GKE IAM Roles Compared

GKE IAM Roles

On GKE there is an interesting overlap between what the project-level IAM roles and the GKE-specific IAM roles grant you for Kubernetes clusters. In general the paired roles in the tables below line up with each other, but there are some strange exceptions. Each table shows the result of diffing two related IAM roles: a column lists the permissions that role grants and its counterpart does not (only the container.* permissions are included in these results).

| Project Owner | GKE Admin |
| --- | --- |
| container.hostServiceAgent.use | |

| Project Editor | GKE Developer |
| --- | --- |
| container.clusters.create | container.localSubjectAccessReviews.create |
| container.clusters.delete | container.subjectAccessReviews.create |
| container.clusters.getCredentials | |
| container.clusters.update | |
| container.controllerRevisions.create | |
| container.controllerRevisions.delete | |
| container.controllerRevisions.update | |

| Project Viewer | GKE Viewer |
| --- | --- |
| container.localSubjectAccessReviews.list | |
| container.pods.getLogs | |
| container.selfSubjectAccessReviews.create | |
| container.selfSubjectAccessReviews.list | |
| container.statefulSets.getScale | |
| container.subjectAccessReviews.list | |

For a bit more context, here is the full scope of the GKE Cluster Admin IAM role:

| GKE Cluster Admin |
| --- |
| container.clusters.create |
| container.clusters.delete |
| container.clusters.get |
| container.clusters.list |
| container.clusters.update |
| container.operations.get |
| container.operations.list |
| resourcemanager.projects.get |
| resourcemanager.projects.list |

If you're interested in trying this out yourself, a command like this will get you started:

```
gcloud iam roles describe roles/container.admin
```
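To reproduce the diff tables above for any pair of roles, here is an added example (not part of the original gist) that filters two role definitions down to their container.* permissions and prints the two-column diff. It assumes the JSON shape returned by `gcloud iam roles describe ROLE --format=json` (permissions under `includedPermissions`); the two role dicts at the bottom are constructed samples that mirror the Editor/Developer table, not real role dumps.

```python
"""Diff the container.* permissions of two IAM roles, reproducing the gist's tables."""
import json
import subprocess


def fetch_role(role: str) -> dict:
    """Fetch a role definition via gcloud (needs an authenticated gcloud CLI)."""
    out = subprocess.check_output(
        ["gcloud", "iam", "roles", "describe", role, "--format=json"], text=True
    )
    return json.loads(out)


def container_perms(role: dict) -> set[str]:
    """Keep only the container.* permissions, as the tables above do."""
    return {p for p in role.get("includedPermissions", []) if p.startswith("container.")}


def diff_roles(left: dict, right: dict) -> tuple[list[str], list[str]]:
    """Return (perms only in left, perms only in right), each sorted."""
    lp, rp = container_perms(left), container_perms(right)
    return sorted(lp - rp), sorted(rp - lp)


def render(left_title: str, right_title: str, only_left: list[str], only_right: list[str]) -> str:
    """Format a diff as a two-column markdown table like the ones in this gist."""
    rows = [f"| {left_title} | {right_title} |", "| --- | --- |"]
    for i in range(max(len(only_left), len(only_right))):
        lp = only_left[i] if i < len(only_left) else ""
        rp = only_right[i] if i < len(only_right) else ""
        rows.append(f"| {lp} | {rp} |")
    return "\n".join(rows)


# Constructed samples (not real role dumps): a few permissions chosen to mirror the
# Project Editor / GKE Developer table; real input is the JSON from fetch_role().
SAMPLE_EDITOR = {"name": "roles/editor", "includedPermissions": [
    "compute.instances.list",  # not a container.* permission, so it is ignored
    "container.clusters.create", "container.clusters.delete",
    "container.clusters.get", "container.pods.list",
]}
SAMPLE_DEVELOPER = {"name": "roles/container.developer", "includedPermissions": [
    "container.clusters.get", "container.pods.list",
    "container.localSubjectAccessReviews.create",
]}

if __name__ == "__main__":
    only_editor, only_dev = diff_roles(SAMPLE_EDITOR, SAMPLE_DEVELOPER)
    print(render("Project Editor", "GKE Developer", only_editor, only_dev))
```

Swap the sample dicts for `fetch_role("roles/editor")` and `fetch_role("roles/container.developer")` to diff the live role definitions in your project.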