
Kubernetes Policy UI Code Helpers

Overview

You can manage access policies for Kubernetes clusters within your organization. Kubernetes policies operate as Policy as Code (PaC) and are based on YAML format.

On the right side, there are Policy UI Code Helpers that provide modals for users to easily insert content into the code editor.

Using the UI Code Helper

On the right side of the code editor screen, a modal is available to assist with code entry for each field. This modal aids in code editing, and any content inserted via the modal can be removed directly from the code editor.

  1. Add Resources

    1. It operates in the same manner in both the Spec: Allow and Spec: Deny sections.

    2. You can search for resources by cluster name.

    3. To insert a resource into the code, check the checkbox next to the desired resource and click the Add button.

  2. Set Subjects

    1. It operates only in the Spec: Allow section.

    2. Kubernetes Groups : (Required) Use this field to specify the Kubernetes groups that the KubePie Proxy will impersonate to perform API calls. The RBAC bindings of these groups are the effective permissions of every proxied request, so bind them to narrowly scoped Roles/ClusterRoles rather than to system:masters or other broad groups.

    3. Permitted Impersonation : (Optional) Use this field to list the Kubernetes users/groups that can be impersonated when a user attempts impersonation through the client using the --as and --as-group parameters.

      1. Allowed Kubernetes Users: List the Kubernetes users that are permitted for impersonation using the --as parameter.

      2. Allowed Kubernetes Groups: List the Kubernetes groups that are permitted for impersonation using the --as-group parameter.

      3. Multiple entries can be registered using a comma (,) as a separator.

    4. The modal displays existing information from the editor. Clicking the Set button will overwrite the editor's content with the changes.

  3. Add Actions

    1. It operates in the same manner in both the Spec: Allow and Spec: Deny sections.

    2. API Groups: Defaults to "*", but can be modified by the administrator. Multiple entries can be added using a comma (,).

    3. Resources: Specify the Kubernetes resources.

      1. Defaults to "*", but can be modified by the administrator. Multiple entries can be added.

      2. Commonly used resources include:

        • pods, pods/exec, pods/log, pods/portforward, services, ingresses, deployments, replicasets, statefulsets, daemonsets, configmaps, secrets, namespaces, nodes, persistentvolumes, persistentvolumeclaims, jobs, cronjobs, serviceaccounts, endpoints, roles, rolebindings, clusterroles, clusterrolebindings

      3. For resources not listed above, you can type directly to specify custom resources.

      4. Once specified, items are displayed as blocks and can be removed by clicking the "X".

    4. Namespace: Specify the namespace to limit the scope of Kubernetes resources.

      1. Defaults to "*", but can be modified by the administrator. Supports wildcards and regular expressions.

      2. This field has no effect on cluster-scoped (non-namespaced) resources: an action that grants nodes or clusterrolebindings with Namespace set to "team-*" still grants them cluster-wide, so restrict such resources with the Resources and Name fields instead.

        • non-namespaced resources: e.g., nodes, namespaces, persistentvolumes, customresourcedefinitions, clusterroles, clusterrolebindings (persistentvolumeclaims, serviceaccounts and endpoints are namespaced, so the Namespace field does apply to them)

    5. Name: Specify the name of the Kubernetes resource to target.

      1. Defaults to "*", but can be modified by the administrator. Supports wildcards and regular expressions.

    6. Verbs: Specify multiple Kubernetes API methods.

      1. Defaults to "*". Once specified, items are displayed as blocks and can be removed by clicking the "X".

      2. Commonly used verbs include:

        • get, list, watch, create, update, patch, delete, deletecollection

      3. You can type directly to specify other verbs for custom resources.

    7. Click the Add button to define an action set within the actions list.

    8. This functions as an append operation in the code, allowing new actions to be added without resetting previously added actions.
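The following is an added example (not KubePie's own policy engine or schema) that implements the matching semantics described for an action set above: exact API group, resource and verb matching with "*" as a wildcard, glob or regex matching for Namespace and Name, and the rule that the Namespace field does not apply to cluster-scoped resources. The dict layout, the "deny is checked before allow" precedence and the "glob first, then anchored regex" evaluation order are assumptions made for this illustration.

```python
"""Illustrative evaluator for 'Add Actions' entries in Spec: Allow / Spec: Deny.
Added example; field names, precedence and matching order are assumptions."""
import re
from fnmatch import fnmatchcase

# Cluster-scoped resource types: the Namespace field never restricts these,
# so granting 'nodes' with Namespace 'team-*' still grants them cluster-wide.
CLUSTER_SCOPED = {
    "nodes", "namespaces", "persistentvolumes", "customresourcedefinitions",
    "clusterroles", "clusterrolebindings",
}


def pattern_matches(pattern: str, value: str) -> bool:
    """'*' matches everything; otherwise try a glob, then an anchored regex.
    Which form is tried first is this example's choice, not the product's."""
    pattern = pattern.strip()
    if pattern == "*":
        return True
    if fnmatchcase(value, pattern):
        return True
    try:
        return re.fullmatch(pattern, value) is not None
    except re.error:
        return False


def action_matches(action: dict, req: dict) -> bool:
    """Does one action entry cover one API request? (shapes assumed)

    action: {"apiGroups": [...], "resources": [...], "namespace": str,
             "name": str, "verbs": [...]}
    req:    {"apiGroup": str, "resource": str, "namespace": str,
             "name": str, "verb": str}
    """
    if "*" not in action["apiGroups"] and req["apiGroup"] not in action["apiGroups"]:
        return False
    # Subresources such as pods/exec must be listed explicitly; 'pods' alone
    # does not cover them.
    if "*" not in action["resources"] and req["resource"] not in action["resources"]:
        return False
    if "*" not in action["verbs"] and req["verb"] not in action["verbs"]:
        return False
    base_resource = req["resource"].split("/", 1)[0]
    if base_resource not in CLUSTER_SCOPED:
        if not pattern_matches(action["namespace"], req["namespace"]):
            return False
    # Collection requests (list, watch, create) carry no object name; they only
    # match when Name is '*' (assumption, mirroring RBAC resourceNames).
    if req["name"] == "":
        return action["name"].strip() == "*"
    return pattern_matches(action["name"], req["name"])


def evaluate(policy: dict, req: dict) -> str:
    """Return 'deny', 'allow' or 'none' (no matching action, i.e. not permitted).
    Checking deny before allow is an assumption, not stated on the page."""
    if any(action_matches(a, req) for a in policy.get("deny", [])):
        return "deny"
    if any(action_matches(a, req) for a in policy.get("allow", [])):
        return "allow"
    return "none"


# Constructed sample policy: pod access in team-* namespaces, but never
# pods/exec, plus node read access with a Namespace limit that cannot apply.
SAMPLE_POLICY = {
    "allow": [
        {"apiGroups": ["*"], "resources": ["pods", "pods/log", "pods/exec"],
         "namespace": "team-*", "name": "*", "verbs": ["get", "list", "create"]},
        {"apiGroups": [""], "resources": ["nodes"],
         "namespace": "team-*", "name": "*", "verbs": ["get", "list"]},
    ],
    "deny": [
        {"apiGroups": ["*"], "resources": ["pods/exec"],
         "namespace": "*", "name": "*", "verbs": ["*"]},
    ],
}


def sample_decisions() -> dict:
    """Evaluate a few constructed requests against SAMPLE_POLICY."""
    reqs = {
        "get pod team-a": {"apiGroup": "", "resource": "pods", "namespace": "team-a",
                           "name": "web-1", "verb": "get"},
        "get pod kube-system": {"apiGroup": "", "resource": "pods", "namespace": "kube-system",
                                "name": "web-1", "verb": "get"},
        "exec pod team-a": {"apiGroup": "", "resource": "pods/exec", "namespace": "team-a",
                            "name": "web-1", "verb": "create"},
        "list nodes": {"apiGroup": "", "resource": "nodes", "namespace": "",
                       "name": "", "verb": "list"},
        "get secret team-a": {"apiGroup": "", "resource": "secrets", "namespace": "team-a",
                              "name": "db-creds", "verb": "get"},
    }
    return {label: evaluate(SAMPLE_POLICY, r) for label, r in reqs.items()}


if __name__ == "__main__":
    for label, decision in sample_decisions().items():
        print(f"{label:22} -> {decision}")
```

The "list nodes" request is the one to notice: it is allowed even though the action carries Namespace "team-*", because nodes are cluster-scoped and the field is simply ignored for them.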

  4. Set Conditions

    1. All of the following items are optional.

    2. The modal displays existing information from the editor, and clicking the Set button will overwrite the editor's content with the changes.

    3. Resource Tags (Optional)

      1. You can restrict the scope of target Kubernetes clusters based on their attached tags.

      2. Each row operates as an AND condition; values within a row operate as OR conditions separated by commas (,).

      3. Click the Insert button to create a new row.

      4. Once specified, tags are displayed as blocks and can be removed by clicking the "X".

      5. Fields:

        1. Key : Tag key (does not support regex or glob)

        2. Value : Tag value (supports regex, glob, and multiple inputs)

    4. User Attributes (Optional)

      1. You can limit the scope of target users based on their user attributes.

      2. Users must match all specified attribute values to use the policy.

      3. Each row operates as an AND condition; values within a row operate as OR conditions separated by commas (,).

      4. The Variable Name field suggests currently supported attributes, including:

        • loginId, firstName, lastName, middleName, honorificPrefix, honorificSuffix, email, title, displayName, nickName, profileUrl, secondEmail, mobilePhone, primaryPhone, streetAddress, city, state, zipCode, countryCode, postalAddress, preferredLanguage, locale, timezone, userType, employeeNumber, costCenter, organization, division, department, managerId, manager, endpoints, staticIp, macAddress

    5. IP Addresses (Optional)

      1. The administrator can specify IP ranges that are allowed or denied access to the resource.

      2. Supports both single IPs and CIDR notation, separated by commas (,).
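The following is an added example (not KubePie's own code) that evaluates the three optional condition blocks exactly as described above: rows are ANDed, comma-separated values within a row are ORed, tag and attribute keys are compared literally while values accept globs and regexes, and the IP list accepts single addresses and CIDR ranges. The dict layout, the "glob first, then anchored regex" order and the rule that a key missing from the cluster or user fails the row are assumptions made for this illustration.

```python
"""Illustrative evaluator for the 'Set Conditions' blocks: Resource Tags,
User Attributes and IP Addresses. Added example; layout and matching
order are assumptions."""
import ipaddress
import re
from fnmatch import fnmatchcase


def value_matches(pattern: str, value: str) -> bool:
    """Tag/attribute values accept globs and regexes; '*' matches anything.
    Glob first, then anchored regex, is this example's choice."""
    pattern = pattern.strip()
    if pattern == "*":
        return True
    if fnmatchcase(value, pattern):
        return True
    try:
        return re.fullmatch(pattern, value) is not None
    except re.error:
        return False


def rows_match(rows: list, actual: dict) -> bool:
    """rows: [(key, "v1,v2,..."), ...]. Every row must hold (AND); within a
    row any comma-separated value may match (OR). Keys are compared exactly,
    with no glob or regex. A key absent from `actual` fails the row (assumed)."""
    for key, values in rows:
        have = actual.get(key.strip())
        if have is None:
            return False
        if not any(value_matches(v, have) for v in values.split(",")):
            return False
    return True


def ip_allowed(spec: str, client_ip: str) -> bool:
    """spec: comma-separated single IPs and CIDR ranges. An empty spec means
    the condition is unset and places no IP restriction."""
    if not spec.strip():
        return True
    ip = ipaddress.ip_address(client_ip)
    for entry in spec.split(","):
        entry = entry.strip()
        if not entry:
            continue
        # strict=False tolerates host bits in a CIDR such as 10.1.2.3/24.
        # A v4 address is never 'in' a v6 network (and vice versa).
        if ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False


def conditions_match(cond: dict, cluster_tags: dict, user_attrs: dict,
                     client_ip: str) -> bool:
    """All three blocks are optional; a block that is absent never restricts."""
    return (rows_match(cond.get("resourceTags", []), cluster_tags)
            and rows_match(cond.get("userAttributes", []), user_attrs)
            and ip_allowed(cond.get("ipAddresses", ""), client_ip))


# Constructed sample conditions: prod or staging clusters in any ap-* region,
# platform-department employees or contractors, from the office range or
# one VPN host.
SAMPLE_CONDITIONS = {
    "resourceTags": [("env", "prod,staging"), ("region", "ap-*")],
    "userAttributes": [("department", "platform"),
                       ("userType", "employee,contractor")],
    "ipAddresses": "10.0.0.0/8, 203.0.113.7",
}


def sample_decisions() -> dict:
    """Evaluate constructed clusters, users and source IPs against SAMPLE_CONDITIONS."""
    prod_ap = {"env": "prod", "region": "ap-northeast-2"}
    prod_eu = {"env": "prod", "region": "eu-west-1"}
    platform = {"loginId": "alice", "department": "platform", "userType": "employee"}
    sales = {"loginId": "bob", "department": "sales", "userType": "employee"}
    return {
        "platform / prod ap / office": conditions_match(SAMPLE_CONDITIONS, prod_ap, platform, "10.20.30.40"),
        "platform / prod eu / office": conditions_match(SAMPLE_CONDITIONS, prod_eu, platform, "10.20.30.40"),
        "sales / prod ap / office": conditions_match(SAMPLE_CONDITIONS, prod_ap, sales, "10.20.30.40"),
        "platform / prod ap / home": conditions_match(SAMPLE_CONDITIONS, prod_ap, platform, "198.51.100.9"),
        "platform / prod ap / vpn host": conditions_match(SAMPLE_CONDITIONS, prod_ap, platform, "203.0.113.7"),
    }


if __name__ == "__main__":
    for label, ok in sample_decisions().items():
        print(f"{label:30} -> {'match' if ok else 'no match'}")
```

Because the rows are ANDed, the policy stops matching as soon as one row fails (the eu-west-1 cluster, the sales user, the home IP), even though every other condition holds.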
