Details for Container Engine for Kubernetes

This topic covers details for writing policies to control access to Container Engine for Kubernetes.

Resource-Types

Aggregate Resource-Type

cluster-family

Individual Resource-Types

clusters
cluster-node-pools
cluster-pod-shapes
cluster-virtualnode-pools
cluster-work-requests
cluster-workload-mappings

Comments

A policy that uses <verb> cluster-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for details of the API operations covered by each verb, for each individual resource-type included in cluster-family.

Supported Variables

Container Engine for Kubernetes supports all the general variables (see General Variables for All Requests), plus the ones listed here.

The clusters resource type can use the following variables:


Variable	Variable Type	Comments
`target.cluster.id`	Entity (OCID)

The cluster-node-pools resource type can use the following variables:


Variable	Variable Type	Comments
`target.nodepool.id`	Entity (OCID)

The cluster-virtual-node-pools resource type can use the following variables:


Variable	Variable Type	Comments
`target.virtualnodepool.id`	Entity (OCID)
`target.cluster.id`	Entity (OCID)

The cluster-workload-mappings resource type can use the following variables:


Variable	Variable Type	Comments
`target.clusterworkloadmapping.id`	Entity (OCID)
`target.mapping.cluster_id`	Entity (OCID)

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the clusters resource-type includes the same permissions and API operations as the inspect verb, plus the CLUSTER_READ permission and a number of API operations (e.g., GetCluster, etc.). The use verb covers still another permission and API operation compared to read. Lastly, manage covers more permissions and operations compared to use.

clusters


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	CLUSTER_INSPECT	`ListClusters` `ListWorkRequests`	none
read	INSPECT + CLUSTER_READ	INSPECT + `GetCluster` `GetWorkRequest` `ListWorkRequestErrors` `ListWorkRequestLogs` `ListAddons` `GetAddon`	none
use	READ + CLUSTER_USE	READ + `CreateKubeconfig`	none
manage	USE + CLUSTER_CREATE CLUSTER_DELETE CLUSTER_UPDATE CLUSTER_MANAGE CLUSTER_JOIN	USE + `UpdateCluster` `AdministerK8s` `InstallAddon` `UpdateAddon` `DisableAddon` `JoinCluster`	`CreateCluster` (also need `use subnets`, `read virtual-network-family`, `inspect compartments`, `use vnics`, `use network-security-groups`, `use private-ips`, and `manage public-ips`) `DeleteCluster` (also need `manage cluster-node-pools`, `manage instance-family`, `use subnets`, `use vnics`, `use private-ips`, and `manage public-ips`) `UpdateClusterEndpointConfig` (also need `use vnics`, `use network-security-groups`, `use private-ips`, and `manage public-ips`)

cluster-node-pools


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	CLUSTER_NODE_POOL_INSPECT	`ListNodePools` `ListWorkRequests`	none
read	INSPECT + CLUSTER_NODE_POOL_READ	INSPECT + `GetNodePool` `GetWorkRequest` `ListWorkRequestErrors` `ListWorkRequestLogs`	none
use	no extra	no extra	none
manage	USE + CLUSTER_NODE_POOL_CREATE CLUSTER_NODE_POOL_DELETE CLUSTER_NODE_POOL_UPDATE	no extra	`CreateNodePool`, `DeleteNodePool`, and `UpdateNodePool` (also need `manage instance-family`, `use subnets`, `use vnics`, and `inspect compartments`)

cluster-pod-shapes


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	CLUSTER_VIRTUAL_NODE_POOL_INSPECT	`ListPodShapes`	none
read	no extra	no extra	none
use	no extra	no extra	none
manage	no extra	no extra	none

cluster-virtual-node-pools


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	CLUSTER_VIRTUAL_NODE_POOL_INSPECT	`ListVirtualNodePools` `ListPodShapes`	none
read	INSPECT + CLUSTER_VIRTUAL_NODE_POOL_READ	INSPECT + `GetVirtualNodePool` `ListPodShapes` `ListVirtualNodes` `GetVirtualNode`	none
use	no extra	no extra	none
manage	USE + CLUSTER_VIRTUAL_NODE_POOL_CREATE CLUSTER_VIRTUAL_NODE_POOL_UPDATE CLUSTER_VIRTUAL_NODE_POOL_DELETE	USE + `CreateVirtualNodePool` `UpdateVirtualNodePool` `DeleteVirtualNodePool` `UpdateVirtualNode` `DeleteVirtualNode`	none

cluster-work-requests


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	CLUSTER_WORK_REQUEST_INSPECT	`ListWorkRequests`	none
read	INSPECT + CLUSTER_WORK_REQUEST_READ	INSPECT + `GetWorkRequest` `ListWorkRequestErrors` `ListWorkRequestLogs`	none
use	no extra	no extra	none
manage	USE + CLUSTER_WORK_REQUEST_DELETE	USE + `DeleteWorkRequest`	none

cluster-workload-mappings


Verbs	Permissions	APIs Fully Covered	APIs Partially Covered
inspect	CLUSTER_WORKLOAD_MAPPING_INSPECT	`ListWorkloadMappings`	none
read	INSPECT + CLUSTER_WORKLOAD_MAPPING_READ	INSPECT + `GetWorkloadMapping`	none
use	READ + CLUSTER_WORKLOAD_MAPPING_UPDATE CLUSTER_WORKLOAD_COMPARTMENT_BIND CLUSTER_WORKLOAD_COMPARTMENT_UNBIND	`UpdateWorkloadMapping`	none
manage	USE + CLUSTER_WORKLOAD_MAPPING_CREATE CLUSTER_WORKLOAD_MAPPING_DELETE	USE + `CreateWorkloadMapping` `DeleteWorkloadMapping`	none

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. For information about permissions, see Permissions.


API Operation	Permissions Required to Use the Operation
`ListClusters`	CLUSTER_INSPECT
`CreateCluster`	CLUSTER_CREATE
`CreateKubeconfig`	CLUSTER_USE
`GetCluster`	CLUSTER_READ
`UpdateCluster`	CLUSTER_UPDATE
`JoinCluster`	CLUSTER_MANAGE
`DeleteCluster`	CLUSTER_DELETE, CLUSTER_NODE_POOL_DELETE
`UpdateClusterEndpointConfig`	CLUSTER_MANAGE
`AdministerK8s`	CLUSTER_MANAGE
`ListNodePools`	CLUSTER_NODE_POOL_INSPECT
`CreateNodePool`	CLUSTER_NODE_POOL_CREATE
`GetNodePool`	CLUSTER_NODE_POOL_READ
`GetNodePoolOptions`	CLUSTER_READ
`UpdateNodePool`	CLUSTER_NODE_POOL_UPDATE
`DeleteNodePool`	CLUSTER_NODE_POOL_DELETE
`ListWorkRequests`	CLUSTER_WORK_REQUEST_INSPECT, CLUSTER_NODE_POOL_INSPECT, CLUSTER_INSPECT
`GetWorkRequest`	CLUSTER_WORK_REQUEST_READ, CLUSTER_NODE_POOL_READ, CLUSTER_READ
`ListWorkRequestErrors`	CLUSTER_WORK_REQUEST_READ, CLUSTER_NODE_POOL_READ, CLUSTER_READ
`ListWorkRequestLogs`	CLUSTER_WORK_REQUEST_READ, CLUSTER_NODE_POOL_READ, CLUSTER_READ
`DeleteWorkRequest`	CLUSTER_WORK_REQUEST_DELETE
`ListVirtualNodePools`	CLUSTER_VIRTUAL_NODE_POOL_INSPECT
`GetVirtualNodePool`	CLUSTER_VIRTUAL_NODE_POOL_READ
`CreateVirtualNodePool`	CLUSTER_VIRTUAL_NODE_POOL_CREATE
`UpdateVirtualNodePool`	CLUSTER_VIRTUAL_NODE_POOL_UPDATE
`DeleteVirtualNodePool`	CLUSTER_VIRTUAL_NODE_POOL_DELETE
`ListVirtualNodes`	CLUSTER_VIRTUAL_NODE_POOL_READ
`GetVirtualNode`	CLUSTER_VIRTUAL_NODE_POOL_READ
`DeleteVirtualNode`	CLUSTER_VIRTUAL_NODE_POOL_UPDATE
`ListPodShapes`	CLUSTER_VIRTUAL_NODE_POOL_INSPECT
`GetVirtualNode`	CLUSTER_VIRTUAL_NODE_POOL_READ
`ListVirtualNodes`	CLUSTER_VIRTUAL_NODE_POOL_READ
`DeleteVirtualNode`	CLUSTER_VIRTUAL_NODE_POOL_UPDATE
`UpdateVirtualNode`	CLUSTER_VIRTUAL_NODE_POOL_UPDATE
`ListAddons`	CLUSTER_READ
`GetAddon`	CLUSTER_READ
`UpdateAddon`	CLUSTER_UPDATE
`DisableAddon`	CLUSTER_UPDATE
`InstallAddon`	CLUSTER_UPDATE
`ListWorkloadMappings`	CLUSTER_WORKLOAD_MAPPING_INSPECT
`GetWorkloadMapping`	CLUSTER_WORKLOAD_MAPPING_READ
`CreateWorkloadMapping`	CLUSTER_WORKLOAD_MAPPING_CREATE, CLUSTER_WORKLOAD_COMPARTMENT_BIND
`UpdateWorkloadMapping`	CLUSTER_WORKLOAD_MAPPING_UPDATE, CLUSTER_WORKLOAD_COMPARTMENT_BIND, CLUSTER_WORKLOAD_COMPARTMENT_UNBIND
`DeleteWorkloadMapping`	CLUSTER_WORKLOAD_MAPPING_DELETE, CLUSTER_WORKLOAD_COMPARTMENT_UNBIND

Oracle Cloud Infrastructure Documentation