When you create a Google Cloud Platform (GCP) project, you are the only user on the project. By default, no other users have access to your project or its resources, including Google Kubernetes Engine resources, until you add them as team members and grant them roles in your project. This page describes how to configure access control for your GKE resources.
Access control options
You can use two access control features to secure your project, clusters, and data: Google Cloud Identity & Access Management (Cloud IAM), and Kubernetes role-based access control (RBAC).
Cloud IAM is GCP's access control system for managing authentication and authorization for GCP resources. You use Cloud IAM to grant users access to GKE and Kubernetes resources.
Kubernetes' RBAC system grants granular permissions for specific resources and operations within your clusters.
Cloud IAM offers roles for managing access to projects and GCP resources. After you add users to your project, you assign them roles that grant them permission to perform operations within your project and clusters. You can assign primitive and predefined roles. You can also create custom roles for testing purposes.
Additionally, you use Cloud IAM to create and configure service accounts—Google accounts associated with your project that perform tasks on your behalf. Service accounts are assigned roles and permissions in the same way as human users.
To learn more, refer to Creating Cloud IAM Policies.
Kubernetes RBAC allows you to use Kubernetes-native access control APIs to create roles with fine-grained permissions for Kubernetes resources and operations at the cluster or namespace level. After you create roles, you create role bindings, which assign roles to users and Kubernetes service accounts.
Kubernetes RBAC is useful if you are already familiar with access control inside of Kubernetes and prefer to manage access in a cloud-agnostic way.
To learn more, refer to the Role-Based Access Control documentation.
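The role and role binding steps described above, as an added example that is not part of the original page: a namespace-scoped Role granting read-only access to Pods, bound to one user and one Kubernetes service account. The namespace, role, user, and service account names are hypothetical placeholders.

```yaml
# Added example: namespace-scoped, read-only access to Pods and their logs.
# All names below (dev, pod-reader, dev-user@example.com, ci-reader) are hypothetical.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev              # a Role applies only inside this namespace
  name: pod-reader
rules:
- apiGroups: [""]             # "" selects the core API group
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]   # read-only: no create, update, patch, or delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: dev              # must match the namespace of the Role
  name: pod-reader-binding
subjects:
- kind: User                  # a human user, identified by account name
  name: dev-user@example.com
  apiGroup: rbac.authorization.k8s.io
- kind: ServiceAccount        # a Kubernetes service account in the same namespace
  name: ci-reader
  namespace: dev
roleRef:                      # the role being granted; cannot be changed after creation
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

For cluster-wide access, the same rules go in a ClusterRole bound with a ClusterRoleBinding, neither of which takes a namespace.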
Should I use Cloud IAM or RBAC?
When assessing your access control needs, consider which type of access control would be most useful to you:
You use GCP's Cloud IAM to grant access to resources and operations using primitive, predefined, or custom roles. You can assign roles at the project and cluster level. You can manage permissions for GCP, GKE, and Kubernetes together in one place.
You use RBAC to configure granular access to Kubernetes resources and operations at the cluster and namespace level. Since RBAC is the Kubernetes-native authorization system, managing permissions is consistent across clusters in different cloud and on-premises environments.