
I have two clusters belonging to the same project in Google Kubernetes Engine. How can I allow a partner to access one cluster and deny them access to the other cluster? Thank you!

fengyuxx
  • Could you share more information? Does this person already have access to this GKE project? Some background scenario might help here. If you want to give/revoke access to GKE resources you have to set IAM; however, if you want to set specific permissions on a cluster you must use RBAC. – PjoterS May 20 '20 at 12:03
  • @PjoterS Thank you for your reply. I have already added my partner's account to my GKE project and given him the "Kubernetes Engine Viewer" role, so he can view the two clusters in the GKE web console. I want to allow him to deploy or delete pods / services etc. in my test cluster, but not in the production cluster. – fengyuxx May 21 '20 at 01:53

1 Answer


If you want to grant a user access to only one cluster in a GKE project, you have to use Cloud IAM together with RBAC.

As was mentioned in GKE IAM:

Kubernetes' native role-based access control (RBAC) system also manages access to your cluster. RBAC controls access on a cluster and namespace level, while Cloud IAM works on the project level.

Cloud IAM and RBAC can work in concert, and an entity must have sufficient permissions at either level to work with resources in your cluster.

More detailed information about Access Control in GKE can be found here.

Kubernetes RBAC is built into Kubernetes, and grants granular permissions to objects within Kubernetes clusters. Permissions exist as ClusterRole or Role objects within the cluster. RoleBinding objects grant Roles to Kubernetes users, Google Cloud users, Google Cloud service accounts, or Google Groups (beta).

Cloud IAM manages Google Cloud resources, including clusters, and types of objects within clusters. Permissions are assigned to Cloud IAM members, which exist within Google Cloud, G Suite, or Cloud Identity.

The first step to achieve this is to grant the new user access to the project with at least the Viewer role, as mentioned here (which you already did).

While Kubernetes RBAC can be used instead of Cloud IAM for almost all cases, GKE users require at least the container.clusters.get Cloud IAM permission in the project containing the cluster. This permission is included in the container.clusterViewer role, as well as in the other, more highly privileged roles.

The next step is to grant access within the cluster in which you want to give permissions to the other user. If you want to grant access to only one namespace, you should create a Role; if you want to grant access to all namespaces, you have to create a ClusterRole, as mentioned here.

You also need to create a RoleBinding / ClusterRoleBinding, depending on your needs.

It's well described in the Kubernetes docs.

Summary:

  1. Grant the new user access to the GKE project (Cloud IAM).

  2. Create a Role/ClusterRole (resources, verbs) and a RoleBinding/ClusterRoleBinding, depending on your needs.

PjoterS
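As an added example (not from the answer above or from Google's docs), here is the manifest the summary describes: a namespaced Role plus a RoleBinding for the partner's Google account, generated by a shell function and applied only to the test cluster's kubectl context. The e-mail address, the namespace "dev" and the context name are assumed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not part of the original answer. Placeholders (assumed):
# partner@example.com, namespace "dev", and the test cluster's kubectl context.
set -eu

# Emit a namespaced Role that lets the partner manage pods and services,
# and a RoleBinding that grants it to their Google account (GKE identifies
# a Google account as a Kubernetes User by its e-mail address).
partner_rbac_manifest() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: partner-deployer
  namespace: $2
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: partner-deployer
  namespace: $2
subjects:
- kind: User
  name: $1
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: partner-deployer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply the manifest to the TEST cluster only, then confirm the grant with an
# impersonated can-i check. The production cluster never receives a binding,
# so the partner keeps only the read access the IAM Kubernetes Engine Viewer
# role already gives them there.
apply_to_test_cluster() {
  partner_rbac_manifest "$1" "$2" | kubectl --context "$3" apply -f -
  kubectl --context "$3" auth can-i delete pods -n "$2" --as "$1"
}

# A stand-alone run just prints the manifest for review:
partner_rbac_manifest partner@example.com dev
# apply_to_test_cluster partner@example.com dev gke_my-project_us-central1_test-cluster
```

Run the same `kubectl auth can-i ... --as` check against the production context afterwards; it should answer "no", since that cluster has no binding for the account.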