In order to manage the resources inside a Kubernetes cluster, you will need to have the right permissions. This course will demonstrate how to use Kubernetes role-based access control (RBAC) to create roles and bind them to both user and service accounts.
If you have any comments or feedback, feel free to reach out to us at: firstname.lastname@example.org.
Learning objectives:
- Create Kubernetes service and user accounts
- Grant permissions to accounts to modify Kubernetes resources
- Access GCP resources from your GKE cluster

Intended audience:
- Engineers who want to deploy applications on a Kubernetes cluster
- People who want to get GCP certified (eg: Professional Cloud Developer)

Prerequisites:
- Basic understanding of Kubernetes
- Experience building and deploying containers
- Complete the “GKE Services and Network Policies Course” course
As I previously mentioned, user accounts provide an identity for users to connect to the Kubernetes cluster. They allow people to do things like list out all the pods in a namespace or to perform a new deployment. Now user accounts are handled very differently from service accounts. User accounts are neither stored inside of the Kubernetes cluster, nor are they managed by the Kubernetes API. You can only refer to user accounts in Kubernetes. You can't change them. Also, there is no default user account. Users are assumed to be managed by an outside independent service like LDAP or Active Directory.
In a standard installation of Kubernetes, authentication is handled via Transport Layer Security (TLS) certificates. This is why you cannot add or delete users inside of Kubernetes. Also, this means that user accounts are global. They are not specific to a namespace, so you cannot have two user accounts with the same name in a cluster. In GKE, Kubernetes user accounts are managed by Google, and there are two types of these as well: the Google Account and the Google Cloud Service Account. This is a very important distinction to make.
Google Cloud Service Accounts are different from Kubernetes service accounts. A Google Cloud Service Account is actually a type of Kubernetes user account. Kubernetes service accounts are internal to the cluster in which they are defined. They are created and maintained in Kubernetes. Google Cloud Service Accounts are created and maintained inside of Google Cloud Platform. They can be used to grant permissions inside of clusters or to the GKE clusters themselves. They also can grant permissions to any GCP resource using identity and access management. So when a user needs to be able to view or modify a Kubernetes cluster, you need to assign them a Kubernetes user account. For GKE, this will either be a Google Account or a Google Cloud Service Account.
Now, just like creating a service account, creating a user account is pretty simple. However, we can't create accounts using Kubernetes; we have to create our user accounts in GCP instead. So you may already know how to create a Kubernetes user account: you either create a new IAM account or you create a Google Service Account. So let's search for IAM. And from here, we can create a new account. You just need to enter a valid email address and then select an appropriate role.
Now there are predefined roles provided for Kubernetes. You could pick an admin role and that will let you make all kinds of changes, or you could pick a role that would just let you view the current status of the cluster. Now I'm not gonna save this account since I didn't provide a valid email. I just wanted to show you how you'd go about creating the account. Now, if the predefined roles aren't sufficient, you can always define a new role. You can pick the exact permissions you want assigned to that new role. So you can enable listing, creating, updating, whatever you want. Again, I'm not gonna save this. I just wanted to show you how you could do it.
Now, the last thing I will show you is how to create a service account. This one, I actually will go ahead and save because we'll use it for an upcoming demo. So I'm going to create a service account called Kubernetes Demo Service Account. So as you can see, creating a user account for Kubernetes is really simple as well.
In the next lesson, I'll show you how to assign permissions to accounts.
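To make the distinction in this lesson concrete, here is an added example (not part of the course material, and not the real Kubernetes authorizer) that models how a namespaced Role and RoleBinding are evaluated against two kinds of subjects: a Google Cloud Service Account, which Kubernetes sees as a cluster-global `User` identified by its email, and a Kubernetes service account, which is a namespaced `ServiceAccount`. The role, binding, namespaces and the service-account email `kubernetes-demo-sa@PROJECT_ID.iam.gserviceaccount.com` are constructed for illustration; `PROJECT_ID` is a placeholder for your own project.

```python
"""
Toy model of Kubernetes RBAC for namespaced Role/RoleBinding objects.
Illustration only: it mirrors the matching rules an admin needs to reason
about (subject kind, name, namespace, apiGroup/resource/verb), not kubectl.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Subject:
    kind: str                        # "User" or "ServiceAccount"
    name: str                        # email for a Google identity, SA name otherwise
    namespace: Optional[str] = None  # required for ServiceAccount, ignored for User


@dataclass
class Role:
    namespace: str
    name: str
    rules: List[Dict[str, List[str]]]  # {"apiGroups": [...], "resources": [...], "verbs": [...]}


@dataclass
class RoleBinding:
    namespace: str
    role_name: str
    subjects: List[Subject]


def validate_binding(binding: RoleBinding) -> None:
    """Reject the common mistake of a ServiceAccount subject with no namespace."""
    for s in binding.subjects:
        if s.kind == "ServiceAccount" and not s.namespace:
            raise ValueError(f"ServiceAccount subject {s.name!r} needs a namespace")
        if s.kind not in ("User", "ServiceAccount"):
            raise ValueError(f"unsupported subject kind {s.kind!r}")


def subject_matches(bound: Subject, caller: Subject) -> bool:
    if bound.kind != caller.kind or bound.name != caller.name:
        return False
    if caller.kind == "ServiceAccount":
        # Kubernetes service accounts are namespaced: the same name in another
        # namespace is a different identity.
        return bound.namespace == caller.namespace
    # User accounts (Google Accounts, Google Cloud Service Accounts) are
    # cluster-global, so only the name is compared.
    return True


def rule_allows(rule: Dict[str, List[str]], api_group: str, resource: str, verb: str) -> bool:
    def hit(values: List[str], wanted: str) -> bool:
        return wanted in values or "*" in values
    return (hit(rule["apiGroups"], api_group)
            and hit(rule["resources"], resource)
            and hit(rule["verbs"], verb))


def can_i(caller: Subject, verb: str, resource: str, namespace: str,
          roles: List[Role], bindings: List[RoleBinding], api_group: str = "") -> bool:
    """Return True if any RoleBinding in `namespace` grants `verb` on `resource`."""
    roles_by_key = {(r.namespace, r.name): r for r in roles}
    for b in bindings:
        if b.namespace != namespace:          # a Role never reaches across namespaces
            continue
        if not any(subject_matches(s, caller) for s in b.subjects):
            continue
        role = roles_by_key.get((b.namespace, b.role_name))
        if role is None:                      # binding to a missing Role grants nothing
            continue
        if any(rule_allows(rule, api_group, resource, verb) for rule in role.rules):
            return True
    return False


# Constructed sample objects (not from the course): a read-only pod Role in the
# "demo" namespace, bound to one Google Cloud Service Account (as a User) and
# one Kubernetes service account.
GSA_EMAIL = "kubernetes-demo-sa@PROJECT_ID.iam.gserviceaccount.com"  # placeholder project
POD_READER = Role("demo", "pod-reader",
                  [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}])
READ_PODS = RoleBinding("demo", "pod-reader", [
    Subject("User", GSA_EMAIL),
    Subject("ServiceAccount", "app", "demo"),
])
validate_binding(READ_PODS)

ROLES = [POD_READER]
BINDINGS = [READ_PODS]


def demo() -> Dict[str, bool]:
    gsa = Subject("User", GSA_EMAIL)
    app_sa = Subject("ServiceAccount", "app", "demo")
    other_app_sa = Subject("ServiceAccount", "app", "prod")
    return {
        "gsa_list_pods_demo": can_i(gsa, "list", "pods", "demo", ROLES, BINDINGS),
        "gsa_create_pods_demo": can_i(gsa, "create", "pods", "demo", ROLES, BINDINGS),
        "gsa_list_pods_prod": can_i(gsa, "list", "pods", "prod", ROLES, BINDINGS),
        "app_sa_list_pods_demo": can_i(app_sa, "list", "pods", "demo", ROLES, BINDINGS),
        "prod_app_sa_list_pods_demo": can_i(other_app_sa, "list", "pods", "demo", ROLES, BINDINGS),
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check}: {'yes' if allowed else 'no'}")
```

The `demo()` results show the two points from the lesson: the Google Cloud Service Account is referenced purely by its email, with no namespace, yet the permission it receives is still confined to the namespace of the RoleBinding; the Kubernetes service account named `app` in `prod` gets nothing from a binding that names `app` in `demo`, because service accounts are namespaced identities.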
Daniel began his career as a Software Engineer, focusing mostly on web and mobile development. After twenty years of dealing with insufficient training and fragmented documentation, he decided to use his extensive experience to help the next generation of engineers.
Daniel has spent his most recent years designing and running technical classes for both Amazon and Microsoft. Today at Cloud Academy, he is working on building out an extensive Google Cloud training library.
When he isn’t working or tinkering in his home lab, Daniel enjoys BBQing, target shooting, and watching classic movies.