This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Using Kubernetes Engine

1: Authentication and Authorization
2: Accessing the Cluster
3: Using type LoadBalancer Service
4: Considerations for Use
5: Version Information

Configure external network communication to expose HTTP and HTTPS services from the cluster to the outside. To configure external network communication, you can create a service of type LoadBalancer.

Using Kubernetes Engine Guide

The Using Kubernetes Engine guide describes the following features. For more information, refer to the corresponding guide.

Guide	Description
Creating a LoadBalancer Service	Instructions on how to create a LoadBalancer-type service through a service manifest file For more information, see Using LoadBalancer Services

Table. Description of Using Kubernetes Engine Guide

1 - Authentication and Authorization

Kubernetes Engine has Kubernetes’ authentication and RBAC authorization features applied. This explains the authentication and authorization features of Kubernetes and how to link them with Kubernetes Engine and IAM.

Kubernetes Authentication and Authorization

This explains the authentication and RBAC authorization features of Kubernetes.

Authentication

The Kubernetes API server acquires the necessary information for user or account authentication from certificates or authentication tokens and proceeds with the authentication process.

Note

For a detailed explanation of Kubernetes authentication, refer to the following document: https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Note

For a detailed explanation of using kubectl and kubeconfig, refer to Accessing the Cluster.

Authorization

The Kubernetes API server checks if the user has permission for the requested action using the user information obtained through the authentication process and the RBAC-related objects. There are four types of RBAC-related objects as follows:

Object	Scope	Description
ClusterRole	Cluster-wide	Definition of permissions across all namespaces in the cluster
ClusterRoleBinding	Cluster-wide	Binding definition between ClusterRole and user
Role	Namespace	Definition of permissions for a specific namespace
RoleBinding	Namespace	Binding definition between ClusterRole or Role and user

Table. RBAC-related objects

Note

For a detailed explanation of Kubernetes RBAC authorization, refer to the following document: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Role

Kubernetes has several predefined ClusterRoles. Some of these ClusterRoles do not have the prefix system:, which means they are intended for user use. These include the cluster-admin role that can be applied to the entire cluster using ClusterRoleBinding, and the admin, edit, and view roles that can be applied to a specific namespace using RoleBinding.

Default ClusterRole	Default ClusterRoleBinding	Description
cluster-admin	system:masters group	Grants superuser access to perform all actions on all resources. When used in ClusterRoleBinding, it grants full control over all resources in the cluster and all namespaces. When used in RoleBinding, it grants full control over the namespace and all resources in the namespace bound to the RoleBinding.
admin	None	Grants administrator access to the namespace when used with RoleBinding. When used in RoleBinding, it grants read/write access to most resources in the namespace, including the ability to create roles and role bindings. However, this role does not grant write access to resource quotas or the namespace itself.
edit	None	Grants read/write access to most objects in the namespace. This role does not grant the ability to view or modify roles and role bindings. However, this role allows access to secrets, which can be used to run pods in the namespace as any account, effectively granting API access at the account level.
view	None	Grants read-only access to most objects in the namespace. Roles and role bindings cannot be viewed. This role does not grant access to secrets, as reading secret contents would allow access to account credentials and potentially grant API access at the account level (a form of privilege escalation).

Table. Default ClusterRole and ClusterRoleBinding descriptions

Note

For a detailed explanation of user-facing roles, refer to the following document: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

In addition to the predefined ClusterRoles, you can define separate roles (or ClusterRoles) as needed. For example:

Color mode

# Role that grants permission to view pods in the "default" namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

# Role that grants permission to view pods in the "default" namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

Code block. Role that grants permission to view pods in a namespace

Color mode

# ClusterRole that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-viewer
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

# ClusterRole that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-viewer
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

Code block. ClusterRole that grants permission to view nodes

Note

For more information about roles and cluster roles, see the following document: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole

Role Binding

To manage access to the Kubernetes Engine using Samsung Cloud Platform IAM, you need to understand the relationship between Kubernetes’ role binding and IAM. The target (subjects) of role binding (or cluster role binding) can include individual users (User) or groups (Group).

User matches the Samsung Cloud Platform username, and Group matches the IAM user group name.

For role binding/cluster role binding, subjects.kind can be one of the following:

User: Binds to a Samsung Cloud Platform individual user.
Group: Binds to a Samsung Cloud Platform IAM user group.

Note

In addition to the above, a service account can also be specified, but a service account is generally not for users and cannot be bound to a Samsung Cloud Platform user.

The subjects.name of role binding/cluster role binding can be specified as follows:

User case: Samsung Cloud Platform individual username (e.g. jane.doe)
Group case: Samsung Cloud Platform IAM user group name (e.g. ReadPodsGroup)

Note

subjects.name is case-sensitive.

In this way, an IAM user group is bound to a role binding (or cluster role binding) written in the Kubernetes Engine cluster. Additionally, the permission to perform API operations included in the role (or cluster role) bound to the group is granted.

Example) Role Binding read-pods #1

An example of writing a User (Samsung Cloud Platform individual user) to a role binding is as follows:

Color mode

# This role binding allows the user "jane.doe@example.com" to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
roleRef:
  # "roleRef" specifies the binding to a role or cluster role.
  kind: Role       # Must be Role or ClusterRole.
  name: pod-reader # Must match the name of the role or cluster role to bind.
  apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: User
  name: jane.doe
  apiGroup: rbac.authorization.k8s.io

# This role binding allows the user "jane.doe@example.com" to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
roleRef:
  # "roleRef" specifies the binding to a role or cluster role.
  kind: Role       # Must be Role or ClusterRole.
  name: pod-reader # Must match the name of the role or cluster role to bind.
  apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: User
  name: jane.doe
  apiGroup: rbac.authorization.k8s.io

Code block. Example of writing a User (Samsung Cloud Platform individual user) to a role binding

If a role binding like the above is created in a cluster, a user with the username jane.doe is granted the permission to perform the API actions defined in the pod-reader role.

Example) Role Binding read-pods #2

An example of writing a group (IAM user group) to a role binding is as follows:

Color mode

# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: Group
  name: ReadPodsGroup
  apiGroup: rbac.authorization.k8s.io

# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: Group
  name: ReadPodsGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Example of Role binding that allows the ReadPodsGroup group to view pods

If a role binding like the above is created in the cluster, users in the IAM user group ReadPodsGroup are granted the permission to perform API operations written in the pod-reader role.

Example) Cluster Role Binding read-nodes

Color mode

# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ReadNodesGroup
  apiGroup: rbac.authorization.k8s.io

# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ReadNodesGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Example of a cluster role binding that allows the ReadNodesGroup group to view nodes

When a cluster role binding like the one above is created in the cluster, users in the IAM user group ReadNodesGroup are granted the permissions to perform the API actions written in the cluster role node-reader.

Note

For more detailed explanations on role binding creation, refer to the following document: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-binding-examples

Predefined Roles and Role Bindings for Samsung Cloud Platform

The Kubernetes Engine of Samsung Cloud Platform has predefined cluster role bindings scp-cluster-admin, scp-view, scp-namespace-view, and cluster roles scp-namespace-view. The following table shows the binding relationship between predefined roles and role bindings, and Samsung Cloud Platform users. Here, cluster roles cluster-admin and view are predefined within the Kubernetes cluster. For more detailed explanations, refer to the Roles section.

Cluster Role Binding	Cluster Role	Subjects (User)
scp-cluster-admin	cluster-admin	Group AdministratorGroup Group OperatorGroup User john.smith
scp-view	view	Group ViewerGroup
scp-namespace-view	scp-namespace-view	All authenticated users in the cluster

Table. Predefined Roles and Role Bindings for Samsung Cloud Platform, IAM User Groups, and User Binding Relationships

According to the cluster role binding scp-cluster-admin, users in the IAM user groups AdministratorGroup or OperatorGroup, as well as the Kubernetes Engine product applicant, are granted cluster administrator permissions.
According to the cluster role binding scp-view, users in the ViewerGroup are granted cluster viewer permissions. More precisely, since it is linked to the predefined cluster role view in Kubernetes, access permissions for cluster-scoped resources (e.g., namespaces, nodes, ingress classes, etc.) and secrets within namespaces are not included. For more detailed explanations, refer to the Roles section.
According to the cluster role binding scp-namespace-view, all authenticated users in the cluster are granted namespace viewer permissions.

Note

Predefined roles and role bindings for Samsung Cloud Platform are created only once when the cluster product is applied.
Users can modify or delete predefined cluster role bindings and cluster roles for Samsung Cloud Platform as needed.

The details of predefined roles and role bindings for Samsung Cloud Platform are as follows:

Cluster Role Binding scp-cluster-admin

The cluster role binding scp-cluster-admin is bound to the cluster role cluster-admin and bound to the IAM user groups AdministratorGroup, OperatorGroup, and the SCP user (Kubernetes Engine cluster creator) according to the subjects.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
  name: scp-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: AdministratorGroup
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: OperatorGroup
  apiGroup: rbac.authorization.k8s.io
- kind: User                 # Cluster creator
  name: jane.doe # cluster creater name
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
  name: scp-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: AdministratorGroup
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: OperatorGroup
  apiGroup: rbac.authorization.k8s.io
- kind: User                 # Cluster creator
  name: jane.doe # cluster creater name
  apiGroup: rbac.authorization.k8s.io

Code Block. Example of Cluster Role Binding scp-cluster-admin

Cluster Role Binding scp-view

The cluster role binding scp-view is bound to the cluster role view and bound to the IAM user group ViewerGroup according to the subjects.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-view
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ViewerGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-view
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ViewerGroup
  apiGroup: rbac.authorization.k8s.io

Code Block. Example of Cluster Role Binding scp-view

Cluster Role and Cluster Role Binding scp-namespace-view

Cluster Role scp-namespace-view is a role that defines the authority to view namespaces. Cluster Role Binding scp-namespace-view is associated with Cluster Role scp-namespace-view and grants namespace view authority to all authenticated users in the cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scp-namespace-view
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-namespace-view
roleRef:
  kind: ClusterRole
  name: scp-namespace-view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scp-namespace-view
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-namespace-view
roleRef:
  kind: ClusterRole
  name: scp-namespace-view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

Code Block. Cluster Role and Cluster Role Binding scp-namespace-view Example

IAM User Group RBAC Use Case

This chapter explains examples of granting authority by major user scenarios. The names of IAM user groups, ClusterRoleBindings/RoleBindings, and ClusterRoles presented here are examples for understanding. Administrators should define and apply appropriate names and authorities according to their needs.

Scope	Use Case	IAM User Group	ClusterRoleBinding/RoleBinding	ClusterRole	Note
Cluster	Cluster Administrator	ClusterAdminGroup	ClusterRoleBinding cluster-admin-group	cluster-admin	Administrator for a specific cluster
Cluster	Cluster Editor	ClusterEditGroup	ClusterRoleBinding cluster-edit-group	edit	Editor for a specific cluster
Cluster	Cluster Viewer	ClusterViewGroup	ClusterRoleBinding cluster-view-group	view	Viewer for a specific cluster
Namespace	Namespace Administrator	NamespaceAdminGroup	RoleBinding namespace-admin-group	admin	Administrator for a specific namespace
Namespace	Namespace Editor	NamespaceEditGroup	RoleBinding namespace-edit-group	edit	Editor for a specific namespace
Namespace	Namespace Viewer	NamespaceViewGroup	RoleBinding namespace-view-group	view	Viewer for a specific namespace

Table. Predefined Roles and RoleBindings, IAM User Groups, and Binding Relationships for Samsung Cloud Platform

Note

The ClusterRoles (cluster-admin, admin, edit, view) in the table above are predefined in the Kubernetes cluster. For more information, see the Role section.

Cluster Administrator

To create a cluster administrator, follow these steps:

Create an IAM user group named ClusterAdminGroup.
Create a ClusterRoleBinding with the following content in the target cluster:

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-group
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterAdminGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-group
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterAdminGroup
  apiGroup: rbac.authorization.k8s.io

Code Block. Create Cluster Administrator

It is associated with the default ClusterRole cluster-admin, granting administrator authority for the cluster.

Cluster Editor

To create a cluster editor, follow these steps:

Create an IAM user group named ClusterEditGroup.
Create a ClusterRoleBinding with the following content in the target cluster:

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-edit-group
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterEditGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-edit-group
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterEditGroup
  apiGroup: rbac.authorization.k8s.io

Code Block. Create Cluster Editor

The default cluster role edit is associated with it, and editor permissions are granted for the cluster.

Cluster Viewer

To create a cluster viewer, follow these steps:

Create an IAM user group named ClusterViewGroup.
Create a cluster role binding with the following content in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-view-group
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterViewGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-view-group
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterViewGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create Cluster Viewer

The default cluster role view is associated with it, and viewer permissions are granted for the cluster.

Namespace Administrator

To create a namespace administrator, follow these steps:

Create an IAM user group named NamespaceAdminGroup.
Create a role binding with the following content in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceAdminGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceAdminGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create Namespace Administrator

The default cluster role admin is associated with it, and administrator permissions are granted for the namespace.

Namespace Editor

To create a namespace editor, follow these steps:

Create an IAM user group named NamespaceEditGroup.
Create a role binding with the following content in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-edit-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceEditGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-edit-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceEditGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create Namespace Editor

The default cluster role edit is associated with it, and editor permissions are granted for the namespace.

Namespace Viewer

To create a namespace viewer, follow these steps:

Create an IAM user group named NamespaceViewGroup.
Create a role binding with the following content in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create Namespace Viewer

The default cluster role view is associated with it, and viewer permissions are granted for the namespace. To create a namespace viewer, follow these steps:

Create an IAM user group: Create an IAM user group named NamespaceViewGroup.
Create a role binding: Create a role binding with the following content in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

Code Block. Create Namespace Viewer

The view cluster role is associated with the viewer permission for the specified namespace.

Practice Example

This chapter describes an example and procedure for applying an administrator to a specific namespace.

IAM user group: NamespaceAdminGroup
IAM policy: NamespaceAdminAccess
Role binding: namespace-admin-group

Create an IAM User Group

Note

For more information about IAM user groups, see IAM > User Group.

To create an IAM user group in Samsung Cloud Platform, follow these steps:

Click All Services > Management > IAM. The Identity and Access Management (IAM) Service Home page appears.
On the Service Home page, click User Group. The User Group List page appears.

On the User Group List page, click Create User Group.

Enter the required information in the Basic Information, Add User, Attach Policy, and Additional Information sections.

Category	Required	Description
User Group Name	Required	Enter the user group name Use Korean, English, numbers, and special characters (`+=,.@-_`) to enter a value between 3 and 24 characters Enter NamespaceAdminGroup as the user group name
Description	Optional	Description of the user group name Enter a detailed description of the user group name, up to 1,000 characters
User	Optional	Users to add to the user group The list of users registered in the account is displayed, and the selected user’s name is displayed at the top of the screen when the checkbox is selected Click the Delete button at the top of the screen or uncheck the checkbox in the user list to cancel the selection of the selected user If there are no users to add, click Create User at the bottom of the user list to register a new user, and then refresh the user list to select the user
Policy	Optional	Policy to attach to the user group The list of policies registered in the account is displayed, and the selected policy name is displayed at the top of the screen when the checkbox is selected Select ViewerAccess in the policy list
Tag	Optional	Tags to add to the user group Up to 50 tags can be added per resource

Table. User Group Creation Information Input Items

Click the Complete button. The User Group List page appears.

Note

In this practice example, the ViewerAccess policy (permission to view all resources) is attached for demonstration purposes.

If you do not need permission to view all resources in the Samsung Cloud Platform Console, you do not need to attach the ViewerAccess policy. Define and apply a separate policy according to your actual situation.

Create an IAM Policy

Note

If you do not need to grant Samsung Cloud Platform Console usage permissions, you do not need to perform this step.

Note

For more information about IAM policies, see IAM > Policy.

To create an IAM policy in Samsung Cloud Platform, follow these steps:

Click All Services > Management > IAM. The Identity and Access Management (IAM) Service Home page appears.
On the Service Home page, click Policy. The Policy List page appears.
On the Policy List page, click Create Policy. The Create Policy page appears.

Enter the required information in the Basic Information and Additional Information sections.

Category	Required	Description
Policy Name	Required	Enter the policy name Use Korean, English, numbers, and special characters (`+=,.@-_`) to enter a value between 3 and 128 characters Enter NamespaceAdminAccess as the policy name
Description	Optional	Description of the policy name Enter a detailed description of the policy name, up to 1,000 characters
Tag	Optional	Tags to add to the policy Up to 50 tags can be added per resource

Table. Policy Creation Information Input Items - Basic Information and Additional Information

Click the Next button. The Permission Settings section appears.

Enter the required information in the Permission Settings section.

Select Kubernetes Engine in the Service section.

You can create a policy by importing an existing policy using Policy Import. For more information about Policy Import, see Policy Import.

Category	Required	Description
Control Type	Required	Select the policy control type Allow Policy: A policy that allows defined permissions Deny Policy: A policy that denies defined permissions The deny policy takes precedence for the same target
Action	Required	Select actions provided by each service Create: CreateKubernetesObject selected Delete: DeleteKubernetesObject selected List: ListKubernetesEngine, ListKubernetesObject selected Read: DetailKubernetesObject selected Update: UpdateKubernetesObject selected Add Action Directly: Use wildcard `*` to specify multiple actions at once
Applied Resource	Required	Resource to which the action is applied All Resources: Apply to all resources for the selected action Individual Resource: Apply only to the specified resource for the selected action Individual resources are only possible when selecting actions that allow individual resource selection (purple actions) Click the Add Resource button to specify the target resource by resource type For more information on Add Resource, see Registering individual resources as applied resources
Authentication Type	Required	Authentication method for the target user All Authentication: Apply regardless of authentication method API Key Authentication: Apply to users who use API key authentication IAM Key Authentication, Console Login: Apply to users who use IAM key authentication or console login
Applied IP	Required	IP addresses to which the policy is applied User-specified IP: Register and manage IP addresses directly by the user Applied IP: Register IP addresses directly by the user as IP addresses or ranges to which the policy is applied Excluded IP: Register IP addresses to be excluded from Applied IP as IP addresses or ranges All IP: Do not restrict IP access Allow access to all IP addresses, but if exceptions are needed, register Excluded IP to restrict access to registered IP addresses

Table. Policy creation information input items - Permission settings

Note

Permission settings provide Basic Mode and JSON Mode.

If you write in Basic Mode and enter JSON Mode or move to another screen, services with the same conditions will be integrated into one, and settings that are not completed will be deleted.
If the content written in JSON Mode does not match the JSON format, you cannot switch to Basic Mode.

Click the Next button. Move to the Input Information Check page.
Check the input information and click the Complete button. Move to the Policy List page.

Add a user to an IAM user group

Reference

For more information on managing IAM user groups, see IAM > Managing User Groups.

To add a user to an IAM user group in Samsung Cloud Platform, follow these steps.

Click All Services > Management > IAM menu. Move to the Identity and Access Management (IAM) Service Home page.
On the Service Home page, click the User menu. Move to the User List page.
On the User List page, click the user to be added to the IAM user group. Move to the User Details page.
On the User Details page, click the User Group tab.
On the user group tab, select the Add User Group button. Move to the Add User Group page.
On the Add User Group page, select the user group to be added and click the Complete button. Move to the User Details page.
- Select NamespaceAdminGroup from the user group.

Create a role binding

Create a role binding by referring to the example below.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: dev # target namespace
roleRef:
  kind: ClusterRole
  name: admin # pre-defined cluster role in Kubernetes
  apiGroup: rbac.authorization.k8s.io
subjects: 
- kind: Group
  name: NamespaceAdminGroup # IAM user group created earlier
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: dev # target namespace
roleRef:
  kind: ClusterRole
  name: admin # pre-defined cluster role in Kubernetes
  apiGroup: rbac.authorization.k8s.io
subjects: 
- kind: Group
  name: NamespaceAdminGroup # IAM user group created earlier
  apiGroup: rbac.authorization.k8s.io

Code block. Create a role binding

Verify the user

Verify that the user’s namespace permissions are applied normally.

To verify namespace user permissions in Samsung Cloud Platform, follow these steps.

Click All Services > Container > Kubernetes Engine menu. Move to the Kubernetes Engine Service Home page.
On the Service Home page, click Workload menu under Pod. Move to the Pod List page.
On the Pod List page, select the cluster and namespace from the gear button at the top left and click Confirm.
On the Pod List page, verify that the pod list is retrieved.
- If you select a namespace with permissions, the pod list will be displayed.
- If you select a namespace without permissions, a confirmation window will be displayed indicating that you do not have permission to retrieve the list.

2 - Accessing the Cluster

kubectl Installation and Usage Guide

After creating a Kubernetes Engine service, you can use the Kubernetes command-line tool kubectl to execute commands on a Kubernetes cluster. Using kubectl, you can deploy applications, inspect and manage cluster resources, and view logs. You can find how to install and use kubectl in the official Kubernetes documentation as follows.

Category	Reference URL
kubectl installation (Linux)	https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
kubectl install (Windows)	https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/
kubectl introduction	https://kubernetes.io/docs/reference/kubectl/
kubectl Quick Reference	https://kubernetes.io/docs/reference/kubectl/quick-reference/
kubectl command reference	https://kubernetes.io/docs/reference/kubectl/kubectl/

Table. kubectl reference documentation

Reference

You must use a kubectl version that is within the minor version difference of the cluster. For example, if the cluster version is 1.30, you can use kubectl versions 1.29, 1.30, or 1.31.

Please refer to the following document about kubectl’s version skew policy. https://kubernetes.io/releases/version-skew-policy/#kubectl

To access a Kubernetes cluster with kubectl, you need a kubeconfig file containing the Kubernetes server address and authentication information.

Reference

For detailed information on Kubernetes authentication and authorization, see Authentication and Authorization.

Kubernetes Engine supports authentication via admin certificate kubeconfig and user authentication key kubeconfig.

admin certificate kubeconfig

This kubeconfig uses the admin certificate as an authentication method when accessing the Kubernetes API.

Admin kubeconfig download

Kubernetes Engine > Cluster List > Cluster Details > Admin kubeconfig Download button to click and download the kubeconfig file.

Caution

Administrator kubeconfig download is only possible for Admin.
There are separate private endpoint and public endpoint versions, and you can download each only once.

Admin kubeconfig use

Reference

By default, kubectl looks for a file named config in the $HOME/.kube directory. Or you can set the KUBECONFIG environment variable or specify the kubeconfig flag to use a different kubeconfig file.
Private endpoints are by default only accessible from nodes of the respective cluster. For resources in the same Account and same region, you can allow access by adding them to the private endpoint access control settings.
If you need to access the cluster from the external internet, setting public endpoint access to enabled allows you to access using the public endpoint kubeconfig.

User authentication key kubeconfig

This kubeconfig uses the user’s Open API authentication key as the authentication method when accessing the Kubernetes API.

User kubeconfig download

Kubernetes Engine > Cluster List > Cluster Details > User kubeconfig download Click the button to download the kubeconfig file.

Caution

User kubeconfig download is only possible for users with cluster view permission.
There are separate ones for private endpoint and public endpoint.
Since the downloaded kubeconfig file does not contain the authentication key token, you need to add the authentication key token information before using it. (See the next paragraph)

Add authentication key token to user kubeconfig file

Below is an example of a user’s kubeconfig file. To use the kubeconfig file, you need to add the authentication key token (AUTHKEY_TOKEN) information in the token field inside the file.

Color mode

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...
    server: https://my-cluster-a1c3e.ske.xxx.samsungsdscloud.com:6443
  name: my-cluster-a1c3e
contexts:
- context:
    cluster: my-cluster-a1c3e
    user: jane.doe
  name: jane.doe@my-cluster-a1c3e
current-context: jane.doe@my-cluster-a1c3e
kind: Config
preferences: {}
users:
- name: jane.doe
  user:
    token: <AUTHKEY_TOKEN> #### writing needed

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...
    server: https://my-cluster-a1c3e.ske.xxx.samsungsdscloud.com:6443
  name: my-cluster-a1c3e
contexts:
- context:
    cluster: my-cluster-a1c3e
    user: jane.doe
  name: jane.doe@my-cluster-a1c3e
current-context: jane.doe@my-cluster-a1c3e
kind: Config
preferences: {}
users:
- name: jane.doe
  user:
    token: <AUTHKEY_TOKEN> #### writing needed

Code block. User kubeconfig file example

AUTHKEY_TOKEN can be generated by concatenating the authentication key’s ACCESS_KEY and SECRET_KEY with a colon (:) and then Base64 encoding it. The following is an example of creating AUTHKEY_TOKEN in a Linux environment.

Color mode

$ ACCESS_KEY=5df418813aed051548a72f4a814cf09e
$ SECRET_KEY=6ba7b810-9dad-11d1-80b4-00c04fd430c8
$ AUTHKEY_TOKEN=$(echo -n "$ACCESS_KEY:$SECRET_KEY" | base64 -w0)
$ echo $AUTHKEY_TOKEN
NWRmNDE4ODEzYWVkMDUxNTQ4YTcyZjRhODE0Y2YwOWU6NmJhN2I4MTAtOWRhZC0xMWQxLTgwYjQtMDBmMDRmZDQzMGM4r

$ ACCESS_KEY=5df418813aed051548a72f4a814cf09e
$ SECRET_KEY=6ba7b810-9dad-11d1-80b4-00c04fd430c8
$ AUTHKEY_TOKEN=$(echo -n "$ACCESS_KEY:$SECRET_KEY" | base64 -w0)
$ echo $AUTHKEY_TOKEN
NWRmNDE4ODEzYWVkMDUxNTQ4YTcyZjRhODE0Y2YwOWU6NmJhN2I4MTAtOWRhZC0xMWQxLTgwYjQtMDBmMDRmZDQzMGM4r

Code block. AUTHKEY_TOKEN value generation example

Note

For detailed information on authentication key generation, please refer to API Reference > Common > Samsung Cloud Platform Open API call procedure.

User kubeconfig execution example

You can see an example of executing the user kubeconfig.

When access is blocked by access control or a firewall

Color mode

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
Unable to connect to the server: dial tcp 123.123.123.123:6443: i/o timeout

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
Unable to connect to the server: dial tcp 123.123.123.123:6443: i/o timeout

Code block. Example execution when access is blocked by access control or firewall

When AUTHKEY_TOKEN does not match and authentication fails

Color mode

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
error: You must be logged in to the server (Unauthorized)

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
error: You must be logged in to the server (Unauthorized)

Code block. Example execution when authentication fails because AUTHKEY_TOKEN does not match

AUTHKEY_TOKEN When authentication succeeds

Color mode

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
...
kube-node-lease    Active 10d
kube-public        Active 10d
kube-system        Active 10d

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
...
kube-node-lease    Active 10d
kube-public        Active 10d
kube-system        Active 10d

Code block. Example execution when AUTHKEY_TOKEN authentication succeeds

AUTHKEY_TOKEN Authentication succeeded but no permission

Color mode

$ kubectl --kubeconfig=user-kubeconfig.yaml get nodes
Error from server (Forbidden): nodes is forbidden: User "jane.doe" cannot list resource "nodes" in API group "" at the cluster scope

$ kubectl --kubeconfig=user-kubeconfig.yaml get nodes
Error from server (Forbidden): nodes is forbidden: User "jane.doe" cannot list resource "nodes" in API group "" at the cluster scope

Code block. Example execution when AUTHKEY_TOKEN authentication succeeds but lacks permission

Reference

If AUTHKEY_TOKEN authentication succeeds but there is no permission, it means that the authentication process was completed correctly, but the authority to perform the requested operation was not granted (authorized). For detailed information about authorization, see Authentication and Authorization.

3 - Using type LoadBalancer Service

Service Configuration Method

You can configure a LoadBalancer type Service by writing and applying a Service manifest file (example: my-lb-svc.yaml ).

Caution

LoadBalancer is created in the cluster Subnet by default.
To create a LoadBalancer in a different Subnet, use the annotation service.beta.kubernetes.io/scp-load-balancer-subnet-id. For details, refer to Annotation Detailed Settings

Follow these steps to write and apply a type LoadBalancer Service.

Write a Service manifest file my-lb-svc.yaml .

Color mode

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
      appProtocol: tcp # Refer to LB service protocol type setting section
  type: LoadBalancer

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
      appProtocol: tcp # Refer to LB service protocol type setting section
  type: LoadBalancer

Code block. Service manifest file my-lb-svc.yaml writing example

Deploy the Service manifest using the kubectl apply command.
Color mode
kubectl apply -f my-lb-svc.yaml
kubectl apply -f my-lb-svc.yaml
Code block. Deploying Service manifest with kubectl apply command

Caution

When a type LoadBalancer Service is created, a corresponding Load Balancer service is automatically created. It may take a few minutes for the configuration to complete.
Do not arbitrarily modify the automatically created Load Balancer service and LB server group. Changes may be reverted or unexpected behavior may occur.
For detailed configurable features, refer to Annotation Detailed Settings.

Check the Load Balancer configuration using the kubectl get service command.

Color mode

# kubectl get service my-lb-svc
NAMESPACE     NAME         TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)         AGE
default       my-lb-svc    LoadBalancer   172.20.49.206    123.123.123.123   80:32068/TCP    3m

# kubectl get service my-lb-svc
NAMESPACE     NAME         TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)         AGE
default       my-lb-svc    LoadBalancer   172.20.49.206    123.123.123.123   80:32068/TCP    3m

Code block. Checking Load Balancer configuration with kubectl get service command

Protocol Type

You can use it by writing a Service manifest. The following is a simple example.

Color mode

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    ...
  ports:
    - port: 80
      targetPort: 9376
      protocol: TCP    # Required (choose one of TCP, UDP)
      appProtocol: tcp # Optional (leave blank or choose one of tcp, http, https)
  type: LoadBalancer   # Type load balancer

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    ...
  ports:
    - port: 80
      targetPort: 9376
      protocol: TCP    # Required (choose one of TCP, UDP)
      appProtocol: tcp # Optional (leave blank or choose one of tcp, http, https)
  type: LoadBalancer   # Type load balancer

Code block. Service manifest writing example

The list of protocols (protocol and appProtocol) supported by Kubernetes Engine’s type Load Balancer Service and the settings applied to the Load Balancer service accordingly are as follows.

Category	(k8s) protocol	(k8s) appProtocol	(LB) Service Category	(LB) LB Listener	(LB) LB Server Group	(LB) Health Check
L4 TCP	TCP	(tcp)	L4	TCP {port}	TCP {nodePort}	TCP {nodePort}
L4 UDP	UDP	-	L4	UDP {port}	UDP {nodePort}	TCP {nodePort}
L7 HTTP	TCP	http	L7	HTTP {port}	TCP {nodePort}	TCP/HTTP {nodePort}
L7 HTTPS	TCP	https	L7	HTTPS {port}	TCP {nodePort}	TCP/HTTP {nodePort}

Table. k8s Service manifest and Load Balancer service application settings

According to the k8s Service manifest spec, you can specify multiple ports for a single service.

Caution

Depending on the Load Balancer service category (L4, L7), you cannot mix and use protocol layers within a single Service.

That is, L4(TCP, UDP) and L7(HTTP, HTTPS) cannot be used together in a single Service.

L4 Service Manifest Writing Example

Color mode

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer

Code block. L4 Service manifest writing example

L7 Service Manifest Writing Example

Color mode

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-layer-type: "L7" # Required
    service.beta.kubernetes.io/scp-load-balancer-client-cert-id: "24da35de187b450eb0cf09fb6fa146de" # Required
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - appProtocol: http # Required
      protocol: TCP
      port: 80
      targetPort: 9376
    - appProtocol: https # Required
      protocol: TCP
      port: 443
      targetPort: 9898
  type: LoadBalancer

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-layer-type: "L7" # Required
    service.beta.kubernetes.io/scp-load-balancer-client-cert-id: "24da35de187b450eb0cf09fb6fa146de" # Required
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - appProtocol: http # Required
      protocol: TCP
      port: 80
      targetPort: 9376
    - appProtocol: https # Required
      protocol: TCP
      port: 443
      targetPort: 9898
  type: LoadBalancer

Code block. L7 Service manifest writing example

Annotation Detailed Settings

You can set detailed features by adding annotations to the service manifest.

Color mode

apiVersion: v1
kind: Service
metatdata:
  name: my-lb-svc
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled: "true"
    service.beta.kubernetes.io/scp-load-balancer-health-check-interval: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-timeout: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-count: "3"
    service.beta.kubernetes.io/scp-load-balancer-session-duration-time: "300"
  spec:
  type: LoadBalancer
  ...

apiVersion: v1
kind: Service
metatdata:
  name: my-lb-svc
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled: "true"
    service.beta.kubernetes.io/scp-load-balancer-health-check-interval: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-timeout: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-count: "3"
    service.beta.kubernetes.io/scp-load-balancer-session-duration-time: "300"
  spec:
  type: LoadBalancer
  ...

Code block. Example of adding annotations to service manifest

Note

If no separate annotation is added to the service, the annotation default value is applied.
Even if the annotation added to the service does not meet the allowed value, the annotation default value is applied.

Below is a description of all annotations available for type LoadBalancer service.

Annotation Protocol Default Value Allowed Value Example Description

service.beta.kubernetes.io/scp-load-balancer-source-ranges-firewall-rules All false true, false false Automatically add firewall rules (LB source ranges → LB service IP)

service.beta.kubernetes.io/scp-load-balancer-snat-healthcheck-firewall-rules

All

Annotation	Protocol	Default Value	Allowed Value	Example	Description
service.beta.kubernetes.io/scp-load-balancer-source-ranges-firewall-rules	All	`false`	`true`, `false`	`false`	Automatically add firewall rules (LB source ranges → LB service IP)
service.beta.kubernetes.io/scp-load-balancer-snat-healthcheck-firewall-rules	All	`false`	`true`,`false`	`false`	Automatically add firewall rules (LB Source NAT IP, HealthCheck IP → member IP:Port) When using this annotation, firewall rules are added as many as the number of ports in the type LB service, so a very large number of firewall rules may be added. If having too many firewall rules is a burden, as an alternative, you can manually add firewall rules without using this annotation. For example, you can add firewall rules with the destination as the member IP’s NodePort range (30000-32767).

false

true,false

false

Automatically add firewall rules (LB Source NAT IP, HealthCheck IP → member IP:Port)

When using this annotation, firewall rules are added as many as the number of ports in the type LB service, so a very large number of firewall rules may be added.

If having too many firewall rules is a burden, as an alternative, you can manually add firewall rules without using this annotation. For example, you can add firewall rules with the destination as the member IP’s NodePort range (30000-32767).

Table. Firewall-related settings in Kubernetes annotations

Annotation Protocol Default Value Allowed Value Example Description

service.beta.kubernetes.io/scp-load-balancer-security-group-id

All

Annotation	Protocol	Default Value	Allowed Value	Example	Description
service.beta.kubernetes.io/scp-load-balancer-security-group-id	All	-	`UUID`	`92d84b44-ee71-493d-9782-3a90481ce5f3`	Automatically add rules to the Security Group corresponding to the specified ID When using this annotation, rules are added to the Security Group as many as the number of ports in the type LB service, so a very large number of Security Group rules may be added. If having too many Security Group rules is a burden, as an alternative, you can manually add Security Group rules without using this annotation. For example, you can add Security Group rules with the destination address as the Load Balancer’s Source NAT IP and health check IP, and the allowed port as the NodePort range (30000-32767). Security Group rules added by this annotation are not automatically deleted even if this annotation is deleted or changed. Can add multiple separated by commas. (example: `ddc25ad8-6d3f-4242-8c86-2a059212ddc6,26ab7fe1-b3ea-4aa9-9e9d-35a7c237904e`) This annotation can be used simultaneously with service.beta.kubernetes.io/scp-load-balancer-security-group-name annotation, and rules are automatically added to all Security Groups that meet the conditions.
service.beta.kubernetes.io/scp-load-balancer-security-group-name	All	-	`String`	`security-group-1`	Automatically add rules to the Security Group corresponding to the specified Name When using this annotation, rules are added to the Security Group as many as the number of ports in the type LB service, so a very large number of Security Group rules may be added. If having too many Security Group rules is a burden, as an alternative, you can manually add Security Group rules without using this annotation. For example, you can add Security Group rules with the destination address as the Load Balancer’s Source NAT IP and health check IP, and the allowed port as the NodePort range (30000-32767). Security Group rules added by this annotation are not automatically deleted even if this annotation is deleted or changed. Can add multiple separated by commas (example: `security-group-1,security-group-2`) This annotation can be used simultaneously with service.beta.kubernetes.io/scp-load-balancer-security-group-id annotation, and rules are automatically added to all Security Groups that meet the conditions.

UUID

92d84b44-ee71-493d-9782-3a90481ce5f3

Automatically add rules to the Security Group corresponding to the specified ID

When using this annotation, rules are added to the Security Group as many as the number of ports in the type LB service, so a very large number of Security Group rules may be added.

If having too many Security Group rules is a burden, as an alternative, you can manually add Security Group rules without using this annotation. For example, you can add Security Group rules with the destination address as the Load Balancer’s Source NAT IP and health check IP, and the allowed port as the NodePort range (30000-32767).

Security Group rules added by this annotation are not automatically deleted even if this annotation is deleted or changed.

Can add multiple separated by commas. (example: ddc25ad8-6d3f-4242-8c86-2a059212ddc6,26ab7fe1-b3ea-4aa9-9e9d-35a7c237904e)

This annotation can be used simultaneously with service.beta.kubernetes.io/scp-load-balancer-security-group-name annotation, and rules are automatically added to all Security Groups that meet the conditions.

service.beta.kubernetes.io/scp-load-balancer-security-group-name

All

String

security-group-1

Automatically add rules to the Security Group corresponding to the specified Name

When using this annotation, rules are added to the Security Group as many as the number of ports in the type LB service, so a very large number of Security Group rules may be added.

If having too many Security Group rules is a burden, as an alternative, you can manually add Security Group rules without using this annotation. For example, you can add Security Group rules with the destination address as the Load Balancer’s Source NAT IP and health check IP, and the allowed port as the NodePort range (30000-32767).

Security Group rules added by this annotation are not automatically deleted even if this annotation is deleted or changed.

Can add multiple separated by commas (example: security-group-1,security-group-2)

This annotation can be used simultaneously with service.beta.kubernetes.io/scp-load-balancer-security-group-id annotation, and rules are automatically added to all Security Groups that meet the conditions.

Table. Security Group-related settings in Kubernetes annotations

Annotation	Protocol	Default Value	Allowed Value	Example	Description
service.beta.kubernetes.io/scp-load-balancer-layer-type	All	`L4`	`L4`, `L7`	`L4`	Specify the Load Balancer service category When using this annotation, if you want to use TCP or UDP, specify L4, and if you want to use HTTP or HTTPS, specify L7. Cannot be changed after initial creation. To change, you must recreate the service.
service.beta.kubernetes.io/scp-load-balancer-subnet-id	All	-	`ID`	`7f05eda5e1cf4a45971227c57a6d60fa`	Specify the Load Balancer Service Subnet If this annotation is not specified, the cluster’s Subnet is used. Cannot be changed after initial creation. To change, you must recreate the service.
service.beta.kubernetes.io/scp-load-balancer-service-ip	All	-	`IP Address`	`192.168.10.7`	Specify the Load Balancer Service IP Cannot be changed after initial creation. To change, you must recreate the service.
service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled	All	`false`	`true`, `false`	`false`	Specify whether to use Load Balancer Public NAT IP If this annotation is set to true and service.beta.kubernetes.io/scp-load-balancer-public-ip-id is not specified, IP is automatically assigned. If this annotation is set to true and service.beta.kubernetes.io/scp-load-balancer-public-ip-id is specified, the Public IP corresponding to the specified ID is applied.
service.beta.kubernetes.io/scp-load-balancer-public-ip-id	All	-	`ID`	`4119894bd9614cef83db6f8dda667a20`	Specify the ID of the Public IP to use as the Load Balancer Public NAT IP If service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled is not set to true, this annotation is ignored. If service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled is set to true and this annotation is specified, the Public IP corresponding to the specified ID is applied.

Table. Load Balancer-related settings in Kubernetes annotations

Annotation	Protocol	Default Value	Allowed Value	Example	Description
service.beta.kubernetes.io/scp-load-balancer-idle-timeout	HTTP, HTTPS	-	`60 - 3600`(in 60-second units)	`600`	Specify the LB Listener’s idle-timeout (seconds) If annotation is not set or is not an allowed value (e.g., “”, “0”), the default value (not used) is applied. Cannot change from used to not used. To change, you must recreate the service. Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-session-duration-time. Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-response-timeout.
service.beta.kubernetes.io/scp-load-balancer-session-duration-time	All	L4: `120` L7: -	L4 TCP: `60 - 3600`(in 60-second units) L4 UDP: `60 - 180`(in 60-second units) L7: `0 - 120`	`120`	Specify the LB Listener’s session-duration-time (seconds) L4: If annotation is not set or is not an allowed value, the default value (“120”) is applied. (L4 cannot be not used) L7: If annotation is not set or is not an allowed value (e.g., “”, “0”), the default value (not used) is applied. Cannot change from used to not used. To change, you must recreate the service. Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-idle-timeout.
service.beta.kubernetes.io/scp-load-balancer-response-timeout	HTTP, HTTPS	-	`0 - 120`	`60`	Specify the LB Listener’s response-timeout (seconds) If annotation is not set or is not an allowed value (e.g., “”, “0”), the default value (not used) is applied. Cannot change from used to not used. To change, you must recreate the service. Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-idle-timeout.
service.beta.kubernetes.io/scp-load-balancer-insert-client-ip	TCP	`false`	`true`, `false`	`false`	Specify the LB Listener’s Insert Client IP
service.beta.kubernetes.io/scp-load-balancer-x-forwarded-proto	HTTP, HTTPS	`false`	`true`, `false`	`false`	Specify whether to use the LB Listener’s X-Forwarded-Proto header
service.beta.kubernetes.io/scp-load-balancer-x-forwarded-port	HTTP, HTTPS	`false`	`true, false`	`false`	Specify whether to use the LB Listener’s X-Forwarded-Port header
service.beta.kubernetes.io/scp-load-balancer-x-forwarded-for	HTTP, HTTPS	`false`	`true`, `false`	`false`	Specify whether to use the LB Listener’s X-Forwarded-For header
service.beta.kubernetes.io/scp-load-balancer-support-http2	HTTP, HTTPS	`false`	`true`, `false`	`false`	Specify whether to support HTTP 2.0 for LB Listener
service.beta.kubernetes.io/scp-load-balancer-persistence	TCP, HTTP, HTTPS	`""`	`""`, `source-ip`, `cookie`	`source-ip`	Specify the LB Listener’s persistence (one of none, source IP, cookie) For UDP, this annotation cannot be used. For TCP, you can specify `""` or `source-ip` to use. For HTTP/HTTPS, you can specify one of `""`, `source-ip`, `cookie` to use.
service.beta.kubernetes.io/scp-load-balancer-client-cert-id	HTTPS	-	`UUID`	`78b9105e00324715b63700933125fa83`	Specify the ID of the LB Listener’s client SSL certificate Required field when specifying HTTPS.
service.beta.kubernetes.io/scp-load-balancer-client-cert-level	HTTPS	`HIGH`	`HIGH`, `NORMAL`, `LOW`	`HIGH`	Specify the security level of the LB Listener’s client SSL certificate
service.beta.kubernetes.io/scp-load-balancer-server-cert-level	HTTPS	-	`HIGH`, `NORMAL`, `LOW`	`HIGH`	Specify the security level of the LB Listener’s server SSL certificate

Table. LB Listener-related settings in Kubernetes annotations

Annotation	Protocol	Default Value	Allowed Value	Example	Description
service.beta.kubernetes.io/scp-load-balancer-lb-method	All	`ROUND_ROBIN`	`ROUND_ROBIN`, `LEAST_CONNECTION`, `IP_HASH`	`ROUND_ROBIN`	Specify the LB server group load balancing policy

Table. LB server group-related settings in Kubernetes annotations

Annotation	Protocol	Default Value	Allowed Value	Example	Description
service.beta.kubernetes.io/scp-load-balancer-health-check-enabled	All	`true`	`true`, `false`	`true`	Specify whether to use LB health check
service.beta.kubernetes.io/scp-load-balancer-health-check-protocol	All	TCP	TCP, HTTP	TCP	Specify the LB health check protocol
service.beta.kubernetes.io/scp-load-balancer-health-check-port	All	`{nodeport}`	`1 - 65534`	`30000`	Specify the LB health check port Set to `{nodeport}` by default, so generally you don’t need to specify it.
service.beta.kubernetes.io/scp-load-balancer-health-check-count	All	`3`	`1 - 10`	`3`	Specify the LB health check detection count
service.beta.kubernetes.io/scp-load-balancer-health-check-interval	All	`5`	`1 - 180`	`5`	Specify the LB health check interval
service.beta.kubernetes.io/scp-load-balancer-health-check-timeout	All	`5`	`1 - 180`	`5`	Specify the LB health check timeout
service.beta.kubernetes.io/scp-load-balancer-health-check-http-method	HTTP	GET	GET, POST	GET	Specify the LB health check HTTP method
service.beta.kubernetes.io/scp-load-balancer-health-check-url	HTTP	`/`	String	`/healthz`	Specify the LB health check URL
service.beta.kubernetes.io/scp-load-balancer-health-check-response-code	HTTP	`200`	`200 - 500`	`200`	Specify the LB health check response code
service.beta.kubernetes.io/scp-load-balancer-health-check-request-data	HTTP	-	String	`username=admin&password=1234`	Specify the LB health check request string Required field when specifying POST method.
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-enabled	All	`true`	`true`, `false`	`true`	Specify whether to use LB health check for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-protocol	All	TCP	TCP, HTTP	TCP	Specify the LB health check protocol for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-port	All	-	`1 - 65534`	`30000`	Specify the LB health check port for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-count	All	`3`	`1 - 10`	`3`	Specify the LB health check detection count for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-interval	All	`5`	`1 - 180`	`5`	Specify the LB health check interval for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-timeout	All	`5`	`1 - 180`	`5`	Specify the LB health check timeout for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-http-method	HTTP	GET	GET, POST	GET	Specify the LB health check HTTP method for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-url	HTTP	`/`	String	`/healthz`	Specify the LB health check URL for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-response-code	HTTP	`200`	`200 - 500`	`200`	Specify the LB health check response code for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-request-data	HTTP	-	String	`username=admin&password=1234`	Specify the LB health check request string for the Service’s {port} port number Required field when specifying POST method.

Table. LB health check-related settings in Kubernetes annotations

Constraints

The following are constraints to consider when using Kubernetes annotations.

Constraint	Related Annotation
Rules created in existing Security Group are not automatically deleted when changing Security Group	service.beta.kubernetes.io/scp-load-balancer-security-group-id service.beta.kubernetes.io/scp-load-balancer-security-group-name
Cannot change Load Balancer service category (L4/L7)	service.beta.kubernetes.io/scp-load-balancer-layer-type
Cannot use L4 and L7 together in the same k8s Service	service.beta.kubernetes.io/scp-load-balancer-layer-type
Cannot change Load Balancer subnet	service.beta.kubernetes.io/scp-load-balancer-subnet-id
Cannot change Load Balancer Service IP	service.beta.kubernetes.io/scp-load-balancer-service-ip
LB Listener idle-timeout cannot be changed from used to not used	service.beta.kubernetes.io/scp-load-balancer-idle-timeout
LB Listener session-duration-time cannot be changed from used to not used	service.beta.kubernetes.io/scp-load-balancer-session-duration-time
LB Listener response-timeout cannot be changed from used to not used	service.beta.kubernetes.io/scp-load-balancer-response-timeout
LB Listener idle-timeout cannot be set simultaneously with session-duration-time or response-timeout	service.beta.kubernetes.io/scp-load-balancer-idle-timeout service.beta.kubernetes.io/scp-load-balancer-session-duration-time service.beta.kubernetes.io/scp-load-balancer-response-timeout
Cannot use TCP and UDP together with the same port number in the same k8s Service	-
L7 Listener’s routing rules only support the default URL path of the LB server group delivery method To add other URL paths, add them directly in the Samsung Cloud Platform console URL redirection is not supported	-

Table. Constraints when using Kubernetes annotations

4 - Considerations for Use

Managed Port Constraints

The following ports are used for SKE management and cannot be used for service use. In addition, if blocked by OS firewall, etc., node functions or some functions may not work normally.

Port	Description
UDP 4789	calico-vxlan
TCP 5473	calico-typha
TCP 10250	kubelet
TCP 19100	node-exporter
TCP 19400	dcgm-exporter

Table. Managed Port List

kube-reserved resource constraints

kube-reserved is a feature that reserves resources for system daemons that do not run as pods on the node.

There are system daemons that do not run as pods, such as kubelet, container runtime, etc.

Reference

For more information on kube-reserved, please refer to the following document.

https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#kube-reserved

Kubernetes Engine reserves CPU and memory based on the following criteria.

CPU specification	Memory specification
First core’s 6% Next core’s 1% (up to 2 cores) Next 2 cores’ 0.5% (up to 4 cores) Cores exceeding 4 cores’ 0.25%	First 4 GB memory’s 25% Next 4 GB memory’s 20% (up to 8 GB) Next 8 GB memory’s 10% (up to 16 GB) Next 112 GB memory’s 6% (up to 128 GB) Memory exceeding 128 GB’s 2%

CPU specification

Memory specification

First core’s 6%

Next core’s 1% (up to 2 cores)

Next 2 cores’ 0.5% (up to 4 cores)

Cores exceeding 4 cores’ 0.25%

First 4 GB memory’s 25%

Next 4 GB memory’s 20% (up to 8 GB)

Next 8 GB memory’s 10% (up to 16 GB)

Next 112 GB memory’s 6% (up to 128 GB)

Memory exceeding 128 GB’s 2%

Table. Resource reservation items based on CPU and memory

Example: For a Virtual Server with 16-core vCPU and 32G Memory, kube-reserved is calculated as follows.
- CPU: (1 core × 0.06) + (1 core × 0.01) + (2 cores × 0.005) + (12 cores × 0.0025) = 0.11 core
- Memory: (4 GB × 0.25) + (4 GB × 0.2) + (8 GB × 0.1) + (16 GB × 0.06) = 3.56 GB
Example: The resources reserved according to CPU size are as follows.

CPU specification	Resource specification1	Resource specification2	Resource specification3	Resource specification4
kube-reserved CPU	70 m	80 m	90 m	110 m

Table. Example of resources reserved according to CPU size

Example: The resources reserved according to the memory size are as follows.

Memory Specification	Resource Specification1	Resource Specification2	Resource Specification3	Resource Specification4	Resource Specification4	Resource Specification4	Resource Specification4
kube-reserved memory	1 GB	1.8 GB	2.6 GB	3.56 GB	5.48 GB	9.32 GB	11.88 GB

Table. Example of resources reserved according to memory size

5 - Version Information

Kubernetes Version and Support Period

Kubernetes Version Lifecycle

The Kubernetes open source software (OSS) community releases three minor versions annually, with a release cycle of approximately 15 weeks. Released minor versions go through a support period of approximately 14 months (standard patch 12 months, maintenance 2 months) and become EOL (End of Life).

Information

For information on Kubernetes release and EOL timing, and support period, refer to the following links:

Samsung Cloud Platform Kubernetes Engine (SKE) Version Provision Plan

SKE verifies and provides Stable status patch versions among released OSS minor versions. Therefore, there is a difference between the release timing of versions provided by SKE and the release timing of the same OSS version.

Additionally, for previously released versions, technical support is terminated sequentially from older versions considering the open source EOL timing, etc. (End of Tech support, EoTS).

The release and termination schedules for OSS and SKE are as follows.

Version	OSS Release	OSS EOL	SKE Release	SKE EoTS
v1.29	2023-12-13	2025-02-28	2024-10	2026-03-31
v1.30	2024-04-17	2025-06-28	2025-02	2026-06-30
v1.31	2024-08-13	2025-10-28	2025-07	2026-10-28
v1.32	2024-12-11	2026-02-28	2025-10	2027-02-28
v1.33	2025-04-23	2026-06-28	2025-12	2027-06-28
v1.34	2025-08-27	2026-10-27	2026-03	2027-10-27

Table. OSS and SKE release and termination schedules

Feature Limitations at End of Technical Support (EoTS)

When the Kubernetes version provided by SKE reaches the End of Technical Support (EoTS) state, features supported in that version may be limited.

New cluster creation → Creation not possible
Existing cluster upgrade → Upgrade possible (upgrade possible even if upper version is EoTS)
Creating node pools in existing cluster → Creation possible

Note

EOL versions may have vulnerabilities, so upgrading to a higher version is recommended.
You can upgrade the control plane and node pools in the Samsung Cloud Platform Console, and no separate cost is incurred for the upgrade.
- For stable operation, perform compatibility testing for the upgrade version before proceeding with the upgrade.

OS and GPU Driver

The OS and GPU driver version information available for each K8s server type is as follows.

Caution

OS versions provided may vary by K8s version.
When using GPU nodes, related K8s components (nvidia-device-plugin, dcgm-exporter) are configured by default in the cluster.
- When deploying gpu-operator, conflicts may occur due to duplicate component configuration. It is recommended to deploy and use excluding the default provided components.
For OS with ended support, node pool creation is possible, but using the latest OS version is recommended.

k8s Version	Standard and High Capacity	GPU
v1.29	Ubuntu 22.04 RHEL 8.10 RHEL 8.8 (OS with ended support)	Ubuntu 22.04 (nvidia-535.183.06)
v1.30	Ubuntu 22.04 RHEL 8.10 RHEL 8.8 (OS with ended support)	Ubuntu 22.04 (nvidia-535.183.06)
v1.31	Ubuntu 22.04 RHEL 8.10 RHEL 8.8 (OS with ended support)	Ubuntu 22.04 (nvidia-535.183.06)
v1.32	Ubuntu 22.04 RHEL 9.4	Ubuntu 22.04 (nvidia-535.183.06)
v1.33	Ubuntu 22.04 RHEL 9.4	Ubuntu 22.04 (nvidia-535.183.06)
v1.34	Ubuntu 22.04 RHEL 9.4	Ubuntu 22.04 (nvidia-535.183.06)

Table. K8s version and server type-specific OS / GPU driver versions