IAM and RBAC Conflicts on Google Cloud Container Engine (GKE)

8/29/2017

Context

Access to a Google Cloud (GKE) kubernetes cluster is managed through the Google Cloud IAM feature;

  1. An admin invites a new user (using their google account/login) and assigns them a role.

    The example role below is "Container Engine Viewer", which will allow the user to access the kubernetes cluster and run all "view" operations.

  2. The User can use the gcloud auth login on their local machine followed by gcloud container clusters get-credentials to authenticate to Google IAM and have the gcloud tool write them out a kubernetes config file, ready to use the cluster.

  3. Users can then use kubectl to access the cluster. With the example above, reads work... writes/changes dont; all good!

The Problem

The IAM roles for a GKE kubernetes cluster are very simple, "Admin, Read/Write, Read".

For more fine-grained control over the kubernetes cluster, Kubernetes RBAC should be used within the cluster, allowing me to restrict a user to a single namespace, single API endpoint, single action, etc.

However, without specifying an IAM role for the user; the user has no way of authenticating to the cluster (RBAC is authorization, not authentication).

Yet, the Lowest permission IAM role I can set is "Container Engine Viewer", so regardless of the restrictions I implement with Kubernetes RBAC, All my users still have full read access.

Question

Has anyone found a way to ensure all permissions in GKE are coming from RBAC, basically nullifying the permissions from IAM?

-- Matt Johnson
google-compute-engine
google-iam
google-kubernetes-engine
kubernetes
kubernetes-security

1 Answer

8/29/2017

Weird how writing out the problem gets you to an answer sooner huh?

Theres a new "Alpha" feature in Google Cloud's IAM which wasn't there last time I tried to tackle this problem;

Under IAM > Roles, you can now create custom IAM roles with your own subset of permissions.

I created a minimal role which allows gcloud container clusters get-credentials to work, but nothing else, allowing permissions within the kubernetes cluster to be fully managed by RBAC.

Initial testing looks good.

IAM Role Screenshots (with the permissions needed) below.

Minimal IAM role with GKE cluster access

New IAM roles alpha functionality

-- Matt Johnson
Source: StackOverflow