Configure Google Groups for RBAC

This page shows you how to set up Google Groups to work with Kubernetes role-based access control (RBAC) in your Google Kubernetes Engine (GKE) clusters.

Overview

Google Groups for RBAC lets you assign RBAC permissions to members of Groups in Google Workspace. Your Google Workspace administrators maintain the users and groups completely outside of GKE or the Google Cloud console. Your cluster administrators therefore won't need detailed information about users.

Using Google Groups for RBAC also lets you integrate with your existing user account management practices, such as revoking access when someone leaves your organization.

To use Google Groups for RBAC, complete the following tasks:

  1. Meet the requirements.
  2. Set up your Groups.
  3. Enable Google Groups for RBAC on a cluster.
  4. Define and assign RBAC permissions to the Groups.

Requirements

To use Google Groups for RBAC, you must have access to Google Workspace or any edition of Cloud Identity.

Set up your Groups

The following steps show you how to set up a group in Groups that works with RBAC:

  1. Create a group in your domain named gke-security-groups. The gke-security-groups name is required. Make sure the group has the View Members permission selected for Group Members. For details, see Set permissions for managing members and content.

  2. Create groups, if they do not already exist, that represent sets of users who should have different permissions on your clusters, such as developers and cluster administrators. Each group must have the View members permission for Group members.

  3. Add your groups as members of the gke-security-groups group. Don't add individual users as members of gke-security-groups.

For more information on managing Groups, refer to the Groups Help Center.

To check whether a specific user can perform an action on a cluster resource, GKE checks if the user is a member of a group with access and if that group is a member of the gke-security-groups group. Groups can be direct or nested members of the gke-security-groups group.

Information about Groups membership is cached for a short time. It might take a few minutes for changes in group memberships to propagate to all your clusters. In addition to latency from group changes, standard caching of user credentials on the cluster is about one hour.

Enable Google Groups for RBAC on clusters

You can enable Google Groups for RBAC on new and existing GKE Standard and Autopilot clusters using the Google Cloud CLI or the Google Cloud console.

Create a new cluster

gcloud

Standard

To create a new Standard cluster and enable Google Groups for RBAC, run the following command:

gcloud container clusters create CLUSTER_NAME \
    --region=COMPUTE_REGION \
    --security-group="gke-security-groups@DOMAIN"

Replace the following:

  • CLUSTER_NAME: the name of the new cluster.
  • COMPUTE_REGION: the Compute Engine region for the new cluster. For zonal clusters, use --zone=COMPUTE_ZONE.
  • DOMAIN: the domain name of the gke-security-groups group you created.

Autopilot

To create a new Autopilot cluster and enable Google Groups for RBAC, run the following command:

gcloud container clusters create-auto CLUSTER_NAME \
    --region=COMPUTE_REGION \
    --security-group="gke-security-groups@DOMAIN"

Console

To create a new cluster and enable the Google Groups for RBAC feature, perform the following steps:

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

  2. On the Google Kubernetes Engine page, click Create.
  3. For Autopilot clusters, expand the Advanced Options section to locate the Security options.
  4. For Standard clusters, under Cluster in the navigation pane, click Security.
  5. Select the Enable Google Groups for RBAC checkbox.
  6. Fill in Security Group with gke-security-groups@DOMAIN.
  7. Click Create.

Update an existing cluster

gcloud

To update an existing cluster to enable Google Groups for RBAC, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --region=COMPUTE_REGION \
    --security-group="gke-security-groups@DOMAIN"

Replace the following:

  • CLUSTER_NAME: the name of the cluster.
  • COMPUTE_REGION: the Compute Engine region of the cluster. For zonal clusters, use --zone=COMPUTE_ZONE.
  • DOMAIN: the domain name of the gke-security-groups group you created.

Console

To update an existing cluster to enable Google Groups for RBAC, perform the following steps:

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

  2. In the cluster list on the Google Kubernetes Engine page, click the name of the cluster you want to modify.
  3. On the Details tab, locate the Security section.
  4. For the Google Groups for RBAC field, click Edit Google Groups for RBAC.
  5. Select the Enable Google Groups for RBAC checkbox.
  6. Fill in Security Group with gke-security-groups@DOMAIN.
  7. Click Save Changes.

Define and assign permissions

After creating and configuring Google Groups for RBAC, use roles and role bindings to define RBAC permissions and assign those permissions to Groups that are members of the gke-security-groups group. For instructions, refer to Define and assign permissions.
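The following added example (not GKE or Google code) models the two rules described above: only groups that are direct or nested members of gke-security-groups are presented to Kubernetes RBAC, and a RoleBinding whose subject is a Group then grants its role to users of that group. All group addresses, users and bindings are constructed, and the domain example.com is assumed.

```python
# Added illustration (not GKE or Google code): how Google Groups for RBAC decides which
# group identities a user carries into Kubernetes RBAC, and how a RoleBinding with a
# Group subject then authorizes that user. All names below are constructed.
from typing import Dict, List, Set

SECURITY_GROUP = "gke-security-groups@example.com"  # required group name, assumed domain

# Constructed directory: group address -> its direct members (users or nested groups).
DIRECTORY: Dict[str, Set[str]] = {
    SECURITY_GROUP: {"gke-devs@example.com", "gke-admins@example.com"},
    "gke-admins@example.com": {"platform-leads@example.com"},   # nested group
    "platform-leads@example.com": {"alice@example.com"},
    "gke-devs@example.com": {"bob@example.com"},
    "finance@example.com": {"bob@example.com"},                 # not under gke-security-groups
}

def nested_members(group: str) -> Set[str]:
    """Transitive members (users and groups) of a group."""
    seen, stack = set(), [group]
    while stack:
        for member in DIRECTORY.get(stack.pop(), set()):
            if member not in seen:
                seen.add(member)
                stack.append(member)
    return seen

def effective_rbac_groups(user: str) -> Set[str]:
    """Groups RBAC sees for the user: groups that contain the user (directly or
    via nesting) AND are direct or nested members of gke-security-groups.
    gke-security-groups itself and groups outside it are never presented."""
    reachable = nested_members(SECURITY_GROUP)
    return {g for g in DIRECTORY if g in reachable and user in nested_members(g)}

# Constructed RoleBindings: subjects of kind Group, named by the group's email address.
ROLE_BINDINGS: List[dict] = [
    {"namespace": "dev", "role": "edit",
     "subjects": [{"kind": "Group", "name": "gke-devs@example.com"}]},
    {"namespace": "dev", "role": "admin",
     "subjects": [{"kind": "Group", "name": "gke-admins@example.com"}]},
    {"namespace": "billing", "role": "view",
     "subjects": [{"kind": "Group", "name": "finance@example.com"}]},
]

def roles_for(user: str, namespace: str) -> Set[str]:
    """Roles granted to the user in a namespace through Group subjects."""
    groups = effective_rbac_groups(user)
    return {rb["role"] for rb in ROLE_BINDINGS if rb["namespace"] == namespace
            and any(s["kind"] == "Group" and s["name"] in groups for s in rb["subjects"])}
```

Note that bob@example.com gets nothing in the billing namespace even though finance@example.com is bound there: that group is not a member of gke-security-groups, so RBAC never sees it.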

Troubleshooting

Debug issues with Groups integration

The following instructions let you view logs to verify that your clusters have been successfully configured to use Google Groups for RBAC role bindings.

Before you begin

Before you begin examining the logs, ensure the following:

  • You have not interacted with the cluster you want to test (for example, by running any kubectl commands) for at least one hour. Authentication is cached for one hour. Letting the cached credentials expire ensures that the request gets logged when it happens.
  • You are a member of at least one of the groups that are members of the gke-security-groups group, which ensures that some Groups information is logged.

Verify Google Groups for RBAC configuration in logs

To verify that you successfully configured Google Groups for RBAC for a specific group, perform the following steps:

  1. Enable data access logging for your Google Cloud project:
    1. Go to the Audit Logs page in Google Cloud console.

    2. In the table on the Audit Logs page, select Kubernetes Engine API.
    3. In the Log Type menu, select:
      • Admin Read
      • Data Read
      • Data Write
    4. Click Save.

    For more information about enabling Audit Logging, see Configuring Data Access logs with the Cloud console.

    Enabling Audit Logging incurs charges. If you only enabled Audit Logging for testing purposes, you should disable it after you've completed testing to avoid charges.

  2. Run a command using kubectl in the cluster, such as the following:
        kubectl create ns helloworld
  3. Enter a custom query in the Logs Explorer page. To run the query:
    1. Go to the Logs Explorer page in Google Cloud console.

    2. Click Show query at the top of the page.
    3. In the query editor that appears, specify the following query:
      resource.type="k8s_cluster"
      resource.labels.location="CLUSTER_LOCATION"
      resource.labels.cluster_name="CLUSTER_NAME"
      protoPayload.resourceName="authorization.k8s.io/v1beta1/subjectaccessreviews"
      protoPayload.response.spec.user="EMAIL_ADDRESS"

      Replace the following:

      • CLUSTER_LOCATION: your cluster's region or zone.
      • CLUSTER_NAME: the name of your cluster.
      • EMAIL_ADDRESS: the registered email address of your Google account.
    4. Select Run Query. At least one result should appear. If there are no results, try increasing the time range.
    5. Select the cluster you want to examine.
    6. Click Expand nested fields.
    7. The field protoPayload.request.spec.group contains the groups where:
      • The groups are members of gke-security-groups.
      • You are a member of the group.

      This list should match the set of groups you are a member of. If no groups are present, there might be an issue with how the groups are set up.

  4. Optionally, restore data access logging to previous settings to avoid further charges.
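The following added example (not Google code) applies the verification procedure above to an exported log entry: it filters on the same fields as the Logs Explorer query and then compares protoPayload.request.spec.group with the groups you expect to be in. The entry itself is constructed; only the field paths come from the query above, and the fallback to a plural groups key is an assumption based on the Kubernetes SubjectAccessReview API.

```python
# Added illustration (not Google code): checking a SubjectAccessReview audit log entry
# the way the troubleshooting steps describe. The entry below is constructed; only the
# field paths used by the page's Logs Explorer query are taken from the page.
import json
from typing import Any, Dict, List, Set

SAMPLE_ENTRY_JSON = json.dumps({
    "resource": {"type": "k8s_cluster",
                 "labels": {"location": "us-central1", "cluster_name": "demo-cluster"}},
    "protoPayload": {
        "resourceName": "authorization.k8s.io/v1beta1/subjectaccessreviews",
        "request": {"spec": {"user": "alice@example.com",
                             "group": ["gke-admins@example.com", "system:authenticated"]}},
        "response": {"spec": {"user": "alice@example.com"}},
    },
})

def matches_query(entry: Dict[str, Any], location: str, cluster: str, email: str) -> bool:
    """Apply the same filter as the Logs Explorer query from the page."""
    res, pp = entry.get("resource", {}), entry.get("protoPayload", {})
    return (res.get("type") == "k8s_cluster"
            and res.get("labels", {}).get("location") == location
            and res.get("labels", {}).get("cluster_name") == cluster
            and pp.get("resourceName") == "authorization.k8s.io/v1beta1/subjectaccessreviews"
            and pp.get("response", {}).get("spec", {}).get("user") == email)

def logged_groups(entry: Dict[str, Any]) -> List[str]:
    """Group list from protoPayload.request.spec.group (falls back to the plural
    'groups' key used by the Kubernetes SubjectAccessReview API; an assumption)."""
    spec = entry.get("protoPayload", {}).get("request", {}).get("spec", {})
    return list(spec.get("group") or spec.get("groups") or [])

def check_group_setup(entry_json: str, location: str, cluster: str, email: str,
                      expected: Set[str]) -> Dict[str, Set[str]]:
    """Compare the Google Groups in the log against the groups under
    gke-security-groups the user expects to be in. Built-in 'system:' groups
    are ignored. Empty 'missing' and 'unexpected' means the setup looks right."""
    entry = json.loads(entry_json)
    if not matches_query(entry, location, cluster, email):
        raise ValueError("entry does not match the query for this cluster/user")
    logged = {g for g in logged_groups(entry) if not g.startswith("system:")}
    return {"missing": expected - logged, "unexpected": logged - expected}

if __name__ == "__main__":
    print(check_group_setup(SAMPLE_ENTRY_JSON, "us-central1", "demo-cluster",
                            "alice@example.com", {"gke-admins@example.com"}))
```

A non-empty "missing" set is the symptom the page describes: a group you belong to is not reaching the cluster, usually because it or its parent is not a member of gke-security-groups or lacks the View members permission.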

What's next