Google Kubernetes Engine Authentication and Authorization between Cloud IAM and RBAC

kubernetes/identity/authn/authz

Ala Raddaoui
Published in The Startup
11 min read · Jun 15, 2020

If you have been using Kubernetes for a while, you probably know by now that Kubernetes offers no built-in mechanism for defining and managing users. Kubernetes stores no reference to users, or to the groups they belong to, in its object store, etcd. This lets admins integrate their organization's identity provider, and lets cloud providers integrate their own identity offerings such as Google Cloud Identity and Microsoft AD, so that those identities work with Kubernetes without having to be recreated or managed twice.
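Because the cluster stores no user objects, an RBAC binding simply names the identity that the cluster's authenticator (Google, on GKE) asserts on each request. The following is an added example, not from the original post; the namespace, the Google account alice@example.com and the Google Group gke-viewers@example.com are hypothetical, and using a Google Group as a subject assumes the GKE Google Groups for RBAC feature has been set up for the cluster.

```yaml
# Added example (not from the original post). All names are hypothetical.
# Kubernetes has no User or Group object: the subject names below are
# matched as plain strings against the identity the authenticator asserts
# on each API request (on GKE, the Google account email and group emails).
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: payments
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: payments
  name: read-pods
subjects:
- kind: User
  name: alice@example.com          # Google account email, as GKE presents it
  apiGroup: rbac.authorization.k8s.io
- kind: Group
  name: gke-viewers@example.com    # Google Group; needs Google Groups for RBAC on GKE
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

On GKE, Cloud IAM must separately allow the account to obtain cluster credentials at all; this binding only governs what the API server authorizes once the request arrives.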

In this blog we will go over the details of how users are created with Google Kubernetes Engine (GKE), and how Google Cloud IAM and RBAC play together to achieve a better authentication and authorization strategy for your cluster.

Some background

Every request made to Kubernetes is an API call that goes through the RESTful interface provided by the kube-apiserver. The same holds internally: when Kubernetes components such as the scheduler, the kubelets or kube-proxy want to change or retrieve cluster state from etcd to…


Cloud Solution Architect at Microsoft, digital nomad and fan of everything open source, smart and cloud native.