Feature authorization in an environ

Environs let you manage multiple Kubernetes clusters across cloud and on-premises environments.

Environ-enabled components, also called "features," are Google-hosted services that provide functionality across a group of clusters. For example, Anthos Config Management allows you to apply consistent policy across all the clusters in an environ.

Before these features can be used, they must be authorized through role-based access control (RBAC) to perform their functions on clusters. The Feature Authorizer automatically sets and updates permissions for environ-enabled features, which saves you from having to set feature permissions manually on every cluster, especially when Google releases feature updates.

When you register a cluster, the manifest applied to the cluster contains a ClusterRoleBinding that grants the Feature Authorizer the cluster-admin role on the cluster; the binding's subject is a service account named service-project-number@gcp-sa-gkehub.iam.gserviceaccount.com. For more information about Feature Authorizer and the RBAC it sets for Google Cloud controllers, see What uses Connect.

You can see the status of environ-enabled features in the Google Cloud Console, where you can also disable and re-enable some features.

When you disable an environ-enabled feature in your project, Feature Authorizer deletes the corresponding ClusterRole and ClusterRoleBinding for the feature, which removes the feature's ability to operate on the cluster.

Viewing Feature Authorizer in audit logs

To view Feature Authorizer activity in Google Kubernetes Engine audit logs:

  1. Open the Log Viewer in the Google Cloud Console.

  2. Run the following advanced query, replacing the variables:

    resource.type="k8s_cluster"
    resource.labels.cluster_name="cluster-name"
    resource.labels.location="cluster-location"
    protoPayload.authenticationInfo.principalEmail="system:serviceaccount:gke-connect:connect-agent-sa"
    protoPayload.authenticationInfo.authoritySelector="service-project-number@gcp-sa-gkehub.iam.gserviceaccount.com"

For non-GKE clusters, find out where the Kubernetes audit logs are stored, and run a similar query.
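For a cluster whose audit logs are exported as JSON lines rather than queried in the Log Viewer, the same filter can be applied offline. The following is an added example, not code from the original page or from Google; the log entries are constructed to mirror the Cloud Logging k8s_cluster audit shape, and the project number 123456789 and method/resource names are illustrative.

```python
import json

# Constructed sample entries in the k8s_cluster audit-log shape (not real log data).
# 0: Feature Authorizer, via the Connect agent, creating a ClusterRoleBinding on prod-1.
# 1: Same Connect agent identity but a different authoritySelector (not Feature Authorizer).
# 2: Feature Authorizer deleting a ClusterRoleBinding on a different cluster.
CONNECT_AGENT = "system:serviceaccount:gke-connect:connect-agent-sa"
FA_SELECTOR = "service-123456789@gcp-sa-gkehub.iam.gserviceaccount.com"  # constructed project number
SAMPLE_LOG_LINES = [json.dumps(e) for e in (
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-1", "location": "us-central1"}},
     "protoPayload": {"authenticationInfo": {"principalEmail": CONNECT_AGENT, "authoritySelector": FA_SELECTOR},
                      "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.create",
                      "resourceName": "rbac.authorization.k8s.io/v1/clusterrolebindings/example-feature"}},
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "prod-1", "location": "us-central1"}},
     "protoPayload": {"authenticationInfo": {"principalEmail": CONNECT_AGENT, "authoritySelector": "other@example.com"},
                      "methodName": "io.k8s.core.v1.pods.list",
                      "resourceName": "core/v1/namespaces/default/pods"}},
    {"resource": {"type": "k8s_cluster", "labels": {"cluster_name": "staging-1", "location": "us-central1"}},
     "protoPayload": {"authenticationInfo": {"principalEmail": CONNECT_AGENT, "authoritySelector": FA_SELECTOR},
                      "methodName": "io.k8s.authorization.rbac.v1.clusterrolebindings.delete",
                      "resourceName": "rbac.authorization.k8s.io/v1/clusterrolebindings/example-feature"}},
)]


def feature_authorizer_filter(cluster_name, location, project_number):
    """Build a predicate equivalent to the advanced query above: the Connect agent
    acting on behalf of the Feature Authorizer service account for one cluster."""
    want_selector = f"service-{project_number}@gcp-sa-gkehub.iam.gserviceaccount.com"

    def matches(entry):
        resource = entry.get("resource", {})
        labels = resource.get("labels", {})
        auth = entry.get("protoPayload", {}).get("authenticationInfo", {})
        return (resource.get("type") == "k8s_cluster"
                and labels.get("cluster_name") == cluster_name
                and labels.get("location") == location
                and auth.get("principalEmail") == CONNECT_AGENT
                and auth.get("authoritySelector") == want_selector)
    return matches


def feature_authorizer_activity(lines, cluster_name, location, project_number):
    """Parse JSON log lines and return (methodName, resourceName) for each
    Feature Authorizer action, so RBAC changes it made can be reviewed."""
    matches = feature_authorizer_filter(cluster_name, location, project_number)
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the sweep
        if matches(entry):
            payload = entry["protoPayload"]
            hits.append((payload.get("methodName"), payload.get("resourceName")))
    return hits
```

Running it over SAMPLE_LOG_LINES for cluster prod-1 returns only the ClusterRoleBinding create, which is the kind of entry to expect when a feature is enabled; the delete on staging-1 corresponds to the cleanup described when a feature is disabled.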

There is normally no need to disable Feature Authorizer. The only reliable way to disable it is to remove its cluster-admin role, which can cause features to stop working or to work improperly, so disabling Feature Authorizer is not recommended.