Admin cluster RBAC policies

When you fill in the gkeConnect section in your admin cluster configuration file, the cluster is registered to your fleet during creation or update. To enable fleet management functionality, Google Cloud deploys the Connect agent and creates a Google service account that represents the project that the cluster is registered to. The Connect agent establishes a connection with the service account to handle requests to the cluster's Kubernetes API server. This enables access to cluster and workload management features in Google Cloud, including access to the Google Cloud console, which lets you interact with your cluster.

The admin cluster's Kubernetes API server needs to be able to authorize requests from the Connect agent. To ensure this, the following role-based access control (RBAC) policies are configured on the service account:

  • An impersonation policy that authorizes the Connect agent to send requests to the Kubernetes API server on behalf of the service account.

  • A permissions policy that specifies the operations that are allowed on other Kubernetes resources.

The service account and RBAC policies are needed so that you can manage the lifecycle of your user clusters in the console.

What's next