Access GKE without Project

This article shows how to let someone access your GKE cluster without adding them to your Google Cloud project.

Prerequisite: your cluster must have RBAC enabled.

User Step

1. Install the gcloud SDK

2. Log in with gcloud application default credentials

$ gcloud auth application-default login

3. Create new K8S credential config

$ kubectl config set-credentials username --auth-provider=gcp

4. Create new K8S cluster config

$ kubectl config set-cluster cluster-name --server=https://cluster-master-ip --insecure-skip-tls-verify

5. Create new K8S context config

$ kubectl config set-context context-name --cluster=cluster-name --user=username --namespace=user-namespace

6. Switch K8S context

$ kubectl config use-context context-name

7. Done!!! Now the user can reach your K8S API server, but still has no permissions:

$ kubectl get no
No resources found. Error from server (Forbidden): nodes is forbidden: User "username@gmail.com" cannot list nodes at the cluster scope: Required "container.nodes.list" permission.
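One thing a practitioner will want to change in step 4: `--insecure-skip-tls-verify` makes kubectl accept whatever answers at that address as the master, so the user's credentials and API traffic are not protected against a spoofed endpoint. The cluster admin can instead hand the user the cluster CA certificate (from `masterAuth.clusterCaCertificate` in `gcloud container clusters describe`, which the admin, not the project-less user, is able to run) and the user pins it. The script below is an added example, not code from the article: it writes the same cluster/user/context entries that steps 3 to 6 create, with the CA pinned instead of verification skipped. The server address, the CA certificate and the user name are assumed to be supplied by the admin; the placeholder values at the bottom are constructed and not a real cluster or certificate.

```python
# Added example, not from the original article: build the kubeconfig that the
# article's steps 3-6 produce, with the cluster CA pinned instead of
# --insecure-skip-tls-verify. The server address and CA certificate are
# assumed to be handed to the user by the cluster admin (a user with no IAM
# role on the project cannot fetch them with `gcloud container clusters
# describe` themselves).
import base64
import os
import stat


def build_kubeconfig(server, ca_pem, user_email, namespace,
                     cluster_name="cluster-name", context_name="context-name"):
    """Return kubeconfig text for one cluster/user/context with the CA pinned."""
    if not server.startswith("https://"):
        raise ValueError("API server address must use https://")
    if "-----BEGIN CERTIFICATE-----" not in ca_pem:
        raise ValueError("expected a PEM-encoded cluster CA certificate")
    # kubectl stores certificate-authority-data as base64 of the PEM bytes,
    # the same value `kubectl config set-cluster --certificate-authority=ca.crt
    # --embed-certs=true` would write.
    ca_b64 = base64.b64encode(ca_pem.encode("ascii")).decode("ascii")
    return f"""apiVersion: v1
kind: Config
clusters:
- name: {cluster_name}
  cluster:
    server: {server}
    certificate-authority-data: {ca_b64}
users:
- name: {user_email}
  user:
    # Plays the role of the article's --auth-provider=gcp; kubectl 1.26+
    # removed that in-tree provider and uses this exec plugin instead.
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: gke-gcloud-auth-plugin
      provideClusterInfo: true
contexts:
- name: {context_name}
  context:
    cluster: {cluster_name}
    user: {user_email}
    namespace: {namespace}
current-context: {context_name}
"""


def pinned_ca(kubeconfig_text):
    """Return the PEM the kubeconfig pins, or None if TLS verification is skipped."""
    for line in kubeconfig_text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "insecure-skip-tls-verify" and value == "true":
            return None
        if key == "certificate-authority-data":
            return base64.b64decode(value).decode("ascii")
    return None


def write_kubeconfig(path, text):
    """Write the file owner-readable only; it selects which credentials are used."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return path


# Constructed placeholder values, not a real cluster or certificate.
EXAMPLE_SERVER = "https://203.0.113.10"
EXAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-CA-CERTIFICATE-FROM-CLUSTER-ADMIN\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    cfg = build_kubeconfig(EXAMPLE_SERVER, EXAMPLE_CA_PEM,
                           "username@gmail.com", "user-namespace")
    print(cfg)
    print("pinned CA matches:", pinned_ca(cfg) == EXAMPLE_CA_PEM)
```

Save the output as the user's kubeconfig (or merge it with `KUBECONFIG=...:~/.kube/config kubectl config view --flatten`) and the `kubectl get no` check from step 7 behaves exactly as in the article, except that a wrong or spoofed endpoint now fails the TLS handshake instead of being silently trusted. `pinned_ca` is the check to run over any kubeconfig handed to you: it returns `None` when the file skips verification.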

Cluster Admin Step

1. You don’t have to do anything in the Google Cloud project :D (yay!!!)

2. Create a new Role or ClusterRole for your user

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: username
  namespace: user-namespace
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  - pods
  - secrets
  verbs:
  - create
  - get
  - list
  - update
  - delete
- apiGroups:
  - apps
  resources:
  - deployments
  - statefulsets
  verbs:
  - create
  - get
  - list
  - update
  - delete

3. Create role binding

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: username
  namespace: user-namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: username
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: User
  name: username@gmail.com

4. Done!!!!
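Before applying the Role and RoleBinding it is worth seeing exactly what they grant, and what they do not. The script below is an added example, not code from the article: it evaluates requests against the article's two objects (written here as Python dicts) the way `kubectl auth can-i --as=username@gmail.com` would, so the admin can confirm that the user is confined to `user-namespace`, that cluster-scoped requests such as the article's `kubectl get no` stay Forbidden, and that verbs not listed (for example `watch`) are not granted. The rule-matching and binding logic is a simplified model of the RBAC authorizer (no aggregated ClusterRoles, no Group subjects) and is an assumption of this example, not the project's code.

```python
# Added example, not from the original article: a small evaluator that answers
# "can this user do X?" against the article's Role and RoleBinding the way
# `kubectl auth can-i --as=username@gmail.com` would. Simplified model of the
# RBAC authorizer: User subjects, namespaced Roles, wildcard '*' support only.
ROLE = {
    "kind": "Role",
    "metadata": {"name": "username", "namespace": "user-namespace"},
    "rules": [
        {"apiGroups": [""], "resources": ["configmaps", "pods", "secrets"],
         "verbs": ["create", "get", "list", "update", "delete"]},
        {"apiGroups": ["apps"], "resources": ["deployments", "statefulsets"],
         "verbs": ["create", "get", "list", "update", "delete"]},
    ],
}

ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "username", "namespace": "user-namespace"},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "Role", "name": "username"},
    "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                  "kind": "User", "name": "username@gmail.com"}],
}


def _rule_allows(rule, api_group, resource, verb):
    """A rule matches when group, resource and verb are all listed (or '*')."""
    def hit(values, wanted):
        return "*" in values or wanted in values
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def can_i(user, verb, resource, namespace=None, api_group="",
          roles=(ROLE,), bindings=(ROLE_BINDING,)):
    """Return (allowed, reason). namespace=None is a cluster-scoped request
    (nodes, or pods across all namespaces); a namespaced Role can never
    satisfy one, only a ClusterRole bound by a ClusterRoleBinding could."""
    if namespace is None:
        return False, f"{verb} {resource} at cluster scope: nothing grants it to {user}"
    for binding in bindings:
        if binding["metadata"]["namespace"] != namespace:
            continue
        if not any(s["kind"] == "User" and s["name"] == user
                   for s in binding["subjects"]):
            continue
        ref = binding["roleRef"]
        for role in roles:
            if (ref["kind"] != role["kind"]
                    or ref["name"] != role["metadata"]["name"]
                    or role["metadata"]["namespace"] != namespace):
                continue
            for rule in role["rules"]:
                if _rule_allows(rule, api_group, resource, verb):
                    return True, f'allowed by Role {ref["name"]} in {namespace}'
    return False, f"{verb} {resource} in {namespace}: no RoleBinding grants it to {user}"


def effective_grants(user, namespace, roles=(ROLE,), bindings=(ROLE_BINDING,)):
    """Flatten what `user` may do in `namespace` into {resource: set(verbs)}."""
    grants = {}
    for role in roles:
        for rule in role["rules"]:
            for group in rule["apiGroups"]:
                for resource in rule["resources"]:
                    for verb in rule["verbs"]:
                        if can_i(user, verb, resource, namespace, group,
                                 roles, bindings)[0]:
                            key = f"{resource}.{group}" if group else resource
                            grants.setdefault(key, set()).add(verb)
    return grants


if __name__ == "__main__":
    checks = [
        ("list", "pods", "user-namespace", ""),
        ("list", "nodes", None, ""),          # the article's Forbidden error
        ("get", "secrets", "user-namespace", ""),
        ("get", "secrets", "default", ""),
        ("watch", "pods", "user-namespace", ""),
    ]
    for verb, resource, ns, group in checks:
        ok, why = can_i("username@gmail.com", verb, resource, ns, group)
        print("yes" if ok else "no ", why)
    print(effective_grants("username@gmail.com", "user-namespace"))
```

The flattened grants make one thing visible that the YAML hides in a list of verbs: `get` and `list` on `secrets` let this user read every Secret in `user-namespace`. If the user only needs to deploy workloads, drop `secrets` from the first rule or restrict it with `resourceNames`; the Role is the only thing standing between this account and the namespace's credentials, since there is no IAM role on the project at all.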