Role-Based Access Control (RBAC)
Using role-based access control allows a project admin to provide more fine-grained access based on predefined
Roles. With the GKS dashboard, the admin can easily create (cluster-wide)
ClusterRoleBindings and (namespace-scoped)
A user with this level of access can download a specific
kubeconfig, which can be directly downloaded with a direct link (see below). Such a user does not need access to the GKS dashboard at all.
More information on Kubernetes RBAC is available here.
Granting User Access with RBAC
To grant a user access with RBAC, expand the RBAC-widget, and click
To grant users cluster-wide permissions, leave the switch on
Cluster, add the email of the user, and select the role for the user:
Note that the user must exist in GKS, or otherwise he or she will not be able to log in to download
kubeconfig later on. The selectable roles are predefined
ClusterRoles which can be viewed by running
kubectl get clusterrole $NAME_OF_CLUSTERROLE -o yaml
When access shall be granted on a namespace-level, switch to
Namespace and add the user email there.
First, you have to select the role which should be assigned to the user:
Finally, you need to select the namespace where this should be valid:
In case you want to see and understand the level of access granted here, you can view the mentioned roles with
kubectl as well. Unlike
Roles are scoped to a namespace, so you have to specify the namespace as well:
kubectl get role $NAME_OF_ROLE -n $NAMESPACE -o yaml
After you completed these steps, the rights should be visible in the RBAC widget of the Dashboard:
Providing Users with Their Kubeconfig
Once you assigned the user a cluster- or namespace-wide role, you can provide the user a link to download
To do so, click the
Share button on the top of the dashboard:
Next, copy the link and send it to the user:
After the user has logged in, the download of
kubeconfig will start directly:
Once a user has downloaded
kubeconfig, any further changes made on the RBAC will have immediate effect. Especially there is no need to revoke cluster tokens to remove access for a user. Just remove the RoleBindings and access is no longer possible.