How do permissions in a GCloud IAM role get implemented in a kubernetes cluster?

3/22/2019

I am running a Kubernetes application on GKE. In the GCP IAM console, I can see several built-in roles, e.g. Kubernetes Engine Admin. Each role has an ID and permissions associated with it; for example, Kubernetes Engine Admin has ID roles/container.admin and ~300 permissions, each something like container.apiServices.create.

In the kubernetes cluster, I can run:

kubectl get clusterrole | grep -v system:  # exclude system roles

This returns the following:

NAME                                                                   AGE
admin                                                                  35d
cloud-provider                                                         35d
cluster-admin                                                          35d
cluster-autoscaler                                                     35d
edit                                                                   35d
gce:beta:kubelet-certificate-bootstrap                                 35d
gce:beta:kubelet-certificate-rotation                                  35d
gce:cloud-provider                                                     35d
kubelet-api-admin                                                      35d
view                                                                   35d

I do not see any roles in this table that reflect the roles in GCP IAM.

That being the case, how are the GCP IAM roles implemented/enforced in a cluster? Does Kubernetes talk to GCP, in addition to using RBAC, when doing permissions checks?

-- fprog
google-cloud-platform
google-iam
google-kubernetes-engine
kubernetes
rbac

2 Answers

3/25/2019

The RBAC system lets you exercise fine-grained control over how users access the API resources running on your cluster. You can use RBAC to dynamically configure permissions for your cluster's users and define the kinds of resources with which they can interact.

Moreover, GKE also uses Cloud Identity and Access Management (IAM) to control access to your cluster.

Hope this helps!

-- Adrian nieto macias
Source: StackOverflow

3/25/2019

RBAC inherits permissions from IAM, so be careful with that. If you set a cluster-admin permission, for example, in IAM, you will have no way to give fewer permissions through RBAC.

If you want to use RBAC, you will need to set the lowest permission for the user (given your use case), and then granularly manage the permissions through RBAC.

-- suren
Source: StackOverflow
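The two-step approach this answer describes, as an added example that is not from the question or either answer: the user is given only a minimal IAM role at the project level, and the actual permissions are then granted in-cluster with a namespaced RBAC Role and RoleBinding. The namespace `team-a`, the user `alice@example.com` and the `PROJECT_ID` placeholder are assumptions for illustration; `roles/container.clusterViewer` and the `rbac.authorization.k8s.io/v1` resources are real.

```yaml
# Added example (not from the question or answers): pairing a minimal GKE IAM
# role with a least-privilege, namespaced Kubernetes RBAC Role.
#
# Step 1 (IAM, outside this manifest): grant the user only enough to fetch
# cluster credentials, instead of roles/container.admin:
#   gcloud projects add-iam-policy-binding PROJECT_ID \
#     --member=user:alice@example.com --role=roles/container.clusterViewer
#
# Step 2 (RBAC, this manifest): grant the fine-grained permissions in-cluster.
# team-a, alice@example.com and PROJECT_ID are assumed placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: team-a
  name: pod-reader
rules:
  # Read-only access to pods and their logs, in the team-a namespace only
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: team-a
  name: alice-pod-reader
subjects:
  # GKE presents a Google account to the API server as a User whose name is
  # the account's e-mail address
  - kind: User
    name: alice@example.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

Apply the manifest with `kubectl apply -f pod-reader.yaml`, then confirm the RBAC side of the grant with `kubectl auth can-i list pods --namespace team-a --as alice@example.com` (expected `yes`) and `kubectl auth can-i delete pods --namespace team-a --as alice@example.com` (expected `no`). The RoleBinding only narrows access if the IAM grant was kept minimal; a project-level `roles/container.admin` binding would still let the same user do everything regardless of this manifest, which is the point the answer makes.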