Securing access to resources

Kubernetes users and service accounts need permissions to manage Config Connector resources. With Config Connector, your project's control plane can be managed by identities that use Kubernetes Role-Based Access Control (RBAC). You can also secure data plane access using Cloud Identity and Access Management (Cloud IAM) Policies created with Config Connector. The resources that support data plane access control are listed in the Resource reference.

This topic explains how to secure access to GCP resources using Cloud Identity and Access Management.

Before you begin

To complete the steps on this page, first install Config Connector on your cluster.

Securing control plane access with RBAC

In this example, you will create a service account and grant it permissions to manage a PubSubTopic.

  1. Create a file named pubsub-topic-service-account.yaml with the following contents:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: pubsub-topic-service-account
      namespace: default

    Apply this to create the pubsub-topic-service-account service account:

    kubectl apply -f pubsub-topic-service-account.yaml
  2. Confirm pubsub-topic-service-account cannot create PubSubTopic resources by verifying that the output of the following command is no:

    kubectl auth can-i create pubsubtopics --as=system:serviceaccount:default:pubsub-topic-service-account
  3. Next, create a ClusterRole that allows Cloud Pub/Sub topic creation.

    Create a file named pubsub-topic-editor-role.yaml with the following contents:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      creationTimestamp: null
      name: pubsub-topic-editor
    rules:
    - apiGroups:
      - pubsub.cnrm.cloud.google.com  # API group of Config Connector's PubSubTopic kind
      resources:
      - pubsubtopics
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete

    Apply pubsub-topic-editor-role.yaml to create the ClusterRole:

    kubectl apply -f pubsub-topic-editor-role.yaml
  4. Create a file named pubsub-topic-editor-rolebinding.yaml with the following contents:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: pubsub-topic-editor-rolebinding
      namespace: default  # a RoleBinding grants the ClusterRole's rules only within this namespace
    subjects:
    - kind: ServiceAccount
      name: pubsub-topic-service-account
      namespace: default
    roleRef:
      kind: ClusterRole
      name: pubsub-topic-editor
      apiGroup: rbac.authorization.k8s.io
  5. Apply pubsub-topic-editor-rolebinding.yaml to your cluster.

    kubectl apply -f pubsub-topic-editor-rolebinding.yaml
  6. Confirm pubsub-topic-service-account is allowed to create PubSubTopic resources by verifying that the output of the following command is yes:

    kubectl auth can-i create pubsubtopics \
      --as=system:serviceaccount:default:pubsub-topic-service-account

Securing the data plane with IAM Policies

In this example, you use the permissions granted earlier to create a PubSubTopic and limit access to it with an IAMPolicy resource.

  1. Create a file named pubsub-topic-sample.yaml with the following content:

    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
    metadata:
      name: pubsubtopic-sample

    Apply pubsub-topic-sample.yaml, replacing [Config Connector_NAMESPACE_NAME] with your Config Connector namespace:

    kubectl apply -f pubsub-topic-sample.yaml --namespace [Config Connector_NAMESPACE_NAME]
  2. Create a file named iampolicy.yaml with the following content, replacing [EMAIL_ADDRESS] with your GCP account's email address:

    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMPolicy
    metadata:
      name: iampolicy-sample
    spec:
      resourceRef:
        kind: PubSubTopic
        name: pubsubtopic-sample
      bindings:
        - role: roles/pubsub.admin
          members:
            - user:[EMAIL_ADDRESS]
  3. Apply the iampolicy.yaml, replacing [NAMESPACE_NAME] with your namespace:

    kubectl --namespace [NAMESPACE_NAME] apply -f iampolicy.yaml
  4. Confirm the policy has been applied to GCP by running this command and looking for your email address in the output, replacing [PROJECT_ID] with your project ID:

    gcloud beta pubsub topics get-iam-policy projects/[PROJECT_ID]/topics/pubsubtopic-sample

Access to your Cloud Pub/Sub topics is now protected with an IAMPolicy.
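The two checks this page walks through, as an added example that is not part of the Config Connector documentation: an offline audit that computes what the RoleBinding above actually grants the service account (a RoleBinding that references a ClusterRole applies only inside the binding's namespace, which is why `kubectl auth can-i` can answer differently per namespace) and that flags IAMPolicy bindings which would make the topic public or hand out project-wide primitive roles. The manifests are the page's YAML re-expressed as Python dicts so the script runs without a cluster; the `[EMAIL_ADDRESS]` member is the page's placeholder.

```python
"""Offline audit of the RBAC and IAMPolicy manifests from this walkthrough.
Added example, not part of the Config Connector docs; the manifests are
constructed copies of the page's YAML as Python dicts, so it needs no cluster."""
from typing import List, Set, Tuple

# Constructed from the page's ClusterRole, RoleBinding and IAMPolicy.
CLUSTER_ROLE = {"kind": "ClusterRole", "metadata": {"name": "pubsub-topic-editor"},
                "rules": [{"apiGroups": ["pubsub.cnrm.cloud.google.com"],
                           "resources": ["pubsubtopics"],
                           "verbs": ["get", "list", "watch", "create",
                                     "update", "patch", "delete"]}]}
ROLE_BINDING = {"kind": "RoleBinding",
                "metadata": {"name": "pubsub-topic-editor-rolebinding", "namespace": "default"},
                "subjects": [{"kind": "ServiceAccount", "name": "pubsub-topic-service-account",
                              "namespace": "default"}],
                "roleRef": {"kind": "ClusterRole", "name": "pubsub-topic-editor"}}
IAM_POLICY = {"kind": "IAMPolicy", "metadata": {"name": "iampolicy-sample"},  # [EMAIL_ADDRESS] is the page's placeholder
              "spec": {"resourceRef": {"kind": "PubSubTopic", "name": "pubsubtopic-sample"},
                       "bindings": [{"role": "roles/pubsub.admin",
                                     "members": ["user:[EMAIL_ADDRESS]"]}]}}
Grant = Tuple[str, str, str, str]  # (namespace, apiGroup, resource, verb)

def grants_for(role: dict, binding: dict, sa_ns: str, sa_name: str) -> Set[Grant]:
    """Rules the service account receives through the binding. A RoleBinding that
    references a ClusterRole grants those rules only inside the binding's namespace."""
    bound = any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                and s.get("namespace") == sa_ns for s in binding["subjects"])
    if not bound or binding["roleRef"]["name"] != role["metadata"]["name"]:
        return set()
    ns = binding["metadata"]["namespace"]
    return {(ns, g, r, v) for rule in role["rules"] for g in rule["apiGroups"]
            for r in rule["resources"] for v in rule["verbs"]}

def can_i(grants: Set[Grant], verb: str, resource: str, group: str, namespace: str) -> bool:
    """Offline analogue of `kubectl auth can-i <verb> <resource> -n <namespace>`; honours '*'."""
    return any(ns == namespace and g in ("*", group) and r in ("*", resource)
               and v in ("*", verb) for ns, g, r, v in grants)

BROAD_ROLES = {"roles/owner", "roles/editor"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

def iam_findings(policy: dict) -> List[str]:
    """Flag bindings that make the topic public or grant project-wide primitive roles."""
    out: List[str] = []
    for b in policy["spec"]["bindings"]:
        if b["role"] in BROAD_ROLES:
            out.append(f"{b['role']} is broader than a single topic needs")
        out += [f"{m} in {b['role']} exposes the topic to everyone"
                for m in b["members"] if m in PUBLIC_MEMBERS]
    return out
```

Run it against your own manifests before applying them: an empty findings list and a `can_i` answer of `False` for anything outside `pubsubtopics` in the binding's namespace is the least-privilege outcome the walkthrough is aiming for.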
