IssueTracker

I'd like to be able to restrict user access to GKE specific resources (clusters, namespaces) in Google Cloud IAM.

Today we can only give permissions to individuals in GKE on project level in Google Cloud IAM. With the help of RBAC we can of course restrict access within a cluster and across namespaces, however we cannot do the same in IAM and grant roles and permissions on a resource level (per cluster, per namespace). This way if we want to encourage access policies in RBAC, for example being able to see deployments under a certain namespace but not the others, this policy as is cannot be represented/copied in IAM, so users are not able to use Google Cloud Console at all (because general Viewer role gives you access to all the namespaces, so RBAC is useless at this point).

I can imagine it as in BigQuery (dataset), Pub/Sub (topic), GCS (bucket) or Service Accounts (per service account). You can give BigQuery Data Viewer to an individual on project level in IAM and this way he/she will be able to see all the datasets in a BQ project, but you can also give it on a resource level - which is the dataset itself this time - and the user can still use the BQ UI but just seeing those data resources that are marked with the correct permissions points to him/her.

According to this flow when we open up the cluster listing page we can view and set permissions per cluster level and inside a cluster we can also view and set permissions on a namespace level.

It would make it possible to use the GUI - that is restricted by IAM - and kubectl (directly Kubernetes API) - which is controlled by RBAC and IAM at the same time - anytime with the correct restrictions.

I suppose this ability would be a good representation of fine-grained access control in case of GKE.