Securing access to resources

Kubernetes users and service accounts need permissions to manage Config Connector resources. Because Config Connector resources are Kubernetes objects, access to the control plane (who may create, read, update or delete those objects) is governed by Kubernetes Role-Based Access Control (RBAC). Access to the data plane (who may use the GCP resources those objects create) is governed by Cloud Identity and Access Management (Cloud IAM), and Config Connector can manage those policies too, through IAMPolicy resources. The resources that support data plane access control are listed in the Resource reference.

This topic explains how to secure both: control plane access with Kubernetes RBAC, and data plane access to GCP resources with Cloud IAM.

Before you begin

To complete the steps on this page, first install Config Connector on your cluster.

Securing control plane access with RBAC

In this example, you create a Kubernetes ServiceAccount and grant it permission to manage PubSubTopic resources in the default namespace.

  1. Create a file named pubsub-topic-service-account.yaml with the following contents:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: pubsub-topic-service-account
      namespace: default
    

    Apply this to create the pubsub-topic-service-account ServiceAccount:

    kubectl apply -f pubsub-topic-service-account.yaml
  2. Confirm that pubsub-topic-service-account cannot yet create PubSubTopic resources: the output of the following command should be no:

    kubectl auth can-i create pubsubtopics --as=system:serviceaccount:default:pubsub-topic-service-account
  3. Next, create a ClusterRole that allows Cloud Pub/Sub topic creation.

    Create a file named pubsub-topic-editor-role.yaml with the following contents:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      creationTimestamp: null
      name: pubsub-topic-editor
    rules:
    - apiGroups:
      - pubsub.cnrm.cloud.google.com
      resources:
      - pubsubtopics
      verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
    

    Apply pubsub-topic-editor-role.yaml to create the ClusterRole:

    kubectl apply -f pubsub-topic-editor-role.yaml
  4. Create a file named pubsub-topic-editor-rolebinding.yaml with the following contents. A RoleBinding that references a ClusterRole grants the role's verbs only inside the binding's own namespace (default here), which keeps the grant as narrow as the example needs; to grant the same verbs in every namespace you would use a ClusterRoleBinding instead.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: pubsub-topic-editor-rolebinding
      namespace: default
    subjects:
    - kind: ServiceAccount
      name: pubsub-topic-service-account
      namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: pubsub-topic-editor
    
  5. Apply pubsub-topic-editor-rolebinding.yaml to your cluster.

    kubectl apply -f pubsub-topic-editor-rolebinding.yaml
  6. Confirm that pubsub-topic-service-account is now allowed to create PubSubTopic resources: the output of the following command should be yes:

    kubectl auth can-i create pubsubtopics \
      --as=system:serviceaccount:default:pubsub-topic-service-account
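
The two can-i checks above only show that the grant exists. The script below, an added example that is not part of the Config Connector documentation, checks that the grant is also no wider than intended: the granted verbs work in the namespace the RoleBinding lives in, the same verbs are refused in another namespace, and unrelated resources stay out of reach. It assumes the ServiceAccount, ClusterRole and RoleBinding from the steps above exist in default and that kubectl on PATH points at the cluster; KUBECTL, SA_NAMESPACE and SA_NAME are hypothetical overrides so the checks can be pointed at a wrapper or another grant.

```shell
#!/bin/sh
# Added example, not part of the Config Connector documentation: verify that the
# grant to pubsub-topic-service-account is scoped exactly as intended. A
# RoleBinding that references a ClusterRole only grants the role's verbs inside
# the binding's own namespace, so the checks confirm access in that namespace and
# its absence in another namespace and on unrelated resources.
#
# Assumptions (not from the original page): the ServiceAccount, ClusterRole and
# RoleBinding from the steps above exist in namespace `default`; `kubectl` is on
# PATH and points at the cluster. KUBECTL can be overridden with a wrapper.
set -u

KUBECTL="${KUBECTL:-kubectl}"
SA_NAMESPACE="${SA_NAMESPACE:-default}"
SA_NAME="${SA_NAME:-pubsub-topic-service-account}"

# sa_can VERB RESOURCE NAMESPACE: prints "yes" or "no" for the service account.
# Only the first word of kubectl's answer is kept (warnings go to stderr).
sa_can() {
  "$KUBECTL" auth can-i "$1" "$2" \
    --namespace "$3" \
    --as "system:serviceaccount:${SA_NAMESPACE}:${SA_NAME}" 2>/dev/null \
    | awk 'NR == 1 { print tolower($1) }'
}

# expect VERB RESOURCE NAMESPACE yes|no: prints one result line, returns 1 on mismatch.
expect() {
  got=$(sa_can "$1" "$2" "$3")
  if [ "$got" = "$4" ]; then
    printf 'ok    %-6s %-12s in %-11s -> %s\n' "$1" "$2" "$3" "$got"
    return 0
  fi
  printf 'FAIL  %-6s %-12s in %-11s -> %s (expected %s)\n' "$1" "$2" "$3" "${got:-?}" "$4"
  return 1
}

# check_rbac_scope: returns 0 when every expectation holds, else the number of failures.
check_rbac_scope() {
  failures=0
  # Granted verbs work in the namespace the RoleBinding lives in ...
  expect create pubsubtopics "$SA_NAMESPACE" yes || failures=$((failures + 1))
  expect delete pubsubtopics "$SA_NAMESPACE" yes || failures=$((failures + 1))
  # ... but not in any other namespace (a ClusterRoleBinding would change this) ...
  expect create pubsubtopics kube-system no || failures=$((failures + 1))
  # ... and nothing beyond pubsubtopics, even in the bound namespace.
  expect get secrets "$SA_NAMESPACE" no || failures=$((failures + 1))
  expect create iampolicies "$SA_NAMESPACE" no || failures=$((failures + 1))
  return "$failures"
}

# Run the live checks when kubectl is available.
if command -v "$KUBECTL" >/dev/null 2>&1; then
  if check_rbac_scope; then
    echo "RBAC scope for ${SA_NAMESPACE}/${SA_NAME} is as expected"
  else
    echo "RBAC scope for ${SA_NAMESPACE}/${SA_NAME} does not match expectations" >&2
  fi
else
  echo "warning: ${KUBECTL} not found, skipping live checks" >&2
fi
```

The kube-system probe is the one that catches the common mistake of binding the ClusterRole with a ClusterRoleBinding: the topic-editing grant then silently applies in every namespace, including ones where other tenants' Config Connector resources live.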

Securing the data plane with IAM Policies

In this example, you use the permissions granted earlier to create a PubSubTopic and limit access to it with an IAMPolicy resource.

  1. Create a file named pubsub-topic-sample.yaml with the following content:

    apiVersion: pubsub.cnrm.cloud.google.com/v1alpha2
    kind: PubSubTopic
    metadata:
      name: pubsubtopic-sample
    

    Apply pubsub-topic-sample.yaml, replacing [Config Connector_NAMESPACE_NAME] with your Config Connector namespace:

    kubectl apply -f pubsub-topic-sample.yaml --namespace [Config Connector_NAMESPACE_NAME]
  2. Create a file named iampolicy.yaml with the following content, replacing [EMAIL_ADDRESS] with your GCP account's email address:

    apiVersion: iam.cnrm.cloud.google.com/v1alpha1
    kind: IAMPolicy
    metadata:
      name: iampolicy-sample
    spec:
      resourceRef:
        apiVersion: pubsub.cnrm.cloud.google.com/v1alpha2
        kind: PubSubTopic
        name: pubsubtopic-sample
      bindings:
        - role: roles/pubsub.admin
          members:
            - user:[EMAIL_ADDRESS]
    
  3. Apply iampolicy.yaml, replacing [NAMESPACE_NAME] with the namespace in which you created the topic (the resourceRef is resolved within the IAMPolicy's own namespace):

    kubectl --namespace [NAMESPACE_NAME] apply -f iampolicy.yaml
  4. Confirm the policy has been applied to GCP by running this command and looking for your email address in the output, replacing [PROJECT_ID] with your project ID:

    gcloud beta pubsub topics get-iam-policy projects/[PROJECT_ID]/topics/pubsubtopic-sample

Access to your Cloud Pub/Sub topic is now governed by the IAMPolicy. Note that IAMPolicy is authoritative: Config Connector sets the topic's policy to exactly the bindings in the spec, replacing any bindings that were granted by other means, so every principal that needs access to the topic must be listed in the resource. Roles granted at the project level still apply through inheritance and do not appear in the topic's own policy.
