Context
Access to a Google Cloud (GKE) kubernetes cluster is managed through the Google Cloud IAM feature;
An admin invites a new user (using their google account/login) and assigns them a role.
The example role below is "Container Engine Viewer", which will allow the user to access the kubernetes cluster and run all "view" operations.
The User can use the
gcloud auth login
on their local machine followed bygcloud container clusters get-credentials
to authenticate to Google IAM and have thegcloud
tool write them out a kubernetes config file, ready to use the cluster.Users can then use
kubectl
to access the cluster. With the example above, reads work... writes/changes dont; all good!
The Problem
The IAM roles for a GKE kubernetes cluster are very simple, "Admin, Read/Write, Read".
For more fine-grained control over the kubernetes cluster, Kubernetes RBAC should be used within the cluster, allowing me to restrict a user to a single namespace, single API endpoint, single action, etc.
However, without specifying an IAM role for the user; the user has no way of authenticating to the cluster (RBAC is authorization, not authentication).
Yet, the Lowest permission IAM role I can set is "Container Engine Viewer", so regardless of the restrictions I implement with Kubernetes RBAC, All my users still have full read access.
Question
Has anyone found a way to ensure all permissions in GKE are coming from RBAC, basically nullifying the permissions from IAM?
Weird how writing out the problem gets you to an answer sooner huh?
Theres a new "Alpha" feature in Google Cloud's IAM which wasn't there last time I tried to tackle this problem;
Under IAM > Roles, you can now create custom IAM roles with your own subset of permissions.
I created a minimal role which allows
gcloud container clusters get-credentials
to work, but nothing else, allowing permissions within the kubernetes cluster to be fully managed by RBAC.Initial testing looks good.
IAM Role Screenshots (with the permissions needed) below.
Minimal IAM role with GKE cluster access
New IAM roles alpha functionality