Access control

When you create a Google Cloud project, you are the only user on the project. By default, no other users have access to your project or its resources, including Google Kubernetes Engine (GKE) resources. GKE supports multiple options for managing access to resources within your project and its clusters using role-based access control (RBAC).

• Identity and Access Management (IAM)
• Kubernetes role-based access control (RBAC)

These mechanisms have some functional overlap, but are targeted to different types of resources. Each is explained in a section below, but in brief:

• Kubernetes RBAC is built into Kubernetes, and grants granular permissions to objects within Kubernetes clusters. Permissions exist as ClusterRole or Role objects within the cluster. RoleBinding objects grant Roles to Kubernetes users, Google Cloud users, IAM service accounts, or Google Groups.

  If you primarily use GKE, and need fine-grained permissions for every object and operation within your cluster, Kubernetes RBAC is the best choice.

• IAM manages Google Cloud resources, including clusters, and types of objects within clusters. Permissions are assigned to IAM principals.

  There is no mechanism for granting permissions for specific Kubernetes objects within IAM. For instance, you can grant a user permission to create CustomResourceDefinitions (CRDs), but you can't grant the user permission to create only one specific CustomResourceDefinition, or limit creation to a specific Namespace or to a specific cluster in the project. An IAM role grants privileges across all clusters in the project, or all clusters in all child projects if the role is applied at the folder level.

  If you use multiple Google Cloud components and you don't need to manage granular Kubernetes-specific permissions, IAM is a good choice.

Kubernetes RBAC

Kubernetes has built-in support for RBAC that allows you to create fine-grained Roles, which exist within the Kubernetes cluster. A Role can be scoped to a specific Kubernetes object or a type of Kubernetes object, and defines which actions (called verbs) the Role grants in relation to that object. A RoleBinding is also a Kubernetes object, and grants Roles to users. A GKE user can be any of:

• Google Cloud user
• IAM service account
• Kubernetes ServiceAccount
• Google Workspace user
• Google Workspace Google Group
• Users authenticated using X509 client certificates

To learn more, refer to Role-Based Access Control.

IAM

IAM lets you grant roles to principals. A role is a collection of permissions, and when granted to a principal, controls access to one or more Google Cloud resources. You can use the following types of roles:

• Basic roles provide coarse permissions limited to Owner, Editor, and Viewer.
• Pre-defined roles, such as the pre-defined roles for GKE, provide finer-grained access than basic roles and address many common use cases.
• Custom roles allow you to create unique combinations of permissions.

A principal can be any of the following:

• User account
• Service account
• Google Workspace Google Group
• Google Workspace domain
• Cloud Identity domain

IAM policy types

IAM supports the following policy types:

• Allow policies: grant roles to principals. For details, see Allow policy.
• Deny policies: prevent principals from using specific IAM permissions regardless of the roles that those principals are granted. For details, see Deny policies.

Use deny policies to restrict specific principals from performing specific actions in your project, folder, or organization even if an IAM allow policy grants those principals a role that contains the relevant permissions.

IAM recommendations

Consider using the following IAM predefined roles to facilitate common scenarios:

• Kubernetes Engine Cluster Viewer (roles/container.clusterViewer): DevOps, engineers, and application developers who only need to connect to the cluster.
• Kubernetes Engine Cluster Admin (roles/container.clusterAdmin): Platform administrators and cluster operators who need to manage one or more clusters in a Google Cloud project.

For a list of the available predefined IAM roles, refer to Predefined GKE roles.

Additionally, consider creating a custom IAM service account for your nodes to use instead of the Compute Engine default service account. Grant the custom service account the minimum permissions needed for GKE to function. For instructions, see Use least-privilege IAM service accounts.

IAM interaction with Kubernetes RBAC

IAM and Kubernetes RBAC work together to help manage access to your cluster. RBAC controls access on a cluster and namespace level, while IAM works on the project level. An entity must have sufficient permissions at either level to work with resources in your cluster.

What's next

• Read the GKE security overview.
• Learn how to use Kubernetes RBAC.
• Learn how to create IAM policies for GKE.
• Learn how to use IAM Conditions for load balancers.