This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Kubernetes Engine Usage Guide

1: Access Cluster
2: Authentication and Authorization
3: Using type LoadBalancer service
4: Usage Considerations
5: Version information

Provides a guide for using Kubernetes Engine.

Kubernetes Engine Utilization Guide

In the Kubernetes Engine usage, the following features are described. For more details, refer to the guide.

Provision Guide	Explanation
Access the cluster	kubectl installation and usage guide, kubeconfig download, login method using kubectl plugin For detailed information, refer to Accessing the Cluster
Authentication and Authorization	Explain the authentication and authorization features and how to integrate them with Kubernetes Engine and IAM For more details, see Authentication and Authorization
Configure a LoadBalancer type service	Guide to configuring a Service of type LoadBalancer using a Service manifest file For more details, see Using type LoadBalancer service
Considerations when using	Explanation of constraints when using SKE For more details, refer to Considerations when using
Version information	Kubernetes version and support period description For more details, see Version Information

Table. Description of the Kubernetes Engine Utilization Guide

1 - Access Cluster

kubectl Installation and Usage

After creating a Kubernetes Engine service, you can use the Kubernetes command-line tool kubectl to execute commands against your Kubernetes cluster. With kubectl, you can deploy applications, inspect and manage cluster resources, and view logs. You can find how to install and use kubectl in the official Kubernetes documentation.

Category	Reference URL
kubectl installation (Linux)	https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/
kubectl installation (Windows)	https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/
kubectl Introduction	https://kubernetes.io/docs/reference/kubectl/
kubectl Quick Reference	https://kubernetes.io/docs/reference/kubectl/quick-reference/
kubectl command reference	https://kubernetes.io/docs/reference/kubectl/kubectl/

Table. kubectl reference documentation

Reference

You must use a kubectl version that is within the cluster’s minor version difference. For example, if the cluster version is 1.30, you can use kubectl versions 1.29, 1.30, or 1.31.

Please refer to the following document for the version skew policy of kubectl. https://kubernetes.io/releases/version-skew-policy/#kubectl

To access a Kubernetes cluster with kubectl, you need a kubeconfig file that contains the Kubernetes server address and authentication information.

Reference

For detailed information on Kubernetes authentication and authorization, refer to the Authentication and Authorization.

Kubernetes Engine supports authentication via admin certificate kubeconfig and user authentication key kubeconfig.

Admin certificate kubeconfig

This kubeconfig uses the admin certificate as the authentication method when accessing the Kubernetes API.

Download admin kubeconfig

Kubernetes Engine > Cluster List > Cluster Details > Admin kubeconfig download Click the button to download the kubeconfig file.

Caution

Downloading the admin kubeconfig is allowed only for Admin.
There are separate private endpoint and public endpoint versions, and each can be downloaded only once.

Use admin kubeconfig

Reference

By default, kubectl looks for a file named config in the $HOME/.kube directory. You can also set the KUBECONFIG environment variable or specify the kubeconfig flag to use a different kubeconfig file.
Private endpoints are, by default, only accessible from the nodes of the respective cluster. For resources in the same account and the same region, you can allow access by adding them to the private endpoint access control settings.
If you need to access the cluster from the external internet, setting public endpoint access to enabled allows you to access it using the public endpoint kubeconfig.

User authentication key kubeconfig

This kubeconfig uses the user’s Open API authentication key as the credential when accessing the Kubernetes API.

User kubeconfig download

Kubernetes Engine > Cluster List > Cluster Details > User kubeconfig Download Click the button to download the kubeconfig file.

Caution

Downloading a user’s kubeconfig is allowed only for users with cluster read permissions.
There are separate ones for private endpoints and public endpoints.
Since the downloaded kubeconfig file does not contain the authentication key token, you must add the authentication key token information before using it. (See the next paragraph)

Add authentication key token to the user kubeconfig file

Below is an example of a user kubeconfig file. To use the kubeconfig file, you must add the authentication key token (AUTHKEY_TOKEN) information to the token field inside the file.

Color mode

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...
    server: https://my-cluster-a1c3e.ske.xxx.samsungsdscloud.com:6443
  name: my-cluster-a1c3e
contexts:
- context:
    cluster: my-cluster-a1c3e
    user: jane.doe
  name: jane.doe@my-cluster-a1c3e
current-context: jane.doe@my-cluster-a1c3e
kind: Config
preferences: {}
users:
- name: jane.doe
  user:
    token: <AUTHKEY_TOKEN> #### Writing required

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...
    server: https://my-cluster-a1c3e.ske.xxx.samsungsdscloud.com:6443
  name: my-cluster-a1c3e
contexts:
- context:
    cluster: my-cluster-a1c3e
    user: jane.doe
  name: jane.doe@my-cluster-a1c3e
current-context: jane.doe@my-cluster-a1c3e
kind: Config
preferences: {}
users:
- name: jane.doe
  user:
    token: <AUTHKEY_TOKEN> #### Writing required

Code block. Example of a user kubeconfig file

AUTHKEY_TOKEN can be generated by concatenating the ACCESS_KEY and SECRET_KEY of the authentication key with a colon (:) and then Base64 encoding it. The following is an example of creating an AUTHKEY_TOKEN in a Linux environment.

Color mode

$ ACCESS_KEY=5df418813aed051548a72f4a814cf09e
$ SECRET_KEY=6ba7b810-9dad-11d1-80b4-00c04fd430c8
$ AUTHKEY_TOKEN=$(echo -n "$ACCESS_KEY:$SECRET_KEY" | base64 -w0)
$ echo $AUTHKEY_TOKEN
NWRmNDE4ODEzYWVkMDUxNTQ4YTcyZjRhODE0Y2YwOWU6NmJhN2I4MTAtOWRhZC0xMWQxLTgwYjQtMDBjMDRmZDQzMGM4r

$ ACCESS_KEY=5df418813aed051548a72f4a814cf09e
$ SECRET_KEY=6ba7b810-9dad-11d1-80b4-00c04fd430c8
$ AUTHKEY_TOKEN=$(echo -n "$ACCESS_KEY:$SECRET_KEY" | base64 -w0)
$ echo $AUTHKEY_TOKEN
NWRmNDE4ODEzYWVkMDUxNTQ4YTcyZjRhODE0Y2YwOWU6NmJhN2I4MTAtOWRhZC0xMWQxLTgwYjQtMDBjMDRmZDQzMGM4r

Code block. Example of generating AUTHKEY_TOKEN value

Reference

For detailed information on generating authentication keys, refer to API Reference > Common > Samsung Cloud Platform Open API Call Procedure.

User kubeconfig execution example

You can view an example of executing the user kubeconfig.

When access is blocked by access control or a firewall

Color mode

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
Unable to connect to the server: dial tcp 123.123.123.123:6443: i/o timeout

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
Unable to connect to the server: dial tcp 123.123.123.123:6443: i/o timeout

Code block. Example execution when access is blocked by access control or firewall.

When authentication fails because the AUTHKEY_TOKEN does not match

Color mode

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
error: You must be logged in to the server (Unauthorized)

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
error: You must be logged in to the server (Unauthorized)

Code block. Example execution when authentication fails because the AUTHKEY_TOKEN does not match.

AUTHKEY_TOKEN when authentication succeeds

Color mode

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
...
kube-node-lease    Active 10d
kube-public        Active 10d
kube-system        Active 10d

$ kubectl --kubeconfig=user-kubeconfig.yaml get namespaces
...
kube-node-lease    Active 10d
kube-public        Active 10d
kube-system        Active 10d

Code block. Example execution when AUTHKEY_TOKEN authentication succeeds

AUTHKEY_TOKEN Authentication succeeded but lacks permission

Color mode

$ kubectl --kubeconfig=user-kubeconfig.yaml get nodes
Error from server (Forbidden): nodes is forbidden: User "jane.doe" cannot list resource "nodes" in API group "" at the cluster scope

$ kubectl --kubeconfig=user-kubeconfig.yaml get nodes
Error from server (Forbidden): nodes is forbidden: User "jane.doe" cannot list resource "nodes" in API group "" at the cluster scope

Code block. Example execution when AUTHKEY_TOKEN authentication succeeds but the user lacks permission.

Reference

If AUTHKEY_TOKEN authentication succeeds but lacks permission, the authentication process completed correctly, but the authority to perform the requested operation was not granted (authorized). For detailed information about authorization, see 인증 및 인가.

2 - Authentication and Authorization

Kubernetes Engine applies Kubernetes authentication and RBAC authorization features. It explains how Kubernetes authentication and authorization functions integrate with Kubernetes Engine and IAM.

Kubernetes authentication and authorization

Describes Kubernetes authentication and RBAC authorization features.

Authentication

The Kubernetes API server obtains the information required for authenticating a user (User) or a service account (ServiceAccount) from certificates or authentication tokens, and then carries out the authentication process.

Reference

For a detailed explanation of Kubernetes authentication, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/authentication/

Reference

For detailed information on using kubectl and kubeconfig, refer to Accessing the Cluster.

Authorization

The Kubernetes API server uses the user information obtained through the authentication process to verify, via RBAC-related objects, whether the user has permission for the requested operation. RBAC-related objects come in four types as follows.

object	Scope	Explanation
Cluster Role (ClusteRole)	cluster-wide	Definition of permissions across all namespaces in the cluster
ClusterRoleBinding(ClusteRoleBinding)	cluster-wide	Definition of the connection between ClusterRole and user
Roll (Role)	namespace (namespace)	Permission definition for a specific namespace
RoleBinding(RoleBinding)	namespace (namespace)	Definition of the binding between a ClusterRole or Role and a user

Table. RBAC related objects

Reference

For detailed information on Kubernetes RBAC authorization, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Roll

Kubernetes defines several cluster roles by default. Some of those cluster roles do not include the prefix (system:). These are cluster roles intended for user use. This includes a superuser role (cluster-admin) applied to the entire cluster using a ClusterRoleBinding, and roles (admin, edit, view) applied to a specific namespace using a RoleBinding.

Default cluster role	Default ClusterRoleBinding	Explanation
cluster-admin	system:masters group	Allows superuser access that can perform any operation on all resources. ClusterRoleBinding grants full control over all resources in the cluster and all namespaces. RoleBinding allows complete control over all resources within the namespace and the namespaces bound to the role.
admin	None	Allows administrator access applied within a namespace using role binding. When used in role binding, it grants read/write access to most resources within the namespace, including the ability to create roles and role bindings inside the namespace. This role does not permit write access to resource quotas or the namespace itself.
edit	None	Allows read/write access to most objects within the namespace. This role does not permit viewing or modifying roles and role bindings. However, because this role can access secrets and run pods as any Account in the namespace, it can obtain the API access level of all Accounts in the namespace.
view	None	Allows read‑only access to view most objects within a namespace. Roles or role bindings cannot be viewed. This role does not permit secret viewing. Reading the contents of a secret would grant access to the credentials of an Account in the namespace, which could then allow API access as any Account in the namespace (a form of privilege escalation).

Table. Description of basic cluster role and cluster role binding

Reference

For detailed information about the user role, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

If necessary, you can define additional roles (or cluster roles) beyond the default cluster role, as shown below.

Color mode

# A role that grants permission to view pods in the "default" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

# A role that grants permission to view pods in the "default" namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]

Code block. Role that grants permission to view pods within a namespace

Color mode

# Cluster role that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

# Cluster role that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]

Code block. Cluster role that grants permission to view nodes

Reference

For detailed explanations about roles and cluster roles, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole

Role Binding

To manage access to the Kubernetes Engine using Samsung Cloud Platform IAM, you need to understand the relationship between Kubernetes role bindings and IAM. The subjects of a role binding (or cluster role binding) may include individual users (User) or groups (Group).

User corresponds to the Samsung Cloud Platform username, and Group corresponds to the IAM user group name, respectively.

For RoleBinding/ClusterRoleBinding, subjects.kind can be set to one of the following.

User: Samsung Cloud Platform is connected to individual users.
Group: Connected to the Samsung Cloud Platform IAM user group.

Reference

In addition, you can also specify a service account, but service accounts are generally not for end users and cannot be linked to a Samsung Cloud Platform user.

The subjects.name of a role binding/cluster role binding can be specified as follows. If the user is a User: individual Samsung Cloud Platform username (e.g., jane.doe) For a group: Samsung Cloud Platform IAM user group name (e.g., ReadPodsGroup)

Reference

subjects.name is case-sensitive.

In this way, the IAM user group is linked to the group defined in the RoleBinding (or ClusterRoleBinding) of the Kubernetes Engine cluster. It is also granted permission to perform the API actions included in the Role (or ClusterRole) associated with the group.

Example) role binding read-pods #1

The example of writing User (individual Samsung Cloud Platform user) in a role binding is as follows.

Color mode

# This role binding allows the user "jane.doe" to view pods in the "default" namespace.
# The namespace must have a role named "pod-reader".
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
roleRef:
  # The "roleRef" specifies the link to a Role or ClusterRole.
  kind: Role       # Must be Role or ClusterRole.
  name: pod-reader # Must match the name of the Role or ClusterRole you want to bind to.
  apiGroup: rbac.authorization.k8s.io
subjects:
# You can specify one or more "target (subject)".
- kind: User
  name: jane.doe
  apiGroup: rbac.authorization.k8s.io

# This role binding allows the user "jane.doe" to view pods in the "default" namespace.
# The namespace must have a role named "pod-reader".
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: read-pods
  namespace: default
roleRef:
  # The "roleRef" specifies the link to a Role or ClusterRole.
  kind: Role       # Must be Role or ClusterRole.
  name: pod-reader # Must match the name of the Role or ClusterRole you want to bind to.
  apiGroup: rbac.authorization.k8s.io
subjects:
# You can specify one or more "target (subject)".
- kind: User
  name: jane.doe
  apiGroup: rbac.authorization.k8s.io

Code block. Example of writing User (individual Samsung Cloud Platform user) in role binding

When a role binding like the above is created in the cluster, a user whose username is jane.doe is granted permission to perform the API actions defined in the pod-reader role.

Example) role binding read-pods #2

The example of creating a group (IAM user group) in role binding is as follows.

Color mode

# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# The namespace must have a role called "pod-reader".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
# You can specify one or more "target (subject)".
- kind: Group
  name: ReadPodsGroup
  apiGroup: rbac.authorization.k8s.io

# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# The namespace must have a role called "pod-reader".
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
# You can specify one or more "target (subject)".
- kind: Group
  name: ReadPodsGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Example of a RoleBinding that allows the ReadPodsGroup group to list pods.

If a role binding like the above is created in the cluster, users in the IAM user group ReadPodsGroup are granted permission to perform the API actions defined in the role pod-reader.

Example) ClusterRoleBinding read-nodes

Color mode

# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ReadNodesGroup
  apiGroup: rbac.authorization.k8s.io

# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ReadNodesGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Example of a cluster role binding that allows node read access for the ReadNodesGroup group.

When a cluster role binding like the above is created in the cluster, users belonging to the IAM user group ReadNodesGroup are granted permission to perform the API actions defined in the cluster role node-reader.

Reference

For detailed instructions on creating role bindings, refer to the following document. https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-binding-examples

Predefined roles and role bindings for Samsung Cloud Platform

In the Kubernetes Engine of Samsung Cloud Platform, the cluster role bindings scp-cluster-admin, scp-view, scp-namespace-view, and the cluster role scp-namespace-view are predefined. The table below shows the predefined roles and role bindings for Samsung Cloud Platform and the relationships of Samsung Cloud Platform users. Here, the cluster roles cluster-admin and view are predefined within the Kubernetes cluster. For more details, see role.

ClusterRoleBinding	ClusterRole	subjects (user)
scp-cluster-admin	cluster-admin	Cluster creator username (e.g., jane.doe)
scp-view	view	-
scp-namespace-view	scp-namespace-view	All users authenticated to this cluster

Table. Predefined roles and role bindings for Samsung Cloud Platform, user relationships

According to the cluster role binding scp-cluster-admin, the Kubernetes Engine service creator is granted cluster admin privileges.
Users or groups registered in the cluster role binding scp-view are granted cluster viewer permissions. It is bound to the predefined Kubernetes cluster role view, and does not grant access to cluster‑scoped resources (e.g., namespaces, nodes, ingress classes, etc.) or to secrets within a namespace. For more details, see role.
According to the cluster role binding scp-namespace-view, all users authenticated to the cluster are granted permission to view namespaces.

Reference

Predefined roles and role bindings for Samsung Cloud Platform are created once during cluster service creation.
Users can modify or delete the predefined cluster role bindings and cluster roles for Samsung Cloud Platform as needed.

The details of the predefined roles and role bindings for Samsung Cloud Platform are as follows.

ClusterRoleBinding scp-cluster-admin

Cluster role binding scp-cluster-admin is linked to the cluster role cluster-admin, and is bound to the Samsung Cloud Platform user (Kubernetes Engine cluster creator) according to the subjects field.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
  name: scp-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User               
  name: jane.doe # cluster creator username
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
  name: scp-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: User               
  name: jane.doe # cluster creator username
  apiGroup: rbac.authorization.k8s.io

Code block. Cluster role binding scp-cluster-admin example

ClusterRoleBinding scp-view

ClusterRoleBinding scp-view is bound to the ClusterRole view, and you can add Samsung Cloud Platform users or IAM user groups to the subjects field.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-view
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-view
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io

Code block. ClusterRoleBinding scp-view example

ClusterRole and ClusterRoleBinding scp-namespace-view

The cluster role scp-namespace-view defines view permissions for namespaces. The cluster role binding scp-namespace-view is bound to the cluster role scp-namespace-view, granting namespace read permissions to all authenticated users in the cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scp-namespace-view
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-namespace-view
roleRef:
  kind: ClusterRole
  name: scp-namespace-view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scp-namespace-view
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-namespace-view
roleRef:
  kind: ClusterRole
  name: scp-namespace-view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io

Code block. Cluster role and cluster role binding scp-namespace-view example

IAM user group RBAC use case

This chapter explains examples of granting permissions for each major user scenario. The IAM user groups, ClusterRoleBinding/RoleBinding, and ClusterRole names presented here are just examples to aid understanding. Administrators should define and apply appropriate names and permissions as needed.

Scope	use case	IAM user group	ClusterRoleBinding/RoleBinding	ClusterRole	Remarks
cluster	Cluster Administrator	ClusterAdminGroup	ClusterRoleBinding cluster-admin-group	cluster-admin	Administrator for a specific cluster
cluster	Cluster Editor	ClusterEditGroup	ClusterRoleBinding cluster-edit-group	edit	Editor for a specific cluster
cluster	Cluster Viewer	ClusterViewGroup	ClusterRoleBinding cluster-view-group	view	Viewer for a specific cluster
namespace	Namespace Manager	NamespaceAdminGroup	Role binding namespace-admin-group	admin	Administrator for a specific namespace
namespace	Namespace editor	NamespaceEditGroup	Role binding namespace-edit-group	edit	Editor for a specific namespace
namespace	Namespace viewer	NamespaceViewGroup	Role binding namespace-view-group	view	Viewer for a specific namespace

Table. Example of binding IAM user groups and cluster role users by use case

Reference

The cluster roles (cluster-admin, admin, edit, view) shown in the table are predefined within the Kubernetes cluster. For more details, see role.

Cluster Administrator

To create a cluster administrator, follow these steps.

Create an IAM user group named ClusterAdminGroup.

Create a cluster role binding with the following contents in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-group
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterAdminGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-group
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterAdminGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create cluster administrator

It is linked with cluster-admin of the base cluster, granting administrator privileges for that cluster.

Cluster Editor

To create a cluster editor, follow these steps.

Create an IAM user group named ClusterEditGroup.

Create a ClusterRoleBinding with the following specifications in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-edit-group
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterEditGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-edit-group
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterEditGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create cluster editor

It is linked with the edit role of the base cluster, granting editor permissions for that cluster.

Cluster Viewer

To create a cluster viewer, follow these steps.

Create an IAM user group named ClusterViewGroup.

Create a ClusterRoleBinding with the following specifications in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-view-group
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterViewGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-view-group
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterViewGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create cluster viewer

It is associated with the view role of the default cluster, granting viewer permissions for that cluster.

Namespace Administrator

To create a namespace manager, follow these steps.

Create an IAM user group named NamespaceAdminGroup.

Create a RoleBinding with the following contents in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceAdminGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceAdminGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create a namespace manager

It is linked with the admin role of the default cluster, granting administrator privileges for the namespace.

Namespace Editor

To create a namespace editor, follow these steps.

Create an IAM user group named NamespaceEditGroup.

Create a RoleBinding with the following specifications in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-edit-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceEditGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-edit-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceEditGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create namespace editor

It is linked with the default cluster role edit, granting editor permissions for the namespace.

Namespace Viewer

To create a namespace viewer, follow these steps.

Create an IAM user group named NamespaceViewGroup.

Create a RoleBinding with the following contents in the target cluster.

Color mode

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io

Code block. Create namespace viewer

It is associated with the default cluster role view, granting viewer permissions for the namespace.

3 - Using type LoadBalancer service

Service Configuration Method

By creating and applying a Service manifest file (example: my-lb-svc.yaml ), you can set up a Service of type LoadBalancer.

Caution

The LoadBalancer is created in the cluster subnet by default.
To create a LoadBalancer in a different Subnet, use the annotation service.beta.kubernetes.io/scp-load-balancer-subnet-id. * For more details, see Annotation detailed settings

To create and apply a type LoadBalancer Service, follow the steps below.

Create the Service manifest file my-lb-svc.yaml .

Color mode

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
      appProtocol: tcp # Refer to the LB service protocol type setting section
  type: LoadBalancer

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
      appProtocol: tcp # Refer to the LB service protocol type setting section
  type: LoadBalancer

Code block. Service manifest file my-lb-svc.yaml example

Deploy the Service manifest using the kubectl apply command.
Color mode
kubectl apply -f my-lb-svc.yaml
kubectl apply -f my-lb-svc.yaml
Code block. Deploy the Service manifest using the kubectl apply command.

Caution

When a type LoadBalancer Service is created, the corresponding Load Balancer service is automatically created. * It may take a few minutes for the configuration to complete.
Do not arbitrarily modify the automatically generated Load Balancer service and LB server group. * Changes may be reverted or cause unexpected behavior.
For configurable detailed features, please refer to Annotation detailed settings.

kubectl get service command is used to verify the Load Balancer configuration.

Color mode

# kubectl get service my-lb-svc
NAMESPACE     NAME         TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)         AGE
default       my-lb-svc    LoadBalancer   172.20.49.206    123.123.123.123   80:32068/TCP    3m

# kubectl get service my-lb-svc
NAMESPACE     NAME         TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)         AGE
default       my-lb-svc    LoadBalancer   172.20.49.206    123.123.123.123   80:32068/TCP    3m

Code block. Verify Load Balancer configuration using the `kubectl get service` command

Protocol type

You can create a Service manifest and use it. The following is a simple example.

Color mode

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    ...
  ports:
    - port: 80
      targetPort: 9376
      protocol: TCP    # required (choose one of TCP, UDP)
      appProtocol: tcp # optional (leave blank or select one of tcp, http, https)
  type: LoadBalancer   # type LoadBalancer

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    ...
  ports:
    - port: 80
      targetPort: 9376
      protocol: TCP    # required (choose one of TCP, UDP)
      appProtocol: tcp # optional (leave blank or select one of tcp, http, https)
  type: LoadBalancer   # type LoadBalancer

Code block. Example of Service manifest creation

The list of protocols (protocol and appProtocol) supported by the Load Balancer Service type in Kubernetes Engine, along with the corresponding settings applied to the Load Balancer service, is as follows.

Category	(k8s) protocol	(k8s) appProtocol	(LB) Service classification	(LB) LB Listener	(LB) LB server group	(LB) health check
L4 TCP	TCP	(tcp)	L4	TCP {port}	TCP {nodePort}	TCP {nodePort}
L4 UDP	UDP	-	L4	UDP {port}	UDP {nodePort}	TCP {nodePort}
L7 HTTP	TCP	http	L7	HTTP {port}	TCP {nodePort}	TCP/HTTP {nodePort}
L7 HTTPS	TCP	https	L7	HTTPS {port}	TCP {nodePort}	TCP/HTTP {nodePort}

Table. k8s Service manifest and Load Balancer service configuration

According to the k8s Service manifest spec, you can specify multiple ports for a single service.

Caution

Depending on the Load Balancer service type (L4, L7), you cannot mix protocol layers within a single Service.

In other words, L4 (TCP, UDP) and L7 (HTTP, HTTPS) cannot be used together in a single Service.

L4 Service Manifest Writing Example

Color mode

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer

Code block. L4 Service manifest writing example

L7 Service Manifest Example

Color mode

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-layer-type: "L7" # required
    service.beta.kubernetes.io/scp-load-balancer-client-cert-id: "24da35de187b450eb0cf09fb6fa146de" # required
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - appProtocol: http # required
      protocol: TCP
      port: 80
      targetPort: 9376
    - appProtocol: https # required
      protocol: TCP
      port: 443
      targetPort: 9898
  type: LoadBalancer

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-layer-type: "L7" # required
    service.beta.kubernetes.io/scp-load-balancer-client-cert-id: "24da35de187b450eb0cf09fb6fa146de" # required
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - appProtocol: http # required
      protocol: TCP
      port: 80
      targetPort: 9376
    - appProtocol: https # required
      protocol: TCP
      port: 443
      targetPort: 9898
  type: LoadBalancer

Code block. Example of L7 Service manifest creation

Annotation detailed settings

You can add annotations to the service manifest to configure detailed features.

Color mode

apiVersion: v1
kind: Service
metatdata:
  name: my-lb-svc
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled: "true"
    service.beta.kubernetes.io/scp-load-balancer-health-check-interval: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-timeout: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-count: "3"
    service.beta.kubernetes.io/scp-load-balancer-session-duration-time: "300"
  spec:
  type: LoadBalancer
  ...

apiVersion: v1
kind: Service
metatdata:
  name: my-lb-svc
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled: "true"
    service.beta.kubernetes.io/scp-load-balancer-health-check-interval: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-timeout: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-count: "3"
    service.beta.kubernetes.io/scp-load-balancer-session-duration-time: "300"
  spec:
  type: LoadBalancer
  ...

Code block. Example of adding annotation to service manifest

Reference

If you do not add any annotation to the service, the annotation’s default values are applied.
Even if the annotation added to the service does not meet the allowed values, the annotation’s default value is applied.

Below is a description of all annotations available for a type LoadBalancer service.

annotation Protocol default allowed value example Explanation

service.beta.kubernetes.io/scp-load-balancer-source-ranges-firewall-rules All false true, false false Automatically add firewall rule (LB source ranges → LB service IP)

service.beta.kubernetes.io/scp-load-balancer-snat-healthcheck-firewall-rules

All

annotation	Protocol	default	allowed value	example	Explanation
service.beta.kubernetes.io/scp-load-balancer-source-ranges-firewall-rules	All	`false`	`true`, `false`	`false`	Automatically add firewall rule (LB source ranges → LB service IP)
service.beta.kubernetes.io/scp-load-balancer-snat-healthcheck-firewall-rules	All	`false`	`true`,`false`	`false`	Automatically add firewall rules (LB Source NAT IP, HealthCheck IP → member IP:Port) When you use this annotation, firewall rules are added for each port of the type LB service, so the firewall rules can become very numerous. If the large number of firewall rules becomes a burden, you can instead add firewall rules manually without using this annotation. For example, you can add a firewall rule that targets the member IP’s NodePort range (30000-32767).

false

true,false

false

Automatically add firewall rules (LB Source NAT IP, HealthCheck IP → member IP:Port)

When you use this annotation, firewall rules are added for each port of the type LB service, so the firewall rules can become very numerous.

If the large number of firewall rules becomes a burden, you can instead add firewall rules manually without using this annotation. For example, you can add a firewall rule that targets the member IP’s NodePort range (30000-32767).

Table. Firewall-related settings in Kubernetes annotations

annotation Protocol default allowed value example Explanation

service.beta.kubernetes.io/scp-load-balancer-security-group-id

All

annotation	Protocol	default	allowed value	example	Explanation
service.beta.kubernetes.io/scp-load-balancer-security-group-id	All	-	`UUID`	`92d84b44-ee71-493d-9782-3a90481ce5f3`	Automatically add rules to the Security Group corresponding to the specified ID When you use this annotation, rules are added to the Security Group for each port of the type LB service, so the Security Group rules can become very numerous. If having too many Security Group rules is burdensome, you can alternatively add Security Group rules manually without using this annotation. For example, you can specify the target address as the Load Balancer’s Source NAT IP and health check IP, and add a Security Group rule that allows ports in the NodePort range (30000-32767). Security Group rules added by this annotation are not automatically removed even if the annotation is deleted or modified. You can add multiple entries separated by commas. (Example: `ddc25ad8-6d3f-4242-8c86-2a059212ddc6,26ab7fe1-b3ea-4aa9-9e9d-35a7c237904e`) This annotation can be used together with the service.beta.kubernetes.io/scp-load-balancer-security-group-name annotation, and rules are automatically added to all Security Groups that meet the criteria.
service.beta.kubernetes.io/scp-load-balancer-security-group-name	All	-	`string`	`security-group-1`	Automatically add rules to the Security Group corresponding to the specified Name When you use this annotation, rules are added to the Security Group for each port of the type LB service, so the number of Security Group rules can become very large. If the large number of Security Group rules is burdensome, you can alternatively add Security Group rules manually without using this annotation. For example, you can specify the target addresses as the Load Balancer’s Source NAT IP and health check IP, and add a Security Group rule that allows ports in the NodePort range (30000-32767). Security Group rules added by this annotation are not automatically removed even if the annotation is deleted or modified. Multiple entries can be added, separated by commas (example: `security-group-1,security-group-2`) This annotation can be used together with the service.beta.kubernetes.io/scp-load-balancer-security-group-id annotation, and rules are automatically added to all Security Groups that meet the criteria.

UUID

92d84b44-ee71-493d-9782-3a90481ce5f3

Automatically add rules to the Security Group corresponding to the specified ID

When you use this annotation, rules are added to the Security Group for each port of the type LB service, so the Security Group rules can become very numerous.

If having too many Security Group rules is burdensome, you can alternatively add Security Group rules manually without using this annotation. For example, you can specify the target address as the Load Balancer’s Source NAT IP and health check IP, and add a Security Group rule that allows ports in the NodePort range (30000-32767).

Security Group rules added by this annotation are not automatically removed even if the annotation is deleted or modified.

You can add multiple entries separated by commas. (Example: ddc25ad8-6d3f-4242-8c86-2a059212ddc6,26ab7fe1-b3ea-4aa9-9e9d-35a7c237904e)

This annotation can be used together with the service.beta.kubernetes.io/scp-load-balancer-security-group-name annotation, and rules are automatically added to all Security Groups that meet the criteria.

service.beta.kubernetes.io/scp-load-balancer-security-group-name

All

string

security-group-1

Automatically add rules to the Security Group corresponding to the specified Name

When you use this annotation, rules are added to the Security Group for each port of the type LB service, so the number of Security Group rules can become very large.

If the large number of Security Group rules is burdensome, you can alternatively add Security Group rules manually without using this annotation. For example, you can specify the target addresses as the Load Balancer’s Source NAT IP and health check IP, and add a Security Group rule that allows ports in the NodePort range (30000-32767).

Security Group rules added by this annotation are not automatically removed even if the annotation is deleted or modified.

Multiple entries can be added, separated by commas (example: security-group-1,security-group-2)

This annotation can be used together with the service.beta.kubernetes.io/scp-load-balancer-security-group-id annotation, and rules are automatically added to all Security Groups that meet the criteria.

Table. Settings related to Security Group in Kubernetes annotations

annotation	Protocol	default	allowed value	example	Explanation
service.beta.kubernetes.io/scp-load-balancer-layer-type	All	`L4`	`L4`, `L7`	`L4`	Specify the service type of the Load Balancer When using this annotation, specify L4 if you want to use TCP or UDP, and L7 if you want to use HTTP or HTTPS. Cannot be changed after initial creation. To change it, you must recreate the service.
service.beta.kubernetes.io/scp-load-balancer-subnet-id	All	-	`ID`	`7f05eda5e1cf4a45971227c57a6d60fa`	Specify the Service Subnet of the Load Balancer If this annotation is not specified, the cluster’s Subnet is used. Cannot be changed after initial creation. To modify, you must recreate the service.
service.beta.kubernetes.io/scp-load-balancer-service-ip	All	-	`IP address`	`192.168.10.7`	Specify the Service IP of the Load Balancer Cannot be changed after initial creation. To change it, you must recreate the service.
service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled	All	`false`	`true`, `false`	`false`	Specify whether to use the Load Balancer’s Public NAT IP If this annotation is set to true and service.beta.kubernetes.io/scp-load-balancer-public-ip-id is not specified, an IP is automatically assigned. If this annotation is set to true and service.beta.kubernetes.io/scp-load-balancer-public-ip-id is specified, the Public IP corresponding to the specified ID is applied.
service.beta.kubernetes.io/scp-load-balancer-public-ip-id	All	-	`ID`	`4119894bd9614cef83db6f8dda667a20`	Specify the ID of the Public IP to be used as the Load Balancer’s Public NAT IP service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled is not set to true, this annotation is ignored. service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled is set to true and this annotation is specified, the Public IP corresponding to the specified ID is applied.

Table. Load Balancer related settings in Kubernetes annotations

annotation	Protocol	default	allowed value	example	Explanation
service.beta.kubernetes.io/scp-load-balancer-idle-timeout	HTTP, HTTPS	-	`60 - 3600`(60-second unit)	`600`	Specify the LB Listener’s idle-timeout (seconds) If the annotation is not set or the value is not allowed (e.g., “”, “0”), the default value (unused) is applied. Cannot change from used to unused after use. To change, you must recreate the service. service.beta.kubernetes.io/scp-load-balancer-session-duration-time cannot be set simultaneously. service.beta.kubernetes.io/scp-load-balancer-response-timeout cannot be set simultaneously.
service.beta.kubernetes.io/scp-load-balancer-session-duration-time	All	L4: `120` L7: -	L4 TCP: `60 - 3600`(60-second unit) L4 UDP: `60 - 180`(60-second unit) L7: `0 - 120`	`120`	Specify the LB Listener’s session-duration-time (seconds) L4: If the annotation is not set or the value is not allowed, the default value (“120”) is applied. (L4 cannot be unused) L7: If the annotation is not set or the value is not allowed (e.g., “”, “0”), the default (unused) is applied. Cannot change from used to unused after deployment. To change, you must recreate the service. service.beta.kubernetes.io/scp-load-balancer-idle-timeout cannot be set simultaneously.
service.beta.kubernetes.io/scp-load-balancer-response-timeout	HTTP, HTTPS	-	`0 - 120`	`60`	Specify the LB Listener response-timeout (seconds) If the annotation is not set or the value is not allowed (e.g., “”, “0”), the default (unused) is applied. Cannot change from used to unused. To change, you must recreate the service. service.beta.kubernetes.io/scp-load-balancer-idle-timeout cannot be set simultaneously.
service.beta.kubernetes.io/scp-load-balancer-insert-client-ip	TCP	`false`	`true`, `false`	`false`	Specify Insert Client IP for LB Listener
service.beta.kubernetes.io/scp-load-balancer-x-forwarded-proto	HTTP, HTTPS	`false`	`true`, `false`	`false`	Specify whether to use the X-Forwarded-Proto header for the LB Listener.
service.beta.kubernetes.io/scp-load-balancer-x-forwarded-port	HTTP, HTTPS	`false`	`true, false`	`false`	Specify whether to use the X-Forwarded-Port header of the LB Listener
service.beta.kubernetes.io/scp-load-balancer-x-forwarded-for	HTTP, HTTPS	`false`	`true`, `false`	`false`	Specify whether to use the X-Forwarded-For header for the LB Listener.
service.beta.kubernetes.io/scp-load-balancer-support-http2	HTTP, HTTPS	`false`	`true`, `false`	`false`	Specify whether the LB Listener supports HTTP 2.0.
service.beta.kubernetes.io/scp-load-balancer-persistence	TCP, HTTP, HTTPS	`""`	`""`, `source-ip`, `cookie`	`source-ip`	Specify the persistence of the LB Listener (none, source IP, or cookie) For UDP, this annotation cannot be used. For TCP, you can specify `""` or `source-ip` . For HTTP/HTTPS, you can specify one of `""`, `source-ip`, `cookie` .
service.beta.kubernetes.io/scp-load-balancer-client-cert-id	HTTPS	-	`UUID`	`78b9105e00324715b63700933125fa83`	Specify the client SSL certificate ID of the LB Listener required input field when HTTPS is specified.
service.beta.kubernetes.io/scp-load-balancer-client-cert-level	HTTPS	`HIGH`	`HIGH`, `NORMAL`, `LOW`	`HIGH`	Specify the security level of the client SSL certificate for the LB Listener.
service.beta.kubernetes.io/scp-load-balancer-server-cert-level	HTTPS	-	`HIGH`, `NORMAL`, `LOW`	`HIGH`	Specify the security level of the server SSL certificate for the LB Listener.

Table. LB Listener related settings in Kubernetes annotations

annotation	Protocol	default	allowed value	example	Explanation
service.beta.kubernetes.io/scp-load-balancer-lb-method	All	`ROUND_ROBIN`	`ROUND_ROBIN`, `LEAST_CONNECTION`, `IP_HASH`	`ROUND_ROBIN`	Specify the load balancing policy for the LB server group

Table. Settings related to LB server group in Kubernetes annotations

annotation	Protocol	default	allowed value	example	Explanation
service.beta.kubernetes.io/scp-load-balancer-health-check-enabled	All	`true`	`true`, `false`	`true`	Specify whether to use LB health check
service.beta.kubernetes.io/scp-load-balancer-health-check-protocol	All	TCP	TCP, HTTP, HTTPS	TCP	Specify the protocol for the LB health check
service.beta.kubernetes.io/scp-load-balancer-health-check-port	All	`{nodeport}`	`1 - 65534`	`30000`	Specify the health check port of the LB health check `{nodeport}` as default so, it is generally not necessary to specify it.
service.beta.kubernetes.io/scp-load-balancer-health-check-count	All	`3`	`1 - 10`	`3`	Specify the number of detection attempts for LB health check
service.beta.kubernetes.io/scp-load-balancer-health-check-interval	All	`5`	`1 - 180`	`5`	Specify the LB health check interval
service.beta.kubernetes.io/scp-load-balancer-health-check-timeout	All	`5`	`1 - 180`	`5`	Specify the wait time for LB health check
service.beta.kubernetes.io/scp-load-balancer-health-check-http-method	HTTP	GET	GET, POST	GET	Specify the HTTP method for the LB health check
service.beta.kubernetes.io/scp-load-balancer-health-check-url	HTTP	`/`	string	`/healthz`	Specify the URL for the LB health check
service.beta.kubernetes.io/scp-load-balancer-health-check-response-code	HTTP	`200`	`200 - 500`	`200`	Specify the response code for the LB health check
service.beta.kubernetes.io/scp-load-balancer-health-check-request-data	HTTP	-	string	`username=admin&password=1234`	Specify the request string for LB health check POST method is a required input field when set.
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-enabled	All	`true`	`true`, `false`	`true`	Specify whether to use LB health check for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-protocol	All	TCP	TCP, HTTP, HTTPS	TCP	Specify the LB health check protocol for the Service’s {port} port number.
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-port	All	-	`1 - 65534`	`30000`	Specify the LB health check port for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-count	All	`3`	`1 - 10`	`3`	Specify the LB health check detection count for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-interval	All	`5`	`1 - 180`	`5`	Specify the LB health check interval for the Service’s {port} port number
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-timeout	All	`5`	`1 - 180`	`5`	Specify the LB health check wait time for the Service’s {port} port number.
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-http-method	HTTP	GET	GET, POST	GET	Specify the LB health check HTTP method for the Service’s {port} port number.
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-url	HTTP	`/`	string	`/healthz`	Specify the LB health check URL for the Service’s {port} port number.
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-response-code	HTTP	`200`	`200 - 500`	`200`	Specify the LB health check response code for the Service’s {port} port number.
service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-request-data	HTTP	-	string	`username=admin&password=1234`	Specify the LB health check request string for the Service’s {port} port number POST method is a required field.

Table. Settings related to LB health check in Kubernetes annotations

Constraints

The constraints to consider when using Kubernetes annotations are as follows.

Constraints	Related annotations
When changing the Security Group, rules created in the existing Security Group are not automatically deleted.	service.beta.kubernetes.io/scp-load-balancer-security-group-id service.beta.kubernetes.io/scp-load-balancer-security-group-name
Cannot change the service classification (L4/L7) of the Load Balancer.	service.beta.kubernetes.io/scp-load-balancer-layer-type
L4 and L7 cannot be used together within the same k8s Service.	service.beta.kubernetes.io/scp-load-balancer-layer-type
Cannot change Load Balancer subnet	service.beta.kubernetes.io/scp-load-balancer-subnet-id
Cannot change the Load Balancer’s Service IP	service.beta.kubernetes.io/scp-load-balancer-service-ip
The LB Listener idle-timeout cannot be changed from enabled to disabled after it has been used.	service.beta.kubernetes.io/scp-load-balancer-idle-timeout
The LB Listener session-duration-time cannot be changed from used to unused after it has been used.	service.beta.kubernetes.io/scp-load-balancer-session-duration-time
The LB Listener response-timeout cannot be changed from enabled to disabled after it has been used.	service.beta.kubernetes.io/scp-load-balancer-response-timeout
LB Listener idle-timeout cannot be set simultaneously with session-duration-time or response-timeout.	service.beta.kubernetes.io/scp-load-balancer-idle-timeout service.beta.kubernetes.io/scp-load-balancer-session-duration-time service.beta.kubernetes.io/scp-load-balancer-response-timeout
Cannot use TCP and UDP together on the same port number within the same k8s Service.	-
L7 Listener’s routing rules only support the default URL path of the LB server group delivery method To add other URL paths, you must add them directly in the Samsung Cloud Platform console URL redirection is not supported	-

Table. Constraints when using Kubernetes annotations

4 - Usage Considerations

Managed Port Constraints

The following ports are used for SKE management and cannot be used for service access. Additionally, if they are blocked by the OS firewall or similar, node functions or some features may not operate correctly.

Port	Explanation
UDP 4789	calico-vxlan
TCP 5473	calico-typha
TCP 10250	kubelet
TCP 19100	node-exporter
TCP 19400	dcgm-exporter

Table. Managed Port List

kube-reserved resource constraints

kube-reserved is a feature that reserves resources for system daemons that do not run as pods on a node.

System daemons that do not run as pods include kubelet, container runtime, etc.

Reference

For detailed information about kube-reserved, refer to the following document.

https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#kube-reserved

Kubernetes Engine reserves CPU and memory based on the following criteria.

CPU specifications	Memory specifications
6% of the first core 1% of the next core (up to 2 cores) 0.5% of the next 2 cores (up to 4 cores) 0.25% of cores exceeding 4 cores	25% of the first 4 GB memory 20% of the next 4 GB memory (up to 8 GB) 10% of the next 8 GB memory (up to 16 GB) 6% of the next 112 GB memory (up to 128 GB) 2% of memory exceeding 128 GB

CPU specifications

Memory specifications

6% of the first core

1% of the next core (up to 2 cores)

0.5% of the next 2 cores (up to 4 cores)

0.25% of cores exceeding 4 cores

25% of the first 4 GB memory

20% of the next 4 GB memory (up to 8 GB)

10% of the next 8 GB memory (up to 16 GB)

6% of the next 112 GB memory (up to 128 GB)

2% of memory exceeding 128 GB

Table. CPU and Memory Standard Resource Reservation Items

Example: For a Virtual Server with 16 vCPU cores and 32 GB memory, kube-reserved is calculated as follows.
- CPU: (1 core × 0.06) + (1 core × 0.01) + (2 core × 0.005) + (12 core × 0.0025) = 0.11 core
- Memory: (4 GB × 0.25) + (4 GB × 0.2) + (8 GB × 0.1) + (16 GB × 0.06) = 3.56 GB
Example: The resources reserved based on CPU size are as follows.

CPU specifications	Resource Specification 1	Resource Specification 2	Resource Specification 3	Resource Specification 4
kube-reserved CPU	70 m	80 m	90 m	110 m

Table. Example of resources reserved according to CPU size

Example: The resources reserved based on memory size are as follows.

Memory specifications	Resource Specification 1	Resource Specification 2	Resource Specification 3	Resource Specification 4	Resource Specification 4	Resource Specification 4	Resource Specification 4
kube-reserved memory	1 GB	1.8 GB	2.6 GB	3.56 GB	5.48 GB	9.32 GB	11.88 GB

Table. Example of resources reserved according to memory size

5 - Version information

Kubernetes version and support period

Kubernetes version lifecycle

The Kubernetes open-source software (OSS) community releases minor versions three times a year, with a release cycle of approximately 15 weeks. A released minor version goes through a support period of about 14 months (12 months for standard patches, 2 months for maintenance) before reaching EOL (End of Life).

information

For information on Kubernetes release and EOL dates and support periods, refer to the following link.

Samsung Cloud Platform Kubernetes Engine (SKE) version release plan

SKE validates and supplies the stable patch versions among released OSS minor versions. Therefore, the release timing of the version provided by SKE differs from that of the corresponding OSS version.

Also, for previously released versions, considering factors such as the open‑source EOL timing, technical support will be terminated sequentially from the older versions (End of Tech support, EoTS).

The release schedule and end-of-life schedule for OSS and SKE are as follows.

version	OSS release	OSS EOL	SKE release	SKE EoTS
v1.29	2023-12-13	2025-02-28	2024-10	2026-03-31
v1.30	2024-04-17	2025-06-28	2025-02	2026-06-30
v1.31	2024-08-13	2025-10-28	2025-07	2026-10-28
v1.32	2024-12-11	2026-02-28	2025-10	2027-02-28
v1.33	2025-04-23	2026-06-28	2025-12	2027-06-28
v1.34	2025-08-27	2026-10-27	2026-03	2027-10-27

Table. Release and end schedule for OSS and SKE

Feature restrictions when technical support ends (EoTS)

If the Kubernetes version provided by SKE reaches end-of-technical-support (EoTS) status, the features supported in that version may be limited.

Create new cluster → Creation not allowed
Existing cluster upgrade → upgrade possible (upgrade is possible even if the newer version is EoTS)
Create node pool from existing cluster → possible

Reference

Since EOL versions may have vulnerabilities, we recommend upgrading to a newer version.
You can upgrade the control plane and node pools from the Samsung Cloud Platform Console, and no additional costs are incurred for the upgrade.
- For stable operation, perform compatibility testing of the upgrade version before proceeding with the upgrade.

OS and GPU drivers

The OS and GPU driver version information available for each K8s server type is as follows.

Caution

The OS versions provided may vary by K8s version.
When using GPU nodes, the related K8s components (nvidia-device-plugin, dcgm-exporter) are provisioned by default in the cluster.
- When deploying the gpu-operator, conflicts may occur due to duplicate component configurations. We recommend deployment and use, excluding the default-provided components.
For end-of-life OSes, creating a node pool is possible, but we recommend using the latest OS version.

k8s version	Standard and High Capacity	GPU
v1.29	Ubuntu 22.04 RHEL 8.10 RHEL 8.8 (EOL OS)	Ubuntu 22.04 (ND 535.183.06)
v1.30	Ubuntu 22.04 RHEL 8.10 RHEL 8.8 (EOL OS)	Ubuntu 24.04 (ND 580.126.20) Ubuntu 24.04 (ND 570.195.03) Ubuntu 22.04 (ND 535.183.06)
v1.31	Ubuntu 22.04 RHEL 8.10 RHEL 8.8 (EOL OS)	Ubuntu 24.04 (ND 580.126.20) Ubuntu 24.04 (ND 570.195.03) Ubuntu 22.04 (ND 535.183.06)
v1.32	Ubuntu 22.04 RHEL 9.4	Ubuntu 24.04 (ND 580.126.20) Ubuntu 24.04 (ND 570.195.03) Ubuntu 22.04 (ND 535.183.06)
v1.33	Ubuntu 22.04 RHEL 9.4	Ubuntu 24.04 (ND 580.126.20) Ubuntu 24.04 (ND 570.195.03) Ubuntu 22.04 (ND 535.183.06)
v1.34	Ubuntu 22.04 RHEL 9.4	Ubuntu 24.04 (ND 580.126.20) Ubuntu 24.04 (ND 570.195.03) Ubuntu 22.04 (ND 535.183.06)

Table. OS / GPU driver versions by K8s version and server type

The OS versions and supported GPU server models for each GPU driver version are as follows.

Caution

When creating a GPU node with the GPU-B300-3 server type, you must use an image with GPU driver version 580.126.20.

GPU driver version	OS version	Supported model (server type)
ND 535.183.06	Ubuntu 22.04	A100(GPU-A100-1) H100(GPU-H100-2)
ND 570.195.03	Ubuntu 24.04	A100(GPU-A100-1) H100(GPU-H100-2)
ND 580.126.20	Ubuntu 24.04	A100(GPU-A100-1) H100(GPU-H100-2) B300(GPU-B300-3)

Table. OS / supported models by GPU driver version