IAM and Activity Tracker action by API method
When you use IBM Cloud® Kubernetes Service, such as through the command line or console, the service calls application programming interface (API) methods to complete your requests. In IBM Cloud IAM, each API operation is associated with an IAM action, and a user must have an access role that includes that action to use the API operation. You can keep track of the requests that you make with an IBM Cloud Activity Tracker instance.
Review the following list of IBM Cloud Identity and Access Management (IAM) actions and IBM Cloud Activity Tracker events that correspond to each API method in IBM Cloud Kubernetes Service.
Account
Review the following account API methods, their corresponding actions in IBM Cloud IAM, and the events that are sent to IBM Cloud Activity Tracker for IBM Cloud Kubernetes Service.
API Method | Description | IAM action for the API | Event sent to Activity Tracker |
---|---|---|---|
DELETE /v1/credentials | Remove IBM Cloud infrastructure account credentials from your IBM Cloud Kubernetes Service account. | containers-kubernetes.cluster.create | containers-kubernetes.account.delete |
GET /v1/addons | List available add-ons that you can enable in a cluster. | N/A | N/A |
GET /v1/config | List configuration values for your IBM Cloud account. | containers-kubernetes.cluster.read | N/A |
GET /v1/credentials | View the IBM Cloud infrastructure account credentials that are set for your IBM Cloud Kubernetes Service account. | containers-kubernetes.cluster.read | N/A |
GET /v1/datacenters/{datacenter}/machine-types | List available machine types for a zone (data center). | N/A | N/A |
GET /v1/datacenters/{datacenter}/vlans | List available VLANs for a zone. | N/A | N/A |
GET /v1/infra-permissions | Get details on the permissions that the IBM Cloud infrastructure credentials have. | containers-kubernetes.cluster.read | N/A |
GET /v1/kube-versions | Deprecated: List available Kubernetes versions. | N/A | N/A |
GET /v1/locations | List available locations. | N/A | N/A |
GET /v1/messages | View the current user messages. | N/A | N/A |
GET /v1/prodconfig | List product-specific values to substitute for variables in other files. | N/A | N/A |
GET /v1/regions | Deprecated: List available Kubernetes Service regions. | N/A | N/A |
GET /v1/subnets | List available IBM Cloud infrastructure subnets. | containers-kubernetes.cluster.read | N/A |
GET /v1/subnets/vlan-spanning | View the VLAN spanning status. | containers-kubernetes.cluster.read | N/A |
GET /v1/user-config | View a user's ability to create clusters in a region and resource group. | containers-kubernetes.cluster.read | N/A |
GET /v1/versions | List available IBM Cloud Kubernetes Service versions. | containers-kubernetes.cluster.read | N/A |
GET /v1/zones | List available zones (data centers). | N/A | N/A |
GET /v2/getMessages | View the current user messages. | N/A | N/A |
GET /v2/getQuota | View the quota for resources per region in the account. | containers-kubernetes.cluster.read | N/A |
GET /v2/getVersions | List available IBM Cloud Kubernetes Service versions. | containers-kubernetes.cluster.read | N/A |
GET /v2/vpc/getZones | List available zones in a region. | N/A | N/A |
POST /v1/credentials | Set IBM Cloud infrastructure account credentials for your IBM Cloud Kubernetes Service account. | containers-kubernetes.cluster.create | N/A |
POST /v1/keys | Reset the IAM API key. | containers-kubernetes.cluster.create | N/A |
Certificate authority
API Method | Description | IAM action for the API | Event sent to Activity Tracker |
---|---|---|---|
GET /v2/getCACert | Get the cluster's CA certificate. | containers-kubernetes.cluster.view | cluster-ca-certificate.get |
POST /v2/rotateCACert | Rotate the cluster's CA certificate. | containers-kubernetes.cluster.create | cluster-ca-certificate.rotate |
POST /v2/createCA | Create a CA certificate. | containers-kubernetes.cluster.create | cluster-ca-certificate.create |
Cluster
Review the following cluster API methods, their corresponding actions in IBM Cloud IAM, and the events that are sent to IBM Cloud Activity Tracker for IBM Cloud Kubernetes Service.
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
DELETE /v1/clusters/{idOrName} | Delete a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.delete |
DELETE /v1/clusters/{idOrName}/apiserverconfigs/auditwebhook | Delete an audit webhook configuration. | containers-kubernetes.cluster.operate | containers-kubernetes.cluster.delete |
DELETE /v1/clusters/{idOrName}/services/{namespace}/{serviceInstanceId} | Unbind an IBM Cloud service from a cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.service.delete |
DELETE /v1/clusters/{idOrName}/usersubnets/{subnetId}/vlans/{vlanId} | Remove a user-managed subnet from a cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.vlan.delete |
GET /v1/clusters | List the clusters that you have access to. | containers-kubernetes.cluster.read | N/A |
GET /v1/clusters/{idOrName} | View details for a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v1/clusters/{idOrName}/addons | View details of the add-ons that are enabled in a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v1/clusters/{idOrName}/apiserverconfigs/auditwebhook | View details for an audit webhook configuration. | containers-kubernetes.cluster.read | N/A |
GET /v1/clusters/{idOrName}/config | Get the cluster-specific configuration and certificates. | containers-kubernetes.cluster.read | containers-kubernetes.cluster.config |
GET /v1/clusters/{idOrName}/services | List the IBM Cloud services bound to a cluster across all namespaces. | containers-kubernetes.cluster.read | N/A |
GET /v1/clusters/{idOrName}/services/{namespace} | List the IBM Cloud services bound to a specific namespace in a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v1/clusters/{idOrName}/subnets | List subnets from your IBM Cloud infrastructure account that are bound to a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v1/clusters/{idOrName}/usersubnets | List user-managed subnets that are bound to a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v1/clusters/{idOrName}/webhooks | List all webhooks for a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v1/clusters/{idOrName}/workerpools | List the worker pools in a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/classic/getCluster | Get detailed cluster information. | containers-kubernetes.cluster.read | N/A |
GET /v2/classic/getClusters | List the classic clusters that you have access to. | containers-kubernetes.cluster.read | N/A |
GET /v2/classic/getVLANs | List available classic infrastructure VLANs for a zone. | containers-kubernetes.cluster.read | N/A |
GET /v2/getCluster | View details for a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/getClusterAddons | View details of the add-ons that are enabled in a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/getCRKs | List the root keys for a key management service (KMS) instance. | containers-kubernetes.cluster.read | N/A |
GET /v2/getFlavors | List available flavor types for a VPC zone (data center). | N/A | N/A |
GET /v2/getKMSInstances | Get key management service (KMS) instances tied to an account. | containers-kubernetes.cluster.read | N/A |
GET /v2/getKubeconfig | Get the cluster's kubeconfig file. Optionally include the network configuration file. | containers-kubernetes.cluster.read | containers-kubernetes.account.get |
GET /v2/getOperatingSystems | Get a list of available worker node operating systems. | N/A | cluster-worker-pool-supported-operating-systems.get |
GET /v2/getRBACStatus | Get the status of an RBAC. | containers-kubernetes.cluster.view | cluster-rbac.status |
GET /v2/vpc/getCluster | Get detailed information for a VPC cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/vpc/getClusters | List the VPC clusters that you have access to. | containers-kubernetes.cluster.read | N/A |
GET /v2/vpc/getSubnets | View subnets for a given VPC. | containers-kubernetes.cluster.read | N/A |
GET /v2/vpc/getVPC | View details of a VPC. | containers-kubernetes.cluster.read | N/A |
GET /v2/vpc/getVPCs | View available VPCs for the infrastructure provider. | containers-kubernetes.cluster.read | N/A |
PATCH /v1/clusters/{idOrName}/addons | Enable, disable, or update add-ons for a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.update |
PATCH /v1/clusters/{idOrName}/subnets/{subnetId} | Detach a public or private portable subnet from a cluster. | containers-kubernetes.cluster.operate | |
POST /v1/clusters | Create a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.create |
POST /v1/clusters/{idOrName}/kms | Create a key management service (KMS) provider configuration for a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.account.update |
POST /v1/clusters/{idOrName}/services | Bind an IBM Cloud service to a cluster. | containers-kubernetes.cluster.update | containers-kubernetes.service.create |
POST /v1/clusters/{idOrName}/usersubnets | Add an existing user-managed subnet to a cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.subnet.create |
POST /v1/clusters/{idOrName}/vlans/{vlanId} | Create an IBM Cloud infrastructure subnet and add it to an existing cluster. | containers-kubernetes.cluster.create | containers-kubernetes.vlan.create |
POST /v1/clusters/{idOrName}/webhooks | Add a webhook to a cluster. | containers-kubernetes.cluster.update | containers-kubernetes.cluster.create |
POST /v2/applyRBACAndGetKubeconfig | Apply IAM roles to the cluster, then retrieve the cluster's kubeconfig file. Optionally include the network configuration file. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.update |
POST /v2/autoUpdateMaster | Set the autoupdate status of the cluster master. | containers-kubernetes.cluster.create | containers-kubernetes.account.update |
POST /v2/disablePrivateServiceEndpoint | Disable a private cloud service endpoint for a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.update |
POST /v2/disablePublicServiceEndpoint | Disable a public cloud service endpoint for a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.update |
POST /v2/enableKMS | Enable a key management service (KMS) for a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.account.update |
POST /v2/enablePrivateServiceEndpoint | Enable the private cloud service endpoint for a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.update |
POST /v2/enablePublicServiceEndpoint | Enable the public cloud service endpoint for a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.update |
POST /v2/enablePullSecret | Create an image pull secret to IBM Cloud Container Registry in the default Kubernetes namespace. | containers-kubernetes.cluster.operate | containers-kubernetes.cluster.update |
POST /v2/refreshMaster | Refresh the Kubernetes master. | containers-kubernetes.cluster.operate | containers-kubernetes.account.update |
POST /v2/updateMaster | Update the version of the Kubernetes cluster master node. | containers-kubernetes.cluster.operate | containers-kubernetes.account.update |
POST /v2/vpc/createCluster | Create a VPC cluster. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.create |
PUT /v1/clusters/{idOrName} | Update the version of the Kubernetes cluster master node. | containers-kubernetes.cluster.operate | containers-kubernetes.cluster.update |
PUT /v1/clusters/{idOrName}/apiserverconfigs/auditwebhook | Create or update an audit webhook configuration for a cluster. | containers-kubernetes.cluster.update | containers-kubernetes.cluster.update |
PUT /v1/clusters/{idOrName}/masters | Refresh the Kubernetes master. | containers-kubernetes.cluster.operate | containers-kubernetes.cluster.update |
PUT /v1/clusters/{idOrName}/subnets/{subnetId} | Add an existing IBM Cloud infrastructure subnet to an existing cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.subnet.update |
Image security
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
POST /v2/enableImageSecurity | Enable image security. | containers-kubernetes.cluster.operate | cluster-image-security.enable |
POST /v2/disableImageSecurity | Disable image security. | containers-kubernetes.cluster.operate | cluster-image-security.disable |
Ingress
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
GET /ingress/v2/secret/getSecret | View Ingress secret details. | containers-kubernetes.cluster.create | cluster-ingress-secret.get |
GET /ingress/v2/secret/getSecrets | View Ingress secrets for a cluster. | containers-kubernetes.cluster.create | cluster-ingress-secret.list |
POST /ingress/v2/secret/createSecret | Create an Ingress secret for a certificate. | containers-kubernetes.cluster.create | cluster-ingress-secret.create |
POST /ingress/v2/secret/deleteSecret | Delete an Ingress secret from the cluster. | containers-kubernetes.cluster.create | cluster-ingress-secret.delete |
POST /ingress/v2/secret/updateSecret | Update an Ingress secret for a certificate. | containers-kubernetes.cluster.create | cluster-ingress-secret.update |
POST /ingress/v2/secret/addField | Add a field to an Ingress secret. | containers-kubernetes.cluster.operate | cluster-ingress-secret-field.add |
POST /ingress/v2/secret/removeField | Remove fields from an Ingress secret with a secret stored in IBM Cloud Secrets Manager. | containers-kubernetes.cluster.operate | cluster-ingress-secret-field.remove |
POST /ingress/v2/secret/registerInstance | Register an IBM Cloud Secrets Manager instance to the cluster. | containers-kubernetes.cluster.update | cluster-ingress-instance.create |
POST /ingress/v2/secret/unregisterInstance | Unregister an IBM Cloud Secrets Manager instance from the cluster. | containers-kubernetes.cluster.update | cluster-ingress-instance.delete |
POST /ingress/v2/secret/updateInstance | Update an IBM Cloud Secrets Manager instance registration configuration to the cluster. | containers-kubernetes.cluster.update | cluster-ingress-instance.update |
GET /ingress/v2/secret/getInstances | View IBM Cloud Secrets Manager instances registered to the cluster. | containers-kubernetes.cluster.read | cluster-ingress-instance.list |
GET /ingress/v2/secret/getInstance | View an IBM Cloud Secrets Manager instance registered to the cluster. | containers-kubernetes.cluster.read | cluster-ingress-instance.get |
Ingress ALB
Review the following Ingress application load balancer (ALB) API methods, their corresponding actions in IBM Cloud IAM, and the events that are sent to IBM Cloud Activity Tracker for IBM Cloud Kubernetes Service.
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
DELETE /v1/alb/albs/{albID} | Disable an ALB in a classic cluster. | containers-kubernetes.cluster.update | cluster-alb.delete |
DELETE /v1/alb/clusters/{idOrName}/albsecrets | Delete an ALB secret that is imported from Secrets Manager from a classic cluster. | containers-kubernetes.cluster.create | cluster-ingress-secret.delete |
GET /v1/alb/albs/{albID} | View details of an ALB in a classic cluster. | containers-kubernetes.cluster.read | cluster-alb.get |
GET /v1/alb/albtypes | List the ALB types that are supported in classic clusters. | containers-kubernetes.cluster.read | N/A |
GET /v1/alb/clusters/{idOrName} | List all ALBs in a classic cluster. | containers-kubernetes.cluster.read | cluster-alb.list |
GET /v1/alb/clusters/{idOrName}/albsecrets | View details of an ALB secret that you imported from Secrets Manager to a classic cluster. | containers-kubernetes.cluster.create | cluster-ingress-secret.list |
GET /v1/alb/clusters/{idOrName}/updatepolicy | Check if automatic updates for Ingress ALBs are enabled in a classic cluster. | containers-kubernetes.cluster.update | cluster-alb-policy.get |
GET /v2/alb/getAlb | View details of an ALB. | containers-kubernetes.cluster.read | cluster-alb.get |
GET /v2/alb/getAlbImages | List supported Ingress controller images. | containers-kubernetes.cluster.read | alb-image.list |
GET /v2/alb/getClusterAlbs | List all ALBs in a cluster. | containers-kubernetes.cluster.read | cluster-alb.list |
GET /v2/alb/getMigrationStatus | Get the status of the Ingress migration process. | containers-kubernetes.cluster.read | cluster-alb-migration-status.get |
POST /v1/alb/albs | Enable an existing ALB in a classic cluster. | containers-kubernetes.cluster.update | cluster-alb.enable |
POST /v1/alb/albsecrets | Import an ALB secret from Secrets Manager to a cluster. | containers-kubernetes.cluster.create | cluster-ingress-secret.create |
POST /v1/alb/clusters/{idOrName}/zone/{zoneId} | Create a public or private ALB in a classic cluster. | containers-kubernetes.cluster.update | cluster-alb.create |
POST /v2/alb/cleanupMigration | Clean up any Ingress resources and configmaps that are no longer needed after an Ingress migration. | containers-kubernetes.cluster.create | cluster-alb-migration.cleanup |
POST /v2/alb/startMigration | Start a migration of your IBM Cloud Ingress ConfigMap and Ingress resources to the Kubernetes Ingress format. | containers-kubernetes.cluster.create | cluster-alb-migration.start |
POST /v2/alb/updateAlb | Update ALBs in a cluster. | containers-kubernetes.cluster.update | cluster-alb.update |
POST /v2/alb/vpc/createAlb | Create a public or private ALB in a VPC cluster. | containers-kubernetes.cluster.update | cluster-alb.create |
POST /v2/alb/vpc/disableAlb | Disable an ALB in a VPC cluster. | containers-kubernetes.cluster.update | cluster-alb.delete |
POST /v2/alb/vpc/enableAlb | Enable an existing ALB in a VPC cluster. | containers-kubernetes.cluster.update | cluster-alb.enable |
PUT /v1/alb/albsecrets | Update an ALB secret that you imported from Secrets Manager. | containers-kubernetes.cluster.create | cluster-ingress-secret.update |
PUT /v1/alb/clusters/{idOrName}/update | Force a one-time update of all ALB pods to the latest build. | containers-kubernetes.cluster.update | cluster-alb.update |
PUT /v1/alb/clusters/{idOrName}/updatepolicy | Enable or disable automatic updates for the Ingress ALBs in a cluster. | containers-kubernetes.cluster.update | cluster-alb-policy.update |
PUT /v1/alb/clusters/{idOrName}/updaterollback | Roll back all ALB pods in a cluster to their previously running build. | containers-kubernetes.cluster.update | cluster-alb-policy.update |
Ingress load balancer
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
GET /ingress/v2/load-balancer/configuration | Get the configuration of load balancers for Ingress ALBs. | containers-kubernetes.cluster.read | N/A |
PATCH /ingress/v2/load-balancer/configuration | Update the configuration of load balancers for Ingress ALBs. | containers-kubernetes.cluster.operate | N/A |
Ingress status
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
GET /v2/alb/getIngressClusterHealthcheck | Get the status of the in-cluster ALB health checker. | containers-kubernetes.cluster.read | cluster-alb-healthcheck.get |
GET /v2/alb/getStatus | Get the status of the Ingress resources in a cluster. | containers-kubernetes.cluster.read | cluster-ingress-status.get |
GET /v2/alb/listIgnoredIngressStatusErrors | List all Ingress status errors that are ignored for the cluster. | containers-kubernetes.cluster.read | cluster-ignored-ingress-status-errors.list |
POST /v2/alb/setIngressClusterHealthcheck | Set the in-cluster Ingress health checker. | containers-kubernetes.cluster.operate | cluster-alb-healthcheck.set |
POST /v2/alb/setIngressStatusState | Set the state of the Ingress status. | containers-kubernetes.cluster.update | cluster-ingress-status-state.set |
POST /v2/alb/addIgnoredIngressStatusErrors | Ignore specific Ingress status errors in Ingress status reporting. | containers-kubernetes.cluster.update | cluster-ignored-ingress-status-errors.add |
DELETE /v2/alb/removeIgnoredIngressStatusErrors | Stop ignoring specific status errors in Ingress status reporting. | containers-kubernetes.cluster.update | cluster-ignored-ingress-status-errors.remove |
Fluentd logging
Review the following Fluentd logging configuration API methods, their corresponding actions in IBM Cloud IAM, and the events that are sent to IBM Cloud Activity Tracker for IBM Cloud Kubernetes Service.
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
DELETE /v1/logging/{idOrName}/filterconfigs | Delete all logging filter configurations for the cluster. | containers-kubernetes.cluster.update | containers-kubernetes.logging-filter.delete |
DELETE /v1/logging/{idOrName}/filterconfigs/{id} | Delete a logging filter configuration. | containers-kubernetes.cluster.update | containers-kubernetes.logging-filter.delete |
DELETE /v1/logging/{idOrName}/loggingconfig | Delete all log forwarding configurations for a cluster. | containers-kubernetes.cluster.update | containers-kubernetes.logging-config.delete |
DELETE /v1/logging/{idOrName}/loggingconfig/{logSource}/{id} | Delete a log forwarding configuration. | containers-kubernetes.cluster.update | containers-kubernetes.logging-config.delete |
GET /v1/log-collector/{idOrName}/masterlogs | Show the status for the most recent master log collection request. | containers-kubernetes.cluster.read | containers-kubernetes.masterlog-status |
GET /v1/logging/{idOrName}/clusterkeyowner | View information about the containers-kubernetes-key API key owner. | containers-kubernetes.cluster.read | N/A |
GET /v1/logging/{idOrName}/default | View the default logging endpoint for the target region. | containers-kubernetes.cluster.read | N/A |
GET /v1/logging/{idOrName}/filterconfigs | List all logging filter configurations in the cluster. | containers-kubernetes.cluster.read | N/A |
GET /v1/logging/{idOrName}/filterconfigs/{id} | View a logging filter configuration. | containers-kubernetes.cluster.read | N/A |
GET /v1/logging/{idOrName}/loggingconfig | List all log forwarding configurations in the cluster. | containers-kubernetes.cluster.read | N/A |
GET /v1/logging/{idOrName}/loggingconfig/{logSource} | List all log forwarding configurations for a log source in the cluster. | containers-kubernetes.cluster.read | N/A |
GET /v1/logging/{idOrName}/updatepolicy | Check if automatic updates for the Fluentd logging add-on are enabled in the cluster. | containers-kubernetes.cluster.read | N/A |
POST /v1/log-collector/{idOrName}/masterlogs | Create a new master log collection request. | containers-kubernetes.cluster.create | containers-kubernetes.masterlog-retrieve |
POST /v1/logging/{idOrName}/filterconfigs | Create a logging filter configuration. | containers-kubernetes.cluster.update | containers-kubernetes.logging-filter.create |
POST /v1/logging/{idOrName}/loggingconfig/{logSource} | Create a log forwarding configuration. | containers-kubernetes.cluster.update | containers-kubernetes.logging-config.create |
PUT /v1/logging/{idOrName}/filterconfigs/{id} | Update a logging filter configuration. | containers-kubernetes.cluster.update | N/A |
PUT /v1/logging/{idOrName}/loggingconfig/{logSource}/{id} | Update a log forwarding configuration. | containers-kubernetes.cluster.update | N/A |
PUT /v1/logging/{idOrName}/refresh | Refresh the cluster's logging configuration. | containers-kubernetes.cluster.update | containers-kubernetes.logging-config.refresh |
PUT /v1/logging/{idOrName}/updatepolicy | Enable or disable automatic updates for the Fluentd logging add-on in the cluster. | containers-kubernetes.cluster.create | containers-kubernetes.logging-autoupdate.changed |
NLB DNS
Review the following network load balancer (NLB) domain name system (DNS) API methods, their corresponding actions in IBM Cloud IAM, and the events that are sent to IBM Cloud Activity Tracker for IBM Cloud Kubernetes Service.
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
DELETE /v1/nlb-dns/clusters/{idOrName}/host/{nlbHost}/ip/{nlbIP}/remove | Remove an IP address from an NLB subdomain. | containers-kubernetes.cluster.update | cluster-nlb-dns.delete |
GET /v1/nlb-dns/clusters/{idOrName}/list | List registered NLB subdomains and NLB IP addresses. | containers-kubernetes.cluster.read | cluster-nlb-dns.list |
GET /v1/nlb-dns/health/clusters/{idOrName}/host/{nlbHost}/config | View the health check monitor settings for an NLB subdomain. | containers-kubernetes.cluster.read | cluster-nlb-dns-monitor.get |
GET /v1/nlb-dns/health/clusters/{idOrName}/list | List the health check monitor settings for all NLB subdomains. | containers-kubernetes.cluster.read | cluster-nlb-dns-monitor.list |
GET /v1/nlb-dns/health/clusters/{idOrName}/status | List the health check status for the IPs behind NLB subdomains in a cluster. | containers-kubernetes.cluster.read | cluster-nlb-dns-monitor-status.list |
GET /v2/nlb-dns/getNlbDNSList | List registered NLB subdomains in a cluster. | containers-kubernetes.cluster.read | cluster-nlb-dns.list |
PATCH /v1/nlb-dns/health/clusters/{idOrName}/config | Configure a health check monitor for an NLB subdomain. | containers-kubernetes.cluster.update | cluster-nlb-dns-monitor.create |
POST /v1/nlb-dns/clusters/{idOrName}/register | Create an NLB subdomain and associate one or more NLB IP addresses with it. | containers-kubernetes.cluster.update | cluster-nlb-dns.update |
POST /v2/nlb-dns/deleteSecret | Remove a secret from an NLB subdomain. | containers-kubernetes.cluster.update | cluster-ingress-secret.delete |
POST /v2/nlb-dns/regenerateCert | Regenerate certificates for a secret. | containers-kubernetes.cluster.update | cluster-ingress-secret.update |
POST /v2/nlb-dns/vpc/createNlbDNS | Create an NLB subdomain in a VPC cluster and associate a load balancer hostname with it. | containers-kubernetes.cluster.update | cluster-nlb-dns.create |
POST /v2/nlb-dns/vpc/removeLBHostname | Remove the load balancer hostname from the DNS record for an existing NLB subdomain. | containers-kubernetes.cluster.update | cluster-lb-hostname.delete |
POST /v2/nlb-dns/vpc/ReplaceLBHostname | Update the DNS record for an NLB subdomain by replacing the load balancer hostname. | containers-kubernetes.cluster.update | cluster-lb-hostname.update |
PUT /v1/nlb-dns/clusters/{idOrName}/add | Update a DNS record by adding an NLB IP address. | containers-kubernetes.cluster.update | cluster-nlb-dns.update |
PUT /v1/nlb-dns/clusters/{idOrName}/health | Enable or disable a health check monitor for an NLB subdomain. | containers-kubernetes.cluster.update | cluster-nlb-dns-monitor.update |
Observability: Log Analysis
Review the following observability logging API methods, their corresponding actions in IBM Cloud IAM, and the events that are sent to IBM Cloud Activity Tracker for IBM Cloud Kubernetes Service.
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
GET /v2/observe/logging/getConfig | Show the details of an existing Log Analysis configuration. | containers-kubernetes.cluster.read | N/A |
GET /v2/observe/logging/getConfigs | List all Log Analysis configurations for a cluster. | containers-kubernetes.cluster.read | N/A |
POST /v2/observe/logging/createConfig | Create a Log Analysis configuration for a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.observe.logging.create |
POST /v2/observe/logging/discoverAgent | Discover a Log Analysis agent previously deployed in the cluster. | containers-kubernetes.cluster.create | N/A |
POST /v2/observe/logging/modifyConfig | Update a Log Analysis configuration in the cluster. | containers-kubernetes.cluster.create | containers-kubernetes.observe.logging.modify |
POST /v2/observe/logging/removeConfig | Remove a Log Analysis configuration from a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.observe.logging.remove |
Observability: Monitoring
Review the following observability monitoring API methods, their corresponding actions in IBM Cloud IAM, and the events that are sent to IBM Cloud Activity Tracker for IBM Cloud Kubernetes Service.
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
GET /v2/observe/monitoring/getConfig | Show the details of an existing Monitoring configuration. | containers-kubernetes.cluster.read | N/A |
GET /v2/observe/monitoring/getConfigs | List all Monitoring configurations for a cluster. | containers-kubernetes.cluster.read | N/A |
POST /v2/observe/monitoring/createConfig | Create a Monitoring configuration for a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.observe.monitoring.create |
POST /v2/observe/monitoring/discoverAgent | Discover a Monitoring agent previously deployed in the cluster. | containers-kubernetes.cluster.create | N/A |
POST /v2/observe/monitoring/modifyConfig | Update a Monitoring configuration in the cluster. | containers-kubernetes.cluster.create | containers-kubernetes.observe.monitoring.modify |
POST /v2/observe/monitoring/removeConfig | Remove a Monitoring configuration from a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.observe.monitoring.remove |
Private service endpoint allowlist
Private service endpoint allowlists are deprecated, and support ends on 10 February 2025. Migrate from allowlists to context-based restrictions as soon as possible. For more information, see Migrating from a private service endpoint allowlist to context based restrictions (CBR).
Review the following access control list (ACL) API methods, their corresponding actions in IBM Cloud IAM, and the events that are sent to IBM Cloud Activity Tracker for IBM Cloud Kubernetes Service if you use a private cloud service endpoint allowlist.
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
DELETE /v1/acl/{idOrName} | Disable the private cloud service endpoint allowlist feature for a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.network-acl.delete |
GET /v1/acl/{idOrName} | Get the subnets in the private cloud service endpoint allowlist. | containers-kubernetes.cluster.read | containers-kubernetes.network-acl.get |
PATCH /v1/acl/{idOrName}/add | Add subnets to a cluster's private cloud service endpoint allowlist. | containers-kubernetes.cluster.create | containers-kubernetes.network-acl.update |
PATCH /v1/acl/{idOrName}/rm | Remove subnets from a cluster's private cloud service endpoint allowlist. | containers-kubernetes.cluster.create | containers-kubernetes.network-acl.update |
POST /v1/acl/{idOrName}/enable | Enable the private cloud service endpoint allowlist feature for a cluster. | containers-kubernetes.cluster.create | containers-kubernetes.network-acl.update |
Satellite
Review the following API methods, their corresponding actions in IBM Cloud IAM, and the events that are sent to IBM Cloud Activity Tracker for IBM Cloud Satellite.
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
GET /v2/nlb-dns/getSatLocationSubdomains | List registered NLB subdomains in a Satellite location. | containers-kubernetes.cluster.read | N/A |
POST /v2/nlb-dns/registerMSCDomains | Register NLB subdomains c001, c002, and c003, which each correspond to an IP address of a host that is assigned to the Satellite location control plane. The c000 subdomain corresponds to all the IP addresses for the cluster. Also, register one CNAME, ce00, for the specified Satellite location control plane. | containers-kubernetes.cluster.operate | N/A |
GET /v2/satellite/getClusters | List the IBM Cloud Satellite clusters that you have access to. | containers-kubernetes.cluster.read | N/A |
GET /v2/satellite/getController | Get the details for an IBM Cloud Satellite location. | containers-kubernetes.cluster.read | N/A |
GET /v2/satellite/getControllers | List the IBM Cloud Satellite locations that you have access to. | containers-kubernetes.cluster.read | N/A |
GET /v2/satellite/hostqueue/getHosts | List the hosts in your IBM Cloud Satellite location. | containers-kubernetes.cluster.read | N/A |
POST /v2/satellite/createCluster | Create an IBM Cloud Satellite cluster. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.create |
POST /v2/satellite/createController | Create an IBM Cloud Satellite location. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.create |
POST /v2/satellite/hostqueue/createAssignment | Assign a host to an IBM Cloud Satellite location or cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.cluster.create |
POST /v2/satellite/hostqueue/createRegistrationScript | Attach a host to an IBM Cloud Satellite location. | containers-kubernetes.cluster.operate | containers-kubernetes.cluster.create |
POST /v2/satellite/hostqueue/removeHost | Remove a host from an IBM Cloud Satellite location or cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.cluster.delete |
POST /v2/satellite/hostqueue/updateHost | Update a host in your IBM Cloud Satellite location. | containers-kubernetes.cluster.operate | containers-kubernetes.cluster.update |
POST /v2/satellite/removeController | Remove an IBM Cloud Satellite location. | containers-kubernetes.cluster.create | containers-kubernetes.cluster.delete |
Storage
Review the following storage API methods, their corresponding actions in IBM Cloud IAM, and the events that are sent to IBM Cloud Activity Tracker for IBM Cloud Kubernetes Service.
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
GET /v2/storage/getAttachment | Get details of a storage attachment. | containers-kubernetes.cluster.read | containers-kubernetes.containers-kubernetes.storage.attachment.read |
GET /v2/storage/getAttachments | List storage attachments. | containers-kubernetes.cluster.read | containers-kubernetes.containers-kubernetes.storage.attachment.read |
GET /v2/storage/getVolume | Get the details of a storage volume. | containers-kubernetes.cluster.read | containers-kubernetes.containers-kubernetes.storage.volume.read |
GET /v2/storage/getVolumes | List storage volumes for a cluster or for the account if no cluster is provided. | containers-kubernetes.cluster.read | containers-kubernetes.containers-kubernetes.storage.volume.read |
POST /v2/storage/createAttachment | Attach a volume to a worker node. | containers-kubernetes.cluster.update | containers-kubernetes.containers-kubernetes.storage.attachment.create |
POST /v2/storage/deleteAttachment | Detach a volume from a worker node. | containers-kubernetes.cluster.update | containers-kubernetes.containers-kubernetes.storage.attachment.delete |
Worker nodes and worker pools
Review the following worker node and worker pool API methods, their corresponding actions in IBM Cloud IAM, and the events that are sent to IBM Cloud Activity Tracker for IBM Cloud Kubernetes Service.
API Method | Description | IAM action for the API | Activity Tracker event |
---|---|---|---|
DELETE /v1/clusters/{idOrName}/workerpools/{poolidOrName} | Remove a worker pool from a cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.workerpool.delete |
DELETE /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones/{zoneid} | Remove a zone from a worker pool. | containers-kubernetes.cluster.operate | containers-kubernetes.zone.delete |
DELETE /v1/clusters/{idOrName}/workers/{workerId} | Delete a worker node from a cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.worker.delete |
GET /v1/clusters/{idOrName}/workerpools/{poolidOrName} | View details for a worker pool. | containers-kubernetes.cluster.read | N/A |
GET /v1/clusters/{idOrName}/workers | List all worker nodes in a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v1/clusters/{idOrName}/workers/{workerId} | View details of a worker node. | containers-kubernetes.cluster.read | N/A |
GET /v2/classic/getWorker | View details of a worker node for a classic cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/classic/getWorkerPool | View details of a worker pool for a classic cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/classic/getWorkerPools | View details of a worker pool for a classic cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/classic/getWorkers | View all workers for a classic cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/getWorker | View details of a worker node for a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/getWorkerPool | View details of a worker pool for a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/getWorkerPools | View details of a worker pool for a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/getWorkers | View all workers for a cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/vpc/getWorker | View details of a worker node for a VPC cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/vpc/getWorkerPool | View details of a worker pool for a VPC cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/vpc/getWorkerPools | View details of a worker pool for a VPC cluster. | containers-kubernetes.cluster.read | N/A |
GET /v2/vpc/getWorkers | View all workers for a VPC cluster. | containers-kubernetes.cluster.read | N/A |
PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName} | Resize or rebalance a worker pool. | containers-kubernetes.cluster.operate | containers-kubernetes.workerpool.update |
PATCH /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones/{zoneid} | Updates network configuration for a worker pool for a given zone. | containers-kubernetes.cluster.operate | containers-kubernetes.zone.update |
POST /v1/clusters/{idOrName}/workerpools | Create a worker pool for a cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.workerpool.create |
POST /v1/clusters/{idOrName}/workerpools/{poolidOrName}/zones | Add a zone to the specified worker pool for a cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.workerpool.create |
POST /v1/clusters/{idOrName}/workers | Add worker nodes to a cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.worker.create |
POST /v2/rebalanceWorkerPool | Rebalance workers in a worker pool. | containers-kubernetes.cluster.operate | containers-kubernetes.account.update |
POST /v2/removeWorker | Delete a worker node from a cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.account.delete |
POST /v2/removeWorkerPool | Removes a worker pool. | containers-kubernetes.cluster.operate | containers-kubernetes.account.delete |
POST /v2/replaceWorker | Replace a worker node with a new worker node. | containers-kubernetes.cluster.operate | containers-kubernetes.account.update |
POST /v2/resizeWorkerPool | Resize an existing worker pool. | containers-kubernetes.cluster.operate | containers-kubernetes.workerpool.update |
POST /v2/setWorkerPoolLabels | Set custom labels for a worker pool. | containers-kubernetes.cluster.operate | containers-kubernetes.account.update |
POST /v2/setWorkerPoolTaints | Set custom taints for a worker pool. | containers-kubernetes.cluster.operate | containers-kubernetes.account.update |
POST /v2/vpc/createWorkerPool | Create a worker pool for a VPC cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.account.create |
POST /v2/vpc/createWorkerPoolZone | Create a zone in the specified worker pool for a VPC cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.account.create |
POST /v2/vpc/replaceWorker | Replace a worker node with a new worker node. | containers-kubernetes.cluster.operate | containers-kubernetes.account.create |
PUT /v1/clusters/{idOrName}/workers/{workerId} | Reboot, reload, or update a worker node for a cluster. | containers-kubernetes.cluster.operate | containers-kubernetes.worker.update |