Oracle Cloud Infrastructure Documentation

Details for Container Engine for Kubernetes

This topic covers details for writing policies to control access to Container Engine for Kubernetes.

Resource-Types

Aggregate Resource-Type

  • cluster-family

Individual Resource-Types

  • clusters
  • cluster-node-pools
  • cluster-work-requests

Comments

A policy that uses <verb> cluster-family is equivalent to writing one with a separate <verb> <individual resource-type> statement for each of the individual resource-types.

See the table in Details for Verb + Resource-Type Combinations for a detailed breakout of the API operations covered by each verb, for each individual resource-type included in cluster-family.

Supported Variables

Container Engine for Kubernetes supports all the general variables (see General Variables for All Requests), plus the ones listed here.

The clusters resource type can use the following variables:

Variable            Variable Type    Comments
target.cluster.id   Entity (OCID)

The cluster-node-pools resource type can use the following variables:

Variable            Variable Type    Comments
target.nodepool.id  Entity (OCID)

Details for Verb + Resource-Type Combinations

The following tables show the permissions and API operations covered by each verb. The level of access is cumulative as you go from inspect > read > use > manage. A plus sign (+) in a table cell indicates incremental access compared to the cell directly above it, whereas "no extra" indicates no incremental access.

For example, the read verb for the clusters resource-type includes the same permissions and API operations as the inspect verb, plus the CLUSTER_READ permission and a number of API operations (e.g., GetCluster). The use verb covers one further permission and API operation compared to read. Lastly, manage covers more permissions and operations compared to use.

clusters
cluster-node-pools
cluster-work-requests

Permissions Required for Each API Operation

The following table lists the API operations in a logical order, grouped by resource type. For information about permissions, see Permissions.

API Operation            Permissions Required to Use the Operation
ListClusters             CLUSTER_INSPECT
CreateCluster            CLUSTER_CREATE
GetClusterKubeconfig     CLUSTER_USE
GetCluster               CLUSTER_READ
UpdateCluster            CLUSTER_UPDATE
DeleteCluster            CLUSTER_DELETE, CLUSTER_NODE_POOL_DELETE
AdministerK8s            CLUSTER_MANAGE
ListNodePools            CLUSTER_NODE_POOL_INSPECT
CreateNodePool           CLUSTER_NODE_POOL_CREATE
GetNodePool              CLUSTER_NODE_POOL_READ
GetNodePoolOptions       CLUSTER_READ
UpdateNodePool           CLUSTER_NODE_POOL_UPDATE
DeleteNodePool           CLUSTER_NODE_POOL_DELETE
ListWorkRequests         CLUSTER_WORK_REQUEST_INSPECT, CLUSTER_NODE_POOL_INSPECT, CLUSTER_INSPECT
GetWorkRequest           CLUSTER_WORK_REQUEST_READ, CLUSTER_NODE_POOL_READ, CLUSTER_READ
ListWorkRequestErrors    CLUSTER_WORK_REQUEST_READ, CLUSTER_NODE_POOL_READ, CLUSTER_READ
ListWorkRequestLogs      CLUSTER_WORK_REQUEST_READ, CLUSTER_NODE_POOL_READ, CLUSTER_READ
DeleteWorkRequest        CLUSTER_WORK_REQUEST_DELETE
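The following Python script is an added worked example, not Oracle's own code or tooling. It makes two rules from this page concrete: the Comments section's statement that a cluster-family policy is equivalent to one statement per individual resource-type, and the table above, which lets you check which API operations a given set of granted permissions actually authorizes (useful when reviewing a policy for least privilege, for instance spotting that DeleteCluster needs CLUSTER_NODE_POOL_DELETE as well as CLUSTER_DELETE). Every permission listed for an operation is treated as required; the page lists them without stating and/or, so that is an assumption. The group name, compartment name and OCID in the usage section are constructed placeholders.

```python
"""
Added example (not Oracle's code): expand cluster-family policy statements
into per-resource-type statements, and compute which Container Engine API
operations a set of granted permissions authorizes.
"""
import re
from typing import Dict, List, Set

# Individual resource-types aggregated by cluster-family (from the page).
CLUSTER_FAMILY = ("clusters", "cluster-node-pools", "cluster-work-requests")

# API operation -> permissions required, transcribed from the page's table.
# Assumption: every listed permission is needed (conjunction).
REQUIRED_PERMISSIONS: Dict[str, Set[str]] = {
    "ListClusters": {"CLUSTER_INSPECT"},
    "CreateCluster": {"CLUSTER_CREATE"},
    "GetClusterKubeconfig": {"CLUSTER_USE"},
    "GetCluster": {"CLUSTER_READ"},
    "UpdateCluster": {"CLUSTER_UPDATE"},
    "DeleteCluster": {"CLUSTER_DELETE", "CLUSTER_NODE_POOL_DELETE"},
    "AdministerK8s": {"CLUSTER_MANAGE"},
    "ListNodePools": {"CLUSTER_NODE_POOL_INSPECT"},
    "CreateNodePool": {"CLUSTER_NODE_POOL_CREATE"},
    "GetNodePool": {"CLUSTER_NODE_POOL_READ"},
    "GetNodePoolOptions": {"CLUSTER_READ"},
    "UpdateNodePool": {"CLUSTER_NODE_POOL_UPDATE"},
    "DeleteNodePool": {"CLUSTER_NODE_POOL_DELETE"},
    "ListWorkRequests": {"CLUSTER_WORK_REQUEST_INSPECT",
                         "CLUSTER_NODE_POOL_INSPECT", "CLUSTER_INSPECT"},
    "GetWorkRequest": {"CLUSTER_WORK_REQUEST_READ",
                       "CLUSTER_NODE_POOL_READ", "CLUSTER_READ"},
    "ListWorkRequestErrors": {"CLUSTER_WORK_REQUEST_READ",
                              "CLUSTER_NODE_POOL_READ", "CLUSTER_READ"},
    "ListWorkRequestLogs": {"CLUSTER_WORK_REQUEST_READ",
                            "CLUSTER_NODE_POOL_READ", "CLUSTER_READ"},
    "DeleteWorkRequest": {"CLUSTER_WORK_REQUEST_DELETE"},
}

# Matches "Allow <subject> to <verb> cluster-family in <scope>[ where <condition>]".
_STATEMENT = re.compile(
    r"^(?P<head>Allow\s+.+?\s+to\s+)(?P<verb>inspect|read|use|manage)\s+"
    r"cluster-family\s+(?P<tail>in\s+.+)$",
    re.IGNORECASE,
)


def expand_family(statement: str) -> List[str]:
    """Return the per-resource-type statements equivalent to a cluster-family
    statement. Statements not written against cluster-family come back unchanged."""
    m = _STATEMENT.match(statement.strip())
    if not m:
        return [statement.strip()]
    return [f"{m['head']}{m['verb']} {rt} {m['tail']}" for rt in CLUSTER_FAMILY]


def allowed_operations(granted: Set[str]) -> Set[str]:
    """API operations for which every required permission has been granted."""
    return {op for op, needed in REQUIRED_PERMISSIONS.items() if needed <= granted}


def missing_for(operation: str, granted: Set[str]) -> Set[str]:
    """Permissions still missing before `operation` would be authorized."""
    return REQUIRED_PERMISSIONS[operation] - granted


if __name__ == "__main__":
    # Constructed placeholder policy, scoped to one cluster with the
    # target.cluster.id variable from the Supported Variables section.
    stmt = ("Allow group ClusterOperators to use cluster-family in compartment Dev "
            "where target.cluster.id = 'ocid1.cluster.oc1..exampleplaceholder'")
    for s in expand_family(stmt):
        print(s)
    # Holding CLUSTER_DELETE alone is not enough to call DeleteCluster.
    print("DeleteCluster still needs:", missing_for("DeleteCluster", {"CLUSTER_DELETE"}))
    # Inspect on clusters and node pools does not cover ListWorkRequests.
    print(sorted(allowed_operations({"CLUSTER_INSPECT", "CLUSTER_NODE_POOL_INSPECT"})))
```

Run it as a script to see the expansion and the permission checks; the regex deliberately only rewrites statements whose resource-type is exactly cluster-family, so other family statements pass through untouched.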