 

IAM and RBAC Conflicts on Google Cloud Container Engine (GKE)

Context

Access to a Google Cloud (GKE) Kubernetes cluster is managed through the Google Cloud IAM feature:

  1. An admin invites a new user (using their google account/login) and assigns them a role.

    The example role below is "Container Engine Viewer", which will allow the user to access the kubernetes cluster and run all "view" operations.

  2. The user can run gcloud auth login on their local machine, followed by gcloud container clusters get-credentials, to authenticate to Google IAM and have the gcloud tool write out a Kubernetes config file, ready to use the cluster.

  3. Users can then use kubectl to access the cluster. With the example above, reads work, writes/changes don't; all good!

The Problem

The IAM roles for a GKE Kubernetes cluster are very simple: "Admin, Read/Write, Read".

For more fine-grained control over the Kubernetes cluster, Kubernetes RBAC should be used within the cluster, allowing me to restrict a user to a single namespace, single API endpoint, single action, etc.

However, without specifying an IAM role for the user, the user has no way of authenticating to the cluster (RBAC is authorization, not authentication).

Yet the lowest-permission IAM role I can set is "Container Engine Viewer", so regardless of the restrictions I implement with Kubernetes RBAC, all my users still have full read access.

Question

Has anyone found a way to ensure all permissions in GKE are coming from RBAC, basically nullifying the permissions from IAM?

asked Aug 29 '17 17:08 by Matt Johnson


People also ask

What is RBAC in GKE?

Kubernetes RBAC is a core component of Kubernetes and lets you create and grant roles (sets of permissions) for any object or type of object within the cluster. On GKE it interacts with Identity and Access Management: IAM decides who can reach the cluster, RBAC decides what they can do inside it.

How do you check RBAC in Kubernetes?

We will also assume that RBAC has been enabled in your cluster through the --authorization-mode=RBAC option in your Kubernetes API server. You can check this by executing the command kubectl api-versions; if RBAC is enabled you should see the API version rbac.authorization.k8s.io/v1.


1 Answer

Weird how writing out the problem gets you to an answer sooner huh?

There's a new "Alpha" feature in Google Cloud's IAM which wasn't there last time I tried to tackle this problem:

Under IAM > Roles, you can now create custom IAM roles with your own subset of permissions.

I created a minimal role which allows gcloud container clusters get-credentials to work, but nothing else, allowing permissions within the kubernetes cluster to be fully managed by RBAC.

Initial testing looks good.

IAM role screenshots (with the permissions needed) below.

[Screenshot: Minimal IAM role with GKE cluster access]

[Screenshot: New IAM roles alpha functionality]

answered Oct 12 '22 12:10 by Matt Johnson
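The answer above shows the minimal custom role only as a screenshot. The script below is an added example, not code from the original post or from Google: it writes the custom role definition in the format `gcloud iam roles create --file` accepts, refuses to proceed if the role grants any GKE permission beyond fetching cluster credentials (because anything IAM grants applies whatever RBAC says), and then generates the namespace-scoped Role/RoleBinding that gives the same Google account read access to pods in one namespace. The project id, role id, user email, cluster, zone and namespace are placeholders, and the choice of `container.clusters.get` as the single permission `get-credentials` needs is an assumption of this example. The gcloud/kubectl commands are only printed unless APPLY=1 is set, so the script runs offline.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Placeholders below are assumptions.
set -euo pipefail

PROJECT_ID="${PROJECT_ID:-my-project}"
ROLE_ID="${ROLE_ID:-gkeClusterCredentialsOnly}"
USER_EMAIL="${USER_EMAIL:-dev@example.com}"
CLUSTER="${CLUSTER:-prod}"
ZONE="${ZONE:-us-central1-a}"
NAMESPACE="${NAMESPACE:-team-a}"

# Custom role definition for `gcloud iam roles create --file`. Assumption: the
# only permission `gcloud container clusters get-credentials` needs is
# container.clusters.get, so that is the only permission granted.
write_role_file() {
  cat >"$1" <<EOF
title: GKE cluster credentials only
description: Lets a user fetch kubeconfig credentials; all in-cluster permissions come from RBAC.
stage: ALPHA
includedPermissions:
- container.clusters.get
EOF
}

# Guard: return 1 if the role file lists any permission other than
# container.clusters.get. An extra container.* read permission here would be
# granted by IAM to every bound user regardless of the RBAC rules in the cluster.
check_role_file() {
  local file="$1" bad
  bad=$(sed -n 's/^- *//p' "$file" | grep -v '^container\.clusters\.get$' || true)
  if [ -n "$bad" ]; then
    echo "role grants more than cluster credentials: $bad" >&2
    return 1
  fi
  return 0
}

# Namespace-scoped read-only Role plus a RoleBinding. GKE presents the IAM
# identity to the API server as a Kubernetes User named after the account email,
# so that email is the RBAC subject.
write_rbac_manifest() {
  cat >"$1" <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: ${NAMESPACE}
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: ${NAMESPACE}
  name: pod-reader-${USER_EMAIL%%@*}
subjects:
- kind: User
  name: ${USER_EMAIL}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Write both files, run the guard, then print (or with APPLY=1 execute) the
# commands: create the role, bind the user at project level, fetch credentials,
# apply RBAC, and verify that reads work in the namespace but not cluster-wide.
run() {
  local dir cmds
  dir=$(mktemp -d)
  write_role_file "$dir/role.yaml"
  check_role_file "$dir/role.yaml"
  write_rbac_manifest "$dir/rbac.yaml"
  cmds="gcloud iam roles create ${ROLE_ID} --project=${PROJECT_ID} --file=${dir}/role.yaml
gcloud projects add-iam-policy-binding ${PROJECT_ID} --member=user:${USER_EMAIL} --role=projects/${PROJECT_ID}/roles/${ROLE_ID}
gcloud container clusters get-credentials ${CLUSTER} --zone=${ZONE} --project=${PROJECT_ID}
kubectl apply -f ${dir}/rbac.yaml
kubectl auth can-i list pods --namespace=${NAMESPACE} --as=${USER_EMAIL}
kubectl auth can-i list pods --all-namespaces --as=${USER_EMAIL}"
  if [ "${APPLY:-0}" = "1" ]; then
    bash -ec "$cmds"
  else
    printf '%s\n' "$cmds"
  fi
}

run
```

The two `kubectl auth can-i` checks at the end are the practical test of the answer's claim: the first should print `yes` and the second `no` once only the custom role is bound. The guard matters because the user must hold no other project-level role that carries `container.*` permissions (a plain project Viewer, for example, still grants cluster-wide read), so audit the account's full binding list, not just this role. Custom roles have long since left alpha; GKE now also ships a predefined role with just get/list on clusters, roles/container.clusterViewer, which fills the same purpose without maintaining a custom role.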