Simplifying Granular Access Control on Kubernetes(GKE) Using IAM and RBAC
Google Kubernetes Engine(GKE), a managed Kubernetes Engine provided by Google Cloud Platform is easy to use production grade service that enables to create and run K8s cluster in no time. Access control of GKE is well integrated with Cloud Identity & Access Management (IAM) which abstracts the authorization and authentication to Kubernetes cluster resources.
Few roles available on Cloud IAM for GKE are:
- GKE Admin
- GKE Developer
- GKE Viewer
- GKE Cluster Admin
But still Cloud IAM is not sufficient for granular access control because IAM works on project-level which cannot manage access to namespace level. For eg, if we have to grant access for user to view pods’ logs, edit deployment, edit configmap, this level cannot be controlled by IAM. For that, we need RBAC(Role Based Access Control). But if we use Cloud IAM and RBAC combined, we can configure secure way for authentication and authorization.
In this post, I am going to consider situation of granting Kubernetes pod log viewer access to a google account(G Suite or Gmail or Service Account) with Cloud IAM authentication for cluster credentials and RBAC for log only view access to the same account(email).
Create a new cluster
gcloud container clusters create mycluster --zone us-central1-bKubernetes Authentication and IAM
Currently, GKE has three ways of Kubernetes authentication:
- Using a Google Account
- Using a Google Cloud Platform (GCP) service account
- Using a Kubernetes service account
We are dealing with first two ways in this post.
Let’s add a google account to Cloud IAM and give Read-Only access to Kubernetes Engine Resources access.
Likewise, if we need to grant access to service account, we have to create a service account for the project from IAM Service Accounts page and add the role while creating account.
Gcloud Auth
For a google account, gcloud sdk can be authenticated by simple commandgcloud auth login which get credentials through web-based authorization flow.
For service account, we first activate the account
gcloud auth activate-service-account [ACCOUNT EMAIL] --key-file=KEY_FILEGet Cluster Credentials
Time to fetch credentials for the running cluster mycluster in us-central1-b zone.
gcloud container clusters get-credentials mycluster --zone us-central1-bConfirm the cluster access
kubectl get pods --all-namespacesTime for Kubernetes RBAC
Role-based access control (RBAC) is a method of regulating access to Kubernetes resources with right permissions based on roles in the cluster. For granting log viewer only access to a user in a namespace, we need to create role and role binding.
Change the name with the google account ID or service account and apply the manifest.
kubectl apply -f k8s-log-viewer-role.ymlNow, the user can view logs, list pods only.
kubectl logs [pod-name]In this way, we can give granular access to Kubernetes resources to user by integrating with Google Cloud IAM.
