Kubernetes role-based access control (RBAC) with Google Cloud IAM

When it comes to setting user access and permissions for your GKE clusters on Google Cloud, you have two options:

  1. Use Google Cloud IAM
  2. Use Kubernetes RBAC

Google Cloud IAM is not specific to Kubernetes; it offers a wide variety of roles and permissions at the Google Cloud product level, and it is granted per project, so an IAM grant covers every cluster in that project.

On the other hand, if you need finer-grained roles and permissions that apply to individual Kubernetes objects or kinds of objects, scoped to a cluster or a single namespace, RBAC is the better fit.

Using Cloud IAM and Kubernetes RBAC together is a bit tricky, because GKE allows a request if either system permits it. A broad predefined IAM role such as Kubernetes Engine Developer grants access to Kubernetes objects in every namespace of every cluster in the project, and no RBAC Role can narrow that down afterwards.

Here is the simplest way I have found to configure Kubernetes RBAC on GKE while following the principle of least privilege: give users only the IAM permissions they need to connect to the cluster, and grant everything else through RBAC.

Go to Google Cloud Console -> IAM & Admin -> Roles -> Create Role, and add the following permissions:

container.clusters.get
container.clusters.list
resourcemanager.projects.get

This grants the ability to browse the current project and to view and connect to (fetch credentials for) its Kubernetes clusters, and nothing else: it deliberately contains no container.* permissions on Kubernetes objects, so RBAC is the only thing that decides what the user can do inside the cluster. Grant this custom role to each developer (or to a Google Group of developers) at the project level. The predefined Kubernetes Engine Cluster Viewer role (roles/container.clusterViewer) is the closest built-in equivalent if you would rather not maintain a custom role.

First, create a Kubernetes Role so that it can be bound to different users. Connect to your cluster (the account you use for this needs admin rights on the cluster, which project Owners and Kubernetes Engine Admins already have through IAM), then create a role.yaml file with the following configuration and save it. The development namespace must already exist.
(There are two kinds of role in Kubernetes, Role and ClusterRole. A Role is namespaced and a ClusterRole is cluster-wide; we use Role here so the grant is confined to the development namespace. Check the Kubernetes RBAC docs for more info.)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development   # a Role is namespaced; the namespace must exist
  name: dev-member
rules:
- apiGroups: [""]          # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]  # subresource used by "kubectl logs"; not covered by "pods"
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
  resources: ["secrets"]   # get/list reveal every Secret value in the namespace
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get", "list", "watch"]

Then apply the Role:

kubectl apply -f role.yaml

This creates the dev-member Role, which carries the basic permissions a developer needs to deploy on Kubernetes. Add or remove rules in role.yaml to suit your requirements, but keep two things in mind. First, get and list on secrets expose every Secret value in the namespace. Second, even without that rule, anyone who can create pods or update deployments in a namespace can read any Secret in it by mounting the Secret into a pod they control, so if a Secret must stay hidden from developers it belongs in a namespace they cannot deploy to, not merely outside their RBAC rules.

Second, bind the newly created Role to a user with a Kubernetes RoleBinding.

Create rolebinding.yaml with the following configuration and save it.

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: dev-member-binding
  namespace: development   # the binding only grants inside this namespace
subjects:
# Google Cloud user account; the name is the account's e-mail address, exactly as written
- kind: User
  name: abc@xyz.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: dev-member
  apiGroup: rbac.authorization.k8s.io

(You can also bind service accounts (kind: ServiceAccount, which additionally takes a namespace field) and groups (kind: Group; on GKE, binding Google Groups requires the Google Groups for RBAC feature to be enabled on the cluster). Check the Kubernetes RBAC docs for more details.)

Then apply the RoleBinding:

kubectl apply -f rolebinding.yaml

That's it: abc@xyz.com now has the basic permissions needed to deploy in the development namespace on GKE, and nothing in any other namespace. Verify it from an admin account with kubectl auth can-i, impersonating the user via --as: deleting deployments in development should answer no, getting pods in development should answer yes, and getting pods in any other namespace should answer no. If a check unexpectedly answers yes, look at the user's IAM roles first, because an IAM grant cannot be overridden by RBAC.
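To see how the two manifests above are actually evaluated, and where the least-privilege gap lies, here is an added example (my own code, not part of the original post): a small offline model of the RBAC decision, plus GKE's rule that a request succeeds if either IAM or RBAC allows it. The Role and RoleBinding are the ones above transcribed as Python dicts. The container.<resource>.<verb> IAM permission naming is a simplified model of GKE's mapping, and BROAD_IAM_ROLE is a constructed, illustrative permission set standing in for a predefined role that covers Kubernetes objects.

```python
"""Offline model of how the dev-member Role/RoleBinding are evaluated, and of
GKE's rule that a request succeeds if either IAM or RBAC allows it.
Added example; manifests transcribed from the post, IAM naming simplified."""

# The Role from role.yaml, as a dict (same rules, same namespace).
ROLE = {
    "kind": "Role",
    "metadata": {"namespace": "development", "name": "dev-member"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods"],
         "verbs": ["get", "list", "watch", "create", "update", "delete"]},
        {"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "update", "patch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps"], "resources": ["replicasets"], "verbs": ["get", "list", "watch"]},
    ],
}

# The RoleBinding from rolebinding.yaml.
ROLEBINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "dev-member-binding", "namespace": "development"},
    "subjects": [{"kind": "User", "name": "abc@xyz.com",
                  "apiGroup": "rbac.authorization.k8s.io"}],
    "roleRef": {"kind": "Role", "name": "dev-member",
                "apiGroup": "rbac.authorization.k8s.io"},
}

ROLES = {(ROLE["metadata"]["namespace"], ROLE["metadata"]["name"]): ROLE}
BINDINGS = [ROLEBINDING]

# The custom IAM role from the first step: cluster-connect permissions only.
CUSTOM_IAM_ROLE = {"container.clusters.get", "container.clusters.list",
                   "resourcemanager.projects.get"}
# Constructed for contrast (illustrative subset, not a real role definition): an IAM
# grant that also reaches Kubernetes objects, as broad predefined GKE roles do.
BROAD_IAM_ROLE = CUSTOM_IAM_ROLE | {"container.secrets.get", "container.secrets.list",
                                    "container.deployments.delete"}


def _match(allowed, value):
    """RBAC list entries are exact matches, except that "*" matches anything."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, group, resource):
    """One PolicyRule covers a request only if apiGroup, resource and verb all match.
    Subresources such as "pods/log" must be listed explicitly: "pods" does not
    grant "pods/log"."""
    return (_match(rule["apiGroups"], group)
            and _match(rule["resources"], resource)
            and _match(rule["verbs"], verb))


def rbac_allows(user, verb, group, resource, namespace, roles=ROLES, bindings=BINDINGS):
    """RBAC is purely additive: allow if any Role bound to the user in that
    namespace has a matching rule. There are no deny rules."""
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue  # a RoleBinding only grants inside its own namespace
        if not any(s["kind"] == "User" and s["name"] == user for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        if ref["kind"] != "Role":
            continue  # ClusterRole references are outside this small model
        role = roles.get((namespace, ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        if any(rule_allows(rule, verb, group, resource) for rule in role["rules"]):
            return True
    return False


def iam_permission_for(verb, resource):
    """Simplified model of how GKE maps a Kubernetes request onto an IAM permission
    named container.<resource>.<verb>; subresources are collapsed onto their parent
    here, which is an approximation of the real mapping."""
    return f"container.{resource.split('/')[0]}.{verb}"


def gke_allows(user, verb, group, resource, namespace, iam_permissions,
               roles=ROLES, bindings=BINDINGS):
    """GKE authorizes a request if IAM *or* RBAC permits it, so a broad IAM grant
    cannot be narrowed by any RBAC Role."""
    return (iam_permission_for(verb, resource) in iam_permissions
            or rbac_allows(user, verb, group, resource, namespace, roles, bindings))


if __name__ == "__main__":
    user = "abc@xyz.com"
    checks = [("get", "", "pods", "development"),
              ("get", "", "pods/log", "development"),
              ("delete", "apps", "deployments", "development"),
              ("get", "", "secrets", "development"),
              ("list", "", "secrets", "production")]
    for verb, group, resource, ns in checks:
        print(f"{verb:6} {resource:12} in {ns:12}: "
              f"rbac={rbac_allows(user, verb, group, resource, ns)!s:5} "
              f"custom-iam={gke_allows(user, verb, group, resource, ns, CUSTOM_IAM_ROLE)!s:5} "
              f"broad-iam={gke_allows(user, verb, group, resource, ns, BROAD_IAM_ROLE)}")
```

Running it prints one line per check. With the custom IAM role the answers are exactly what RBAC says, including the two points worth noticing: get secrets in development is allowed by the Role as written, and nothing is allowed in production. With the broad IAM set, secrets become readable in every namespace and deployments deletable despite the Role, which is why the post keeps the IAM role down to connect-only permissions.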