Kubernetes Policy Tips Guide
Overview
Administrators can manage access policies (Policy) for the Kubernetes clusters that the organization manages. Kubernetes policies are handled as Policy as Code (PaC) and are written in YAML.
Administrators can look up how each field is written through the Tips tab at the bottom of the Code Editor page and apply it to the code.
Tips gives a short writing guide for each field of the code editor.
- The tip that matches the cursor position in the code editor is highlighted, so you can read the content relevant to the field you are editing.
- Once a value is written in a field, its tip disappears from the display. When the value becomes empty again, the tip is shown in Tips again.
Content Provided by TIPS
The following tips are shown to guide you while writing policy code:
| Target | Main Tip | Detailed Description |
|---|---|---|
| `spec` | Define Specifications | A policy may include an `allow` and/or a `deny` specification. The syntax does not accept multiple `allow` or multiple `deny` specifications in a single policy. |
| `resources` | Specify Resources | A policy must include at least one target QueryPie resource. To target every resource at once, use `'*'` (e.g., `cluster:*`). QueryPie supports both glob patterns and regular expressions (RE2 syntax: https://github.com/girishji/re2/wiki/Syntax ). |
| `subjects.kubernetesGroups` | Specify Kubernetes Groups | A policy must include at least one Kubernetes group for impersonation. This is the group subject that QueryPie Proxy impersonates in the Kubernetes cluster when it forwards requests (e.g., `system:masters`). Note that `system:masters` is bound to `cluster-admin` by default, so impersonating it gives every forwarded request full cluster rights on the API-server side; prefer a dedicated group bound to a narrower ClusterRole. |
| `subjects.impersonation` | (Optional) Allow Impersonation | A policy may include a list of Kubernetes users and/or groups that clients are allowed to impersonate. |
| `subjects.impersonation.users` | (Optional) List Impersonation Users | A policy may include a list of Kubernetes users that clients are allowed to impersonate with the `--as` parameter. |
| `subjects.impersonation.groups` | (Optional) List Impersonation Groups | A policy may include a list of Kubernetes groups that clients are allowed to impersonate with the `--as-group` parameter. |
| `actions.apiGroups` | Define API Groups | Define the API groups of the target Kubernetes resources (`""` is the core group). To cover all API groups at once, type `'*'` (e.g., `["*"]`). |
| `actions.resources` | Define Kubernetes Resources | Define the target Kubernetes resources, including subresources where needed. To target all resources, type `'*'` (e.g., `["pods", "pods/exec"]`). |
| `actions.namespace` | Define Namespace | Define the namespace of the target Kubernetes resources. To target all namespaces, type `'*'` (e.g., `"*"`). |
| `actions.name` | Define Name | Define the name of the target Kubernetes resources. To target all resource names, type `'*'` (e.g., `"eks-*"`). |
| `actions.verbs` | Define Verbs | Define the permitted actions on the resources. To allow every action at once, type `'*'` (e.g., `["*"]`). |
| `conditions` | (Optional) Set Conditions | A policy may contain a set of conditions that narrow the target resources and/or users by tags, user attributes, and/or IP addresses. |
| `conditions.resourceTags` | (Optional) Add Tag Conditions | Filter the target QueryPie-managed resources by their tags in QueryPie (e.g., `"region": "ap-northeast-*"`). |
| `conditions.userAttributes` | (Optional) Add User Attribute Conditions | Specify user attributes for fine-grained policy enforcement. Only users whose attributes match can use this policy (e.g., `"department": "DevOps"`). |
| `conditions.ipAddresses` | (Optional) List IP Addresses | List the IP address ranges from which this policy applies. Each entry is either a single IP address or a CIDR range (e.g., `["10.0.0.0/24", "10.10.10.10"]`). |
| `actions.resources` contains `"pods/exec"` | Specify Verbs "get", "create" | The `pods/exec` subresource requires the verbs `get` and `create` for users to call it. Authorization to `get` and `list` `pods` is also required. |
| `actions.resources` contains `"pods/log"` | Specify Verb "get" | The `pods/log` subresource requires the verb `get` for users to call it. Authorization to `get` and `list` `pods` is also required. |
| `actions.resources` contains `"pods/portforward"` | Specify Verbs "get", "create" | The `pods/portforward` subresource requires the verbs `get` and `create` for users to call it. Authorization to `get` and `list` `pods` is also required. |
| `actions.verbs` without `"get"`, `"list"`, `"watch"` | Add Verbs "get" and/or "list" | It is common practice to grant `get` and/or `list` so that users can view a resource before editing it, which keeps edits consistent and accurate. |
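The rules in the table above can be checked mechanically before a policy is saved. The following script is an added example, not QueryPie's own code or schema: it lints a policy (the dict a YAML loader would produce) for the spec, resources, subjects, pod-subresource, view-verb and IP-address rules listed in the tips. The nesting `spec` > `allow`/`deny` > `resources`/`subjects`/`actions`/`conditions` is assumed from the field paths in the table and should be compared with the editor's own template; the sample policy is constructed here for illustration.

```python
"""Lint a QueryPie Kubernetes policy against the rules in the Tips table.

Added example, not QueryPie's own code. The policy is the dict a YAML loader
would produce; the nesting spec -> allow/deny -> resources/subjects/actions/
conditions is assumed from the field paths in the table, not from a schema.
"""
import copy
import ipaddress

# Verb requirements for pod subresources, as stated in the Tips.
SUBRESOURCE_VERBS = {
    "pods/exec": {"get", "create"},
    "pods/log": {"get"},
    "pods/portforward": {"get", "create"},
}
VIEW_VERBS = {"get", "list", "watch"}

# Constructed sample: grants pods/exec without 'create', lacks 'list' on
# pods, and has a malformed IP address in the conditions.
SAMPLE_POLICY = {
    "spec": {
        "allow": {
            "resources": ["cluster:prod-*"],
            "subjects": {"kubernetesGroups": ["system:masters"]},
            "actions": [
                {"apiGroups": [""], "resources": ["pods"], "namespace": "*",
                 "name": "*", "verbs": ["get"]},  # "" is the core API group
                {"apiGroups": [""], "resources": ["pods/exec"], "namespace": "*",
                 "name": "*", "verbs": ["get"]},
            ],
            "conditions": {"ipAddresses": ["10.0.0.0/24", "10.10.10.999"]},
        }
    }
}

# The same policy with every finding fixed.
FIXED_POLICY = copy.deepcopy(SAMPLE_POLICY)
FIXED_POLICY["spec"]["allow"]["actions"][0]["verbs"] = ["get", "list"]
FIXED_POLICY["spec"]["allow"]["actions"][1]["verbs"] = ["get", "create"]
FIXED_POLICY["spec"]["allow"]["conditions"]["ipAddresses"] = ["10.0.0.0/24", "10.10.10.10"]


def lint_spec(kind, spec):
    """Check one allow/deny specification; returns a list of findings."""
    found = []
    if isinstance(spec, list):  # two allow (or deny) blocks written as a list
        return [f"{kind}: only one {kind} specification is accepted per policy"]
    if not spec.get("resources"):
        found.append(f"{kind}.resources: at least one target resource is required ('cluster:*' for all)")
    if not spec.get("subjects", {}).get("kubernetesGroups"):
        found.append(f"{kind}.subjects.kubernetesGroups: at least one impersonation group is required")

    # Verbs granted per Kubernetes resource across all actions in this spec.
    granted = {}
    for action in spec.get("actions", []):
        verbs = set(action.get("verbs", []))
        for res in action.get("resources", []):
            granted.setdefault(res, set()).update(verbs)
        if "*" not in verbs and not verbs & VIEW_VERBS:
            found.append(f"{kind}.actions {action.get('resources')}: add 'get' and/or 'list' for viewing before edits")

    pod_verbs = granted.get("pods", set()) | granted.get("*", set())
    for sub, needed in SUBRESOURCE_VERBS.items():
        have = granted.get(sub)
        if have is None:
            continue
        if "*" not in have and not needed <= have:
            found.append(f"{kind}.actions {sub}: requires verbs {sorted(needed)}, got {sorted(have)}")
        if "*" not in pod_verbs and not {"get", "list"} <= pod_verbs:
            found.append(f"{kind}.actions {sub}: also requires 'get' and 'list' on pods")

    for addr in spec.get("conditions", {}).get("ipAddresses", []):
        try:
            ipaddress.ip_network(addr, strict=False)  # accepts a single host or a CIDR
        except ValueError:
            found.append(f"{kind}.conditions.ipAddresses: {addr!r} is not an IP address or CIDR")
    return found


def lint_policy(policy):
    """Apply the spec-level rule, then lint each allow/deny specification."""
    spec = policy.get("spec", {})
    if not ("allow" in spec or "deny" in spec):
        return ["spec: a policy needs an allow and/or deny specification"]
    found = []
    for kind in ("allow", "deny"):
        if kind in spec:
            found.extend(lint_spec(kind, spec[kind]))
    return found


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY) or ["no findings"]:
        print(finding)
    print("fixed policy:", lint_policy(FIXED_POLICY) or "no findings")
```

Run against `SAMPLE_POLICY` the script reports the missing `create` verb on `pods/exec`, the missing `list` on `pods`, and the invalid address `10.10.10.999`; `FIXED_POLICY` produces no findings. The view-verb check is a warning in spirit (the tip calls it common practice, not a requirement), so treat that line as advisory when wiring the script into a pre-commit hook.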