Cloud Provider Management

This is the configuration screen to register and manage cloud accounts for various cloud-related operations.

  1. From the top menu, go to System > Cloud Provider.

  2. Click "Select Action" then click "Create".

  3. Enter a name for the configuration (e.g., 'AWS Cloud').

  4. Select one of the following for the Cloud: "AWS", "AZURE", "NHN", "NAVER", "LINODE", "OCI", "K8S".

  5. Refer to the 'Input method for each cloud type' section below to enter the required information.

  6. Click Create.

Input Method for Each Cloud Type

AWS Credential Information

  1. Access Key: In the AWS Console, click the user email at the top right > Select "Security credentials" > Check and enter the 'Access key'.

  2. Secret Key: When creating the Access key, click 'Show' to check and enter the 'Secret key'.

  • Policies that must be enabled in the AWS account's IAM

    • Path: AWS Console > IAM > Users > Select user ID > Permissions > Policy name

    • AdministratorAccess: Provides full access to AWS services and resources.

    • AmazonEC2FullAccess: Full access to Amazon EC2 through the AWS Management Console.

    • AmazonRoute53FullAccess: Full access to Amazon Route 53 through the AWS Management Console.

    • AmazonS3FullAccess: Full access to all buckets through the AWS Management Console.

    • AWSMarketplaceFullAccess: Allows subscribing and unsubscribing from AWS Marketplace software, managing Marketplace software instances on the 'Your Software' page, and managing EC2 access.

    • AWSSupportAccess: Grants access to the AWS Support Center.

    • CloudFrontFullAccess: Grants full access to the CloudFront Console and the ability to list Amazon S3 buckets.

    • CloudWatchEventsFullAccess: Grants full access to Amazon CloudWatch Events.

    • CloudWatchFullAccess: Grants full access to CloudWatch.

    • SecurityAudit: Provides read-only access to security configuration metadata. Useful for software that audits the AWS account configuration.

AZURE Credential Information

  1. Client ID: Azure Portal > Azure Active Directory > App registrations > Check and enter the 'Application ID'.

  2. Client Secret: Home > Azure Active Directory > App registrations > Certificates & secrets > Check and enter the 'Value'.

  3. Subscription ID: Home > Subscriptions > Check and enter the 'Subscription ID'.

  4. Tenant ID: Home > Azure Active Directory > App registrations > Check and enter the 'Directory ID'.

  5. Resource Group Name: Home > Subscriptions > Subscription Name > Resource groups > Check and enter the 'Name'.

  • IAM roles required for the Azure account

    • Path: Access control (IAM) > View my access > Current role assignments > Role field

    • Contributor: Full access to manage all resources, except assigning roles in Azure RBAC, managing assignments in Azure Blueprints, or sharing image galleries.

    • User Access Administrator: Can manage user access to Azure resources.

    • Managed Application Operator Role: Can read and perform operations on managed application resources.

NHN Credential Information

  1. User Name: Enter the NHN Console login 'ID'.

  2. Tenant ID: Go to Compute > Instance > Management page > Click API endpoint settings button > Check and enter the 'Tenant ID'.

  3. Password: Go to Compute > Instance > Management page > Click API endpoint settings button > Set and enter the desired API 'Password'.

  • Project role settings for the NHN account's IAM

    • Path: Log in to the corresponding console > Member Management > IAM Members

    • Set the role for the project to ADMIN.

LINODE Credential Information

  1. Token: Linode Console > My Profile > API Tokens > Add a Personal Access Token > Check and enter the 'Key'.

  • Policies that must be enabled for the Linode account

    • When creating the API Token, set it to have all permissions, including create/delete.

    • Left sidebar Account > User & Grants > User Permissions for the corresponding user > Set to Full Account Access.

OCI Credential Information

  1. Tenancy OCID: OCI Console > My Profile at top right > Tenancy > Enter the OCID.

  2. User OCID: OCI Console > My Profile at top right > User Information > Enter the OCID.

  3. Fingerprint: OCI Console > My Profile at top right > API Keys > Enter the Fingerprint.

  4. Private Key: Select the private key downloaded when creating API Keys in OCI Console > My Profile at top right > API Keys.

  5. Region: Select the region information at the top right of the OCI Console.

  • Policies that must be enabled for the OCI account's IAM

    • Path: Identity & Security > Policies

    • Tenancy management policy

      • Allow group Administrators to manage all-resources in tenancy

      • Policy granting the Administrators group management permissions for all resources in the tenancy

    • User and group management policy

      • Allow group Administrators to manage users in tenancy

      • Policy granting the Administrators group permission to manage users and groups in the tenancy

    • Policy management policy

      • Allow group Administrators to manage policies in tenancy

      • Policy granting the Administrators group permission to manage policies in the tenancy

  • An API Key must be added to use the API.

    • Path: My Profile > API Keys > Add API key > Generate API Key Pair

    • Click Download Private Key to download the oci_api_key.pem file.

    • Download file path: /home/{username}/.oci/oci_api_key.pem

    • Click Add below.

    • When the API Key is successfully added, the Fingerprint value will be displayed.

K8S (Kubernetes) Credential Information

  1. Server URL: Enter the URL of the Kubernetes API server. (e.g., https://123.1.2.3:6443)

  2. Certificate Data: Copy and enter the client-certificate-data value from the kubeconfig file.

  3. Key Data: Copy and enter the client-key-data value from the kubeconfig file.

  • Kubernetes Architecture Concepts

    • Cloud Provider (K8S) = Kubernetes Cluster concept.

    • Site = Kubernetes Namespace concept.

    • Namespace represents a logically separated network space within K8S, and Sites are managed according to each Namespace.

  • kubeconfig configuration for Kubernetes cluster access

    • The kubeconfig file is typically located at ~/.kube/config.

    • If you can access the cluster using kubectl commands, you can use that kubeconfig file.

  • How to extract required information from the kubeconfig file

    1. Check Server URL:

      • Check the server value in the clusters section of the kubeconfig file.

      • Example:

        clusters:
        - cluster:
            server: https://123.1.2.3:6443
        
    2. Check Certificate Data:

      • Check the client-certificate-data value in the users section of the kubeconfig file.

      • This value is Base64-encoded certificate data.

      • Example:

        users:
        - name: kubernetes-admin
          user:
            client-certificate-data: LS0tLS1CRUdJTi...
        
    3. Check Key Data:

      • Check the client-key-data value in the users section of the kubeconfig file.

      • This value is Base64-encoded key data.

      • Example:

        users:
        - name: kubernetes-admin
          user:
            client-key-data: LS0tLS1CRUdJTi...
        
  • Notes

    • Server URL must use the https:// protocol.

    • Certificate Data and Key Data should be copied directly from the kubeconfig file.

    • Certificate and key data must be entered in Base64-encoded format.

    • After K8S integration, you can perform operations by Namespace.

    • The system verifies access to the Kubernetes API server (/api/v1/ endpoint).

  • Collected Kubernetes Resource Information

    • Device Info (DEVINFO): Pod, Node (node IP and interface information)

    • Site Info (SITEINFO):

      • Workloads: Deployment, DaemonSet, ReplicaSet, Job, CronJob

      • Config: ConfigMap, Secret

      • Network: Service, Endpoints, Ingress, NetworkPolicy

      • Security: Role, RoleBinding, ServiceAccount

  • Notes for Site Creation

    • When K8S is selected as the Cloud Provider:

      • Region and VPC ID fields are not displayed.

      • You can select from a list of Namespaces.

      • Network Address is automatically set to 0.0.0.0/0.

      • Only the Collector function is enabled after Site creation.
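The kubeconfig extraction steps and the Notes for the K8S provider above, carried out in code as an added example (not part of the product or this page): it follows `current-context` to the right cluster and user entry, rejects a non-https Server URL, and confirms that Certificate Data and Key Data are valid Base64 wrapping a PEM certificate and private key before they are entered in the form. The kubeconfig is assumed to be already parsed into a dict (for example with `yaml.safe_load`); the embedded sample, certificate and key are constructed placeholders, not real credentials.

```python
import base64
import re

# Constructed sample kubeconfig, as yaml.safe_load would return it.
# The PEM bodies are dummy placeholders, not real credentials.
DUMMY_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBdummy\n-----END CERTIFICATE-----\n"
DUMMY_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEdummy\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_KUBECONFIG = {
    "current-context": "kubernetes-admin@kubernetes",
    "contexts": [{"name": "kubernetes-admin@kubernetes",
                  "context": {"cluster": "kubernetes", "user": "kubernetes-admin"}}],
    "clusters": [{"name": "kubernetes",
                  "cluster": {"server": "https://123.1.2.3:6443"}}],
    "users": [{"name": "kubernetes-admin",
               "user": {"client-certificate-data": base64.b64encode(DUMMY_CERT).decode(),
                        "client-key-data": base64.b64encode(DUMMY_KEY).decode()}}],
}


def _check_b64_pem(value, marker):
    """Return `value` unchanged if it is strict Base64 whose decoded text is a
    PEM block whose label ends in `marker` (CERTIFICATE or PRIVATE KEY)."""
    try:
        pem = base64.b64decode(value, validate=True)
    except Exception as exc:
        raise ValueError(f"not valid Base64: {exc}") from None
    if not re.search(rb"-----BEGIN [A-Z ]*" + marker + rb"-----", pem):
        raise ValueError(f"decoded data is not a PEM {marker.decode()} block")
    return value


def extract_k8s_credentials(cfg):
    """Return the Server URL, Certificate Data and Key Data the Cloud Provider
    form asks for, taken from the context selected by current-context."""
    ctx_name = cfg.get("current-context")
    ctx = next(c["context"] for c in cfg["contexts"] if c["name"] == ctx_name)
    cluster = next(c["cluster"] for c in cfg["clusters"] if c["name"] == ctx["cluster"])
    user = next(u["user"] for u in cfg["users"] if u["name"] == ctx["user"])
    server = cluster["server"]
    if not server.startswith("https://"):
        raise ValueError(f"Server URL must use https://, got {server!r}")
    # Users that authenticate with a token or exec plugin carry no cert/key data;
    # the form needs the certificate pair, so fail clearly instead of sending blanks.
    for field in ("client-certificate-data", "client-key-data"):
        if field not in user:
            raise ValueError(f"user {ctx['user']!r} has no {field} (token/exec auth?)")
    return {
        "server": server,
        "cert_data": _check_b64_pem(user["client-certificate-data"], b"CERTIFICATE"),
        "key_data": _check_b64_pem(user["client-key-data"], b"PRIVATE KEY"),
    }
```

The three returned values map one-to-one onto the Server URL, Certificate Data and Key Data fields; the private key material should be treated with the same care as the kubeconfig file it came from.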