I have a google kubernetes engine cluster with multiple namespaces. Different applications are deployed on each of these namespaces. Is it possible to give a user complete access to a single namespace only?
Yes, Kubernetes has a built-in RBAC system that integrates with Cloud IAM so that you can control access to individual clusters and namespaces for GCP users.
Rolekind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: YOUR_NAMESPACE
name: ROLE_NAME
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["pods"]
verbs: ["get", "watch", "list"]RoleBindingkind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: ROLE_NAME-binding
namespace: YOUR_NAMESPACE
subjects:
# GCP user account
- kind: User
name: janedoe@example.comReference
You can bind the user to the cluster-admin role using a Rolebinding in your namespace of choice. As specified in the documentation, cluster-admin:
Allows super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the rolebinding's namespace, including the namespace itself.
For example:
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: example
namespace: yournamespace
subjects:
- kind: User
name: example-user
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io