Can Namespace level permissions be set with Google Cloud IAM on GKE?

10/17/2018

Kubernetes RBAC can be used to give permissions to a subject in a particular Namespace. Can the same be accomplished with Cloud IAM?

-- dippynark
google-cloud-platform
google-kubernetes-engine
kubernetes

2 Answers

10/18/2018

If I got your point correctly:

The IAM roles for a GKE Kubernetes cluster are very simple ("Admin", "Read/Write", "Read"), but you need more fine-grained control over the Kubernetes cluster.

In this case:

There's a new "Alpha" feature in Google Cloud's IAM which wasn't available previously.

Under IAM > Roles

You can now create custom IAM roles with your own subset of permissions.

You can create a minimal role which allows, for example, gcloud container clusters get-credentials to work but nothing else, allowing permissions within the Kubernetes cluster to be fully managed by RBAC.

It will allow you to get more fine-grained access configurations for the Kubernetes cluster.

-- Abdul Rehman
Source: StackOverflow

10/17/2018

Not at the moment, no. IAM is used to assign and verify permissions when interacting with GCP APIs. IAM can only provide access to the GKE API, which does not take into account namespaces.

As you mentioned, RBAC is your option for more granular permissions within the cluster.

-- Patrick W
Source: StackOverflow
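The split that both answers describe, a minimal Cloud IAM custom role that only lets a user fetch cluster credentials, with all namespace scoping done by Kubernetes RBAC, as an added example that is not part of either answer. The project id my-project, role id gkeCredentialsOnly, cluster my-cluster, zone us-central1-a, namespace team-a and user alice@example.com are constructed placeholders; the gcloud and kubectl invocations use only documented flags.

```shell
#!/usr/bin/env sh
# Added example, not code from the original answers.
# Pattern: Cloud IAM grants only the ability to reach the cluster
# (container.clusters.get), Kubernetes RBAC decides what the identity may do,
# and only inside one namespace.
# All identifiers below (project, role id, cluster, zone, namespace, user)
# are constructed placeholders.

# Print the gcloud commands that create the custom role and bind it to a user.
# container.clusters.get is what "gcloud container clusters get-credentials"
# needs; no other GKE permission is granted through IAM.
iam_minimal_role_commands() {
  project="$1"; role_id="$2"; member_email="$3"
  cat <<EOF
gcloud iam roles create ${role_id} --project=${project} \\
  --title="GKE credential fetch only" \\
  --description="Allows get-credentials; in-cluster access is governed by RBAC" \\
  --permissions=container.clusters.get --stage=ALPHA
gcloud projects add-iam-policy-binding ${project} \\
  --member=user:${member_email} \\
  --role=projects/${project}/roles/${role_id}
EOF
}

# Emit a namespaced Role and RoleBinding (not ClusterRole/ClusterRoleBinding)
# so the Google identity can only act inside the given namespace.
render_namespace_rbac() {
  namespace="$1"; member_email="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-editor
  namespace: ${namespace}
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch", "create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-editor-binding
  namespace: ${namespace}
subjects:
- kind: User
  name: ${member_email}   # GKE presents the Google account email as the username
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-editor
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Guard used before applying: reject a manifest (read from stdin) that contains
# any cluster-scoped RBAC object, which would widen access beyond the namespace.
# Returns 0 when every object is namespaced.
rbac_is_namespaced() {
  ! grep -Eq '^kind: Cluster(Role|RoleBinding)$'
}

# Only talk to real APIs when explicitly asked and the tools are installed.
if [ "${1:-}" = "apply" ] && command -v gcloud >/dev/null 2>&1 && command -v kubectl >/dev/null 2>&1; then
  iam_minimal_role_commands my-project gkeCredentialsOnly alice@example.com | sh
  gcloud container clusters get-credentials my-cluster --zone=us-central1-a --project=my-project
  render_namespace_rbac team-a alice@example.com > /tmp/team-a-rbac.yaml
  rbac_is_namespaced < /tmp/team-a-rbac.yaml && kubectl apply -f /tmp/team-a-rbac.yaml
  # Verify the effective scope: allowed in team-a, denied elsewhere.
  kubectl auth can-i list pods -n team-a --as alice@example.com
  kubectl auth can-i list pods -n kube-system --as alice@example.com
fi
```

Run with the argument apply on a workstation that has gcloud and kubectl; without it the script only defines the functions. The two kubectl auth can-i calls are the check worth keeping: the first should print yes, the second no. Note that this only holds while the user has no other GKE IAM role on the project; the predefined Kubernetes Engine roles grant Kubernetes permissions across every namespace through IAM, so any such binding overrides the narrower RoleBinding.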