This page explains how cluster or security administrators can restrict view access to cluster resources based on specific namespaces, and how users with restricted access can view these resources on the Google Cloud console.
Enable namespace-restricted access to cluster resources
As a cluster administrator, you might want to provide restricted access to cluster resources for specific namespaces. This is a common scenario for organizations running multi-tenant Google Kubernetes Engine (GKE) clusters.
You can use tenant permissions to restrict user interactions with the cluster on the Google Cloud console. You grant users the roles/container.clusterViewer IAM role as well as role-based access control (RBAC) permissions to view resources in specific namespaces.
To learn more about using namespaces, see Organizing Kubernetes with Namespaces and Enterprise multi-tenancy best practices.
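The grant described above, as an added example that is not from the original page: the project-level IAM binding (shown as a comment) plus a read-only Role and RoleBinding scoped to a single namespace. PROJECT_ID, the user alice@example.com, the namespace tenant-a, the file name and the object names are placeholder assumptions.

```yaml
# Added example, not from the original page. Placeholders (assumptions):
# PROJECT_ID, alice@example.com, namespace tenant-a, file and object names.
#
# Step 1 (IAM): allow the user to see the cluster in the console.
#   gcloud projects add-iam-policy-binding PROJECT_ID \
#     --member="user:alice@example.com" \
#     --role="roles/container.clusterViewer"
#
# Step 2 (RBAC): apply this manifest for read-only access to one namespace.
#   kubectl apply -f tenant-a-viewer.yaml
#
# Check the result (expect "yes" for tenant-a and "no" for other namespaces):
#   kubectl auth can-i list pods --namespace tenant-a --as alice@example.com
#   kubectl auth can-i list pods --namespace default  --as alice@example.com
apiVersion: rbac.authorization.k8s.io/v1
kind: Role                        # namespaced; a ClusterRoleBinding would be cluster-wide
metadata:
  name: tenant-viewer
  namespace: tenant-a
rules:
  - apiGroups: [""]
    resources: ["pods", "services", "configmaps", "events"]
    verbs: ["get", "list", "watch"]   # read-only verbs
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  # Secrets are deliberately not listed, so the viewer cannot read them.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-viewer-alice
  namespace: tenant-a             # the binding only takes effect in this namespace
subjects:
  - kind: User
    name: alice@example.com       # Google account email of the user
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: tenant-viewer
  apiGroup: rbac.authorization.k8s.io
```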
View namespace-restricted resources in the Google Cloud console
If you have limited IAM or RBAC permissions and want to view namespace-restricted resources on the Google Cloud console, follow these steps:
- Go to the Workloads page in the Google Cloud console.
- Click the Namespace drop-down list.
- Click Add filter. Enter the namespace you want to access, then click Save.
- Click OK.
The list will be filtered to show the selected namespace.
Share saved views
You can also save the filtered list as a named saved view. The saved view will persist across sessions, and can be shared with other users.
To share a saved view, follow these steps:
- Select the saved view from the Saved view drop-down list.
- Next to the Saved view drop-down list, click , then click Share.
- Click to copy the URL in the Share view dialog. You can share this URL with other users who need access to the same cluster and namespaces.