
Limit access to a Kubernetes cluster on Google Cloud Platform


We have created 2 different Kubernetes clusters on Google Cloud Platform, one for Development and the other for Production. Our team members have the "editor" role (so they can create, update, delete and list pods).

We want to limit access to the production cluster by using the RBAC authorization provided by Kubernetes. I've created a ClusterRole and a ClusterRoleBinding, as follows:

# Cluster-wide role: the three wildcards grant every verb on every resource in every API group.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: prod-all
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
# Binds the role above to a single user across all namespaces.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: access-prod-all
subjects:
- kind: User
  name: [email protected]   # address obfuscated on the page
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: prod-all
  apiGroup: rbac.authorization.k8s.io

But the users already have an "editor" role (complete access to all the clusters). So I don't know whether we should assign a simple "viewer" role and then extend it using Kubernetes RBAC.

I also want to know if there is a way to completely hide the production cluster from some users (our clusters are in the same project).


Solution

  • If you are in an initial phase, or you can manage to move your testing cluster, I would advise you to set up the clusters in two different projects.

    This will create two completely separate environments: you will not have any kind of issues in the future, you automatically forbid access to half of your resources, and you don't have to fear that something is misconfigured and your production is still reachable. When you need to grant something, you simply add that person to the project with the corresponding role.

    Because maybe you succeed in blocking the cluster access using IAM and RBAC, but then you would need to deal with securing access to the networking components, LoadBalancers, firewalls, Compute Engine, etc.

    Maybe at the beginning it is a lot of work, but in the long run it will save you a lot of issues.

    This is the link for the official Google Cloud documentation about how to set up two clusters, one of which is in production.