Can Namespace level permissions be set with Google Cloud IAM on GKE?


Kubernetes RBAC can be used to give permissions to a subject in a particular Namespace. Can the same be accomplished with Cloud IAM?

-- dippynark

2 Answers


If I got your point correctly that:

The IAM roles for a GKE kubernetes cluster are very simple, "Admin, Read/Write, Read". But you need more fine-grained control over the kubernetes cluster.

In this case:

There's a new "Alpha" feature in Google Cloud's IAM which wasn't available previously.

Under IAM > Roles

You can now create custom IAM roles with your own subset of permissions.

You can create a minimal role which allows for example gcloud container clusters get-credentials to work, but nothing else, allowing permissions within the kubernetes cluster to be fully managed by RBAC.

It will allow you to get more fine-grained access configurations for kubernetes cluster.

-- Abdul Rehman
Source: StackOverflow


Not at the moment, no. IAM is used to assign and verify permissions when interacting with GCP APIs. IAM can only provide access to the GKE API, which does not take into account namespaces.

As you mentioned, RBAC is your option for more granular permissions within the cluster

-- Patrick W
Source: StackOverflow