
Kubernetes Policy Tips Guide

Overview

You can manage the access policies for the Kubernetes clusters your organization operates. Kubernetes policies are operated as Policy as Code (PaC) and are written in YAML.

Administrators can use the Tips tab at the bottom of the Code Editor page to check how each field is defined and apply that to their code.

Tips provide a brief writing guide for each field in the code editor.

  1. Depending on the cursor position in the code editor, the matching tip is highlighted so the user can look up the related content.

  2. Once a value has been entered in the field, the tip is no longer shown. When the value is emptied again, the tip reappears in Tips.

Content provided as Tips

The following information is displayed to guide you while writing Policy code:

| Target | Main tip | Detail |
|---|---|---|
| spec | Define Specifications | A policy may include allow and/or deny specifications. The syntax does not accept multiple allow or deny specifications in a single policy. |
| resources | Specify Resources | A policy is required to include at least one target QueryPie resource. To target every resource at once, use '*' (e.g., cluster:*). QueryPie supports both glob patterns and regular expressions (RE2: https://github.com/girishji/re2/wiki/Syntax). |
| subjects.kubernetesGroups | Specify Kubernetes Groups | A policy is required to include at least one Kubernetes group for impersonation. Define a group subject in the Kubernetes cluster that QueryPie Proxy impersonates (e.g., system:masters). |
| subjects.impersonation | (Optional) Allow Impersonation | A policy may include a list of Kubernetes users and/or groups that clients are allowed to impersonate. |
| subjects.impersonation.users | (Optional) List Impersonation Users | A policy may include a list of Kubernetes users that clients are allowed to impersonate with the "--as" parameter. |
| subjects.impersonation.groups | (Optional) List Impersonation Groups | A policy may include a list of Kubernetes groups that clients are allowed to impersonate with the "--as-group" parameter. |
| actions.apiGroups | Define API Groups | Define API groups for efficient organization of Kubernetes resources. To define all API groups at once, type '*' (e.g., ["*"]). |
| actions.resources | Define Kubernetes Resources | Define the target Kubernetes resources. Specify subresources if necessary. To target all resources, type '*' (e.g., ["pods", "pods/exec"]). |
| actions.namespace | Define Namespace | Define the namespace of the target Kubernetes resources. To target all namespaces, type '*' (e.g., "*"). |
| actions.name | Define Name | Define the name of the target Kubernetes resources. To target all resource names, type '*' (e.g., "eks-*"). |
| actions.verbs | Define Verbs | Define the permissible actions on resources. To target all actions at once, type '*' (e.g., ["*"]). |
| conditions | (Optional) Set Conditions | A policy may contain a set of conditions to filter target resources and/or users via tags, attributes, and/or IP addresses. |
| conditions.resourceTags | (Optional) Add Tag Conditions | Filter target QueryPie-managed resources via tags in QueryPie (e.g., "region": "ap-northeast-*"). |
| conditions.userAttributes | (Optional) Add User Attribute Conditions | Specify user attributes for fine-grained policy enforcement. Only users matching the specified attributes can use this policy (e.g., "department": "DevOps"). |
| conditions.ipAddresses | (Optional) List IP Addresses | List the IP address ranges that may use this policy. Enter either a single IP address or CIDR notation (e.g., ["10.0.0.0/24", "10.10.10.10"]). |
| actions.resources: "pods/exec" | Specify Verbs "get", "create" | The "pods/exec" resource requires the verbs "get" and "create" for users to call its action. Authorization to "get" and "list" "pods" is also required. |
| actions.resources: "pods/log" | Specify Verb "get" | The "pods/log" resource requires the verb "get" for users to call its action. Authorization to "get" and "list" "pods" is also required. |
| actions.resources: "pods/portforward" | Specify Verbs "get", "create" | The "pods/portforward" resource requires the verbs "get" and "create" for users to call its action. Authorization to "get" and "list" "pods" is also required. |
| actions.verbs without "get", "list", "watch" | Add Verbs "get" and/or "list" | It is common practice to grant the verbs "get" and/or "list" so that a resource can be viewed before an edit operation is performed, which keeps edits consistent and accurate. |
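The required fields and the subresource verb rules in the table above can be checked mechanically before a policy is applied. The following linter is an added example and not QueryPie's own code; it assumes the policy has been parsed into a dict nested as spec -> allow/deny -> {resources, subjects, actions}, with `actions` as a list of entries, and uses the field names and verb rules from the table.

```python
# Verbs the Tips require per subresource; each also needs "get" and "list" on "pods".
SUBRESOURCE_VERBS = {
    "pods/exec": {"get", "create"},
    "pods/log": {"get"},
    "pods/portforward": {"get", "create"},
}


def verbs_granted(actions, resource):
    """Verbs granted on `resource` across action entries; a "*" resource matches all."""
    verbs = set()
    for entry in actions:
        if {resource, "*"} & set(entry.get("resources", [])):
            verbs |= set(entry.get("verbs", []))
    return verbs  # may contain "*", which stands for every verb


def gap(required, granted):
    return set() if "*" in granted else required - granted


def lint_policy(policy):
    """Return findings as strings; an empty list means the policy meets the Tips rules."""
    findings = []
    for kind in ("allow", "deny"):
        block = policy.get("spec", {}).get(kind)
        if block is None:
            continue
        if not block.get("resources"):
            findings.append(f"spec.{kind}.resources: at least one resource required")
        if not block.get("subjects", {}).get("kubernetesGroups"):
            findings.append(f"spec.{kind}.subjects.kubernetesGroups: at least one group required")
        actions = block.get("actions", [])
        pod_gap = gap({"get", "list"}, verbs_granted(actions, "pods"))
        for sub, required in SUBRESOURCE_VERBS.items():
            granted = verbs_granted(actions, sub)
            if not granted:
                continue  # this block does not grant the subresource
            for verb in sorted(gap(required, granted)):
                findings.append(f"spec.{kind}: {sub} needs verb {verb!r}")
            for verb in sorted(pod_gap):
                findings.append(f"spec.{kind}: {sub} also needs {verb!r} on pods")
    return findings


# Constructed sample (assumed layout): pods/exec is granted "get" only, and pods lacks "list".
SAMPLE_POLICY = {"spec": {"allow": {
    "resources": ["cluster:*"], "subjects": {"kubernetesGroups": ["system:masters"]},
    "actions": [{"resources": ["pods"], "verbs": ["get"]},
                {"resources": ["pods/exec"], "verbs": ["get"]}]}}}
```

Running `lint_policy(SAMPLE_POLICY)` reports the missing "create" on pods/exec and the missing "list" on pods; a block that grants `["*"]` on both resources produces no findings.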
