
We are in the process of improving the IAM roles in our project, and we need to enable the dev team to only resize their cluster to save cost.

We are struggling to get the exact set of permissions needed to enable a user to only scale cluster nodes up and down (i.e. resizing). We referred to the GCP IAM documentation below, but it didn't help us get this information either.

https://cloud.google.com/iam/docs/permissions-reference

Currently, we have given the set of permissions below (some of them may not be required); however, we are not able to do cluster resizing with this. One more issue is that GKE does not give any permission error: we see the "Node Pool Resized Successfully" notification, but the node pool size doesn't change.

[Screenshot of the currently granted IAM permissions; image not included]

Is there any documentation or link which has a mapping of permission sets to user activities for GCP IAM?

saurabh umathe
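The question asks for the minimal permission set for resizing node pools and reports that a wrong set fails silently. The script below is an added example, not code from the question or the answer: it defines a least-privilege custom IAM role for resizing, binds it to a developer group, and builds the resize command the group would run. The project id, group address and role id are constructed placeholders, and the permission list is my reading of the GKE API (the node pool `setSize` call is authorized by `container.clusters.update`, with `get`/`list` so the user can find the cluster); confirm it against the IAM permissions reference before relying on it. With `DRY_RUN=1` (the default) the `gcloud` commands are printed instead of executed.

```shell
#!/usr/bin/env bash
# Added example: least-privilege custom role for GKE node pool resizing.
# All names below are constructed placeholders, not values from the page.
set -euo pipefail

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"        # constructed
DEV_GROUP="${DEV_GROUP:-gke-devs@example.com}"    # constructed
ROLE_ID="${ROLE_ID:-gkeNodePoolResizer}"          # constructed
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the gcloud commands; 0 = run them

# Assumed sufficient for `gcloud container clusters resize`: get/list to locate
# the cluster, update to authorize the node pool setSize call. Nothing here
# allows creating or deleting clusters or node pools.
RESIZE_PERMISSIONS="container.clusters.get,container.clusters.list,container.clusters.update"

# Print the commands in dry-run mode; execute them otherwise.
run() { if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# Emit the role definition in the YAML shape `gcloud iam roles create --file` accepts.
role_yaml() {
cat <<EOF
title: "GKE Node Pool Resizer"
description: "Resize existing node pools only"
stage: "GA"
includedPermissions:
$(echo "$RESIZE_PERMISSIONS" | tr ',' '\n' | sed 's/^/- /')
EOF
}

# Create the custom role at project level from the YAML above.
create_role() {
  role_yaml > "/tmp/${ROLE_ID}.yaml"
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --file="/tmp/${ROLE_ID}.yaml"
}

# Grant the role to the developer group (a group, not individual users,
# so membership changes do not touch the IAM policy).
bind_role() {
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="group:${DEV_GROUP}" \
    --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
}

# Build the resize command a role holder would run: cluster, pool, zone, size.
resize_cmd() {
  echo "gcloud container clusters resize $1 --node-pool=$2 --zone=$3 --num-nodes=$4 --project=$PROJECT_ID --quiet"
}

# Verify the binding landed: the rendered policy must reference the role.
check_binding() {
  gcloud projects get-iam-policy "$PROJECT_ID" --format=json \
    | grep -q "projects/${PROJECT_ID}/roles/${ROLE_ID}"
}

# Usage (dry run): print the role, create and bind it, show a resize command.
role_yaml
create_role
bind_role
resize_cmd demo-cluster default-pool us-central1-a 2
```

Because the role contains no `container.clusters.delete` or `container.clusters.create`, a developer can scale a pool but cannot remove the cluster; the `check_binding` function is the post-change check to run once `DRY_RUN=0` has applied the binding.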

1 Answer


The GKE cluster will be created with the permissions that are set in the 'Access scopes' section of the 'Advanced edit' tab. So only the APIs with access enabled in this section will be shown as enabled. These permissions denote the type and level of API access granted to the VMs in the node pool. Scopes inform the access level your cluster nodes will have to specific GCP services as a whole. Please see this link for more information about access scopes.

In the 'Create a Kubernetes cluster' tab, click 'Advanced edit'. You will then see another tab called 'Edit node pool' pop up with more options. If you click 'Set access for each API', you will see the option to set these permissions.

'Permissions' are defined when the cluster is created. You cannot edit them directly on the cluster after creation. You may want to create a new cluster with the appropriate permissions, or create a new Node Pool with the new scopes you need and then delete your old 'default' Node Pool, as specified in this link.

When you add or remove nodes in your cluster, Google Kubernetes Engine (GKE) adds or removes the associated virtual machine (VM) instances from the underlying Compute Engine Managed Instance Groups (MIGs) provisioned for your node pools.

Please see this link for more information about resizing the cluster.