I am using GKE Kubernetes in GCP. I am new to GCP, GKE, and kubectl. I am trying to create new Kubernetes users in order to assign them ClusterRoleBindings, and then log in (kubectl) as those users.
I do not see the relationship between GCP users and Kubernetes “users” (I do understand there’s no User object type in Kubernetes).
According to https://cloud.google.com/kubernetes-engine/docs/concepts/security-overview, Kubernetes user accounts are Google Accounts.
Accordingly, I created some Google accounts and then associated them with my GCP account via IAM. I can see these accounts fine in IAM.
Then I performed gcloud auth login on those new users, and I could see them in gcloud auth list. I then tried accessing gcloud resources (gcloud compute disks list) as my various users. This worked as expected - the GCP user permissions were respected.
I then created a Kubernetes UserRole. Next step was to bind those users to those Roles, with a UserRoleBinding. Those worked fine.
My first problem is that I could create a UserRoleBinding between an existing UserRole and a non-existent user. I would have thought that would fail. It means I’m missing something important.
My second problem is I do not know how to log in to kubectl as one of the new users.
Overall I’m missing the connection between GCP/IAM users and GKE users. Help would be much appreciated!