5.8.3 Manage Kubernetes RBAC users with Google Groups for GKE

Information

Cluster Administrators should leverage G Suite Groups and Cloud IAM to assign Kubernetes user roles to a collection of users, instead of to individual emails using only Cloud IAM.

Rationale:

On- and off-boarding users is often difficult to automate and prone to error. Using a single source of truth for user permissions via G Suite Groups reduces the number of locations from which an individual must be off-boarded, and prevents users from accumulating unique permission sets that increase the cost of audit.

Impact:

When migrating to using security groups, an audit of RoleBindings and ClusterRoleBindings is required to ensure all users of the cluster are managed using the new groups and not individually.

When managing RoleBindings and ClusterRoleBindings, be wary of inadvertently removing bindings required by service accounts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Follow the G Suite Groups instructions at https://cloud.google.com/kubernetes-engine/docs/how-to/role-based-access-control#google-groups-for-gke.
Then, create a cluster with

gcloud beta container clusters create my-cluster \
--security-group='gke-security-groups@[yourdomain.com]'

Finally, create Roles, ClusterRoles, RoleBindings, and ClusterRoleBindings that reference your G Suite Groups rather than individual user emails.
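The audit the Impact section calls for, and the group-based binding the Solution ends with, as an added example that is not part of the benchmark or of Google's documentation. It walks the JSON that `kubectl get rolebindings,clusterrolebindings -A -o json` returns (here a constructed sample, not real cluster output), flags every human user bound directly by email, and leaves alone the Kubernetes ServiceAccount subjects, IAM service accounts (`*.gserviceaccount.com`) and `system:` identities that the text warns against removing. The `payments` namespace, the `example.com` group names and the binding names are assumptions chosen for the sample.

```python
"""Audit RBAC bindings for individually bound human users and emit a Google Group binding."""
import json
from typing import Dict, List, Optional, Tuple

IAM_SA_SUFFIX = ".gserviceaccount.com"  # Cloud IAM service accounts appear as User subjects

# Constructed sample of the `items` array from
# `kubectl get rolebindings,clusterrolebindings -A -o json`, trimmed to the fields
# the audit needs. Not taken from any real cluster.
SAMPLE_BINDINGS: List[Dict] = [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "dev-team-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "dev-team@example.com"}]},            # managed via Google Groups
    {"kind": "RoleBinding", "metadata": {"name": "alice-edit", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "alice@example.com"}]},               # individual human: flag
    {"kind": "RoleBinding", "metadata": {"name": "ci-deployer", "namespace": "payments"},
     "roleRef": {"kind": "ClusterRole", "name": "edit"},
     "subjects": [{"kind": "User", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "ci-runner@my-project.iam.gserviceaccount.com"},  # IAM SA: keep
                  {"kind": "ServiceAccount", "name": "deployer",
                   "namespace": "payments"}]},                   # k8s SA: keep
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:kube-proxy"},
     "roleRef": {"kind": "ClusterRole", "name": "system:node-proxier"},
     "subjects": [{"kind": "User", "apiGroup": "rbac.authorization.k8s.io",
                   "name": "system:kube-proxy"}]},               # built-in identity: keep
]


def classify_subject(subject: Dict) -> str:
    """Bucket a binding subject as 'service-account', 'system', 'group' or 'individual'."""
    kind, name = subject.get("kind"), subject.get("name", "")
    if kind == "ServiceAccount" or name.endswith(IAM_SA_SUFFIX):
        return "service-account"
    if name.startswith("system:"):          # system:masters, system:kube-proxy, ...
        return "system"
    if kind == "Group":                     # a Google Group email under gke-security-groups@
        return "group"
    return "individual"                     # a User subject naming one human account


def audit_bindings(bindings: List[Dict]) -> List[Tuple[str, str, str, str]]:
    """Return (binding kind, namespace, binding name, user) for every individually bound human."""
    findings = []
    for binding in bindings:
        meta = binding.get("metadata", {})
        for subject in binding.get("subjects", []):
            if classify_subject(subject) == "individual":
                findings.append((binding["kind"], meta.get("namespace", ""),
                                 meta["name"], subject["name"]))
    return findings


def google_group_binding(name: str, group_email: str, cluster_role: str,
                         namespace: Optional[str] = None) -> Dict:
    """Build the manifest that replaces per-user bindings: one Group subject naming a Google Group.

    The group must itself be a member of gke-security-groups@<yourdomain> for GKE to honour it.
    """
    if "@" not in group_email:
        raise ValueError("Google Groups for GKE subjects are group email addresses")
    manifest = {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "RoleBinding" if namespace else "ClusterRoleBinding",
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                    "kind": "ClusterRole", "name": cluster_role},
        "subjects": [{"apiGroup": "rbac.authorization.k8s.io",
                      "kind": "Group", "name": group_email}],
    }
    if namespace:
        manifest["metadata"]["namespace"] = namespace
    return manifest


if __name__ == "__main__":
    for kind, ns, bname, user in audit_bindings(SAMPLE_BINDINGS):
        scope = f"{ns}/" if ns else ""
        print(f"{kind} {scope}{bname}: individually bound user {user}")
    # JSON is accepted by `kubectl apply -f`, so no YAML library is needed.
    print(json.dumps(google_group_binding("payments-editors", "payments-team@example.com",
                                          "edit", namespace="payments"), indent=2))
```

Run it against real output by loading the `items` array from `kubectl get rolebindings,clusterrolebindings -A -o json` instead of `SAMPLE_BINDINGS`; every finding is a binding to migrate to a group, and the classifier deliberately never reports service accounts or `system:` identities, which is what keeps the migration from breaking workloads.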

Default Value:

Google Groups for GKE is disabled by default.

See Also

https://workbench.cisecurity.org/files/4135