If by "full container access" you mean something above 
roles/container.developer, then this is your problem.
You grant the access via the IAM role.

On Monday, July 17, 2017 at 7:50:50 AM UTC+2, Vinoth Narasimhan wrote:
>
> Yes, the user has full container access via IAM.
>
> On Friday, July 14, 2017 at 7:02:39 PM UTC+5:30, Matt Brown wrote:
>>
>> Does the user have any other IAM roles/permissions to the project the GKE 
>> cluster is in?
>>
>> On Thursday, July 13, 2017 at 4:45:58 AM UTC-4, Vinoth Narasimhan wrote:
>>>
>>> I am running the cluster 1.6.4 in GKE, where I am trying to restrict the 
>>> user to do only certain actions on the cluster using RBAC.
>>>
>>> But this is not working as expected. If someone can shed some light on 
>>> this, it will be really helpful.
>>>
>>>
>>> I created the below rule in the cluster:
>>>
>>> #kubectl create clusterrolebinding admin1-cluster-view-binding --clusterrole=view --user=adm...@xyz.com
>>>
>>> If I am correct, the above RBAC will give cluster-wide view access 
>>> to the objects across the cluster. He will not be able to create and 
>>> delete objects on the cluster.
>>>
>>>
>>> The adm...@xyz.com is logged in via the gcloud command and successfully 
>>> authenticated to the cluster using the email id "adm...@xyz.com":
>>>
>>> #gcloud container clusters get-credentials abc-cluster --zone xxx --project yyy
>>>
>>> After obtaining the kubeconfig for the abc-cluster, my expectation is he 
>>> can do only the view part of the cluster. But that is not the case. He 
>>> ("adm...@xyz.com") can do all the stuff irrespective of the RBAC policy.
>>>
>>> Please let me know if I am doing something wrong or if I am missing 
>>> something.
>>>
>>> Any help on this is really helpful.
>>>
>>
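
The point made in the reply at the top of this thread, as an added example that is not part of the original messages: GKE authorizes a request if either IAM or RBAC allows it, so a view-only ClusterRoleBinding restricts nothing while the user also holds a broader IAM role. The role list, the member names and the sample policy below are assumptions constructed for illustration.

```python
import json

# Predefined IAM roles that include write access to Kubernetes API objects in
# GKE (assumed list; custom roles and group membership are not resolved here).
# IAM and RBAC grants are additive, so any of these overrides a view-only
# ClusterRoleBinding.
RBAC_BYPASSING_ROLES = {
    "roles/owner",
    "roles/editor",
    "roles/container.admin",
    "roles/container.developer",
}

def roles_for(policy, member):
    """Return the sorted roles bound directly to `member` in an IAM policy."""
    wanted = member.lower()
    return sorted({
        b["role"]
        for b in policy.get("bindings", [])
        if wanted in (m.lower() for m in b.get("members", []))
    })

def audit_member(policy, member):
    """Report which of the member's roles make RBAC restrictions ineffective."""
    roles = roles_for(policy, member)
    bypass = [r for r in roles if r in RBAC_BYPASSING_ROLES]
    return {
        "bypass": bypass,
        "other": [r for r in roles if r not in RBAC_BYPASSING_ROLES],
        "rbac_restricts": not bypass,
    }

# Constructed sample, shaped like `gcloud projects get-iam-policy yyy --format=json`.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/container.developer", "members": ["user:admin1@example.com"]},
  {"role": "roles/container.viewer",
   "members": ["user:admin1@example.com", "user:viewer1@example.com"]},
  {"role": "roles/owner", "members": ["user:owner1@example.com"]}
]}
""")

if __name__ == "__main__":
    for m in ("user:admin1@example.com", "user:viewer1@example.com"):
        print(m, audit_member(SAMPLE_POLICY, m))
```

Any role reported under `bypass` has to be removed from the project's IAM policy before the RBAC binding can limit that user.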
