Managing Access Policies with kubectl

With the kubectl command you can create, update, move, list, view, and delete a Service Mesh access policy. The following topics detail how to manage these operations with kubectl.

Required IAM Policy for Access Policies

To work with access policies, an administrator must grant you the required type of access in an IAM policy. The permissions are required regardless of whether you use the Console, the REST API with an SDK, the CLI, Kubernetes kubectl, or another tool.

If an action returns a permission denied or unauthorized message, check with your administrator that the policy grants the correct type of access and names the correct compartment.

For example, to allow users in the group MeshAdmins to create, update, and delete all access policies in the compartment sales-app:

Allow group MeshAdmins to manage mesh-access-policies in compartment sales-app

For Service Mesh IAM policy reference details for each resource, see: Service Mesh IAM Policies.

For a step-by-step guide to set up all the required IAM policies for a Service Mesh, see Set up Policies required for Service Mesh.

View Kubernetes Configuration Options for Access Policies

You can view the Kubernetes CLI access policy YAML configuration options by displaying the Custom Resource Definition (CRD). Use the following command:

kubectl describe crd accesspolicies.servicemesh.oci.oracle.com

In the CRD, you see the fields used in a YAML configuration file under spec:schema:openAPIV3Schema:properties:spec. CRD output also includes information about field types, ranges, and limits. The following section provides an example of a YAML configuration file.

Create, Update, or Move an Access Policy

To create an access policy, use the kubectl apply command. For example:

kubectl apply -f access-policy.yaml

The following is a sample YAML configuration file used to create an access policy. Note that the first rule uses the allVirtualServices wildcard as its destination, which lets the source virtual service reach every virtual service in the mesh; review wildcard destinations before applying a policy to a shared mesh.

apiVersion: servicemesh.oci.oracle.com/v1beta1
kind: AccessPolicy
metadata:
  name: <sample-access-policy>      # Access Policy name
  namespace: <sample-namespace>
spec:
  compartmentId: ocid1.compartment.oc1..aaa...
  name: sample-ap     # Access Policy name inside the mesh
  description: This Access Policy
  mesh:
    ref:
      name: <sample-mesh>
  rules:
    - action: ALLOW
      source:
        virtualService:
          ref:
            name: <vs-sample-page>
      destination:
        allVirtualServices: {}
    - action: ALLOW
      source:
        ingressGateway:
          ref:
            name: <sample-ingress-gateway>
      destination:
        virtualService:
          ref:
            name: <vs-sample-page>

To update an access policy with kubectl:
  1. Change the configuration file as needed.
  2. Save the file.
  3. Run the apply command again.

To move an access policy to a different compartment:
  1. Update compartmentId to the OCID of the target compartment.
  2. Save the file.
  3. Run the apply command again.

Because IAM policies are scoped to a compartment, moving an access policy changes which policies govern it. Confirm that the users who manage the policy have the required access in the target compartment.
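The create, update, and move procedure above, scripted end to end as an added example. This is not code from the OCI documentation or the Service Mesh project; the resource names (sample-ap, sample-namespace, sample-mesh, vs-sample-page, sample-ingress-gateway) and the OCID values are placeholders, and the compartment OCID shape check is an assumption based on the format shown on this page, not an OCI-documented validator. The rendered manifest keeps only the narrow ingress-gateway-to-virtual-service rule from the sample and counts allVirtualServices wildcards so they are visible before apply. The kubectl step is skipped when kubectl is not on PATH, so the render and move steps can be exercised offline.

```shell
#!/bin/sh
# Added example, not from the OCI docs: render an AccessPolicy manifest,
# move it to another compartment by rewriting compartmentId, and apply it
# with kubectl. All names and OCIDs are placeholders (assumptions).
set -eu

# Shape check only (assumption based on the OCID format shown in the sample);
# it refuses obviously wrong values before they land in a manifest.
valid_compartment_ocid() {
    printf '%s' "$1" | grep -Eq '^ocid1\.compartment\.oc1\.[A-Za-z0-9-]*\.[A-Za-z0-9]+$'
}

# Render an AccessPolicy with a single ALLOW rule: ingress gateway -> one
# virtual service. Args: name namespace compartment-ocid mesh virtual-service gateway
render_access_policy() {
    name=$1; ns=$2; compartment=$3; mesh=$4; vs=$5; gw=$6
    valid_compartment_ocid "$compartment" || { echo "bad compartment OCID: $compartment" >&2; return 1; }
    cat <<EOF
apiVersion: servicemesh.oci.oracle.com/v1beta1
kind: AccessPolicy
metadata:
  name: $name
  namespace: $ns
spec:
  compartmentId: $compartment
  name: $name
  mesh:
    ref:
      name: $mesh
  rules:
    - action: ALLOW
      source:
        ingressGateway:
          ref:
            name: $gw
      destination:
        virtualService:
          ref:
            name: $vs
EOF
}

# Count allVirtualServices wildcard destinations in a manifest (0 is the
# goal for a least-privilege policy; grep -c exits 1 on zero matches).
wildcard_destinations() {
    grep -c 'allVirtualServices' "$1" || true
}

# Move = rewrite only the compartmentId line, then verify the new value is
# present. Uses a temp file instead of sed -i for GNU/BSD portability.
move_compartment() {
    f=$1; new=$2
    valid_compartment_ocid "$new" || { echo "refusing to move: bad OCID $new" >&2; return 1; }
    sed "s|^\(  compartmentId: \).*|\1$new|" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    grep -q "^  compartmentId: $new\$" "$f" || { echo "compartmentId not found in $f" >&2; return 1; }
}

# kubectl apply creates on first run and updates (or moves) on later runs.
apply_manifest() {
    if command -v kubectl >/dev/null 2>&1; then
        kubectl apply -f "$1"
    else
        echo "kubectl not on PATH; manifest left at $1 (not applied)" >&2
    fi
}

demo() {
    f=$(mktemp)
    render_access_policy sample-ap sample-namespace ocid1.compartment.oc1..aaa111 \
        sample-mesh vs-sample-page sample-ingress-gateway > "$f"
    echo "wildcard destinations in manifest: $(wildcard_destinations "$f")"
    apply_manifest "$f"                                   # create
    move_compartment "$f" ocid1.compartment.oc1..bbb222   # placeholder target
    apply_manifest "$f"                                   # move: same apply, new compartmentId
    rm -f "$f"
}

if [ "${AP_DEMO:-0}" = 1 ]; then demo; fi
```

Run with `AP_DEMO=1 sh access-policy.sh` against a cluster where kubectl is configured; without kubectl the script still renders and rewrites the manifest and reports that nothing was applied, which is useful for reviewing the generated YAML in CI before it reaches the mesh.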

Get a List of Access Policies

To get a list of access policies in your namespace, use the following command:

kubectl get accesspolicies -n <namespace>

View an Access Policy

To view the details of a specific access policy in your namespace, use the following command:

kubectl describe accesspolicy <name> -n <namespace>

Delete an Access Policy

To delete a specific access policy in your namespace, use the following command:

kubectl delete accesspolicy <name> -n <namespace>