How do I relate GCP users to GKE Kubernetes users, for authentication and subsequent authorization?

3/28/2019

I am using GKE Kubernetes in GCP. I am new to GCP, GKE, and kubectl. I am trying to create new Kubernetes users in order to assign them ClusterRoleBindings, and then login (kubectl) as those users.

I do not see the relationship between GCP users and Kubernetes "users" (I do understand there's no User object type in Kubernetes).

According to https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview , Kubernetes user accounts are Google Accounts.

Accordingly, I created some Google accounts and then associated them with my GCP account via IAM. I can see these accounts fine in IAM.

Then I performed gcloud auth login on those new users, and I could see them in gcloud auth list. I then tried accessing gcloud resources (gcloud compute disks list) as my various users. This worked as expected - the GCP user permissions were respected.

I then created a Kubernetes UserRole. Next step was to bind those users to those Roles, with a UserRoleBinding.

ClusterRole.yaml (creates fine):

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  # "namespace" omitted since ClusterRoles are not namespaced
  name: cluster-role-pod-reader-1
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

ClusterRoleBinding.yaml (creates fine):

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: cluster-role-binding-pod-reader-1
subjects:
- kind: User
  name: MYTESTUSER@gmail.com  # not real userid
  apiGroup: rbac.authorization.k8s.io
roleRef: 
  kind: ClusterRole
  name: cluster-role-pod-reader-1
  apiGroup: rbac.authorization.k8s.io

In Kubernetes, I could create bindings, but my first problem is that I could create a UserRoleBinding between an existing UserRole and a non-existent user. I would have thought that would fail. It means I'm missing something important.

My second problem is I do not know how to login to kubectl as one of the new users.

Overall I'm missing the connection between GCP/IAM users and GKE users. Help would be much appreciated!

-- Marc Riehm
google-cloud-platform
google-kubernetes-engine
kubernetes

1 Answer

3/29/2019

Kubernetes doesn't have a user database. Users live outside the cluster and are usually controlled by the cloud provider.

If you're using GKE, the users are controlled by the GCP IAM. Therefore you can't list users with kubectl.

You can create service accounts though. However, it is important to understand the difference between service accounts and users. Users are for real people, while service accounts are for processes inside and outside Kubernetes.

When you create a ClusterRoleBinding, this means to Kubernetes:

If a user with the username MYTESTUSER@gmail.com enters the cluster, bind him to the ClusterRole cluster-role-pod-reader-1

To use Kubernetes with the GCP IAM users, you have to do the following:

  • add the user to IAM
  • add him to the role roles/container.viewer
  • create the RoleBinding/ClusterRoleBinding of your choice

You can list the respective IAM roles (not to be mistaken for RBAC roles) with this command:

gcloud iam roles list | grep 'roles/container\.' -B2 -A2

With the principle of least privilege in mind, you should grant your user only the minimal rights to log in to the cluster. The other IAM roles (except for roles/container.clusterAdmin) will automatically grant access with higher privileges to objects inside all clusters of your project.

RBAC allows just the addition of privileges; therefore you should choose the IAM role with the least privileges and add the required privileges via RBAC on top.

-- Randy
Source: StackOverflow
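The answer's two points, that a ClusterRoleBinding to a User only takes effect once that principal can reach the cluster through an IAM roles/container.* role, and that the IAM side should stay at roles/container.viewer with extra rights layered on via RBAC, can be checked mechanically. The script below is an added example, not code from the question, the answer, or Google; it cross-references a project IAM policy with the cluster's ClusterRoleBindings and reports RBAC User subjects that no IAM container role admits (the "binding to a non-existent user" case from the question) and IAM users holding more than the viewer role. Both JSON inputs are constructed samples shaped like the output of `gcloud projects get-iam-policy PROJECT_ID --format=json` and `kubectl get clusterrolebindings -o json`; `PROJECT_ID` and the e-mail addresses are placeholders, and treating only roles/container.* as cluster-entry roles follows the answer (basic roles such as roles/editor would need to be added to the check if your project uses them).

```python
"""Added example: cross-check GKE RBAC User subjects against the project's IAM policy.

An RBAC ClusterRoleBinding only matters for a principal who can actually enter
the cluster, i.e. who holds a roles/container.* IAM role. This script flags
bindings to users who cannot enter (dangling) and IAM users who hold more than
roles/container.viewer (candidates for least privilege + RBAC instead).
All inputs are constructed samples; PROJECT_ID is a placeholder.
"""
import json
from typing import Dict, List

# Constructed sample shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
IAM_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/container.viewer", "members": ["user:alice@example.com"]},
    {"role": "roles/container.admin",  "members": ["user:bob@example.com"]},
    {"role": "roles/logging.viewer",   "members": ["user:carol@example.com",
                                                   "serviceAccount:ci@example.iam.gserviceaccount.com"]}
  ],
  "etag": "BwConstructedEtag=",
  "version": 1
}
"""

# Constructed sample shaped like `kubectl get clusterrolebindings -o json` (trimmed).
RBAC_JSON = """
{
  "items": [
    {"metadata": {"name": "cluster-role-binding-pod-reader-1"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-role-pod-reader-1"},
     "subjects": [{"kind": "User", "name": "alice@example.com"},
                  {"kind": "User", "name": "dave@example.com"}]},
    {"metadata": {"name": "carol-pod-reader"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-role-pod-reader-1"},
     "subjects": [{"kind": "User", "name": "carol@example.com"},
                  {"kind": "ServiceAccount", "name": "default", "namespace": "default"}]}
  ]
}
"""

CONTAINER_ROLE_PREFIX = "roles/container."
ENTRY_ROLE = "roles/container.viewer"   # minimal IAM role that lets a user reach the API server
PROJECT_ID = "PROJECT_ID"               # placeholder, not a real project


def container_roles_by_user(policy: dict) -> Dict[str, List[str]]:
    """Map each IAM 'user:' principal (e-mail only) to its roles/container.* roles.

    Only user principals are considered: Kubernetes ServiceAccount subjects and
    IAM service accounts are a different kind of identity, as the answer notes.
    """
    roles: Dict[str, List[str]] = {}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if not role.startswith(CONTAINER_ROLE_PREFIX):
            continue
        for member in binding.get("members", []):
            if member.startswith("user:"):
                roles.setdefault(member[len("user:"):], []).append(role)
    return {user: sorted(r) for user, r in roles.items()}


def rbac_users(crb_list: dict) -> List[str]:
    """Collect every distinct User subject named by any ClusterRoleBinding."""
    users = set()
    for crb in crb_list.get("items", []):
        for subject in crb.get("subjects") or []:   # subjects may be absent/null
            if subject.get("kind") == "User":
                users.add(subject["name"])
    return sorted(users)


def fix_command(email: str) -> str:
    """gcloud command that grants the minimal entry role to a dangling RBAC user."""
    return (f"gcloud projects add-iam-policy-binding {PROJECT_ID} "
            f"--member=user:{email} --role={ENTRY_ROLE}")


def audit(policy: dict, crb_list: dict) -> dict:
    """Return RBAC users without cluster entry, RBAC users with entry, and over-privileged IAM users."""
    iam = container_roles_by_user(policy)
    subjects = rbac_users(crb_list)
    dangling = [u for u in subjects if u not in iam]
    ok = [u for u in subjects if u in iam]
    over = {u: [r for r in rs if r != ENTRY_ROLE] for u, rs in sorted(iam.items())}
    over = {u: rs for u, rs in over.items() if rs}
    return {"dangling": dangling, "ok": ok, "over_privileged": over}


def run_audit() -> dict:
    """Run the audit over the embedded constructed samples."""
    return audit(json.loads(IAM_POLICY_JSON), json.loads(RBAC_JSON))


if __name__ == "__main__":
    report = run_audit()
    for user in report["dangling"]:
        print(f"RBAC binding for {user} is inert (no roles/container.* role); fix: {fix_command(user)}")
    for user, roles in report["over_privileged"].items():
        print(f"{user} holds {roles}: more than {ENTRY_ROLE}; prefer viewer plus an RBAC binding")
```

On the samples, alice is the only RBAC subject who can actually enter the cluster; carol (only roles/logging.viewer) and dave (absent from IAM) are the silently inert bindings the question ran into, and bob's roles/container.admin is the case the answer warns about, where IAM alone already grants broad in-cluster rights regardless of RBAC. To run it against a real project, replace the two sample strings with the saved output of the two commands named in the lead-in.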