1 - Authentication and Authorization
Kubernetes Engine has Kubernetes’ authentication and RBAC authorization features applied. This explains the authentication and authorization features of Kubernetes and how to link them with Kubernetes Engine and IAM.
Kubernetes Authentication and Authorization
This explains the authentication and RBAC authorization features of Kubernetes.
Authentication
The Kubernetes API server acquires the necessary information for user or account authentication from certificates or authentication tokens and proceeds with the authentication process.
Note
For a detailed explanation of Kubernetes authentication, refer to the following document:
https://kubernetes.io/docs/reference/access-authn-authz/authentication/Note
For a detailed explanation of using kubectl and kubeconfig, refer to
Accessing the Cluster.
Authorization
The Kubernetes API server checks if the user has permission for the requested action using the user information obtained through the authentication process and the RBAC-related objects. There are four types of RBAC-related objects as follows:
| Object | Scope | Description |
|---|
| ClusterRole | Cluster-wide | Definition of permissions across all namespaces in the cluster |
| ClusterRoleBinding | Cluster-wide | Binding definition between ClusterRole and user |
| Role | Namespace | Definition of permissions for a specific namespace |
| RoleBinding | Namespace | Binding definition between ClusterRole or Role and user |
Table. RBAC-related objects
Note
For a detailed explanation of Kubernetes RBAC authorization, refer to the following document:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/Role
Kubernetes has several predefined ClusterRoles. Some of these ClusterRoles do not have the prefix system:, which means they are intended for user use. These include the cluster-admin role that can be applied to the entire cluster using ClusterRoleBinding, and the admin, edit, and view roles that can be applied to a specific namespace using RoleBinding.
| Default ClusterRole | Default ClusterRoleBinding | Description |
|---|
| cluster-admin | system:masters group | Grants superuser access to perform all actions on all resources.- When used in ClusterRoleBinding, it grants full control over all resources in the cluster and all namespaces.
- When used in RoleBinding, it grants full control over the namespace and all resources in the namespace bound to the RoleBinding.
|
| admin | None | Grants administrator access to the namespace when used with RoleBinding. When used in RoleBinding, it grants read/write access to most resources in the namespace, including the ability to create roles and role bindings. However, this role does not grant write access to resource quotas or the namespace itself. |
| edit | None | Grants read/write access to most objects in the namespace. This role does not grant the ability to view or modify roles and role bindings. However, this role allows access to secrets, which can be used to run pods in the namespace as any account, effectively granting API access at the account level. |
| view | None | Grants read-only access to most objects in the namespace. Roles and role bindings cannot be viewed. This role does not grant access to secrets, as reading secret contents would allow access to account credentials and potentially grant API access at the account level (a form of privilege escalation). |
Table. Default ClusterRole and ClusterRoleBinding descriptions
Note
For a detailed explanation of user-facing roles, refer to the following document:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-rolesIn addition to the predefined ClusterRoles, you can define separate roles (or ClusterRoles) as needed. For example:
# Role that grants permission to view pods in the "default" namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
# Role that grants permission to view pods in the "default" namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]
# ClusterRole that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: node-viewer
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
# ClusterRole that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: node-viewer
rules:
- apiGroups: [""]
resources: ["nodes"]
verbs: ["get", "list", "watch"]
Role Binding
To manage access to the Kubernetes Engine using Samsung Cloud Platform IAM, you need to understand the relationship between Kubernetes’ role binding and IAM.
The target (subjects) of role binding (or cluster role binding) can include individual users (User) or groups (Group).
- User matches the Samsung Cloud Platform username, and Group matches the IAM user group name.
For role binding/cluster role binding, subjects.kind can be one of the following:
- User: Binds to a Samsung Cloud Platform individual user.
- Group: Binds to a Samsung Cloud Platform IAM user group.
Note
In addition to the above, a service account can also be specified, but a service account is generally not for users and cannot be bound to a Samsung Cloud Platform user.
The subjects.name of role binding/cluster role binding can be specified as follows:
- User case: Samsung Cloud Platform individual username (e.g. jane.doe)
- Group case: Samsung Cloud Platform IAM user group name (e.g. ReadPodsGroup)
Note
subjects.name is case-sensitive.
In this way, an IAM user group is bound to a role binding (or cluster role binding) written in the Kubernetes Engine cluster. Additionally, the permission to perform API operations included in the role (or cluster role) bound to the group is granted.
Example) Role Binding read-pods #1
An example of writing a User (Samsung Cloud Platform individual user) to a role binding is as follows:
# This role binding allows the user "jane.doe@example.com" to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
roleRef:
# "roleRef" specifies the binding to a role or cluster role.
kind: Role # Must be Role or ClusterRole.
name: pod-reader # Must match the name of the role or cluster role to bind.
apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: User
name: jane.doe
apiGroup: rbac.authorization.k8s.io
# This role binding allows the user "jane.doe@example.com" to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: read-pods
namespace: default
roleRef:
# "roleRef" specifies the binding to a role or cluster role.
kind: Role # Must be Role or ClusterRole.
name: pod-reader # Must match the name of the role or cluster role to bind.
apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: User
name: jane.doe
apiGroup: rbac.authorization.k8s.io
If a role binding like the above is created in a cluster, a user with the username jane.doe is granted the permission to perform the API actions defined in the pod-reader role.
Example) Role Binding read-pods #2
An example of writing a group (IAM user group) to a role binding is as follows:
# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: Group
name: ReadPodsGroup
apiGroup: rbac.authorization.k8s.io
# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: Group
name: ReadPodsGroup
apiGroup: rbac.authorization.k8s.io
If a role binding like the above is created in the cluster, users in the IAM user group ReadPodsGroup are granted the permission to perform API operations written in the pod-reader role.
Example) Cluster Role Binding read-nodes
# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: read-nodes
roleRef:
kind: ClusterRole
name: node-reader
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: ReadNodesGroup
apiGroup: rbac.authorization.k8s.io
# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: read-nodes
roleRef:
kind: ClusterRole
name: node-reader
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: ReadNodesGroup
apiGroup: rbac.authorization.k8s.io
When a cluster role binding like the one above is created in the cluster, users in the IAM user group ReadNodesGroup are granted the permissions to perform the API actions written in the cluster role node-reader.
Note
For more detailed explanations on role binding creation, refer to the following document:
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-binding-examplesThe Kubernetes Engine of Samsung Cloud Platform has predefined cluster role bindings scp-cluster-admin, scp-view, scp-namespace-view, and cluster roles scp-namespace-view. The following table shows the binding relationship between predefined roles and role bindings, and Samsung Cloud Platform users. Here, cluster roles cluster-admin and view are predefined within the Kubernetes cluster. For more detailed explanations, refer to the Roles section.
| Cluster Role Binding | Cluster Role | Subjects (User) |
|---|
| scp-cluster-admin | cluster-admin | - Group AdministratorGroup
- Group OperatorGroup
- User john.smith
|
| scp-view | view | Group ViewerGroup |
| scp-namespace-view | scp-namespace-view | All authenticated users in the cluster |
Table. Predefined Roles and Role Bindings for Samsung Cloud Platform, IAM User Groups, and User Binding Relationships
- According to the cluster role binding scp-cluster-admin, users in the IAM user groups AdministratorGroup or OperatorGroup, as well as the Kubernetes Engine product applicant, are granted cluster administrator permissions.
- According to the cluster role binding scp-view, users in the ViewerGroup are granted cluster viewer permissions. More precisely, since it is linked to the predefined cluster role view in Kubernetes, access permissions for cluster-scoped resources (e.g., namespaces, nodes, ingress classes, etc.) and secrets within namespaces are not included. For more detailed explanations, refer to the Roles section.
- According to the cluster role binding scp-namespace-view, all authenticated users in the cluster are granted namespace viewer permissions.
Note
- Predefined roles and role bindings for Samsung Cloud Platform are created only once when the cluster product is applied.
- Users can modify or delete predefined cluster role bindings and cluster roles for Samsung Cloud Platform as needed.
The details of predefined roles and role bindings for Samsung Cloud Platform are as follows:
Cluster Role Binding scp-cluster-admin
The cluster role binding scp-cluster-admin is bound to the cluster role cluster-admin and bound to the IAM user groups AdministratorGroup, OperatorGroup, and the SCP user (Kubernetes Engine cluster creator) according to the subjects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
name: scp-cluster-admin
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: AdministratorGroup
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: OperatorGroup
apiGroup: rbac.authorization.k8s.io
- kind: User # Cluster creator
name: jane.doe # cluster creater name
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
name: scp-cluster-admin
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: AdministratorGroup
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: OperatorGroup
apiGroup: rbac.authorization.k8s.io
- kind: User # Cluster creator
name: jane.doe # cluster creater name
apiGroup: rbac.authorization.k8s.io
Cluster Role Binding scp-view
The cluster role binding scp-view is bound to the cluster role view and bound to the IAM user group ViewerGroup according to the subjects.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: scp-view
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: ViewerGroup
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: scp-view
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: ViewerGroup
apiGroup: rbac.authorization.k8s.io
Cluster Role and Cluster Role Binding scp-namespace-view
Cluster Role scp-namespace-view is a role that defines the authority to view namespaces.
Cluster Role Binding scp-namespace-view is associated with Cluster Role scp-namespace-view and grants namespace view authority to all authenticated users in the cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: scp-namespace-view
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: scp-namespace-view
roleRef:
kind: ClusterRole
name: scp-namespace-view
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: scp-namespace-view
rules:
- apiGroups: [""]
resources: ["namespaces"]
verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: scp-namespace-view
roleRef:
kind: ClusterRole
name: scp-namespace-view
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
IAM User Group RBAC Use Case
This chapter explains examples of granting authority by major user scenarios.
The names of IAM user groups, ClusterRoleBindings/RoleBindings, and ClusterRoles presented here are examples for understanding. Administrators should define and apply appropriate names and authorities according to their needs.
| Scope | Use Case | IAM User Group | ClusterRoleBinding/RoleBinding | ClusterRole | Note |
|---|
| Cluster | Cluster Administrator | ClusterAdminGroup | ClusterRoleBinding cluster-admin-group | cluster-admin | Administrator for a specific cluster |
| Cluster | Cluster Editor | ClusterEditGroup | ClusterRoleBinding cluster-edit-group | edit | Editor for a specific cluster |
| Cluster | Cluster Viewer | ClusterViewGroup | ClusterRoleBinding cluster-view-group | view | Viewer for a specific cluster |
| Namespace | Namespace Administrator | NamespaceAdminGroup | RoleBinding namespace-admin-group | admin | Administrator for a specific namespace |
| Namespace | Namespace Editor | NamespaceEditGroup | RoleBinding namespace-edit-group | edit | Editor for a specific namespace |
| Namespace | Namespace Viewer | NamespaceViewGroup | RoleBinding namespace-view-group | view | Viewer for a specific namespace |
Table. Predefined Roles and RoleBindings, IAM User Groups, and Binding Relationships for Samsung Cloud Platform
Note
The ClusterRoles (cluster-admin, admin, edit, view) in the table above are predefined in the Kubernetes cluster. For more information, see the
Role section.
Cluster Administrator
To create a cluster administrator, follow these steps:
- Create an IAM user group named ClusterAdminGroup.
- Create a ClusterRoleBinding with the following content in the target cluster:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admin-group
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: ClusterAdminGroup
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admin-group
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: ClusterAdminGroup
apiGroup: rbac.authorization.k8s.io
- It is associated with the default ClusterRole cluster-admin, granting administrator authority for the cluster.
Cluster Editor
To create a cluster editor, follow these steps:
- Create an IAM user group named ClusterEditGroup.
- Create a ClusterRoleBinding with the following content in the target cluster:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-edit-group
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: ClusterEditGroup
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-edit-group
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: ClusterEditGroup
apiGroup: rbac.authorization.k8s.io
- The default cluster role edit is associated with it, and editor permissions are granted for the cluster.
Cluster Viewer
To create a cluster viewer, follow these steps:
- Create an IAM user group named ClusterViewGroup.
- Create a cluster role binding with the following content in the target cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-view-group
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: ClusterViewGroup
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-view-group
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: ClusterViewGroup
apiGroup: rbac.authorization.k8s.io
- The default cluster role view is associated with it, and viewer permissions are granted for the cluster.
Namespace Administrator
To create a namespace administrator, follow these steps:
- Create an IAM user group named NamespaceAdminGroup.
- Create a role binding with the following content in the target cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace-admin-group
namespace: <namespace_name>
roleRef:
kind: ClusterRole
name: admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: NamespaceAdminGroup
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace-admin-group
namespace: <namespace_name>
roleRef:
kind: ClusterRole
name: admin
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: NamespaceAdminGroup
apiGroup: rbac.authorization.k8s.io
- The default cluster role admin is associated with it, and administrator permissions are granted for the namespace.
Namespace Editor
To create a namespace editor, follow these steps:
- Create an IAM user group named NamespaceEditGroup.
- Create a role binding with the following content in the target cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace-edit-group
namespace: <namespace_name>
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: NamespaceEditGroup
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace-edit-group
namespace: <namespace_name>
roleRef:
kind: ClusterRole
name: edit
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: NamespaceEditGroup
apiGroup: rbac.authorization.k8s.io
- The default cluster role edit is associated with it, and editor permissions are granted for the namespace.
Namespace Viewer
To create a namespace viewer, follow these steps:
- Create an IAM user group named NamespaceViewGroup.
- Create a role binding with the following content in the target cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace-view-group
namespace: <namespace_name>
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: NamespaceViewGroup
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace-view-group
namespace: <namespace_name>
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: NamespaceViewGroup
apiGroup: rbac.authorization.k8s.io
- The default cluster role view is associated with it, and viewer permissions are granted for the namespace.
To create a namespace viewer, follow these steps:
- Create an IAM user group: Create an IAM user group named NamespaceViewGroup.
- Create a role binding: Create a role binding with the following content in the target cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace-view-group
namespace: <namespace_name>
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: NamespaceViewGroup
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace-view-group
namespace: <namespace_name>
roleRef:
kind: ClusterRole
name: view
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: NamespaceViewGroup
apiGroup: rbac.authorization.k8s.io
- The view cluster role is associated with the viewer permission for the specified namespace.
Practice Example
This chapter describes an example and procedure for applying an administrator to a specific namespace.
- IAM user group: NamespaceAdminGroup
- IAM policy: NamespaceAdminAccess
- Role binding: namespace-admin-group
Create an IAM User Group
Note
For more information about IAM user groups, see
IAM > User Group.
To create an IAM user group in Samsung Cloud Platform, follow these steps:
Click All Services > Management > IAM. The Identity and Access Management (IAM) Service Home page appears.
On the Service Home page, click User Group. The User Group List page appears.
On the User Group List page, click Create User Group.
Enter the required information in the Basic Information, Add User, Attach Policy, and Additional Information sections.
| Category | Required | Description |
|---|
| User Group Name | Required | Enter the user group name- Use Korean, English, numbers, and special characters (
+=,.@-_) to enter a value between 3 and 24 characters - Enter NamespaceAdminGroup as the user group name
|
| Description | Optional | Description of the user group name- Enter a detailed description of the user group name, up to 1,000 characters
|
| User | Optional | Users to add to the user group- The list of users registered in the account is displayed, and the selected user’s name is displayed at the top of the screen when the checkbox is selected
- Click the Delete button at the top of the screen or uncheck the checkbox in the user list to cancel the selection of the selected user
- If there are no users to add, click Create User at the bottom of the user list to register a new user, and then refresh the user list to select the user
|
| Policy | Optional | Policy to attach to the user group- The list of policies registered in the account is displayed, and the selected policy name is displayed at the top of the screen when the checkbox is selected
- Select ViewerAccess in the policy list
|
| Tag | Optional | Tags to add to the user group- Up to 50 tags can be added per resource
|
Table. User Group Creation Information Input Items
Click the Complete button. The User Group List page appears.
Note
In this practice example, the ViewerAccess policy (permission to view all resources) is attached for demonstration purposes.
- If you do not need permission to view all resources in the Samsung Cloud Platform Console, you do not need to attach the ViewerAccess policy. Define and apply a separate policy according to your actual situation.
Create an IAM Policy
Note
If you do not need to grant Samsung Cloud Platform Console usage permissions, you do not need to perform this step.
Note
For more information about IAM policies, see
IAM > Policy.
To create an IAM policy in Samsung Cloud Platform, follow these steps:
Click All Services > Management > IAM. The Identity and Access Management (IAM) Service Home page appears.
On the Service Home page, click Policy. The Policy List page appears.
On the Policy List page, click Create Policy. The Create Policy page appears.
Enter the required information in the Basic Information and Additional Information sections.
| Category | Required | Description |
|---|
| Policy Name | Required | Enter the policy name- Use Korean, English, numbers, and special characters (
+=,.@-_) to enter a value between 3 and 128 characters - Enter NamespaceAdminAccess as the policy name
|
| Description | Optional | Description of the policy name- Enter a detailed description of the policy name, up to 1,000 characters
|
| Tag | Optional | Tags to add to the policy- Up to 50 tags can be added per resource
|
Table. Policy Creation Information Input Items - Basic Information and Additional Information
Click the Next button. The Permission Settings section appears.
Enter the required information in the Permission Settings section.
Select Kubernetes Engine in the Service section.
You can create a policy by importing an existing policy using Policy Import. For more information about Policy Import, see Policy Import.
| Category | Required | Description |
|---|
| Control Type | Required | Select the policy control type- Allow Policy: A policy that allows defined permissions
- Deny Policy: A policy that denies defined permissions
The deny policy takes precedence for the same target |
| Action | Required | Select actions provided by each service- Create: CreateKubernetesObject selected
- Delete: DeleteKubernetesObject selected
- List: ListKubernetesEngine, ListKubernetesObject selected
- Read: DetailKubernetesObject selected
- Update: UpdateKubernetesObject selected
- Add Action Directly: Use wildcard
* to specify multiple actions at once
|
| Applied Resource | Required | Resource to which the action is applied- All Resources: Apply to all resources for the selected action
- Individual Resource: Apply only to the specified resource for the selected action
- Individual resources are only possible when selecting actions that allow individual resource selection (purple actions)
- Click the Add Resource button to specify the target resource by resource type
- For more information on Add Resource, see Registering individual resources as applied resources
|
| Authentication Type | Required | Authentication method for the target user- All Authentication: Apply regardless of authentication method
- API Key Authentication: Apply to users who use API key authentication
- IAM Key Authentication, Console Login: Apply to users who use IAM key authentication or console login
|
| Applied IP | Required | IP addresses to which the policy is applied- User-specified IP: Register and manage IP addresses directly by the user
- Applied IP: Register IP addresses directly by the user as IP addresses or ranges to which the policy is applied
- Excluded IP: Register IP addresses to be excluded from Applied IP as IP addresses or ranges
- All IP: Do not restrict IP access
- Allow access to all IP addresses, but if exceptions are needed, register Excluded IP to restrict access to registered IP addresses
|
Table. Policy creation information input items - Permission settings
Note
Permission settings provide Basic Mode and JSON Mode.
- If you write in Basic Mode and enter JSON Mode or move to another screen, services with the same conditions will be integrated into one, and settings that are not completed will be deleted.
- If the content written in JSON Mode does not match the JSON format, you cannot switch to Basic Mode.
- Click the Next button. Move to the Input Information Check page.
- Check the input information and click the Complete button. Move to the Policy List page.
Add a user to an IAM user group
Reference
For more information on managing IAM user groups, see
IAM > Managing User Groups.
To add a user to an IAM user group in Samsung Cloud Platform, follow these steps.
- Click All Services > Management > IAM menu. Move to the Identity and Access Management (IAM) Service Home page.
- On the Service Home page, click the User menu. Move to the User List page.
- On the User List page, click the user to be added to the IAM user group. Move to the User Details page.
- On the User Details page, click the User Group tab.
- On the user group tab, select the Add User Group button. Move to the Add User Group page.
- On the Add User Group page, select the user group to be added and click the Complete button. Move to the User Details page.
- Select NamespaceAdminGroup from the user group.
Create a role binding
Create a role binding by referring to the example below.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace-admin-group
namespace: dev # target namespace
roleRef:
kind: ClusterRole
name: admin # pre-defined cluster role in Kubernetes
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: NamespaceAdminGroup # IAM user group created earlier
apiGroup: rbac.authorization.k8s.io
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: namespace-admin-group
namespace: dev # target namespace
roleRef:
kind: ClusterRole
name: admin # pre-defined cluster role in Kubernetes
apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
name: NamespaceAdminGroup # IAM user group created earlier
apiGroup: rbac.authorization.k8s.io
Verify the user
Verify that the user’s namespace permissions are applied normally.
To verify namespace user permissions in Samsung Cloud Platform, follow these steps.
- Click All Services > Container > Kubernetes Engine menu. Move to the Kubernetes Engine Service Home page.
- On the Service Home page, click Workload menu under Pod. Move to the Pod List page.
- On the Pod List page, select the cluster and namespace from the gear button at the top left and click Confirm.
- On the Pod List page, verify that the pod list is retrieved.
- If you select a namespace with permissions, the pod list will be displayed.
- If you select a namespace without permissions, a confirmation window will be displayed indicating that you do not have permission to retrieve the list.
2 - Accessing the Cluster
kubectl Installation and Usage Guide
After creating a Kubernetes Engine service, you can use the Kubernetes command-line tool kubectl to execute commands on a Kubernetes cluster. Using kubectl, you can deploy applications, inspect and manage cluster resources, and view logs. You can find how to install and use kubectl in the official Kubernetes documentation as follows.
Table. kubectl reference documentation
Reference
You must use a kubectl version that is within the minor version difference of the cluster. For example, if the cluster version is 1.30, you can use kubectl versions 1.29, 1.30, or 1.31.
To access a Kubernetes cluster with kubectl, you need a kubeconfig file containing the Kubernetes server address and authentication information.
Reference
For detailed information on Kubernetes authentication and authorization, see
Authentication and Authorization.
Kubernetes Engine supports authentication via admin certificate kubeconfig and user authentication key kubeconfig.
admin certificate kubeconfig
This kubeconfig uses the admin certificate as an authentication method when accessing the Kubernetes API.
Admin kubeconfig download
Kubernetes Engine > Cluster List > Cluster Details > Admin kubeconfig Download button to click and download the kubeconfig file.
Caution
- Administrator kubeconfig download is only possible for Admin.
- There are separate private endpoint and public endpoint versions, and you can download each only once.
Admin kubeconfig use
Reference
- By default, kubectl looks for a file named config in the $HOME/.kube directory. Or you can set the KUBECONFIG environment variable or specify the
kubeconfig flag to use a different kubeconfig file. - Private endpoints are by default only accessible from nodes of the respective cluster. For resources in the same Account and same region, you can allow access by adding them to the private endpoint access control settings.
- If you need to access the cluster from the external internet, setting public endpoint access to enabled allows you to access using the public endpoint kubeconfig.
User authentication key kubeconfig
This kubeconfig uses the user’s Open API authentication key as the authentication method when accessing the Kubernetes API.
User kubeconfig download
Kubernetes Engine > Cluster List > Cluster Details > User kubeconfig download Click the button to download the kubeconfig file.
Caution
- User kubeconfig download is only possible for users with cluster view permission.
- There are separate ones for private endpoint and public endpoint.
- Since the downloaded kubeconfig file does not contain the authentication key token, you need to add the authentication key token information before using it. (See the next paragraph)
Add authentication key token to user kubeconfig file
Below is an example of a user’s kubeconfig file. To use the kubeconfig file, you need to add the authentication key token (AUTHKEY_TOKEN) information in the token field inside the file.
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...
server: https://my-cluster-a1c3e.ske.xxx.samsungsdscloud.com:6443
name: my-cluster-a1c3e
contexts:
- context:
cluster: my-cluster-a1c3e
user: jane.doe
name: jane.doe@my-cluster-a1c3e
current-context: jane.doe@my-cluster-a1c3e
kind: Config
preferences: {}
users:
- name: jane.doe
user:
token: <AUTHKEY_TOKEN> #### writing needed
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...
server: https://my-cluster-a1c3e.ske.xxx.samsungsdscloud.com:6443
name: my-cluster-a1c3e
contexts:
- context:
cluster: my-cluster-a1c3e
user: jane.doe
name: jane.doe@my-cluster-a1c3e
current-context: jane.doe@my-cluster-a1c3e
kind: Config
preferences: {}
users:
- name: jane.doe
user:
token: <AUTHKEY_TOKEN> #### writing needed
AUTHKEY_TOKEN can be generated by concatenating the authentication key’s ACCESS_KEY and SECRET_KEY with a colon (:) and then Base64 encoding it. The following is an example of creating AUTHKEY_TOKEN in a Linux environment.
$ ACCESS_KEY=5df418813aed051548a72f4a814cf09e
$ SECRET_KEY=6ba7b810-9dad-11d1-80b4-00c04fd430c8
$ AUTHKEY_TOKEN=$(echo -n "$ACCESS_KEY:$SECRET_KEY" | base64 -w0)
$ echo $AUTHKEY_TOKEN
NWRmNDE4ODEzYWVkMDUxNTQ4YTcyZjRhODE0Y2YwOWU6NmJhN2I4MTAtOWRhZC0xMWQxLTgwYjQtMDBmMDRmZDQzMGM4r
$ ACCESS_KEY=5df418813aed051548a72f4a814cf09e
$ SECRET_KEY=6ba7b810-9dad-11d1-80b4-00c04fd430c8
$ AUTHKEY_TOKEN=$(echo -n "$ACCESS_KEY:$SECRET_KEY" | base64 -w0)
$ echo $AUTHKEY_TOKEN
NWRmNDE4ODEzYWVkMDUxNTQ4YTcyZjRhODE0Y2YwOWU6NmJhN2I4MTAtOWRhZC0xMWQxLTgwYjQtMDBmMDRmZDQzMGM4r
Note
- For detailed information on authentication key generation, please refer to API Reference > Common > Samsung Cloud Platform Open API call procedure.
User kubeconfig execution example
You can see an example of executing the user kubeconfig.
When access is blocked by access control or a firewall
$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
Unable to connect to the server: dial tcp 123.123.123.123:6443: i/o timeout
$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
Unable to connect to the server: dial tcp 123.123.123.123:6443: i/o timeout
When AUTHKEY_TOKEN does not match and authentication fails
$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
error: You must be logged in to the server (Unauthorized)
$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
error: You must be logged in to the server (Unauthorized)
AUTHKEY_TOKEN When authentication succeeds
$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
...
kube-node-lease Active 10d
kube-public Active 10d
kube-system Active 10d
$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
...
kube-node-lease Active 10d
kube-public Active 10d
kube-system Active 10d
AUTHKEY_TOKEN Authentication succeeded but no permission
$ kubectl --kubeconfig=user-kubeconfig.yaml get nodes
Error from server (Forbidden): nodes is forbidden: User "jane.doe" cannot list resource "nodes" in API group "" at the cluster scope
$ kubectl --kubeconfig=user-kubeconfig.yaml get nodes
Error from server (Forbidden): nodes is forbidden: User "jane.doe" cannot list resource "nodes" in API group "" at the cluster scope
Reference
If AUTHKEY_TOKEN authentication succeeds but there is no permission, it means that the authentication process was completed correctly, but the authority to perform the requested operation was not granted (authorized). For detailed information about authorization, see
Authentication and Authorization.
3 - type LoadBalancer Service Usage
Service Configuration Method
Service manifest file (example:
my-lb-svc.yaml
) can be written and applied to configure a Service of type LoadBalancer.
Caution
- LoadBalancer is created in the cluster Subnet by default.
- To create a LoadBalancer in a different Subnet, use the annotation service.beta.kubernetes.io/scp-load-balancer-subnet-id. For more details, see Annotation Detailed Settings
To create and apply a type LoadBalancer Service, follow the steps below.
Service manifest file
my-lb-svc.yaml
write.
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app.kubernetes.io/name: MyApp
ports:
- protocol: TCP
port: 80
targetPort: 9376
appProtocol: tcp # Refer to the LB service protocol type setting section
type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app.kubernetes.io/name: MyApp
ports:
- protocol: TCP
port: 80
targetPort: 9376
appProtocol: tcp # Refer to the LB service protocol type setting section
type: LoadBalancer
Deploy the Service manifest using the kubectl apply command.
kubectl apply -f my-lb-svc.yaml
kubectl apply -f my-lb-svc.yaml
Caution
- When a type LoadBalancer Service is created, the corresponding Load Balancer service is automatically created. It may take a few minutes for the configuration to complete.
- Do not arbitrarily modify the automatically generated Load Balancer service and LB server group. Changes may be reverted or cause unexpected behavior.
- For configurable detailed functions, refer to Annotation Detailed Settings.
kubectl get service
Use the command to check the Load Balancer configuration.# kubectl get service my-lb-svc
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default my-lb-svc LoadBalancer 172.20.49.206 123.123.123.123 80:32068/TCP 3m
# kubectl get service my-lb-svc
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
default my-lb-svc LoadBalancer 172.20.49.206 123.123.123.123 80:32068/TCP 3m
Protocol Type
You can create a Service manifest and use it. Here is a simple example.
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
...
ports:
- port: 80
targetPort: 9376
protocol: TCP # required (choose one of TCP, UDP)
appProtocol: tcp # choice (if not entered, select one of tcp, http, https)
type: LoadBalancer # type LoadBalancer
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
...
ports:
- port: 80
targetPort: 9376
protocol: TCP # required (choose one of TCP, UDP)
appProtocol: tcp # choice (if not entered, select one of tcp, http, https)
type: LoadBalancer # type LoadBalancer
The list of protocols (protocol and appProtocol) supported by the type Load Balancer Service in Kubernetes Engine, and the settings applied to the Load Balancer service accordingly, are as follows.
| Category | (k8s)
protocol | (k8s)
appProtocol | (LB)
Service Category | (LB)
LB Listener | (LB)
LB Server Group | (LB)
Health Check |
|---|
| L4 TCP | TCP | (tcp) | L4 | TCP {port} | TCP {nodePort} | TCP {nodePort} |
| L4 UDP | UDP | - | L4 | UDP {port} | UDP {nodePort} | TCP {nodePort} |
| L7 HTTP | TCP | http | L7 | HTTP {port} | TCP {nodePort} | TCP/HTTP {nodePort} |
| L7 HTTPS | TCP | https | L7 | HTTPS {port} | TCP {nodePort} | TCP/HTTP {nodePort} |
Table. k8s Service manifest and Load Balancer service configuration
- k8s Service can specify multiple ports for a single service according to the manifest spec.
Caution
According to the Load Balancer service classification (L4, L7), you cannot mix protocol layers within a single Service.
- Thus L4 (TCP, UDP) and L7 (HTTP, HTTPS) cannot be used together in a single Service.
L4 Service Manifest creation example
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app.kubernetes.io/name: MyApp
ports:
- protocol: TCP
port: 80
targetPort: 9376
type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
name: my-service
spec:
selector:
app.kubernetes.io/name: MyApp
ports:
- protocol: TCP
port: 80
targetPort: 9376
type: LoadBalancer
L7 Service Manifest creation example
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/scp-load-balancer-layer-type: "L7" # required
service.beta.kubernetes.io/scp-load-balancer-client-cert-id: "24da35de187b450eb0cf09fb6fa146de" # required
name: my-service
spec:
selector:
app.kubernetes.io/name: MyApp
ports:
- appProtocol: http # required
protocol: TCP
port: 80
targetPort: 9376
- appProtocol: https # required
protocol: TCP
port: 443
targetPort: 9898
type: LoadBalancer
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/scp-load-balancer-layer-type: "L7" # required
service.beta.kubernetes.io/scp-load-balancer-client-cert-id: "24da35de187b450eb0cf09fb6fa146de" # required
name: my-service
spec:
selector:
app.kubernetes.io/name: MyApp
ports:
- appProtocol: http # required
protocol: TCP
port: 80
targetPort: 9376
- appProtocol: https # required
protocol: TCP
port: 443
targetPort: 9898
type: LoadBalancer
Annotation Detailed Settings
You can add annotations to the service manifest to configure detailed functions.
apiVersion: v1
kind: Service
metatdata:
name: my-lb-svc
annotations:
service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled: "true"
service.beta.kubernetes.io/scp-load-balancer-health-check-interval: "5"
service.beta.kubernetes.io/scp-load-balancer-health-check-timeout: "5"
service.beta.kubernetes.io/scp-load-balancer-health-check-count: "3"
service.beta.kubernetes.io/scp-load-balancer-session-duration-time: "300"
spec:
type: LoadBalancer
...
apiVersion: v1
kind: Service
metatdata:
name: my-lb-svc
annotations:
service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled: "true"
service.beta.kubernetes.io/scp-load-balancer-health-check-interval: "5"
service.beta.kubernetes.io/scp-load-balancer-health-check-timeout: "5"
service.beta.kubernetes.io/scp-load-balancer-health-check-count: "3"
service.beta.kubernetes.io/scp-load-balancer-session-duration-time: "300"
spec:
type: LoadBalancer
...
If no separate annotation is added to the service, the default and allowed values of the applied annotation are as follows. Also, check the precautions for each annotation.
| Annotation | Protocol | Default | Allowed values | Example | Description |
|---|
| service.beta.kubernetes.io/scp-load-balancer-source-ranges-firewall-rules | All | false | true, false | false | Automatically add firewall rules (LB source ranges → LB service IP) |
| service.beta.kubernetes.io/scp-load-balancer-snat-healthcheck-firewall-rules | All | false | true,false | false | Automatically add firewall rules (LB Source NAT IP, HealthCheck IP → member IP:Port)- If you use this annotation, firewall rules are added for each port of a type LB service, so the number of firewall rules can become very large.
- If having too many firewall rules is a burden, as an alternative you can add firewall rules manually without using this annotation. For example, you can add firewall rules that target the member IP’s NodePort range (30000-32767).
|
Table. Firewall-related settings in Kubernetes annotations
| Annotation | Protocol | Default | Allowed values | Example | Description |
|---|
| service.beta.kubernetes.io/scp-load-balancer-security-group-id | All | - | UUID | 92d84b44-ee71-493d-9782-3a90481ce5f3 | Automatically adds rules to the Security Group corresponding to the specified ID- If you use this annotation, rules are added to the Security Group for each port of the type LB service, so Security Group rules can become very numerous.
- If having too many Security Group rules is burdensome, you can alternatively add Security Group rules manually without using this annotation. For example, you can set the target address to the Load Balancer’s Source NAT IP and health check IP, and add a Security Group rule that allows ports in the NodePort range (30000-32767).
- Security Group rules added by this annotation are not automatically deleted even if this annotation is removed or changed.
- Multiple entries can be added separated by commas. (Example:
ddc25ad8-6d3f-4242-8c86-2a059212ddc6,26ab7fe1-b3ea-4aa9-9e9d-35a7c237904e)
- This annotation can be used together with the service.beta.kubernetes.io/scp-load-balancer-security-group-name annotation, and rules are automatically added to all Security Groups that meet the criteria.
|
| service.beta.kubernetes.io/scp-load-balancer-security-group-name | All | - | string | security-group-1 | Automatically adds rules to the Security Group corresponding to the specified Name- If you use this annotation, rules are added to the Security Group for each port of the type LB service, so Security Group rules can become very numerous.
- If having too many Security Group rules is burdensome, you can alternatively add Security Group rules manually without using this annotation. For example, you can set the target address to the Load Balancer’s Source NAT IP and health check IP, and add a Security Group rule that allows ports in the NodePort range (30000-32767).
- Security Group rules added by this annotation are not automatically removed even if the annotation is deleted or changed.
- Multiple can be added separated by commas (e.g.,
security-group-1,security-group-2)
- This annotation can be used together with the service.beta.kubernetes.io/scp-load-balancer-security-group-id annotation, and rules are automatically added to all Security Groups that meet the conditions.
|
Table. Security Group related settings in Kubernetes annotations
| Annotation | Protocol | Default | Allowed values | Example | Description |
|---|
| service.beta.kubernetes.io/scp-load-balancer-layer-type | All | L4 | L4, L7 | L4 | Specify the service type of the Load Balancer- When using this annotation, specify L4 if you want to use TCP or UDP, and L7 if you want to use HTTP or HTTPS.
- Cannot be changed after initial creation. To change it, you must recreate the service.
|
| service.beta.kubernetes.io/scp-load-balancer-subnet-id | All | - | ID | 7f05eda5e1cf4a45971227c57a6d60fa | Specify the Service Subnet of the Load Balancer- If this annotation is not specified, the cluster’s Subnet is used.
- It cannot be changed after initial creation. To change it, the service must be recreated.
|
| service.beta.kubernetes.io/scp-load-balancer-service-ip | All | - | IP address | 192.168.10.7 | Specify the Service IP of the Load Balancer- Cannot be changed after initial creation. To change it, you must recreate the service.
|
| service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled | All | false | true, false | false | Specify whether to use the Load Balancer’s Public NAT IP- If this annotation is set to true and service.beta.kubernetes.io/scp-load-balancer-public-ip-id is not specified, an IP is automatically assigned.
- If this annotation is set to true and service.beta.kubernetes.io/scp-load-balancer-public-ip-id is specified, the Public IP corresponding to the specified ID is applied.
|
| service.beta.kubernetes.io/scp-load-balancer-public-ip-id | All | - | ID | 4119894bd9614cef83db6f8dda667a20 | Specify the ID of the Public IP to be used as the Load Balancer’s Public NAT IP- If service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled is not set to true, this annotation is ignored.
- If service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled is set to true and this annotation is specified, the Public IP corresponding to the specified ID is applied.
|
Table. Load Balancer related settings in Kubernetes annotations
| Annotation | Protocol | Default | Allowed values | Example | Description |
|---|
| service.beta.kubernetes.io/scp-load-balancer-response-timeout | HTTP, HTTPS | 0 | 0 - 120 | 60 | Specify the response timeout (seconds) of the LB Listener- 0 means the response timeout feature is disabled.
- After setting to 1 - 120, it cannot be changed to 0. To change, you must recreate the service.
|
| service.beta.kubernetes.io/scp-load-balancer-session-duration-time | All | 120 | 0 - 120 | 120 | Specify the session persistence time (seconds) of the LB Listener- 0 means the session persistence feature is disabled.
- After setting to 1 - 120, it cannot be changed to 0. To change, you must recreate the service.
|
| service.beta.kubernetes.io/scp-load-balancer-insert-client-ip | TCP | false | true, false | false | Specify Insert Client IP of LB Listener |
| service.beta.kubernetes.io/scp-load-balancer-x-forwarded-proto | HTTP, HTTPS | false | true, false | false | Specify whether to use the X-Forwarded-Proto header of the LB Listener |
| service.beta.kubernetes.io/scp-load-balancer-x-forwarded-port | HTTP, HTTPS | false | true, false | false | Specify whether to use the X-Forwarded-Port header of the LB Listener |
| service.beta.kubernetes.io/scp-load-balancer-x-forwarded-for | HTTP, HTTPS | false | true, false | false | Specify whether to use the X-Forwarded-For header of the LB Listener |
| service.beta.kubernetes.io/scp-load-balancer-support-http2 | HTTP, HTTPS | false | true, false | false | Specify whether the LB Listener supports HTTP 2.0 |
| service.beta.kubernetes.io/scp-load-balancer-persistence | TCP, HTTP, HTTPS | "" | "", source-ip, cookie | source-ip | Specify the LB Listener’s persistence (none, source IP, or cookie)- For UDP, this annotation cannot be used.
- For TCP, you can specify "" or
source-ip to use.
- For HTTP/HTTPS, you can specify one of “”,
source-ip, cookie to use.
|
| service.beta.kubernetes.io/scp-load-balancer-client-cert-id | HTTPS | - | UUID | 78b9105e00324715b63700933125fa83 | Specify the ID of the client SSL certificate for the LB Listener- HTTPS is a required field when selected.
|
| service.beta.kubernetes.io/scp-load-balancer-client-cert-level | HTTPS | HIGH | HIGH, NORMAL, LOW | HIGH | Specify the security level of the client SSL certificate for the LB Listener |
| service.beta.kubernetes.io/scp-load-balancer-server-cert-level | HTTPS | - | HIGH, NORMAL, LOW | HIGH | Specifies the security level of the LB Listener’s server SSL certificate |
Table. Settings related to LB Listener in Kubernetes annotations
| Annotation | Protocol | Default value | Allowed values | Example | Description |
|---|
| service.beta.kubernetes.io/scp-load-balancer-lb-method | All | ROUND_ROBIN | ROUND_ROBIN, LEAST_CONNECTION, IP_HASH | ROUND_ROBIN | Specify the load balancing policy of the LB server group |
Table. Settings related to LB server group in Kubernetes annotations
| Annotation | Protocol | Default | Allowed values | Example | Description |
|---|
| service.beta.kubernetes.io/scp-load-balancer-health-check-enabled | All | true | true, false | true | Specify whether to use LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-protocol | All | TCP | TCP, HTTP | TCP | Specify the protocol for LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-port | All | {nodeport} | 1 - 65534 | 30000 | Specify the health check port for LB health check{nodeport} is set as default, so generally you don’t need to specify it.
|
| service.beta.kubernetes.io/scp-load-balancer-health-check-count | All | 3 | 1 - 10 | 3 | Specify the detection count of LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-interval | All | 5 | 1 - 180 | 5 | Specifies the LB health check interval |
| service.beta.kubernetes.io/scp-load-balancer-health-check-timeout | All | 5 | 1 - 180 | 5 | Specify the LB health check’s wait time |
| service.beta.kubernetes.io/scp-load-balancer-health-check-http-method | HTTP | GET | GET, POST | GET | Specify the HTTP method for LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-url | HTTP | / | string | /healthz | Specify the URL for LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-response-code | HTTP | 200 | 200 - 500 | 200 | Specify the response code for LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-request-data | HTTP | - | string | username=admin&password=1234 | Specify the request string for LB health check- HTTPS is required input when specified.
|
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-enabled | All | true | true, false | true | Specifies whether to use LB health check for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-protocol | All | TCP | TCP, HTTP | TCP | Specifies the LB health check protocol for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-port | All | - | 1 - 65534 | 30000 | Specify the LB health check port for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-count | All | 3 | 1 - 10 | 3 | Specifies the number of LB health check detections for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-interval | All | 5 | 1 - 180 | 5 | Specifies the LB health check interval for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-timeout | All | 5 | 1 - 180 | 5 | Specifies the LB health check timeout for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-http-method | HTTP | GET | GET, POST | GET | Specify the LB health check HTTP method for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-url | HTTP | / | string | /healthz | Specifies the LB health check URL for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-response-code | HTTP | 200 | 200 - 500 | 200 | Specifies the LB health check response code for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-request-data | HTTP | - | String | username=admin&password=1234 | Specify the LB health check request string for the Service’s {port} port number- It is a required field when HTTPS is specified.
|
Table. Settings related to LB health check in Kubernetes annotations
Constraints
The constraints to consider when using Kubernetes annotations are as follows.
| Constraints | Related Annotations |
|---|
| When changing the Security Group, rules created in the existing Security Group are not automatically deleted | service.beta.kubernetes.io/scp-load-balancer-security-group-id
service.beta.kubernetes.io/scp-load-balancer-security-group-name |
| Cannot change the service classification (L4/L7) of the Load Balancer | service.beta.kubernetes.io/scp-load-balancer-layer-type |
| Cannot use L4 and L7 together within the same k8s Service | service.beta.kubernetes.io/scp-load-balancer-layer-type |
| Load Balancer cannot change subnet | service.beta.kubernetes.io/scp-load-balancer-subnet-id |
| Cannot change the Service IP of the Load Balancer | service.beta.kubernetes.io/scp-load-balancer-service-ip |
| LB Listener response timeout cannot be changed from enabled (1 - 120) to disabled (0) | service.beta.kubernetes.io/scp-load-balancer-response-timeout |
| Cannot use TCP and UDP together on the same port number within the same k8s Service | - |
For L7 HTTP/HTTPS, the routing action applies the URL processing Default pattern ("/")- To add other URL patterns, you must add them directly in the Samsung Cloud Platform console
- URL processing only supported and URL redirection is not supported
| - |
Table. Constraints when using Kubernetes annotations
4 - Considerations for Use
Managed Port Constraints
The following ports are used for SKE management and cannot be used for service use. In addition, if blocked by OS firewall, etc., node functions or some functions may not work normally.
| Port | Description |
|---|
| UDP 4789 | calico-vxlan |
| TCP 5473 | calico-typha |
| TCP 10250 | kubelet |
| TCP 19100 | node-exporter |
| TCP 19400 | dcgm-exporter |
Table. Managed Port List
kube-reserved resource constraints
kube-reserved is a feature that reserves resources for system daemons that do not run as pods on the node.
- There are system daemons that do not run as pods, such as kubelet, container runtime, etc.
Reference
For more information on kube-reserved, please refer to the following document.
Kubernetes Engine reserves CPU and memory based on the following criteria.
| CPU specification | Memory specification |
|---|
- Next core’s 1% (up to 2 cores)
- Next 2 cores’ 0.5% (up to 4 cores)
- Cores exceeding 4 cores’ 0.25%
| - Next 4 GB memory’s 20% (up to 8 GB)
- Next 8 GB memory’s 10% (up to 16 GB)
- Next 112 GB memory’s 6% (up to 128 GB)
- Memory exceeding 128 GB’s 2%
|
Table. Resource reservation items based on CPU and memory
Example: For a Virtual Server with 16-core vCPU and 32G Memory, kube-reserved is calculated as follows.
- CPU: (1 core × 0.06) + (1 core × 0.01) + (2 cores × 0.005) + (12 cores × 0.0025) = 0.11 core
- Memory: (4 GB × 0.25) + (4 GB × 0.2) + (8 GB × 0.1) + (16 GB × 0.06) = 3.56 GB
Example: The resources reserved according to CPU size are as follows.
| CPU specification | Resource specification1 | Resource specification2 | Resource specification3 | Resource specification4 |
|---|
| kube-reserved CPU | 70 m | 80 m | 90 m | 110 m |
Table. Example of resources reserved according to CPU size
- Example: The resources reserved according to the memory size are as follows.
| Memory Specification | Resource Specification1 | Resource Specification2 | Resource Specification3 | Resource Specification4 | Resource Specification4 | Resource Specification4 | Resource Specification4 |
|---|
| kube-reserved memory | 1 GB | 1.8 GB | 2.6 GB | 3.56 GB | 5.48 GB | 9.32 GB | 11.88 GB |
Table. Example of resources reserved according to memory size