Details for Kubernetes Engine
This topic covers details for writing policies to control access to Kubernetes Engine.
Resource-Types
Aggregate Resource-Type
cluster-family
Individual Resource-Types
clusterscluster-node-poolscluster-pod-shapescluster-virtualnode-poolscluster-work-requestscluster-workload-mappings
Comments
A policy that uses <verb> cluster-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.
See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in cluster-family.
Supported Variables
Kubernetes Engine supports all the general variables (see General Variables for All Requests), plus the ones listed here.
The clusters resource type can use the following variables:
| Variable | Variable Type | Comments |
|---|---|---|
target.cluster.id
|
Entity (OCID) |
The cluster-node-pools resource type can use the following variables:
| Variable | Variable Type | Comments |
|---|---|---|
target.nodepool.id
|
Entity (OCID) |
The cluster-virtual-node-pools resource type can use the following variables:
| Variable | Variable Type | Comments |
|---|---|---|
target.virtualnodepool.id |
Entity (OCID) | |
target.cluster.id
|
Entity (OCID) |
The cluster-workload-mappings resource type can use the following variables:
| Variable | Variable Type | Comments |
|---|---|---|
target.clusterworkloadmapping.id |
Entity (OCID) | |
target.mapping.cluster_id
|
Entity (OCID) |
Details for Verb + Resource-Type Combinations
The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. For example, a group that can use a resource can also inspect and read that resource. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.
For example, the read verb for the clusters resource-type includes the same permissions and API operations as the inspect verb, plus the CLUSTER_READ permission and a number of API operations (e.g., GetCluster, etc.). The use verb covers still another permission and API operation compared to read. Lastly, manage covers more permissions and operations compared to use.
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | CLUSTER_INSPECT |
|
none |
| read | INSPECT + CLUSTER_READ |
INSPECT +
|
none |
| use | READ + CLUSTER_USE |
READ +
|
none |
| manage | USE + CLUSTER_CREATE CLUSTER_DELETE CLUSTER_UPDATE CLUSTER_MANAGE CLUSTER_JOIN |
USE +
|
|
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | CLUSTER_NODE_POOL_INSPECT |
|
none |
| read | INSPECT + CLUSTER_NODE_POOL_READ |
INSPECT +
|
none |
| use | no extra |
no extra |
none |
| manage | USE + CLUSTER_NODE_POOL_CREATE CLUSTER_NODE_POOL_DELETE CLUSTER_NODE_POOL_UPDATE |
no extra |
CreateNodePool, DeleteNodePool, and UpdateNodePool (also need manage instance-family, use subnets, use vnics, and inspect compartments)
|
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | CLUSTER_VIRTUAL_NODE_POOL_INSPECT |
|
none |
| read | no extra |
no extra |
none |
| use | no extra |
no extra |
none |
| manage |
no extra |
no extra |
none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | CLUSTER_VIRTUAL_NODE_POOL_INSPECT |
|
none |
| read | INSPECT + CLUSTER_VIRTUAL_NODE_POOL_READ |
INSPECT +
|
none |
| use | no extra |
no extra |
none |
| manage | USE + CLUSTER_VIRTUAL_NODE_POOL_CREATE CLUSTER_VIRTUAL_NODE_POOL_UPDATE CLUSTER_VIRTUAL_NODE_POOL_DELETE |
USE +
|
none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | CLUSTER_WORK_REQUEST_INSPECT |
ListWorkRequests
|
none |
| read | INSPECT + CLUSTER_WORK_REQUEST_READ |
INSPECT +
|
none |
| use | no extra |
no extra |
none |
| manage | USE + CLUSTER_WORK_REQUEST_DELETE |
USE +
|
none |
| Verbs | Permissions | APIs Fully Covered | APIs Partially Covered |
|---|---|---|---|
| inspect | CLUSTER_WORKLOAD_MAPPING_INSPECT |
ListWorkloadMappings
|
none |
| read | INSPECT + CLUSTER_WORKLOAD_MAPPING_READ |
INSPECT +
|
none |
| use |
READ + CLUSTER_WORKLOAD_MAPPING_UPDATE CLUSTER_WORKLOAD_COMPARTMENT_BIND CLUSTER_WORKLOAD_COMPARTMENT_UNBIND |
|
none |
| manage | USE + CLUSTER_WORKLOAD_MAPPING_CREATE CLUSTER_WORKLOAD_MAPPING_DELETE |
USE +
|
none |
Permissions Required for Each API Operation
The following table lists the API operations in a logical order, grouped by resource type. For information about permissions, see Permissions.
| API Operation | Permissions Required to Use the Operation |
|---|---|
ListClusters
|
CLUSTER_INSPECT |
CreateCluster
|
CLUSTER_CREATE |
CreateKubeconfig
|
CLUSTER_USE |
GetCluster
|
CLUSTER_READ |
UpdateCluster
|
CLUSTER_UPDATE |
JoinCluster |
CLUSTER_MANAGE |
DeleteCluster
|
CLUSTER_DELETE, CLUSTER_NODE_POOL_DELETE |
UpdateClusterEndpointConfig |
CLUSTER_MANAGE |
AdministerK8s
|
CLUSTER_MANAGE |
GetCredentialRotationStatus |
CLUSTER_READ |
StartCredentialRotation |
CLUSTER_UPDATE |
CompleteCredentialRotation |
CLUSTER_UPDATE |
ListNodePools
|
CLUSTER_NODE_POOL_INSPECT |
CreateNodePool
|
CLUSTER_NODE_POOL_CREATE |
GetNodePool
|
CLUSTER_NODE_POOL_READ |
GetNodePoolOptions
|
CLUSTER_READ |
UpdateNodePool
|
CLUSTER_NODE_POOL_UPDATE |
DeleteNodePool
|
CLUSTER_NODE_POOL_DELETE |
ListWorkRequests
|
CLUSTER_WORK_REQUEST_INSPECT, CLUSTER_NODE_POOL_INSPECT, CLUSTER_INSPECT |
GetWorkRequest
|
CLUSTER_WORK_REQUEST_READ, CLUSTER_NODE_POOL_READ, CLUSTER_READ |
ListWorkRequestErrors
|
CLUSTER_WORK_REQUEST_READ, CLUSTER_NODE_POOL_READ, CLUSTER_READ |
ListWorkRequestLogs
|
CLUSTER_WORK_REQUEST_READ, CLUSTER_NODE_POOL_READ, CLUSTER_READ |
DeleteWorkRequest
|
CLUSTER_WORK_REQUEST_DELETE |
ListVirtualNodePools |
CLUSTER_VIRTUAL_NODE_POOL_INSPECT |
GetVirtualNodePool |
CLUSTER_VIRTUAL_NODE_POOL_READ |
CreateVirtualNodePool |
CLUSTER_VIRTUAL_NODE_POOL_CREATE |
UpdateVirtualNodePool |
CLUSTER_VIRTUAL_NODE_POOL_UPDATE |
DeleteVirtualNodePool |
CLUSTER_VIRTUAL_NODE_POOL_DELETE |
ListVirtualNodes |
CLUSTER_VIRTUAL_NODE_POOL_READ |
GetVirtualNode |
CLUSTER_VIRTUAL_NODE_POOL_READ |
DeleteVirtualNode |
CLUSTER_VIRTUAL_NODE_POOL_UPDATE |
ListPodShapes |
CLUSTER_VIRTUAL_NODE_POOL_INSPECT |
GetVirtualNode |
CLUSTER_VIRTUAL_NODE_POOL_READ |
ListVirtualNodes |
CLUSTER_VIRTUAL_NODE_POOL_READ |
DeleteVirtualNode |
CLUSTER_VIRTUAL_NODE_POOL_UPDATE |
UpdateVirtualNode |
CLUSTER_VIRTUAL_NODE_POOL_UPDATE |
ListAddons |
CLUSTER_READ |
GetAddon |
CLUSTER_READ |
UpdateAddon |
CLUSTER_UPDATE |
DisableAddon |
CLUSTER_UPDATE |
InstallAddon |
CLUSTER_UPDATE |
ListWorkloadMappings |
CLUSTER_WORKLOAD_MAPPING_INSPECT |
GetWorkloadMapping |
CLUSTER_WORKLOAD_MAPPING_READ |
CreateWorkloadMapping |
CLUSTER_WORKLOAD_MAPPING_CREATE, CLUSTER_WORKLOAD_COMPARTMENT_BIND |
UpdateWorkloadMapping |
CLUSTER_WORKLOAD_MAPPING_UPDATE, CLUSTER_WORKLOAD_COMPARTMENT_BIND, CLUSTER_WORKLOAD_COMPARTMENT_UNBIND |
DeleteWorkloadMapping |
CLUSTER_WORKLOAD_MAPPING_DELETE, CLUSTER_WORKLOAD_COMPARTMENT_UNBIND |