Kubernetes Policy Tips Guide
Overview
You can manage access policies for the Kubernetes clusters administered by your organization. Kubernetes policies are operated as Policy as Code (PaC) and are written in YAML.
Administrators can check how to define each item through the Tips tab at the bottom of the Code Editor page and reflect it in their code.
Tips provides a brief writing guide for each field of the code editor.
- Depending on the cursor position in the code editor, the matching hint is highlighted so that the user can look up the related content.
- Once a value has been entered in the corresponding field, its hint disappears from the display. If the value becomes empty again, the hint is shown in Tips again.
Content provided in Tips
The following information is displayed to guide you when writing policy code:
| Target | Main Hint | Description |
|---|---|---|
| spec | Define Specifications | A policy may include allow and/or deny specifications. The syntax does not accept multiple allow or deny specifications in a single policy. |
| resources | Specify Resources | A policy is required to include at least one target QueryPie resource. To target every resource at once, use '*'. (e.g., cluster:*) QueryPie supports both glob patterns and regular expressions (RE2: https://github.com/girishji/re2/wiki/Syntax ). |
| subjects.kubernetesGroups | Specify Kubernetes Groups | A policy is required to include at least one Kubernetes group for impersonation. Define the group subject in a Kubernetes cluster for impersonation via QueryPie Proxy. (e.g., system:masters) |
| subjects.impersonation | (Optional) Allow Impersonation | A policy may include a list of Kubernetes users and/or groups that clients are allowed to impersonate. |
| subjects.impersonation.users | (Optional) List Impersonation Users | A policy may include a list of Kubernetes users that clients are allowed to impersonate using the "--as" parameter. |
| subjects.impersonation.groups | (Optional) List Impersonation Groups | A policy may include a list of Kubernetes groups that clients are allowed to impersonate using the "--as-group" parameter. |
| actions.apiGroups | Define API Groups | Define API groups for efficient organization of Kubernetes resources. To define all API groups at once, type '*'. (e.g., ["*"]) |
| actions.resources | Define Kubernetes Resources | Define the target Kubernetes resources. Specify subresources if necessary. To target all resources, type '*'. (e.g., ["pods", "pods/exec"]) |
| actions.namespace | Define Namespace | Define the namespace of the target Kubernetes resources. To target all namespaces, type '*'. (e.g., "*") |
| actions.name | Define Name | Define the name of the target Kubernetes resources. To target all resource names, type '*'. (e.g., "eks-*") |
| actions.verbs | Define Verbs | Define the permissible actions on resources. To target all actions at once, type '*'. (e.g., ["*"]) |
| conditions | (Optional) Set Conditions | A policy may contain a set of conditions to filter target resources and/or users via tags, attributes, and/or IP addresses. |
| conditions.resourceTags | (Optional) Add Tag Conditions | Filter target QueryPie-managed resources via tags in QueryPie. (e.g., "region": "ap-northeast-*") |
| conditions.userAttributes | (Optional) Add User Attribute Conditions | Specify user attributes for fine-grained policy enforcement. Only users matching the specified attributes can use this policy. (e.g., "department": "DevOps") |
| conditions.ipAddresses | (Optional) List IP Addresses | List the IP address ranges that can use this policy. Enter either a single IP address or CIDR notation. (e.g., ["10.0.0.0/24", "10.10.10.10"]) |
| actions.resources: "pods/exec" | Specify Verbs "get", "create" | The "pods/exec" resource requires the verbs "get" and "create" for users to call its action. Authorization to "get" and "list" "pods" is also required. |
| actions.resources: "pods/log" | Specify Verb "get" | The "pods/log" resource requires the verb "get" for users to call its action. Authorization to "get" and "list" "pods" is also required. |
| actions.resources: "pods/portforward" | Specify Verbs "get", "create" | The "pods/portforward" resource requires the verbs "get" and "create" for users to call its action. Authorization to "get" and "list" "pods" is also required. |
| actions.verbs without "get", "list", "watch" | Add Verbs "get" and/or "list" | It is common practice to grant the verbs "get" and/or "list" for viewing before performing an edit operation, to ensure consistency and accuracy. |
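The verb requirements in the last four rows (pod subresources need "get"/"create", plus "get" and "list" on "pods"; edit-only verb lists should be paired with "get"/"list") can be checked before a policy is saved. The following linter is an added example, not QueryPie's own code; it assumes the policy's actions are loaded as a list of dicts with the same "resources" and "verbs" field names as the table (the exact YAML nesting is an assumption).

```python
"""Lint the actions of a QueryPie Kubernetes policy against the Tips verb rules."""
from typing import Dict, List

# Verbs each pod subresource needs, per the Tips table above.
SUBRESOURCE_VERBS = {
    "pods/exec": {"get", "create"},
    "pods/log": {"get"},
    "pods/portforward": {"get", "create"},
}
VIEW_VERBS = {"get", "list", "watch"}


def _covers(verbs: set, needed: set) -> bool:
    """'*' grants every verb; otherwise all needed verbs must be present."""
    return "*" in verbs or needed <= verbs


def lint_actions(actions: List[Dict]) -> List[str]:
    """Return human-readable findings for a list of action blocks (assumed shape:
    each block is a dict with 'resources' and 'verbs' lists)."""
    findings = []
    # Verbs granted on plain "pods" anywhere in the policy; every subresource rule needs get+list there.
    pod_verbs = set()
    for a in actions:
        if "pods" in a.get("resources", []) or "*" in a.get("resources", []):
            pod_verbs |= set(a.get("verbs", []))
    for i, a in enumerate(actions):
        verbs = set(a.get("verbs", []))
        for res in a.get("resources", []):
            needed = SUBRESOURCE_VERBS.get(res)
            if needed and not _covers(verbs, needed):
                findings.append(f"actions[{i}]: {res} requires verbs {sorted(needed)}")
            if needed and not _covers(pod_verbs, {"get", "list"}):
                findings.append(f"actions[{i}]: {res} also needs get/list on pods")
        # Edit verbs with no view verb at all: flag per the last table row.
        if verbs and not (verbs & VIEW_VERBS) and "*" not in verbs:
            findings.append(f"actions[{i}]: edit verbs without get/list/watch")
    return findings


# Constructed sample: pods/exec without "create", and a delete-only block on deployments.
SAMPLE_ACTIONS = [
    {"apiGroups": [""], "resources": ["pods", "pods/exec"], "namespace": "*", "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"], "namespace": "prod", "verbs": ["delete"]},
]

if __name__ == "__main__":
    for line in lint_actions(SAMPLE_ACTIONS):
        print(line)
```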