Creating Cloud IAM policies

This page explains how to create Cloud Identity and Access Management (Cloud IAM) policies for authorization in Google Kubernetes Engine.

Overview

Every Google Cloud Platform (GCP), GKE, and Kubernetes API call requires that the account making the request has the necessary permissions. By default, no one except you can access your project or its resources. You can use Cloud Identity and Access Management to manage who can access your project and what they are allowed to do. Cloud IAM permissions work alongside Kubernetes RBAC, which provides granular access controls for specific objects in a cluster or Namespace. Cloud IAM has a stronger focus on permissions at the level of the GCP project and organization, though it does provide several pre-defined roles specific to GKE.

To grant users and service accounts access to your GCP project, you add them as project team members, then assign roles to the team members. Roles define which GCP resources an account can access and which operations it can perform on them.

In GKE, you can use Cloud IAM to manage which users and service accounts can access, and perform operations in, your clusters.

Before you begin

To prepare for this task, perform the following steps:

  • Ensure that you have enabled the Google Kubernetes Engine API.
  • Ensure that you have installed the Cloud SDK.
  • Set your default project ID:
    gcloud config set project [PROJECT_ID]
  • If you are working with zonal clusters, set your default compute zone:
    gcloud config set compute/zone [COMPUTE_ZONE]
  • If you are working with regional clusters, set your default compute region:
    gcloud config set compute/region [COMPUTE_REGION]
  • Update gcloud to the latest version:
    gcloud components update

Interaction with Kubernetes RBAC

Kubernetes' native role-based access control (RBAC) system also manages access to your cluster. RBAC controls access on a cluster and namespace level, while Cloud IAM works on the project level.

Cloud IAM and RBAC can work in concert, and an entity must have sufficient permissions at either level to work with resources in your cluster.

Cloud IAM Roles

The following sections describe the Cloud IAM Roles available in GCP.

Predefined GKE Roles

Cloud IAM provides predefined Roles that grant access to specific GCP resources and prevent unauthorized access to other resources.

Cloud IAM offers the following predefined roles for GKE:

Kubernetes Engine roles

Role: roles/container.admin
Title: Kubernetes Engine Admin
Description: Provides access to full management of Container Clusters and their Kubernetes API objects.
Permissions:
  container.*
  resourcemanager.projects.get
  resourcemanager.projects.list
Lowest resource: Project

Role: roles/container.clusterAdmin
Title: Kubernetes Engine Cluster Admin
Description: Provides access to management of Container Clusters.
Permissions:
  container.clusters.create
  container.clusters.delete
  container.clusters.get
  container.clusters.list
  container.clusters.update
  container.operations.*
  resourcemanager.projects.get
  resourcemanager.projects.list
Lowest resource: Project

Role: roles/container.clusterViewer
Title: Kubernetes Engine Cluster Viewer
Description: Read-only access to Kubernetes Clusters.
Permissions:
  container.clusters.get
  container.clusters.list
  resourcemanager.projects.get
  resourcemanager.projects.list

Role: roles/container.developer
Title: Kubernetes Engine Developer
Description: Provides full access to Kubernetes API objects inside Container Clusters.
Permissions:
  container.apiServices.*
  container.backendConfigs.*
  container.bindings.*
  container.certificateSigningRequests.create
  container.certificateSigningRequests.delete
  container.certificateSigningRequests.get
  container.certificateSigningRequests.list
  container.certificateSigningRequests.update
  container.certificateSigningRequests.updateStatus
  container.clusterRoleBindings.get
  container.clusterRoleBindings.list
  container.clusterRoles.get
  container.clusterRoles.list
  container.clusters.get
  container.clusters.list
  container.componentStatuses.*
  container.configMaps.*
  container.controllerRevisions.get
  container.controllerRevisions.list
  container.cronJobs.*
  container.customResourceDefinitions.*
  container.daemonSets.*
  container.deployments.*
  container.endpoints.*
  container.events.*
  container.horizontalPodAutoscalers.*
  container.ingresses.*
  container.initializerConfigurations.*
  container.jobs.*
  container.limitRanges.*
  container.localSubjectAccessReviews.*
  container.namespaces.*
  container.networkPolicies.*
  container.nodes.*
  container.persistentVolumeClaims.*
  container.persistentVolumes.*
  container.petSets.*
  container.podDisruptionBudgets.*
  container.podPresets.*
  container.podSecurityPolicies.get
  container.podSecurityPolicies.list
  container.podTemplates.*
  container.pods.*
  container.replicaSets.*
  container.replicationControllers.*
  container.resourceQuotas.*
  container.roleBindings.get
  container.roleBindings.list
  container.roles.get
  container.roles.list
  container.scheduledJobs.*
  container.secrets.*
  container.selfSubjectAccessReviews.*
  container.serviceAccounts.*
  container.services.*
  container.statefulSets.*
  container.storageClasses.*
  container.subjectAccessReviews.*
  container.thirdPartyObjects.*
  container.thirdPartyResources.*
  container.tokenReviews.*
  resourcemanager.projects.get
  resourcemanager.projects.list
Lowest resource: Project

Role: roles/container.hostServiceAgentUser
Title: Kubernetes Engine Host Service Agent User
Description: Use access of the Kubernetes Engine Host Service Agent.
Permissions:
  compute.firewalls.get
  container.hostServiceAgent.*

Role: roles/container.viewer
Title: Kubernetes Engine Viewer
Description: Provides read-only access to GKE resources.
Permissions:
  container.apiServices.get
  container.apiServices.list
  container.backendConfigs.get
  container.backendConfigs.list
  container.bindings.get
  container.bindings.list
  container.certificateSigningRequests.get
  container.certificateSigningRequests.list
  container.clusterRoleBindings.get
  container.clusterRoleBindings.list
  container.clusterRoles.get
  container.clusterRoles.list
  container.clusters.get
  container.clusters.list
  container.componentStatuses.*
  container.configMaps.get
  container.configMaps.list
  container.controllerRevisions.get
  container.controllerRevisions.list
  container.cronJobs.get
  container.cronJobs.getStatus
  container.cronJobs.list
  container.customResourceDefinitions.get
  container.customResourceDefinitions.list
  container.daemonSets.get
  container.daemonSets.getStatus
  container.daemonSets.list
  container.deployments.get
  container.deployments.getStatus
  container.deployments.list
  container.endpoints.get
  container.endpoints.list
  container.events.get
  container.events.list
  container.horizontalPodAutoscalers.get
  container.horizontalPodAutoscalers.getStatus
  container.horizontalPodAutoscalers.list
  container.ingresses.get
  container.ingresses.getStatus
  container.ingresses.list
  container.initializerConfigurations.get
  container.initializerConfigurations.list
  container.jobs.get
  container.jobs.getStatus
  container.jobs.list
  container.limitRanges.get
  container.limitRanges.list
  container.namespaces.get
  container.namespaces.getStatus
  container.namespaces.list
  container.networkPolicies.get
  container.networkPolicies.list
  container.nodes.get
  container.nodes.getStatus
  container.nodes.list
  container.operations.*
  container.persistentVolumeClaims.get
  container.persistentVolumeClaims.getStatus
  container.persistentVolumeClaims.list
  container.persistentVolumes.get
  container.persistentVolumes.getStatus
  container.persistentVolumes.list
  container.petSets.get
  container.petSets.list
  container.podDisruptionBudgets.get
  container.podDisruptionBudgets.getStatus
  container.podDisruptionBudgets.list
  container.podPresets.get
  container.podPresets.list
  container.podSecurityPolicies.get
  container.podSecurityPolicies.list
  container.podTemplates.get
  container.podTemplates.list
  container.pods.get
  container.pods.getStatus
  container.pods.list
  container.replicaSets.get
  container.replicaSets.getScale
  container.replicaSets.getStatus
  container.replicaSets.list
  container.replicationControllers.get
  container.replicationControllers.getScale
  container.replicationControllers.getStatus
  container.replicationControllers.list
  container.resourceQuotas.get
  container.resourceQuotas.getStatus
  container.resourceQuotas.list
  container.roleBindings.get
  container.roleBindings.list
  container.roles.get
  container.roles.list
  container.scheduledJobs.get
  container.scheduledJobs.list
  container.serviceAccounts.get
  container.serviceAccounts.list
  container.services.get
  container.services.getStatus
  container.services.list
  container.statefulSets.get
  container.statefulSets.getStatus
  container.statefulSets.list
  container.storageClasses.get
  container.storageClasses.list
  container.thirdPartyObjects.get
  container.thirdPartyObjects.list
  container.thirdPartyResources.get
  container.thirdPartyResources.list
  container.tokenReviews.*
  resourcemanager.projects.get
  resourcemanager.projects.list
Lowest resource: Project

To learn about permissions granted by each Cloud IAM role, refer to Permissions granted by Cloud IAM roles.

Primitive Cloud IAM roles

Primitive Cloud IAM roles grant users global, project-level access to all GCP resources. To keep your project and clusters secure, use predefined Roles whenever possible.

To learn more about primitive roles, refer to Primitive roles in the Cloud Identity and Access Management documentation.

Service Account User role

Service Account User grants a GCP user account the permission to perform actions as though a service account were performing them.

  • Granting the iam.serviceAccountUser role to a user for a project gives the user all of the roles granted to all service accounts in the project, including service accounts that may be created in the future.

  • Granting the iam.serviceAccountUser role to a user for a specific service account gives a user all of the roles granted to that service account.

For more information about the ServiceAccountUser role, see ServiceAccountUser in the Cloud IAM documentation.

The following command shows the syntax for granting the Service Account User role:

gcloud iam service-accounts add-iam-policy-binding \
  [SA_NAME]@[PROJECT_ID].iam.gserviceaccount.com \
  --member=user:[USER] \
  --role=roles/iam.serviceAccountUser

Role: roles/iam.serviceAccountUser
Title: Service Account User
Description: Run operations as the service account.
Permissions:
  iam.serviceAccounts.actAs
  iam.serviceAccounts.get
  iam.serviceAccounts.list
  resourcemanager.projects.get
  resourcemanager.projects.list
Lowest resource: Service Account

Host Service Agent User role

The Host Service Agent User role is only used in Shared VPC clusters.

Role: roles/container.hostServiceAgentUser
Title: Kubernetes Engine Host Service Agent User
Description: Permission to use the Kubernetes Engine Host Service Agent.
Permissions:
  compute.firewalls.get
  container.hostServiceAgent.*

Custom roles

If predefined roles don't meet your needs, you can create custom roles with permissions that you define.

To learn how to create and assign custom roles, refer to Creating and managing custom roles.

Viewing permissions granted by Cloud Identity and Access Management roles

You can view the permissions granted by each Role using the gcloud command-line tool or GCP Console.

gcloud

To view the permissions granted by a specific role, run the following command, where [ROLE] is any Cloud Identity and Access Management role (GKE role names begin with container.):

gcloud iam roles describe roles/[ROLE]

For example:

gcloud iam roles describe roles/container.admin

Console

To view the permissions granted by a specific Role, perform the following steps:

  1. Visit the Roles section of GCP Console's IAM menu.

  2. In the Filter table field, enter "GKE".

  3. Select the desired Role.

Managing Cloud Identity and Access Management roles

To learn how to manage Cloud IAM roles and permissions for human users, refer to Granting, changing, and revoking access to project members in the Cloud IAM documentation.

For service accounts, refer to Granting roles to service accounts.

Examples

Here are a few examples of how Cloud Identity and Access Management works with GKE:

  • A new employee has joined a company. They need to be added to the GCP project, but they only need to view the project's clusters and other GCP resources. The project owner assigns them the project-level Compute Viewer role. This role provides read-only access to get and list nodes, which are Compute Engine resources.
  • The employee is working in operations, and they need to update a cluster using gcloud or Google Cloud Platform Console. This operation requires the container.clusters.update permission, so the project owner assigns them the Kubernetes Engine Cluster Admin role. The employee now has the permissions granted by both the Kubernetes Engine Cluster Admin and Compute Viewer roles.
  • The employee needs to investigate why a Deployment is having issues. They need to run kubectl get pods to see Pods running in the cluster. The employee already has the Compute Viewer role, which is not sufficient for listing Pods. The employee needs the Kubernetes Engine Viewer role.
  • The employee needs to create a new cluster. The project owner grants the employee the Service Account User role for the [PROJECT_NUMBER]-compute@developer.gserviceaccount.com service account, so that the employee's account can access Compute Engine's default service account. This service account has the Editor role, which provides a broad set of permissions.
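The scenario in the list above, worked through as added example code that is not part of this page: it models a principal's effective permissions as the union of its Cloud IAM roles, expands "container.operations.*"-style wildcards, and reports which predefined role would supply a missing permission. Permission lists are abridged from the role table on this page; roles/compute.viewer is a constructed stand-in for the real Compute Viewer role.

```python
# Added example (not from the GKE docs). Permission lists below are abridged from
# the role table on this page; roles/compute.viewer is a constructed stand-in.
ROLES = {
    "roles/compute.viewer": [  # constructed: enough to get/list Compute Engine nodes
        "compute.instances.get", "compute.instances.list",
        "compute.zones.get", "compute.zones.list",
    ],
    "roles/container.clusterAdmin": [
        "container.clusters.create", "container.clusters.delete",
        "container.clusters.get", "container.clusters.list",
        "container.clusters.update", "container.operations.*",
        "resourcemanager.projects.get", "resourcemanager.projects.list",
    ],
    "roles/container.viewer": [  # abridged
        "container.clusters.get", "container.clusters.list",
        "container.pods.get", "container.pods.getStatus", "container.pods.list",
        "container.deployments.get", "container.deployments.list",
    ],
    "roles/container.admin": [
        "container.*", "resourcemanager.projects.get", "resourcemanager.projects.list",
    ],
}


def grants(pattern, permission):
    """True if an IAM permission pattern covers a permission. A trailing ".*"
    matches every permission under that prefix, so "container.pods.*" covers
    "container.pods.list" but not "container.podSecurityPolicies.get"."""
    if pattern.endswith(".*"):
        return permission.startswith(pattern[:-1])  # keep the trailing dot
    return pattern == permission


def effective_permissions(roles):
    """Union of the permission patterns granted by all of a principal's roles."""
    return {p for r in roles for p in ROLES[r]}


def can(roles, permission):
    """Does this combination of roles allow the given permission?"""
    return any(grants(p, permission) for p in effective_permissions(roles))


def roles_granting(permission):
    """Predefined roles that would add a permission; choose the narrowest one."""
    return sorted(r for r, ps in ROLES.items() if any(grants(p, permission) for p in ps))
```

Walking the employee's roles through `can()` for container.clusters.update and then container.pods.list reproduces the page's scenario: Compute Viewer alone allows neither, Cluster Admin adds the first, and only Kubernetes Engine Viewer (or the far broader Kubernetes Engine Admin) adds the second.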

What's next
