how to give namespace access to a user in gke?

11/6/2019

I have a google kubernetes engine cluster with multiple namespaces. Different applications are deployed on each of these namespaces. Is it possible to give a user complete access to a single namespace only?

-- user12075171
access
google-cloud-platform
google-kubernetes-engine
kubernetes
namespaces

2 Answers

11/6/2019

Yes, Kubernetes has a built-in RBAC system that integrates with Cloud IAM so that you can control access to individual clusters and namespaces for GCP users.

  1. Create a Kubernetes Role
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: YOUR_NAMESPACE
  name: ROLE_NAME
rules:
- apiGroups: [""] # "" indicates the core API group
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
  1. Create a Kubernetes RoleBinding
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: ROLE_NAME-binding
  namespace: YOUR_NAMESPACE
subjects:
# GCP user account
- kind: User
  name: janedoe@example.com

Reference

-- Travis Webb
Source: StackOverflow

11/6/2019

You can bind the user to the cluster-admin role using a Rolebinding in your namespace of choice. As specified in the documentation, cluster-admin:

Allows super-user access to perform any action on any resource. When used in a ClusterRoleBinding, it gives full control over every resource in the cluster and in all namespaces. When used in a RoleBinding, it gives full control over every resource in the rolebinding's namespace, including the namespace itself.

For example:

kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example
  namespace: yournamespace
subjects:
- kind: User
  name: example-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
-- Alassane Ndiaye
Source: StackOverflow