OKEã€OCIRを使ã†ã¨ãã«æ¨©é™åˆ¶å¾¡ã™ã‚‹ãŸã‚ã®è¨å®šã¾ã¨ã‚
ã“ã®ã‚¨ãƒ³ãƒˆãƒªãƒ¼ã¯Oracle Cloud アドベントカレンダーãã®2ã®22日目ã§ã™ã€‚
今回ã¯OracleãŒæä¾›ã™ã‚‹ã‚³ãƒ³ãƒ†ãƒŠé–¢é€£ã®ã‚¯ãƒ©ã‚¦ãƒ‰ã‚µãƒ¼ãƒ“スã§ã‚ã‚‹ã€OKEã€OCIRを使ã†ä¸Šã§ã®ã€æº–å‚™ã«å½“ãŸã‚‹ä½œæ¥ã®è©±ã‚’書ããŸã„ã¨æ€ã„ã¾ã™ã€‚
- OKE:
- Oracle Container Engine for Kubernetes
- OracleãŒæä¾›ã™ã‚‹ãƒžãƒãƒ¼ã‚¸ãƒ‰Kubernetesサービス
- OCIR
- Oracle Cloud Infrastructure Registry
- OracleãŒæä¾›ã™ã‚‹ã‚³ãƒ³ãƒ†ãƒŠãƒ¬ã‚¸ã‚¹ãƒˆãƒªã®ãƒžãƒãƒ¼ã‚¸ãƒ‰ãƒ»ã‚µãƒ¼ãƒ“ス
ã“れらを使ã†ã«ã¯ã€Policyã¨å‘¼ã°ã‚Œã‚‹ã‚¢ã‚¯ã‚»ã‚¹æ¨©é™ã®è¨å®šã‚’予ã‚ã—ã¦ãŠãå¿…è¦ãŒã‚ã‚Šã¾ã™ã€‚ ã“ã®ã‚¨ãƒ³ãƒˆãƒªãƒ¼ã§ã¯ã€ãれら必è¦ãªæ¨©é™å‘¨ã‚Šã®è¨å®šã‚’æ•´ç†ã—ãŸã„ã¨æ€ã„ã¾ã™ï¼ˆä»–ã®ã‚¨ãƒ³ãƒˆãƒªãƒ¼ã§ã¯ãã®ã‚¨ãƒ³ãƒˆãƒªãƒ¼ã§å¿…è¦ãªã‚‚ã®ã ã‘書ã„ã¦ã„ã‚‹ã®ã§ï¼‰ã€‚
管ç†è€…権é™ã‚’打ã¡è¾¼ã‚ã°ã™ãã«ä½¿ãˆã‚‹ã‚ˆã†ã«ã¯ãªã‚Šã¾ã™ãŒã€ã¡ã‚ƒã‚“ã¨æ¨©é™ã‚’分ã‘ãŸã„ã¨ãã«ã¯ã“ã®æƒ…å ±ã‚’ç®—ç”¨ã—ã¦ãã ã•ã„。
OKEを使ã†ãŸã‚ã«å¿…è¦ãªãƒãƒªã‚·ãƒ¼
注: in tenancyã‚’in compartment [コンパートメントå]ã®ã‚ˆã†ã«ã™ã‚‹ã¨ã€æ¨©é™ã®åŠã¶ç¯„囲をコンパートåã«çµžã‚‹äº‹ãŒã§ãã¾ã™ã€‚
OKEã®PaaSã«ä¸Žãˆã‚‹æ¨©é™OKEを使ã¤ã¨ãã¯å¿…é ˆ
- Statement:
Allow service OKE to manage all-resources in tenancy
- 説明:
- OKEã®PaaSã«æ¨©é™ã‚’与ãˆã‚‹ãŸã‚ã®ç‰¹æ®Šãªãƒãƒªã‚·ãƒ¼ã€‚OKEを使ã†ã¨ãã¯ã“れを必ãšä½œã‚‹ã€‚ã“ã‚ŒãŒãªã„ã¨å§‹ã¾ã‚‰ãªã„
- Statement:
OKEクラスターã¨Node Poolã‚’æ“作ã™ã‚‹æ¨©é™
- Statement:
Allow group [グループå] to manage cluster-family in tenancyAllow group [グループå] to inspect vcns in tenancyAllow group [グループå] to inspect subnets in tenancy
- 説明:
- OKEã®ã‚¯ãƒ©ã‚¹ã‚¿ãƒ¼ã¨Node Poodã‚’æ“作ã™ã‚‹æ¨©é™ï¼ˆ3ã¤ã‚»ãƒƒãƒˆï¼‰ã€‚3ã¤ã®ã†ã¡ä¸‹ã®ã®2ã¤ã¯ã€ã‚¯ãƒ©ã‚¹ã‚¿ãƒ¼ãŒä¾å˜ã™ã‚‹ä¸‹å›žã‚Šã®ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‚’å‚ç…§ã™ã‚‹ãŸã‚ã®ã‚‚ã®ã€‚
- ã“ã®ã‚»ãƒƒãƒˆã«ã¯ä¸‹å›žã‚Šã®ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‚’ã„ã˜ã‚‹æ¨©é™ã¯å«ã¾ã‚Œãªã„(ä¾å˜ã™ã‚‹ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã¯ä½œæˆæ¸ˆã¿ã®å‰æ)
- Statement:
OKEクラスターã¨Node Poolã‚’æ“作ã™ã‚‹æ¨©é™ + ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã®æ“作権é™
- Statement:
Allow group [グループå] to manage cluster-family in tenancyAllow group [グループå] to manage virtual-network-family in tenancy
- 説明:
- OKEã‚’ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‚‚å«ã‚ã¦ä½œã£ãŸã‚Šæ“作ã—ãŸã„ã¨ãã«å¿…è¦ãªæ¨©é™ã€‚2ã¤ç›®ã®æ–¹ã¯ä¸‹å›žã‚Šã®ãƒãƒƒãƒˆãƒ¯ãƒ¼ã‚¯ã‚’æ“作ã™ã‚‹ãŸã‚ã®ã‚‚ã®
- OKE作æˆã®ãƒ€ã‚¤ã‚¢ãƒã‚°ã§
quick clusterを使ã†ã¨ãã«ã¯ã“ã®æ¨©é™ãŒå¿…è¦
- Statement:
OKEクラスターをå‚ç…§ã™ã‚‹æ¨©é™
- Statement:
Allow group [グループå] to inspect clusters in tenancy
- 説明:
- OKEã®ã‚¯ãƒ©ã‚¹ã‚¿ãƒ¼ã‚’å‚ç…§ã™ã‚‹æ¨©é™
- Statement:
OKEクラスターã®Node Poolã‚’æ“作ã™ã‚‹æ¨©é™
- Statement:
Allow group [グループå] to use cluster-node-pools in tenancy
- 説明:
- 作æˆæ¸ˆã¿ã®OKEクラスターã®Node Poolã‚’è¿½åŠ ã€å‰Šé™¤ã€ã‚¢ãƒƒãƒ—デート(構æˆå¤‰æ›´ãªã©ï¼‰ã™ã‚‹æ¨©é™
- Statement:
OKEクラスターã¸ã®æ“作ã®ç›£æŸ»æƒ…å ±ã‚’å‚ç…§ã™ã‚‹æ¨©é™
- Statement:
Allow group [グループå] to read cluster-work-requests in tenancy
- 説明:
- OKEクラスターã¸ã®æ“作ã®ç›£æŸ»æƒ…å ±ã‚’å‚ç…§ã™ã‚‹æ¨©é™
- Statement:
OCIRを使ã†ãŸã‚ã«å¿…è¦ãªãƒãƒªã‚·ãƒ¼
以下ã¯å…¨ã¦ã‚’網羅ã—ãŸã‚‚ã®ã§ã¯ã‚ã‚Šã¾ã›ã‚“ãŒã€ã»ã¨ã‚“ã©ã®ã‚±ãƒ¼ã‚¹ã¯ã“れらãŒã‚ã‚Œã°å¤§ä¸ˆå¤«ã‹ã¨æ€ã„ã¾ã™ã€‚
リãƒã‚¸ãƒˆãƒªã®é–²è¦§æ¨©é™
- Statement:
Allow group [グループå] to inspect repos in tenancy
- 説明:
- OCIRã®ãƒªãƒã‚¸ãƒˆãƒªã®é–²è¦§æ¨©é™
- Statement:
イメージã®å–得権é™ï¼ˆå…¨ã¦ã®ãƒªãƒã‚¸ãƒˆãƒªï¼‰
- Statement:
Allow group [グループå] to read repos in tenancy
- 説明:
- OCIRã®å…¨ã¦ã®ãƒªãƒã‚¸ãƒˆãƒªã®ã‚¤ãƒ¡ãƒ¼ã‚¸ã‚’pullã™ã‚‹æ¨©é™
- Statement:
イメージã®å–得権é™ï¼ˆãƒªãƒã‚¸ãƒˆãƒªã‚’é™å®šï¼‰
- Statement:
Allow group [グループå] to read repos in tenancy where all { target.repo.name=/[リãƒã‚¸ãƒˆãƒªå]/ }
- 説明:
- OCIRã®æŒ‡å®šã•ã‚ŒãŸãƒªãƒã‚¸ãƒˆãƒªã®ã‚¤ãƒ¡ãƒ¼ã‚¸ã‚’pullã™ã‚‹æ¨©é™ã€‚
/example-app*/ã®ã‚ˆã†ã«æ£è¦è¡¨ç¾ã‚’使ã†ã“ã¨ã‚‚ã§ãる模様
- OCIRã®æŒ‡å®šã•ã‚ŒãŸãƒªãƒã‚¸ãƒˆãƒªã®ã‚¤ãƒ¡ãƒ¼ã‚¸ã‚’pullã™ã‚‹æ¨©é™ã€‚
- Statement:
イメージã®ç™»éŒ²æ¨©é™ï¼ˆå…¨ã¦ã®ãƒªãƒã‚¸ãƒˆãƒªï¼‰
- Statement:
Allow group [グループå] to use repos in tenancy
- 説明:
- OCIRã®å…¨ã¦ã®ãƒªãƒã‚¸ãƒˆãƒªã«ã‚¤ãƒ¡ãƒ¼ã‚¸ã‚’pushã™ã‚‹æ¨©é™
- Statement:
イメージã®ç™»éŒ²æ¨©é™ï¼ˆãƒªãƒã‚¸ãƒˆãƒªãŒå˜åœ¨ã—ãªã„å ´åˆã«æ–°ãŸã«ä½œã‚‹æ¨©é™ã‚‚è¿½åŠ ï¼‰
- Statement:
Allow group [グループå] to manage repos in tenancy where ANY {request.permission = 'REPOSITORY_CREATE', request.permission = 'REPOSITORY_UPDATE'}
- 説明:
- OCIRã®å…¨ã¦ã®ãƒªãƒã‚¸ãƒˆãƒªã«ã‚¤ãƒ¡ãƒ¼ã‚¸ã‚’pushã™ã‚‹æ¨©é™ã€‚リãƒã‚¸ãƒˆãƒªãŒå˜åœ¨ã—ãªã„å ´åˆã«æ–°ãŸã«ä½œã‚‹æ¨©é™ã‚‚è¿½åŠ ï¼‰
- Statement:
OCIRã¸ã®ãƒ•ãƒ«ã‚¢ã‚¯ã‚»ã‚¹
- Statement:
Allow group [グループå] to manage repos in tenancy
- 説明:
- テナント内ã®ãƒªãƒã‚¸ãƒˆãƒªã«å¯¾ã™ã‚‹å…¨æ¨©é™
- Statement:
