Skip to content

Latest commit

 

History

History
1146 lines (1085 loc) · 73 KB

cs_access_reference.md

File metadata and controls

1146 lines (1085 loc) · 73 KB
copyright lastupdated keywords subcollection
years
2014, 2019
2019-04-15
kubernetes, iks
containers

{:new_window: target="blank"} {:shortdesc: .shortdesc} {:screen: .screen} {:pre: .pre} {:table: .aria-labeledby="caption"} {:codeblock: .codeblock} {:tip: .tip} {:note: .note} {:important: .important} {:deprecated: .deprecated} {:download: .download}

User access permissions

{: #access_reference}

When you assign cluster permissions, it can be hard to judge which role you need to assign to a user. Use the tables in the following sections to determine the minimum level of permissions that are required to perform common tasks in {{site.data.keyword.containerlong}}. {: shortdesc}

As of 30 January 2019, {{site.data.keyword.containerlong_notm}} has a new way of authorizing users with {{site.data.keyword.Bluemix_notm}} IAM: service access roles. These service roles are used to grant access to resources within the cluster, such as Kubernetes namespaces. For more information, check out the blog, Introducing service roles and namespaces in IAM for more granular control of cluster access External link icon. {: note}

{{site.data.keyword.Bluemix_notm}} IAM platform roles

{: #iam_platform}

{{site.data.keyword.containerlong_notm}} is configured to use {{site.data.keyword.Bluemix_notm}} Identity and Access Management (IAM) roles. {{site.data.keyword.Bluemix_notm}} IAM platform roles determine the actions that users can perform on {{site.data.keyword.Bluemix_notm}} resources such as clusters, worker nodes, and Ingress application load balancers (ALBs). {{site.data.keyword.Bluemix_notm}} IAM platform roles also automatically set basic infrastructure permissions for users. To set platform roles, see Assigning {{site.data.keyword.Bluemix_notm}} IAM platform permissions. {: shortdesc}

Do not assign {{site.data.keyword.Bluemix_notm}} IAM platform roles at the same time as a service role. You must assign platform and service roles separately.

In each of the following sections, the tables show cluster management, logging, and Ingress permissions granted by each {{site.data.keyword.Bluemix_notm}} IAM platform role. The tables are organized alphabetically by CLI command name.

Actions requiring no permissions

{: #none-actions}

Any user in your account who runs the CLI command or makes the API call for the action in the following table sees the result, even if the user has no assigned permissions. {: shortdesc}

Overview of CLI commands and API calls that require no permissions in {{site.data.keyword.containerlong_notm}}
Cluster management action CLI command API call
View a list of supported versions for managed add-ons in {{site.data.keyword.containerlong_notm}}. [ibmcloud ks addon-versions](/docs/containers?topic=containers-cs_cli_reference#cs_addon_versions) [GET /v1/kube-versions](https://containers.cloud.ibm.com/swagger-api/#!/util/GetAddons)
Target or view the API endpoint for {{site.data.keyword.containerlong_notm}}. [ibmcloud ks api](/docs/containers?topic=containers-cs_cli_reference#cs_cli_api) -
View a list of supported commands and parameters. [ibmcloud ks help](/docs/containers?topic=containers-cs_cli_reference#cs_help) -
Initialize the {{site.data.keyword.containerlong_notm}} plug-in or specify the region where you want to create or access Kubernetes clusters. [ibmcloud ks init](/docs/containers?topic=containers-cs_cli_reference#cs_init) -
View a list of Kubernetes versions supported in {{site.data.keyword.containerlong_notm}}. [ibmcloud ks kube-versions](/docs/containers?topic=containers-cs_cli_reference#cs_kube_versions) [GET /v1/kube-versions](https://containers.cloud.ibm.com/swagger-api/#!/util/GetKubeVersions)
View a list of available machine types for your worker nodes. [ibmcloud ks machine-types](/docs/containers?topic=containers-cs_cli_reference#cs_machine_types) [GET /v1/datacenters/{datacenter}/machine-types](https://containers.cloud.ibm.com/swagger-api/#!/util/GetDatacenterMachineTypes)
View current messages for the IBMid user. [ibmcloud ks messages](/docs/containers?topic=containers-cs_cli_reference#cs_messages) [GET /v1/messages](https://containers.cloud.ibm.com/swagger-api/#!/util/GetMessages)
Find the {{site.data.keyword.containerlong_notm}} region that you are currently in. [ibmcloud ks region](/docs/containers?topic=containers-cs_cli_reference#cs_region) -
Set the region for {{site.data.keyword.containerlong_notm}}. [ibmcloud ks region-set](/docs/containers?topic=containers-cs_cli_reference#cs_region-set) -
Lists the available regions. [ibmcloud ks regions](/docs/containers?topic=containers-cs_cli_reference#cs_regions) [GET /v1/regions](https://containers.cloud.ibm.com/swagger-api/#!/util/GetRegions)
View a list of available zones that you can create a cluster in. [ibmcloud ks zones](/docs/containers?topic=containers-cs_cli_reference#cs_datacenters) [GET /v1/zones](https://containers.cloud.ibm.com/swagger-api/#!/util/GetZones)

Viewer actions

{: #view-actions}

The Viewer platform role includes the actions that require no permissions, plus the permissions that are shown in the following table. With the Viewer role, users such as auditors or billing can see cluster details but not modify the infrastructure. {: shortdesc}

Overview of cluster management CLI commands and API calls that require the Viewer platform role in {{site.data.keyword.containerlong_notm}}
Cluster management action CLI command API call
View the name and email address for the owner of the {{site.data.keyword.Bluemix_notm}} IAM API key for a resource group and region. [ibmcloud ks api-key-info](/docs/containers?topic=containers-cs_cli_reference#cs_api_key_info) [GET /v1/logging/{idOrName}/clusterkeyowner](https://containers.cloud.ibm.com/swagger-logging/#!/logging/GetClusterKeyOwner)
Download Kubernetes configuration data and certificates to connect to your cluster and run `kubectl` commands. [ibmcloud ks cluster-config](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_config) [GET /v1/clusters/{idOrName}/config](https://containers.cloud.ibm.com/swagger-api/#!/clusters/GetClusterConfig)
View information for a cluster. [ibmcloud ks cluster-get](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_get) [GET /v1/clusters/{idOrName}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/GetCluster)
List all services in all namespaces that are bound to a cluster. [ibmcloud ks cluster-services](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_services) [GET /v1/clusters/{idOrName}/services](https://containers.cloud.ibm.com/swagger-api/#!/clusters/ListServicesForAllNamespaces)
List all clusters. [ibmcloud ks clusters](/docs/containers?topic=containers-cs_cli_reference#cs_clusters) [GET /v1/clusters](https://containers.cloud.ibm.com/swagger-api/#!/clusters/GetClusters)
Get the infrastructure credentials that are set for the {{site.data.keyword.Bluemix_notm}} account to access a different IBM Cloud infrastructure (SoftLayer) portfolio. [ibmcloud ks credential-get](/docs/containers?topic=containers-cs_cli_reference#cs_credential_get)[GET /v1/credentials](https://containers.cloud.ibm.com/swagger-api/#!/accounts/GetUserCredentials)
List all services bound to a specific namespace. - [GET /v1/clusters/{idOrName}/services/{namespace}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/ListServicesInNamespace)
List all user-managed subnets that are bound to a cluster. - [GET /v1/clusters/{idOrName}/usersubnets](https://containers.cloud.ibm.com/swagger-api/#!/clusters/GetClusterUserSubnet)
List available subnets in the infrastructure account. [ibmcloud ks subnets](/docs/containers?topic=containers-cs_cli_reference#cs_subnets) [GET /v1/subnets](https://containers.cloud.ibm.com/swagger-api/#!/properties/ListSubnets)
View the VLAN spanning status for the infrastructure account. [ibmcloud ks vlan-spanning-get](/docs/containers?topic=containers-cs_cli_reference#cs_vlan_spanning_get) [GET /v1/subnets/vlan-spanning](https://containers.cloud.ibm.com/swagger-api/#!/accounts/GetVlanSpanning)
When set for one cluster: List VLANs that the cluster is connected to in a zone.
When set for all clusters in the account: List all available VLANs in a zone.		 [ibmcloud ks vlans](/docs/containers?topic=containers-cs_cli_reference#cs_vlans) [GET /v1/datacenters/{datacenter}/vlans](https://containers.cloud.ibm.com/swagger-api/#!/properties/GetDatacenterVLANs)
List all webhooks for a cluster. - [GET /v1/clusters/{idOrName}/webhooks](https://containers.cloud.ibm.com/swagger-api/#!/clusters/GetClusterWebhooks)
View information for a worker node. [ibmcloud ks worker-get](/docs/containers?topic=containers-cs_cli_reference#cs_worker_get) [GET /v1/clusters/{idOrName}/workers/{workerId}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/GetWorkers)
View information for a worker pool. [ibmcloud ks worker-pool-get](/docs/containers?topic=containers-cs_cli_reference#cs_worker_pool_get) [GET /v1/clusters/{idOrName}/workerpools/{poolidOrName}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/GetWorkerPool)
List all worker pools in a cluster. [ibmcloud ks worker-pools](/docs/containers?topic=containers-cs_cli_reference#cs_worker_pools) [GET /v1/clusters/{idOrName}/workerpools](https://containers.cloud.ibm.com/swagger-api/#!/clusters/GetWorkerPools)
List all worker nodes in a cluster. [ibmcloud ks workers](/docs/containers?topic=containers-cs_cli_reference#cs_workers) [GET /v1/clusters/{idOrName}/workers](https://containers.cloud.ibm.com/swagger-api/#!/clusters/GetClusterWorkers)
Overview of Ingress CLI commands and API calls that require the Viewer platform role in {{site.data.keyword.containerlong_notm}}
Ingress action CLI command API call
View information for an Ingress ALB. [ibmcloud ks alb-get](/docs/containers?topic=containers-cs_cli_reference#cs_alb_get) [GET /albs/{albId}](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/GetClusterALB)
View ALB types that are supported in the region. [ibmcloud ks alb-types](/docs/containers?topic=containers-cs_cli_reference#cs_alb_types) [GET /albtypes](https://containers.cloud.ibm.com/swagger-alb-api/#!/util/GetAvailableALBTypes)
List all Ingress ALBs in a cluster. [ibmcloud ks albs](/docs/containers?topic=containers-cs_cli_reference#cs_albs) [GET /clusters/{idOrName}](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/GetClusterALBs)
Overview of logging CLI commands and API calls that require the Viewer platform role in {{site.data.keyword.containerlong_notm}}
Logging action CLI command API call
View the status for automatic updates of the Fluentd add-on. [ibmcloud ks logging-autoupdate-get](/docs/containers?topic=containers-cs_cli_reference#cs_log_autoupdate_get) [GET /v1/logging/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/swagger-logging/#!/logging/GetUpdatePolicy)
View the default logging endpoint for the target region. - [GET /v1/logging/{idOrName}/default](https://containers.cloud.ibm.com/swagger-logging/#!/logging/GetDefaultLoggingEndpoint)
List all log forwarding configurations in the cluster or for a specific log source in the cluster. [ibmcloud ks logging-config-get](/docs/containers?topic=containers-cs_cli_reference#cs_logging_get) [GET /v1/logging/{idOrName}/loggingconfig](https://containers.cloud.ibm.com/swagger-logging/#!/logging/FetchLoggingConfigs) and [GET /v1/logging/{idOrName}/loggingconfig/{logSource}](https://containers.cloud.ibm.com/swagger-logging/#!/logging/FetchLoggingConfigsForSource)
View information for a log filtering configuration. [ibmcloud ks logging-filter-get](/docs/containers?topic=containers-cs_cli_reference#cs_log_filter_view) [GET /v1/logging/{idOrName}/filterconfigs/{id}](https://containers.cloud.ibm.com/swagger-logging/#!/filter/FetchFilterConfig)
List all logging filter configurations in the cluster. [ibmcloud ks logging-filter-get](/docs/containers?topic=containers-cs_cli_reference#cs_log_filter_view) [GET /v1/logging/{idOrName}/filterconfigs](https://containers.cloud.ibm.com/swagger-logging/#!/filter/FetchFilterConfigs)

Editor actions

{: #editor-actions}

The Editor platform role includes the permissions that are granted by Viewer, plus the following. With the Editor role, users such as developers can bind services, work with Ingress resources, and set up log forwarding for their apps but cannot modify the infrastructure. Tip: Use this role for app developers, and assign the Cloud Foundry Developer role. {: shortdesc}

Overview of cluster management CLI commands and API calls that require the Editor platform role in {{site.data.keyword.containerlong_notm}}
Cluster management action CLI command API call
Bind a service to a cluster. **Note**: The Developer Cloud Foundry role in the space that the service is in is also required. [ibmcloud ks cluster-service-bind](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_service_bind) [POST /v1/clusters/{idOrName}/services](https://containers.cloud.ibm.com/swagger-api/#!/clusters/BindServiceToNamespace)
Unbind a service from a cluster. **Note**: The Developer Cloud Foundry role in the space that the service is in is also required. [ibmcloud ks cluster-service-unbind](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_service_unbind) [DELETE /v1/clusters/{idOrName}/services/{namespace}/{serviceInstanceId}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/UnbindServiceFromNamespace)
Create a webhook in a cluster. [ibmcloud ks webhook-create](/docs/containers?topic=containers-cs_cli_reference#cs_webhook_create) [POST /v1/clusters/{idOrName}/webhooks](https://containers.cloud.ibm.com/swagger-api/#!/clusters/AddClusterWebhooks)
Overview of Ingress CLI commands and API calls that require the Editor platform role in {{site.data.keyword.containerlong_notm}}
Ingress action CLI command API call
Disable automatic updates for the Ingress ALB add-on. [ibmcloud ks alb-autoupdate-disable](/docs/containers?topic=containers-cs_cli_reference#cs_alb_autoupdate_disable) [PUT /clusters/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/ChangeUpdatePolicy)
Enable automatic updates for the Ingress ALB add-on. [ibmcloud ks alb-autoupdate-enable](/docs/containers?topic=containers-cs_cli_reference#cs_alb_autoupdate_enable) [PUT /clusters/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/ChangeUpdatePolicy)
Check if automatic updates for the Ingress ALB add-on are enabled. [ibmcloud ks alb-autoupdate-get](/docs/containers?topic=containers-cs_cli_reference#cs_alb_autoupdate_get) [GET /clusters/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/GetUpdatePolicy)
Enable or disable an Ingress ALB. [ibmcloud ks alb-configure](/docs/containers?topic=containers-cs_cli_reference#cs_alb_configure) [POST /albs](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/EnableALB) and [DELETE /albs/{albId}](https://containers.cloud.ibm.com/swagger-alb-api/#/)
Roll back the an Ingress ALB add-on update to the build that your ALB pods were previously running. [ibmcloud ks alb-rollback](/docs/containers?topic=containers-cs_cli_reference#cs_alb_rollback) [PUT /clusters/{idOrName}/updaterollback](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/RollbackUpdate)
Force a one-time update of your ALB pods by manually updating the Ingress ALB add-on. [ibmcloud ks alb-update](/docs/containers?topic=containers-cs_cli_reference#cs_alb_update) [PUT /clusters/{idOrName}/update](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/UpdateALBs)
Overview of network load balancer (NLB) DNS host and health check monitor CLI commands and API calls that require the Editor platform role in {{site.data.keyword.containerlong_notm}}
Network load balancer (NLB) DNS action CLI command API call
Add one NLB IP to an existing NLB host name. [ibmcloud ks nlb-dns-add](/docs/containers?topic=containers-cs_cli_reference#cs_nlb-dns-add) [PUT /clusters/{idOrName}/add](https://containers.cloud.ibm.com/swagger-dns-api/#!/nlb45dns/UpdateDNSWithIP)
Create a DNS host name to register one or more NLB IPs. [ibmcloud ks nlb-dns-create](/docs/containers?topic=containers-cs_cli_reference#cs_nlb-dns-create) [POST /clusters/{idOrName}/register](https://containers.cloud.ibm.com/swagger-dns-api/#!/nlb45dns/RegisterDNSWithIP)
List the NLB host names and IP addresses that are registered in a cluster. [ibmcloud ks nlb-dnss](/docs/containers?topic=containers-cs_cli_reference#cs_nlb-dns-ls) [GET /clusters/{idOrName}/list](https://containers.cloud.ibm.com/swagger-dns-api/#!/nlb45dns/ListNLBIPsForSubdomain)
Remove an NLB IP address from a host name. [ibmcloud ks nlb-dns-rm](/docs/containers?topic=containers-cs_cli_reference#cs_nlb-dns-rm) [DELETE /clusters/{idOrName}/host/{nlbHost}/ip/{nlbIP}/remove](https://containers.cloud.ibm.com/swagger-dns-api/#!/nlb45dns/UnregisterDNSWithIP)
Configure and optionally enable a health check monitor for an existing NLB host name in a cluster. [ibmcloud ks nlb-dns-monitor-configure](/docs/containers?topic=containers-cs_cli_reference#cs_nlb-dns-monitor-configure) [POST /health/clusters/{idOrName}/config](https://containers.cloud.ibm.com/swagger-dns-api/#!/nlb45health45monitor/AddNlbDNSHealthMonitor)
View the settings for an existing health check monitor. [ibmcloud ks nlb-dns-monitor-get](/docs/containers?topic=containers-cs_cli_reference#cs_nlb-dns-monitor-get) [GET /health/clusters/{idOrName}/host/{nlbHost}/config](https://containers.cloud.ibm.com/swagger-dns-api/#!/nlb45health45monitor/GetNlbDNSHealthMonitor)
Disable an existing health check monitor for a host name in a cluster. [ibmcloud ks nlb-dns-monitor-disable](/docs/containers?topic=containers-cs_cli_reference#cs_nlb-dns-monitor-disable) [PUT /clusters/{idOrName}/health](https://containers.cloud.ibm.com/swagger-dns-api/#!/nlb45health45monitor/UpdateNlbDNSHealthMonitor)
Enable a health check monitor that you configured. [ibmcloud ks nlb-dns-monitor-enable](/docs/containers?topic=containers-cs_cli_reference#cs_nlb-dns-monitor-enable) [PUT /clusters/{idOrName}/health](https://containers.cloud.ibm.com/swagger-dns-api/#!/nlb45health45monitor/UpdateNlbDNSHealthMonitor)
List the health check monitor settings for each NLB host name in a cluster. [ibmcloud ks nlb-dns-monitor-ls](/docs/containers?topic=containers-cs_cli_reference#cs_nlb-dns-monitor-ls) [GET /health/clusters/{idOrName}/list](https://containers.cloud.ibm.com/swagger-dns-api/#!/nlb45health45monitor/ListNlbDNSHealthMonitors)
List the health check status for the IPs behind NLB host names in a cluster. [ibmcloud ks nlb-dns-monitor-status](/docs/containers?topic=containers-cs_cli_reference#cs_nlb-dns-monitor-status) [GET /health/clusters/{idOrName}/status](https://containers.cloud.ibm.com/swagger-dns-api/#!/nlb45health45monitor/ListNlbDNSHealthMonitorStatus)
Overview of logging CLI commands and API calls that require the Editor platform role in {{site.data.keyword.containerlong_notm}}
Logging action CLI command API call
Create an API server audit webhook. [ibmcloud ks apiserver-config-set](/docs/containers?topic=containers-cs_cli_reference#cs_apiserver_config_set) [PUT /v1/clusters/{idOrName}/apiserverconfigs/auditwebhook](https://containers.cloud.ibm.com/swagger-api/#!/clusters/apiserverconfigs/UpdateAuditWebhook)
Delete an API server audit webhook. [ibmcloud ks apiserver-config-unset](/docs/containers?topic=containers-cs_cli_reference#cs_apiserver_config_unset) [DELETE /v1/clusters/{idOrName}/apiserverconfigs/auditwebhook](https://containers.cloud.ibm.com/swagger-api/#!/apiserverconfigs/DeleteAuditWebhook)
Create a log forwarding configuration for all log sources except kube-audit. [ibmcloud ks logging-config-create](/docs/containers?topic=containers-cs_cli_reference#cs_logging_create) [POST /v1/logging/{idOrName}/loggingconfig/{logSource}](https://containers.cloud.ibm.com/swagger-logging/#!/logging/CreateLoggingConfig)
Refresh a log forwarding configuration. [ibmcloud ks logging-config-refresh](/docs/containers?topic=containers-cs_cli_reference#cs_logging_refresh) [PUT /v1/logging/{idOrName}/refresh](https://containers.cloud.ibm.com/swagger-logging/#!/logging/RefreshLoggingConfig)
Delete a log forwarding configuration for all log sources except kube-audit. [ibmcloud ks logging-config-rm](/docs/containers?topic=containers-cs_cli_reference#cs_logging_rm) [DELETE /v1/logging/{idOrName}/loggingconfig/{logSource}/{id}](https://containers.cloud.ibm.com/swagger-logging/#!/logging/DeleteLoggingConfig)
Delete all log forwarding configurations for a cluster. - [DELETE /v1/logging/{idOrName}/loggingconfig](https://containers.cloud.ibm.com/swagger-logging/#!/logging/DeleteLoggingConfigs)
Update a log forwarding configuration. [ibmcloud ks logging-config-update](/docs/containers?topic=containers-cs_cli_reference#cs_logging_update) [PUT /v1/logging/{idOrName}/loggingconfig/{logSource}/{id}](https://containers.cloud.ibm.com/swagger-logging/#!/logging/UpdateLoggingConfig)
Create a log filtering configuration. [ibmcloud ks logging-filter-create](/docs/containers?topic=containers-cs_cli_reference#cs_log_filter_create) [POST /v1/logging/{idOrName}/filterconfigs](https://containers.cloud.ibm.com/swagger-logging/#!/filter/CreateFilterConfig)
Delete a log filtering configuration. [ibmcloud ks logging-filter-rm](/docs/containers?topic=containers-cs_cli_reference#cs_log_filter_delete) [DELETE /v1/logging/{idOrName}/filterconfigs/{id}](https://containers.cloud.ibm.com/swagger-logging/#!/filter/DeleteFilterConfig)
Delete all logging filter configurations for the Kubernetes cluster. - [DELETE /v1/logging/{idOrName}/filterconfigs](https://containers.cloud.ibm.com/swagger-logging/#!/filter/DeleteFilterConfigs)
Update a log filtering configuration. [ibmcloud ks logging-filter-update](/docs/containers?topic=containers-cs_cli_reference#cs_log_filter_update) [PUT /v1/logging/{idOrName}/filterconfigs/{id}](https://containers.cloud.ibm.com/swagger-logging/#!/filter/UpdateFilterConfig)

Operator actions

{: #operator-actions}

The Operator platform role includes the permissions that are granted by Viewer, plus the permissions that are shown in the following table. With the Operator role, users such as site reliability engineers, DevOps engineers, or cluster administrators can add worker nodes and troubleshoot infrastructure such as by reloading a worker node, but cannot create or delete the cluster, change the credentials, or set up cluster-wide features like service endpoints or managed add-ons. {: shortdesc}

Overview of cluster management CLI commands and API calls that require the Operator platform role in {{site.data.keyword.containerlong_notm}}
Cluster management action CLI command API call
Refresh the Kubernetes master. [ibmcloud ks apiserver-refresh](/docs/containers?topic=containers-cs_cli_reference#cs_apiserver_refresh) [PUT /v1/clusters/{idOrName}/masters](https://containers.cloud.ibm.com/swagger-api/#!/clusters/HandleMasterAPIServer)
Make an {{site.data.keyword.Bluemix_notm}} IAM service ID for the cluster, create a policy for the service ID that assigns the **Reader** service access role in {{site.data.keyword.registrylong_notm}}, and then create an API key for the service ID. [ibmcloud ks cluster-pull-secret-apply](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_pull_secret_apply) -
Restart the cluster master nodes to apply new Kubernetes API configuration changes. [ibmcloud ks cluster-refresh](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_refresh) [PUT /v1/clusters/{idOrName}/masters](https://containers.cloud.ibm.com/swagger-api/#!/clusters/HandleMasterAPIServer)
Add a subnet to a cluster. [ibmcloud ks cluster-subnet-add](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_subnet_add) [PUT /v1/clusters/{idOrName}/subnets/{subnetId}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/AddClusterSubnet)
Create a subnet. [ibmcloud ks cluster-subnet-create](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_subnet_create) [POST /v1/clusters/{idOrName}/vlans/{vlanId}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/CreateClusterSubnet)
Update a cluster. [ibmcloud ks cluster-update](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_update) [PUT /v1/clusters/{idOrName}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/UpdateCluster)
Add a user-managed subnet to a cluster. [ibmcloud ks cluster-user-subnet-add](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_user_subnet_add) [POST /v1/clusters/{idOrName}/usersubnets](https://containers.cloud.ibm.com/swagger-api/#!/clusters/AddClusterUserSubnet)
Remove a user-managed subnet from a cluster. [ibmcloud ks cluster-user-subnet-rm](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_user_subnet_rm) [DELETE /v1/clusters/{idOrName}/usersubnets/{subnetId}/vlans/{vlanId}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/RemoveClusterUserSubnet)
Add worker nodes. [ibmcloud ks worker-add (deprecated)](/docs/containers?topic=containers-cs_cli_reference#cs_worker_add) [POST /v1/clusters/{idOrName}/workers](https://containers.cloud.ibm.com/swagger-api/#!/clusters/AddClusterWorkers)
Create a worker pool. [ibmcloud ks worker-pool-create](/docs/containers?topic=containers-cs_cli_reference#cs_worker_pool_create) [POST /v1/clusters/{idOrName}/workerpools](https://containers.cloud.ibm.com/swagger-api/#!/clusters/CreateWorkerPool)
Rebalance a worker pool. [ibmcloud ks worker-pool-rebalance](/docs/containers?topic=containers-cs_cli_reference#cs_rebalance) [PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/PatchWorkerPool)
Resize a worker pool. [ibmcloud ks worker-pool-resize](/docs/containers?topic=containers-cs_cli_reference#cs_worker_pool_resize) [PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/PatchWorkerPool)
Delete a worker pool. [ibmcloud ks worker-pool-rm](/docs/containers?topic=containers-cs_cli_reference#cs_worker_pool_rm) [DELETE /v1/clusters/{idOrName}/workerpools/{poolidOrName}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/RemoveWorkerPool)
Reboot a worker node. [ibmcloud ks worker-reboot](/docs/containers?topic=containers-cs_cli_reference#cs_worker_reboot) [PUT /v1/clusters/{idOrName}/workers/{workerId}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/UpdateClusterWorker)
Reload a worker node. [ibmcloud ks worker-reload](/docs/containers?topic=containers-cs_cli_reference#cs_worker_reload) [PUT /v1/clusters/{idOrName}/workers/{workerId}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/UpdateClusterWorker)
Remove a worker node. [ibmcloud ks worker-rm](/docs/containers?topic=containers-cs_cli_reference#cs_worker_rm) [DELETE /v1/clusters/{idOrName}/workers/{workerId}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/RemoveClusterWorker)
Update a worker node. [ibmcloud ks worker-update](/docs/containers?topic=containers-cs_cli_reference#cs_worker_update) [PUT /v1/clusters/{idOrName}/workers/{workerId}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/UpdateClusterWorker)
Add a zones to a worker pool. [ibmcloud ks zone-add](/docs/containers?topic=containers-cs_cli_reference#cs_zone_add) [POST /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones](https://containers.cloud.ibm.com/swagger-api/#!/clusters/AddWorkerPoolZone)
Update the network configuration for a given zone in a worker pool. [ibmcloud ks zone-network-set](/docs/containers?topic=containers-cs_cli_reference#cs_zone_network_set) [PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones/{zoneid}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/AddWorkerPoolZoneNetwork)
Remove a zone a from worker pool. [ibmcloud ks zone-rm](/docs/containers?topic=containers-cs_cli_reference#cs_zone_rm) [DELETE /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones/{zoneid}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/RemoveWorkerPoolZone)

Administrator actions

{: #admin-actions}

The Administrator platform role includes all permissions that are granted by the Viewer, Editor, and Operator roles, plus the following. With the Administrator role, users such as cluster or account administrators can create and delete clusters or set up cluster-wide features like service endpoints or managed add-ons. To create order such infrastructure resources such as worker node machines, VLANs, and subnets, Administrator users need the Super user infrastructure role or the API key for the region must be set with the appropriate permissions. {: shortdesc}

Overview of cluster management CLI commands and API calls that require the Administrator platform role in {{site.data.keyword.containerlong_notm}}
Cluster management action CLI command API call
Set the API key for the {{site.data.keyword.Bluemix_notm}} account to access the linked IBM Cloud infrastructure (SoftLayer) portfolio. [ibmcloud ks api-key-reset](/docs/containers?topic=containers-cs_cli_reference#cs_api_key_reset) [POST /v1/keys](https://containers.cloud.ibm.com/swagger-api/#!/accounts/ResetUserAPIKey)
Disable a managed add-on, such Istio or Knative, in a cluster. [ibmcloud ks cluster-addon-disable](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_addon_disable) [PATCH /v1/clusters/{idOrName}/addons](https://containers.cloud.ibm.com/swagger-api/#!/clusters/ManageClusterAddons)
Enable a managed add-on, such Istio or Knative, in a cluster. [ibmcloud ks cluster-addon-enable](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_addon_enable) [PATCH /v1/clusters/{idOrName}/addons](https://containers.cloud.ibm.com/swagger-api/#!/clusters/ManageClusterAddons)
List managed add-on, such Istio or Knative, that are enabled in a cluster. [ibmcloud ks cluster-addons](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_addons) [GET /v1/clusters/{idOrName}/addons](https://containers.cloud.ibm.com/swagger-api/#!/clusters/GetClusterAddons)
Create a free or standard cluster. **Note**: The Administrator platform role for {{site.data.keyword.registrylong_notm}} and the Super User infrastructure role are also required. [ibmcloud ks cluster-create](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_create) [POST /v1/clusters](https://containers.cloud.ibm.com/swagger-api/#!/clusters/CreateCluster)
Disable a specified feature for a cluster, such as the public service endpoint for the cluster master. [ibmcloud ks cluster-feature-disable](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_feature_disable) -
Enable a specified feature for a cluster, such as the private service endpoint for the cluster master. [ibmcloud ks cluster-feature-enable](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_feature_enable) -
Delete a cluster. [ibmcloud ks cluster-rm](/docs/containers?topic=containers-cs_cli_reference#cs_cluster_rm) [DELETE /v1/clusters/{idOrName}](https://containers.cloud.ibm.com/swagger-api/#!/clusters/RemoveCluster)
Set infrastructure credentials for the {{site.data.keyword.Bluemix_notm}} account to access a different IBM Cloud infrastructure (SoftLayer) portfolio. [ibmcloud ks credential-set](/docs/containers?topic=containers-cs_cli_reference#cs_credentials_set) [POST /v1/credentials](https://containers.cloud.ibm.com/swagger-api/#!/clusters/accounts/StoreUserCredentials)
Remove infrastructure credentials for the {{site.data.keyword.Bluemix_notm}} account to access a different IBM Cloud infrastructure (SoftLayer) portfolio. [ibmcloud ks credential-unset](/docs/containers?topic=containers-cs_cli_reference#cs_credentials_unset) [DELETE /v1/credentials](https://containers.cloud.ibm.com/swagger-api/#!/clusters/accounts/RemoveUserCredentials)
Encrypt Kubernetes secrets by using {{site.data.keyword.keymanagementservicefull}}. [ibmcloud ks key-protect-enable](/docs/containers?topic=containers-cs_cli_reference#cs_messages) [POST /v1/clusters/{idOrName}/kms](https://containers.cloud.ibm.com/swagger-api/#!/clusters/CreateKMSConfig)
Overview of Ingress CLI commands and API calls that require the Administrator platform role in {{site.data.keyword.containerlong_notm}}
Ingress action CLI command API call
Deploy or update a certificate from your {{site.data.keyword.cloudcerts_long_notm}} instance to an ALB. [ibmcloud ks alb-cert-deploy](/docs/containers?topic=containers-cs_cli_reference#cs_alb_cert_deploy) [POST /albsecrets](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/CreateALBSecret) or [PUT /albsecrets](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/UpdateALBSecret)
View details for an ALB secret in a cluster. [ibmcloud ks alb-cert-get](/docs/containers?topic=containers-cs_cli_reference#cs_alb_cert_get) [GET /clusters/{idOrName}/albsecrets](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/ViewClusterALBSecrets)
Remove an ALB secret from a cluster. [ibmcloud ks alb-cert-rm](/docs/containers?topic=containers-cs_cli_reference#cs_alb_cert_rm) [DELETE /clusters/{idOrName}/albsecrets](https://containers.cloud.ibm.com/swagger-alb-api/#!/alb/DeleteClusterALBSecrets)
List all ALB secrets in a cluster. [ibmcloud ks alb-certs](/docs/containers?topic=containers-cs_cli_reference#cs_alb_certs) -
Overview of logging CLI commands and API calls that require the Administrator platform role in {{site.data.keyword.containerlong_notm}}
Logging action CLI command API call
Disable automatic updates for the Fluentd cluster add-on. [ibmcloud ks logging-autoupdate-disable](/docs/containers?topic=containers-cs_cli_reference#cs_log_autoupdate_disable) [PUT /v1/logging/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/swagger-logging/#!/logging/ChangeUpdatePolicy)
Enable automatic updates for the Fluentd cluster add-on. [ibmcloud ks logging-autoupdate-enable](/docs/containers?topic=containers-cs_cli_reference#cs_log_autoupdate_enable) [PUT /v1/logging/{idOrName}/updatepolicy](https://containers.cloud.ibm.com/swagger-logging/#!/logging/ChangeUpdatePolicy)
Collect a snapshot of API server logs in an {{site.data.keyword.cos_full_notm}} bucket. [ibmcloud ks logging-collect](/docs/containers?topic=containers-cs_cli_reference#cs_log_collect) -
See the status of the API server logs snapshot request. [ibmcloud ks logging-collect-status](/docs/containers?topic=containers-cs_cli_reference#cs_log_collect_status) -
Create a log forwarding configuration for the kube-audit log source. [ibmcloud ks logging-config-create](/docs/containers?topic=containers-cs_cli_reference#cs_logging_create) [POST /v1/logging/{idOrName}/loggingconfig/{logSource}](https://containers.cloud.ibm.com/swagger-logging/#!/logging/CreateLoggingConfig)
Delete a log forwarding configuration for the kube-audit log source. [ibmcloud ks logging-config-rm](/docs/containers?topic=containers-cs_cli_reference#cs_logging_rm) [DELETE /v1/logging/{idOrName}/loggingconfig/{logSource}/{id}](https://containers.cloud.ibm.com/swagger-logging/#!/logging/DeleteLoggingConfig)

{{site.data.keyword.Bluemix_notm}} IAM service roles

{: #service}

Every user who is assigned an {{site.data.keyword.Bluemix_notm}} IAM service access role is also automatically assigned a corresponding Kubernetes role-based access control (RBAC) role in a specific namespace. To learn more about service access roles, see {{site.data.keyword.Bluemix_notm}} IAM service roles. Do not assign {{site.data.keyword.Bluemix_notm}} IAM platform roles at the same time as a service role. You must assign platform and service roles separately. {: shortdesc}

Looking for which Kubernetes actions each service role grants through RBAC? See Kubernetes resource permissions per RBAC role. To learn more about RBAC roles, see Assigning RBAC permissions. {: tip}

The following table shows the Kubernetes resource permissions granted by each service role and its corresponding RBAC role.

that applies to all namespaces Kubernetes resource permissions by service and corresponding RBAC roles
Service role Corresponding RBAC role, binding, and scope Kubernetes resource permissions
Reader role When scoped to one namespace: view cluster role applied by the ibm-view role binding in that namespace

When scoped to all namespaces: view cluster role applied by the ibm-view role binding in each namespace of the cluster
  • Read access to resources in a namespace
  • No read access to roles and role bindings or to Kubernetes secrets
  • Access the Kubernetes dashboard to view resources in a namespace
Writer role When scoped to one namespace: edit cluster role applied by the ibm-edit role binding in that namespace

When scoped to all namespaces: edit cluster role applied by the ibm-edit role binding in each namespace of the cluster
  • Read/write access to resources in a namespace
  • No read/write access to roles and role bindings
  • Access the Kubernetes dashboard to view resources in a namespace
Manager role When scoped to one namespace: admin cluster role applied by the ibm-operate role binding in that namespace

When scoped to all namespaces: cluster-admin cluster role applied by the ibm-admin cluster role binding		When scoped to one namespace:
  • Read/write access to all resources in a namespace but not to resource quota or the namespace itself
  • Create RBAC roles and role bindings in a namespace
  • Access the Kubernetes dashboard to view all resources in a namespace

When scoped to all namespaces:
  • Read/write access to all resources in every namespace
  • Create RBAC roles and role bindings in a namespace or cluster roles and cluster role bindings in all namespaces
  • Access the Kubernetes dashboard
  • Create an Ingress resource that makes apps publicly available
  • Review cluster metrics such as with the kubectl top pods, kubectl top nodes, or kubectl get nodes commands

Kubernetes resource permissions per RBAC role

{: #rbac_ref}

Every user who is assigned an {{site.data.keyword.Bluemix_notm}} IAM service access role is also automatically assigned a corresponding, predefined Kubernetes role-based access control (RBAC) role. If you plan to manage your own custom Kubernetes RBAC roles, see Creating custom RBAC permissions for users, groups, or service accounts. {: shortdesc}

Wondering if you have the correct permissions to run a certain kubectl command on a resource in a namespace? Try the kubectl auth can-i command External link icon. {: tip}

The following table shows the permissions that are granted by each RBAC role to individual Kubernetes resources. Permissions are shown as which verbs a user with that role can complete against the resource, such as "get", "list", "describe", "create", or "delete".

Kubernetes resource permissions granted by each predefined RBAC role
Kubernetes resource view edit admin and cluster-admin
bindings get, list, watch get, list, watch get, list, watch
configmaps get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
cronjobs.batch get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
daemonsets.apps get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
daemonsets.extensions get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
deployments.apps get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
deployments.apps/rollback - create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
deployments.apps/scale get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
deployments.extensions get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
deployments.extensions/rollback - create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
deployments.extensions/scale get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
endpoints get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
events get, list, watch get, list, watch get, list, watch
horizontalpodautoscalers.autoscaling get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
ingresses.extensions get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
jobs.batch get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
limitranges get, list, watch get, list, watch get, list, watch
localsubjectaccessreviews - - create
namespaces get, list, watch get, list, watch get, list, watch
**cluster-admin only:** create, delete
namespaces/status get, list, watch get, list, watch get, list, watch
networkpolicies get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
networkpolicies.extensions get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
persistentvolumeclaims get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
poddisruptionbudgets.policy get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
pods get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, top, patch, update, watch
pods/attach - create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
pods/exec - create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
pods/log get, list, watch get, list, watch get, list, watch
pods/portforward - create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
pods/proxy - create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
pods/status get, list, watch get, list, watch get, list, watch
replicasets.apps get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
replicasets.apps/scale get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
replicasets.extensions get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
replicasets.extensions/scale get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
replicationcontrollers get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
replicationcontrollers/scale get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
replicationcontrollers/status get, list, watch get, list, watch get, list, watch
replicationcontrollers.extensions/scale get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
resourcequotas get, list, watch get, list, watch get, list, watch
resourcequotas/status get, list, watch get, list, watch get, list, watch
rolebindings - - create, delete, deletecollection, get, list, patch, update, watch
roles - - create, delete, deletecollection, get, list, patch, update, watch
secrets - create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
serviceaccounts get, list, watch create, delete, deletecollection, get, list, patch, update, watch, impersonate create, delete, deletecollection, get, list, patch, update, watch, impersonate
services get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
services/proxy - create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
statefulsets.apps get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch
statefulsets.apps/scale get, list, watch create, delete, deletecollection, get, list, patch, update, watch create, delete, deletecollection, get, list, patch, update, watch

Cloud Foundry roles

{: #cloud-foundry}

Cloud Foundry roles grant access to organizations and spaces within the account. To see the list of Cloud Foundry-based services in {{site.data.keyword.Bluemix_notm}}, run ibmcloud service list. To learn more, see all available org and space roles or the steps for managing Cloud Foundry access in the {{site.data.keyword.Bluemix_notm}} IAM documentation. {: shortdesc}

The following table shows the Cloud Foundry roles required for cluster action permissions.

Cluster management permissions by Cloud Foundry role
Cloud Foundry role Cluster management permissions
Space role: Manager Manage user access to an {{site.data.keyword.Bluemix_notm}} space
Space role: Developer
  • Create {{site.data.keyword.Bluemix_notm}} service instances
  • Bind {{site.data.keyword.Bluemix_notm}} service instances to clusters
  • View logs from a cluster's log forwarding configuration at the space level

Infrastructure roles

{: #infra}

When a user with the Super User infrastructure access role sets the API key for a region and resource group, infrastructure permissions for the other users in the account are set by {{site.data.keyword.Bluemix_notm}} IAM platform roles. You do not need to edit the other users' IBM Cloud infrastructure (SoftLayer) permissions. Only use the following table to customize users' IBM Cloud infrastructure (SoftLayer) permissions when you can't assign Super User to the user who sets the API key. For more information, see Customizing infrastructure permissions. {: shortdesc}

The following table shows the infrastructure permissions required to complete groups of common tasks.

Commonly required infrastructure permissions for {{site.data.keyword.containerlong_notm}}
Common tasks in {{site.data.keyword.containerlong_notm}} Required infrastructure permissions by category
Minimum permissions:
  • Create a cluster.
 Devices:
  • View Virtual Server Details
  • Reboot server and view IPMI system information
  • Issue OS Reloads and Initiate Rescue Kernel
Account:
  • Add Server
Cluster Administration:
  • Create, update, and delete clusters.
  • Add, reload, and reboot worker nodes.
  • View VLANs.
  • Create subnets.
  • Deploy pods and load balancer services.
 Support:
  • View Tickets
  • Add Tickets
  • Edit Tickets
Devices:
  • View Hardware Details
  • View Virtual Server Details
  • Reboot server and view IPMI system information
  • Issue OS Reloads and Initiate Rescue Kernel
Network:
  • Add Compute with Public Network Port
Account:
  • Cancel Server
  • Add Server
Storage:
  • Create persistent volume claims to provision persistent volumes.
  • Create and manage storage infrastructure resources.
 Services:
  • Manage Storage
Account:
  • Add Storage
Private Networking:
  • Manage private VLANs for in-cluster networking.
  • Set up VPN connectivity to private networks.
 Network:
  • Manage Network Subnet Routes
Public Networking:
  • Set up public load balancer or Ingress networking to expose apps.
 Devices:
  • Edit Hostname/Domain
  • Manage Port Control
Network:
  • Add Compute with Public Network Port
  • Manage Network Subnet Routes
  • Add IP Addresses
Services:
  • Manage DNS, Reverse DNS, and WHOIS
  • View Certificates (SSL)
  • Manage Certificates (SSL)