Open in app

Sign in

Write

Sign in

Kubernetes role-based access control (RBAC) with Google Cloud IAM

Dharmik Chauhan
2 min readApr 7, 2021

Whenever it comes to set user access and permissions for your GKE clusters on google cloud, you have two options:

  1. Use Google Cloud IAM
  2. Use Kubernetes RBAC

Google Cloud IAM is not specific to Kubernetes, it has wide verity of roles and permissions on Google Cloud Product level and is per project.

On the other hand, if you need more refined roles and permissions that can be applied to your Kubernetes objects or type of objects on cluster level, RBAC is the best match.

But it’s bit complex to have both Cloud IAM and Kubernetes RBAC and getting best out of it.

Here I have tried to explain the easiest way to configure Kubernetes RBAC on GKE by considering PRINCIPLE OF LEAST PRIVILEGES.

Setup access permissions on Google Cloud IAM:

Go to Google Cloud Console -> Cloud IAM -> Create Role, and add following access permission.

container.clusters.get
container.clusters.list
resourcemanager.projects.get

This will give browse current Project access, and basic view and connect to Kubernetes clusters access.

Setup access permission on Kubernetes RBAC:

First create Kubernetes Role, so that it can be assigned to different users, connect to your cluster then create role.yaml file and add following configuration and save.
(There are two types of role in Kubernetes “Role” and “ClusterRole”, we will be using “Role” for our setup. Check Kubernetes doc for more info.)

apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: dev-member
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "update", "patch"]
- apiGroups: [""]
  resources: ["secrets"]
  verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
  resources: ["replicasets"]
  verbs: ["get", "list", "watch"]

Then apply role:

kubectl apply -f role.yaml

This will create dev-member Role in RBAC. Which has basic access permission that required for any developer to do deployments on Kubernetes. You can add/remove rules in above role.yaml file as per your requirements.

Second, bind this newly created role to user, through Kubernetes RoleBinding.

Create rolebinding.yaml, and add following configuration and save.

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: dev-member-binding
  namespace: development
subjects:
# Google Cloud user account
subjects:
- kind: User
  name: abc@xyz.com
  namespace: development
roleRef:
  kind: Role
  name: dev-member
  apiGroup: rbac.authorization.k8s.io

(You can also add service accounts, group accounts etc. Check Kubernetes RBAC doc for more details.)

Then apply rolebinding:

kubectl apply -f rolebinding.yaml

Thats it, abc@xyz.com user has all basic access for deployment on GKE.

Gke
Kubernetes
Rbac Access Control
Rbac

--

--

Dharmik Chauhan

Written by Dharmik Chauhan

4 Followers

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams