Securing access to resources with Cloud IAM

Kubernetes users and service accounts need permissions to manage Config Connector resources. With Config Connector, your project's control plane can be managed by identities that use Kubernetes Role-Based Access Control (RBAC). You can also reference Cloud Identity and Access Management (Cloud IAM) Policies created with Config Connector.

The resources that support references to IAMPolicy and IAMPolicyMember are listed in the Resource reference. These resources have the property "Data Plane Access Can Be Secured".

This topic explains how to secure access to Google Cloud resources using Cloud Identity and Access Management.

Before you begin

To complete the steps on this page, first install Config Connector on your cluster.

Securing control plane access with RBAC

In this example, you will create a service account and grant it permissions to manage a PubSubTopic.

  1. Create a file named pubsub-topic-service-account.yaml with the following contents:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: pubsub-topic-service-account
      namespace: default
    

    Apply this to create the pubsub-topic-service-account service account:

    kubectl apply -f pubsub-topic-service-account.yaml
  2. Confirm that pubsub-topic-service-account cannot yet create PubSubTopic resources by verifying that the output of the following command is no:

    kubectl auth can-i create pubsubtopics --as=system:serviceaccount:default:pubsub-topic-service-account
  3. Next, create a ClusterRole that allows Pub/Sub topic creation.

    Create a file named pubsub-topic-editor-role.yaml with the following contents:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: pubsub-topic-editor
    rules:
    - apiGroups:
      - pubsub.cnrm.cloud.google.com
      resources:
      - pubsubtopics
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
    

    Apply pubsub-topic-editor-role.yaml to create the ClusterRole:

    kubectl apply -f pubsub-topic-editor-role.yaml
  4. Create a file named pubsub-topic-editor-rolebinding.yaml with the following contents:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: pubsub-topic-editor-rolebinding
      namespace: default
    subjects:
    - kind: ServiceAccount
      name: pubsub-topic-service-account
      namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: pubsub-topic-editor
    
  5. Apply pubsub-topic-editor-rolebinding.yaml to your cluster.

    kubectl apply -f pubsub-topic-editor-rolebinding.yaml
  6. Confirm that pubsub-topic-service-account is now allowed to create PubSubTopic resources by verifying that the output of the following command is yes:

    kubectl auth can-i create pubsubtopics \
      --as=system:serviceaccount:default:pubsub-topic-service-account
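The two `kubectl auth can-i` checks above need a live cluster. As an added example (not part of this page or of Config Connector), the following Python script answers the same question offline from the three manifests by re-implementing the RBAC rules that decide it: a RoleBinding that references a ClusterRole grants that role only inside the binding's own namespace, a ServiceAccount subject without a namespace refers to the binding's namespace, and `*` is a wildcard in apiGroups, resources and verbs. The manifests are embedded as Python dicts so no YAML library is needed, and `sa_can` and `can_i` are helper names chosen here.

```python
"""Offline check of the RBAC objects from the steps above (added example)."""
from typing import Dict, Iterable, List, Optional, Tuple

# The page's manifests as dicts, so the check needs neither a cluster nor PyYAML.
SERVICE_ACCOUNT = {
    "kind": "ServiceAccount",
    "metadata": {"name": "pubsub-topic-service-account", "namespace": "default"},
}

CLUSTER_ROLE = {
    "kind": "ClusterRole",
    "metadata": {"name": "pubsub-topic-editor"},
    "rules": [{
        "apiGroups": ["pubsub.cnrm.cloud.google.com"],
        "resources": ["pubsubtopics"],
        "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"],
    }],
}

ROLE_BINDING = {
    "kind": "RoleBinding",
    "metadata": {"name": "pubsub-topic-editor-rolebinding", "namespace": "default"},
    "subjects": [{"kind": "ServiceAccount", "name": "pubsub-topic-service-account"}],
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": "pubsub-topic-editor"},
}

Subject = Tuple[str, str, Optional[str]]  # (kind, name, namespace)


def _matches(allowed: Iterable[str], wanted: str) -> bool:
    """RBAC list semantics: an exact entry or the "*" wildcard matches."""
    return any(entry in ("*", wanted) for entry in allowed)


def _binding_covers(binding: Dict, subject: Subject, namespace: str) -> bool:
    """Does this binding apply to `subject` for a request in `namespace`?"""
    binding_ns = binding["metadata"].get("namespace")
    if binding["kind"] == "RoleBinding" and binding_ns != namespace:
        return False  # a RoleBinding never grants anything outside its namespace
    kind, name, sa_ns = subject
    for s in binding.get("subjects", []):
        if s.get("kind") != kind or s.get("name") != name:
            continue
        # A ServiceAccount subject with no namespace means the binding's namespace.
        if kind != "ServiceAccount" or s.get("namespace", binding_ns) == sa_ns:
            return True
    return False


def can_i(verb: str, resource: str, api_group: str, subject: Subject, namespace: str,
          roles: Dict[Tuple[str, str], Dict], bindings: List[Dict]) -> bool:
    """Answer the same question as `kubectl auth can-i`, from the manifests alone."""
    for binding in bindings:
        if not _binding_covers(binding, subject, namespace):
            continue
        ref = binding["roleRef"]
        role = roles.get((ref["kind"], ref["name"]))
        if role is None:
            continue  # a dangling roleRef grants nothing
        for rule in role.get("rules", []):
            if (_matches(rule.get("apiGroups", []), api_group)
                    and _matches(rule.get("resources", []), resource)
                    and _matches(rule.get("verbs", []), verb)):
                return True
    return False


def sa_can(verb: str, resource: str = "pubsubtopics",
           api_group: str = "pubsub.cnrm.cloud.google.com",
           namespace: str = "default", bindings: Optional[List[Dict]] = None) -> bool:
    """Wrapper for the page's service account. Passing bindings=[] models the
    state before step 5, when the RoleBinding did not exist yet."""
    subject = ("ServiceAccount", SERVICE_ACCOUNT["metadata"]["name"],
               SERVICE_ACCOUNT["metadata"]["namespace"])
    roles = {("ClusterRole", CLUSTER_ROLE["metadata"]["name"]): CLUSTER_ROLE}
    return can_i(verb, resource, api_group, subject, namespace, roles,
                 [ROLE_BINDING] if bindings is None else bindings)


if __name__ == "__main__":
    print("before binding, create:   ", sa_can("create", bindings=[]))                 # False
    print("after binding, create:    ", sa_can("create"))                              # True
    print("other namespace, create:  ", sa_can("create", namespace="prod"))            # False
    print("other resource, create:   ", sa_can("create", resource="pubsubsubscriptions"))  # False
```

The last two cases are the ones worth keeping in mind when you adapt the steps: because the grant travels through a RoleBinding, the service account can manage PubSubTopic resources in `default` only, and nothing else in the `pubsub.cnrm.cloud.google.com` group. Leaving `metadata.namespace` off the RoleBinding makes the result depend on the kubectl context it was applied from, which is why the manifest above sets it explicitly.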

Cleaning up

Use kubectl delete to remove the service account, ClusterRole, and RoleBinding (these are Kubernetes RBAC objects, not Cloud IAM roles):

kubectl delete -f pubsub-topic-editor-rolebinding.yaml
kubectl delete -f pubsub-topic-editor-role.yaml
kubectl delete -f pubsub-topic-service-account.yaml

Securing the data plane with IAM Policies

In this example, you use the permissions granted earlier to create a PubSubTopic and limit access to it with an IAMPolicyMember resource.

  1. Create a file named pubsub-topic-sample.yaml with the following content:

    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
    metadata:
      name: pubsubtopic-sample
    

    Apply pubsub-topic-sample.yaml, replacing [NAMESPACE_NAME] with your Config Connector namespace:

    kubectl apply -f pubsub-topic-sample.yaml --namespace [NAMESPACE_NAME]
  2. Create a file named iampolicymember.yaml with the following content, replacing [EMAIL_ADDRESS] with your Google Cloud account's email address:

    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMPolicyMember
    metadata:
      name: iampolicymember-sample
    spec:
      resourceRef:
        apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
        kind: PubSubTopic
        name: pubsubtopic-sample
      role: roles/pubsub.admin
      member: "user:[EMAIL_ADDRESS]"
    
  3. Apply iampolicymember.yaml, replacing [NAMESPACE_NAME] with your Config Connector namespace:

    kubectl --namespace [NAMESPACE_NAME] apply -f iampolicymember.yaml
  4. Confirm that the policy has been applied in Google Cloud by running the following command, replacing [PROJECT_ID] with your project ID, and looking for your email address in the output:

    gcloud beta pubsub topics get-iam-policy projects/[PROJECT_ID]/topics/pubsubtopic-sample

Access to your Pub/Sub topics is now protected with an IAMPolicyMember.
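Step 4 asks you to eyeball the `get-iam-policy` output for your address. An IAMPolicyMember manages a single role/member pair and leaves the rest of the topic's policy as it is, so the complete check is twofold: the expected binding is present, and nothing else on the topic widens access. The script below is an added example, not part of this page or of Config Connector. It parses the JSON form of the same command (`--format=json` is a standard gcloud flag; the structure assumed is the `bindings`/`etag`/`version` document gcloud prints), confirms the expected binding, and flags grants to the public principals `allUsers` and `allAuthenticatedUsers`. The sample policy, including its member addresses and etag, is constructed for the example; `audit` and the other function names are chosen here.

```python
"""Audit of a Pub/Sub topic IAM policy as printed by gcloud (added example)."""
import json
from typing import Dict, List, Set, Tuple

# Constructed sample of `gcloud beta pubsub topics get-iam-policy ... --format=json`
# output. The member names, etag and the second binding are made up to exercise
# the checks; they do not come from any real project.
SAMPLE_POLICY_JSON = """
{
  "bindings": [
    {"role": "roles/pubsub.admin", "members": ["user:alice@example.com"]},
    {"role": "roles/pubsub.viewer", "members": ["allUsers", "group:ops@example.com"]}
  ],
  "etag": "BwWexampleEtag=",
  "version": 1
}
"""

# Principals that make the topic reachable by anyone, or by any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def load_policy(text: str) -> Dict:
    policy = json.loads(text)
    policy.setdefault("bindings", [])  # a policy with no grants omits the key
    return policy


def members_with_role(policy: Dict, role: str) -> Set[str]:
    """All members bound to `role`, merged across bindings. Conditional bindings
    for the same role appear as separate entries and are included too."""
    return {m for b in policy["bindings"] if b.get("role") == role
            for m in b.get("members", [])}


def has_binding(policy: Dict, role: str, member: str) -> bool:
    """True when `member` holds `role` on the resource."""
    return member in members_with_role(policy, role)


def public_bindings(policy: Dict) -> List[Tuple[str, str]]:
    """(role, member) pairs granted to allUsers or allAuthenticatedUsers."""
    return sorted((b.get("role", ""), m) for b in policy["bindings"]
                  for m in b.get("members", []) if m in PUBLIC_MEMBERS)


def audit(policy_text: str, expected_role: str, expected_member: str) -> Dict:
    """Check the one binding the IAMPolicyMember should have created and report
    everything else the policy grants."""
    policy = load_policy(policy_text)
    return {
        "expected_binding_present": has_binding(policy, expected_role, expected_member),
        "public_bindings": public_bindings(policy),
        "roles_granted": sorted({b.get("role", "") for b in policy["bindings"]}),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_POLICY_JSON, "roles/pubsub.admin", "user:alice@example.com")
    print(json.dumps(result, indent=2))
```

Run against a real topic, pipe the command from step 4 with `--format=json` into `audit` with the role and `user:` member from your iampolicymember.yaml. A non-empty `public_bindings` list on a topic you meant to restrict is the finding to act on; because the IAMPolicyMember only adds its own binding, such a grant would survive the steps on this page untouched.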

Cleaning up

Use kubectl delete to remove the Pub/Sub topic and IAMPolicyMember from your Google Cloud Project.

kubectl --namespace [NAMESPACE_NAME] delete -f iampolicymember.yaml
kubectl --namespace [NAMESPACE_NAME] delete -f pubsub-topic-sample.yaml