@hugocosme
Forked from robscott/gke-iam-roles.md
Created June 25, 2019 17:12
  1. @robscott robscott created this gist Oct 2, 2018.
# GKE IAM Roles

On GKE, there's an interesting overlap between what the project-level roles (Owner, Editor, Viewer) and the GKE-specific IAM roles grant you on Kubernetes clusters. In general, the roles paired in the tables below line up with each other, but there are some strange exceptions. Each table below is the diff between two related IAM roles: a permission is listed under a role when that role has it and the paired role does not (only the `container.*` permissions are included in these results).

| Project Owner | GKE Admin |
|---------------|--------------------------------|
| | container.hostServiceAgent.use |

| Project Editor | GKE Developer |
|--------------------------------------|--------------------------------------------|
| container.clusters.create | container.localSubjectAccessReviews.create |
| container.clusters.delete | container.subjectAccessReviews.create |
| container.clusters.getCredentials | |
| container.clusters.update | |
| container.controllerRevisions.create | |
| container.controllerRevisions.delete | |
| container.controllerRevisions.update | |

| Project Viewer | GKE Viewer |
|-------------------------------------------|------------|
| container.localSubjectAccessReviews.list | |
| container.pods.getLogs | |
| container.selfSubjectAccessReviews.create | |
| container.selfSubjectAccessReviews.list | |
| container.statefulSets.getScale | |
| container.subjectAccessReviews.list | |

For a bit more context, here is the full scope of the GKE Cluster Admin IAM role:

| GKE Cluster Admin |
|-------------------------------|
| container.clusters.create |
| container.clusters.delete |
| container.clusters.get |
| container.clusters.list |
| container.clusters.update |
| container.operations.get |
| container.operations.list |
| resourcemanager.projects.get |
| resourcemanager.projects.list |

If you're interested in trying this out yourself, a command like this will get you started:
```
gcloud iam roles describe roles/container.admin
```
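As an added example (not part of the gist), here is how tables like the ones above can be regenerated from `gcloud iam roles describe ROLE --format=json` output: parse each role's `includedPermissions`, keep only the `container.*` entries, and print the one-sided differences as a two-column table. The embedded role JSON is a constructed, trimmed sample that mirrors the Editor/Developer table, not the real role definitions.

```python
import json

# Constructed samples in the shape of `gcloud iam roles describe ROLE --format=json`,
# trimmed to a handful of permissions that mirror the Editor/Developer table above.
# They are NOT the real, full role definitions.
EDITOR_JSON = json.dumps({
    "name": "roles/editor",
    "includedPermissions": [
        "container.clusters.create",
        "container.clusters.delete",
        "container.clusters.getCredentials",
        "container.pods.get",
        "resourcemanager.projects.get",
    ],
})
GKE_DEVELOPER_JSON = json.dumps({
    "name": "roles/container.developer",
    "includedPermissions": [
        "container.localSubjectAccessReviews.create",
        "container.pods.get",
        "container.subjectAccessReviews.create",
        "resourcemanager.projects.get",
    ],
})

def permissions(describe_json, prefix="container."):
    """Permissions of one role (parsed from the describe output) that start with prefix."""
    role = json.loads(describe_json)
    return {p for p in role.get("includedPermissions", []) if p.startswith(prefix)}

def diff_roles(left_json, right_json, prefix="container."):
    """Return (only-in-left, only-in-right) as sorted lists; shared permissions are dropped."""
    left, right = permissions(left_json, prefix), permissions(right_json, prefix)
    return sorted(left - right), sorted(right - left)

def markdown_table(left_title, right_title, left_only, right_only):
    """Render the one-sided differences in the two-column table format used in the gist."""
    rows = max(len(left_only), len(right_only))
    pad = lambda xs: list(xs) + [""] * (rows - len(xs))  # equalise column lengths
    lines = [f"| {left_title} | {right_title} |", "|---|---|"]
    lines += [f"| {a} | {b} |" for a, b in zip(pad(left_only), pad(right_only))]
    return "\n".join(lines)

if __name__ == "__main__":
    only_editor, only_dev = diff_roles(EDITOR_JSON, GKE_DEVELOPER_JSON)
    print(markdown_table("Project Editor", "GKE Developer", only_editor, only_dev))
```

To run it against live data, save `gcloud iam roles describe roles/editor --format=json` and `gcloud iam roles describe roles/container.developer --format=json` to files and pass their contents to `diff_roles`.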