Kubernetes Policy Tips Guide
Overview
You can manage the access policies of the Kubernetes clusters your organization operates. Kubernetes policies are run as Policy as Code (PaC) and are written in YAML.
Administrators can open the Tips tab at the bottom of the Code Editor page to see how each item is defined and apply it to their code.
Tips give a short authoring guide for each field in the code editor.
- The tip that matches the editor's cursor position is highlighted so the user can look up the relevant guidance.
- Once a value has been written for a field, its tip disappears; when the value is emptied again, the tip is shown in Tips once more.
Content provided as Tips
The following information is shown to guide you while writing policy code:
| Field | Main tip | Description |
|---|---|---|
| `spec` | Define Specifications | A policy may include `allow` and/or `deny` specifications. The syntax does not accept multiple `allow` or multiple `deny` specifications in a single policy. |
| `resources` | Specify Resources | A policy must include at least one target QueryPie resource. To target every resource at once, use `*` (e.g., `cluster:*`). QueryPie supports both glob patterns and regular expressions (RE2 syntax: https://github.com/girishji/re2/wiki/Syntax). |
| `subjects.kubernetesGroups` | Specify Kubernetes Groups | A policy must include at least one Kubernetes group for impersonation. Define the group subject in the Kubernetes cluster that QueryPie Proxy impersonates (e.g., `system:masters`). |
| `subjects.impersonation` | (Optional) Allow Impersonation | A policy may include a list of Kubernetes users and/or groups that clients are allowed to impersonate. |
| `subjects.impersonation.users` | (Optional) List Impersonation Users | A policy may include a list of Kubernetes users that clients are allowed to impersonate with the `--as` parameter. |
| `subjects.impersonation.groups` | (Optional) List Impersonation Groups | A policy may include a list of Kubernetes groups that clients are allowed to impersonate with the `--as-group` parameter. |
| `actions.apiGroups` | Define API Groups | Define the API groups of the target Kubernetes resources. To cover all API groups at once, use `*` (e.g., `["*"]`). |
| `actions.resources` | Define Kubernetes Resources | Define the target Kubernetes resources, including subresources where needed. To target all resources, use `*` (e.g., `["pods", "pods/exec"]`). |
| `actions.namespace` | Define Namespace | Define the namespace of the target Kubernetes resources. To target all namespaces, use `*` (e.g., `"*"`). |
| `actions.name` | Define Name | Define the name of the target Kubernetes resources. To target all resource names, use `*` (e.g., `"eks-*"`). |
| `actions.verbs` | Define Verbs | Define the permitted actions on the resources. To allow all actions at once, use `*` (e.g., `["*"]`). |
| `conditions` | (Optional) Set Conditions | A policy may contain a set of conditions that filter the target resources and/or users by tags, attributes, and/or IP addresses. |
| `conditions.resourceTags` | (Optional) Add Tag Conditions | Filter the target QueryPie-managed resources by their tags in QueryPie (e.g., `"region": "ap-northeast-*"`). |
| `conditions.userAttributes` | (Optional) Add User Attribute Conditions | Specify user attributes for fine-grained enforcement; only users matching the specified attributes can use this policy (e.g., `"department": "DevOps"`). |
| `conditions.ipAddresses` | (Optional) List IP Addresses | List the IP address ranges from which this policy applies, as single IP addresses or in CIDR notation (e.g., `["10.0.0.0/24", "10.10.10.10"]`). |
| `actions.resources` contains `"pods/exec"` | Specify Verbs "get", "create" | The `pods/exec` subresource requires the verbs `get` and `create` for users to call it. Authorization to `get` and `list` `pods` is also required. |
| `actions.resources` contains `"pods/log"` | Specify Verb "get" | The `pods/log` subresource requires the verb `get` for users to call it. Authorization to `get` and `list` `pods` is also required. |
| `actions.resources` contains `"pods/portforward"` | Specify Verbs "get", "create" | The `pods/portforward` subresource requires the verbs `get` and `create` for users to call it. Authorization to `get` and `list` `pods` is also required. |
| `actions.verbs` without `"get"`, `"list"`, `"watch"` | Add Verbs "get" and/or "list" | It is common practice to grant `get` and/or `list` so the resource can be viewed before an edit operation, which keeps edits consistent and accurate. |
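As an added example (not QueryPie's own code), the following Python linter applies the checks from the table above to a policy before it is saved: at least one resource and one `subjects.kubernetesGroups` entry, well-formed `conditions.ipAddresses` entries, the `get`/`create` verbs that `pods/exec`, `pods/log` and `pods/portforward` need together with `get`/`list` on `pods`, and write verbs granted without a read verb. The policy layout it expects (`spec.allow` / `spec.deny`, each holding `resources`, `subjects`, a list of `actions` rules and `conditions`) is an assumption reconstructed from the field paths in the table, not QueryPie's published schema, and the sample policy is constructed for this example.

```python
"""Static checks for a QueryPie-style Kubernetes policy (added example).

The nesting below (spec.allow / spec.deny with resources, subjects, a list of
action rules and conditions) is an ASSUMPTION built from the Tips field paths,
not QueryPie's published schema.
"""
import copy
import ipaddress

# Verbs each pod subresource needs per the Tips table; each also needs
# "get" and "list" on "pods" itself.
SUBRESOURCE_VERBS = {
    "pods/exec": {"get", "create"},
    "pods/log": {"get"},
    "pods/portforward": {"get", "create"},
}
READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}

# Constructed sample policy: forgets "get" on pods/exec, grants "patch"
# with no read verb, and contains a malformed CIDR.
SAMPLE_POLICY = {
    "spec": {
        "allow": {
            "resources": ["cluster:eks-*"],
            "subjects": {
                "kubernetesGroups": ["querypie:developers"],
                "impersonation": {"users": ["ci-bot"]},
            },
            "actions": [
                {"apiGroups": [""], "resources": ["pods", "pods/log"],
                 "namespace": "dev", "name": "*", "verbs": ["get", "list"]},
                {"apiGroups": [""], "resources": ["pods/exec"],
                 "namespace": "dev", "name": "*", "verbs": ["create"]},
                {"apiGroups": ["apps"], "resources": ["deployments"],
                 "namespace": "dev", "name": "*", "verbs": ["patch"]},
            ],
            "conditions": {"ipAddresses": ["10.0.0.0/24", "10.10.10.10", "10.0.0.0/33"]},
        }
    }
}


def granted_verbs(actions):
    """Union of verbs granted per Kubernetes resource across all action rules.
    "*" in verbs expands to every verb we know; "*" in resources expands to
    "pods" plus the subresources under check."""
    granted = {}
    for rule in actions:
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            verbs = READ_VERBS | WRITE_VERBS
        for res in rule.get("resources", []):
            targets = ["pods", *SUBRESOURCE_VERBS] if res == "*" else [res]
            for target in targets:
                granted.setdefault(target, set()).update(verbs)
    return granted


def lint_policy(policy):
    """Return human-readable findings; an empty list means the policy is clean."""
    findings = []
    for effect in ("allow", "deny"):
        spec = policy.get("spec", {}).get(effect)
        if spec is None:
            continue
        if not spec.get("resources"):
            findings.append(f"{effect}: at least one QueryPie resource is required")
        if not spec.get("subjects", {}).get("kubernetesGroups"):
            findings.append(f"{effect}: subjects.kubernetesGroups needs at least one group")
        for entry in spec.get("conditions", {}).get("ipAddresses", []):
            try:
                ipaddress.ip_network(entry, strict=False)  # accepts a host IP or a CIDR
            except ValueError:
                findings.append(f"{effect}: conditions.ipAddresses entry {entry!r} is not an IP or CIDR")
        if effect != "allow":
            continue  # verb sufficiency only matters for grants, not denials
        actions = spec.get("actions", [])
        granted = granted_verbs(actions)
        for sub, needed in SUBRESOURCE_VERBS.items():
            if sub not in granted:
                continue
            missing = needed - granted[sub]
            if missing:
                findings.append(f"allow: {sub} needs verbs {sorted(needed)}, missing {sorted(missing)}")
            pods_missing = {"get", "list"} - granted.get("pods", set())
            if pods_missing:
                findings.append(f"allow: {sub} also needs get/list on pods, missing {sorted(pods_missing)}")
        for i, rule in enumerate(actions):
            verbs = set(rule.get("verbs", []))
            if verbs & WRITE_VERBS and not verbs & READ_VERBS:
                findings.append(f"allow: actions[{i}] grants {sorted(verbs & WRITE_VERBS)} without get/list/watch")
    return findings


def corrected_policy():
    """Copy of SAMPLE_POLICY with every finding addressed."""
    fixed = copy.deepcopy(SAMPLE_POLICY)
    allow = fixed["spec"]["allow"]
    allow["actions"][1]["verbs"] = ["get", "create"]
    allow["actions"][2]["verbs"] = ["get", "list", "patch"]
    allow["conditions"]["ipAddresses"] = ["10.0.0.0/24", "10.10.10.10"]
    return fixed


if __name__ == "__main__":
    print("\n".join(lint_policy(SAMPLE_POLICY)))
    print("corrected:", lint_policy(corrected_policy()))
```

Running it against the sample reports four findings: the malformed `10.0.0.0/33`, the missing `get` on `pods/exec`, and two action rules that grant a write verb with no `get`/`list`/`watch`; `corrected_policy()` yields none. Because `granted_verbs` unions verbs across rules, a subresource's required verbs may come from several rules, which matches how the Tips describe the requirement.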