%201.png){kind=logo}
Kubernetes Policy Tips
Overview
You can manage access policies for Kubernetes clusters within your organization. Kubernetes policies operate as Policy as Code (PaC) and are based on YAML format.
Administrators can use the Tips tab at the bottom of the Code Editor page to see definitions for each item and incorporate them into their code.
Tips provide brief writing guides for each field in the code editor.
The relevant tip is highlighted based on the cursor position in the code editor, allowing users to view related content.
Once a value is entered in the corresponding field, the tip disappears. If the value is removed, the tip reappears.
Contents Provided by Tips
The following information is displayed to guide you in writing the policy code:
Target | Main Tip(s) | Description |
|---|---|---|
| Define Specifications | A policy may include allow and/or deny specifications. The syntax does not accept multiple allow or deny specifications in a single policy. |
| Specify Resources | A policy is required to include at least one target QueryPie resource. To target every resources at once, use ‘*’. (e.g., cluster:*) QueryPie supports both glob patterns and regular expressions (RE2: https://github.com/girishji/re2/wiki/Syntax ). |
| Specify Kubernetes Groups | A policy is required to include at least one kubernetes group for impersonation. Define group subject in a kubernetes cluster for impersonation via QueryPie Proxy. (e.g., system:masters) |
| (Optional) Allow Impersonation | A policy may include a list of kubernetes users and/or groups allowed to impersonate from clients |
| (Optional) List Impersonation Users | A policy may include a list of kubernetes users allowed to impersonate using the “--as” parameter from clients |
| (Optional) List Impersonation Groups | A policy may include a list of kubernetes groups allowed using the “--as-group” parameter from clients. |
| Define API Groups | Define API groups for efficient organization of kubernetes resources. To define all API groups at once, type ‘*’. (e.g., ["*"]) |
| Define Kubernetes Resources | Define target Kubernetes resources. Specify subresources if necessary. To target all resources, type ‘*’. (e.g., ["pods", "pods/exec"]) |
| Define Namespace | Define the namespace of the target kubernetes resources. To target all namespaces, type ‘*’. (e.g., “*”) |
| Define Name | Define the name of the target kubernetes resources. To target all resource names, type ‘*’. (e.g., “eks-*”) |
| Define Verbs | Define permissible actions on resources. To target all actions at once, type ‘*’. (e.g., ["*"]) |
| (Optional) Set Conditions | A policy may contain a set of conditions to filter target resources and/or users via tags, attributes, and/or IP addresses. |
| (Optional) Add Tag Conditions | Filter target QueryPie-managed resources via tags in QueryPie. (e.g., "region": "ap-northeast-*") |
| (Optional) Add User Attribute Conditions | Specify user attributes for fine-grained policy enforcement. Only users matching specified attributes can utilize this policy. (e.g., "department": "DevOps") |
| (Optional) List IP Addresses | List IP address ranges to utilize this policy. Input either in a single IP address or CIDR format. (e.g., ["10.0.0.0/24", "10.10.10.10"]) |
| Specify Verb "get", "create" | "pods/exec" resource requires the verbs “get”, ”create" for users to call its action. Also, authorization to "get" & "list" "pods" is required. |
| Specify Verb "get" | "pods/log" resource requires the verb "get" for users to call its action. Also, authorization to "get" & "list" "pods" is required. |
| Specify Verb "get", "create" | "pods/portforward" resource requires the verbs "get", "create" for users to call its action. Also, authorization to "get" & "list" "pods" is required. |
without | Add Verbs "get" and/or "list" | It is a common practice to use verbs “get” and/or “list” for view before performing an Edit operation to ensure consistency and accuracy. |