Does the user have any other IAM roles/permissions to the project the GKE 
cluster is in?

On Thursday, July 13, 2017 at 4:45:58 AM UTC-4, Vinoth Narasimhan wrote:
>
> I am running a 1.6.4 cluster in GKE, where I am trying to restrict the user
> to only certain actions on the cluster using RBAC.
>
> But this is not working as expected. If someone can shed some light on this,
> it will be really helpful.
>
>
> I created the rule below in the cluster:
>
> #kubectl create clusterrolebinding admin1-cluster-view-binding --clusterrole=view --user=adm...@xyz.com
>
> If I am correct, the above RBAC rule will give cluster-wide view access
> to the objects across the cluster. He is not able to create and delete the
> objects on the cluster.
>
>
> adm...@xyz.com is logged in via the gcloud command and has
> successfully authenticated to the cluster using the email ID "adm...@xyz.com".
>
> #gcloud container clusters get-credentials abc-cluster --zone xxx --project yyy
>
> After obtaining the kubeconfig for abc-cluster, my expectation is that he can
> do only the view part of the cluster. But that is not the case. He
> ("adm...@xyz.com") can do all the stuff irrespective of the RBAC policy.
>
> Please let me know if I am doing something wrong or if I am missing
> something.
>
> Any help on this would be really helpful.
>

-- 
You received this message because you are subscribed to the Google Groups 
"Kubernetes user discussion and Q&A" group.
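The reply's question matters because GKE allows a request when either Cloud IAM or Kubernetes RBAC permits it, so a project role such as Editor grants write access however narrow the RBAC binding is. The following is an added example, not part of the original thread: it scans an IAM policy dump for such roles, and the sample policy, the member addresses, the function name `audit_user` and the role list are assumptions of the example.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy <project> --format=json`.
# All member addresses are placeholders, not values from the thread.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/editor",
   "members": ["user:Admin1@example.com", "serviceAccount:ci@example.iam.gserviceaccount.com"]},
  {"role": "roles/container.viewer",
   "members": ["user:viewer1@example.com", "user:admin1@example.com"]},
  {"role": "roles/container.developer", "members": ["group:devs@example.com"]}
]}
""")

# Predefined roles that include write permissions on Kubernetes objects (assumption:
# custom roles are out of scope and need their permission lists inspected separately).
K8S_WRITE_ROLES = {"roles/owner", "roles/editor",
                   "roles/container.admin", "roles/container.developer"}
# Member kinds whose membership cannot be decided from the policy alone.
INDIRECT_KINDS = ("group", "domain", "allAuthenticatedUsers")


def audit_user(policy, email):
    """Split a user's project-level IAM exposure into direct and unresolved grants."""
    me = "user:" + email.lower()
    direct, unresolved = set(), set()
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member.lower() == me:
                direct.add(role)
            elif member.split(":")[0] in INDIRECT_KINDS and role in K8S_WRITE_ROLES:
                unresolved.add((member, role))
    return {
        "direct_roles": sorted(direct),
        # Write access granted by IAM, independent of any RBAC binding.
        "write_roles_outside_rbac": sorted(direct & K8S_WRITE_ROLES),
        # Groups or domains holding write roles: confirm the user is not a member.
        "check_membership": sorted(unresolved),
    }


if __name__ == "__main__":
    print(json.dumps(audit_user(SAMPLE_POLICY, "admin1@example.com"), indent=2))
```

A non-empty `write_roles_outside_rbac` means the `view` ClusterRoleBinding cannot restrict that user until the IAM role is removed or narrowed.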