I was enabling Google Groups RBAC in our GKE private cluster. I have already created all the groups and added them to gke-security-groups@ourdomain.com according to the documentation. All groups are nested under gke-security-groups@ourdomain.com, and when I click on the members I can see the emails of the users under indirect members, so I think it is configured fine. I have created a group named testapik8@domain.com, added it in IAM and gave it a custom role with these permissions:

    container.apiServices.get
    container.apiServices.list
    container.clusters.getCredentials
    container.clusters.get
    container.clusters.list
I have created and applied my two YAML manifests for the Role and RoleBinding:

    # Role: read-only access to pods in the "test" namespace
    kind: Role
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: test-role
      namespace: test
    rules:
    - apiGroups: [""]
      resources: ["pods"]
      verbs: ["get", "list", "watch"]
    ---
    # RoleBinding: grant test-role to the Google group in the same namespace
    apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: test-rolebinding
      namespace: test
    roleRef:
      kind: Role
      name: test-role
      apiGroup: rbac.authorization.k8s.io
    subjects:
    - kind: Group
      name: testapik8@domain.com
      apiGroup: rbac.authorization.k8s.io
It is applied successfully; when I run kubectl get roles,rolebindings -n test it shows the Role and RoleBinding too, but when the user tries to run the command it shows this error:

    Error from server (Forbidden): pods is forbidden: User "user@ourdomain.com" cannot list resource "pods" in API group "" in the namespace "test": requires one of ["container.pods.list"] permission(s).

I want to know what the issue is. I have checked all the spellings but still cannot fix it.
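As an added illustration (not the question's own code and not GKE's or Kubernetes' real authorizer), the toy evaluator below applies the RBAC matching rules to the Role and RoleBinding above: the binding grants `list pods` in `test` only when `testapik8@domain.com` is among the groups the authenticator attached to the request, which is what the Google Groups for RBAC lookup has to supply. The policy dicts are transcribed from the question's manifests; the identities passed in are constructed sample values.

```python
"""Toy Kubernetes RBAC evaluator for one Role and one RoleBinding (illustration only)."""

# Policy transcribed from the question's manifests, keyed by (namespace, name).
ROLES = {("test", "test-role"): {
    "name": "test-role",
    "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}}
BINDINGS = [{
    "name": "test-rolebinding", "namespace": "test",
    "roleRef": {"kind": "Role", "name": "test-role"},
    "subjects": [{"kind": "Group", "name": "testapik8@domain.com"}],
}]


def _matches(allowed, value):
    """A rule list matches on exact value or the "*" wildcard."""
    return "*" in allowed or value in allowed


def rule_allows(rule, verb, api_group, resource):
    return (_matches(rule["apiGroups"], api_group)
            and _matches(rule["resources"], resource)
            and _matches(rule["verbs"], verb))


def binding_applies(binding, user, groups):
    """True if any subject names the user or one of the presented groups."""
    return any((s["kind"] == "User" and s["name"] == user)
               or (s["kind"] == "Group" and s["name"] in groups)
               for s in binding["subjects"])


def can_i(user, groups, verb, resource, namespace, api_group=""):
    """Return (allowed, reason). A Role grants only inside its own namespace and
    only through a binding whose subject matches the authenticated identity."""
    matched_binding = False
    for b in BINDINGS:
        if b["namespace"] != namespace or not binding_applies(b, user, groups):
            continue
        matched_binding = True
        role = ROLES.get((namespace, b["roleRef"]["name"]))
        if role and any(rule_allows(r, verb, api_group, resource) for r in role["rules"]):
            return True, f"allowed by {b['name']} -> Role {role['name']}"
    if matched_binding:
        return False, "a binding matched, but its Role has no rule for this verb/resource"
    return False, "no RoleBinding in this namespace names the user or any presented group"


if __name__ == "__main__":
    # Constructed sample identities: with and without the group claim present.
    print(can_i("user@ourdomain.com", ["testapik8@domain.com"], "list", "pods", "test"))
    print(can_i("user@ourdomain.com", ["system:authenticated"], "list", "pods", "test"))
```

On a live cluster the equivalent check is `kubectl auth can-i list pods -n test --as user@ourdomain.com --as-group testapik8@domain.com`, which exercises the RBAC policy with an impersonated group independently of the Google Groups lookup.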