Kubernetes RBAC users are not managed with Google Groups for GKE
Description
Cluster administrators should use G Suite Groups together with Cloud IAM to assign Kubernetes user roles to a collection of users, instead of binding roles to individual email addresses through Cloud IAM alone.
On- and off-boarding users is often difficult to automate and prone to error. Using G Suite Groups as the single source of truth for user permissions reduces the number of places an individual must be off-boarded from, and prevents users from accumulating unique permission sets that increase the cost of an audit.
Fix - Buildtime
Terraform
- Resource: google_container_cluster
- Argument: authenticator_groups_config.security_group
resource "google_container_cluster" "example" {
  name     = var.name
  location = var.location
  project  = data.google_project.project.name
+ authenticator_groups_config {
+   # GKE requires the group to be named gke-security-groups@<your Google Workspace domain>;
+   # the domain below is a placeholder, not a value taken from this page
+   security_group = "gke-security-groups@<your-domain>"
+ }
}
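The check this policy describes can be reproduced outside Checkov in a few lines. The following script is an added example and is not Checkov's implementation: it scans Terraform text for google_container_cluster resources, flags any without an authenticator_groups_config.security_group, and additionally checks the GKE naming requirement that the group begin with gke-security-groups@. The brace-matching parser is a deliberate simplification (it does not handle braces inside strings or heredocs), and the sample Terraform is constructed for the demonstration.

```python
import re

# Constructed sample Terraform (not from the page): one cluster without
# Google Groups for RBAC, one with it configured.
SAMPLE_TF = '''
resource "google_container_cluster" "unmanaged" {
  name     = "unmanaged"
  location = "us-central1"
}

resource "google_container_cluster" "managed" {
  name     = "managed"
  location = "us-central1"
  authenticator_groups_config {
    security_group = "gke-security-groups@example.com"
  }
}
'''

RESOURCE_RE = re.compile(
    r'resource\s+"google_container_cluster"\s+"([^"]+)"\s*\{', re.MULTILINE)
# GKE only accepts a group whose local part is exactly gke-security-groups
REQUIRED_PREFIX = "gke-security-groups@"


def extract_block(text, start):
    """Return the body of the brace block whose opening '{' sits at text[start].

    Simplified: does not account for braces inside string literals or heredocs.
    """
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in Terraform text")


def check_clusters(hcl_text):
    """Map each google_container_cluster name to (passed, reason)."""
    results = {}
    for m in RESOURCE_RE.finditer(hcl_text):
        name = m.group(1)
        body = extract_block(hcl_text, m.end() - 1)

        agc = re.search(r"authenticator_groups_config\s*\{", body)
        if not agc:
            results[name] = (False, "authenticator_groups_config block missing")
            continue

        agc_body = extract_block(body, agc.end() - 1)
        sg = re.search(r'security_group\s*=\s*"([^"]*)"', agc_body)
        if not sg or not sg.group(1):
            results[name] = (False, "security_group is not set")
            continue

        group = sg.group(1)
        if not group.startswith(REQUIRED_PREFIX):
            results[name] = (
                False,
                f"security_group {group!r} must be named {REQUIRED_PREFIX}<domain>",
            )
            continue

        results[name] = (True, f"RBAC groups bound to {group}")
    return results


if __name__ == "__main__":
    for cluster, (passed, reason) in check_clusters(SAMPLE_TF).items():
        print(f"{'PASS' if passed else 'FAIL'} google_container_cluster.{cluster}: {reason}")
```

Point the script at a real module by reading the .tf file into `check_clusters`; a FAIL for a missing block is the finding this policy raises, while the prefix check catches the common mistake of binding an arbitrary group that GKE will silently refuse to resolve.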