On GKE, there's an interesting overlap between what the predefined IAM roles grant you for Kubernetes clusters. In general, the project-level roles and the GKE-specific roles in the tables below line up with each other, but there are some strange exceptions. Each table below is the result of a diff between two related IAM roles: a permission listed under a role is one that role holds and the other role does not, and only the container.* permissions are included in these results.
| Project Owner | GKE Admin |
|---|---|
| | container.hostServiceAgent.use |

| Project Editor | GKE Developer |
|---|---|
| container.clusters.create | container.localSubjectAccessReviews.create |
| container.clusters.delete | container.subjectAccessReviews.create |
| container.clusters.getCredentials | |
| container.clusters.update | |
| container.controllerRevisions.create | |
| container.controllerRevisions.delete | |
| container.controllerRevisions.update | |

| Project Viewer | GKE Viewer |
|---|---|
| container.localSubjectAccessReviews.list | |
| container.pods.getLogs | |
| container.selfSubjectAccessReviews.create | |
| container.selfSubjectAccessReviews.list | |
| container.statefulSets.getScale | |
| container.subjectAccessReviews.list | |
For a bit more context, here is the full scope of the GKE Cluster Admin IAM role:
| GKE Cluster Admin |
|---|
| container.clusters.create |
| container.clusters.delete |
| container.clusters.get |
| container.clusters.list |
| container.clusters.update |
| container.operations.get |
| container.operations.list |
| resourcemanager.projects.get |
| resourcemanager.projects.list |
If you're interested in trying this out yourself, a command like this will get you started; it prints the role's full list of included permissions, which you can then diff against another role's:

    gcloud iam roles describe roles/container.admin
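To reproduce the kind of diff shown in the tables above, here is an added shell example (my own, not code from the original post). It assumes you have saved the output of `gcloud iam roles describe` for two roles to files (for example `roles/editor` and `roles/container.developer`), extracts only the container.* permissions from each, and prints what is unique to each side. The two embedded role dumps are constructed samples trimmed to a handful of permissions so the script runs offline; they are not the real role definitions.

```shell
#!/bin/sh
# Added example: diff the container.* permissions of two IAM roles.
# Real inputs would be produced with, e.g.:
#   gcloud iam roles describe roles/editor > editor.yaml
#   gcloud iam roles describe roles/container.developer > developer.yaml
# Force byte-order collation so sort and comm agree regardless of locale.
LC_ALL=C
export LC_ALL

# Constructed sample of a describe dump (NOT the real roles/editor definition).
SAMPLE_EDITOR='name: roles/editor
includedPermissions:
- compute.instances.get
- container.clusters.create
- container.clusters.delete
- container.clusters.get
- container.pods.get
title: Editor'

# Constructed sample (NOT the real roles/container.developer definition).
SAMPLE_DEVELOPER='name: roles/container.developer
includedPermissions:
- container.clusters.get
- container.localSubjectAccessReviews.create
- container.pods.get
title: Kubernetes Engine Developer'

# container_perms FILE
# Print the sorted, de-duplicated container.* permissions found in a
# `gcloud iam roles describe` YAML dump (each permission is a "- name" list item).
container_perms() {
    grep -E '^- container\.' "$1" | sed 's/^- //' | sort -u
}

# role_diff FILE_A FILE_B
# Lines prefixed "< " are container.* permissions only in role A,
# lines prefixed "> " are only in role B (the same shape as the tables above).
role_diff() {
    a=$(mktemp); b=$(mktemp)
    container_perms "$1" > "$a"
    container_perms "$2" > "$b"
    comm -23 "$a" "$b" | sed 's/^/< /'
    comm -13 "$a" "$b" | sed 's/^/> /'
    rm -f "$a" "$b"
}

# demo_diff
# Write the constructed samples to temp files and diff them.
demo_diff() {
    ea=$(mktemp); da=$(mktemp)
    printf '%s\n' "$SAMPLE_EDITOR" > "$ea"
    printf '%s\n' "$SAMPLE_DEVELOPER" > "$da"
    role_diff "$ea" "$da"
    rm -f "$ea" "$da"
}

demo_diff
```

With real dumps you would call `role_diff editor.yaml developer.yaml` instead of `demo_diff`; anything on a `<` line is a permission the first role grants that the second does not, which is exactly the kind of gap worth checking before assuming a project-level role and its GKE-specific counterpart are interchangeable.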