Managing Access Policies with kubectl
With the kubectl
command you can create, update, move, list, view,
and delete a Service Mesh access policy. The following topics detail how to manage these
operations with kubectl
.
Required IAM Policy for Access Policies
To use an access policy, an administrator must grant you the required type of access in a policy (IAM). Whether you're using the Console, the REST API with an SDK, the CLI, Kubernetes kubectl
, or other tool, the correct permissions are required.
When an action produces a permission denied or unauthorized message, confirm a couple of settings with your administrator. The administrator must ensure that the correct type of access is granted and the correct compartment is specified.
For example, to allow users in the group MeshAdmins
to create, update, and delete all access policies in the compartment sales-app
:
Allow group MeshAdmins to manage mesh-access-policies in compartment sales-app
For Service Mesh IAM policy reference details for each resource, see: Service Mesh IAM Policies.
For a step-by-step guide to set up all the required IAM policies for a Service Mesh, see Set up Policies required for Service Mesh
View Kubernetes Configuration Options for Access Policies
You can view the Kubernetes CLI access policy YAML configuration options by displaying the Custom Resource Definition (CRD). Use the following command:
kubectl describe crd accesspolicies.servicemesh.oci.oracle.com
In the CRD, you see the fields used in a YAML configuration file under
spec:schema:openAPIV3Schema:properties:spec
. CRD output also
includes information about field types, ranges, and limits. The following section
provides an example of a YAML configuration file.
Create, Update, or Move an Access Policy
To create an access policy, use the kubectl apply
command. For
example:
kubectl apply -f access-policy.yaml
The following is the sample yaml
configuration file used to create
an access policy:
apiVersion: servicemesh.oci.oracle.com/v1beta1
kind: AccessPolicy
metadata:
name: <sample-access-policy> # Access Policy name
namespace: <sample-namespace>
spec:
compartmentId: ocid1.compartment.oc1..aaa...
name: sample-ap # Access Policy name inside the mesh
description: This Access Policy
mesh:
ref:
name: <sample-mesh>
rules:
- action: ALLOW
source:
virtualService:
ref:
name: <vs-sample-page>
destination:
allVirtualServices: {}
- action: ALLOW
source:
ingressGateway:
ref:
name: <sample-ingress-gateway>
destination:
virtualService:
ref:
name: <vs-sample-page>
kubectl
: - Change the configuration file as needed.
- Save the file.
- Run the
apply
command again.
- Update the compartment OCID to the value of the target compartment.
- Save the file.
- Run the
apply
command again.
Get a List of Access Policies
To get a list of access policies in your namespace, use the following command:
kubectl get accesspolicies -n <namespace>
View an Access Policy
To view the details of a specific access policy in your namespace, use the following command:
kubectl describe accesspolicy <name> -n <namespace>
Delete an Access Policy
To delete of a specific access policy in your namespace, use the following command:
kubectl delete accesspolicy <name> -n <namespace>