When you deploy to Google Kubernetes Engine (GKE), the default Cloud Deploy execution service account has access to all namespaces in the target cluster. You can configure that service account to deploy to only one namespace.
1. Ensure that the execution service account doesn't have the `roles/container.developer` IAM role. Grant the service account the `roles/container.clusterViewer` role instead:

   ```
   gcloud projects add-iam-policy-binding PROJECT_ID \
       --member="serviceAccount:SERVICE_ACCOUNT" \
       --role="roles/container.clusterViewer"
   ```

   This role allows the service account to authenticate to the cluster, but do nothing else.
2. Create a Kubernetes RBAC Role that grants admin access to the namespace.

   The RBAC Role in this example has broad permissions, equivalent to the `clouddeploy.developer` IAM role. To minimize the risk of privilege escalation, we recommend you reduce these permissions to the minimum your applications require. For instructions, see the RBAC documentation for GKE.

   ```yaml
   kind: Role
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: admin
     namespace: NAMESPACE
   rules:
   - apiGroups: ["", "extensions", "apps"]
     resources: ["*"]
     verbs: ["*"]
   ```
3. Create a RoleBinding that binds that RBAC Role in your chosen namespace to the Cloud Deploy execution service account:

   ```yaml
   kind: RoleBinding
   apiVersion: rbac.authorization.k8s.io/v1
   metadata:
     name: admin
     namespace: NAMESPACE
   subjects:
   # Google Cloud user account
   - kind: User
     name: SERVICE_ACCOUNT
   roleRef:
     kind: Role
     name: admin
     apiGroup: rbac.authorization.k8s.io
   ```

   This manifest defines an RBAC policy binding the `admin` Role to your execution service account. `NAMESPACE` is the namespace to which you want to grant the service account access; the service account can't access any other namespace on the cluster.

4. Apply the RBAC manifests to the cluster:

   ```
   kubectl apply -f YAML_NAME
   ```
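As an added example (not part of the Cloud Deploy documentation), the following Python check lints a Role/RoleBinding pair like the one above before you apply it: it reports an error if either object is cluster-scoped or sits in a different namespace, if the binding names anything other than the execution service account, or if the roleRef does not point at the namespaced Role, and it warns on the wildcard rules the page recommends tightening. The two manifests are transcribed into Python dicts so the check runs offline (`yaml.safe_load` on the real files yields the same structure); `lint_namespace_scope` is a hypothetical helper name.

```python
# Added example (not from the Cloud Deploy docs): lint the Role/RoleBinding pair
# before applying it. The two page manifests are transcribed into dicts so this
# runs offline; yaml.safe_load on the real files yields the same structures.
NAMESPACE = "NAMESPACE"            # placeholders, as in the page
SERVICE_ACCOUNT = "SERVICE_ACCOUNT"

ROLE = {"kind": "Role", "apiVersion": "rbac.authorization.k8s.io/v1",
        "metadata": {"name": "admin", "namespace": NAMESPACE},
        "rules": [{"apiGroups": ["", "extensions", "apps"],
                   "resources": ["*"], "verbs": ["*"]}]}

ROLE_BINDING = {"kind": "RoleBinding", "apiVersion": "rbac.authorization.k8s.io/v1",
                "metadata": {"name": "admin", "namespace": NAMESPACE},
                "subjects": [{"kind": "User", "name": SERVICE_ACCOUNT}],
                "roleRef": {"kind": "Role", "name": "admin",
                            "apiGroup": "rbac.authorization.k8s.io"}}


def lint_namespace_scope(role, binding, namespace, service_account):
    """Return findings: ERROR entries break the single-namespace guarantee,
    WARN entries are the broad grants the page recommends tightening."""
    findings = []
    # Cluster-scoped kinds would silently widen access to every namespace.
    if role.get("kind") != "Role":
        findings.append("ERROR: expected a namespaced Role, got %s" % role.get("kind"))
    if binding.get("kind") != "RoleBinding":
        findings.append("ERROR: expected a RoleBinding, got %s" % binding.get("kind"))
    # Both objects must live in the one namespace being granted.
    for obj, label in ((role, "Role"), (binding, "RoleBinding")):
        if obj.get("metadata", {}).get("namespace") != namespace:
            findings.append("ERROR: %s is not in namespace %s" % (label, namespace))
    # The binding must reference this Role and name only the execution SA.
    ref = binding.get("roleRef", {})
    if ref.get("kind") != "Role" or ref.get("name") != role.get("metadata", {}).get("name"):
        findings.append("ERROR: roleRef does not reference the namespaced Role")
    subjects = binding.get("subjects", [])
    if not subjects or any((s.get("kind"), s.get("name")) != ("User", service_account)
                           for s in subjects):
        findings.append("ERROR: subjects must be exactly the execution service account")
    # Wildcards are legal, but they are the privilege-escalation surface to shrink.
    for i, rule in enumerate(role.get("rules", [])):
        for field in ("apiGroups", "resources", "verbs"):
            if "*" in rule.get(field, []):
                findings.append("WARN: rule %d uses a wildcard in %s" % (i, field))
    return findings


if __name__ == "__main__":
    for line in lint_namespace_scope(ROLE, ROLE_BINDING, NAMESPACE, SERVICE_ACCOUNT):
        print(line)
```

Run against the page's own manifests it reports only the two wildcard warnings; a ClusterRoleBinding or a binding in another namespace fails with an error before anything reaches the cluster.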