Some parts of the Google Kubernetes Engine (GKE) API and the Kubernetes API require additional permissions before you can use them. Those permissions are described in the following tables. For instructions on managing permissions, see Granting, Changing, and Revoking Access to Resources.
Google Kubernetes Engine API permissions
The information in this table is relevant to the GKE API.
Method | Required Permission(s) |
---|---|
projects.locations.clusters.create | container.clusters.create on the containing Cloud project, and iam.serviceAccounts.actAs on the specified service account. |
projects.locations.clusters.delete | container.clusters.delete on the requested cluster. |
projects.locations.clusters.get | container.clusters.get on the requested cluster, and container.clusters.getCredentials to see the cluster's credentials. |
projects.locations.clusters.list | container.clusters.list on the requested Cloud project, and container.clusters.getCredentials to see each cluster's credentials. |
projects.locations.clusters.update | container.clusters.update on the requested cluster. |
projects.locations.clusters.nodePools.create | container.clusters.update on the requested cluster. |
projects.locations.clusters.nodePools.delete | container.clusters.update on the requested cluster. |
projects.locations.clusters.nodePools.get | container.clusters.get on the requested cluster. |
projects.locations.clusters.nodePools.list | container.clusters.get on the requested cluster. |
projects.locations.operations.get | container.operations.get on the requested operations. |
projects.locations.operations.list | container.operations.list on the requested Cloud project. |
POST /apis/{path_to_custom_resource} | container.thirdPartyObjects.create |
DELETE /apis/{path_to_custom_resource}/{name} | container.thirdPartyObjects.delete |
DELETE /apis/{path_to_custom_resource} | container.thirdPartyObjects.delete |
GET /apis/{path_to_custom_resource}/{name} | container.thirdPartyObjects.get |
GET /apis/{path_to_custom_resource} | container.thirdPartyObjects.list |
PATCH /apis/{path_to_custom_resource} | container.thirdPartyObjects.update |
PUT /apis/{path_to_custom_resource} | container.thirdPartyObjects.update |
{other_verb} /apis/{path_to_custom_resource} | container.thirdPartyObjects.update |
Bind to a ClusterRole | container.clusterRoles.bind |
Bind to a Role | container.roles.bind |
Kubernetes API permissions
The information in this table is relevant to the Kubernetes core API.