Overview
조직에서 관리하는 쿠버네티스 클러스터의 접근 정책(Policy)를 관리할 수 있습니다. 쿠버네티스 정책은 Policy as a Code(PaC)로 운영되며 YAML 형태를 베이스로 동작합니다.
관리자는 Code Editor 페이지 하단의 Tips 탭을 통해 각 항목에 대한 정의 방법을 확인하여 코드에 반영할 수 있습니다.
Tips는 코드 에디터 각 필드 별로 작성 가이드를 간략히 제공합니다.
코드 에디터 커서 위치에 따라 해당되는 팁 위에 하이라이트하여 사용자로 하여금 관련 내용을 조회할 수 있도록 합니다.
해당 필드에 값이 작성이 되면 팁은 노출에서 사라집니다. 값이 다시 비면, Tips에 다시 명시됩니다.
TIPS로 제공되는 컨텐츠
아래의 정보를 노출하여 Policy 코드 작성 시에 방법을 안내합니다:
대상 | 메인 팁 | 상세 설명 |
|---|---|---|
| Define Specifications | A policy may include allow and/or deny specifications. The syntax does not accept multiple allow or deny specifications in a single policy. |
| Specify Resources | A policy is required to include at least one target QueryPie resource. To target every resources at once, use ‘*’. (e.g., cluster:*) QueryPie supports both glob patterns and regular expressions (RE2: https://github.com/girishji/re2/wiki/Syntax ). |
| Specify Kubernetes Groups | A policy is required to include at least one kubernetes group for impersonation. Define group subject in a kubernetes cluster for impersonation via QueryPie Proxy. (e.g., system:masters) |
| (Optional) Allow Impersonation | A policy may include a list of kubernetes users and/or groups allowed to impersonate from clients |
| (Optional) List Impersonation Users | A policy may include a list of kubernetes users allowed to impersonate using the “--as” parameter from clients |
| (Optional) List Impersonation Groups | A policy may include a list of kubernetes groups allowed using the “--as-group” parameter from clients. |
| Define API Groups | Define API groups for efficient organization of kubernetes resources. To define all API groups at once, type ‘*’. (e.g., ["*"]) |
| Define Kubernetes Resources | Define target Kubernetes resources. Specify subresources if necessary. To target all resources, type ‘*’. (e.g., ["pods", "pods/exec"]) |
| Define Namespace | Define the namespace of the target kubernetes resources. To target all namespaces, type ‘*’. (e.g., “*”) |
| Define Name | Define the name of the target kubernetes resources. To target all resource names, type ‘*’. (e.g., “eks-*”) |
| Define Verbs | Define permissible actions on resources. To target all actions at once, type ‘*’. (e.g., ["*"]) |
| (Optional) Set Conditions | A policy may contain a set of conditions to filter target resources and/or users via tags, attributes, and/or IP addresses. |
| (Optional) Add Tag Conditions | Filter target QueryPie-managed resources via tags in QueryPie. (e.g., "region": "ap-northeast-*") |
| (Optional) Add User Attribute Conditions | Specify user attributes for fine-grained policy enforcement. Only users matching specified attributes can utilize this policy. (e.g., "department": "DevOps") |
| (Optional) List IP Addresses | List IP address ranges to utilize this policy. Input either in a single IP address or CIDR format. (e.g., ["10.0.0.0/24", "10.10.10.10"]) |
| Specify Verb "get", "create" | "pods/exec" resource requires the verbs “get”, ”create" for users to call its action. Also, authorization to "get" & "list" "pods" is required. |
| Specify Verb "get" | "pods/log" resource requires the verb "get" for users to call its action. Also, authorization to "get" & "list" "pods" is required. |
| Specify Verb "get", "create" | "pods/portforward" resource requires the verbs "get", "create" for users to call its action. Also, authorization to "get" & "list" "pods" is required. |
without | Add Verbs "get" and/or "list" | It is a common practice to use verbs “get” and/or “list” for view before performing an Edit operation to ensure consistency and accuracy. |