How do I relate GCP users to GKE Kubernetes users, for authentication and subsequent authorization?

#1


I am using GKE Kubernetes in GCP. I am new to GCP, GKE, and kubectl. I am trying to create new Kubernetes users in order to assign them ClusterRoleBindings, and then login (kubectl) as those users.

I do not see the relationship between GCP users and Kubernetes “users” (I do understand there’s no User object type in Kubernetes).

According to https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview, Kubernetes user accounts are Google Accounts.

Accordingly, I created some Google accounts and then associated them with my GCP account via IAM. I can see these accounts fine in IAM.

Then I performed gcloud auth login on those new users, and I could see them in gcloud auth list. I then tried accessing gcloud resources (gcloud compute disks list) as my various users. This worked as expected - the GCP user permissions were respected.

I then created a Kubernetes UserRole. Next step was to bind those users to those Roles, with a UserRoleBinding. Those worked fine.

My first problem is that I could create a UserRoleBinding between an existing UserRole and a non-existent user. I would have thought that would fail. It means I’m missing something important.

My second problem is I do not know how to login to kubectl as one of the new users.

Overall I’m missing the connection between GCP/IAM users and GKE users. Help would be much appreciated!


#2

I figured out my cognitive gap :wink: and have it working now, using certificates. The link in my original post was misleading - you do not have to create Google Account/GCP users to create Kubernetes users. Users and groups in Kubernetes are very lightweight “objects” and are derived directly from the authentication system in use.

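The two puzzles in this thread (why a binding to a user that "does not exist" is accepted, and where Kubernetes user names come from when certificates are used) follow from the same fact: the API server never stores users, it only derives a name and groups from each authenticated request and then matches them, as plain strings, against binding subjects. The following is an added, self-contained model of that behaviour, not code from the original posts or from Kubernetes/GKE. It mirrors the client-certificate authenticator's mapping (subject CN becomes the user name, each O attribute becomes a group, and `system:authenticated` is always added) and an additive RBAC check. All names (`alice`, `developers`, the `dev` namespace, the role names) are hypothetical; the DN parser is deliberately simplified and does not handle escaped commas.

```python
"""Added example (not from the original thread): how a client certificate
becomes a Kubernetes identity, and how RBAC bindings are matched against it.
All identities, roles and namespaces below are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

SYSTEM_AUTHENTICATED = "system:authenticated"


def identity_from_cert_subject(dn: str) -> tuple[str, list[str]]:
    """Map an X.509 subject DN to (user, groups) the way the Kubernetes
    client-certificate authenticator does: CN -> user name, each O -> a group.
    Simplified parser: comma-separated attributes, no escaped commas (assumption)."""
    user = None
    groups: list[str] = []
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.upper() == "CN":
            user = value
        elif key.upper() == "O":
            groups.append(value)
    if not user:
        raise ValueError("subject has no CN: the authenticator would reject this certificate")
    # every authenticated request also carries the implicit system:authenticated group
    return user, groups + [SYSTEM_AUTHENTICATED]


@dataclass
class Rule:
    api_groups: list[str]
    resources: list[str]
    verbs: list[str]


@dataclass
class Binding:
    namespace: str | None            # None models a ClusterRoleBinding (all namespaces)
    role_kind: str                   # "Role" or "ClusterRole"
    role_name: str
    subjects: list[tuple[str, str]]  # (kind, name) where kind is "User" or "Group"


# Hypothetical cluster state. Roles are keyed by (namespace, name); ClusterRoles by name.
ROLES = {("dev", "pod-reader"): [Rule([""], ["pods"], ["get", "list", "watch"])]}
CLUSTER_ROLES = {"secret-reader": [Rule([""], ["secrets"], ["get", "list"])]}
BINDINGS = [
    Binding("dev", "Role", "pod-reader", [("Group", "developers")]),
    # Accepted by the API server even though nobody named "ghost" has ever authenticated:
    # subjects are just strings, so this is a dormant grant waiting for that name to appear.
    Binding("dev", "ClusterRole", "secret-reader", [("User", "ghost")]),
    # A binding may also point at a role that does not exist; it simply grants nothing.
    Binding("dev", "Role", "does-not-exist", [("User", "alice")]),
]


def _matches(value: str, allowed: list[str]) -> bool:
    return "*" in allowed or value in allowed


def _subject_matches(subject: tuple[str, str], user: str, groups: list[str]) -> bool:
    kind, name = subject
    return (kind == "User" and name == user) or (kind == "Group" and name in groups)


def _rules_for(binding: Binding) -> list[Rule]:
    if binding.role_kind == "ClusterRole":
        return CLUSTER_ROLES.get(binding.role_name, [])
    return ROLES.get((binding.namespace, binding.role_name), [])


def is_allowed(user: str, groups: list[str], verb: str, resource: str,
               namespace: str, api_group: str = "") -> bool:
    """RBAC is purely additive: allow iff some binding whose subjects match the
    caller references a role containing a rule that covers verb/resource."""
    for b in BINDINGS:
        if b.namespace is not None and b.namespace != namespace:
            continue
        if not any(_subject_matches(s, user, groups) for s in b.subjects):
            continue
        for rule in _rules_for(b):
            if (_matches(api_group, rule.api_groups) and _matches(resource, rule.resources)
                    and _matches(verb, rule.verbs)):
                return True
    return False


def dormant_subjects(known_users: list[str], known_groups: list[str]) -> list[tuple[str, str]]:
    """Audit helper: binding subjects that no currently known identity can match.
    Each one is a grant that activates the moment someone presents that name."""
    known = {("User", u) for u in known_users} | {("Group", g) for g in known_groups}
    return sorted({s for b in BINDINGS for s in b.subjects if s not in known})


if __name__ == "__main__":
    user, groups = identity_from_cert_subject("CN=alice,O=developers")
    print(user, groups)
    print("alice get pods/dev:", is_allowed(user, groups, "get", "pods", "dev"))
    print("dormant grants:", dormant_subjects([user], groups))
```

The `dormant_subjects` check is the practical takeaway for the first problem in the original post: because the API server accepts any subject name, a misspelled or stale subject in a RoleBinding is not an error but a standing permission for whoever can later authenticate under that name, so bindings should be reconciled periodically against the identities the authentication system (certificates, IAM, OIDC) can actually produce.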