Restrict deployment to a GKE namespace


When you deploy to Google Kubernetes Engine (GKE), the default Google Cloud Deploy execution service account has access to all namespaces in the target cluster. You can configure that service account to deploy to only one namespace.

  1. Ensure that the execution service account doesn't have the roles/container.developer IAM role. That role grants access to Kubernetes API objects in every namespace of the cluster, and GKE authorizes IAM permissions alongside Kubernetes RBAC, so any namespace-scoped RBAC you add below would not limit an account that still holds it.

  2. Grant the service account the roles/container.clusterViewer role.

    gcloud projects add-iam-policy-binding PROJECT_ID \
     --member="serviceAccount:SERVICE_ACCOUNT" \
     --role="roles/container.clusterViewer"

    This role lets the service account authenticate to the cluster (fetch the cluster's credentials and read cluster metadata) but grants it no permissions on Kubernetes API objects.

  3. Create a Kubernetes RBAC Role that grants admin access to the namespace.

    The RBAC Role in this example has broad permissions within the namespace, comparable to what the roles/container.developer IAM role grants cluster-wide. To minimize the risk of privilege escalation, we recommend you reduce these permissions to the minimum your applications require. For instructions, see the RBAC documentation for GKE.

    apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: admin
      namespace: NAMESPACE
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["*"]
      verbs: ["*"]

  4. Create a RoleBinding that binds that RBAC Role in your chosen namespace to the Google Cloud Deploy execution service account:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: admin
      namespace: NAMESPACE
    subjects:
    # GKE maps an IAM service account to an RBAC User subject by its email address
    - kind: User
      name: SERVICE_ACCOUNT
    roleRef:
      kind: Role
      name: admin
      apiGroup: rbac.authorization.k8s.io

    This manifest defines an RBAC policy binding the admin Role to your execution service account. NAMESPACE is the namespace for which you want to grant the service account access, and SERVICE_ACCOUNT is the execution service account's email address. Provided the account holds no cluster-wide IAM role such as roles/container.developer, it can't access any other namespace on the cluster.

  5. Apply the RBAC manifest to the cluster, where YAML_NAME is the file containing the Role and RoleBinding:

    kubectl apply -f YAML_NAME
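
The five steps above, carried through as one script with a verification step the page does not include. This is an added example, not code from the Cloud Deploy documentation: the placeholder values (PROJECT_ID, SERVICE_ACCOUNT, NAMESPACE, CLUSTER, LOCATION), the narrower rule set in the Role, and the `render`/`apply` subcommands are assumptions made for the example. It checks that the account holds no roles/container.developer binding, grants roles/container.clusterViewer, applies a namespaced Role and RoleBinding, and then uses `kubectl auth can-i --as` to confirm the account can create Deployments in the target namespace and nowhere else.

```shell
#!/bin/sh
# Added example (not from the Cloud Deploy docs): scope a Cloud Deploy
# execution service account to a single GKE namespace, then verify it.
# All values below are assumed placeholders; override them in the environment.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-deploy-exec@my-project.iam.gserviceaccount.com}"
NAMESPACE="${NAMESPACE:-team-a}"
CLUSTER="${CLUSTER:-prod-cluster}"
LOCATION="${LOCATION:-us-central1}"

# Step 1 check: list every project-level role bound to the service account
# and report whether the given role (e.g. roles/container.developer) is among them.
sa_has_role() {
  role="$1"
  gcloud projects get-iam-policy "$PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:${SERVICE_ACCOUNT}" \
    --format="value(bindings.role)" | grep -qx "$role"
}

# Step 2: clusterViewer only lets the account fetch cluster credentials.
grant_cluster_viewer() {
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${SERVICE_ACCOUNT}" \
    --role="roles/container.clusterViewer"
}

# Steps 3 and 4: render a namespaced Role plus RoleBinding for the account.
# The resources and verbs are an assumed, narrower set than the docs' ["*"];
# widen them only to what your Skaffold manifests actually create.
render_rbac_manifest() {
  ns="$1"
  sa="$2"
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: clouddeploy-deployer
  namespace: ${ns}
rules:
- apiGroups: ["", "apps"]
  resources: ["deployments", "services", "configmaps", "secrets", "pods", "events"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: clouddeploy-deployer
  namespace: ${ns}
subjects:
# GKE maps the IAM service account to an RBAC User subject by its email.
- kind: User
  name: ${sa}
roleRef:
  kind: Role
  name: clouddeploy-deployer
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Step 5, plus the check the docs leave out: impersonate the account and
# confirm it can create Deployments in NAMESPACE but not in another namespace.
# Impersonation requires that your own kubectl identity may impersonate users
# (cluster-admin can).
apply_and_verify() {
  gcloud container clusters get-credentials "$CLUSTER" \
    --location "$LOCATION" --project "$PROJECT_ID"
  render_rbac_manifest "$NAMESPACE" "$SERVICE_ACCOUNT" | kubectl apply -f -
  in_ns=$(kubectl auth can-i create deployments --as="$SERVICE_ACCOUNT" -n "$NAMESPACE")
  other_ns=$(kubectl auth can-i create deployments --as="$SERVICE_ACCOUNT" -n default)
  [ "$in_ns" = "yes" ] && [ "$other_ns" = "no" ]
}

main() {
  if sa_has_role "roles/container.developer"; then
    echo "remove roles/container.developer from ${SERVICE_ACCOUNT} before continuing" >&2
    return 1
  fi
  grant_cluster_viewer
  apply_and_verify
}

# Cloud-touching steps run only on explicit request: `./scope.sh apply`.
# `./scope.sh render` prints the manifest for review without applying it.
case "${1:-}" in
  apply)  main ;;
  render) render_rbac_manifest "$NAMESPACE" "$SERVICE_ACCOUNT" ;;
esac
```

Run it with `render` first and diff the output against what your pipeline actually deploys before you `apply`; the `can-i` pair at the end is the part worth keeping in a CI job, since a later IAM grant such as roles/container.developer would silently widen the account again without touching the RBAC objects.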