Manage identity and access for the project

This page describes identity and access management (IAM) practices for the Application Operator (AO) on Google Distributed Cloud (GDC) air-gapped appliance.

An identity provider (IdP) is a system entity that creates, maintains, and manages identity information for principals. The IdP also provides authentication services to applications within a federation or distributed network.

Sign in

This section describes how to access your workloads through the web user interface (UI) or the command-line interface (CLI).

Sign in to the web UI

This page covers how to access and manage your workloads and resources within Google Distributed Cloud (GDC) air-gapped appliance. It describes how to authenticate, generate kubeconfig files for both a Management API server and a Kubernetes cluster, and manage session inactivity. Understanding these processes ensures secure and reliable access to your projects and workloads.

Access your workloads through the GDC console or the gdcloud CLI.

Sign in

To sign in to the GDC console or a cluster, work through the following steps:

Console

Open the following URL in a new browser tab to access the GDC air-gapped appliance user interface (UI):

https://GDC_URL

Replace GDC_URL with the domain name that the Infrastructure Operator (IO) provides for accessing GDC. When you open any URL for the first time, GDC redirects you to your identity provider's login page if the IO configured one.

For example, the following page displays after signing in to the console for an organization named org-1:

Console showing welcome screen for org-1 project.

CLI

You can sign in to any cluster that you have permission to access. The CLI login process is the same for all clusters: you only need to provide the cluster name and its related kubeconfig file, and you log in separately to each cluster.

Before you sign in, ensure you do the following:

  • Download the gdcloud CLI binary and install it in your system. For more information, see Download the gdcloud CLI.
  • Set up and initialize the gdcloud CLI default configuration. Make sure to set the correct organization URL, which is used to fetch the login config endpoint. For more information, see gdcloud CLI installation.
  • Install the authentication plugin gdcloud-k8s-auth-plugin. For more information, see gdcloud CLI authentication.

To sign in to a cluster, complete the following steps:

  1. Authenticate your gdcloud CLI instance to log in. There are two ways to authenticate:

    • Standard browser login: Use this authentication flow when logging in from a browser.

      gdcloud auth login
      
    • Secondary device login: Use this authentication flow if your primary device does not have a browser available. This flow starts the login on the primary device with no browser access and continues the login with the secondary device that has browser access.

      1. Initiate the login on your primary device with no browser:

        gdcloud auth login --no-browser
        

The command on the primary device prints another gdcloud command that you must run on the secondary device in step 3.

      2. Repeat step 1 of Log in to a cluster to download the certificate on the secondary device.

3. Complete the login on the secondary device by entering the command printed on the primary device in step 1.

    This action opens a browser to log in to the configured identity provider (IdP). Provide the user and password that you set during the initial gdcloud CLI setup to log in.

  2. Export your user identity kubeconfig file as a variable:

    export KUBECONFIG=/tmp/admin-kubeconfig-with-user-identity.yaml
    
  3. Generate a kubeconfig file with your user identity:

    gdcloud clusters get-credentials CLUSTER_NAME
    

    A kubeconfig file is generated with your user identity. The following YAML file shows an example:

    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: <REDACTED>
        server: https://10.200.0.32:443
      name: cluster-name
    contexts:
    - context:
        cluster: cluster-name
        user: cluster-name-anthos-default-user
      name: cluster-name-cluster-name-anthos-default-user
    current-context: cluster-name-cluster-name-anthos-default-user
    kind: Config
    preferences: {}
    users:
    - name: cluster-name-anthos-default-user
      user:
        exec:
            apiVersion: client.authentication.k8s.io/v1
            args:
            - --audience=root-admin
            command: gdcloud-k8s-auth-plugin
            env: null
            installHint: Run 'gdcloud components install gdcloud-k8s-auth-plugin' to use plugin
            interactiveMode: Never
            provideClusterInfo: false
    
  4. To verify that you can access the cluster, log in with the generated kubeconfig file with a user identity:

    kubectl --kubeconfig /tmp/admin-kubeconfig-with-user-identity.yaml version
    
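As an added example (not code from the GDC documentation), the following check validates a kubeconfig like the one generated above before it is used: the current context must resolve to a cluster and a user, the API server must be reached over HTTPS with pinned CA data, and the user entry must be the gdcloud-k8s-auth-plugin exec credential rather than an embedded static token. The kubeconfig is taken as the dict that `yaml.safe_load()` returns; the sample dict below is constructed to mirror the file shown in step 3, and the assumption that `--audience` names the target cluster (root-admin for the Management API server) is based on that sample.

```python
"""Sanity-check a gdcloud-generated kubeconfig before using it.

Added example, not part of the GDC documentation. The kubeconfig is
represented as the dict that yaml.safe_load() would return.
"""
from typing import Dict, List

# Constructed sample, shaped like the kubeconfig that
# `gdcloud clusters get-credentials CLUSTER_NAME` writes.
SAMPLE_KUBECONFIG: Dict = {
    "apiVersion": "v1",
    "kind": "Config",
    "clusters": [
        {"name": "cluster-name",
         "cluster": {"certificate-authority-data": "<REDACTED>",
                     "server": "https://10.200.0.32:443"}},
    ],
    "contexts": [
        {"name": "cluster-name-cluster-name-anthos-default-user",
         "context": {"cluster": "cluster-name",
                     "user": "cluster-name-anthos-default-user"}},
    ],
    "current-context": "cluster-name-cluster-name-anthos-default-user",
    "users": [
        {"name": "cluster-name-anthos-default-user",
         "user": {"exec": {
             "apiVersion": "client.authentication.k8s.io/v1",
             "command": "gdcloud-k8s-auth-plugin",
             "args": ["--audience=root-admin"],
             "interactiveMode": "Never",
             "provideClusterInfo": False}}},
    ],
}

EXPECTED_PLUGIN = "gdcloud-k8s-auth-plugin"


def _by_name(items: List[Dict]) -> Dict[str, Dict]:
    return {item["name"]: item for item in items}


def check_kubeconfig(cfg: Dict, expected_audience: str) -> List[str]:
    """Return a list of findings; an empty list means the file looks sane."""
    findings: List[str] = []

    # 1. The current context must point at a cluster and a user that exist.
    ctx_name = cfg.get("current-context")
    contexts = _by_name(cfg.get("contexts", []))
    if ctx_name not in contexts:
        return [f"current-context {ctx_name!r} not found"]
    ctx = contexts[ctx_name]["context"]

    # 2. Transport: HTTPS with a pinned CA, no TLS verification bypass.
    clusters = _by_name(cfg.get("clusters", []))
    cluster = clusters.get(ctx.get("cluster"), {}).get("cluster")
    if cluster is None:
        findings.append(f"cluster {ctx.get('cluster')!r} not found")
    else:
        server = cluster.get("server", "")
        if not server.startswith("https://"):
            findings.append(f"server {server!r} is not HTTPS")
        if not cluster.get("certificate-authority-data"):
            findings.append("no certificate-authority-data (server cert not pinned)")
        if cluster.get("insecure-skip-tls-verify"):
            findings.append("insecure-skip-tls-verify is set")

    # 3. Credentials: an exec plugin that fetches short-lived session
    #    credentials, not a static token or client certificate on disk.
    users = _by_name(cfg.get("users", []))
    user = users.get(ctx.get("user"), {}).get("user")
    if user is None:
        findings.append(f"user {ctx.get('user')!r} not found")
        return findings
    for static in ("token", "client-certificate-data", "client-key-data", "password"):
        if static in user:
            findings.append(f"static credential {static!r} embedded in kubeconfig")
    exec_cfg = user.get("exec")
    if not exec_cfg:
        findings.append("user has no exec credential plugin")
        return findings
    if exec_cfg.get("command") != EXPECTED_PLUGIN:
        findings.append(f"unexpected credential plugin {exec_cfg.get('command')!r}")
    # Assumption: --audience must name the cluster the kubeconfig is for.
    audiences = [a.split("=", 1)[1] for a in exec_cfg.get("args", [])
                 if a.startswith("--audience=")]
    if audiences != [expected_audience]:
        findings.append(f"audience {audiences} != expected {expected_audience!r}")
    return findings


if __name__ == "__main__":
    print(check_kubeconfig(SAMPLE_KUBECONFIG, "root-admin") or "kubeconfig OK")
```

Because the user entry is an exec plugin, an expired session surfaces as the Unauthorized error described under Session inactivity logout rather than as a stale token in the file.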

Sign out

To sign out of the GDC console, do the following:

Console

Click Logout in the menu bar.

CLI

Log out from the CLI:

gdcloud auth revoke

Manually generate kubeconfig file

If you're managing resources with the kubectl CLI by calling KRM APIs directly, you must generate the kubeconfig file for the cluster that hosts your resource, depending on the resource type you're managing. Visit the resource's documentation to determine the kubeconfig file you need.

Complete the applicable setup based on your resource type.

Management API server resources

Complete the following steps to generate your kubeconfig file for the Management API server:

  1. Set the MANAGEMENT_API_SERVER environment variable:

    export MANAGEMENT_API_SERVER="root-admin"
    
  2. Generate the Management API server kubeconfig file, and validate the credentials:

    export KUBECONFIG=${HOME}/${MANAGEMENT_API_SERVER:?}-kubeconfig.yaml
    rm ${KUBECONFIG:?}
    gdcloud clusters get-credentials ${MANAGEMENT_API_SERVER:?}
    [[ $(kubectl config current-context) == *${MANAGEMENT_API_SERVER:?}* ]] && echo "Success. Your kubeconfig is at $KUBECONFIG" || echo "Failure"
    

    The command rm ${KUBECONFIG:?} removes the existing kubeconfig file in the home directory. When you generate a new kubeconfig file, it overwrites the existing one. If you don't want to overwrite or remove the existing file, back it up in another safe location.

Kubernetes cluster resources

Complete the following steps to generate your kubeconfig file for the bare metal Kubernetes cluster:

  1. Set the KUBERNETES_CLUSTER environment variable:

    export KUBERNETES_CLUSTER="root-infra"
    
  2. Generate the Kubernetes cluster kubeconfig file, and validate the credentials:

    export KUBECONFIG=${HOME}/${KUBERNETES_CLUSTER:?}-kubeconfig.yaml
    rm ${KUBECONFIG:?}
    gdcloud clusters get-credentials ${KUBERNETES_CLUSTER:?}
    [[ $(kubectl config current-context) == *${KUBERNETES_CLUSTER:?}* ]] && echo "Success. Your kubeconfig is at $KUBECONFIG" || echo "Failure"
    

    The command rm ${KUBECONFIG:?} removes the existing kubeconfig file in the home directory. When you generate a new kubeconfig file, it overwrites the existing one. If you don't want to overwrite or remove the existing file, back it up in another safe location.

Session inactivity logout

After fifteen or more minutes of inactivity in a session, the GDC console and the gdcloud CLI log you out. GDC considers session inactivity to be a period during an open session with no active engagement from you, such as no cursor or keyboard movement. With user activity, an active session lasts up to twelve hours.

Console

The GDC console logs you out after session inactivity. Two minutes before it does so, you receive a dialog that warns you of the logout:

Console UI showing dialog with a timer of 99 seconds before logging out user for inactivity.

After logging you out for inactivity, you see the following screen:

Console UI showing login screen with a banner containing text on the session log out: 'You have been logged out of the system because your session was inactive for too long. Please log in again or reach out to your administrator for assistance.'

To log back in to the GDC console, select your identity provider and add your login credentials. If you use a service, such as the monitoring dashboard, and the GDC console logs you out for inactivity, log back in to gain access.

CLI

The gdcloud CLI logs you out after session inactivity. If you then attempt to run a command, you receive an authorization error:

Error: error when creating kube client: unable to create k8sclient: Unauthorized

To log back in to the gdcloud CLI, follow the CLI steps in Sign in.

kubectl

The gdcloud CLI expires your kubeconfig files after session inactivity. If you attempt to run a kubectl command after inactivity, you receive an authorization error:

error: You must be logged in to the server (Unauthorized)

To log back in and use your kubeconfig file, follow the CLI steps in Sign in. For every session timeout, you must regenerate your kubeconfig files.

Set IAM allow policies

Predefined role descriptions

An Application Operator (AO) is a member of the development team within the Platform Administrator (PA) organization. AOs interact with project-level resources. You can assign the following predefined roles to team members:

  • Project IAM Admin: Manages the IAM allow policies of projects.
  • AI OCR Developer: Accesses the Optical Character Recognition service to detect text in images.
  • AI Speech Developer: Accesses the Speech-to-Text service to recognize speech and transcribe audio.
  • AI Translation Developer: Accesses the Vertex AI Translation service to translate text.
  • Artifact Management Admin: Has admin access to resources in all Harbor projects in the project namespace.
  • Artifact Management Editor: Has read and write access to resources in all Harbor projects in the project namespace.
  • Certificate Authority Service Admin: Has access to manage certificate authorities and certificate requests in their project.
  • Certificate Service Admin: Has access to manage certificates and certificate issuers in their project.
  • Dashboard Editor: Has read and write access on Dashboard custom resources.
  • Dashboard Viewer: Has read-only access on Dashboard custom resources.
  • Harbor Instance Admin: Has full access to manage Harbor instances in a project.
  • Harbor Instance Viewer: Has read-only access to view Harbor instances in a project.
  • Harbor Project Creator: Has access to manage Harbor instance projects.
  • K8s Network Policy Admin: Manages network policies in Kubernetes clusters.
  • LoggingRule Creator: Creates LoggingRule custom resources in the project namespace.
  • LoggingRule Editor: Edits LoggingRule custom resources in the project namespace.
  • LoggingRule Viewer: Views LoggingRule custom resources in the project namespace.
  • LoggingTarget Creator: Creates LoggingTarget custom resources in the project namespace.
  • LoggingTarget Editor: Edits LoggingTarget custom resources in the project namespace.
  • LoggingTarget Viewer: Views LoggingTarget custom resources in the project namespace.
  • Load Balancer Admin: Has read and write permissions on all load balancer resources in the project namespace.
  • MonitoringRule Editor: Has read and write access to MonitoringRule resources.
  • MonitoringRule Viewer: Has read-only access to MonitoringRule custom resources.
  • MonitoringTarget Editor: Has read and write access to MonitoringTarget custom resources.
  • MonitoringTarget Viewer: Has read-only access to MonitoringTarget custom resources.
  • NAT Viewer: Has read-only access to deployments in Kubernetes clusters.
  • Namespace Admin: Manages all resources within the project namespace.
  • ObservabilityPipeline Editor: Has read and write access on ObservabilityPipeline custom resources.
  • ObservabilityPipeline Viewer: Has read-only access on ObservabilityPipeline custom resources.
  • Project Bucket Admin: Manages the storage buckets and objects within buckets.
  • Project Bucket Object Admin: Has read-only access on buckets within a project, and read-write access on the objects in those buckets.
  • Project Bucket Object Viewer: Has read-only access on buckets within a project and the objects in those buckets.
  • Project Cortex Alertmanager Editor: Grants permissions to edit the Cortex Alertmanager instance in the project namespace.
  • Project Cortex Alertmanager Viewer: Grants permissions to access the Cortex Alertmanager instance in the project namespace.
  • Project Cortex Prometheus Viewer: Grants permissions to access the Cortex Prometheus instance in the project namespace.
  • Project Grafana Viewer: Accesses the Grafana instance in the project namespace of the fleet admin cluster.
  • Project NetworkPolicy Admin: Manages the project network policies in the project namespace.
  • Project Viewer: Has read-only access to all resources within project namespaces.
  • Project VirtualMachine Admin: Manages VMs in the project namespace.
  • Project VirtualMachine Image Admin: Manages VM images in the project namespace.
  • Secret Admin: Manages Kubernetes secrets in projects.
  • Secret Viewer: Views Kubernetes secrets in projects.
  • Service Configuration Admin: Has read and write access to service configurations within a project namespace.
  • Service Configuration Viewer: Has read access to service configurations within a project namespace.
  • Volume Replication Admin: Manages volume replication resources.
  • Workbench Notebooks Admin: Has read and write access to all notebook resources within a project namespace.
  • Workbench Notebooks Viewer: Has read-only access to all notebook resources within a project namespace and can view the Vertex AI Workbench user interface.
  • Workload Viewer: Has read access to workloads in a project.

Common roles

The following predefined common roles apply to all authenticated users:

  • AI Platform Viewer: Grants permissions to view pre-trained services.
  • DNS Suffix Viewer: Accesses the domain name service (DNS) suffix config map.
  • Flow Log Admin: Has read and write access to all Flow Log resources.
  • Flow Log Viewer: Has read-only access to all Flow Log resources.
  • Project Discovery Viewer: Has read access for all authenticated users to the project view.
  • Public Image Viewer: Has read access for all authenticated users on the public VM images in the namespace vm-images.
  • System Artifact Registry anthos-creds secret Monitor: Has read-only access to secrets in the anthos-creds namespace.
  • System Artifact Registry gpc-system secret Monitor: Has read-only access to secrets in the gpc-system namespace.
  • System Artifact Registry harbor-system secret Monitor: Has read-only access to secrets in the harbor-system namespace.
  • Virtual Machine Type Viewer: Has read access to cluster-scoped virtual machine types.
  • VM Type Viewer: Has read access to the predefined virtual machine types on the admin clusters.

Role definitions

The tables of this section describe different predefined roles and their permissions. The tables contain the following columns:

  • Name: The name of a role displayed in the user interface (UI).
  • Kubernetes resource name: The name of the corresponding Kubernetes custom resource.
  • Level: The specification of whether this role is scoped by the organization or a project.
  • Type: The type of this role. For example, some possible values are Role, ProjectRole, ClusterRole, or ProjectClusterRole.
  • Binding type: The type of binding that you must apply to this role.
  • Management API server or Kubernetes cluster permissions: The permissions that this role has for the Management API server or the Kubernetes cluster. For example, some possible values are read, write, read and write, or not applicable (N/A).
  • Escalates to: The specification of whether this role escalates to other roles or not.

AO persona, predefined identity, and access roles

AO persona
| Name | Kubernetes resource name | Initial admin | Level | Type |
|---|---|---|---|---|
| Project IAM Admin | project-iam-admin | True | Project | Role |
| AI OCR Developer | ai-ocr-developer | False | Project | Role |
| AI Platform Viewer | ai-platform-viewer | False | Project | Role |
| AI Speech Developer | ai-speech-developer | False | Project | Role |
| AI Translation Developer | ai-translation-developer | False | Project | Role |
| Artifact Management Admin | artifact-management-admin | False | Project | Role |
| Artifact Management Editor | artifact-management-editor | False | Project | Role |
| Certificate Authority Service Admin | certificate-authority-service-admin | False | Project | Role |
| Certificate Service Admin | certificate-service-admin | False | Project | Role |
| Dashboard Editor | dashboard-editor | False | Project | Role |
| Dashboard Viewer | dashboard-viewer | False | Project | Role |
| Harbor Instance Admin | harbor-instance-admin | False | Project | Role |
| Harbor Instance Viewer | harbor-instance-viewer | False | Project | Role |
| Harbor Project Creator | harbor-project-creator | False | Project | Role |
| K8s Network Policy Admin | k8s-networkpolicy-admin | False | Project | ProjectRole |
| Load Balancer Admin | load-balancer-admin | False | Project | ProjectRole |
| LoggingRule Creator | loggingrule-creator | False | Project | Role |
| LoggingRule Editor | loggingrule-editor | False | Project | Role |
| LoggingRule Viewer | loggingrule-viewer | False | Project | Role |
| LoggingTarget Creator | loggingtarget-creator | False | Project | Role |
| LoggingTarget Editor | loggingtarget-editor | False | Project | Role |
| LoggingTarget Viewer | loggingtarget-viewer | False | Project | Role |
| MonitoringRule Editor | monitoringrule-editor | False | Project | Role |
| MonitoringRule Viewer | monitoringrule-viewer | False | Project | Role |
| MonitoringTarget Editor | monitoringtarget-editor | False | Project | Role |
| MonitoringTarget Viewer | monitoringtarget-viewer | False | Project | Role |
| Namespace Admin | namespace-admin | False | Project | ProjectRole |
| NAT Viewer | nat-viewer | False | Project | ProjectRole |
| ObservabilityPipeline Editor | observabilitypipeline-editor | False | Project | Role |
| ObservabilityPipeline Viewer | observabilitypipeline-viewer | False | Project | Role |
| Project Bucket Admin | project-bucket-admin | False | Project | Role |
| Project Bucket Object Admin | project-bucket-object-admin | False | Project | Role |
| Project Bucket Object Viewer | project-bucket-object-viewer | False | Project | Role |
| Project Cortex Alertmanager Editor | project-cortex-alertmanager-editor | False | Project | Role |
| Project Cortex Alertmanager Viewer | project-cortex-alertmanager-viewer | False | Project | Role |
| Project Cortex Prometheus Viewer | project-cortex-prometheus-viewer | False | Project | Role |
| Project Grafana Viewer | project-grafana-viewer | False | Project | Role |
| Project NetworkPolicy Admin | project-networkpolicy-admin | False | Project | Role |
| Project Viewer | project-viewer | False | Project | Role |
| Project VirtualMachine Admin | project-vm-admin | False | Project | Role |
| Project VirtualMachine Image Admin | project-vm-image-admin | False | Project | Role |
| Secret Admin | secret-admin | False | Project | Role |
| Secret Viewer | secret-viewer | False | Project | Role |
| Service Configuration Admin | service-configuration-admin | False | Project | Role |
| Service Configuration Viewer | service-configuration-viewer | False | Project | Role |
| Workbench Notebooks Admin | workbench-notebooks-admin | False | Project | Role |
| Volume Replication Admin | app-volume-replication-admin | False | Cluster | Role |
| Workbench Notebooks Viewer | workbench-notebooks-viewer | False | Project | Role |
| Workload Viewer | workload-viewer | False | Project | Role |

AO persona, predefined identity, and access roles

AO persona
| Name | Binding type | Management API server permissions | Kubernetes cluster permissions | Escalates to |
|---|---|---|---|---|
| Project IAM Admin | RoleBinding | RoleBinding, ClusterRoleBinding, Role, ClusterRole, ProjectRole, ProjectClusterRole, ProjectRoleBinding, and ProjectClusterRoleBinding: Create, read, update, delete, and bind; ProjectServiceAccount: Create, read, update, and delete; List project namespace | N/A | All other AO roles |
| AI OCR Developer | RoleBinding | OCR resources: Read and write | N/A | N/A |
| AI Speech Developer | RoleBinding | Speech resources: Read and write | N/A | N/A |
| AI Translation Developer | RoleBinding | Translation resources: Read and write | N/A | N/A |
| Artifact Management Admin | RoleBinding | HarborProjects: Admin, create, read, write, delete, and view | N/A | N/A |
| Artifact Management Editor | RoleBinding | HarborProjects: Read, write, and view | N/A | N/A |
| Certificate Authority Service Admin | RoleBinding | Certificate authorities and certificate requests: Get, list, watch, update, create, delete, and patch | N/A | N/A |
| Certificate Service Admin | RoleBinding | Certificates and certificate issuers: Get, list, watch, update, create, delete, and patch | N/A | N/A |
| Dashboard Editor | RoleBinding | Dashboard custom resources: Get, read, create, update, delete, and patch | N/A | N/A |
| Dashboard Viewer | RoleBinding | Dashboard: Get and read | N/A | N/A |
| Harbor Instance Admin | RoleBinding | Harbor instances: Create, read, update, delete, and patch | N/A | N/A |
| Harbor Instance Viewer | RoleBinding | Harbor instances: Read | N/A | N/A |
| Harbor Project Creator | RoleBinding | Harbor instance projects: Create, get, and watch | N/A | N/A |
| K8s NetworkPolicy Admin | ProjectRoleBinding | N/A | NetworkPolicy resources: Create, read, get, update, delete, and patch | N/A |
| Load Balancer Admin | RoleBinding | N/A | Backend, HealthCheck, BackendService, ForwardingRuleExternal, and ForwardingRuleInternal: Get, watch, list, create, patch, update, and delete | N/A |
| LoggingRule Creator | RoleBinding | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingRule Editor | RoleBinding | LoggingRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingRule Viewer | RoleBinding | LoggingRule custom resources: Read | N/A | N/A |
| LoggingTarget Creator | RoleBinding | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingTarget Editor | RoleBinding | LoggingTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| LoggingTarget Viewer | RoleBinding | LoggingTarget custom resources: Read | N/A | N/A |
| MonitoringRule Editor | RoleBinding | MonitoringRule custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringRule Viewer | RoleBinding | MonitoringRule custom resources: Read | N/A | N/A |
| MonitoringTarget Editor | RoleBinding | MonitoringTarget custom resources: Create, read, update, delete, and patch | N/A | N/A |
| MonitoringTarget Viewer | RoleBinding | MonitoringTarget custom resources: Read | N/A | N/A |
| Namespace Admin | ProjectRoleBinding | N/A | All resources: Read and write access in the project namespace | N/A |
| NAT Viewer | ProjectRoleBinding | N/A | Deployments: Get and read | N/A |
| ObservabilityPipeline Editor | RoleBinding | ObservabilityPipeline resources: Get, read, create, update, delete, and patch | N/A | N/A |
| ObservabilityPipeline Viewer | RoleBinding | ObservabilityPipeline resources: Get and read | N/A | N/A |
| Project Bucket Admin | RoleBinding | Bucket: Read and write in the project namespace | N/A | N/A |
| Project Bucket Object Admin | RoleBinding | Bucket: Read; Objects: Read and write | N/A | N/A |
| Project Bucket Object Viewer | RoleBinding | Bucket and objects: Read | N/A | N/A |
| Project Cortex Alertmanager Editor | RoleBinding | Cortex system and Cortex Alertmanager: Read and write | N/A | N/A |
| Project Cortex Alertmanager Viewer | RoleBinding | Cortex system and Cortex Alertmanager: Read | N/A | N/A |
| Project Cortex Prometheus Viewer | RoleBinding | Cortex system and Cortex Prometheus: Read | N/A | N/A |
| Project Grafana Viewer | RoleBinding | Grafana system and Grafana: Read and write | N/A | N/A |
| Project NetworkPolicy Admin | RoleBinding | Project network policies: Read and write in the project namespace | N/A | N/A |
| Project Viewer | RoleBinding | All resources in the project namespace: Read | N/A | N/A |
| Project VirtualMachine Admin | RoleBinding | Virtual machines, disks, access requests, external access, backup requests, backups, restore requests, delete backup requests, restores, and password reset requests: Read, create, update, and delete; Virtual machine restart: Put; Virtual machine images, backup plans, and backup plan templates: Read | N/A | N/A |
| Project VirtualMachine Image Admin | RoleBinding | VM images: Read; VM image imports: Read and write | N/A | N/A |
| Secret Admin | RoleBinding | Kubernetes secrets: Read, create, update, delete, and patch | N/A | N/A |
| Secret Viewer | RoleBinding | Kubernetes secrets: Read | N/A | N/A |
| Service Configuration Admin | RoleBinding | ServiceConfigurations: Read and write | N/A | N/A |
| Service Configuration Viewer | RoleBinding | ServiceConfigurations: Read | N/A | N/A |
| Volume Replication Admin | ClusterRoleBinding | Volume failovers, volume relationship replicas: Create, get, list, watch, delete | N/A | N/A |
| Workbench Notebooks Admin | RoleBinding | N/A | Notebook custom resources (CR) in the project namespace: Create, read, update, and delete; ClusterInfo objects: Read | N/A |
| Workbench Notebooks Viewer | RoleBinding | N/A | Notebook custom resources (CR) in the project namespace: Read | N/A |
| Workload Viewer | ProjectRoleBinding | N/A | Pod custom resources in the project namespace: Read; Deployment custom resources in the project namespace: Read | N/A |

Common predefined identity and access roles

Common roles
| Name | Kubernetes resource name | Initial admin | Level | Type |
|---|---|---|---|---|
| AI Platform Viewer | ai-platform-viewer | False | Project | Role |
| DNS Suffix Viewer | dnssuffix-viewer | False | Organization | Role |
| Flow Log Admin | flowlog-admin | False | Organization | ClusterRole |
| Flow Log Viewer | flowlog-viewer | False | Project | ClusterRole |
| Project Discovery Viewer | projectdiscovery-viewer | False | Project | ClusterRole |
| Public Image Viewer | public-image-viewer | False | Organization | Role |
| System Artifact Registry anthos-creds secret Monitor | sar-anthos-creds-secret-monitor | False | Organization | Role |
| System Artifact Registry gpc-system secret Monitor | sar-gpc-system-secret-monitor | False | Organization | Role |
| System Artifact Registry harbor-system secret Monitor | sar-harbor-system-secret-monitor | False | Organization | Role |
| Virtual Machine Type Viewer | virtualmachinetype-viewer | False | Organization | OrganizationRole |
| VM Type Viewer | vmtype-viewer | False | Organization | Role |

Common predefined identity and access roles

Common roles
| Name | Binding type | Admin cluster permissions | Kubernetes cluster permissions | Escalates to |
|---|---|---|---|---|
| AI Platform Viewer | RoleBinding | Pre-trained services: Read | N/A | N/A |
| DNS Suffix Viewer | ClusterRoleBinding | DNS suffix config maps: Read | N/A | N/A |
| Flow Log Admin | ClusterRoleBinding | Flow log resources: Get and read | Flow log resources: Get and read | N/A |
| Flow Log Viewer | ClusterRoleBinding | Flow log resources: Create, get, read, patch, update, and delete | Flow log resources: Create, get, read, patch, update, and delete | N/A |
| Project Discovery Viewer | ClusterRoleBinding | Projects: Read | N/A | N/A |
| Public Image Viewer | RoleBinding | VM images: Read | N/A | N/A |
| System Artifact Registry anthos-creds secret Monitor | RoleBinding | anthos-creds secrets: Get and read | anthos-creds secrets: Get and read | N/A |
| System Artifact Registry gpc-system secret Monitor | RoleBinding | gpc-system secrets: Get and read | gpc-system secrets: Get and read | N/A |
| System Artifact Registry harbor-system secret Monitor | RoleBinding | harbor-system secrets: Get and read | harbor-system secrets: Get and read | N/A |
| Virtual Machine Type Viewer | OrganizationRoleBinding | N/A | VM types: Read | N/A |
| VM Type Viewer | ClusterRoleBinding | VM types: Read | N/A | N/A |

There are two ways to grant access to resources: set up role bindings with the CLI, or set up project-wide role bindings in the UI. Both are described in the following sections.

Set up role bindings using the CLI

AO access in the admin cluster

Unlike Infrastructure Operators (IO) and Platform Administrators (PA), Application Operators (AO) are bound to a project by GDC through a RoleBinding instead of a ClusterRoleBinding.

To grant an AO access to the admin cluster, complete the following steps:

  1. Export the email address that you use for AO access, replacing AO_EMAIL with the address, for example ao-alice@example.com:

    export AO_EMAIL=AO_EMAIL
    
  2. Create a role binding to grant ${AO_EMAIL} Project IAM Admin access in the iam-test namespace:

    kubectl create --kubeconfig PA_KUBECONFIG \
    rolebinding $AO_EMAIL-project-iam-admin \
    --role=project-iam-admin --user=$AO_EMAIL \
    --namespace=iam-test
    

    The project-iam-admin role is a predefined role for GDC. The iam-test Kubernetes namespace corresponds to the iam-test project in the admin cluster.

  3. Verify that the AO account has permissions to create role bindings in the iam-test namespace:

    kubectl --kubeconfig AO_KUBECONFIG auth can-i create rolebinding -n iam-test
    

    You see the following output:

    yes
    
  4. Create a role binding to grant ${AO_EMAIL} Project Viewer access in the bar namespace:

    kubectl create --kubeconfig PA_KUBECONFIG \
    rolebinding $AO_EMAIL-project-viewer \
    --role=project-viewer --user=$AO_EMAIL \
    --namespace=bar
    

    The project-viewer role is a predefined role for GDC. The bar Kubernetes namespace corresponds to the bar project in the org admin cluster.

  5. Verify that the AO account doesn't have permissions to create role bindings in the bar namespace:

    kubectl --kubeconfig AO_KUBECONFIG auth can-i create rolebinding -n bar
    

    You see the following output:

    no
    
  6. Optional: Delete the role binding to revoke the permission granted to the AO account:

    kubectl --kubeconfig PA_KUBECONFIG delete rolebinding $AO_EMAIL-project-iam-admin -n iam-test
    

AO access in user clusters

An AO uses ProjectRole and ProjectRoleBinding resources to gain namespace access to user clusters. However, PAs can grant the AO organization-wide permissions in user clusters using predefined OrganizationRole and ProjectRoleBinding resources.

To grant access to user clusters, you must have the Project IAM Admin role.

Complete the following steps to provide AOs with access to user clusters:

  1. Create a ProjectRoleBinding resource to grant ${AO_EMAIL} Namespace Admin access in all user clusters in the iam-test namespace:

    kubectl --kubeconfig AO_KUBECONFIG apply -f - <<EOF
    apiVersion: resourcemanager.gdc.goog/v1
    kind: ProjectRoleBinding
    metadata:
      name: ${AO_EMAIL%@*}-namespace-admin
      namespace: iam-test
    spec:
      roleRef:
        apiGroup: resourcemanager.gdc.goog
        kind: ProjectRole
        name: namespace-admin
      subjects:
      - apiGroup: rbac.authorization.k8s.io
        kind: User
        name: ${AO_EMAIL}
    EOF
    
  2. Follow the CLI steps in Sign in to get user credentials for the user cluster, and export the generated kubeconfig path in the AO_USER_CLUSTER_KUBECONFIG variable:

    export AO_USER_CLUSTER_KUBECONFIG=GENERATED_KUBECONFIG
    
  3. Verify that the AO account has permissions to create deployments in the iam-test namespace:

    kubectl --kubeconfig ${AO_USER_CLUSTER_KUBECONFIG} auth can-i create deployment -n iam-test
    

    You see the following output:

    yes
    
  4. Optional: Delete the project role bindings to revoke the permission granted to the test AO account:

    kubectl --kubeconfig ${AO_USER_CLUSTER_KUBECONFIG} delete projectrolebinding ${AO_EMAIL%@*}-namespace-admin -n iam-test
    
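As an added example (not code from the GDC documentation), the following audit covers both procedures above: it takes the bindings that `kubectl get rolebinding -A -o json` (admin cluster) and `kubectl get projectrolebinding -A -o json` (Management API server) return, reports which roles a given AO holds in each project namespace, and lists every holder of Project IAM Admin separately, because the role table states that it escalates to all other AO roles. The objects below are constructed to match the bindings created in the steps above for a hypothetical user ao-alice@example.com, plus one Group binding to show that group membership must be taken into account.

```python
"""Audit the roles an AO holds per project namespace.

Added example, not part of the GDC documentation. Input is the `items`
array of `kubectl get rolebinding -A -o json` and
`kubectl get projectrolebinding -A -o json`, concatenated.
"""
import json
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Per the predefined role table, Project IAM Admin can create and bind any
# role and therefore escalates to all other AO roles.
ESCALATING_ROLES = {"project-iam-admin"}

# Constructed sample (hypothetical user and group), shaped like kubectl -o json.
SAMPLE_BINDINGS: List[Dict] = json.loads("""
[
  {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
   "metadata": {"name": "ao-alice@example.com-project-iam-admin", "namespace": "iam-test"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "project-iam-admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "ao-alice@example.com"}]},
  {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
   "metadata": {"name": "ao-alice@example.com-project-viewer", "namespace": "bar"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "project-viewer"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "ao-alice@example.com"}]},
  {"apiVersion": "resourcemanager.gdc.goog/v1", "kind": "ProjectRoleBinding",
   "metadata": {"name": "ao-alice-namespace-admin", "namespace": "iam-test"},
   "roleRef": {"apiGroup": "resourcemanager.gdc.goog", "kind": "ProjectRole", "name": "namespace-admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": "ao-alice@example.com"}]},
  {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
   "metadata": {"name": "ops-secret-admin", "namespace": "bar"},
   "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "Role", "name": "secret-admin"},
   "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": "ops-team"}]}
]
""")


def roles_for_subject(items: Iterable[Dict], user: str,
                      groups: Iterable[str] = ()) -> Dict[str, Set[Tuple[str, str]]]:
    """Map namespace -> {(bindingKind, roleName)} held by `user`.

    Group subjects count when the user's groups are passed in, since a
    Group binding grants the role to every member of that group.
    """
    group_set = set(groups)
    result: Dict[str, Set[Tuple[str, str]]] = defaultdict(set)
    for item in items:
        namespace = item["metadata"].get("namespace", "")
        role = (item["kind"], item["roleRef"]["name"])
        for subject in item.get("subjects", []):
            if subject["kind"] == "User" and subject["name"] == user:
                result[namespace].add(role)
            elif subject["kind"] == "Group" and subject["name"] in group_set:
                result[namespace].add(role)
    return dict(result)


def escalation_report(items: Iterable[Dict]) -> List[Tuple[str, str, str]]:
    """Return (namespace, subjectKind, subjectName) for every binding of a
    role that escalates to other roles, so those holders can be reviewed
    separately from ordinary viewers and editors."""
    report: List[Tuple[str, str, str]] = []
    for item in items:
        if item["roleRef"]["name"] not in ESCALATING_ROLES:
            continue
        namespace = item["metadata"].get("namespace", "")
        for subject in item.get("subjects", []):
            report.append((namespace, subject["kind"], subject["name"]))
    return sorted(report)


if __name__ == "__main__":
    for ns, roles in sorted(roles_for_subject(SAMPLE_BINDINGS, "ao-alice@example.com").items()):
        print(ns, sorted(roles))
    print("escalating:", escalation_report(SAMPLE_BINDINGS))
```

The report matches the `auth can-i` checks in the steps above: the user can create role bindings in iam-test (Project IAM Admin) but not in bar (Project Viewer only).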

Set up project-wide role bindings using the UI

An Application Operator adds other Application Operators to the project so that they have access to project resources.

To get the permissions that you need to set up role bindings, ask your Project IAM Admin to grant you the Project IAM Admin role.

Work through the following steps to set up role bindings:

  1. Sign in to the GDC air-gapped appliance console.
  2. Select a project.
  3. In the navigation menu, click Access Management.
  4. Click Add member.
  5. In the Identity provider list, select an identity provider.
  6. Choose whether you want to add individual users or groups.
  7. In the Username or group alias field, enter the username, email address, or alias.
  8. In the Role list, select the role that you want to assign to the user or group, such as Project Viewer.
  9. Click Add.

Remove role bindings using the UI

When access is no longer required, remove a member and their associated roles, permissions, and access.

Work through the following steps to remove members:

  1. Sign in to the GDC air-gapped appliance console.
  2. Select a project.
  3. In the navigation menu, click Access Management.
  4. In the Authorized members list, select a member.
  5. Click Remove member.
  6. When prompted, click Remove member to confirm.