Restrict deployment to a GKE namespace

When you deploy to Google Kubernetes Engine (GKE), the default Google Cloud Deploy execution service account has access to all namespaces in the target cluster. You can configure that service account to deploy to only one namespace.

  1. Ensure that the execution service account doesn't have the roles/container.developer IAM role.

  2. Grant the service account the roles/container.clusterViewer role.

    gcloud projects add-iam-policy-binding PROJECT_ID \
     --member="serviceAccount:SERVICE_ACCOUNT" \
     --role="roles/container.clusterViewer"
    

    This role allows the service account to authenticate on the cluster, but do nothing else.

  3. Create a Kubernetes RBAC Role that grants admin access to the namespace.

    The RBAC role in this example has broad permissions, equivalent to the clouddeploy.developer IAM role. To minimize the risk of privilege escalation, we recommend you change these permissions to the minimum required for your applications. For instructions, see the RBAC documentation for GKE.

    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: admin
      namespace: NAMESPACE
    rules:
    - apiGroups: ["", "extensions", "apps"]
      resources: ["*"]
      verbs: ["*"]
    
  4. Create a RoleBinding that binds that RBAC Role in your chosen namespace to the Google Cloud Deploy execution service account:

    kind: RoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: admin
      namespace: NAMESPACE
    subjects:
    # Google Cloud user account
    - kind: User
      name: SERVICE_ACCOUNT
    roleRef:
      kind: Role
      name: admin
      apiGroup: rbac.authorization.k8s.io
    

    This manifest defines an RBAC policy binding the admin Role to your execution service account. NAMESPACE is the namespace for which you want to grant the service account access. The service account can't access any other namespace on the cluster.

  5. Apply the RBAC manifest to the cluster:

    kubectl apply -f YAML_NAME