Simplifying Granular Access Control on Kubernetes (GKE) Using IAM and RBAC

Google Kubernetes Engine (GKE), the managed Kubernetes service provided by Google Cloud Platform, is an easy-to-use, production-grade service that lets you create and run a Kubernetes cluster in no time. Access control for GKE is integrated with Cloud Identity & Access Management (IAM), which handles authentication and authorization for Kubernetes cluster resources.

A few of the roles available in Cloud IAM for GKE are:

  • GKE Admin
  • GKE Developer
  • GKE Viewer
  • GKE Cluster Admin

But Cloud IAM alone is not sufficient for granular access control, because IAM works at the project level and cannot manage access at the namespace level. For example, if we have to grant a user access to view pods' logs, edit a deployment, or edit a configmap, that level of access cannot be controlled by IAM. For that we need RBAC (Role Based Access Control). By using Cloud IAM and RBAC together, we can configure authentication and authorization in a secure way.

In this post, I am going to consider the situation of granting Kubernetes pod log viewer access to a Google account (G Suite, Gmail or service account), using Cloud IAM authentication for the cluster credentials and RBAC for log-only view access for the same account (email).

Create a new cluster

gcloud container clusters create mycluster --zone us-central1-b

Kubernetes Authentication and IAM

Currently, GKE supports three ways of authenticating to Kubernetes:

  • Using a Google Account
  • Using a Google Cloud Platform (GCP) service account
  • Using a Kubernetes service account

We are dealing with the first two in this post.

Let's add a Google account to Cloud IAM and give it Read-Only access to Kubernetes Engine resources.

Likewise, if we need to grant access to a service account, we have to create a service account for the project from the IAM Service Accounts page and add the role while creating the account.

Gcloud Auth

For a Google account, the gcloud SDK can be authenticated with the simple command gcloud auth login, which obtains credentials through a web-based authorization flow.

For a service account, we first activate the account:

gcloud auth activate-service-account [ACCOUNT EMAIL] --key-file=KEY_FILE

Get Cluster Credentials

Time to fetch credentials for the running cluster mycluster in the us-central1-b zone.

gcloud container clusters get-credentials mycluster --zone us-central1-b

Confirm cluster access:

kubectl get pods --all-namespaces

Time for Kubernetes RBAC

Role-based access control (RBAC) is a method of regulating access to Kubernetes resources by granting permissions to roles in the cluster. To grant log-viewer-only access to a user in a namespace, we need to create a Role and a RoleBinding.

https://gist.github.com/dwdraju/60fdffecae03440313922d0eaba56f9d
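The gist linked above is not reproduced here, so the following is an added example (not the author's manifest) of a Role and RoleBinding of that shape, wrapped in a shell function so the namespace and subject email can be substituted; the namespace "default", the email address and the resource names are assumptions. A second function applies it and uses kubectl's impersonation support to confirm the subject can list pods and read logs but cannot delete pods.

```shell
#!/bin/sh
# Added example (not the author's gist): emit a namespaced Role that only
# allows listing pods and reading their logs, bound to one Google account
# or GCP service account email. Namespace and email are assumptions.
log_viewer_manifest() {
  ns="$1"      # namespace the access is scoped to
  subject="$2" # Google account or service account email (the IAM identity)
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: log-viewer
  namespace: ${ns}
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list"]
- apiGroups: [""]
  resources: ["pods/log"]
  verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: log-viewer-binding
  namespace: ${ns}
subjects:
- kind: User
  name: ${subject}
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: log-viewer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Apply the manifest and confirm the binding grants only what was intended.
# "kubectl auth can-i --as" impersonates the subject (the caller needs
# impersonation rights, which GKE project owners have). Expected answers:
# yes, yes, no. Note that "no" makes kubectl exit non-zero.
apply_and_verify() {
  ns="$1"; subject="$2"
  log_viewer_manifest "$ns" "$subject" | kubectl apply -f -
  kubectl auth can-i get pods/log -n "$ns" --as "$subject"
  kubectl auth can-i list pods    -n "$ns" --as "$subject"
  kubectl auth can-i delete pods  -n "$ns" --as "$subject"
}
```

Run apply_and_verify default alice@example.com against the cluster after get-credentials; the third check answering "no" is the point of the exercise.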

Change the subject name to the Google account ID or service account email and apply the manifest.

kubectl apply -f k8s-log-viewer-role.yml

Now the user can only list pods and view their logs.

kubectl logs [pod-name]

In this way, we can give users granular access to Kubernetes resources by combining Kubernetes RBAC with Google Cloud IAM.