RBAC Synchroniser pulls a Google Group, extracts the Google Group member emails and updates the Kubernetes RoleBinding in the given namespace.
- The service account's private key file: -config-file-path flag
- The email of the user with permissions to access the Admin APIs: -google-admin-email flag
  (see guide: https://developers.google.com/admin-sdk/directory/v1/guides/delegation)
- The Google Group list per Kubernetes namespace: -namespace-group flag
- Configure minimal GKE IAM permissions for each Google Group:

  ```sh
  gcloud beta iam roles create minimal_gke_role --project my_project --title "Container Engine Minimal" --description "Minimal GKE Role which allows 'gcloud container clusters get-credentials' command" --permissions "container.apiServices.get,container.apiServices.list,container.clusters.get,container.clusters.getCredentials"
  ```
Flag | Description | Default |
---|---|---|
-cluster-role-name | The cluster role name with permissions. | "view" |
-config-file-path | The Path to the Service Account's Private Key file. | |
-google-admin-email | The Google Admin Email. | |
-fake-group-response | Fake Google Admin API Response. | |
-namespace-group | The group and namespace. May be used multiple times. | |
-in-cluster-config | Use in cluster kubeconfig. | true |
-kubeconfig | Absolute path to the kubeconfig file. | |
-listen-address | The address to listen on for HTTP requests. | ":8080" |
-rolebinding-name | The role binding name per namespace. | "developer" |
-update-interval | Update interval in seconds. | 15m0s |
-log-json | Log as JSON instead of the default ASCII formatter. | false |
- rbac_synchroniser_success: Cumulative number of role update operations.
- rbac_synchroniser_errors: Cumulative number of errors during role update operations.
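As an added illustration, not the project's own code, of the RoleBinding the synchroniser maintains per namespace: it turns a members.list response of the shape the -fake-group-response flag stands in for into a RoleBinding using the -cluster-role-name and -rolebinding-name defaults, and reports which subjects a sync would grant or revoke. The "namespace:group" format for -namespace-group, the sample members, the lowercasing of emails and the dropping of nested groups and suspended accounts are assumptions of this example.

```python
import json

# Constructed sample of a Google Admin SDK Directory API members.list response,
# standing in for what the -fake-group-response flag would feed the tool.
FAKE_MEMBERS_RESPONSE = json.dumps({
    "kind": "admin#directory#members",
    "members": [
        {"email": "alice@example.com", "type": "USER", "status": "ACTIVE", "role": "MEMBER"},
        {"email": "bob@example.com", "type": "USER", "status": "SUSPENDED", "role": "MEMBER"},
        {"email": "ops-team@example.com", "type": "GROUP", "status": "ACTIVE", "role": "MEMBER"},
        {"email": "Carol@Example.com", "type": "USER", "status": "ACTIVE", "role": "OWNER"},
    ],
})

def parse_namespace_group(value):
    """Parse one -namespace-group value; the 'namespace:group' format is an assumption."""
    namespace, sep, group = value.partition(":")
    if not sep or not namespace or "@" not in group:
        raise ValueError(f"bad -namespace-group value: {value!r}")
    return namespace, group

def member_emails(members_response):
    """Keep only active, direct USER members (assumed policy): nested groups are not
    expanded and suspended accounts are dropped so they do not keep namespace access.
    Emails are lowercased because Kubernetes User names are case-sensitive."""
    data = json.loads(members_response)
    return sorted(
        m["email"].lower()
        for m in data.get("members", [])
        if m.get("type") == "USER" and m.get("status") == "ACTIVE"
    )

def build_rolebinding(namespace, emails, cluster_role="view", name="developer"):
    """Desired RoleBinding for one namespace; defaults mirror the tool's flag defaults."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding",
        "metadata": {"name": name, "namespace": namespace},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": cluster_role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io", "kind": "User", "name": e} for e in emails],
    }

def subject_diff(current, desired):
    """(granted, revoked) emails between the live and desired binding, for audit logging."""
    cur = {s["name"] for s in current.get("subjects", [])}
    new = {s["name"] for s in desired.get("subjects", [])}
    return sorted(new - cur), sorted(cur - new)
```

Logging the output of subject_diff on every update gives an audit trail of who gained or lost namespace access, which the success/error counters alone do not record.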
Examples: https://github.com/google-cloud-tools/kubernetes-rbac-synchroniser/tree/master/examples