Restrict deployment to a GKE namespace

When you deploy to Google Kubernetes Engine (GKE), the default Cloud Deploy execution service account has access to all namespaces in the target cluster. You can configure that service account to deploy to only one namespace.

  1. Ensure that the execution service account doesn't have the roles/container.developer IAM role.

  2. Grant the service account the roles/container.clusterViewer role.

    gcloud projects add-iam-policy-binding PROJECT_ID \
 --member="serviceAccount:SERVICE_ACCOUNT" \
 --role="roles/container.clusterViewer"

    This role allows the service account to authenticate on the cluster, but do nothing else.

  3. Create a Kubernetes RBAC Role that grants admin access to the namespace.

    The RBAC role in this example has broad permissions, equivalent to the clouddeploy.developer IAM role. To minimize the risk of privilege escalation, we recommend you change these permissions to the minimum required for your applications. For instructions, see the RBAC documentation for GKE.

    kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  namespace: NAMESPACE
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]

  4. Create a RoleBinding that binds that RBAC Role in your chosen namespace to the Cloud Deploy execution service account:

    kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
  namespace: NAMESPACE
subjects:
# Google Cloud user account
- kind: User
  name: SERVICE_ACCOUNT
roleRef:
  kind: Role
  name: admin
  apiGroup: rbac.authorization.k8s.io

    This manifest defines an RBAC policy binding the admin Role to your execution service account. NAMESPACE is the namespace for which you want to grant the service account access. The service account can't access any other namespace on the cluster.

  5. Apply the RBAC manifest to the cluster:

    kubectl apply -f YAML_NAME