Securing a GKE cluster requires a defence-in-depth approach — controlling who can access the cluster (authentication and authorisation), what pods can communicate with each other (network policies), and how workloads access Google Cloud services (Workload Identity). This lesson covers the key security controls available in GKE.
GKE uses Google Cloud IAM for cluster authentication. Users and service accounts authenticate using their Google Cloud credentials.
| Role | Permissions |
|---|---|
| roles/container.admin | Full access to clusters and workloads |
| roles/container.clusterAdmin | Full access to cluster management (not workloads) |
| roles/container.developer | Deploy workloads, read cluster state |
| roles/container.viewer | Read-only access to clusters and workloads |
Kubernetes RBAC controls what authenticated users and service accounts can do within the cluster. RBAC uses four key resources:
| Resource | Scope | Description |
|---|---|---|
| Role | Namespace | Defines permissions within a single namespace |
| ClusterRole | Cluster-wide | Defines permissions across all namespaces |
| RoleBinding | Namespace | Binds a Role or ClusterRole to users/groups in a namespace |
| ClusterRoleBinding | Cluster-wide | Binds a ClusterRole to users/groups cluster-wide |
```yaml
# Role: allow read access to pods in the "production" namespace
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: production
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
# Bind the role to a Google Cloud user
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: production
subjects:
- kind: User
  name: developer@example.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```
```yaml
# ClusterRole: manage Deployments and read pods/services. Granting it per namespace
# (RoleBinding) or cluster-wide (ClusterRoleBinding) is decided by the binding, not here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: deployment-manager
rules:
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "watch"]
```
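As an added example (not part of the lesson), the binding semantics from the RBAC table can be checked offline: the script below reads RBAC objects in the JSON shape `kubectl get ... -o json` emits and answers "can this user do X in namespace Y?" the way the API server's authorizer would, including the case where a RoleBinding references a ClusterRole (its rules then apply in that one namespace only). The embedded input mirrors the lesson's pod-reader and deployment-manager manifests plus a constructed, hypothetical `deploy-staging` RoleBinding.

```python
import json
# Constructed input in the shape `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -A -o json`
# emits: the lesson's pod-reader Role + RoleBinding and deployment-manager ClusterRole, plus a
# hypothetical "deploy-staging" RoleBinding that grants that ClusterRole in one namespace only.
RBAC = json.loads("""{"kind": "List", "items": [
 {"kind": "Role", "metadata": {"name": "pod-reader", "namespace": "production"},
  "rules": [{"apiGroups": [""], "resources": ["pods", "pods/log"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "pod-reader-binding", "namespace": "production"},
  "subjects": [{"kind": "User", "name": "developer@example.com"}],
  "roleRef": {"kind": "Role", "name": "pod-reader"}},
 {"kind": "ClusterRole", "metadata": {"name": "deployment-manager"},
  "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
             "verbs": ["get", "list", "watch", "create", "update", "patch", "delete"]},
            {"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["get", "list", "watch"]}]},
 {"kind": "RoleBinding", "metadata": {"name": "deploy-staging", "namespace": "staging"},
  "subjects": [{"kind": "User", "name": "developer@example.com"}],
  "roleRef": {"kind": "ClusterRole", "name": "deployment-manager"}}
]}""")


def _rule_allows(rule, api_group, resource, verb):
    """A rule matches when group, resource and verb each match ('*' is a wildcard)."""
    def hit(values, want):
        return "*" in values or want in values
    return (hit(rule.get("apiGroups", []), api_group) and hit(rule.get("resources", []), resource)
            and hit(rule.get("verbs", []), verb))


def can_i(rbac, user, verb, resource, namespace, api_group=""):
    """True if `user` may perform `verb` on `resource` in `namespace` (allow-only, like the API server).
    A RoleBinding grants only inside its own namespace, even when its roleRef is a ClusterRole;
    a ClusterRoleBinding grants the ClusterRole's rules in every namespace."""
    items = rbac["items"]
    rules_by_ref = {(o["kind"], o["metadata"].get("namespace"), o["metadata"]["name"]): o["rules"]
                    for o in items if o["kind"] in ("Role", "ClusterRole")}
    for binding in items:
        if binding["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        if not any(s["kind"] == "User" and s["name"] == user for s in binding.get("subjects", [])):
            continue
        binding_ns = binding["metadata"].get("namespace")
        if binding["kind"] == "RoleBinding" and binding_ns != namespace:
            continue  # bound in another namespace: no effect here
        ref = binding["roleRef"]
        ref_ns = binding_ns if ref["kind"] == "Role" else None  # ClusterRoles are unnamespaced
        rules = rules_by_ref.get((ref["kind"], ref_ns, ref["name"]), [])
        if any(_rule_allows(r, api_group, resource, verb) for r in rules):
            return True
    return False
```

On a live cluster the same questions can be asked with `kubectl auth can-i <verb> <resource> -n <namespace> --as <user>`; this script lets you review exported RBAC without cluster access.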
Workload Identity is the recommended way for pods to authenticate to Google Cloud services. It maps a Kubernetes service account to a Google Cloud service account, eliminating the need for exported service account keys.
```bash
# Create a Google Cloud service account
gcloud iam service-accounts create my-app-sa \
  --display-name="My App Service Account"

# Grant it the necessary Google Cloud role
gcloud projects add-iam-policy-binding my-project \
  --member="serviceAccount:my-app-sa@my-project.iam.gserviceaccount.com" \
  --role="roles/storage.objectViewer"

# Allow the Kubernetes service account (namespace/name) to impersonate the
# Google Cloud service account. Requires Workload Identity to be enabled on
# the cluster and node pool.
gcloud iam service-accounts add-iam-policy-binding \
  my-app-sa@my-project.iam.gserviceaccount.com \
  --role="roles/iam.workloadIdentityUser" \
  --member="serviceAccount:my-project.svc.id.goog[production/my-app-ksa]"

# Annotate the Kubernetes service account (it must already exist in the namespace)
kubectl annotate serviceaccount my-app-ksa \
  --namespace production \
  iam.gke.io/gcp-service-account=my-app-sa@my-project.iam.gserviceaccount.com
```