The page has been translated by Gen AI.

Authentication and Authorization

Kubernetes Engine applies the authentication and RBAC authorization features of Kubernetes. This page explains those features and how to link them with Kubernetes Engine and IAM.

Kubernetes Authentication and Authorization

This section explains the authentication and RBAC authorization features of Kubernetes.

Authentication

The Kubernetes API server acquires the necessary information for user or account authentication from certificates or authentication tokens and proceeds with the authentication process.

Note
For a detailed explanation of Kubernetes authentication, refer to the following document: https://kubernetes.io/docs/reference/access-authn-authz/authentication/
Note
For a detailed explanation of using kubectl and kubeconfig, refer to Accessing the Cluster.

Authorization

The Kubernetes API server checks if the user has permission for the requested action using the user information obtained through the authentication process and the RBAC-related objects. There are four types of RBAC-related objects as follows:

| Object | Scope | Description |
| --- | --- | --- |
| ClusterRole | Cluster-wide | Definition of permissions across all namespaces in the cluster |
| ClusterRoleBinding | Cluster-wide | Binding definition between ClusterRole and user |
| Role | Namespace | Definition of permissions for a specific namespace |
| RoleBinding | Namespace | Binding definition between ClusterRole or Role and user |
Table. RBAC-related objects
Note
For a detailed explanation of Kubernetes RBAC authorization, refer to the following document: https://kubernetes.io/docs/reference/access-authn-authz/rbac/

Role

Kubernetes has several predefined ClusterRoles. Some of these ClusterRoles do not have the prefix system:, which means they are intended for use by users. These include the cluster-admin role, which can be applied to the entire cluster using ClusterRoleBinding, and the admin, edit, and view roles, which can be applied to a specific namespace using RoleBinding.

| Default ClusterRole | Default ClusterRoleBinding | Description |
| --- | --- | --- |
| cluster-admin | system:masters group | Grants superuser access to perform all actions on all resources. When used in ClusterRoleBinding, it grants full control over all resources in the cluster and all namespaces. When used in RoleBinding, it grants full control over the RoleBinding's namespace and all resources in that namespace. |
| admin | None | Grants administrator access to a namespace when used with RoleBinding: read/write access to most resources in the namespace, including the ability to create roles and role bindings. It does not grant write access to resource quotas or the namespace itself. |
| edit | None | Grants read/write access to most objects in the namespace. It does not grant the ability to view or modify roles and role bindings. However, it allows access to secrets and running pods as any service account in the namespace, so it can be used to gain the API access of any service account in the namespace. |
| view | None | Grants read-only access to most objects in the namespace. Roles and role bindings cannot be viewed. It does not grant access to secrets, because reading secret contents would expose service account credentials in the namespace and allow API access as any of those service accounts (a form of privilege escalation). |
Table. Default ClusterRole and ClusterRoleBinding descriptions
Note
For a detailed explanation of user-facing roles, refer to the following document: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles

In addition to the predefined ClusterRoles, you can define separate roles (or ClusterRoles) as needed. For example:

# Role that grants permission to view pods in the "default" namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: default
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
Code block. Role that grants permission to view pods in a namespace
# ClusterRole that grants permission to view nodes
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-viewer
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
Code block. ClusterRole that grants permission to view nodes
Note
For more information about roles and cluster roles, see the following document: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-and-clusterrole

Role Binding

To manage access to the Kubernetes Engine using Samsung Cloud Platform IAM, you need to understand the relationship between Kubernetes’ role binding and IAM. The target (subjects) of role binding (or cluster role binding) can include individual users (User) or groups (Group).

  • User matches the Samsung Cloud Platform username, and Group matches the IAM user group name.

For role binding/cluster role binding, subjects.kind can be one of the following:

  • User: Binds to a Samsung Cloud Platform individual user.
  • Group: Binds to a Samsung Cloud Platform IAM user group.
Note
In addition to the above, a service account can also be specified, but a service account is generally not for users and cannot be bound to a Samsung Cloud Platform user.

The subjects.name of role binding/cluster role binding can be specified as follows:

  • User case: Samsung Cloud Platform individual username (e.g. jane.doe)
  • Group case: Samsung Cloud Platform IAM user group name (e.g. ReadPodsGroup)
Note
subjects.name is case-sensitive.

In this way, a role binding (or cluster role binding) created in the Kubernetes Engine cluster binds an IAM user group to a role (or cluster role), and the members of the group are granted permission to perform the API operations included in that role (or cluster role).

Example) Role Binding read-pods #1

An example of writing a User (Samsung Cloud Platform individual user) to a role binding is as follows:

# This role binding allows the user "jane.doe" to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  # "roleRef" specifies the binding to a role or cluster role.
  kind: Role       # Must be Role or ClusterRole.
  name: pod-reader # Must match the name of the role or cluster role to bind.
  apiGroup: rbac.authorization.k8s.io
subjects:
# One or more subjects (targets) can be specified.
- kind: User
  name: jane.doe   # Samsung Cloud Platform username; case-sensitive
  apiGroup: rbac.authorization.k8s.io
Code block. Example of writing a User (Samsung Cloud Platform individual user) to a role binding

If a role binding like the above is created in a cluster, a user with the username jane.doe is granted the permission to perform the API actions defined in the pod-reader role.

Example) Role Binding read-pods #2

An example of writing a group (IAM user group) to a role binding is as follows:

# This role binding allows users in the "ReadPodsGroup" group to view pods in the "default" namespace.
# A "pod-reader" role must exist in the namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
  namespace: default
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
# One or more "targets" can be specified.
- kind: Group
  name: ReadPodsGroup
  apiGroup: rbac.authorization.k8s.io
Code block. Example of Role binding that allows the ReadPodsGroup group to view pods

If a role binding like the above is created in the cluster, users in the IAM user group ReadPodsGroup are granted the permission to perform the API operations defined in the pod-reader role.

Example) Cluster Role Binding read-nodes

# This cluster role binding allows users in the "ReadNodesGroup" group to view nodes.
# A cluster role named "node-reader" must exist.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: read-nodes
roleRef:
  kind: ClusterRole
  name: node-reader
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ReadNodesGroup
  apiGroup: rbac.authorization.k8s.io
Code block. Example of a cluster role binding that allows the ReadNodesGroup group to view nodes

When a cluster role binding like the one above is created in the cluster, users in the IAM user group ReadNodesGroup are granted the permissions to perform the API actions defined in the cluster role node-reader.

Note
For more detailed explanations on role binding creation, refer to the following document: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#role-binding-examples
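How the bindings above turn into allow/deny decisions, as an added example that is not part of the original page and not the API server's code: a simplified RBAC evaluator showing exact (case-sensitive) subject matching and the namespace limit of a RoleBinding. The rules given to node-reader and view, the namespace dev, and the users bob, carol and dave are assumptions made for the example.

```python
# Added example: a simplified model of RBAC evaluation, not the API server's code.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    api_groups: tuple
    resources: tuple
    verbs: tuple

    def allows(self, api_group, resource, verb):
        # Each field must contain the requested value or the wildcard "*".
        return all("*" in allowed or value in allowed
                   for allowed, value in ((self.api_groups, api_group),
                                          (self.resources, resource),
                                          (self.verbs, verb)))


READ = ("get", "list", "watch")

# Roles keyed by (kind, namespace, name); a ClusterRole has namespace None.
ROLES = {
    ("Role", "default", "pod-reader"): [Rule(("",), ("pods",), READ)],
    # Assumption: node-reader carries the same rule as the page's node-viewer.
    ("ClusterRole", None, "node-reader"): [Rule(("",), ("nodes",), READ)],
    # Assumption: the built-in "view" role reduced to one rule for brevity.
    ("ClusterRole", None, "view"): [Rule(("",), ("pods",), READ)],
}

BINDINGS = [
    # read-pods #1 and #2 from the page, merged into one subjects list.
    {"kind": "RoleBinding", "namespace": "default",
     "roleRef": ("Role", "pod-reader"),
     "subjects": [("User", "jane.doe"), ("Group", "ReadPodsGroup")]},
    # read-nodes from the page.
    {"kind": "ClusterRoleBinding", "namespace": None,
     "roleRef": ("ClusterRole", "node-reader"),
     "subjects": [("Group", "ReadNodesGroup")]},
    # namespace-view-group with <namespace_name> set to "dev" (constructed).
    {"kind": "RoleBinding", "namespace": "dev",
     "roleRef": ("ClusterRole", "view"),
     "subjects": [("Group", "NamespaceViewGroup")]},
]


def subject_matches(binding, user, groups):
    """Exact, case-sensitive comparison against subjects.name."""
    return any((kind == "User" and name == user)
               or (kind == "Group" and name in groups)
               for kind, name in binding["subjects"])


def authorize(user, groups, verb, resource, namespace=None, api_group=""):
    """Return True if any binding grants the request (RBAC has no deny rules).

    namespace=None stands for a request on a cluster-scoped resource.
    """
    for binding in BINDINGS:
        if not subject_matches(binding, user, groups):
            continue
        # A RoleBinding grants nothing outside its own namespace, even when
        # its roleRef points at a ClusterRole.
        if binding["kind"] == "RoleBinding" and binding["namespace"] != namespace:
            continue
        role_kind, role_name = binding["roleRef"]
        role_ns = binding["namespace"] if role_kind == "Role" else None
        rules = ROLES.get((role_kind, role_ns, role_name), [])
        if any(rule.allows(api_group, resource, verb) for rule in rules):
            return True
    return False


if __name__ == "__main__":
    requests = [
        ("jane.doe", [], "list", "pods", "default"),
        ("Jane.Doe", [], "list", "pods", "default"),
        ("bob", ["readpodsgroup"], "list", "pods", "default"),
        ("dave", ["NamespaceViewGroup"], "list", "pods", "default"),
        ("carol", ["ReadNodesGroup"], "list", "nodes", None),
    ]
    for user, groups, verb, resource, ns in requests:
        verdict = "allow" if authorize(user, groups, verb, resource, ns) else "deny"
        print(f"{verdict:5} {user} {groups} {verb} {resource} ns={ns}")
```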

Predefined Roles and Role Bindings for Samsung Cloud Platform

The Kubernetes Engine of Samsung Cloud Platform has the predefined cluster role bindings scp-cluster-admin, scp-view, and scp-namespace-view, and the predefined cluster role scp-namespace-view. The following table shows the binding relationship between the predefined roles and role bindings and Samsung Cloud Platform users. Here, the cluster roles cluster-admin and view are predefined within the Kubernetes cluster. For more detailed explanations, refer to the Role section.

| Cluster Role Binding | Cluster Role | Subjects (User) |
| --- | --- | --- |
| scp-cluster-admin | cluster-admin | Group AdministratorGroup; Group OperatorGroup; User john.smith |
| scp-view | view | Group ViewerGroup |
| scp-namespace-view | scp-namespace-view | All authenticated users in the cluster |
Table. Predefined Roles and Role Bindings for Samsung Cloud Platform, IAM User Groups, and User Binding Relationships
  • According to the cluster role binding scp-cluster-admin, users in the IAM user groups AdministratorGroup or OperatorGroup, as well as the Kubernetes Engine product applicant, are granted cluster administrator permissions.
  • According to the cluster role binding scp-view, users in the ViewerGroup are granted cluster viewer permissions. More precisely, since it is linked to the predefined cluster role view in Kubernetes, access permissions for cluster-scoped resources (e.g., namespaces, nodes, ingress classes, etc.) and secrets within namespaces are not included. For more detailed explanations, refer to the Role section.
  • According to the cluster role binding scp-namespace-view, all authenticated users in the cluster are granted namespace viewer permissions.
Note
  • Predefined roles and role bindings for Samsung Cloud Platform are created only once when the cluster product is applied.
  • Users can modify or delete predefined cluster role bindings and cluster roles for Samsung Cloud Platform as needed.

The details of predefined roles and role bindings for Samsung Cloud Platform are as follows:

Cluster Role Binding scp-cluster-admin

The cluster role binding scp-cluster-admin binds the cluster role cluster-admin to the IAM user groups AdministratorGroup and OperatorGroup and to the SCP user who created the Kubernetes Engine cluster, as listed in its subjects.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-cluster-admin
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: AdministratorGroup
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: OperatorGroup
  apiGroup: rbac.authorization.k8s.io
- kind: User                 # Cluster creator
  name: jane.doe             # Username of the cluster creator
  apiGroup: rbac.authorization.k8s.io
Code Block. Example of Cluster Role Binding scp-cluster-admin

Cluster Role Binding scp-view

The cluster role binding scp-view binds the cluster role view to the IAM user group ViewerGroup, as listed in its subjects.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-view
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ViewerGroup
  apiGroup: rbac.authorization.k8s.io
Code Block. Example of Cluster Role Binding scp-view

Cluster Role and Cluster Role Binding scp-namespace-view

Cluster Role scp-namespace-view is a role that defines the authority to view namespaces. Cluster Role Binding scp-namespace-view is associated with Cluster Role scp-namespace-view and grants namespace view authority to all authenticated users in the cluster.

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: scp-namespace-view
rules:
- apiGroups: [""]
  resources: ["namespaces"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: scp-namespace-view
roleRef:
  kind: ClusterRole
  name: scp-namespace-view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: system:authenticated
  apiGroup: rbac.authorization.k8s.io
Code Block. Cluster Role and Cluster Role Binding scp-namespace-view Example
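A check an administrator can run over a cluster's bindings, added here as an example and not Samsung Cloud Platform's own tooling: it reports who holds cluster-admin, cluster-wide bindings to admin or edit (roles that can access secrets), bindings to all authenticated users, and group names that differ from an IAM group only in case. The sample objects, the KNOWN_IAM_GROUPS list, the lower-case group name and the helper names are constructed for the example.

```python
# Added example: audits binding objects for the grants this page describes.
# Real input would be json.load() of the output of
#   kubectl get clusterrolebindings,rolebindings -A -o json

# Assumption: the IAM user group names, exported from IAM by other means.
KNOWN_IAM_GROUPS = {"AdministratorGroup", "OperatorGroup", "ViewerGroup",
                    "ClusterEditGroup", "NamespaceAdminGroup"}
BROAD_GROUPS = {"system:authenticated", "system:unauthenticated"}
SECRET_ACCESS_ROLES = {"admin", "edit"}  # built-in roles that can access secrets


def make_binding(kind, name, role, subjects, namespace=None):
    """Build a constructed object with only the fields the audit reads."""
    meta = {"name": name}
    if namespace:
        meta["namespace"] = namespace
    return {"kind": kind, "metadata": meta,
            "roleRef": {"kind": "ClusterRole", "name": role},
            "subjects": [{"kind": k, "name": n} for k, n in subjects]}


# Constructed sample: the page's predefined bindings plus two use-case bindings.
SAMPLE = {"kind": "List", "items": [
    make_binding("ClusterRoleBinding", "scp-cluster-admin", "cluster-admin",
                 [("Group", "AdministratorGroup"), ("Group", "OperatorGroup"),
                  ("User", "jane.doe")]),
    make_binding("ClusterRoleBinding", "scp-view", "view",
                 [("Group", "ViewerGroup")]),
    make_binding("ClusterRoleBinding", "scp-namespace-view", "scp-namespace-view",
                 [("Group", "system:authenticated")]),
    make_binding("ClusterRoleBinding", "cluster-edit-group", "edit",
                 [("Group", "ClusterEditGroup")]),
    # Constructed mistake: the IAM group name typed in lower case.
    make_binding("RoleBinding", "namespace-admin-group", "admin",
                 [("Group", "namespaceadmingroup")], namespace="dev"),
]}


def audit(bindings, known_groups):
    """Return a list of (check, binding name, detail) findings."""
    findings = []
    by_lower = {g.lower(): g for g in known_groups}
    for b in bindings["items"]:
        name = b["metadata"]["name"]
        role = b["roleRef"]["name"]
        subjects = b.get("subjects") or []
        who = ", ".join("{kind}:{name}".format(**s) for s in subjects)
        cluster_wide = (b["kind"] == "ClusterRoleBinding"
                        and b["roleRef"]["kind"] == "ClusterRole")
        if cluster_wide and role == "cluster-admin":
            findings.append(("SUPERUSER", name,
                             "full control of the cluster for " + who))
        elif cluster_wide and role in SECRET_ACCESS_ROLES:
            findings.append(("CLUSTER_WIDE_SECRETS", name,
                             "%s in every namespace for %s" % (role, who)))
        for s in subjects:
            if s["kind"] != "Group":
                continue
            group = s["name"]
            if group in BROAD_GROUPS:
                findings.append(("BROAD_AUDIENCE", name,
                                 "%s granted to %s" % (role, group)))
            elif group not in known_groups and group.lower() in by_lower:
                # subjects.name is case-sensitive, so this binding matches nobody.
                findings.append(("CASE_MISMATCH", name,
                                 "%s is not IAM group %s"
                                 % (group, by_lower[group.lower()])))
    return findings


if __name__ == "__main__":
    for check, binding, detail in audit(SAMPLE, KNOWN_IAM_GROUPS):
        print("%-22s %-24s %s" % (check, binding, detail))
```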

IAM User Group RBAC Use Case

This section gives examples of granting permissions for the main user scenarios. The names of IAM user groups, ClusterRoleBindings/RoleBindings, and ClusterRoles presented here are examples for understanding. Administrators should define and apply appropriate names and permissions according to their needs.

| Scope | Use Case | IAM User Group | ClusterRoleBinding/RoleBinding | ClusterRole | Note |
| --- | --- | --- | --- | --- | --- |
| Cluster | Cluster Administrator | ClusterAdminGroup | ClusterRoleBinding cluster-admin-group | cluster-admin | Administrator for a specific cluster |
| Cluster | Cluster Editor | ClusterEditGroup | ClusterRoleBinding cluster-edit-group | edit | Editor for a specific cluster |
| Cluster | Cluster Viewer | ClusterViewGroup | ClusterRoleBinding cluster-view-group | view | Viewer for a specific cluster |
| Namespace | Namespace Administrator | NamespaceAdminGroup | RoleBinding namespace-admin-group | admin | Administrator for a specific namespace |
| Namespace | Namespace Editor | NamespaceEditGroup | RoleBinding namespace-edit-group | edit | Editor for a specific namespace |
| Namespace | Namespace Viewer | NamespaceViewGroup | RoleBinding namespace-view-group | view | Viewer for a specific namespace |
Table. Predefined Roles and RoleBindings, IAM User Groups, and Binding Relationships for Samsung Cloud Platform
Note
The ClusterRoles (cluster-admin, admin, edit, view) in the table above are predefined in the Kubernetes cluster. For more information, see the Role section.

Cluster Administrator

To create a cluster administrator, follow these steps:

  1. Create an IAM user group named ClusterAdminGroup.
  2. Create a ClusterRoleBinding with the following content in the target cluster:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-admin-group
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterAdminGroup
  apiGroup: rbac.authorization.k8s.io
Code Block. Create Cluster Administrator
  • It is associated with the default ClusterRole cluster-admin, granting administrator authority for the cluster.

Cluster Editor

To create a cluster editor, follow these steps:

  1. Create an IAM user group named ClusterEditGroup.
  2. Create a ClusterRoleBinding with the following content in the target cluster:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-edit-group
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterEditGroup
  apiGroup: rbac.authorization.k8s.io
Code Block. Create Cluster Editor
  • The default cluster role edit is associated with it, and editor permissions are granted for the cluster.

Cluster Viewer

To create a cluster viewer, follow these steps:

  1. Create an IAM user group named ClusterViewGroup.
  2. Create a cluster role binding with the following content in the target cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cluster-view-group
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: ClusterViewGroup
  apiGroup: rbac.authorization.k8s.io
Code block. Create Cluster Viewer
  • The default cluster role view is associated with it, and viewer permissions are granted for the cluster.

Namespace Administrator

To create a namespace administrator, follow these steps:

  1. Create an IAM user group named NamespaceAdminGroup.
  2. Create a role binding with the following content in the target cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceAdminGroup
  apiGroup: rbac.authorization.k8s.io
Code block. Create Namespace Administrator
  • The default cluster role admin is associated with it, and administrator permissions are granted for the namespace.

Namespace Editor

To create a namespace editor, follow these steps:

  1. Create an IAM user group named NamespaceEditGroup.
  2. Create a role binding with the following content in the target cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-edit-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: edit
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceEditGroup
  apiGroup: rbac.authorization.k8s.io
Code block. Create Namespace Editor
  • The default cluster role edit is associated with it, and editor permissions are granted for the namespace.

Namespace Viewer

To create a namespace viewer, follow these steps:

  1. Create an IAM user group named NamespaceViewGroup.
  2. Create a role binding with the following content in the target cluster.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-view-group
  namespace: <namespace_name>
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
subjects:
- kind: Group
  name: NamespaceViewGroup
  apiGroup: rbac.authorization.k8s.io
Code block. Create Namespace Viewer
  • The default cluster role view is associated with it, and viewer permissions are granted for the namespace.

Practice Example

This section walks through an example procedure for assigning an administrator to a specific namespace.

  • IAM user group: NamespaceAdminGroup
  • IAM policy: NamespaceAdminAccess
  • Role binding: namespace-admin-group

Create an IAM User Group

Note
For more information about IAM user groups, see IAM > User Group.

To create an IAM user group in Samsung Cloud Platform, follow these steps:

  1. Click All Services > Management > IAM. The Identity and Access Management (IAM) Service Home page appears.

  2. On the Service Home page, click User Group. The User Group List page appears.

  3. On the User Group List page, click Create User Group.

    • Enter the required information in the Basic Information, Add User, Attach Policy, and Additional Information sections.

      Category | Required | Description
      User Group Name | Required | Enter the user group name
        • Use Korean, English, numbers, and special characters (+=,.@-_) to enter a value between 3 and 24 characters
        • Enter NamespaceAdminGroup as the user group name
      Description | Optional | Description of the user group name
        • Enter a detailed description of the user group name, up to 1,000 characters
      User | Optional | Users to add to the user group
        • The list of users registered in the account is displayed, and the selected user’s name is displayed at the top of the screen when the checkbox is selected
        • Click the Delete button at the top of the screen or uncheck the checkbox in the user list to cancel the selection of the selected user
        • If there are no users to add, click Create User at the bottom of the user list to register a new user, and then refresh the user list to select the user
      Policy | Optional | Policy to attach to the user group
        • The list of policies registered in the account is displayed, and the selected policy name is displayed at the top of the screen when the checkbox is selected
        • Select ViewerAccess in the policy list
      Tag | Optional | Tags to add to the user group
        • Up to 50 tags can be added per resource
      Table. User Group Creation Information Input Items
  4. Click the Complete button. The User Group List page appears.

Note

In this practice example, the ViewerAccess policy (permission to view all resources) is attached for demonstration purposes.

  • If you do not need permission to view all resources in the Samsung Cloud Platform Console, you do not need to attach the ViewerAccess policy. Define and apply a separate policy according to your actual situation.

Create an IAM Policy

Note
If you do not need to grant Samsung Cloud Platform Console usage permissions, you do not need to perform this step.
Note
For more information about IAM policies, see IAM > Policy.

To create an IAM policy in Samsung Cloud Platform, follow these steps:

  1. Click All Services > Management > IAM. The Identity and Access Management (IAM) Service Home page appears.

  2. On the Service Home page, click Policy. The Policy List page appears.

  3. On the Policy List page, click Create Policy. The Create Policy page appears.

  4. Enter the required information in the Basic Information and Additional Information sections.

    Category | Required | Description
    Policy Name | Required | Enter the policy name
      • Use Korean, English, numbers, and special characters (+=,.@-_) to enter a value between 3 and 128 characters
      • Enter NamespaceAdminAccess as the policy name
    Description | Optional | Description of the policy name
      • Enter a detailed description of the policy name, up to 1,000 characters
    Tag | Optional | Tags to add to the policy
      • Up to 50 tags can be added per resource
    Table. Policy Creation Information Input Items - Basic Information and Additional Information
  5. Click the Next button. The Permission Settings section appears.

  6. Enter the required information in the Permission Settings section.

    • Select Kubernetes Engine in the Service section.

    • You can create a policy by importing an existing policy using Policy Import. For more information about Policy Import, see Policy Import.

      Category | Required | Description
      Control Type | Required | Select the policy control type
        • Allow Policy: A policy that allows defined permissions
        • Deny Policy: A policy that denies defined permissions
        • The deny policy takes precedence for the same target
      Action | Required | Select actions provided by each service
        • Create: CreateKubernetesObject selected
        • Delete: DeleteKubernetesObject selected
        • List: ListKubernetesEngine, ListKubernetesObject selected
        • Read: DetailKubernetesObject selected
        • Update: UpdateKubernetesObject selected
        • Add Action Directly: Use wildcard * to specify multiple actions at once
      Applied Resource | Required | Resource to which the action is applied
        • All Resources: Apply to all resources for the selected action
        • Individual Resource: Apply only to the specified resource for the selected action
          • Individual resources are only possible when selecting actions that allow individual resource selection (purple actions)
          • Click the Add Resource button to specify the target resource by resource type
          • For more information on Add Resource, see Registering individual resources as applied resources
      Authentication Type | Required | Authentication method for the target user
        • All Authentication: Apply regardless of authentication method
        • API Key Authentication: Apply to users who use API key authentication
        • IAM Key Authentication, Console Login: Apply to users who use IAM key authentication or console login
      Applied IP | Required | IP addresses to which the policy is applied
        • User-specified IP: Register and manage IP addresses directly by the user
          • Applied IP: Register IP addresses directly by the user as IP addresses or ranges to which the policy is applied
          • Excluded IP: Register IP addresses to be excluded from Applied IP as IP addresses or ranges
        • All IP: Do not restrict IP access
          • Allow access to all IP addresses, but if exceptions are needed, register Excluded IP to restrict access to registered IP addresses
      Table. Policy creation information input items - Permission settings
Note

Permission settings provide Basic Mode and JSON Mode.

  • If you write in Basic Mode and enter JSON Mode or move to another screen, services with the same conditions will be integrated into one, and settings that are not completed will be deleted.
  • If the content written in JSON Mode does not match the JSON format, you cannot switch to Basic Mode.
  7. Click the Next button. Move to the Input Information Check page.
  8. Check the input information and click the Complete button. Move to the Policy List page.

Add a user to an IAM user group

Reference
For more information on managing IAM user groups, see IAM > Managing User Groups.

To add a user to an IAM user group in Samsung Cloud Platform, follow these steps.

  1. Click All Services > Management > IAM menu. Move to the Identity and Access Management (IAM) Service Home page.
  2. On the Service Home page, click the User menu. Move to the User List page.
  3. On the User List page, click the user to be added to the IAM user group. Move to the User Details page.
  4. On the User Details page, click the User Group tab.
  5. On the user group tab, select the Add User Group button. Move to the Add User Group page.
  6. On the Add User Group page, select the user group to be added and click the Complete button. Move to the User Details page.
    • Select NamespaceAdminGroup from the user group.

Create a role binding

Create a role binding by referring to the example below.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: namespace-admin-group
  namespace: dev # target namespace
roleRef:
  kind: ClusterRole
  name: admin # pre-defined cluster role in Kubernetes
  apiGroup: rbac.authorization.k8s.io
subjects: 
- kind: Group
  name: NamespaceAdminGroup # IAM user group created earlier
  apiGroup: rbac.authorization.k8s.io
Code block. Create a role binding

Verify the user

Verify that the user’s namespace permissions are applied normally.

To verify namespace user permissions in Samsung Cloud Platform, follow these steps.

  1. Click All Services > Container > Kubernetes Engine menu. Move to the Kubernetes Engine Service Home page.
  2. On the Service Home page, click the Pod menu under Workload. Move to the Pod List page.
  3. On the Pod List page, select the cluster and namespace from the gear button at the top left and click Confirm.
  4. On the Pod List page, verify that the pod list is retrieved.
    • If you select a namespace with permissions, the pod list will be displayed.
    • If you select a namespace without permissions, a confirmation window will be displayed indicating that you do not have permission to retrieve the list.