GKE: View details about one's permissions

9/2/2019

I am interacting with a GKE cluster and trying to understand what my permissions are.

➢  kubectl get roles --all-namespaces
NAMESPACE      NAME                                             AGE
istio-system   istio-ingressgateway-sds                         38d
kube-public    system:controller:bootstrap-signer               38d
kube-system    cloud-provider                                   38d
kube-system    extension-apiserver-authentication-reader        38d
kube-system    gce:cloud-provider                               38d
kube-system    sealed-secrets-key-admin                         38d
kube-system    system::leader-locking-kube-controller-manager   38d
kube-system    system::leader-locking-kube-scheduler            38d
kube-system    system:controller:bootstrap-signer               38d
kube-system    system:controller:cloud-provider                 38d
kube-system    system:controller:token-cleaner                  38d
kube-system    system:fluentd-gcp-scaler                        38d
kube-system    system:pod-nanny                                 38d

However, I do not see any role associated with me.

How am I interacting with the k8s cluster?

How can I see whoami and what are my permissions?

-- pkaramol
google-cloud-platform
google-kubernetes-engine
kubernetes
kubernetes-security

1 Answer

9/2/2019

The command and output you are sharing refer to Kubernetes RBAC Authorization (not exclusive to GKE). You can find the definition for each role HERE.

If you want to be specific to GKE, you can use both Cloud Identity and Access Management and Kubernetes RBAC to control access to your GKE cluster.

Cloud IAM is not specific to Kubernetes; it provides identity management for multiple Google Cloud Platform products, and operates primarily at the level of the GCP project.

Kubernetes RBAC is a core component of Kubernetes and allows you to create and grant roles (sets of permissions) for any object or type of object within the cluster. You can find more information on how RBAC integrates with GKE HERE.

You don't see any roles associated with you because you are querying the roles for all the namespaces, and most likely you haven't defined a single one.

You are interacting with your cluster from the Cloud Shell. Before connecting to your cluster you must have run the following command:

gcloud container clusters get-credentials CLUSTER_NAME --zone ZONE --project PROJECT_ID

You authenticate to the cluster using the same user you authenticate with to log in to GCP. More information on authentication for kubectl HERE.

You can get role bindings and cluster roles based on namespace or resource, as seen in my example commands.

kubectl get rolebinding ROLEBINDING_NAME -o yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"rbac.authorization.k8s.io/v1","kind":"RoleBinding","metadata":{"annotations":{},"name":"pod-reader-binding","namespace":"default"},"roleRef":{"apiGroup":"rbac.authorization.k8s.io","kind":"Role","name":"pod-reader"},"subjects":[{"kind":"User","name":"example@foo.com"},{"kind":"ServiceAccount","name":"johndoe"},{"kind":"User","name":"test-account@example.google.com.iam.gserviceaccount.com"},{"kind":"Group","name":"accounting-group@example.com"}]}
  creationTimestamp: xxxx-xx-xxxx:xx:xxZ
  name: pod-reader-binding
  namespace: default
  resourceVersion: "1502640"
  selfLink: /apis/rbac.authorization.k8s.io/v1/namespaces/default/rolebindings/pod-reader-binding
  uid: de1775dc-cd85-11e9-a07d-42010aa800c2
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: pod-reader
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: example@foo.com

In the above example my user [example@foo.com] is a member of APIGroup [rbac.authorization.k8s.io], so his actions on the pod will be limited by the permissions he is given with RBAC. For example, if you want to give this user read access you need to specify the following line in the YAML:

verbs: ["get", "watch", "list"]

Finally, there are many predefined GKE roles that grant different permissions to GCP users or service accounts. You can find each role and its permissions HERE.

-- Ernesto U
Source: StackOverflow