Mantenha tudo organizado com as coleções
Salve e categorize o conteúdo com base nas suas preferências.
Proteger o acesso aos recursos com o IAM
Os utilizadores e as contas de serviço do Kubernetes precisam de autorizações para gerir os recursos do Config Connector. Com o Config Connector, o plano de controlo do seu projeto pode ser gerido por identidades que usam o controlo de acesso baseado em funções (CABF) do Kubernetes. Também pode consultar as políticas de gestão de identidade e de acesso (IAM).
Os recursos que podem fazer referência a IAMPolicy e IAMPolicyMember estão listados na
Referência de recursos.
Estes recursos têm a propriedade "Can Be Referenced by
IAMPolicy/IAMPolicyMember".
Este tópico explica como proteger o acesso aos Google Cloud recursos
através da gestão de identidade e de acesso.
Neste exemplo, vai criar uma conta de serviço e conceder-lhe autorizações para gerir um PubSubTopic. Esta conta de serviço não pode gerir outros tipos de recursos do Config Connector.
Crie um ficheiro com o nome pubsub-topic-service-account.yaml com o seguinte conteúdo:
Substitua CC_NAMESPACE pelo espaço de nomes a partir do qual o Config Connector gere os recursos.
Confirme que pubsub-topic-service-account não consegue criar recursos PubSubTopic validando se o resultado do seguinte comando contém no:
kubectl auth can-i get pubsubtopics --as=system:serviceaccount:default:pubsub-topic-service-account
Em seguida, crie uma
ClusterRole
que permita a criação de tópicos do Pub/Sub.
O ClusterRole só pode gerir recursos que tenham valores especificados em
rules.apiGroups e rules.resources. Para encontrar valores para apiGroups e
resources, consulte a
referência dos seus
recursos.
Crie um ficheiro denominado pubsub-topic-editor-role.yaml com o seguinte conteúdo:
Substitua CC_NAMESPACE pelo espaço de nomes a partir do qual o Config Connector gere os recursos.
Em seguida, crie uma RoleBinding entre o ClusterRole e a sua conta de serviço.
Crie um ficheiro com o nome pubsub-topic-editor-rolebinding.yaml com o seguinte conteúdo:
Substitua CC_NAMESPACE pelo espaço de nomes a partir do qual o Config Connector gere os recursos.
Confirme se a política foi aplicada Google Cloud executando este comando
e procurando o seu endereço de email no resultado, substituindo
PROJECT_ID pelo ID do seu projeto:
[[["Fácil de entender","easyToUnderstand","thumb-up"],["Meu problema foi resolvido","solvedMyProblem","thumb-up"],["Outro","otherUp","thumb-up"]],[["Difícil de entender","hardToUnderstand","thumb-down"],["Informações incorretas ou exemplo de código","incorrectInformationOrSampleCode","thumb-down"],["Não contém as informações/amostras de que eu preciso","missingTheInformationSamplesINeed","thumb-down"],["Problema na tradução","translationIssue","thumb-down"],["Outro","otherDown","thumb-down"]],["Última atualização 2025-08-21 UTC."],[[["\u003cp\u003eConfig Connector allows managing Kubernetes control planes using identities that leverage Kubernetes Role-Based Access Control (RBAC) or Identity and Access Management (IAM) Policies.\u003c/p\u003e\n"],["\u003cp\u003eService accounts can be granted specific permissions to manage particular Config Connector resources, as demonstrated by the example of a service account managing \u003ccode\u003ePubSubTopic\u003c/code\u003e resources.\u003c/p\u003e\n"],["\u003cp\u003eRBAC can be used to secure control plane access by creating ClusterRoles and RoleBindings to define and assign permissions to service accounts.\u003c/p\u003e\n"],["\u003cp\u003eIAM Policies can be utilized to secure the data plane by creating resources such as \u003ccode\u003ePubSubTopic\u003c/code\u003e and limiting their access with \u003ccode\u003eIAMPolicyMember\u003c/code\u003e resources.\u003c/p\u003e\n"],["\u003cp\u003eThe cleaning up process involves deleting service accounts, IAM roles, rolebindings, \u003ccode\u003ePubSubTopic\u003c/code\u003e, and \u003ccode\u003eIAMPolicyMember\u003c/code\u003e resources using \u003ccode\u003ekubectl delete\u003c/code\u003e.\u003c/p\u003e\n"]]],[],null,["# Securing access to resources with IAM\n=====================================\n\n*** ** * ** ***\n\nKubernetes users and service accounts need permissions to manage\nConfig Connector resources. With Config Connector, your project's\n[control plane](https://kubernetes.io/docs/concepts/#kubernetes-control-plane)\ncan be managed by identities that use Kubernetes\n[Role-Based Access Control](https://kubernetes.io/docs/reference/access-authn-authz/rbac/)\n(RBAC). You can also reference Identity and Access Management (IAM) Policies.\n\nResources that can reference IAMPolicy and IAMPolicyMember are listed in the\n[Resource reference](/config-connector/docs/reference/resources).\nThese resources have the property \"Can Be Referenced by\nIAMPolicy/IAMPolicyMember\".\n\nThis topic explains how to secure access to Google Cloud resources\nusing Identity and Access Management.\n\nBefore you begin\n----------------\n\n[Install Config Connector on your cluster](/config-connector/docs/concepts/installation-types).\n\nSecuring control plane access with RBAC\n---------------------------------------\n\nIn this example, you will create a service account and grant it permissions to\nmanage a `PubSubTopic`. This service account cannot manage other types of\nConfig Connector resources.\n\n1. Create a file named `pubsub-topic-service-account.yaml` with the\n following contents:\n\n apiVersion: v1\n kind: ServiceAccount\n metadata:\n name: pubsub-topic-service-account\n namespace: default\n\n Apply this to create the `pubsub-topic-service-account` service account: \n\n ```\n kubectl apply -f pubsub-topic-service-account.yaml --namespace CC_NAMESPACE\n ```\n\n Replace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\n manages resources from.\n2. Confirm `pubsub-topic-service-account` cannot create\n `PubSubTopic` resources by verifying the output of the following command\n contains `no`:\n\n ```\n kubectl auth can-i get pubsubtopics --as=system:serviceaccount:default:pubsub-topic-service-account\n ```\n3. Next, create a\n [`ClusterRole`](/kubernetes-engine/docs/concepts/access-control#rbac)\n that allows Pub/Sub topic creation.\n\n The ClusterRole can only manage resources that have values specified in\n `rules.apiGroups` and `rules.resources`. To find values for `apiGroups` and\n `resources`, see the\n [reference](/config-connector/docs/reference/overview) for your\n resources.\n\n Create a file named `pubsub-topic-editor-role.yaml` with the following\n contents: \n\n apiVersion: rbac.authorization.k8s.io/v1\n kind: ClusterRole\n metadata:\n creationTimestamp: null\n name: pubsub-topic-editor\n rules:\n - apiGroups:\n - pubsub.cnrm.cloud.google.com\n resources:\n - pubsubtopics\n verbs:\n - get\n - list\n - watch\n - create\n - update\n - patch\n - delete\n\n Apply `pubsub-topic-editor.yaml` to create the `ClusterRole`: \n\n ```\n kubectl apply -f pubsub-topic-editor-role.yaml --namespace CC_NAMESPACE\n ```\n\n Replace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\n manages resources from.\n4. Next, create a RoleBinding between the ClusterRole and your service account.\n Create a file named `pubsub-topic-editor-rolebinding.yaml` with the\n following contents:\n\n apiVersion: rbac.authorization.k8s.io/v1\n kind: RoleBinding\n metadata:\n name: pubsub-topic-editor-rolebinding.\n subjects:\n - kind: ServiceAccount\n name: pubsub-topic-service-account\n roleRef:\n apiGroup: rbac.authorization.k8s.io\n kind: ClusterRole\n name: pubsub-topic-editor\n\n5. Apply `pubsub-topic-editor-rolebinding.yaml` to your cluster.\n\n ```\n kubectl apply -f pubsub-topic-editor-rolebinding.yaml --namespace CC_NAMESPACE\n ```\n\n Replace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\n manages resources from.\n6. Confirm the `pubsub-topic-service-account` is allowed to create\n `PubSubTopic` resources by confirming the output of the following command is\n `yes`:\n\n ```\n kubectl auth can-i get pubsubtopics \\\n --as=system:serviceaccount:default:pubsub-topic-service-account\n ```\n\n### Cleaning up\n\nUse `kubectl delete` to remove the Service Account, IAM Role and\nRolebinding. \n\n kubectl delete -f pubsub-topic-editor-rolebinding.yaml --namespace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e\n kubectl delete -f pubsub-topic-editor-role.yaml --namespace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e\n kubectl delete -f pubsub-topic-service-account.yaml --namespace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e\n\nReplace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\nmanages resources from.\n\nSecuring the data plane with IAM Policies\n-----------------------------------------\n\nIn this example, you use the permissions granted earlier to create a\n`PubSubTopic` and limit access to it with an `IAMPolicyMember` resource.\n\n1. Create a file named `pubsub-topic-sample.yaml` with the following content:\n\n apiVersion: pubsub.cnrm.cloud.google.com/v1beta1\n kind: PubSubTopic\n metadata:\n name: pubsubtopic-sample\n\n Apply `pubsub-topic-sample.yaml` with `kubectl`: \n\n ```\n kubectl apply -f pubsub-topic-sample.yaml --namespace CC_NAMESPACE\n ```\n\n Replace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\n manages resources from.\n2. Create a file named `iampolicymember.yaml` with the following content,\n replacing \u003cvar translate=\"no\"\u003eEMAIL_ADDRESS\u003c/var\u003e with your Google Cloud account's\n email address:\n\n apiVersion: iam.cnrm.cloud.google.com/v1beta1\n kind: IAMPolicyMember\n metadata:\n name: iampolicymember-sample\n spec:\n resourceRef:\n apiVersion: pubsub.cnrm.cloud.google.com/v1beta1\n kind: PubSubTopic\n name: pubsubtopic-sample\n role: roles/pubsub.admin\n member: \"user:\u003cvar translate=\"no\"\u003eEMAIL_ADDRESS\u003c/var\u003e\"\n\n3. Apply the `iampolicymember.yaml`.\n\n ```\n kubectl apply -f iampolicymember.yaml --namespace CC_NAMESPACE \n ```\n\n Replace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e with the namespace Config Connector\n manages resources from.\n4. Confirm the policy has been applied to Google Cloud by running this command\n and looking for your email address in the output, replacing\n \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with your project ID:\n\n ```\n gcloud beta pubsub topics get-iam-policy projects/PROJECT_ID/topics/pubsubtopic-sample\n ```\n\nAccess to your Pub/Sub topics is now protected with an `IAMPolicyMember`.\n\n### Cleaning up\n\nUse `kubectl delete` to remove the Pub/Sub topic and IAMPolicyMember\nfrom your Google Cloud Project. \n\n kubectl delete -f iampolicymember.yaml --namespace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e\n kubectl delete -f pubsub-topic-sample.yaml --namespace \u003cvar translate=\"no\"\u003eCC_NAMESPACE\u003c/var\u003e\n\nWhat's next\n-----------\n\nUse [Secrets](/config-connector/docs/how-to/secrets) to pass information securely to Google Cloud resources."]]
