Minimum IAM User Policy - OCI (4.3)
To use the installation guide, you must ensure that the user who performs the installation has been granted the minimum permissions needed to provision OCI resources.
When a tenancy is created, an Administrators group is automatically created for the tenancy. Users that are members of the Administrators group can perform any operation on resources in the tenancy.
You do not need to set up the policies below if the user who performs the installation has the AdministratorAccess policy.
Best practice is to set up a minimum IAM policy for the group and then add any user performing the installation to that group.
Required Policies for Groups
If you want to enable users that are not members of the Administrators group to use Container Engine for Kubernetes, you must create policies that enable the groups to which these users belong to perform operations on resources in the tenancy or in individual compartments.
The following policy statements are required to enable users to use Container Engine for Kubernetes to create, update, and delete clusters and node pools:
Allow group <group-name> to manage instance-family in <location>
Allow group <group-name> to use subnets in <location>
Allow group <group-name> to manage virtual-network-family in <location>
Allow group <group-name> to inspect compartments in <location>
Allow group <group-name> to use vnics in <location>
Allow group <group-name> to use network-security-groups in <location>
Allow group <group-name> to use private-ips in <location>
Allow group <group-name> to manage public-ips in <location>
The following policy statement is required to enable users to perform any operation on cluster-related resources:
Allow group <group-name> to manage cluster-family in <location>
Additional Policies for Groups
To enable users in the group to automatically create and configure associated new network resources when creating new clusters, these policies must also be granted to the group:
Allow group <group-name> to manage vcns in <location>
Allow group <group-name> to manage subnets in <location>
Allow group <group-name> to manage internet-gateways in <location>
Allow group <group-name> to manage nat-gateways in <location>
Allow group <group-name> to manage route-tables in <location>
Allow group <group-name> to manage security-lists in <location>
Allow group <group-name> to manage load-balancers in <location>
Allow group <group-name> to manage network-security-groups in <location>
To enable users in the group to only list the clusters, grant the following policy:
To enable users in the group to list, create, update, and delete node pools, grant the following policy:
To enable users in the group to see details of operations performed on clusters, grant the following policy:
To enable users in the group to create a service gateway to enable worker nodes to access other resources in the same region without exposing data to the public internet, grant the following policy:
To enable users in the group to access clusters using Cloud Shell, grant the following policy:
To enable users in the group to select master encryption keys and vaults in the Vault service when creating and modifying clusters using the Console, grant the following policies:
To enable users in the group to use capacity reservations, grant the following policy:
Policy to Manage Certificate and Certificate Authority
To enable users in the group to issue new TLS/SSL certificates, generate CA bundles, and retrieve certificate-related information from the Certificates service, grant the following policy:
Policy to Manage File Systems
To create and/or manage file systems, mount targets, and export paths, grant the following policy:
Policy to Access User-Managed Encryption Keys for Encrypting File Systems
To use a master encryption key from the Vault service to encrypt data in file systems, create a dynamic group with the following matching rules:
Policy to Manage DNS
To enable users in the group to create a new DNS zone and add new records to the parent DNS zone, grant the following policy:
Policy to use Logging Analytics
A dynamic group, configured as described below, is needed before the Logging Analytics policies can be created. Users in this dynamic group are allowed to use and manage Logging Analytics.
Create a dynamic group with the following matching rules:
Create a policy to use Logging Analytics:
Note: Replace <location> with either tenancy (if you are creating the policy in the tenancy's root compartment) or compartment <compartment-name> (if you are creating the policy in an individual compartment).