Google Group User --> Kubernetes RBAC
Latest commit cba9d32 Jan 20, 2019
kubernetes-rbac-synchroniser


What It Does

RBAC Synchroniser pulls a Google Group, extracts the member email addresses of that group, and updates the Kubernetes RoleBinding in the given namespace so that its subjects match the group membership.

[graph.png: Google Group to Kubernetes RoleBinding flow]

Requirements

  • The service account's private key file: -config-file-path flag
  • The email of the user with permissions to access the Admin APIs: -google-admin-email flag
    (see the domain-wide delegation guide: https://developers.google.com/admin-sdk/directory/v1/guides/delegation)
  • The Google Group list per Kubernetes namespace: -namespace-group flag
  • Minimal GKE IAM permissions for each Google Group, so that members can run 'gcloud container clusters get-credentials' without being granted broader IAM access:
    gcloud beta iam roles create minimal_gke_role --project my_project --title "Container Engine Minimal" --description "Minimal GKE Role which allows 'gcloud container clusters get-credentials' command" --permissions "container.apiServices.get,container.apiServices.list,container.clusters.get,container.clusters.getCredentials"
    (see: https://stackoverflow.com/questions/45945074/iam-and-rbac-conflicts-on-google-cloud-container-engine-gke/45945239#45945239)

Flags

Flag / Description / Default

-cluster-role-name: The cluster role name with permissions. Default: "view"
-config-file-path: The path to the service account's private key file.
-google-admin-email: The Google Admin email.
-fake-group-response: Fake Google Admin API response.
-namespace-group: The group and namespace. May be used multiple times.
-in-cluster-config: Use in-cluster kubeconfig. Default: true
-kubeconfig: Absolute path to the kubeconfig file.
-listen-address: The address to listen on for HTTP requests. Default: ":8080"
-rolebinding-name: The role binding name per namespace. Default: "developer"
-update-interval: Update interval. Default: 15m0s
-log-json: Log as JSON instead of the default ASCII formatter. Default: false
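As an added example (not the project's own code), this builds the desired-state object the synchroniser reconciles for one namespace: the RoleBinding named by -rolebinding-name, with the deduplicated group member emails as Kubernetes User subjects and a roleRef to the -cluster-role-name ClusterRole. The struct shape, the email normalisation and the sample member list are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Minimal mirror of the rbac.authorization.k8s.io/v1 RoleBinding schema
// (assumed shape for this example, not the project's own types).
type RoleBinding struct {
	APIVersion string              `json:"apiVersion"`
	Kind       string              `json:"kind"`
	Metadata   map[string]string   `json:"metadata"`
	Subjects   []map[string]string `json:"subjects"`
	RoleRef    map[string]string   `json:"roleRef"`
}

// uniqueEmails trims, lowercases, deduplicates and sorts the member list so the
// binding is deterministic and a member listed twice gets a single subject.
func uniqueEmails(emails []string) []string {
	seen := map[string]bool{}
	var out []string
	for _, e := range emails {
		if e = strings.ToLower(strings.TrimSpace(e)); e != "" && !seen[e] {
			seen[e] = true
			out = append(out, e)
		}
	}
	sort.Strings(out)
	return out
}

// BuildRoleBinding returns the desired RoleBinding for one namespace: every
// group member becomes a User subject bound to the named ClusterRole.
func BuildRoleBinding(namespace, bindingName, clusterRole string, members []string) RoleBinding {
	rb := RoleBinding{APIVersion: "rbac.authorization.k8s.io/v1", Kind: "RoleBinding",
		Metadata: map[string]string{"name": bindingName, "namespace": namespace},
		Subjects: []map[string]string{}, // empty group renders as [], not null
		RoleRef:  map[string]string{"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": clusterRole}}
	for _, m := range uniqueEmails(members) {
		rb.Subjects = append(rb.Subjects, map[string]string{"kind": "User", "apiGroup": "rbac.authorization.k8s.io", "name": m})
	}
	return rb
}

func main() { // constructed sample group listing: mixed case and a duplicate entry
	rb := BuildRoleBinding("team-a", "developer", "view", []string{"Alice@example.com", "bob@example.com", " alice@example.com"})
	out, _ := json.MarshalIndent(rb, "", "  ")
	fmt.Println(string(out))
}
```

Comparing this rendered object with `kubectl get rolebinding developer -n team-a -o json` is a quick way to spot subjects that were added outside the group sync.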

Prometheus metrics

  • rbac_synchroniser_success: Cumulative number of role update operations.
  • rbac_synchroniser_errors: Cumulative number of errors during role update operations.

Examples

https://github.com/google-cloud-tools/kubernetes-rbac-synchroniser/tree/master/examples
