you select a different item in the list, the default cluster (namespace) setting is retained.

  • To select a different cluster (namespace), click the gear button on the right side of the list.
    • In the Cluster/Namespace Settings popup window, select the cluster and namespace to change, and click the Confirm button.
    • You can view the services created in the selected cluster/namespace.
Information

The items associated with each storage type are as follows.

Type | Detailed description
Block storage | Supports a storage class that uses the volume of the Block storage product within Virtual Server.
Object Storage | Can be integrated with Samsung Cloud Platform products or external Object Storage
  • No additional configuration is required for Kubernetes Engine, and it can be directly configured and integrated with workloads (applications) according to the Object Storage guide
File storage | Supports storage classes for NFS and CIFS protocol volumes in conjunction with the File Storage product
  • For NFS protocol volumes, selection is required when creating a Kubernetes Engine (supports HDD and SSD disk types)
  • For CIFS protocol volumes, selection can be made during or after Kubernetes Engine creation
Table. Storage linkage items by type

Managing PVC

A Persistent Volume Claim (PVC) is an object defined to allocate the required storage capacity. A PVC provides high usability through abstraction and prevents data from being deleted when the container lifecycle ends (data persistence).

Create PVC

To create a PVC, follow the steps below.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click PVC under the Storage menu. Go to the PVC List page.
  3. On the PVC List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information on the concept of PVCs and object creation, refer to the Kubernetes official documentation > Persistent Volumes.

Check PVC detailed information

To view detailed PVC information, follow the steps below.

  1. Click the All Services > Container > Kubernetes Engine menu. Navigate to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click PVC under the Storage menu. Navigate to the PVC List page.
  3. On the PVC List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the PVC List page, select the item you want to view detailed information for. Go to the PVC Details page.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Status display | Displays the current status of the PVC
      • Bound: Normal connection
    Delete PVC | Delete the PVC
    Detailed Information | Detailed PVC information can be viewed
    YAML | The PVC resource file can be edited in the YAML editor
      • Click the Edit button, modify the resource, then click the Done button to apply the changes
      • When editing content, you can click the Diff button to view the changed content
    Event | Check events that occurred within the PVC
    Account Information | Check basic information about the Account, such as name, location, and creation time
    Metadata Information | Check the PVC metadata information
    Object Information | Check the PVC object information
    Table. PVC detailed information items

Delete PVC

To delete a PVC, follow the steps below.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click PVC under the Storage menu. Go to the PVC List page.
  3. On the PVC List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the PVC List page, select the item you want to delete. Go to the PVC Details page.
  5. On the PVC Details page, click Delete PVC.
  6. When the notification confirmation window appears, click the Confirm button.
Caution

On the PVC list page, after selecting the item you want to delete, click Delete to delete the selected PVC.

  • Before deleting the PVC, verify that the PV and volume to be deleted are backed up.

Manage PV

Persistent Volume (PV) refers to the physical disk that a system administrator creates in Kubernetes Engine.

Create PV

To create a PV, follow the steps below.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click PV under the Storage menu. Go to the PV List page.
  3. On the PV List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information on the concept of PVs and object creation, please refer to the Kubernetes official documentation > Persistent Volumes.

Check PV detailed information

To view detailed PV information, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Navigate to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click PV under the Storage menu. Navigate to the PV List page.
  3. On the PV List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the PV List page, select the item for which you want to view detailed information. Navigate to the PV Details page.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Status display | Displays the current status of the PV
      • Bound: Normal connection
    Delete PV | Delete the PV
    Detailed Information | Detailed information of the PV can be viewed
    YAML | The PV's resource file can be edited in the YAML editor
      • Click the Edit button, modify the resource, then click the Done button to apply the changes
      • When editing content, you can click the Diff button to view the changes
    Event | Check events that occurred within the PV
    Account Information | Check basic information about the Account, such as name, location, and creation time
    Metadata Information | Check the PV metadata information
    Object Information | Check the PV object information
    Table. PV detailed information items

Delete PV

To delete a PV, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click PV under the Storage menu. Go to the PV List page.
  3. On the PV List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the PV List page, select the item you want to delete. Go to the PV Details page.
  5. Click Delete PV on the PV Details page.
  6. When the notification dialog appears, click the Confirm button.
Caution
After selecting the item you want to delete on the PV list page, click Delete to delete the selected PV.

Managing StorageClass

A storage class (StorageClass) is a Kubernetes resource that defines the type, performance, and other levels of storage.

Reference

Kubernetes Engine provides the nfs-subdir-external-sc and bs-sc storage classes by default. They have the following characteristics.

  • The nfs-subdir-external-sc storage class shares and uses the file storage attached to the cluster.
    • Access mode: RWX - ReadWriteMany
    • Reclaim policy: Delete (deletes the PV and stored data when the PVC is deleted), Retain (keeps the PV and stored data when the PVC is deleted)
    • Capacity expansion: individual PVC expansion not allowed / entire file storage expansion allowed
  • The bs-sc storage class supports using SSD-type volumes in conjunction with block storage products.
    • Access mode: RWO - ReadWriteOnce
    • Reclaim policy: Delete (deletes the PV and stored data when the PVC is deleted), Retain (keeps the PV and stored data when the PVC is deleted)
    • Capacity expansion: individual PVC expansion supported (automatic volume expansion in 8 Gi increments)

Predefined storage class

Storage class | Reclaim Policy* | Allow volume expansion** | Mount options | Remarks
nfs-subdir-external-sc (default) | Delete | Not supported | nfsvers=3, noresvport | Basic Volume (NFS) configuration and integration
nfs-subdir-external-sc-retain | Retain | Not supported | nfsvers=3, noresvport | Basic Volume (NFS) configuration and integration
bs-sc | Delete | Supported | - | VirtualServer > Integration with BlockStorage product
bs-sc-retain | Retain | Supported | - | VirtualServer > Integration with BlockStorage product
  • (*) To use a storage class other than the default, you need to specify the storage class name in the PVC's spec.storageClassName.
  • (**) Users can directly change the default storage class (adjust the storageclass.kubernetes.io/is-default-class: "true" annotation)
Table. List of predefined storage classes
Caution

The characteristics of the reclaim policy are as follows.

  • Delete: Deleting the PVC also deletes the associated PV and physical data.
  • Retain: Even if the PVC is deleted, the associated PV and physical data are not deleted and are retained.
    • Physical data not used by the workload may remain in storage, so careful capacity management is required.
Caution

When using volume expansion, consider the following.

  1. nfs-subdir-external-sc storage class
    • The PVC cannot be resized (volume expansion not supported).
    • All PVs share the total capacity of the File Storage volume, so individual PVC volume expansion is not required.
  2. bs-sc storage class
    • You can expand the PVC capacity (capacity reduction not supported).
    • The requested capacity of a PVC does not guarantee that the corresponding PV will have that amount of capacity (expansion is supported in 8 Gi increments).
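
The two PVC manifests below are an added example, not part of the original guide. They show how spec.storageClassName selects one of the predefined classes and what the reclaim policy and expansion rules above mean for each claim. The namespace demo, the object names and the requested sizes are assumptions.

```yaml
# Added example: names, namespace and sizes are constructed for illustration.

# PVC on block storage whose PV and data are kept when the PVC is deleted.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: db-data                    # hypothetical name
  namespace: demo                  # hypothetical namespace
spec:
  storageClassName: bs-sc-retain   # not the default class, so it is named explicitly
  accessModes:
    - ReadWriteOnce                # bs-sc classes are RWO
  resources:
    requests:
      storage: 16Gi                # a multiple of the 8 Gi expansion increment
---
# PVC on the shared NFS file storage, relying on the default class.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: shared-uploads             # hypothetical name
  namespace: demo
spec:
  # storageClassName is omitted, so the class carrying the annotation
  # storageclass.kubernetes.io/is-default-class: "true" is used
  # (nfs-subdir-external-sc unless the default has been changed).
  # Its reclaim policy is Delete: deleting this PVC also deletes the PV and data.
  accessModes:
    - ReadWriteMany                # nfs-subdir-external-sc is RWX
  resources:
    requests:
      storage: 5Gi                 # cannot be resized; all PVs share the File Storage volume
```

Choosing a -retain class for data that must outlive the claim avoids losing it to an accidental PVC deletion, at the cost of the manual capacity cleanup described above.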

Creating a StorageClass

To create a storage class, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Storage Class under the Storage menu. Navigate to the StorageClass List page.
  3. On the StorageClass List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
    Reference
    For detailed information on the concept of storage classes and object creation, please refer to the Kubernetes official documentation > Storage Classes.

View detailed storage class information

To view detailed information about the storage class, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click StorageClass under the Storage menu. Navigate to the StorageClass List page.
  3. On the StorageClass List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the StorageClass List page, select the item you want to view detailed information for. Navigate to the StorageClass Details page.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete StorageClass | Delete the StorageClass
    Detailed Information | Detailed information of the storage class can be viewed
    YAML | The resource file of the StorageClass can be edited in the YAML editor
      • Click the Edit button, modify the resource, then click the Done button to apply the changes
      • When editing content, click the Diff button to view the changes
    Event | Check events that occurred within the storage class
    Account Information | Check basic information about the Account, such as name, location, and creation time
    Metadata Information | Check the metadata information of the StorageClass
    Object Information | Check the object information of the storage class
    Table. StorageClass detailed information items

Delete StorageClass

To delete a storage class, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click StorageClass under the Storage menu. Navigate to the StorageClass List page.
  3. On the StorageClass List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the StorageClass List page, select the item you want to delete. Navigate to the StorageClass Details page.
  5. On the StorageClass Details page, click Delete StorageClass.
  6. When the notification dialog appears, click the Confirm button.
    Caution
    On the storage class list page, after selecting the item you want to delete, click Delete to delete the selected storage class.

1.2.6 - Configuration Management

When values inside a container change across environments such as development and production, building a separate image for each environment just to set environment variables is inconvenient and costly. In Kubernetes, you can manage environment variables and configuration values outside the image so that they can be changed externally and injected when a Pod is created. ConfigMaps and Secrets are used for this purpose.

Reference

ConfigMaps and Secrets are set by default to the cluster (namespace) selected when creating the service. Even if you select a different item in the list, the default cluster (namespace) setting is retained.

  • To select a different cluster (namespace), click the gear button on the right side of the list.
    • In the Cluster/Namespace Settings popup window, select the cluster and namespace to change, and click the Confirm button.
    • You can view the ConfigMaps and Secrets created in the selected cluster/namespace.

Managing ConfigMaps

Configuration information used in a namespace can be defined and managed in a ConfigMap.

Create ConfigMap

To create a ConfigMap, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click ConfigMap under the Configuration menu. Navigate to the ConfigMap List page.
  3. On the ConfigMap List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information on the concept of ConfigMaps and object creation, refer to the Kubernetes official documentation > ConfigMap.

View ConfigMap detailed information

To view detailed ConfigMap information, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click ConfigMap under the Configuration menu. Navigate to the ConfigMap List page.
  3. On the ConfigMap List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the ConfigMap List page, select the item you want to view detailed information for. Go to the ConfigMap Details page.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete ConfigMap | Delete the ConfigMap
    Detailed Information | Detailed ConfigMap information can be viewed
    YAML | The resource file of a ConfigMap can be edited in the YAML editor
      • Click the Edit button, modify the resource, then click the Done button to apply the changes
      • When editing content, you can click the Diff button to view the changed content
    Event | Check events that occurred in the ConfigMap
    Account Information | Check basic information about the Account, such as name, location, and creation time
    Metadata Information | Check the metadata information of the ConfigMap
    Object Information | Check the object information of the ConfigMap
      • Data rows are separated with - - -, and each value is displayed in a textarea format
      • For binary data, the length of the value is displayed instead of the value
    Table. ConfigMap detailed information items

Delete ConfigMap

To delete a ConfigMap, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click ConfigMap under the Configuration menu. Go to the ConfigMap List page.
  3. On the ConfigMap List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the ConfigMap List page, select the item you want to delete. Navigate to the ConfigMap Details page.
  5. On the ConfigMap Details page, click Delete ConfigMap.
  6. When the notification confirmation window appears, click the Confirm button.
Caution
On the ConfigMap list page, after selecting the item you want to delete, click Delete to delete the selected ConfigMap.

Managing Secrets

Using secrets allows you to securely store and manage sensitive information such as passwords, OAuth tokens, and SSH keys.
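
The manifests below are an added example, not part of the original guide. They show the pattern described at the start of this chapter: one image, with non-sensitive settings injected from a ConfigMap as environment variables and credentials supplied from a Secret. All names, keys, values, the namespace demo and the image reference are assumptions.

```yaml
# Added example: every name, key, value and the image are constructed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: app-config
  namespace: demo
data:
  LOG_LEVEL: "info"                       # differs per environment, image stays the same
  API_BASE_URL: "https://api.example.com"
---
apiVersion: v1
kind: Secret
metadata:
  name: db-credentials
  namespace: demo
type: Opaque
stringData:                               # plain text on input; stored base64-encoded under data
  username: "app"
  password: "REPLACE_WITH_REAL_VALUE"     # placeholder; keep real values out of version control
---
apiVersion: v1
kind: Pod
metadata:
  name: app
  namespace: demo
spec:
  containers:
    - name: app
      image: registry.example.com/app:1.0 # hypothetical image
      envFrom:
        - configMapRef:
            name: app-config              # each key becomes an environment variable
      volumeMounts:
        - name: db-credentials
          mountPath: /etc/app/secrets     # keys appear as files: username, password
          readOnly: true
  volumes:
    - name: db-credentials
      secret:
        secretName: db-credentials
```

The Secret is mounted as read-only files rather than environment variables so the values do not appear in the container's process environment.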

Create Secret

To create a secret, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Secret under the Configuration menu. Go to the Secret List page.
  3. On the Secret List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. In the Object Creation Popup, enter the object information and click the Confirm button.
Reference
For detailed information on the concept of Secrets and object creation, please refer to the Kubernetes official documentation > Secrets.

Check secret detailed information

To view the secret details, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Secret under the Configuration menu. Go to the Secret List page.
  3. On the Secret List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Secret List page, select the item you want to view detailed information for. Go to the Secret Details page.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete Secret | Delete the secret
    Detailed Information | Detailed information of the secret can be viewed
    YAML | The secret's resource file can be edited in the YAML editor
      • Click the Edit button, modify the resource, then click the Done button to apply the changes
      • When editing content, you can click the Diff button to view the changed content
    Event | View events that occurred within the secret
    Account Information | Check basic information about the Account, such as name, location, and creation timestamp
    Metadata Information | Check the secret's metadata information
    Object Information | Check the secret object's information
    Table. Secret detailed information items

Delete secret

To delete the secret, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Navigate to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Secret under the Configuration menu. Go to the Secret List page.
  3. On the Secret List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Secret List page, select the item you want to delete. Navigate to the Secret Details page.
  5. On the Secret Details page, click Delete Secret.
  6. When the notification confirmation window appears, click the Confirm button.
Caution
On the secret list page, after selecting the item you want to delete, click Delete to delete the selected secret.

1.2.7 - Manage Permissions

When multiple users access a Kubernetes cluster, you can assign permissions for specific APIs or namespaces to define access scopes. You can apply Kubernetes’ role-based access control (RBAC) feature to set permissions for each cluster or namespace. You can create and manage ClusterRoles, ClusterRoleBindings, Roles, and RoleBindings.

Reference

ClusterRole, ClusterRoleBinding, Role, and RoleBinding services are set by default to the cluster (namespace) selected when creating the service. Even if you select a different item in the list, the default cluster (namespace) setting is retained.

  • To select a different cluster (namespace), click the gear button on the right side of the list.
    • In the Cluster/Namespace Settings popup window, select the cluster and namespace you want to change, and click the Confirm button.
    • You can view the services created in the selected cluster/namespace.

Managing Cluster Roles

You can set and manage access permissions at the cluster level. You can also set permissions for APIs or resources that are not limited to a namespace.

Create ClusterRole

To create a cluster role, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Cluster Role under the Permissions menu. Go to the Cluster Role List page.
  3. On the Cluster Role List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information about ClusterRoles, refer to the Kubernetes official documentation > Using RBAC Authorization.

Check detailed information of the cluster role

To view detailed information about the cluster role, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Cluster Role under the Permissions menu. Go to the Cluster Role List page.
  3. On the Cluster Role List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Cluster Role List page, select the item you want to view detailed information for. Navigate to the Cluster Role Details page.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete ClusterRole | Delete the ClusterRole
    Detailed Information | View detailed information of the cluster role
    YAML | The resource file of the ClusterRole can be edited in the YAML editor
      • Click the Edit button, modify the resource, then click the Done button to apply the changes
      • When editing content, click the Diff button to view the changes
    Event | Check events that occurred within the cluster role
    Account Information | Check basic information about the Account, such as name, location, and creation time
    Metadata Information | Check the metadata information of the ClusterRole
    Policy Rule Information | View the policy rule information of a ClusterRole
      • Resources: List of resources to which the rule applies
      • Non-Resource URLs: The set of partial URLs that a user needs to access
        • * is allowed, but only as the final segment of the entire path
        • Non-resource URLs are not namespaced, so this field can only be used in a ClusterRole referenced by a ClusterRoleBinding
        • A rule can apply to an API resource (e.g., “pods” or “secrets”) or a non-resource URL path (e.g., “/api”), but not to both
      • Resource Names: An optional whitelist of names that the rule applies to. An empty set means everything is allowed
    Table. Cluster role detailed information items

Delete cluster role

To delete the cluster role, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Cluster Role under the Permissions menu. Navigate to the Cluster Role List page.
  3. On the Cluster Role List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Cluster Role List page, select the item you want to delete. Navigate to the Cluster Role Details page.
  5. On the Cluster role details page, click Delete cluster role.
  6. When the notification confirmation window appears, click the Confirm button.
Caution
On the cluster role list page, after selecting the item you want to delete, click Delete to delete the selected cluster role.

Managing ClusterRoleBinding

You can create and manage a cluster role binding by linking a cluster role with a specific target.

Create ClusterRoleBinding

To create a ClusterRoleBinding, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click ClusterRoleBinding under the Permissions menu. Navigate to the ClusterRoleBinding List page.
  3. On the ClusterRoleBinding List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information about cluster role binding, see the Kubernetes official documentation > Using RBAC Authorization.

View detailed information of ClusterRoleBinding

To view detailed information about the cluster role binding, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Navigate to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click ClusterRoleBinding under the Permissions menu. Navigate to the ClusterRoleBinding List page.
  3. On the ClusterRoleBinding List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the ClusterRoleBinding List page, select the item you want to view details for. Navigate to the ClusterRoleBinding Details page.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete ClusterRoleBinding | Delete the cluster role binding
    Detailed Information | View detailed information of the ClusterRoleBinding
    YAML | The resource file of the cluster role binding can be edited in the YAML editor
      • Click the Edit button, modify the resource, then click the Done button to apply the changes
      • When editing content, click the Diff button to view the changed content
    Event | Check the events that occurred within the ClusterRoleBinding
    Account Information | Check basic information about the Account, such as name, location, and creation time
    Metadata Information | Check the metadata information of the ClusterRoleBinding
    Role/Target Information | Check the role and target information of the ClusterRole
    Table. Cluster Role Binding detailed information items

Delete ClusterRoleBinding

To delete a ClusterRoleBinding, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Navigate to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click ClusterRoleBinding under the Permissions menu. Go to the ClusterRoleBinding List page.
  3. On the ClusterRoleBinding List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the ClusterRoleBinding List page, select the item you want to delete. Navigate to the ClusterRoleBinding Details page.
  5. On the Cluster Role Binding Details page, click Delete Cluster Role Binding.
  6. When the notification confirmation window appears, click the Confirm button.
Caution
On the ClusterRoleBinding list page, after selecting the item you want to delete, click Delete to delete the selected ClusterRoleBinding.

Manage roles

A role is a rule that specifies permissions for a specific API or resource. You can create and manage permissions that allow access only to the namespace to which the role belongs.

Create role

To create a role, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Role under the Permissions menu. Go to the Role List page.
  3. On the Role List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information about roles, refer to the Kubernetes official documentation > Using RBAC Authorization.

Check role detailed information

To view detailed role information, follow the steps below.

  1. Click the All Services > Container > Kubernetes Engine menu. Go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Role under the Permissions menu. Go to the Role List page.
  3. On the Role List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Role List page, select the item you want to view detailed information for. Navigate to the Role Details page.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries will be displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete Role | Delete the role
    Detailed Information | View detailed information of the role
    YAML | The resource file of the Role can be edited in the YAML editor
      • Click the Edit button, modify the resource, then click the Done button to apply the changes
      • When editing content, click the Diff button to view the changes
    Event | Check events that occurred within the role
    Account Information | Check basic information about the Account, such as name, location, and creation date and time
    Metadata Information | Check the role's metadata information
    Policy Rule Information | View Role policy rule information
      • Resources: List of resources to which the rule applies
      • Non-Resource URLs: The set of partial URLs that a user may access
        • * is allowed, but only as the final segment of the path
        • Non-resource URLs are not namespaced, so this field can only be used in a ClusterRole referenced by a ClusterRoleBinding
        • A rule can apply to an API resource (e.g., “pods” or “secrets”) or a non-resource URL path (e.g., “/api”), but not both
      • Resource Names: An optional whitelist of names the rule applies to; an empty set means all are allowed
    Table. Role detailed information items

Delete role

To delete the role, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Role under the Permissions menu to go to the Role List page.
  3. On the Role List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Role List page, select the item you want to delete to open the Role Details page.
  5. On the Role Details page, click Delete Role.
  6. When the notification confirmation window appears, click the Confirm button.
Caution
On the Role List page, you can select the item you want to delete and click Delete to delete the selected role.

Managing Role Bindings

You can create and manage role bindings by linking a role to a specific subject.

Create RoleBinding

To create a role binding, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Role Binding under the Permissions menu to go to the Role Binding List page.
  3. On the Role Binding List page, select the cluster and namespace from the gear button at the top left, then click Create Object.
  4. Enter the object information in the Object Creation Popup and click the Confirm button.
Reference
For detailed information about RoleBinding, refer to the Kubernetes official documentation > Using RBAC Authorization.

View detailed role binding information

To view detailed role binding information, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Role Binding under the Permissions menu to go to the Role Binding List page.
  3. On the Role Binding List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Role Binding List page, select the item you want to view detailed information for to go to the Role Binding Details page.
    • If you select Show system objects at the top of the list, all items except the Kubernetes object entries are displayed.
  5. Click each tab to view the service information.
    Category | Detailed description
    Delete Role Binding | Delete the role binding
    Detailed Information | View detailed information of the role binding
    YAML | The resource file of the RoleBinding can be edited in a YAML editor
      • Click the Edit button, modify the resource, then click the Done button to apply the changes
      • When editing content, you can click the Diff button to view the changes
    Event | Check events that occurred within the role binding
    Account Information | Check basic information about the Account, such as name, location, creation time, etc.
    Metadata Information | Check the metadata information of the role binding
    Role/Target Information | Check the role and target information
    Table. Role binding detailed information items

Delete Role Binding

To delete the role binding, follow these steps.

  1. Click the All Services > Container > Kubernetes Engine menu to go to the Service Home page of Kubernetes Engine.
  2. On the Service Home page, click Role Binding under the Permissions menu to go to the Role Binding List page.
  3. On the Role Binding List page, select the cluster and namespace from the gear button at the top left, then click Confirm.
  4. On the Role Binding List page, select the item you want to delete to go to the Role Binding Details page.
  5. On the Role Binding Details page, click Delete Role Binding.
  6. When the notification dialog appears, click the Confirm button.
Caution
On the Role Binding List page, you can select the item you want to delete and click Delete to remove the selected role binding.

1.3 - Kubernetes Engine Usage Guide

This section provides a guide for using Kubernetes Engine.

Kubernetes Engine Utilization Guide

The Kubernetes Engine usage guide covers the following topics. For more details, refer to each guide.

Guide | Description
Access the cluster | kubectl installation and usage guide, kubeconfig download, login method using kubectl plugin
Authentication and Authorization | Explains the authentication and authorization features and how to integrate them with Kubernetes Engine and IAM
Configure a LoadBalancer type service | Guide to configuring a Service of type LoadBalancer using a Service manifest file
Considerations when using | Explanation of constraints when using SKE
Version information | Kubernetes version and support period description
Table. Description of the Kubernetes Engine Utilization Guide

1.3.1 - Access Cluster

kubectl Installation and Usage

After creating a Kubernetes Engine service, you can use the Kubernetes command-line tool kubectl to execute commands against your Kubernetes cluster. With kubectl, you can deploy applications, inspect and manage cluster resources, and view logs. You can find how to install and use kubectl in the official Kubernetes documentation.

Reference

You must use a kubectl version that is within one minor version of the cluster version. For example, if the cluster version is 1.30, you can use kubectl versions 1.29, 1.30, or 1.31.

To access a Kubernetes cluster with kubectl, you need a kubeconfig file that contains the Kubernetes server address and authentication information.

Reference
For detailed information on Kubernetes authentication and authorization, refer to Authentication and Authorization.

Kubernetes Engine supports authentication via admin certificate kubeconfig and user authentication key kubeconfig.

Admin certificate kubeconfig

This kubeconfig uses the admin certificate as the authentication method when accessing the Kubernetes API.

Download admin kubeconfig

On the Kubernetes Engine > Cluster List > Cluster Details page, click the Admin kubeconfig download button to download the kubeconfig file.

Caution
  • Downloading the admin kubeconfig is allowed only for Admin.
  • There are separate private endpoint and public endpoint versions, and each can be downloaded only once.

Use admin kubeconfig

Reference
  • By default, kubectl looks for a file named config in the $HOME/.kube directory. You can also set the KUBECONFIG environment variable or specify the --kubeconfig flag to use a different kubeconfig file.
  • Private endpoints are, by default, only accessible from the nodes of the respective cluster. For resources in the same account and the same region, you can allow access by adding them to the private endpoint access control settings.
  • If you need to access the cluster from the external internet, setting public endpoint access to enabled allows you to access it using the public endpoint kubeconfig.

User authentication key kubeconfig

This kubeconfig uses the user’s Open API authentication key as the credential when accessing the Kubernetes API.

User kubeconfig download

On the Kubernetes Engine > Cluster List > Cluster Details page, click the User kubeconfig download button to download the kubeconfig file.

Caution
  • Downloading a user’s kubeconfig is allowed only for users with cluster read permissions.
  • There are separate private endpoint and public endpoint versions.
  • Since the downloaded kubeconfig file does not contain the authentication key token, you must add the authentication key token information before using it. (See the next section.)

Add authentication key token to the user kubeconfig file

Below is an example of a user kubeconfig file. To use the kubeconfig file, you must add the authentication key token (AUTHKEY_TOKEN) information to the token field inside the file.

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...
    server: https://my-cluster-a1c3e.ske.xxx.samsungsdscloud.com:6443
  name: my-cluster-a1c3e
contexts:
- context:
    cluster: my-cluster-a1c3e
    user: jane.doe
  name: jane.doe@my-cluster-a1c3e
current-context: jane.doe@my-cluster-a1c3e
kind: Config
preferences: {}
users:
- name: jane.doe
  user:
    token: <AUTHKEY_TOKEN> # Required: replace with your AUTHKEY_TOKEN value
Code block. Example of a user kubeconfig file

AUTHKEY_TOKEN can be generated by concatenating the ACCESS_KEY and SECRET_KEY of the authentication key with a colon (:) and then Base64 encoding it. The following is an example of creating an AUTHKEY_TOKEN in a Linux environment.

$ ACCESS_KEY=5df418813aed051548a72f4a814cf09e
$ SECRET_KEY=6ba7b810-9dad-11d1-80b4-00c04fd430c8
$ AUTHKEY_TOKEN=$(echo -n "$ACCESS_KEY:$SECRET_KEY" | base64 -w0)
$ echo "$AUTHKEY_TOKEN"
NWRmNDE4ODEzYWVkMDUxNTQ4YTcyZjRhODE0Y2YwOWU6NmJhN2I4MTAtOWRhZC0xMWQxLTgwYjQtMDBjMDRmZDQzMGM4
Code block. Example of generating AUTHKEY_TOKEN value
Reference
  • For detailed information on generating authentication keys, refer to API Reference > Common > Samsung Cloud Platform Open API Call Procedure.
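
The token construction described above can be checked before the value goes into the kubeconfig. The following Python sketch is an added example, not Samsung Cloud Platform code: it rebuilds the token from the sample key pair on this page and reports the mistakes that leave a token not matching the key pair (placeholder left in place, wrapped Base64, a newline from echo without -n, truncation). The function names and the kubeconfig fragment are assumptions made for illustration.

```python
import base64
import binascii
import re

PLACEHOLDER = "<AUTHKEY_TOKEN>"
# Simple line scan for "token:" entries; a sketch, not a full YAML parser.
TOKEN_LINE = re.compile(r"^\s*token:\s*(.*?)\s*(?:#.*)?$")

# Key pair taken from the example on this page; the kubeconfig fragment is constructed.
ACCESS_KEY = "5df418813aed051548a72f4a814cf09e"
SECRET_KEY = "6ba7b810-9dad-11d1-80b4-00c04fd430c8"
SAMPLE_KUBECONFIG = """\
users:
- name: jane.doe
  user:
    token: <AUTHKEY_TOKEN> #### Writing required
"""


def build_authkey_token(access_key: str, secret_key: str) -> str:
    """Base64("ACCESS_KEY:SECRET_KEY") on one line, with no trailing newline."""
    raw = f"{access_key}:{secret_key}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def diagnose_token(token: str) -> list:
    """Return the problems found in a token value; an empty list means well formed."""
    if not token.strip() or token.strip() == PLACEHOLDER:
        return ["token is empty or still the <AUTHKEY_TOKEN> placeholder"]
    problems = []
    if any(ch.isspace() for ch in token):
        # GNU base64 without -w0 wraps its output at 76 columns.
        problems.append("token contains whitespace or line breaks")
    compact = "".join(token.split())
    try:
        decoded = base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return problems + ["token is not valid Base64 text"]
    if decoded.endswith("\n"):
        # echo without -n appends a newline that becomes part of the secret.
        problems.append("decoded value ends with a newline")
    access_key, sep, secret_key = decoded.rstrip("\r\n").partition(":")
    if not (sep and access_key and secret_key):
        problems.append("decoded value is not ACCESS_KEY:SECRET_KEY")
    return problems


def check_kubeconfig(text: str) -> dict:
    """Map each token value found in a kubeconfig to its list of problems."""
    report = {}
    for line in text.splitlines():
        match = TOKEN_LINE.match(line)
        if match:
            value = match.group(1).strip("'\"")
            report[value] = diagnose_token(value)
    return report


if __name__ == "__main__":
    good = build_authkey_token(ACCESS_KEY, SECRET_KEY)
    with_newline = base64.b64encode(f"{ACCESS_KEY}:{SECRET_KEY}\n".encode()).decode()
    samples = [("good", good), ("echo without -n", with_newline), ("truncated", good[:-1])]
    for label, tok in samples:
        print(label, diagnose_token(tok))
    print(check_kubeconfig(SAMPLE_KUBECONFIG))
```

The token is only Base64-encoded, so anyone who can read the kubeconfig file recovers the SECRET_KEY; keep the file readable by its owner only.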

User kubeconfig execution example

The following examples show the results of running kubectl with the user kubeconfig.

When access is blocked by access control or a firewall

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
Unable to connect to the server: dial tcp 123.123.123.123:6443: i/o timeout
Code block. Example execution when access is blocked by access control or firewall.

When authentication fails because the AUTHKEY_TOKEN does not match

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
error: You must be logged in to the server (Unauthorized)
Code block. Example execution when authentication fails because the AUTHKEY_TOKEN does not match.

When AUTHKEY_TOKEN authentication succeeds

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
...
kube-node-lease    Active 10d
kube-public        Active 10d
kube-system        Active 10d
Code block. Example execution when AUTHKEY_TOKEN authentication succeeds

When AUTHKEY_TOKEN authentication succeeds but the user lacks permission

$ kubectl --kubeconfig=user-kubeconfig.yaml get nodes
Error from server (Forbidden): nodes is forbidden: User "jane.doe" cannot list resource "nodes" in API group "" at the cluster scope
Code block. Example execution when AUTHKEY_TOKEN authentication succeeds but the user lacks permission.
Reference
If AUTHKEY_TOKEN authentication succeeds but the user lacks permission, the authentication process completed correctly, but the user has not been granted (authorized) permission to perform the requested operation. For detailed information about authorization, see Authentication and Authorization.

1.3.2 - Authentication and Authorization

Kubernetes Engine applies Kubernetes authentication and RBAC authorization features. This section explains how Kubernetes authentication and authorization functions integrate with Kubernetes Engine and IAM.

Kubernetes authentication and authorization

This section describes Kubernetes authentication and RBAC authorization features.

Authentication

The Kubernetes API server obtains the information required for authenticating a user (User) or a service account (ServiceAccount) from certificates or authentication tokens, and then carries out the authentication process.

Reference
For a detailed explanation of Kubernetes authentication, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/authentication/
Reference
For detailed information on using kubectl and kubeconfig, refer to Accessing the Cluster.

Authorization

The Kubernetes API server uses the user information obtained through the authentication process to verify, via RBAC-related objects, whether the user has permission for the requested operation. There are four types of RBAC-related objects, as follows.

Object | Scope | Description
ClusterRole | cluster-wide | Defines permissions across all namespaces in the cluster
ClusterRoleBinding | cluster-wide | Defines the binding between a ClusterRole and a user
Role | namespace | Defines permissions for a specific namespace
RoleBinding | namespace | Defines the binding between a ClusterRole or Role and a user
Table. RBAC related objects
Reference
For detailed information on Kubernetes RBAC authorization, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Role

Kubernetes defines several cluster roles by default. Some of those cluster roles do not include the prefix (system:). These are cluster roles intended for user use. This includes a superuser role (cluster-admin) applied to the entire cluster using a ClusterRoleBinding, and roles (admin, edit, view) applied to a specific namespace using a RoleBinding.

Default cluster role | Default ClusterRoleBinding | Description
cluster-admin | system:masters group | Allows superuser access that can perform any operation on all resources.
  • When used in a ClusterRoleBinding, it grants full control over every resource in the cluster and in all namespaces.
  • When used in a RoleBinding, it grants full control over every resource in the role binding's namespace, including the namespace itself.
admin | None | Allows administrator access, intended to be granted within a namespace using a role binding. When used in a role binding, it grants read/write access to most resources within the namespace, including the ability to create roles and role bindings inside the namespace. This role does not permit write access to resource quotas or the namespace itself.
edit | None | Allows read/write access to most objects within the namespace.
  • This role does not permit viewing or modifying roles and role bindings. However, because this role can access secrets and run pods as any service account in the namespace, it can obtain the API access level of any service account in the namespace.
view | None | Allows read-only access to view most objects within a namespace. Roles or role bindings cannot be viewed.
  • This role does not permit viewing secrets. Reading the contents of a secret would grant access to the credentials of a service account in the namespace, which could then allow API access as any service account in the namespace (a form of privilege escalation).
Table. Description of default cluster roles and cluster role bindings
Reference
For detailed information about user-facing roles, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

If necessary, you can define additional roles (or cluster roles) beyond the default cluster role, as shown below.

# A role that grants permission to view pods in the "default" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
Code block. Role that grants permission to view pods within a namespace
# Cluster role that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
Code block. Cluster role that grants permission to view nodes
Reference
For detailed explanations about roles and cluster roles, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole

Role Binding

To manage access to the Kubernetes Engine using Samsung Cloud Platform IAM, you need to understand the relationship between Kubernetes role bindings and IAM. The subjects of a role binding (or cluster role binding) may include individual users (User) or groups (Group).

  • User corresponds to the Samsung Cloud Platform username, and Group corresponds to the IAM user group name, respectively.

For RoleBinding/ClusterRoleBinding, subjects.kind can be set to one of the following.

  • User: Linked to an individual Samsung Cloud Platform user.
  • Group: Linked to a Samsung Cloud Platform IAM user group.
Reference
In addition, you can also specify a service account, but service accounts are generally not for end users and cannot be linked to a Samsung Cloud Platform user.

The subjects.name of a role binding/cluster role binding can be specified as follows.

  • For a User: the individual Samsung Cloud Platform username (e.g., jane.doe)
  • For a Group: the Samsung Cloud Platform IAM user group name (e.g., ReadPodsGroup)

Reference
subjects.name is case-sensitive.

In this way, the IAM user group is linked to the group defined in the RoleBinding (or ClusterRoleBinding) of the Kubernetes Engine cluster. The group is thereby granted permission to perform the API actions included in the Role (or ClusterRole) referenced by that binding.

Example) role binding read-pods #1

The following example specifies a User (an individual Samsung Cloud Platform user) in a role binding.

# This role binding allows the user "jane.doe" to view pods in the "default" namespace.
# The namespace must have a role named "pod-reader".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  # The "roleRef" specifies the link to a Role or ClusterRole.
  kind: Role       # Must be Role or ClusterRole.
  name: pod-reader # Must match the name of the Role or ClusterRole you want to bind to.
  apiGroup: rbac.authorization.k8s.io
subjects:
# You can specify one or more subjects.
- kind: User
  name: jane.doe
  apiGroup: rbac.authorization.k8s.io
Code block. Example of specifying a User (individual Samsung Cloud Platform user) in a role binding

When a role binding like the above is created in the cluster, a user whose username is jane.doe is granted permission to perform the API actions defined in the pod-reader role.

Example) role binding read-pods #2

The following example specifies a Group (an IAM user group) in a role binding.

# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# The namespace must have a role called "pod-reader".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
# You can specify one or more subjects.
- kind: Group
  name: ReadPodsGroup
  apiGroup: rbac.authorization.k8s.io
Code block. Example of a RoleBinding that allows the ReadPodsGroup group to list pods.

If a role binding like the above is created in the cluster, users in the IAM user group ReadPodsGroup are granted permission to perform the API actions defined in the role pod-reader.

Example) ClusterRoleBinding read-nodes

# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ReadNodesGroup
  apiGroup: rbac.authorization.k8s.io
Code block. Example of a cluster role binding that allows node read access for the ReadNodesGroup group.

When a cluster role binding like the above is created in the cluster, users belonging to the IAM user group ReadNodesGroup are granted permission to perform the API actions defined in the cluster role node-reader.

Reference
For detailed instructions on creating role bindings, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-binding-examples

Predefined roles and role bindings for Samsung Cloud Platform

In the Kubernetes Engine of Samsung Cloud Platform, the cluster role bindings scp-cluster-admin, scp-view, and scp-namespace-view, and the cluster role scp-namespace-view, are predefined. The table below shows the predefined roles and role bindings for Samsung Cloud Platform and how they relate to Samsung Cloud Platform users. Here, the cluster roles cluster-admin and view are predefined within the Kubernetes cluster. For more details, see Role.

ClusterRoleBinding | ClusterRole | subjects (user)
scp-cluster-admin | cluster-admin | Cluster creator username (e.g., jane.doe)
scp-view | view | -
scp-namespace-view | scp-namespace-view | All users authenticated to this cluster
Table. Predefined roles and role bindings for Samsung Cloud Platform, user relationships
  • Through the cluster role binding scp-cluster-admin, the Kubernetes Engine service creator is granted cluster admin privileges.
  • Users or groups registered in the cluster role binding scp-view are granted cluster viewer permissions. It is bound to the predefined Kubernetes cluster role view, and does not grant access to cluster-scoped resources (e.g., namespaces, nodes, ingress classes, etc.) or to secrets within a namespace. For more details, see Role.
  • Through the cluster role binding scp-namespace-view, all users authenticated to the cluster are granted permission to view namespaces.
Reference
  • Predefined roles and role bindings for Samsung Cloud Platform are created once during cluster service creation.
  • Users can modify or delete the predefined cluster role bindings and cluster roles for Samsung Cloud Platform as needed.

The details of the predefined roles and role bindings for Samsung Cloud Platform are as follows.

ClusterRoleBinding scp-cluster-admin

Cluster role binding scp-cluster-admin is linked to the cluster role cluster-admin, and is bound to the Samsung Cloud Platform user (Kubernetes Engine cluster creator) according to the subjects field.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User
  name: jane.doe # cluster creator username
  apiGroup: rbac.authorization.k8s.io
Code block. Cluster role binding scp-cluster-admin example

ClusterRoleBinding scp-view

ClusterRoleBinding scp-view is bound to the ClusterRole view, and you can add Samsung Cloud Platform users or IAM user groups to the subjects field.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-view
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
Code block. ClusterRoleBinding scp-view example

ClusterRole and ClusterRoleBinding scp-namespace-view

The cluster role scp-namespace-view defines view permissions for namespaces. The cluster role binding scp-namespace-view is bound to the cluster role scp-namespace-view, granting namespace read permissions to all authenticated users in the cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scp-namespace-view
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-namespace-view
roleRef:
  kind: ClusterRole
  name: scp-namespace-view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
Code block. Cluster role and cluster role binding scp-namespace-view example

IAM user group RBAC use case

This section gives examples of granting permissions for each major user scenario. The IAM user groups, ClusterRoleBinding/RoleBinding, and ClusterRole names presented here are just examples to aid understanding. Administrators should define and apply appropriate names and permissions as needed.

Scope | Use case | IAM user group | ClusterRoleBinding/RoleBinding | ClusterRole | Remarks
cluster | Cluster Administrator | ClusterAdminGroup | ClusterRoleBinding cluster-admin-group | cluster-admin | Administrator for a specific cluster
cluster | Cluster Editor | ClusterEditGroup | ClusterRoleBinding cluster-edit-group | edit | Editor for a specific cluster
cluster | Cluster Viewer | ClusterViewGroup | ClusterRoleBinding cluster-view-group | view | Viewer for a specific cluster
namespace | Namespace Administrator | NamespaceAdminGroup | RoleBinding namespace-admin-group | admin | Administrator for a specific namespace
namespace | Namespace Editor | NamespaceEditGroup | RoleBinding namespace-edit-group | edit | Editor for a specific namespace
namespace | Namespace Viewer | NamespaceViewGroup | RoleBinding namespace-view-group | view | Viewer for a specific namespace
Table. Example of binding IAM user groups and cluster role users by use case
Reference
The cluster roles (cluster-admin, admin, edit, view) shown in the table are predefined within the Kubernetes cluster. For more details, see Role.
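
Because these bindings decide who can read secrets and in which namespaces, it helps to review them as a set. The following Python sketch is an added example, not Samsung Cloud Platform code: it audits binding objects shaped like the items returned by kubectl get clusterrolebindings,rolebindings -A -o json and reports cluster-wide grants of secret-reading roles, grants to every authenticated user, and subject names that differ from an IAM name only by case. The sample bindings, the open-view binding, the IAM name list, and the rule names are constructed for illustration.

```python
from typing import NamedTuple

# Default ClusterRoles that include read access to Secrets.
SECRET_READING_ROLES = {"cluster-admin", "admin", "edit"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}
# Narrow roles expected on the broad groups: Kubernetes defaults plus the
# scp-namespace-view role described on this page.
EXPECTED_BROAD_ROLES = {"scp-namespace-view", "system:basic-user",
                        "system:discovery", "system:public-info-viewer"}


class Finding(NamedTuple):
    rule: str
    binding: str
    subject: str
    detail: str


def audit_bindings(items, iam_names):
    """Review RoleBinding/ClusterRoleBinding objects against known IAM names."""
    by_lower = {name.lower(): name for name in iam_names}
    findings = []
    for item in items:
        kind, meta = item["kind"], item["metadata"]
        namespace = meta.get("namespace")
        label = f"{kind}/{meta['name']}" + (f" (ns {namespace})" if namespace else "")
        role = item["roleRef"]["name"]
        # A binding such as scp-view may have no subjects at all.
        for subject in item.get("subjects") or []:
            name, subject_kind = subject["name"], subject["kind"]
            if kind == "ClusterRoleBinding" and role in SECRET_READING_ROLES:
                findings.append(Finding(
                    "CLUSTER_WIDE_SECRETS", label, name,
                    f"'{role}' bound cluster-wide can read secrets in every namespace"))
            if (subject_kind == "Group" and name in BROAD_GROUPS
                    and role not in EXPECTED_BROAD_ROLES):
                findings.append(Finding(
                    "BROAD_SUBJECT", label, name,
                    f"'{role}' is granted to every user in {name}"))
            if subject_kind in ("User", "Group") and not name.startswith("system:"):
                known = by_lower.get(name.lower())
                if known is not None and known != name:
                    findings.append(Finding(
                        "CASE_MISMATCH", label, name,
                        f"IAM name is '{known}'; subjects.name is case-sensitive"))
    return findings


def _binding(kind, name, role, subjects, namespace=None):
    """Build one constructed sample object in the shape kubectl prints."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    obj = {"kind": kind, "metadata": meta,
           "roleRef": {"kind": "ClusterRole", "name": role}}
    if subjects:
        obj["subjects"] = [{"kind": k, "name": n} for k, n in subjects]
    return obj


# Constructed sample data: names follow this page except open-view and the
# lower-case group name, which are made up to trigger the checks.
SAMPLE_IAM_NAMES = ["jane.doe", "ClusterEditGroup", "NamespaceViewGroup"]
SAMPLE_BINDINGS = [
    _binding("ClusterRoleBinding", "scp-cluster-admin", "cluster-admin", [("User", "jane.doe")]),
    _binding("ClusterRoleBinding", "scp-view", "view", []),
    _binding("ClusterRoleBinding", "scp-namespace-view", "scp-namespace-view",
             [("Group", "system:authenticated")]),
    _binding("ClusterRoleBinding", "cluster-edit-group", "edit", [("Group", "ClusterEditGroup")]),
    _binding("ClusterRoleBinding", "open-view", "view", [("Group", "system:authenticated")]),
    _binding("RoleBinding", "namespace-view-group", "view",
             [("Group", "namespaceviewgroup")], namespace="dev"),
]

if __name__ == "__main__":
    for f in audit_bindings(SAMPLE_BINDINGS, SAMPLE_IAM_NAMES):
        print(f"{f.rule:22} {f.binding:44} {f.subject:22} {f.detail}")
```

A CLUSTER_WIDE_SECRETS finding on scp-cluster-admin is expected for the cluster creator; the value of the report is that every other subject holding such a role is listed next to it for review.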

Cluster Administrator

To create a cluster administrator, follow these steps.

  1. Create an IAM user group named ClusterAdminGroup.
  2. Create a cluster role binding with the following contents in the target cluster.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: cluster-admin-group
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: Group
      name: ClusterAdminGroup
      apiGroup: rbac.authorization.k8s.io
    Code block. Create cluster administrator
  • The binding is linked to the default cluster role cluster-admin, granting administrator privileges for that cluster.

Cluster Editor

To create a cluster editor, follow these steps.

  1. Create an IAM user group named ClusterEditGroup.
  2. Create a ClusterRoleBinding with the following specifications in the target cluster.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: cluster-edit-group
    roleRef:
      kind: ClusterRole
      name: edit
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: Group
      name: ClusterEditGroup
      apiGroup: rbac.authorization.k8s.io
    Code block. Create cluster editor
  • The binding is linked to the default cluster role edit, granting editor permissions for that cluster.

Cluster Viewer

To create a cluster viewer, follow these steps.

  1. Create an IAM user group named ClusterViewGroup.
  2. Create a ClusterRoleBinding with the following specifications in the target cluster.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: cluster-view-group
    roleRef:
      kind: ClusterRole
      name: view
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: Group
      name: ClusterViewGroup
      apiGroup: rbac.authorization.k8s.io
    Code block. Create cluster viewer
  • The binding is linked to the default cluster role view, granting viewer permissions for that cluster.

Namespace Administrator

To create a namespace administrator, follow these steps.

  1. Create an IAM user group named NamespaceAdminGroup.
  2. Create a RoleBinding with the following contents in the target cluster.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: namespace-admin-group
      namespace: <namespace_name>
    roleRef:
      kind: ClusterRole
      name: admin
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: Group
      name: NamespaceAdminGroup
      apiGroup: rbac.authorization.k8s.io
    Code block. Create namespace administrator
  • The binding references the cluster's default admin ClusterRole, granting administrator privileges for the namespace.

Namespace Editor

To create a namespace editor, follow these steps.

  1. Create an IAM user group named NamespaceEditGroup.
  2. Create a RoleBinding with the following specifications in the target cluster.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: namespace-edit-group
      namespace: <namespace_name>
    roleRef:
      kind: ClusterRole
      name: edit
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: Group
      name: NamespaceEditGroup
      apiGroup: rbac.authorization.k8s.io
    Code block. Create namespace editor
  • The binding references the cluster's default edit ClusterRole, granting editor permissions for the namespace.

Namespace Viewer

To create a namespace viewer, follow these steps.

  1. Create an IAM user group named NamespaceViewGroup.
  2. Create a RoleBinding with the following contents in the target cluster.
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: namespace-view-group
      namespace: <namespace_name>
    roleRef:
      kind: ClusterRole
      name: view
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: Group
      name: NamespaceViewGroup
      apiGroup: rbac.authorization.k8s.io
    Code block. Create namespace viewer
  • The binding references the cluster's default view ClusterRole, granting viewer permissions for the namespace.
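
The group bindings in this section can be checked for drift once they are in use. The following is an added example, not part of the original documentation: it audits RoleBinding and ClusterRoleBinding objects (parsed from manifests, or taken from the items of kubectl get clusterrolebindings,rolebindings -A -o json) against the group, role and scope pairs listed above. The function names, finding codes and sample bindings, including the team-a namespace, are constructed for illustration.

```python
# Expected (ClusterRole, scope) per IAM group, taken from the steps in this section.
EXPECTED = {
    "ClusterEditGroup": ("edit", "cluster"),
    "ClusterViewGroup": ("view", "cluster"),
    "NamespaceAdminGroup": ("admin", "namespace"),
    "NamespaceEditGroup": ("edit", "namespace"),
    "NamespaceViewGroup": ("view", "namespace"),
}


def audit_bindings(bindings):
    """Return sorted (binding name, group, code) findings.

    scope-widened         a namespace-level group is bound cluster-wide
    role-drift            roleRef is not the ClusterRole this section prescribes
    namespace-placeholder a RoleBinding manifest still carries <namespace_name>
    """
    findings = []
    for b in bindings:
        cluster_wide = b["kind"] == "ClusterRoleBinding"
        namespace = b["metadata"].get("namespace")
        ref = b["roleRef"]
        for subject in b.get("subjects") or []:
            group = subject.get("name")
            if subject.get("kind") != "Group" or group not in EXPECTED:
                continue
            want_role, want_scope = EXPECTED[group]
            name = b["metadata"]["name"]
            if cluster_wide and want_scope == "namespace":
                findings.append((name, group, "scope-widened"))
            if ref["kind"] != "ClusterRole" or ref["name"] != want_role:
                findings.append((name, group, "role-drift"))
            if not cluster_wide and (not namespace or "<" in namespace):
                findings.append((name, group, "namespace-placeholder"))
    return sorted(findings)


def binding(kind, name, role, group, namespace=None):
    """Build a binding object in the same shape as the manifests above."""
    metadata = {"name": name}
    if namespace is not None:
        metadata["namespace"] = namespace
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": kind,
        "metadata": metadata,
        "roleRef": {"kind": "ClusterRole", "name": role,
                    "apiGroup": "rbac.authorization.k8s.io"},
        "subjects": [{"kind": "Group", "name": group,
                      "apiGroup": "rbac.authorization.k8s.io"}],
    }


# Constructed sample: two bindings that match this section, three that do not.
SAMPLE = [
    binding("ClusterRoleBinding", "cluster-view-group", "view", "ClusterViewGroup"),
    binding("RoleBinding", "namespace-edit-group", "edit", "NamespaceEditGroup", "team-a"),
    # Namespace administrators bound with a ClusterRoleBinding: admin everywhere.
    binding("ClusterRoleBinding", "namespace-admin-group", "admin", "NamespaceAdminGroup"),
    # Viewer group pointed at the edit role.
    binding("RoleBinding", "namespace-view-group", "edit", "NamespaceViewGroup", "team-a"),
    # Template applied without replacing the placeholder.
    binding("RoleBinding", "namespace-view-group", "view", "NamespaceViewGroup",
            "<namespace_name>"),
]

if __name__ == "__main__":
    for name, group, code in audit_bindings(SAMPLE):
        print(f"{code:22} {name} ({group})")
```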

1.3.3 - Using type LoadBalancer service

Service Configuration Method

By creating and applying a Service manifest file (example: my-lb-svc.yaml), you can set up a Service of type LoadBalancer.

Caution
  • The LoadBalancer is created in the cluster subnet by default.
  • To create a LoadBalancer in a different Subnet, use the annotation service.beta.kubernetes.io/scp-load-balancer-subnet-id.
    • For more details, see Annotation detailed settings.

To create and apply a type LoadBalancer Service, follow the steps below.

  1. Create the Service manifest file my-lb-svc.yaml.

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
    spec:
      selector:
        app.kubernetes.io/name: MyApp
      ports:
        - protocol: TCP
          port: 80
          targetPort: 9376
          appProtocol: tcp # Refer to the LB service protocol type setting section
      type: LoadBalancer
    Code block. Service manifest file my-lb-svc.yaml example

  2. Deploy the Service manifest using the kubectl apply command.

    kubectl apply -f my-lb-svc.yaml
    Code block. Deploy the Service manifest using the kubectl apply command.

Caution
  • When a type LoadBalancer Service is created, the corresponding Load Balancer service is automatically created.
    • It may take a few minutes for the configuration to complete.
  • Do not arbitrarily modify the automatically generated Load Balancer service and LB server group.
    • Changes may be reverted or cause unexpected behavior.
  • For configurable detailed features, please refer to Annotation detailed settings.
  3. Use the kubectl get service command to verify the Load Balancer configuration.
    # kubectl get service my-lb-svc
    NAMESPACE     NAME         TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)         AGE
    default       my-lb-svc    LoadBalancer   172.20.49.206    123.123.123.123   80:32068/TCP    3m
    Code block. Verify Load Balancer configuration using the `kubectl get service` command

Protocol type

You can create a Service manifest and use it. The following is a simple example.

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    ...
  ports:
    - port: 80
      targetPort: 9376
      protocol: TCP    # required (choose one of TCP, UDP)
      appProtocol: tcp # optional (leave blank or select one of tcp, http, https)
  type: LoadBalancer   # type LoadBalancer
Code block. Example of Service manifest creation

The list of protocols (protocol and appProtocol) supported by the Load Balancer Service type in Kubernetes Engine, along with the corresponding settings applied to the Load Balancer service, is as follows.

| Category | (k8s) protocol | (k8s) appProtocol | (LB) Service classification | (LB) LB Listener | (LB) LB server group | (LB) health check |
|---|---|---|---|---|---|---|
| L4 TCP | TCP | (tcp) | L4 | TCP {port} | TCP {nodePort} | TCP {nodePort} |
| L4 UDP | UDP | - | L4 | UDP {port} | UDP {nodePort} | TCP {nodePort} |
| L7 HTTP | TCP | http | L7 | HTTP {port} | TCP {nodePort} | TCP/HTTP {nodePort} |
| L7 HTTPS | TCP | https | L7 | HTTPS {port} | TCP {nodePort} | TCP/HTTP {nodePort} |

Table. k8s Service manifest and Load Balancer service configuration
  • According to the k8s Service manifest spec, you can specify multiple ports for a single service.
Caution

Depending on the Load Balancer service type (L4, L7), you cannot mix protocol layers within a single Service.

  • In other words, L4 (TCP, UDP) and L7 (HTTP, HTTPS) cannot be used together in a single Service.

L4 Service Manifest Writing Example

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer
Code block. L4 Service manifest writing example

L7 Service Manifest Example

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-layer-type: "L7" # required
    service.beta.kubernetes.io/scp-load-balancer-client-cert-id: "24da35de187b450eb0cf09fb6fa146de" # required
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - appProtocol: http # required
      protocol: TCP
      port: 80
      targetPort: 9376
    - appProtocol: https # required
      protocol: TCP
      port: 443
      targetPort: 9898
  type: LoadBalancer
  
Code block. Example of L7 Service manifest creation

Annotation detailed settings

You can add annotations to the service manifest to configure detailed features.

apiVersion: v1
kind: Service
metadata:
  name: my-lb-svc
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled: "true"
    service.beta.kubernetes.io/scp-load-balancer-health-check-interval: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-timeout: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-count: "3"
    service.beta.kubernetes.io/scp-load-balancer-session-duration-time: "300"
spec:
  type: LoadBalancer
  ...
Code block. Example of adding annotation to service manifest
Reference
  • If you do not add an annotation to the service, that annotation’s default value is applied.
  • If the value of an annotation added to the service is not among the allowed values, the annotation’s default value is applied.

Below is a description of all annotations available for a type LoadBalancer service.

| annotation | Protocol | default | allowed value | example | Explanation |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-source-ranges-firewall-rules | All | false | true, false | false | Automatically add firewall rule (LB source ranges → LB service IP) |
| service.beta.kubernetes.io/scp-load-balancer-snat-healthcheck-firewall-rules | All | false | true, false | false | Automatically add firewall rules (LB Source NAT IP, HealthCheck IP → member IP:Port) • When you use this annotation, firewall rules are added for each port of the type LB service, so the firewall rules can become very numerous. • If the large number of firewall rules becomes a burden, you can instead add firewall rules manually without using this annotation. For example, you can add a firewall rule that targets the member IP’s NodePort range (30000-32767). |

Table. Firewall-related settings in Kubernetes annotations
| annotation | Protocol | default | allowed value | example | Explanation |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-security-group-id | All | - | UUID | 92d84b44-ee71-493d-9782-3a90481ce5f3 | Automatically add rules to the Security Group corresponding to the specified ID • When you use this annotation, rules are added to the Security Group for each port of the type LB service, so the Security Group rules can become very numerous. • If having too many Security Group rules is burdensome, you can alternatively add Security Group rules manually without using this annotation. For example, you can specify the target address as the Load Balancer’s Source NAT IP and health check IP, and add a Security Group rule that allows ports in the NodePort range (30000-32767). • Security Group rules added by this annotation are not automatically removed even if the annotation is deleted or modified. • You can add multiple entries separated by commas. (Example: ddc25ad8-6d3f-4242-8c86-2a059212ddc6,26ab7fe1-b3ea-4aa9-9e9d-35a7c237904e) • This annotation can be used together with the service.beta.kubernetes.io/scp-load-balancer-security-group-name annotation, and rules are automatically added to all Security Groups that meet the criteria. |
| service.beta.kubernetes.io/scp-load-balancer-security-group-name | All | - | string | security-group-1 | Automatically add rules to the Security Group corresponding to the specified Name • When you use this annotation, rules are added to the Security Group for each port of the type LB service, so the number of Security Group rules can become very large. • If the large number of Security Group rules is burdensome, you can alternatively add Security Group rules manually without using this annotation. For example, you can specify the target addresses as the Load Balancer’s Source NAT IP and health check IP, and add a Security Group rule that allows ports in the NodePort range (30000-32767). • Security Group rules added by this annotation are not automatically removed even if the annotation is deleted or modified. • Multiple entries can be added, separated by commas. (Example: security-group-1,security-group-2) • This annotation can be used together with the service.beta.kubernetes.io/scp-load-balancer-security-group-id annotation, and rules are automatically added to all Security Groups that meet the criteria. |

Table. Settings related to Security Group in Kubernetes annotations
| annotation | Protocol | default | allowed value | example | Explanation |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-layer-type | All | L4 | L4, L7 | L4 | Specify the service type of the Load Balancer • When using this annotation, specify L4 if you want to use TCP or UDP, and L7 if you want to use HTTP or HTTPS. • Cannot be changed after initial creation. To change it, you must recreate the service. |
| service.beta.kubernetes.io/scp-load-balancer-subnet-id | All | - | ID | 7f05eda5e1cf4a45971227c57a6d60fa | Specify the Service Subnet of the Load Balancer • If this annotation is not specified, the cluster’s Subnet is used. • Cannot be changed after initial creation. To change it, you must recreate the service. |
| service.beta.kubernetes.io/scp-load-balancer-service-ip | All | - | IP address | 192.168.10.7 | Specify the Service IP of the Load Balancer • Cannot be changed after initial creation. To change it, you must recreate the service. |
| service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled | All | false | true, false | false | Specify whether to use the Load Balancer’s Public NAT IP • If this annotation is set to true and service.beta.kubernetes.io/scp-load-balancer-public-ip-id is not specified, an IP is automatically assigned. • If this annotation is set to true and service.beta.kubernetes.io/scp-load-balancer-public-ip-id is specified, the Public IP corresponding to the specified ID is applied. |
| service.beta.kubernetes.io/scp-load-balancer-public-ip-id | All | - | ID | 4119894bd9614cef83db6f8dda667a20 | Specify the ID of the Public IP to be used as the Load Balancer’s Public NAT IP • If service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled is not set to true, this annotation is ignored. • If service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled is set to true and this annotation is specified, the Public IP corresponding to the specified ID is applied. |

Table. Load Balancer related settings in Kubernetes annotations
| annotation | Protocol | default | allowed value | example | Explanation |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-idle-timeout | HTTP, HTTPS | - | 60 - 3600 (60-second unit) | 600 | Specify the LB Listener’s idle-timeout (seconds) • If the annotation is not set or the value is not allowed (e.g., "", "0"), the default value (unused) is applied. • Cannot be changed from used to unused after use. To change it, you must recreate the service. • Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-session-duration-time. • Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-response-timeout. |
| service.beta.kubernetes.io/scp-load-balancer-session-duration-time | All | L4: 120; L7: - | L4 TCP: 60 - 3600 (60-second unit); L4 UDP: 60 - 180 (60-second unit); L7: 0 - 120 | 120 | Specify the LB Listener’s session-duration-time (seconds) • L4: If the annotation is not set or the value is not allowed, the default value ("120") is applied. (L4 cannot be unused) • L7: If the annotation is not set or the value is not allowed (e.g., "", "0"), the default (unused) is applied. • Cannot be changed from used to unused after deployment. To change it, you must recreate the service. • Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-idle-timeout. |
| service.beta.kubernetes.io/scp-load-balancer-response-timeout | HTTP, HTTPS | - | 0 - 120 | 60 | Specify the LB Listener response-timeout (seconds) • If the annotation is not set or the value is not allowed (e.g., "", "0"), the default (unused) is applied. • Cannot be changed from used to unused. To change it, you must recreate the service. • Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-idle-timeout. |
| service.beta.kubernetes.io/scp-load-balancer-insert-client-ip | TCP | false | true, false | false | Specify Insert Client IP for LB Listener |
| service.beta.kubernetes.io/scp-load-balancer-x-forwarded-proto | HTTP, HTTPS | false | true, false | false | Specify whether to use the X-Forwarded-Proto header for the LB Listener. |
| service.beta.kubernetes.io/scp-load-balancer-x-forwarded-port | HTTP, HTTPS | false | true, false | false | Specify whether to use the X-Forwarded-Port header of the LB Listener |
| service.beta.kubernetes.io/scp-load-balancer-x-forwarded-for | HTTP, HTTPS | false | true, false | false | Specify whether to use the X-Forwarded-For header for the LB Listener. |
| service.beta.kubernetes.io/scp-load-balancer-support-http2 | HTTP, HTTPS | false | true, false | false | Specify whether the LB Listener supports HTTP 2.0. |
| service.beta.kubernetes.io/scp-load-balancer-persistence | TCP, HTTP, HTTPS | "" | "", source-ip, cookie | source-ip | Specify the persistence of the LB Listener (none, source IP, or cookie) • For UDP, this annotation cannot be used. • For TCP, you can specify "" or source-ip. • For HTTP/HTTPS, you can specify one of "", source-ip, cookie. |
| service.beta.kubernetes.io/scp-load-balancer-client-cert-id | HTTPS | - | UUID | 78b9105e00324715b63700933125fa83 | Specify the client SSL certificate ID of the LB Listener • Required input field when HTTPS is specified. |
| service.beta.kubernetes.io/scp-load-balancer-client-cert-level | HTTPS | HIGH | HIGH, NORMAL, LOW | HIGH | Specify the security level of the client SSL certificate for the LB Listener. |
| service.beta.kubernetes.io/scp-load-balancer-server-cert-level | HTTPS | - | HIGH, NORMAL, LOW | HIGH | Specify the security level of the server SSL certificate for the LB Listener. |

Table. LB Listener related settings in Kubernetes annotations
| annotation | Protocol | default | allowed value | example | Explanation |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-lb-method | All | ROUND_ROBIN | ROUND_ROBIN, LEAST_CONNECTION, IP_HASH | ROUND_ROBIN | Specify the load balancing policy for the LB server group |

Table. Settings related to LB server group in Kubernetes annotations
| annotation | Protocol | default | allowed value | example | Explanation |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-health-check-enabled | All | true | true, false | true | Specify whether to use LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-protocol | All | TCP | TCP, HTTP, HTTPS | TCP | Specify the protocol for the LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-port | All | {nodeport} | 1 - 65534 | 30000 | Specify the health check port of the LB health check • The default is {nodeport}, so it is generally not necessary to specify it. |
| service.beta.kubernetes.io/scp-load-balancer-health-check-count | All | 3 | 1 - 10 | 3 | Specify the number of detection attempts for LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-interval | All | 5 | 1 - 180 | 5 | Specify the LB health check interval |
| service.beta.kubernetes.io/scp-load-balancer-health-check-timeout | All | 5 | 1 - 180 | 5 | Specify the wait time for LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-http-method | HTTP | GET | GET, POST | GET | Specify the HTTP method for the LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-url | HTTP | / | string | /healthz | Specify the URL for the LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-response-code | HTTP | 200 | 200 - 500 | 200 | Specify the response code for the LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-request-data | HTTP | - | string | username=admin&password=1234 | Specify the request string for LB health check • Required input field when the POST method is set. |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-enabled | All | true | true, false | true | Specify whether to use LB health check for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-protocol | All | TCP | TCP, HTTP, HTTPS | TCP | Specify the LB health check protocol for the Service’s {port} port number. |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-port | All | - | 1 - 65534 | 30000 | Specify the LB health check port for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-count | All | 3 | 1 - 10 | 3 | Specify the LB health check detection count for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-interval | All | 5 | 1 - 180 | 5 | Specify the LB health check interval for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-timeout | All | 5 | 1 - 180 | 5 | Specify the LB health check wait time for the Service’s {port} port number. |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-http-method | HTTP | GET | GET, POST | GET | Specify the LB health check HTTP method for the Service’s {port} port number. |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-url | HTTP | / | string | /healthz | Specify the LB health check URL for the Service’s {port} port number. |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-response-code | HTTP | 200 | 200 - 500 | 200 | Specify the LB health check response code for the Service’s {port} port number. |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-request-data | HTTP | - | string | username=admin&password=1234 | Specify the LB health check request string for the Service’s {port} port number • Required input field when the POST method is set. |

Table. Settings related to LB health check in Kubernetes annotations

Constraints

The constraints to consider when using Kubernetes annotations are as follows.

| Constraints | Related annotations |
|---|---|
| When changing the Security Group, rules created in the existing Security Group are not automatically deleted. | service.beta.kubernetes.io/scp-load-balancer-security-group-id, service.beta.kubernetes.io/scp-load-balancer-security-group-name |
| Cannot change the service classification (L4/L7) of the Load Balancer. | service.beta.kubernetes.io/scp-load-balancer-layer-type |
| L4 and L7 cannot be used together within the same k8s Service. | service.beta.kubernetes.io/scp-load-balancer-layer-type |
| Cannot change Load Balancer subnet | service.beta.kubernetes.io/scp-load-balancer-subnet-id |
| Cannot change the Load Balancer’s Service IP | service.beta.kubernetes.io/scp-load-balancer-service-ip |
| The LB Listener idle-timeout cannot be changed from enabled to disabled after it has been used. | service.beta.kubernetes.io/scp-load-balancer-idle-timeout |
| The LB Listener session-duration-time cannot be changed from used to unused after it has been used. | service.beta.kubernetes.io/scp-load-balancer-session-duration-time |
| The LB Listener response-timeout cannot be changed from enabled to disabled after it has been used. | service.beta.kubernetes.io/scp-load-balancer-response-timeout |
| LB Listener idle-timeout cannot be set simultaneously with session-duration-time or response-timeout. | service.beta.kubernetes.io/scp-load-balancer-idle-timeout, service.beta.kubernetes.io/scp-load-balancer-session-duration-time, service.beta.kubernetes.io/scp-load-balancer-response-timeout |
| Cannot use TCP and UDP together on the same port number within the same k8s Service. | - |
| L7 Listener’s routing rules only support the default URL path of the LB server group delivery method • To add other URL paths, you must add them directly in the Samsung Cloud Platform console • URL redirection is not supported | - |

Table. Constraints when using Kubernetes annotations
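
Because an annotation value outside the allowed values results in the default being applied, a manifest can be checked against the annotation tables and constraints above before kubectl apply. The following is an added example, not SKE tooling: it lints a Service manifest, given as a parsed dictionary, for the layer, certificate, timeout, port and value-range rules stated on this page. Assumptions: "60-second unit" is read as a multiple of 60, a port without a protocol field is treated as TCP, and the function names, finding codes, sample manifests and placeholder IDs are constructed for illustration.

```python
PREFIX = "service.beta.kubernetes.io/scp-load-balancer-"
BOOLEAN = {"public-ip-enabled", "source-ranges-firewall-rules",
           "snat-healthcheck-firewall-rules", "insert-client-ip",
           "x-forwarded-proto", "x-forwarded-port", "x-forwarded-for",
           "support-http2", "health-check-enabled"}
# key -> (min, max, step), copied from the annotation tables on this page.
RANGES = {"health-check-count": (1, 10, 1), "health-check-interval": (1, 180, 1),
          "health-check-timeout": (1, 180, 1), "health-check-port": (1, 65534, 1),
          "idle-timeout": (60, 3600, 60), "response-timeout": (0, 120, 1)}
# Annotations whose Protocol column lists only HTTP, HTTPS.
L7_ONLY = {"idle-timeout", "response-timeout", "x-forwarded-proto",
           "x-forwarded-port", "x-forwarded-for", "support-http2"}


def in_range(value, lo, hi, step):
    """True when value is a decimal integer inside [lo, hi] on the step grid."""
    return value.isdigit() and lo <= int(value) <= hi and int(value) % step == 0


def lint_service(manifest):
    """Return a list of (code, message) findings for one Service manifest."""
    found = []
    raw = (manifest.get("metadata") or {}).get("annotations") or {}
    ann = {k[len(PREFIX):]: str(v) for k, v in raw.items() if k.startswith(PREFIX)}
    ports = (manifest.get("spec") or {}).get("ports") or []

    layer = ann.get("layer-type", "L4")
    if layer not in ("L4", "L7"):
        found.append(("invalid-value", "layer-type: default L4 is applied"))
        layer = "L4"

    app = [(p.get("appProtocol") or "").lower() for p in ports]
    has_l7 = any(a in ("http", "https") for a in app)
    has_l4 = any(a not in ("http", "https") for a in app)
    if has_l7 and has_l4:
        found.append(("mixed-layers", "L4 and L7 ports in one Service"))
    elif (has_l7 and layer != "L7") or (has_l4 and layer == "L7"):
        found.append(("layer-mismatch", f"ports do not match layer-type {layer}"))
    if "https" in app and "client-cert-id" not in ann:
        found.append(("client-cert-id-missing", "required when HTTPS is specified"))

    by_port = {}
    for p in ports:
        by_port.setdefault(p.get("port"), set()).add(p.get("protocol", "TCP"))
    for number, protos in by_port.items():
        if {"TCP", "UDP"} <= protos:
            found.append(("tcp-udp-same-port", f"port {number}"))

    if "idle-timeout" in ann and {"session-duration-time", "response-timeout"} & ann.keys():
        found.append(("timeout-conflict", "idle-timeout excludes the other two"))
    if layer != "L7":
        for key in sorted(L7_ONLY & ann.keys()):
            found.append(("l7-only", f"{key} applies to HTTP/HTTPS listeners"))
    if "public-ip-id" in ann and ann.get("public-ip-enabled") != "true":
        found.append(("public-ip-id-ignored", "public-ip-enabled is not true"))

    for key in sorted(ann):
        bad_bool = key in BOOLEAN and ann[key] not in ("true", "false")
        bad_range = key in RANGES and not in_range(ann[key], *RANGES[key])
        if bad_bool or bad_range:
            found.append(("invalid-value", f"{key}={ann[key]!r}: default is applied"))
    if "session-duration-time" in ann:
        if layer == "L7":
            limits = [(0, 120, 1)]
        else:  # L4: UDP listeners have the narrower range
            limits = [(60, 180, 60) if p.get("protocol") == "UDP" else (60, 3600, 60)
                      for p in ports]
        if not all(in_range(ann["session-duration-time"], *lim) for lim in limits):
            found.append(("invalid-value", "session-duration-time: default is applied"))
    return found


# Constructed samples. GOOD_L7 follows the L7 manifest example on this page.
GOOD_L7 = {
    "metadata": {"name": "my-service", "annotations": {
        PREFIX + "layer-type": "L7",
        PREFIX + "client-cert-id": "<client-cert-id>"}},
    "spec": {"type": "LoadBalancer", "ports": [
        {"appProtocol": "http", "protocol": "TCP", "port": 80, "targetPort": 9376},
        {"appProtocol": "https", "protocol": "TCP", "port": 443, "targetPort": 9898}]},
}
BAD = {
    "metadata": {"name": "my-lb-svc", "annotations": {
        PREFIX + "idle-timeout": "90",
        PREFIX + "session-duration-time": "300",
        PREFIX + "health-check-count": "20",
        PREFIX + "public-ip-id": "<public-ip-id>"}},
    "spec": {"type": "LoadBalancer", "ports": [
        {"appProtocol": "tcp", "protocol": "TCP", "port": 80, "targetPort": 9376},
        {"protocol": "UDP", "port": 80, "targetPort": 9376},
        {"appProtocol": "https", "protocol": "TCP", "port": 443, "targetPort": 9898}]},
}

if __name__ == "__main__":
    for code, message in lint_service(BAD):
        print(f"{code:24} {message}")
```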

1.3.4 - Usage Considerations

Managed Port Constraints

The following ports are used for SKE management and cannot be used for service access. Additionally, if they are blocked by the OS firewall or similar, node functions or some features may not operate correctly.

| Port | Explanation |
|---|---|
| UDP 4789 | calico-vxlan |
| TCP 5473 | calico-typha |
| TCP 10250 | kubelet |
| TCP 19100 | node-exporter |
| TCP 19400 | dcgm-exporter |

Table. Managed Port List

kube-reserved resource constraints

kube-reserved is a feature that reserves resources for system daemons that do not run as pods on a node.

  • System daemons that do not run as pods include kubelet, container runtime, etc.
Reference

For detailed information about kube-reserved, refer to the following document.

Kubernetes Engine reserves CPU and memory based on the following criteria.

| CPU specifications | Memory specifications |
|---|---|
| • 6% of the first core • 1% of the next core (up to 2 cores) • 0.5% of the next 2 cores (up to 4 cores) • 0.25% of cores exceeding 4 cores | • 25% of the first 4 GB memory • 20% of the next 4 GB memory (up to 8 GB) • 10% of the next 8 GB memory (up to 16 GB) • 6% of the next 112 GB memory (up to 128 GB) • 2% of memory exceeding 128 GB |

Table. CPU and Memory Standard Resource Reservation Items
  • Example: For a Virtual Server with 16 vCPU cores and 32 GB memory, kube-reserved is calculated as follows.

    • CPU: (1 core × 0.06) + (1 core × 0.01) + (2 core × 0.005) + (12 core × 0.0025) = 0.11 core
    • Memory: (4 GB × 0.25) + (4 GB × 0.2) + (8 GB × 0.1) + (16 GB × 0.06) = 3.56 GB
  • Example: The resources reserved based on CPU size are as follows.

| CPU specifications | Resource Specification 1 | Resource Specification 2 | Resource Specification 3 | Resource Specification 4 |
|---|---|---|---|---|
| kube-reserved CPU | 70 m | 80 m | 90 m | 110 m |

Table. Example of resources reserved according to CPU size
  • Example: The resources reserved based on memory size are as follows.
| Memory specifications | Resource Specification 1 | Resource Specification 2 | Resource Specification 3 | Resource Specification 4 | Resource Specification 4 | Resource Specification 4 | Resource Specification 4 |
|---|---|---|---|---|---|---|---|
| kube-reserved memory | 1 GB | 1.8 GB | 2.6 GB | 3.56 GB | 5.48 GB | 9.32 GB | 11.88 GB |

Table. Example of resources reserved according to memory size
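
The tiered reservation rules above can be computed for any node size. The following is an added example, not SKE code: it applies the CPU and memory tiers from the table with exact arithmetic and reproduces the worked 16 vCPU / 32 GB case. The function names and the node sizes printed by the demo are chosen for this example.

```python
from fractions import Fraction

# (tier width, reserved share) from the reservation table above.
# A width of None means "everything beyond the previous tiers".
CPU_TIERS = [(1, "0.06"), (1, "0.01"), (2, "0.005"), (None, "0.0025")]   # cores
MEMORY_TIERS = [(4, "0.25"), (4, "0.20"), (8, "0.10"),
                (112, "0.06"), (None, "0.02")]                            # GB


def tiered_reservation(capacity, tiers):
    """Walk the tiers from the bottom and reserve each tier's share of the
    capacity that falls inside it. Fractions keep the result exact."""
    if capacity < 0:
        raise ValueError("capacity must not be negative")
    remaining = Fraction(capacity)
    reserved = Fraction(0)
    for width, share in tiers:
        if remaining <= 0:
            break
        portion = remaining if width is None else min(remaining, Fraction(width))
        reserved += portion * Fraction(share)
        remaining -= portion
    return reserved


def reserved_cpu_millicores(vcpus):
    """kube-reserved CPU in millicores (m) for a node with `vcpus` cores."""
    return tiered_reservation(vcpus, CPU_TIERS) * 1000


def reserved_memory_gb(memory_gb):
    """kube-reserved memory in GB for a node with `memory_gb` of memory."""
    return tiered_reservation(memory_gb, MEMORY_TIERS)


if __name__ == "__main__":
    # Node sizes chosen for this example.
    for vcpus, memory in [(2, 4), (4, 8), (8, 16), (16, 32), (32, 64)]:
        cpu = float(reserved_cpu_millicores(vcpus))
        mem = float(reserved_memory_gb(memory))
        print(f"{vcpus:>3} vCPU / {memory:>3} GB -> {cpu:g} m, {mem:g} GB reserved")
```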

1.3.5 - Version information

Kubernetes version and support period

Kubernetes version lifecycle

The Kubernetes open-source software (OSS) community releases minor versions three times a year, with a release cycle of approximately 15 weeks. A released minor version goes through a support period of about 14 months (12 months for standard patches, 2 months for maintenance) before reaching EOL (End of Life).

information

For information on Kubernetes release and EOL dates and support periods, refer to the following link.

Samsung Cloud Platform Kubernetes Engine (SKE) version release plan

SKE validates and supplies the stable patch versions among released OSS minor versions. Therefore, the release timing of the version provided by SKE differs from that of the corresponding OSS version.

Also, for previously released versions, considering factors such as the open‑source EOL timing, technical support will be terminated sequentially from the older versions (End of Tech support, EoTS).

The release schedule and end-of-life schedule for OSS and SKE are as follows.

| version | OSS release | OSS EOL | SKE release | SKE EoTS |
|---|---|---|---|---|
| v1.29 | 2023-12-13 | 2025-02-28 | 2024-10 | 2026-03-31 |
| v1.30 | 2024-04-17 | 2025-06-28 | 2025-02 | 2026-06-30 |
| v1.31 | 2024-08-13 | 2025-10-28 | 2025-07 | 2026-10-28 |
| v1.32 | 2024-12-11 | 2026-02-28 | 2025-10 | 2027-02-28 |
| v1.33 | 2025-04-23 | 2026-06-28 | 2025-12 | 2027-06-28 |
| v1.34 | 2025-08-27 | 2026-10-27 | 2026-03 | 2027-10-27 |

Table. Release and end schedule for OSS and SKE

Feature restrictions when technical support ends (EoTS)

If the Kubernetes version provided by SKE reaches end-of-technical-support (EoTS) status, the features supported in that version may be limited.

  • Create new cluster → Creation not allowed
  • Existing cluster upgrade → upgrade possible (upgrade is possible even if the newer version is EoTS)
  • Create node pool from existing cluster → possible
Reference
  • Since EOL versions may have vulnerabilities, we recommend upgrading to a newer version.
  • You can upgrade the control plane and node pools from the Samsung Cloud Platform Console, and no additional costs are incurred for the upgrade.
    • For stable operation, perform compatibility testing of the upgrade version before proceeding with the upgrade.

OS and GPU drivers

The OS and GPU driver version information available for each K8s server type is as follows.

Caution
  • The OS versions provided may vary by K8s version.
  • When using GPU nodes, the related K8s components (nvidia-device-plugin, dcgm-exporter) are provisioned by default in the cluster.
    • When deploying the gpu-operator, conflicts may occur due to duplicate component configurations. We recommend deploying and using it with the default-provided components excluded.
  • For end-of-life OSes, creating a node pool is possible, but we recommend using the latest OS version.
| k8s version | Standard and High Capacity | GPU |
|---|---|---|
| v1.29 | • Ubuntu 22.04 • RHEL 8.10 • RHEL 8.8 (EOL OS) | • Ubuntu 22.04 (ND 535.183.06) |
| v1.30 | • Ubuntu 22.04 • RHEL 8.10 • RHEL 8.8 (EOL OS) | • Ubuntu 24.04 (ND 580.126.20) • Ubuntu 24.04 (ND 570.195.03) • Ubuntu 22.04 (ND 535.183.06) |
| v1.31 | • Ubuntu 22.04 • RHEL 8.10 • RHEL 8.8 (EOL OS) | • Ubuntu 24.04 (ND 580.126.20) • Ubuntu 24.04 (ND 570.195.03) • Ubuntu 22.04 (ND 535.183.06) |
| v1.32 | • Ubuntu 22.04 • RHEL 9.4 | • Ubuntu 24.04 (ND 580.126.20) • Ubuntu 24.04 (ND 570.195.03) • Ubuntu 22.04 (ND 535.183.06) |
| v1.33 | • Ubuntu 22.04 • RHEL 9.4 | • Ubuntu 24.04 (ND 580.126.20) • Ubuntu 24.04 (ND 570.195.03) • Ubuntu 22.04 (ND 535.183.06) |
| v1.34 | • Ubuntu 22.04 • RHEL 9.4 | • Ubuntu 24.04 (ND 580.126.20) • Ubuntu 24.04 (ND 570.195.03) • Ubuntu 22.04 (ND 535.183.06) |

Table. OS / GPU driver versions by K8s version and server type

The OS versions and supported GPU server models for each GPU driver version are as follows.

Caution
  • When creating a GPU node with the GPU-B300-3 server type, you must use an image with GPU driver version 580.126.20.
| GPU driver version | OS version | Supported model (server type) |
|---|---|---|
| ND 535.183.06 | Ubuntu 22.04 | • A100(GPU-A100-1) • H100(GPU-H100-2) |
| ND 570.195.03 | Ubuntu 24.04 | • A100(GPU-A100-1) • H100(GPU-H100-2) |
| ND 580.126.20 | Ubuntu 24.04 | • A100(GPU-A100-1) • H100(GPU-H100-2) • B300(GPU-B300-3) |

Table. OS / supported models by GPU driver version

1.4 - API Reference

API Reference

1.5 - CLI Reference

CLI Reference

1.6 - Release Note

Kubernetes Engine

2026.05.21
FEATURE Node pool Block Storage performance metric configuration, Add B300 GPU node, Improve dropdown functionality to consider GPU driver version when upgrading node pool, type: LB configuration improvements, Event log error and nuri-auth-webhook related improvements
  • Kubernetes Engine feature changes and bug fixes
    • We also provide Block Storage performance metric configuration for node pools.
    • We also provide the B300 GPU type among GPU node types.
    • When upgrading the node pool, we improved the selection dropdown functionality to consider the GPU driver version.
    • type: LB health check protocol has been improved by adding HTTPS.
    • Improved the event log timestamp error and the nuri-auth-webhook authentication key expiration and activation status check functionality.
2026.03.19
FEATURE Add Kubernetes version, Provide GPU VM custom image, Provide management logic for k8s and OS version EoTS, Handle node pool OS image EOS and set default values during upgrade, Do not provide kubeconfig in Terraform, Improvements related to type: LB configuration
  • Kubernetes Engine feature changes
    • Supports Kubernetes v1.34.
    • Provides a custom image for the node pool’s GPU VM.
    • Provides management logic and display functionality for EoTS of cluster and node pool Kubernetes versions and node pool OS versions.
    • Provides an OS selection dropdown feature when upgrading a node pool.
    • For type: LB, an L7 listener idle-timeout has been added and the default session-duration-time has been changed.
    • Terraform does not provide a kubeconfig feature.
2025.12.18
FEATURE Add Kubernetes version, display GPU Driver version in node pool, support MNGC nodes (SR), change default disk maximum size for node pool, add and improve node pool validation
  • Kubernetes Engine feature change
    • Supports Kubernetes v1.33.
    • Provides GPU driver version information on GPU nodes in the node pool.
    • Provides the MNGC node in SR request configuration format.
    • The maximum Block Storage capacity of the node pool OS is increased from 1 TB to 12 TB to match the VM offering.
    • When creating or updating a node pool, we add enhanced label key validation and also provide validation that GPU node pools are not supported in server groups.
2025.10.23
FEATURE Add Kubernetes version, node pool advanced settings feature, node pool server group configuration, ServiceWatch integration, UserKubeconfig download, node pool upgrade enhancements considering OS version
  • Kubernetes Engine feature changes
    • Supports Kubernetes v1.32.
    • Provides advanced node pool configuration features.
    • Provides node pool server group (Affinity or Anti-affinity) configuration functionality.
    • Provides a user Kubeconfig download feature following the admin Kubeconfig download button.
    • When upgrading a node pool, we additionally provide upgrade logic that considers the OS version.
    • Provides log collection functionality based on ServiceWatch integration.
2025.07.01
FEATURE Add Kubernetes version, Provide public endpoint, Add private endpoint access control target, Node pool Label/Taint, Block Storage CSI, Add kubectl login plugin
  • Kubernetes Engine feature changes
    • Supports Kubernetes version v1.31.
    • Provides the cluster’s public endpoint.
    • The MNGC (Baremetal) product and the DevOps Service product are added to the cluster’s private endpoint access control targets.
    • Provides node pool label and taint configuration functionality.
    • Provides Block Storage CSI and kubectl login plugin functionality.
    • The kubeconfig vulnerability has been addressed.
2025.04.28
FEATURE Private endpoint access control, type: LB feature added
  • Kubernetes Engine feature changes
    • Provides private endpoint and access control features.
    • Provides type: LoadBalancer functionality.
2025.02.27
FEATURE Add Kubernetes version and upgrade Kubernetes version, Custom Image, GPU node creation feature added
  • Kubernetes Engine feature changes
    • Supports Kubernetes v1.30.
    • Provides Kubernetes version upgrade functionality for clusters and node pools.
    • Provides Multi-Security Group functionality.
    • Provides the ability to create Custom Image nodes and GPU nodes.
  • Samsung Cloud Platform Common Feature Changes
    • Account, IAM, Service Home, tags, and other common CX changes have been applied.
2024.10.01
NEW Kubernetes Engine service official version release
  • We have launched the Kubernetes Engine product, which provides lightweight virtual computing containers and the Kubernetes clusters that manage them.
  • You can create container nodes and centrally manage them through a cluster, enabling deployment of various container applications.
2024.07.02
NEW Beta version release
  • We have released the beta version of the Kubernetes Engine product.

2 - Container Registry

2.1 - Overview

Service Overview

Container Registry is a service that provides a registry for storing and managing container images and OCI (Open Container Initiative) standard artifacts. Users can easily store, manage, and share images using the Docker CLI.

Features

  • Simple registry management and image distribution: You can easily create a container registry for your project on Samsung Cloud Platform. By using the standard Docker CLI, you can easily pull images for deployment from the Container Registry, streamlining development and service deployment workflows.
  • Efficient Container Image Storage: You can easily store container images anytime, anywhere. By integrating with Object Storage, you can store and retrieve images, enabling efficient image management. It also supports the Docker Registry V2 API specification for convenient use.
  • Enhanced Security Registry Management: You can securely store and use images using Container Registry. Container Registry encrypts images stored in Object Storage and transfers images via HTTPS. Use resource-based IAM policies of Samsung Cloud Platform to set repository-specific access permissions, and you can use images according to the configured permissions.
  • Container Image Vulnerability Analysis: Container Registry provides a feature that analyzes security vulnerabilities in stored container images. Users can view vulnerability results through a simple process of selecting and scanning an image, and can identify and remediate vulnerabilities based on the analysis results.

Service Architecture Diagram

Diagram
Figure. Container Registry diagram

Provided features

Container Registry provides the following features.

  • Registry Management: Provides Container Registry creation, deletion, registry access control management (private), and visibility features.
  • Repository Management: A repository is created under the Container Registry. Provides functions to create, view, and delete repositories and to set security policies.
  • Image Management: Manages the container images stored in the repository, providing image Push, image Pull, view, delete, applied tag management, and security policy configuration functions.
  • Image Vulnerability Assessment: You can manually or automatically scan OS packages and language packages for security vulnerabilities, as well as secrets embedded in images stored in the Container Registry. Based on the scan results, users can identify and remove known vulnerabilities (CVE) and secrets to prevent the use of insecure images.

Component

Registry

The registry is a repository or collection of repositories used to store, access, and manage container images. Container registries can often support container‑based application development as part of the development and operations process. They can connect directly to container orchestration platforms such as Docker and Kubernetes. A registry acts as an intermediary that shares container images between systems, saving developers time in creating and delivering cloud‑native applications. In the case of Samsung Cloud Platform, it is provided in conjunction with Object Storage and transfers images over HTTPS.

repository

A repository is a logical management unit for image tags. Using a repository allows efficient management of image tags. A repository is a centralized virtual storage that developers use to modify and manage application source code. When developing applications, if there is a need to store and share various types of documents and source code, it enables developers to easily collaborate within the same account, edit simultaneously, and track/manage changes.

image

An image refers to something that includes all files and configuration values required to run a container. An image acts like a class that creates containers, and a container can be seen as the program or process that runs the image. For example, an Ubuntu image contains all files needed to run Ubuntu, and a MySQL image contains all files, IDs, passwords, port information, etc., required to run MySQL.

Prerequisite Services

Container Registry has no prerequisite services.

2.1.1 - Monitoring Metrics

Cloud Monitoring service termination notice

According to Samsung Cloud Platform’s policy, the Cloud Monitoring service is scheduled to be discontinued in September 2026.
Accordingly, after the September 2026 release, resource monitoring of the Samsung Cloud Platform via Cloud Monitoring will no longer be possible.

With the new alternative service, you can continuously perform resource monitoring by leveraging ServiceWatch released in October 2025.
ServiceWatch provides more modern and powerful features, replacing Cloud Monitoring to deliver a smooth monitoring environment.

Detailed information about ServiceWatch can be found in the ServiceWatch Overview.

Container Registry monitoring metrics

The table below shows the monitoring metrics for Container Registry that can be viewed through Cloud Monitoring. For detailed usage of Cloud Monitoring, see the Cloud Monitoring guide.

Performance item | Detailed description | Unit
container.registry.status.alive | Registry status | status
containerregistry.statics.image.pull.count | Allowed Image Tag (digest) Pull Count | cnt
containerregistry.statics.image.denied_pull.count | Number of rejected Image Tag (digest) Pulls | cnt
containerregistry.statics.image.push.count | Allowed Image Tag (digest) Push count | cnt
containerregistry.statics.image.denied_push.count | Number of rejected Image Tag (digest) pushes | cnt
containerregistry.statics.image.scan.count | Allowed Image Tag (digest) Scan count | cnt
containerregistry.statics.image.denied_scan.count | Number of rejected Image Tag (digest) scans | cnt
containerregistry.statics.tag.deleted.count | Number of deleted Image Tags (digest) | cnt
containerregistry.statics.image.created.count | Number of generated images | cnt
containerregistry.statics.image.deleted.count | Number of deleted images | cnt
containerregistry.statics.login.count | Allowed Registry Login count | cnt
containerregistry.statics.denied_login.count | Number of denied registry logins | cnt
containerregistry.statics.repository.created.count | Number of generated repositories | cnt
containerregistry.statics.repository.deleted.count | Number of deleted repositories | cnt
Table. Container Registry monitoring metrics

2.1.2 - ServiceWatch Metrics

Container Registry sends metrics to ServiceWatch. The metrics provided by default monitoring are data collected at a 1‑minute interval.

Reference
For how to view metrics in ServiceWatch, refer to the ServiceWatch guide.

Basic Metrics

The following are the basic metrics for the Container Registry namespace.

The indicators whose names are shown in bold below are the indicators selected as key metrics among the default metrics provided by Container Registry. Key metrics are used to compose the service dashboards that ServiceWatch automatically builds for each service.

For each metric, the user guide indicates which statistical values are meaningful when viewing that metric. Among the meaningful statistics, the values displayed in bold are the primary statistics. In the service dashboard, you can view key metrics using the primary statistical values.

Indicator Name | Detailed description | Unit | Meaningful statistics
Image Pull Count [Allowed] | Allowed Image Tag (digest) Pull Count | Count/Minute
  • Total
  • Average
  • Maximum
Image Push Count [Denied] | Number of rejected Image Tag (digest) pushes | Count/Minute
  • Total
  • Average
  • Maximum
Repository Count [Deleted] | Number of Deleted Repositories | Count/Minute
  • Total
  • Average
  • Maximum
Repository Count [Created] | Number of created repositories | Count/Minute
  • Total
  • Average
  • Maximum
Registry Login Count [Allowed] | Number of allowed Registry Logins | Count/Minute
  • Total
  • Average
  • Maximum
Image Scan Count [Denied] | Number of rejected Image Tag (digest) scans | Count/Minute
  • Total
  • Average
  • Maximum
Image Pull Count [Denied] | Number of rejected Image Tag (digest) Pulls | Count/Minute
  • Total
  • Average
  • Maximum
Registry Login Count [Denied] | Number of denied Registry Logins | Count/Minute
  • Total
  • Average
  • Maximum
Image Push Count [Allowed] | Allowed Image Tag (digest) Push count | Count/Minute
  • Total
  • Average
  • Maximum
Image Scan Count [Allowed] | Allowed Image Tag (digest) Scan count | Count/Minute
  • Total
  • Average
  • Maximum
Image Count [Deleted] | Number of deleted images | Count/Minute
  • Total
  • Average
  • Maximum
Image Count [Created] | Number of generated images | Count/Minute
  • Total
  • Average
  • Maximum
Image Tag Count [Deleted] | Number of deleted Image Tag (digest) | Count/Minute
  • Total
  • Average
  • Maximum
Table. Container Registry Basic Metrics

2.2 - How-to guides

Users can create a service by entering the required information for the Container Registry service and selecting detailed options through the Samsung Cloud Platform Console.

Create Container Registry

You can create and use the Container Registry service in the Samsung Cloud Platform Console.

Note
You can create up to two Container Registries per account (one per visibility type).

Follow these steps to create a Container Registry service.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. Click the Create Registry button on the Service Home page. You will be taken to the Create Registry page.
  3. On the Create Registry page, enter the information required to create a service and select detailed options.
    • Enter or select the required information in the Service Information Input area.
      Category | Required status | Detailed description
      registry name | Required | The registry name created by the user
      • Must start with a lowercase English letter and be entered using lowercase English letters and numbers, with a length of 3 to 25 characters
      endpoint | Required | Set access type for registry endpoint
      • Private: Only private endpoint access control items can be set
      • Private&Public: Both private endpoint access control items and public endpoint access control can be set
      Private endpoint access control | Optional | Private endpoint access control settings
      • If you select Use, you can configure it so that only specific resources in the same Account and region as the registry can access it
        • Click Add for private access allowed resources to add resources that can access the registry using the private endpoint
      • If Use is not selected, access is allowed from resources in all subnets within the same region
      Public endpoint access control | Optional | Public endpoint access control settings
      • If you select Use, you can configure it so that only specific IPs in the same region as the registry can access it.
        • Click Add for the allowed public access IP to add the IPs and resources that can access the registry using the public endpoint.
      • If Use is not selected, access is allowed from resources in all subnets within the same region.
      Visibility | Optional | Anonymous access setting for registry read (Pull) operations
      • Selecting Public allows unauthenticated anonymous users to perform read operations (Anonymous Pull) on all registry content.
      • This setting can be enabled as Public only when creating the service.
      Table. Container Registry Service Information Input Items
      Caution
      • If you do not select the use of private endpoint access control, the customer’s registry may be exposed to other resources within the Samsung Cloud Platform.
      • If you do not select the use of public endpoint access control, external IP access is possible in an internet environment, so the user’s bucket may be exposed externally via the internet. If external access is not required, uncheck the usage checkbox to minimize security threats.
    • In the Additional Information Input area, enter or select the required information.
      Category | Required status | Detailed description
      tag | Optional | Add Tag
      • Up to 50 can be added per resource
      • After clicking the Add Tag button, enter or select Key, Value values
      Table. Container Registry Additional Information Input Fields
  4. Check the detailed information and estimated billing amount generated in the Summary panel, and click the Create button.
    • When creation is complete, check the created resource on the Registry list page.

View detailed information of Container Registry

The Container Registry service allows you to view and edit the full list of resources and detailed information. The Container Registry Details page consists of the Details, Tags, and Activity Log tabs.

To view the Container Registry details, follow these steps.

  1. Click the All Services > Container > Container Registry menu. You will be taken to the Service Home page of Container Registry.
  2. On the Service Home page, click the Registry menu. You will be taken to the Registry List page.
  3. On the Registry List page, click the resource (Registry) to view its details. You will be taken to the Registry Details page.
    • The Registry Details page displays the Registry’s status information and detailed information, and consists of the Details, Tags, and Activity Log tabs.
      Category | Detailed description
      Registry status | Registry status
      • Creating: in progress
      • Running: creation complete/operating normally
      • Editing: configuration being changed
      • Terminating: being deleted
      • Error: error occurred
      • Unknown: unknown
      User Guide | Guide to Using a CLI-Based Registry
      Service termination | Button to cancel the service
      Table. Container Registry status information and additional features

Detailed Information

On the Registry list page, you can view detailed information of the selected resource and edit the information if needed.

Category | Detailed description
service | Service name
Resource Type | Resource Type
SRN | Unique resource ID in Samsung Cloud Platform
  • In the Container Registry service, it refers to the registry SRN
Resource name | Resource Name
  • In the Container Registry service, it refers to the registry name
Resource ID | Unique resource ID in the service
constructor | User who created the service
Creation date and time | Service creation date and time
editor | User who edited the service information
Modification date | Date and time the service information was modified
registry name | Registry name
Bucket name | The name of the Samsung Cloud Platform Object Storage bucket where the registry data is stored
Usage | Data usage of the Object Storage bucket for the registry
endpoint | Access type for the registry endpoint
  • Click the Edit icon to change the setting
Private endpoint | Private endpoint URL available within the Samsung Cloud Platform network
  • An endpoint that provides Docker and OCI Client Tool compatibility, used to execute Pull and Push client commands
  • Click the Copy button to copy the URL
Public endpoint | Public endpoint URL available within the Samsung Cloud Platform network
Private endpoint access control | Private endpoint access control settings
  • Click the Edit icon to toggle access control and add or remove accessible resources
    • When access control is Enabled, only specific resources in the same Account and region as the registry can access it
    • If access control is not Enabled, access is allowed from resources in all subnets within the same region
Public endpoint access control | Public endpoint access control settings
  • Click the Edit icon to change whether access control is used, and to add or delete accessible IPs and resources
    • When access control Enabled is selected, only specific IPs within the same region’s Account as the registry can access it
    • If access control Enabled is not selected, external IP access is possible from the internet
Visibility | Anonymous access setting for registry read (Pull) operations
  • When set to Public, unauthenticated anonymous users are allowed to perform read operations (Anonymous Pull) on all content in the registry.
  • This setting can be set to Public only at service creation.
Table. Container Registry Detailed Information Tab Items

tag

On the Registry list page, you can view, add, modify, or delete tag information for the selected resource.

Category | Detailed description
Tag list | Tag list
  • You can view the Key and Value information of the tag
  • Up to 50 tags can be added per resource
  • When entering a tag, you can search and select from the list of previously created Keys and Values
Table. Registry Tag Tab Items

Job History

On the Registry list page, you can view the operation history of the selected resource.

Category | Detailed description
Task History List | Resource Change History
  • You can view the operation date and time, resource type, resource name, operation details, operation result, operator name, and path information
  • To perform an advanced search, click the Advanced Search button
Table. Work History Tab Items

Terminate Container Registry

You can cancel unused Container Registries to reduce operating costs. However, if you cancel the service, any running services may be stopped immediately, so consider the impact of service interruption carefully before proceeding with the cancellation.

Caution
  • You cannot delete a Registry when resources are linked to it. After terminating the linked services shown in the “Service termination not allowed” popup, delete the Registry.
  • When the service is terminated, all data, including the bucket linked to the Registry, will be deleted. Please note that data cannot be recovered after deletion.

To cancel the Container Registry, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. On the Service Home page, click the Registry menu. You will be taken to the Registry List page.
  3. On the Registry List page, click the resource (Registry) to view detailed information. You will be taken to the Registry Details page.
  4. On the Registry Details page, click Service Cancellation.
  5. Click the checkbox to confirm cancellation and enter the Registry name to delete.
  6. When you enter the Registry name correctly, the Confirm button becomes active. Click the Confirm button.
  7. When termination is complete, check on the Registry list page whether the resource has been terminated.

2.2.1 - Manage Repository

A repository is a logical management unit for images within a registry. Using a repository, you can set the default security policy for images created underneath.

Creating a Repository

To create a repository, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Go to the Service Home page of Container Registry.
  2. On the Service Home page, click the Repository menu. You will be taken to the Repository List page.
  3. On the Repository list page, click the Create Repository button. You will be taken to the Create Repository page.
    • At the top of the Repository list page, click the Settings icon to select an existing registry, or click Create new to create a registry.
  4. On the Repository creation page, enter the required information and select the detailed options.
    • Enter or select the required information in the Service Information Input area.
      Category | Required | Detailed description
      registry name | Required | Select the registry name for creating the repository
      • If no registry has been created, you can create a new one using the Create New button
      Repository name | Required | Repository name to create
      • Enter using lowercase English letters, numbers, and special characters (-) with a length of 3 to 30 characters (the start and end must be lowercase English letters or numbers only)
      Table. Repository Service Information Input Items
    • In the Repository Basic Policy Input area, enter or select the required information.
      Category | Required | Detailed description
      Image scan | Optional | Automatic image vulnerability scanning and scan exclusion policy settings for images generated in the repository
      • You can set the default scan policy applied when an image is created in the repository
      • If you set automatic scanning to enabled, the image’s vulnerabilities are automatically checked when the image is pushed. In this case, the vulnerability scanning cost is billed.
      • If you set the scan exclusion policy to enabled, you can specify which inspection targets and vulnerabilities to exclude during image scanning.
        • You can choose to exclude Language Package checks, Secret checks, and vulnerabilities without a Fix Version.
      • Excludable vulnerabilities: you can select one of the following levels
        • (None / Unknown / Negligible / Low / Medium / High / Critical) Exclude vulnerabilities at or below this level
      Image Pull limit | Optional | Policy settings for enabling the image Pull restriction feature and its limit values for images generated in the repository
      • You can set the default Pull restriction policy applied when an image is created in the repository
      • If you set the Pull restriction for unscanned images to Enabled, pulling images that have not been vulnerability‑checked is not allowed
      • If you set the Pull restriction policy for vulnerable images to Enabled, pulling an image is prohibited when Critical or High‑level vulnerabilities exceeding the specified values are found. The allowable input and selectable values for this policy are as follows
        • Critical: 1 (default) ~ 9,999,999
        • High: 1 (default) ~ 9,999,999
        • Exclude vulnerabilities without a Fix Version
          • When Enabled is selected, vulnerabilities lacking a Fix Version (i.e., when a vulnerable package/library has no patch version) are excluded from the Pull restriction policy
      Image lock status | Optional | You can set a lock to prevent deletion or updating of all images within the repository
      • When the repository’s image lock status is Lock, the Lock/Unlock functions for individual images in the repository are disabled.
      • Changing the image lock status of a repository that is in Lock state to Unlock enables the Lock/Unlock functions for individual images.
      • Pushing new images is allowed.
      Delete image tags | Optional | You can set an automatic image deletion policy for images stored in the repository
      • If you select Enabled for deletion policy activation, the image deletion policy is applied.
      • If you set the Untagged Image automatic deletion and Old Image automatic deletion items to Enabled, the corresponding image deletion policies are applied.
      • Enter an automatic deletion period in the deletion policy; the image will be automatically deleted after the specified period has elapsed since its initial push.
      Table. Repository Default Policy Input Items
    • In the Additional Information Input area, enter or select the required information.
      Category | Required status | Detailed description
      Description | Optional | Repository description
      • Enter repository description
      tag | Optional | Add Tag
      • Up to 50 can be added per resource
      • After clicking the Add Tag button, enter or select Key, Value values
      Table. Repository Additional Information Input Items
Reference
  • The Repository default policy input fields are used to set the default (initial) policy for Images created in the Repository. (They serve as a policy configuration template applied when an Image is created.)
  • This setting can be changed on the detail view screen after creating a Repository, and images created after modifying the Repository’s default policy entries will be configured with the updated policy. Images created before the change will retain their original policy.
  • The default policy set for the Image can be modified on the Image detail screen.
  5. Check the detailed information and estimated billing amount generated in the Summary panel, and click the Create button.
    • Once creation is complete, check the created resources on the Repository List page.
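
The Image Pull limit settings above interact in ways that are easy to misjudge, so the following added example (not Samsung Cloud Platform code) models them in Python and evaluates one constructed scan result under two policies. The class and field names, the finding IDs, the reading of "exceeding" as strictly greater than the limit, and the handling of an unscanned image when only the vulnerable-image restriction is on are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One scan finding. Constructed shape for this example, not the service's schema."""
    vuln_id: str
    severity: str               # "Critical", "High", "Medium", ...
    fix_version: Optional[str]  # None when the vulnerable package has no patch version


@dataclass(frozen=True)
class PullPolicy:
    """The Pull restriction settings listed above (field names are hypothetical)."""
    block_unscanned: bool = False
    block_vulnerable: bool = False
    critical_limit: int = 1     # page range: 1 (default) ~ 9,999,999
    high_limit: int = 1         # page range: 1 (default) ~ 9,999,999
    exclude_without_fix: bool = False

    def __post_init__(self) -> None:
        for name in ("critical_limit", "high_limit"):
            value = getattr(self, name)
            if not 1 <= value <= 9_999_999:
                raise ValueError(f"{name} must be in 1..9,999,999, got {value}")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    ignored: Tuple[str, ...] = ()  # findings hidden by the no-Fix-Version exclusion


def evaluate_pull(policy: PullPolicy, findings: Optional[List[Finding]]) -> Decision:
    """Return the pull decision; pass findings=None for an image never scanned."""
    if findings is None:
        if policy.block_unscanned:
            return Decision(False, "image has not been vulnerability-checked")
        # ASSUMPTION: without a scan result the vulnerable-image rule has nothing to count.
        return Decision(True, "unscanned image and unscanned-image restriction is off")

    if not policy.block_vulnerable:
        return Decision(True, "vulnerable-image restriction is off")

    counted: List[Finding] = []
    ignored: List[str] = []
    for finding in findings:
        if policy.exclude_without_fix and finding.fix_version is None:
            ignored.append(finding.vuln_id)
        else:
            counted.append(finding)

    totals = {"Critical": 0, "High": 0}
    for finding in counted:
        if finding.severity in totals:
            totals[finding.severity] += 1

    # ASSUMPTION: "exceeding" is read as strictly greater than the configured value.
    limits = {"Critical": policy.critical_limit, "High": policy.high_limit}
    for level in ("Critical", "High"):
        if totals[level] > limits[level]:
            reason = f"{totals[level]} {level} findings exceed limit {limits[level]}"
            return Decision(False, reason, tuple(ignored))
    return Decision(True, "Critical/High counts within limits", tuple(ignored))


# Constructed scan result; the IDs are placeholders, not real CVE numbers.
SAMPLE_SCAN = [
    Finding("VULN-0001", "Critical", "1.2.4"),
    Finding("VULN-0002", "Critical", None),
    Finding("VULN-0003", "Critical", None),
    Finding("VULN-0004", "High", "2.0.1"),
    Finding("VULN-0005", "Medium", None),
]

if __name__ == "__main__":
    strict = PullPolicy(block_unscanned=True, block_vulnerable=True)
    relaxed = PullPolicy(block_unscanned=True, block_vulnerable=True,
                         exclude_without_fix=True)
    for label, policy, scan in [
        ("unscanned image, strict policy", strict, None),
        ("scanned image, strict policy", strict, SAMPLE_SCAN),
        ("scanned image, no-fix excluded", relaxed, SAMPLE_SCAN),
    ]:
        decision = evaluate_pull(policy, scan)
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{label}: {verdict} ({decision.reason}); ignored={list(decision.ignored)}")
```

The same image is denied under the strict policy and allowed once vulnerabilities without a Fix Version are excluded, so the `ignored` list is the residual risk to review before enabling that option.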

View repository details

The Repository service allows you to view and edit the full list of resources and detailed information. The Repository Details page consists of the Details, Tags, and Activity History tabs.

To view the repository details, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. On the Service Home page, click the Repository menu. You will be taken to the Repository List page.
  3. On the Repository List page, click the resource (Repository) to view detailed information. You will be taken to the Repository Details page.
    • The Repository Details page displays the repository’s status information and detailed information, and consists of the Details, Tags, and Activity History tabs.
      Category | Detailed description
      Repository status | Repository status display
      • Active: available state
      • Deleting: deleting state
      • Inactive: state where deletion failed, making it unavailable (only deletion request is possible)
      • Editing: state where settings are being modified or sub-resources (images, tags) within the image are being deleted
      User Guide | Repository usage guide
      • You can check the commands for using images within the repository via CLI
      Delete repository | Button to delete the repository
      Table. Status Information and Additional Functions

Detailed Information

On the Repository list page, you can view detailed information of the selected resource and edit the information if necessary.

Category | Detailed description
service | Service name
Resource Type | Resource Type
SRN | Unique resource ID in Samsung Cloud Platform
  • In Repository, it refers to the repository SRN
Resource name | Resource name
  • In Repository, it means the repository name
Resource ID | Unique resource ID in the service
constructor | User who created the repository
Creation date and time | Repository creation date and time
Editor | User who modified the repository
Modification date | Repository modification timestamp
Repository name | User-created repository name
registry name | Registry name linked to the repository
  • Click the resource name to go to the detail page
description | The description entered by the user for the generated repository
  • Click the Edit icon to change the settings
image | Link to view the list of stored images in the repository
Image scan | Automatic image vulnerability scanning and scan exclusion policy settings for images generated in the repository
  • You can set the default scan policy applied when an image is created in the repository (serves as a policy configuration template applied at image creation)
  • Click the Edit icon to change whether automatic image vulnerability scanning is enabled, whether the scan exclusion policy is used, and the detailed policies
    • If you set automatic scanning to Enabled, the image’s vulnerabilities are automatically checked when the image is pushed. This setting applies only to images pushed after automatic scanning is enabled, and vulnerability scanning costs are billed during automatic scans
    • When the scan exclusion policy is set to Enabled, you can specify the scan targets and vulnerabilities to exclude during image scanning as follows
      • Excludable scan targets
        • Exclude Language Packages
        • Exclude Secrets
        • Exclude vulnerabilities without a Fix Version
      • Excludable vulnerabilities: you can select one of the following levels
        • (None / Unknown / Negligible / Low / Medium / High / Critical) level and below are excluded
Image Pull limit | Policy settings for enabling the image Pull restriction feature and its limit values for images generated in the repository
  • You can set the default Pull restriction policy applied when an image is created in the repository (serves as a policy template applied at image creation)
  • Click the Edit icon to change the enablement of the image Pull restriction feature and its limit values
    • If you set the Pull restriction for unscanned images to Enabled, pulling images that have not been vulnerability‑checked is prohibited
    • If you set the Pull restriction for vulnerable images to Enabled, pulling an image is prohibited when Critical or High level vulnerabilities exceeding the specified thresholds are found. The input and selectable values for this policy are as follows
      • Critical: 1 (default) ~ 9,999,999
      • High: 1 (default) ~ 9,999,999
      • Exclude vulnerabilities without a Fix Version
        • When Enabled, vulnerabilities lacking a Fix Version (i.e., no patched version for the vulnerable package/library) are excluded from the Pull restriction policy
Image lock status | You can set a lock to prevent deleting or updating any images inside the repository
  • Click the Edit icon to change the image lock status
  • If the repository’s image lock status is set to Lock, the Lock/Unlock function for individual images within the repository is disabled
  • If you Unlock the image lock status of a repository that is in the Lock state, the Lock/Unlock function for individual images becomes enabled
  • Pushing new images is allowed
Delete image tag | Set the automatic image deletion policy for images stored in the repository
  • Click the Edit icon to change the image tag deletion policy
  • If you set the deletion policy activation to Enabled, the image tag deletion policy can be applied
  • If you select Enabled for the Untagged Image automatic deletion and Old Image automatic deletion options of the deletion policy, the corresponding image deletion policy is applied
  • Enter an automatic deletion period in the deletion policy; the image will be automatically deleted after the specified period has elapsed since its initial push
Table. Repository Detailed Information Tab Items

Tags

On the Repository List page, you can view the tag information of the selected resource, and add, modify, or delete tags.

Category | Detailed description
Tag list | Tag list
  • You can view the Key and Value information of tags
  • Up to 50 tags can be added per resource
  • When entering tags, you can search and select from the list of previously created Keys and Values
Table. Repository Tag Tab Items

Job History

On the Repository list page, you can view the operation history of the selected resource.

Category | Detailed description
Job history list | Resource change history
  • Operation date and time, resource type, resource name, operation details, operation result, operator name, and path information can be viewed
Table. Job History Tab Items

Delete Repository

Caution
If an Image exists in the repository, you cannot delete the repository. To delete the repository, first delete all Images in the repository, then delete the repository.

To delete a repository, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. Click the Repository menu on the Service Home page. You will be taken to the Repository List page.
  3. On the Repository List page, click the resource (Repository) to view its details. You will be taken to the Repository Details page.
  4. On the Repository Details page, click Delete Repository.
  5. In the Delete Repository popup window, enter the Repository name.
  6. If you enter the Repository name correctly, the Confirm button becomes active. Click the Confirm button.
  7. When the deletion is complete, verify on the Repository List page that the resource has been deleted.

2.2.2 - Manage Images and Tags

An image is the logical unit under which tags are managed. Users can efficiently manage image versions using tags.

Create Image

To create an image, a repository must be created first. For detailed information on creating a repository, see Repository Management.

  • Images are created by pushing an image or OCI-standard artifact via the CLI using the registry endpoint.
  • For instructions on pushing an image with the CLI, refer to the official documentation provided by the client tool you are using or see Use Container Registry with CLI.

View image details

You can view the full list of Image resources and their detailed information, and edit them. The Image Details page consists of the Details, Tags, and Delete Policy Test tabs.

To view the image details, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
  3. Click the Settings icon at the top of the Image List page and select the Registry name and Repository name where the Image whose details you want to view is stored.
    • If the desired item is not available, click Create New to register a Registry and Repository, and then select it.
  4. On the Image List page, click the resource (Image) to view detailed information. You will be taken to the Image Details page.
    • The Image Details page displays the Image’s status and detailed information, and consists of the Details, Tags, and Delete Policy Test tabs.
      Category | Detailed description
      Image status | Status of the image
      • Active: available state
      • Deleting: deleting state
      • Inactive: state where deletion failed and is not usable (only deletion request is possible)
      • Editing: state where settings are being modified or image sub-resources (tags) are being deleted
      User Guide | CLI-based image usage guide
      Delete Image | Button to delete the image
      Table. Image status information and additional functions

Detailed Information

On the Image List page, you can view detailed information of the selected resource and modify it if necessary.

Category | Detailed description
Creator | User who created the image
Creation date and time | Image creation timestamp
Modifier | User who edited the image
Modification date | Image modification timestamp
Image name | User-created image name
Registry name | Name of, and link to view, the registry storing the image
Pulls | Number of times this image has been pulled
Repository name | Name of, and link to view, the repository storing the image
Description | The description entered by the user for the image
  • Click the Edit icon to edit the description
Image scan | Automatic image vulnerability scanning and scan exclusion policy settings
  • Set an image scan policy to automatically check vulnerabilities of pushed images, or specify scan targets and vulnerabilities to exclude during image scanning.
  • Click the Edit icon to change whether automatic image vulnerability scanning is enabled, whether the scan exclusion policy is used, and the detailed policies.
    • If automatic image scanning is set to Enabled, the image’s vulnerabilities are automatically checked when the image is pushed. This setting applies only to images pushed after automatic scanning is enabled, and vulnerability scanning costs are billed for automatic scans.
    • If the scan exclusion policy is set to Enabled, you can specify scan targets and vulnerabilities to exclude during image scanning as follows.
      • Excludable scan targets
        • Exclude Language Packages
        • Exclude Secrets
        • Exclude vulnerabilities without a Fix Version
      • Excludable vulnerabilities: you can select one of the following levels
        • (None / Unknown / Negligible / Low / Medium / High / Critical) Vulnerabilities at or below the selected level are excluded
Image Pull limit | Settings for enabling the image Pull restriction feature and its limit values
  • Using the image Pull restriction feature limits the pulling of unscanned or vulnerable images, minimizing security threats.
  • Click the Edit icon to change whether the image Pull restriction feature is enabled and its limit values.
    • If the unscanned image Pull restriction is set to Enabled, pulling images that have not been vulnerability‑checked is not allowed.
    • When the vulnerable image Pull restriction is set to Enabled, pulling an image is prohibited if Critical or High‑level vulnerabilities exceeding the specified value are found. The permissible input and selectable values for this policy are as follows.
      • Critical: 1 (default) ~ 9,999,999
      • High: 1 (default) ~ 9,999,999
      • Exclude vulnerabilities without a Fix Version
        • When Enabled, vulnerabilities lacking a Fix Version (i.e., no patched version for the vulnerable package/library) are excluded from the Pull restriction policy.
Image lock status | You can set a lock to prevent the selected image from being deleted or updated
  • Click the Edit icon to change the image lock status
  • If the image lock status is Lock, the image and all internal Tags become locked and cannot be deleted or updated
  • Changing the lock status of a locked image to Unlock allows the image and all internal Tags to be deleted or updated
Delete image tag | Sets the automatic image deletion policy for images stored in the repository
  • Click the Edit icon to modify the image tag deletion policy
  • If you set the deletion policy activation to Enabled, the image tag deletion policy will be applied
  • Select Enabled for the Untagged Image automatic deletion and Old Image automatic deletion options in the deletion policy to apply those image deletion policies
  • Enter an automatic deletion period in the deletion policy; the image will be automatically deleted after the specified period has elapsed since its initial push
Table. Image detailed information items
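The Image scan and Image Pull limit rows above interact in ways that are easy to misjudge, so the following added example (not code from Container Registry or its documentation) models both policies over constructed scan findings. All class and function names are hypothetical. It assumes that "exceeding" means strictly greater than the limit and that secrets are not counted against the Critical/High limits; confirm both in the console before relying on them.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Severity order from the page's exclusion selector, lowest to highest.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]


@dataclass
class Finding:
    ident: str                   # constructed placeholder, not a real CVE ID
    severity: str                # one of SEVERITY_ORDER
    category: str                # "OS", "Language" or "Secret"
    fix_version: Optional[str]   # None when no patched version exists


@dataclass
class ScanExclusion:
    exclude_language_packages: bool = False
    exclude_secrets: bool = False
    exclude_no_fix: bool = False
    exclude_at_or_below: str = "None"   # "None" excludes no severity level


@dataclass
class PullRestriction:
    block_unscanned: bool = True
    block_vulnerable: bool = True
    critical_limit: int = 1      # page range: 1 (default) to 9,999,999
    high_limit: int = 1
    exclude_no_fix: bool = False


def apply_scan_exclusion(findings: List[Finding], policy: ScanExclusion) -> List[Finding]:
    """Return the findings that remain visible after the scan exclusion policy."""
    cutoff = -1
    if policy.exclude_at_or_below != "None":
        cutoff = SEVERITY_ORDER.index(policy.exclude_at_or_below)
    kept = []
    for f in findings:
        if policy.exclude_language_packages and f.category == "Language":
            continue
        if policy.exclude_secrets and f.category == "Secret":
            continue
        # A secret has no fix version, so this option only drops vulnerabilities.
        if policy.exclude_no_fix and f.category != "Secret" and f.fix_version is None:
            continue
        if SEVERITY_ORDER.index(f.severity) <= cutoff:
            continue
        kept.append(f)
    return kept


def pull_decision(scanned: bool, findings: List[Finding],
                  policy: PullRestriction) -> Tuple[bool, str]:
    """Return (allowed, reason) for a pull request under the Pull restriction policy."""
    if not scanned:
        if policy.block_unscanned:
            return False, "blocked: image has not been vulnerability-checked"
        return True, "allowed: unscanned-image restriction is disabled"
    if not policy.block_vulnerable:
        return True, "allowed: vulnerable-image restriction is disabled"
    # ASSUMPTION: only vulnerabilities (not secrets) count against the limits.
    counted = [f for f in findings
               if f.category != "Secret"
               and not (policy.exclude_no_fix and f.fix_version is None)]
    critical = sum(1 for f in counted if f.severity == "Critical")
    high = sum(1 for f in counted if f.severity == "High")
    # ASSUMPTION: "exceeding" is read literally as count > limit.
    if critical > policy.critical_limit:
        return False, f"blocked: {critical} Critical > limit {policy.critical_limit}"
    if high > policy.high_limit:
        return False, f"blocked: {high} High > limit {policy.high_limit}"
    return True, f"allowed: {critical} Critical, {high} High within limits"


# Constructed sample scan result for one image digest.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-0001", "Critical", "OS", None),
    Finding("EXAMPLE-0002", "Critical", "OS", None),
    Finding("EXAMPLE-0003", "High", "Language", "2.0.1"),
    Finding("EXAMPLE-0004", "High", "OS", None),
    Finding("EXAMPLE-0005", "Low", "OS", "3.1"),
    Finding("EXAMPLE-0006", "Medium", "Secret", None),
]

if __name__ == "__main__":
    strict = PullRestriction(critical_limit=1, high_limit=3)
    relaxed = PullRestriction(critical_limit=1, high_limit=3, exclude_no_fix=True)
    print(pull_decision(True, SAMPLE_FINDINGS, strict))
    print(pull_decision(True, SAMPLE_FINDINGS, relaxed))
    quiet = ScanExclusion(exclude_language_packages=True, exclude_secrets=True,
                          exclude_no_fix=True, exclude_at_or_below="Low")
    print([f.ident for f in apply_scan_exclusion(SAMPLE_FINDINGS, quiet)])
```

On this sample, enabling "Exclude vulnerabilities without a Fix Version" turns a blocked pull into an allowed one, and the combined exclusions leave an empty report, which is why these options deserve review before being set as a repository-wide template.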

Delete Image

Caution
If you delete the image, all tags within the image will also be deleted.

To delete the Image, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. Click the Image menu on the Service Home page. You will be taken to the Image List page.
  3. Click the Settings icon at the top of the Image List page and select the Registry name and Repository name where the Image to be deleted is stored.
  4. On the Image List page, click the resource (Image) you want to delete. You will be taken to the Image Details page.
  5. On the Image Details page, click the Delete Image button.
  6. When the Delete Image popup appears, click the Confirm button.
  7. After the deletion is complete, verify on the Image List page that the resource has been deleted.

Check detailed information of image tag

To view detailed information about the image tag, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
  3. Click the Settings icon at the top of the Image List page and select the Registry name and Repository name where the Image whose details you want to view is stored.
  4. On the Image List page, click the resource (Image) to view detailed information. You will be taken to the Image Details page.
    • On the Image Details page, click the Tags tab to the right of the Details tab at the top of the page. You will be taken to the Tags List page.
      Column | Detailed description
      Tags | Tag name of the image Digest
      • A single image Digest can have multiple tag names
      Digest | Image Digest value
      Size | Image Digest size
      Modification date | Image Digest (Tags) modification time
      Inspection date and time | Image Digest (Tags) vulnerability check date and time
      Vulnerability Assessment Results | Image Digest (Tags) vulnerability scan results
      • A summary of the vulnerability count and a button to view scan results are displayed
      • Click the View Results button to view detailed vulnerability analysis results for image tags
      Status | Status of the image Digest (Tags)
      • Active: normal, usable state
      • Deleting: being deleted
      • Inactive: deletion failed, not usable (deletion request only)
      Copy URL | Copy the endpoint URL for using the image Digest
      • You can copy the private/public endpoint URL to use in commands for the image Digest
      More button | Menu for selecting deletion, modification, vulnerability assessment, and the detailed usage guide for the image Digest (Tags)
      • Delete: Delete the specified image Digest (Tags)
      • Edit Tags: In the tag edit window, you can modify the tag name of the image Digest
      • Vulnerability Scan: Perform vulnerability assessment on the image Digest (Tags)
      • Detailed Usage Guide: View a guide for using the image Digest (Tags) via CLI
      • Tags Lock: Lock the selected image Tags to prevent deletion or updates
      • Tags Unlock: Release the lock to allow deletion or updates of the selected image Tags
      Table. Tags list items
Note
An image digest that is in an Untagged state without a tag name is displayed as None in the Tags field.

Detailed Information

In the Tags list on the Image Details page, click the Tags value of the image Digest whose details you want to view. The detail window for the image Digest (Tags) will appear.

Column | Detailed description
Tag information | Displays the tag name, digest, creation time, and modification time
  • Click the Copy button at the far right of the digest value to copy the digest value
Manifest information | Displays the manifest type and details
  • Click Copy Manifest to copy the manifest value
  • Click Download to download the manifest as a JSON file
Table. Tags Detailed Information Window Items
  • After reviewing the information in the tag details window, click Confirm to close the window.

Delete image tag

Caution
If other tags reference the selected tag, you cannot delete it. Delete the referencing tags first, then delete the tag.

To delete an image tag, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
  3. Click the Settings icon at the top of the Image List page and select the Registry name and Repository name where the Image whose tag you want to delete is stored.
  4. On the Image List page, click the resource (Image) to view detailed information. You will be taken to the Image Details page.
    • On the Image Details page, click the Tags tab to the right of the Details tab at the top of the page. You will be taken to the Tags List page.
  5. From the Tags list, select the checkbox located to the left of the tag you want to delete, then click Delete.
    • By selecting the checkboxes of multiple items, you can delete multiple tags at once, and you can select and delete up to 50 tags at a time.
    • You can delete tags one by one by clicking the Delete button inside the More button located at the far right of the tag to be deleted.
  6. When the Delete Tags popup window opens, click Confirm.
  7. After deletion is complete, check on the Tags list page whether the resource has been removed.

Testing image tag deletion policy

To test the configured image tag deletion policy, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
  3. Click the Settings icon at the top of the Image List page and select the Registry name and Repository name where the Image whose deletion policy you want to test is stored.
  4. On the Image List page, click the resource (Image) to view detailed information. You will be taken to the Image Details page.
    • On the Image Details page, click the Delete Policy Test tab to the right of the Details tab at the top of the page. You will be taken to the Delete Policy Test tab page.
  5. On the Delete Policy Test tab page, click the Policy Test button for the Tags item to be deleted. The delete policy test will run.
  6. When the delete policy test execution notification popup opens, click the Confirm button.
    • When the test execution request is completed, the message "Deletion policy test execution request has been completed" is displayed.
  7. When the deletion policy test is complete, check the test results.
    • The Tags to be deleted field displays the image tags (digests) that are subject to the deletion policy.

2.2.3 - Manage Image Security Vulnerabilities

By using the image security vulnerability scanning feature, you can manually or automatically scan OS package security vulnerabilities in images stored in Container Registry and the Secrets contained within the images. Based on the scan results, users can identify and remove known vulnerabilities (CVE) and Secrets, preventing the use of insecure images.

Vulnerability assessment support information

Supported OS

  • The vulnerability scanning feature supports checking libraries installed via the package manager on the following operating systems.
Supported OS
Ubuntu
CentOS
Oracle
Debian
Alpine
AlmaLinux
AWS Linux
Rocky Linux
RHEL
SUSE
VMware Photon
Table. Supported OS Types

Supported Language

  • The vulnerability assessment feature supports checks for the following languages.
Supported Language
Python
PHP
Node.js
.NET
Go
Table. Supported Language Types I (Libraries installed via Language package manager)
Supported Language
Java
Table. Supported Language Types II (Libraries identified based on pom.properties and MANIFEST.MF files contained in jar, war, par, ear type files)

Supported Secrets

  • The vulnerability scanning feature detects the following types of Secrets contained in the image.
Supported Secret
AWS access key
GitHub personal access token
GitLab personal access token
Asymmetric Private Key
Table. Supported Secret Types

Checking image security vulnerabilities (manual)

To check image security vulnerabilities, follow the steps below.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
  3. Click the Settings icon at the top of the Image List page and select the Registry name and Repository name where the Image to be checked is stored.
  4. On the Image List page, click the resource (Image) to check for security vulnerabilities. You will be taken to the Image Details page.
    • On the Image Details page, click the Tags tab to the right of the Details tab at the top of the page. You will be taken to the Tags tab page.
  5. On the Tags tab page, click the More button located at the far right of the tag you want to check for security vulnerabilities, then click Vulnerability Check.
  6. When the vulnerability check notification popup opens, click the Confirm button.
    • When the inspection starts, the message "Vulnerability assessment will be performed." is displayed.
    • When the inspection is finished, the Vulnerability Inspection Results item displays a summary of the inspection results and a View Results button. Clicking the View Results button opens a popup that shows the detailed vulnerability analysis for the image Digest (Tags).
      Reference
      • Click the View Results button to see the detailed vulnerability analysis results for the image tag.
        • After a vulnerability scan, if a red exclamation mark icon (!) appears in the scan date/time field, it means the vulnerability scan list for the Container Registry service has been updated. Click Vulnerability Scan to re‑scan, as new vulnerability items need to be checked for the image Digest (Tags).

View Image Security Vulnerability Scan Results

To view the vulnerability assessment results, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
  3. Click the Settings icon at the top of the Image List page and select the Registry name and Repository name where the Image to be inspected is stored.
  4. On the Image List page, click the resource (Image) whose security vulnerability results you want to view. You will be taken to the Image Details page.
    • On the Image Details page, click the Tags tab to the right of the Details tab at the top of the page. You will be taken to the Tags tab page.
  5. On the Tags tab page, click the View Results button of the Vulnerability Check Result item for the tag whose vulnerability check results you want to view.
  6. Check the results in the Image Tags Vulnerabilities popup window, which displays the detailed analysis results.

View inspection results by vulnerability

On the Vulnerabilities tab of the Image Tag Vulnerabilities detail page, you can view the image security vulnerability assessment results for each vulnerability.

Item | Detailed description
Vulnerability Assessment | Vulnerability check button
  • Clicking the button starts the vulnerability check
  • However, if the tag status is Inactive, the vulnerability check button is not enabled
Inspection date and time | Vulnerability assessment date and time
Distribution | OS name and version of the image Digest (Tags) under inspection
  • Refer to the supported OS list
Total number of vulnerabilities | Summary of vulnerability assessment results
  • The total number of detected vulnerabilities and the count of vulnerabilities by severity are displayed as a graph
  • Vulnerabilities are classified into six severity levels (Critical, High, Medium, Low, Negligible, Unknown)
Table. Summary of Vulnerability Inspection Results

In the Vulnerability tab, you can view the list of all discovered vulnerabilities.

Item | Detailed description
CVE | Detected vulnerability ID (CVE ID), with an external link to detailed information about the vulnerability
  • CVE (Common Vulnerabilities and Exposures)
Severity | Severity of the detected vulnerability
CVSS | CVSS (Common Vulnerability Scoring System) based vulnerability score
Category | Inspection target type of the detected vulnerability
  • OS packages or Language packages are displayed
OS/Language | OS or Language package type of the detected vulnerability
  • Refer to the list of supported OSes and supported Languages
Package | Name of the package with the discovered vulnerability
Current version | Current version of the package with the vulnerability (vulnerable version)
Fixed version | Version of the package in which the vulnerability is fixed
Fix available | Whether a version with the vulnerability fixed exists for the package with the discovered vulnerability (whether a vulnerability patch version exists)
Expand button | View detailed vulnerability information
  • When you click the Expand button, detailed information about the vulnerability is displayed at the bottom
  • You can view the Description and Vectors results for the vulnerability. Detailed explanations for each Vector value are provided via tooltips.
  • Detailed information opened with the Expand button can be closed by clicking the Collapse button.
Table. Vulnerability List Items

View inspection results by package

On the Image Tag Vulnerabilities detail page, clicking the Package tab takes you to the per-package vulnerability page. In the Package tab, you can view the image security vulnerability assessment results by package.

Item | Detailed description
Vulnerability Assessment | Vulnerability assessment button
  • Clicking the button starts the vulnerability assessment
  • However, if the tag status is Inactive, the vulnerability assessment button is not enabled
Inspection date and time | Vulnerability assessment date and time
Distribution | OS name and version of the image Digest (Tags) under inspection
  • Refer to the supported OS list
Total number of packages | Overall package information summary
  • The total number of discovered packages and the number of packages with and without vulnerabilities are displayed as a graph
Table. Summary Items of Package Vulnerability Inspection Results

In the Package tab, you can view the full list of packages and the lists of packages with detected vulnerabilities and without detected vulnerabilities.

Item | Detailed description
Category | Type of discovered package
  • OS package or Language package is displayed
OS/Language | Detailed OS or Language type of the discovered package
  • Refer to the list of supported OSes and supported languages
Package | Detected package name
Version | Current version of the package
Vulnerability assessment results | Summary of the number of vulnerabilities contained in the package
Type | OS or language type and details of the discovered package
Table. Package list items

View inspection results by secret

On the Image Tag Vulnerabilities detail page, clicking the Secret tab takes you to the per-secret vulnerability page. You can view the image security vulnerability assessment results by secret.

Item | Detailed description
Vulnerability Assessment | Vulnerability check button
  • Clicking the button starts the vulnerability check
  • However, if the tag status is Inactive, the Vulnerability Check button is not enabled
Inspection date and time | Vulnerability assessment date and time
Distribution | OS name and version of the image Digest (Tags)
  • Refer to the supported OS list
Total number of vulnerabilities | Vulnerability result summary
  • The total number of detected vulnerabilities and the count per severity are displayed as a graph
  • Vulnerabilities are classified into six levels based on severity (Critical, High, Medium, Low, Negligible, Unknown)
Table. Summary of Secret Vulnerability Inspection Results

In the Secrets tab, you can view the complete list of secret files, as well as the lists of files with detected vulnerabilities and files without detected vulnerabilities.

Item | Detailed description
File | File name of the detected secret
Category | Detected secret type
  • Refer to the supported secret list
Severity | Detected secret severity
Match | Secret match information in the detected file
Table. Secret List Items
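Because a secret found by the registry scan has already been pushed, a local check of the build context before `docker push` is a useful complement. The following added example (not the service's scanner, whose detection rules this page does not document) looks for the four supported secret types and reports File, Category and Match like the table above. The regular expressions are assumptions based on commonly published classic token formats, and every sample value is constructed.

```python
import re
from typing import Dict, List

# ASSUMPTION: classic, publicly documented token shapes; not the registry's own rules.
SECRET_PATTERNS = {
    "AWS access key": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "GitHub personal access token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "GitLab personal access token": re.compile(
        r"\bglpat-[A-Za-z0-9_-]{20}(?![A-Za-z0-9_-])"),
    "Asymmetric Private Key": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}


def redact(value: str) -> str:
    """Keep a 4-character prefix so the report itself does not leak the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_build_context(files: Dict[str, str]) -> List[dict]:
    """Scan {path: text} and return one finding per match, in path and line order."""
    findings = []
    for path in sorted(files):
        for lineno, line in enumerate(files[path].splitlines(), start=1):
            for category, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(line):
                    findings.append({
                        "file": path,
                        "category": category,
                        "line": lineno,
                        "match": redact(m.group(0)),
                    })
    return findings


def safe_to_push(files: Dict[str, str]) -> bool:
    """Gate for a CI step: True only when no supported secret type is found."""
    return not scan_build_context(files)


# Constructed build context; the tokens are fake and assembled from fragments.
SAMPLE_CONTEXT = {
    "app/settings.py": 'AWS_KEY = "' + "AKIA" + "IOSFODNN7EXAMPLE" + '"\n',
    "deploy/ci.env": (
        "GITHUB_TOKEN=" + "ghp_" + "a" * 36 + "\n"
        "GITLAB_TOKEN=" + "glpat-" + "b" * 20 + "\n"
    ),
    "keys/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "(constructed placeholder, no key material)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
    # Near miss: too short to be an access key ID, so it must not be reported.
    "README.md": "Keys look like AKIA1234 but are never committed.\n",
}

if __name__ == "__main__":
    for finding in scan_build_context(SAMPLE_CONTEXT):
        print(finding)
    print("safe to push:", safe_to_push(SAMPLE_CONTEXT))
```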

2.2.4 - Manage Image Tag Deletion Policy

Users can register and manage image tag deletion policies.

Manage image tag deletion policy

The image tag deletion policy refers to a policy that automatically deletes an image after a specified period has elapsed since the image was first pushed to the repository. Enabling the image tag deletion policy causes image tags (digests) stored in the Container Registry to be automatically deleted according to the configured deletion policy.

Guide
  • After deletion policy activation is set to Enabled, the first image tags (digests) to which the deletion policy applies are deleted within a maximum of 3 days (72 hours). Subsequent image tags (digests) to which the deletion policy applies are deleted within a maximum of 1 day (24 hours).
  • Image tags (digests) subject to the deletion policy are permanently deleted and cannot be recovered.

Supported Deletion Policy Information

This section describes the supported image tag deletion policies.

Supported Policies

The following policies are supported; each can enable automatic deletion and set a retention period for image tags (digests).

Supported Policy
Untagged Image
Old Image
Table. Supported Image Tag Deletion Policy Types

Setting the image tag (digest) deletion policy

To set the image tag (digest) deletion policy, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
  3. Click the gear button at the top of the Image List page. The Registry/Repository Settings popup will open.
  4. In the Registry/Repository Settings popup window, select the Registry name and Repository name where the image for which you want to set the deletion policy is stored, and click the Confirm button.
  5. On the Image List page, click the resource (Image) for which you want to set the deletion policy. You will be taken to the Image Details page.
  6. On the Image Detail page, in the Detail Information tab, click the Edit icon of the Delete Image Tag item. The Edit Delete Image Tag popup opens.
  7. In the Edit Delete Image Tag popup window, enter and select the activation status and required information, then click the Confirm button.
    • If you select Enable for Deletion policy activation, image tags (digests) will be automatically deleted according to the configured deletion policy.
    • Select the deletion policy to apply and enter the period from when the image is first pushed to the repository until it is automatically deleted.
  8. When the edit notification popup opens, click the Confirm button.
    • When the modification is complete, the message "Image tag removal edit was successful" is displayed.
Reference
You can also set a deletion policy in the Repository, which serves as the template for Images. When configuring a deletion policy in the Repository, the same policy is applied to all Images stored within it.

Testing image tag (digest) deletion policy

To test the image tag (digest) deletion policy, follow these steps.

  1. Click the All Services > Container > Container Registry menu. Navigate to the Service Home page of Container Registry.
  2. On the Service Home page, click the Image menu. You will be taken to the Image List page.
  3. Click the gear button at the top of the Image List page. The Registry/Repository Settings popup window will open.
  4. In the Registry/Repository Settings popup window, select the Registry name and Repository name where the image whose deletion policy you want to test is stored, and click the Confirm button.
  5. On the Image List page, click the resource (Image) whose deletion policy you want to test. You will be taken to the Image Details page.
  6. On the Image Detail page, click the Delete Policy Test tab. You will be taken to the Delete Policy Test tab page.
  7. On the Delete Policy Test tab page, to test the configured delete policy, click the Policy Test button below the target Tags.
  8. When the delete policy test execution notification popup opens, click the Confirm button.
    • When the test execution request is completed, the message "Deletion policy test execution request has been completed" is displayed.
    • When the test is completed, the Deletion Target Tags item will display the image tags (digests) that are subject to the deletion policy.

2.2.5 - Use Container Registry with CLI

This section explains how to log in to the Container Registry using CLI commands and manage container images and Helm charts.

Managing container images with CLI

You can log in to the Container Registry using CLI commands and push or pull container images.

Log in to the Container Registry

The user can log in to the Container Registry using an authentication key.

Note
To log in to a Container Registry, you need the LoginContainerRegistry permission for the registry you will use.
For detailed information on policies and permission settings, see Management > IAM > Policies.

Log in with an authentication key

Log in using the authentication key’s AccessKey, SecretKey, and the registry endpoint.

  • Registry endpoint: can be found on the Container Registry Details page.
  • Private endpoint: [registryname-registryid].scr.private.[region].[offering].samsungsdscloud.com
docker login <registry_endpoint>
Username: <accessKey>
Password: <secretKey>
Note
  • To log in with an authentication key, create an authentication key on the IAM > Authentication Key Management page, and set the authentication method to Authentication Key Authentication in Security Settings.
  • Before modifying Security Settings, be sure to check the guidance text about the authentication key authentication method at the top of the Edit Authentication Key Security Settings popup.
  • For detailed information on how to create an authentication key and set up authentication key verification, see Management > IAM > Manage Authentication Keys.

Push image

To push an image to the registry, refer to the following command.

1 docker push [registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[repository]/[image:tag]
Note
  • To push an image to a registry, you need the LoginContainerRegistry permission for the registry you will use and the PushRepositoryImages permission for the repository.
  • For detailed information on policy and permission settings, refer to Management > IAM > Policies.

Pull image

To pull an image from the registry, refer to the following command.

docker pull [registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[repository]/[image:tag]
Note
  • To pull an image from a registry, you need the LoginContainerRegistry permission for the registry you will use and the PullRepositoryImages permission for the repository.
  • For detailed information on policies and permission settings, see Management > IAM > Policies.

Managing Helm charts with CLI

You can log in to the Container Registry using CLI commands and push or pull Helm charts.

Note
Container Registry supports Helm v3.8.1 or later.

Log in to Container Registry

The user can log in to the Container Registry using an authentication key.

Reference
To log in to a Container Registry, you need the LoginContainerRegistry permission for the registry you will use.
For detailed information on policies and permission settings, see Management > IAM > Policy.

Log in with authentication key

Log in using the authentication key’s AccessKey, SecretKey, and the registry endpoint.

  • Registry endpoint: can be found on the Container Registry Details page.
  • Private endpoint: [registryname-registryid].scr.private.[region].[offering].samsungsdscloud.com
helm registry login <registry_endpoint>
Username: <accessKey>
Password: <secretKey>
Note
  • To log in with an authentication key, create an authentication key on the IAM > Authentication Key Management page, and set the authentication method to Authentication Key Authentication in Security Settings.
  • Before modifying Security Settings, be sure to review the guidance text about the authentication key method at the top of the Edit Authentication Key Security Settings popup.
  • For detailed information on how to create an authentication key and set up authentication key verification, see Management > IAM > Manage Authentication Keys.
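
The docker and helm login steps above type the SecretKey at an interactive prompt; in scripts and CI jobs the same login can be done non-interactively with the secret fed on standard input. The following is an added example, not part of the SCR documentation: the SCR_ACCESS_KEY and SCR_SECRET_KEY environment variables, the scr_* function names, and the sample region and offering values are assumptions.

```shell
#!/bin/sh
# Added example, not from the SCR documentation. Assumed names: the
# SCR_ACCESS_KEY / SCR_SECRET_KEY environment variables and the scr_* functions.

# Succeeds only for a plain DNS label (lowercase letters, digits, inner hyphens).
# Runs in a subshell so the LC_ALL override does not leak to the caller.
scr_label_ok() (
  LC_ALL=C
  case $1 in
    '' | -* | *- | *[!a-z0-9-]*) exit 1 ;;
  esac
)

# Print the private endpoint following the pattern on this page:
#   [registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com
# Unfilled placeholders, dots and slashes are rejected so a typo cannot turn
# the login target into a different host.
scr_endpoint() {
  for part in "$1" "$2" "$3" "$4"; do
    scr_label_ok "$part" || { echo "invalid endpoint component: $part" >&2; return 1; }
  done
  printf '%s-%s.scr.private.%s.%s.samsungsdscloud.com\n' "$1" "$2" "$3" "$4"
}

# scr_login <docker|helm> <registry_endpoint>
# Feeds the SecretKey on stdin (printf is a shell builtin), so it never appears
# in the process list or in shell history as a command-line argument.
scr_login() {
  if [ -z "${SCR_ACCESS_KEY:-}" ] || [ -z "${SCR_SECRET_KEY:-}" ]; then
    echo "SCR_ACCESS_KEY and SCR_SECRET_KEY must be set" >&2
    return 1
  fi
  case $1 in
    docker)
      printf '%s' "$SCR_SECRET_KEY" |
        docker login --username "$SCR_ACCESS_KEY" --password-stdin "$2" ;;
    helm)
      printf '%s' "$SCR_SECRET_KEY" |
        helm registry login --username "$SCR_ACCESS_KEY" --password-stdin "$2" ;;
    *)
      echo "usage: scr_login <docker|helm> <registry_endpoint>" >&2
      return 2 ;;
  esac
}

# Usage (constructed values):
#   ep=$(scr_endpoint myregistry abc123 kr-west1 s) && scr_login docker "$ep"
```

docker login keeps the credential in ~/.docker/config.json unless a credential store is configured, so run docker logout <registry_endpoint> when the job finishes on a shared host.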

Push chart

To push a chart to the registry, refer to the following command.

helm push [hello-world-0.1.0].tgz oci://[registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[mychart]

If you write and execute the command as shown in the example, it saves (uploads) the chart by applying the 0.1.0 tag to the hello-world image in the mychart repository.

  • To push a chart to a registry, you need the LoginContainerRegistry permission for the registry you will use and the PushRepositoryImages permission for the repository.
  • For detailed information on policies and permission settings, see Management > IAM > Policies.

Pull chart

To pull a chart from the registry, refer to the following command.

helm pull oci://[registryname]-[registryid].scr.private.[region].[offering].samsungsdscloud.com/[mychart/hello-world] --version [0.1.0]

By writing and executing the command as shown in the example, you download the chart stored with tag 0.1.0 in the hello-world image of the mychart repository.

  • To pull a chart from a registry, you need the LoginContainerRegistry permission for the registry you will use and the PullRepositoryImages permission for the repository.
  • For detailed information on policies and permission settings, see Management > IAM > Policy.

2.2.6 - Example of Registry and Repository Policies

After creating the Samsung Cloud Platform Container Registry (hereinafter SCR) service, an endpoint is provided. This section provides example policies that grant specific permissions when using SCR through this endpoint.

Reference
  • The IAM > Policy > Policy List page lets you create permission policies for registries and repositories, and view or edit existing policies.
  • For detailed information on policy management, refer to Management > IAM > Policies in the Samsung Cloud Platform User Guide.
  • For the permissions required to use Container Registry with the CLI, see Use Container Registry with CLI.

Allow pulling all repository images created in all registries

If you apply the ScrPullOnlyAccess policy provided as an IAM default policy, you can grant IAM users and user groups permission to pull all repository images created in all registries within the account.

To allow pulling all repository images created in all registries, follow these steps.

  1. Click the All Services > Management > IAM menu. Navigate to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the Policy menu. Go to the Policy List page.
  3. On the Policy List page, select ScrPullOnlyAccess. Navigate to the Policy Details page.
  4. On the Policy Details page, select the Connected Targets tab.
  5. On the Connection Target tab page, connect the target to which you will grant permissions.
    • User: Click User Connection above the list to go to the User Connection page. Select the user to connect and click Done to complete the user connection.
    • User Group: Click User Group Link above the list to go to the User Group Link page. Select the user group to connect and click Done to complete the user group connection.
    • Role: Click Role Link above the list to go to the role link page. Select the role to connect and click Done to complete the role linking.
Reference

The ScrPullOnlyAccess policy consists of the following permissions.

  • Permission to allow the LoginContainerRegistry Action required for Registry authentication
  • Permission to allow the PullRepositoryImages action required for repository image pull

IP access control for SCR endpoints is provided via Private Endpoint Access Control and Public Endpoint Access Control on the Registry detail page.

  • Please note that when IP access control is used in the IAM policy for the SCR endpoint, you cannot use Registry and Repository Image via the SCR endpoint.
    • Set the IP access control entries to Applied IP: All IPs, Excluded IP: Not used.

Allow pulling and pushing all repository images created in all registries

If you apply the ScrPullPushOnlyAccess policy provided as an IAM default policy, you can grant IAM users and user groups permission to allow Pull and Push for all repository images created in all registries within the account.

To allow Pull and Push for all Repository Images created in all Registries, follow these steps.

  1. Click the All Services > Management > IAM menu. Navigate to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the Policy menu. Go to the Policy List page.
  3. On the Policy List page, select ScrPullPushOnlyAccess. Navigate to the Policy Details page.
  4. On the Policy Details page, select the Connection Targets tab.
  5. On the Connection Target tab page, connect the target to which you will grant permissions.
    • User: Click User Connection above the list to go to the User Connection page. Select the user to connect and click Done to complete the user connection.
    • User Group: Click User Group Link above the list to go to the User Group Link page. Select the user group to connect and click Done to complete the user group connection.
    • Role: Click Role Link above the list to go to the role link page. Select the role to connect and click Complete to complete the role connection.
Reference

The ScrPullPushOnlyAccess policy consists of the following permissions.

  • Permission to allow the LoginContainerRegistry Action required for Registry authentication
  • Permission to allow the PullRepositoryImages Action required for Repository Image Pull
  • Permission to allow the PushRepositoryImages Action required for Push

IP access control for SCR endpoints is provided via Private Endpoint Access Control and Public Endpoint Access Control on the Registry detail page.

  • Please note that when IP access control is used in the IAM policy for the SCR endpoint, you cannot use Registry and Repository Image via the SCR endpoint.
    • Set the IP access control entries to Applied IP: All IPs, Excluded IP: Not used.

Allow pulling all repository images created in a specific registry

By applying the ScrPullOnlyAccess policy provided as an IAM default policy, you can create a policy that allows only Pull for all repository images created in a specific Registry.

To create a pull permission policy for all repository images created in a specific registry, follow these steps.

  1. Click the All Services > Management > IAM menu. Navigate to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the Policy menu. Go to the Policy List page.
  3. On the Policy List page, click Create Policy.
  4. On the Policy Creation page, enter the Basic Information Input fields and click Next.
  5. On the Permission Settings page, click Load Policy.
  6. In the Load Policy window’s list, select ScrPullOnlyAccess and click OK.
  7. On the Permission Settings page, select the Individual Resource of the Applied Resources item.
  8. Click Add Resource in the applied resource list.
  9. In the Add Resource window, select container-registy from the resource type list. In the resource detail list, check the registry resource you want to add, then click Confirm.
  10. Check the individual resources you added in the applied resources list and click Next.
  11. Check the input information and click Create. Policy creation is complete.
Reference

The ScrPullOnlyAccess policy consists of the following permissions.

  • Permission to allow the LoginContainerRegistry Action required for Registry authentication
  • Permission to allow the PullRepositoryImages action required for repository image pull

IP access control for SCR endpoints is provided via Private Endpoint Access Control and Public Endpoint Access Control on the Registry detail page.

  • When creating an IAM policy for using the SCR endpoint, if you use IP access control, please note that you cannot use Registry and Repository Image through the SCR endpoint.
    • Set the IP access control entries to Applied IP: All IPs, Excluded IP: Not used.

Allow Image Pull and Push for a Specific Repository Created in a Specific Registry

If you apply the ScrPullPushOnlyAccess policy provided as a default IAM policy, you can create a policy that allows Pull and Push for a specific repository image created in a particular registry.

To create a policy that allows Pull and Push for a specific Repository Image created in a specific Registry, follow these steps.

  1. Click the All Services > Management > IAM menu. Navigate to the Service Home page of Identity and Access Management (IAM).
  2. On the Service Home page, click the Policy menu. Go to the Policy List page.
  3. On the Policy List page, click Create Policy.
  4. On the Policy List page, enter the items of Basic Information Input and click Next.
  5. On the Permission Settings page, click Load Policy.
  6. In the Load Policy window’s list, select ScrPullPushOnlyAccess and click OK.
  7. On the Permission Settings page, select the Individual Resource of the Applied Resources item.
  8. Click Add Resource in the applied resource list.
  9. In the Add Resource dialog, select the following items.
    • Select container-registy from the resource type list. In the resource detail list, check the registry resource to add, then click Confirm.
    • Select the repository from the resource type list. In the resource detail list, check the repository resource to add, then click Confirm.
  10. Verify the individual resources you added in the applied resource list and click Next.
  11. Check the input information and click Create. Policy creation is complete.
Reference

The ScrPullPushOnlyAccess policy consists of the following permissions.

  • Permission to allow the LoginContainerRegistry Action required for Registry authentication
  • Permission to allow the PullRepositoryImages action required for repository image pull
  • Permission to allow the PushRepositoryImages Action required for Push

IP access control for SCR endpoints is provided via Private Endpoint Access Control and Public Endpoint Access Control on the Registry detail page.

  • When creating an IAM policy for using the SCR endpoint, if you use IP access control, please note that you will not be able to use Registry and Repository Image through the SCR endpoint.
    • Set the IP access control entries to Applied IP: All IPs, Excluded IP: Not used.

2.3 - API Reference

API Reference

2.4 - CLI Reference

CLI Reference

2.5 - Release Note

Container Registry

2026.05.21
FEATURE Ensuring OCI Distribution Spec. compatibility, improving Registry creation/deletion logic, providing per-section refresh buttons
  • Container Registry feature change
    • Ensured compatibility of the general-purpose Container Registry with OCI (Open Container Initiative) Distribution Spec. v1.1.1 and improved the user Registry.
    • Improved internal processes related to the creation/deletion logic of the Container Registry to enhance convenience.
    • We added a refresh button where needed, just like with other products, to improve usability.
2026.03.19
FEATURE Ensuring OCI Distribution Spec. compatibility, expanding image vulnerability scanning capabilities
  • Container Registry feature change
    • Ensured compatibility of the Registry with OCI (Open Container Initiative) Distribution Spec. v1.1.1 and improved the user Registry.
    • We expand the coverage by adding OS and language types to the container image vulnerability assessment targets.
2025.12.18
FEATURE Add image tag deletion policy, improve Public Endpoint access control IP validation
  • Container Registry feature changes and improvements
    • We additionally offer the image tag deletion policy feature based on count.
    • Based on the IP range constraints of the Firewall product, we improve the validation of Public Endpoint access control IP input values.
2025.10.23
FEATURE Add option to enable image tag deletion policy, support ServiceWatch integration
  • Container Registry feature change
    • Provides a feature to enable the deletion policy setting for image tag deletion items.
    • Provides log collection functionality based on ServiceWatch integration.
2025.07.01
FEATURE Self-encryption / S3 API-compatible bucket-based Container Registry, provide public endpoint, add private endpoint access control target, support Image Life Cycle Policy
  • Container Registry feature change
    • We provide a Container Registry service based on Object Storage with self‑encryption and S3 API compatibility patches applied.
    • Provides public endpoints and access control functionality for the Registry.
    • We additionally offer the Multi-Node GPU Cluster product among the Registry’s private endpoint access control targets.
    • Provides a function to configure automatic deletion policies for repositories, stored images, and their individual tags (digests).
2025.02.27
FEATURE Add Image Lock functionality and monitoring, and VPC Endpoint integration
  • Container Registry feature change
    • Provides a lock function for images stored in the Registry.
    • Provides monitoring capabilities for the Registry in conjunction with the Cloud Monitoring product.
    • Provides integration with VPC Endpoint.
  • Samsung Cloud Platform Common Feature Changes
    • Account, IAM, Service Home, tags, and other common CX changes have been reflected.
2024.11.28
NEW Container Registry service temporary version release
  • Container Registry is a service that provides a registry and repository where you can easily store, manage, and share container images and OCI (Open Container Initiative) standard artifacts.
  • It was released as a temporary version and will be migrated to the official version once the encryption solution is updated.