Limit access to a Kubernetes cluster on Google Cloud Platform

1/13/2018

We have created 2 different Kubernetes clusters on Google Cloud Platform, one for Development and the other for Production. Our team members have the "editor" role (so they can create, update, delete and list pods).

We want to limit access to the production cluster by using RBAC authorization provided by Kubernetes. I've created a ClusterRole and a ClusterRoleBinding, as follows:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: prod-all
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: access-prod-all
subjects:
- kind: User
  name: xxx@xxx.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: prod-all
  apiGroup: rbac.authorization.k8s.io

But the users already have an "editor" role (complete access to all the clusters). So I don't know if we should assign a simple "viewer" role and then extend it using Kubernetes RBAC.

I also want to know if there is a way to completely hide the production cluster from some users (our clusters are in the same project).

-- PhiloJunkie
google-cloud-platform
google-kubernetes-engine
kubernetes
kubernetes-security
rbac
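As an added example (not code from the question or the answer), the following manifests show a least-privilege alternative to the wildcard ClusterRole in the question: cluster-wide read-only access through the built-in `view` ClusterRole, plus a namespaced Role that grants pod operations only in one namespace. The user e-mail addresses, the `prod-app` namespace and the binding names are assumptions for illustration. The example also assumes the team's IAM role has been reduced to one that only allows fetching cluster credentials (for example `roles/container.clusterViewer`) rather than `editor`, because GKE authorizes a request when either IAM or Kubernetes RBAC allows it, so RBAC alone cannot remove what `editor` already grants.

```yaml
# Added example, not from the question or answer above. All names, e-mail
# addresses and the "prod-app" namespace are assumed values for illustration.
#
# Assumed IAM setup: users hold only an IAM role that lets them obtain cluster
# credentials (e.g. roles/container.clusterViewer), not "editor". GKE allows a
# request if EITHER IAM OR RBAC permits it, so RBAC can only be the limiting
# factor once IAM stops granting broad Kubernetes permissions.

# 1. The whole team may read (but not modify) the production cluster:
#    bind the built-in "view" ClusterRole cluster-wide.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: prod-read-only
subjects:
- kind: User                      # Google account e-mail (assumed value)
  name: alice@example.com
  apiGroup: rbac.authorization.k8s.io
- kind: User
  name: bob@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view                      # built-in read-only role; excludes Secrets
  apiGroup: rbac.authorization.k8s.io
---
# 2. A namespaced Role for pod lifecycle operations, valid only inside
#    "prod-app". No wildcards: each API group, resource and verb is listed,
#    so an audit shows exactly what was granted.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prod-app
  name: pod-operator
rules:
- apiGroups: [""]                 # core API group
  resources: ["pods"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods/log"]         # read container logs for troubleshooting
  verbs: ["get", "list"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "patch"]   # roll out images; no delete
---
# 3. Grant that Role only to the person who actually operates production.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: prod-app
  name: alice-pod-operator
subjects:
- kind: User
  name: alice@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-operator
  apiGroup: rbac.authorization.k8s.io
```

After applying the manifests with `kubectl apply -f`, a cluster administrator can confirm the intended boundaries with impersonation: `kubectl auth can-i delete pods -n prod-app --as=bob@example.com` should answer `no`, the same command with `--as=alice@example.com` should answer `yes`, and `kubectl auth can-i get secrets --as=alice@example.com` should answer `no` because the built-in `view` role deliberately excludes Secrets. Note that RBAC only governs what a user can do inside the cluster; it cannot hide the cluster's existence from users who can list clusters in the project, which is a project-level IAM concern.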

1 Answer

1/17/2018

If you are in an initial phase or you can manage to move your testing cluster, I would advise you to set up the clusters in two different projects.

This will create two completely different environments, and you will not have any kind of issues in the future: you automatically forbid the access to half of your resources, and you don't have to fear that something is misconfigured and your production is still reachable. When you need to grant something, you simply add that person to the project with the corresponding role.

Because maybe you succeed in blocking the cluster access using IAM and RBAC, but then you would need to deal with securing the access to the networking components, load balancers, firewalls, to the Compute Engine, etc.

Maybe at the beginning it is a lot of work, but in the long run it will save you a lot of issues.

This is the link for the official Google Cloud documentation about how to set up two clusters, of which one is in production.

-- GalloCedrone
Source: StackOverflow