Context
Access to a Google Cloud (GKE) kubernetes cluster is managed through the Google Cloud IAM feature;
An admin invites a new user (using their google account/login) and assigns them a role.
The example role below is "Container Engine Viewer", which will allow the user to access the kubernetes cluster and run all "view" operations.
The User can use the
gcloud auth loginon their local machine followed bygcloud container clusters get-credentialsto authenticate to Google IAM and have thegcloudtool write them out a kubernetes config file, ready to use the cluster.Users can then use
kubectlto access the cluster. With the example above, reads work... writes/changes dont; all good!
The Problem
The IAM roles for a GKE kubernetes cluster are very simple, "Admin, Read/Write, Read".
For more fine-grained control over the kubernetes cluster, Kubernetes RBAC should be used within the cluster, allowing me to restrict a user to a single namespace, single API endpoint, single action, etc.
However, without specifying an IAM role for the user; the user has no way of authenticating to the cluster (RBAC is authorization, not authentication).
Yet, the Lowest permission IAM role I can set is "Container Engine Viewer", so regardless of the restrictions I implement with Kubernetes RBAC, All my users still have full read access.
Question
Has anyone found a way to ensure all permissions in GKE are coming from RBAC, basically nullifying the permissions from IAM?
