Enable access and view cluster resources by namespace


This page explains how to restrict view access to cluster resources based on specific namespaces, and how users with restricted access can view these resources on the Google Cloud console. This scenario is common for organizations that run multi-tenant Google Kubernetes Engine (GKE) clusters.

This page is for Security specialists and Operators who want to provide users with restricted access to cluster resources for specific namespaces. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.

Before reading this page, ensure that you're familiar with the following namespace concepts:

Enable namespace-restricted access to cluster resources

You can use tenant permissions to restrict user interactions with the cluster on the Google Cloud console. You grant users the roles/container.clusterViewer IAM role as well as Kubernetes role-based access control (RBAC) permissions to view resources in specific namespaces.

To learn more about using namespaces, see Organizing Kubernetes with Namespaces and Enterprise multi-tenancy best practices.
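
One way to set up the two grants described above, as an added example that is not from the original page. It assumes the built-in read-only `view` ClusterRole supplies the RBAC permissions; the user `alice@example.com`, namespace `team-a`, project `my-project` and binding name `tenant-viewer` are illustrative.

```shell
# Added example: alice@example.com, team-a, my-project, tenant-viewer are assumptions.
LC_ALL=C; export LC_ALL   # make [a-z] ranges byte-exact

# RFC 1123 label: lowercase alphanumerics or '-', alphanumeric at both ends.
valid_namespace() {
  case "$1" in
    ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
  esac
  [ "${#1}" -le 63 ]
}

# On GKE the RBAC user name is the Google account email. The whitelist also
# rejects quotes and newlines, so input cannot add keys to the manifest.
valid_user() {
  case "$1" in
    *[!A-Za-z0-9._@+-]*) return 1 ;;
    ?*@?*) return 0 ;;
  esac
  return 1
}

# Emit a namespaced RoleBinding to the built-in read-only "view" ClusterRole.
# A RoleBinding (not a ClusterRoleBinding) limits the grant to one namespace.
render_rolebinding() {
  rb_user=$1; rb_ns=$2
  valid_user "$rb_user" || { echo "invalid user" >&2; return 1; }
  valid_namespace "$rb_ns" || { echo "invalid namespace" >&2; return 1; }
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: tenant-viewer
  namespace: "$rb_ns"
subjects:
- kind: User
  name: "$rb_user"
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Run as a cluster administrator (commented out so the script runs offline):
#   gcloud projects add-iam-policy-binding my-project \
#     --member=user:alice@example.com --role=roles/container.clusterViewer
#   render_rolebinding alice@example.com team-a | kubectl apply -f -
#   kubectl auth can-i list pods -n team-a  --as alice@example.com   # expect: yes
#   kubectl auth can-i list pods -n default --as alice@example.com   # expect: no
```

The `view` ClusterRole does not allow reading Secrets, so tenants see workloads without gaining access to service account credentials stored in the namespace.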

View namespace-restricted resources in the Google Cloud console

If you have limited IAM or RBAC permissions and want to view namespace-restricted resources on the Google Cloud console, follow these steps:

  1. Go to the Workloads page in the Google Cloud console.


  2. Click the Namespace drop-down list.

  3. Click Add filter.

  4. Enter the namespace you want to access, then click Save.

  5. Click OK.

The list will be filtered to show the selected namespace.

Share saved views

You can also save the filtered list as a named saved view. The saved view will persist across sessions, and can be shared with other users.

To share a saved view, follow these steps:

  1. Select the saved view from the Saved view drop-down list.
  2. Next to the Saved view drop-down list, click , then click Share.
  3. Click to copy the URL in the Share view dialog. You can share this URL with other users who need access to the same cluster and namespaces.