# Copyright 2020 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. ######### # Client viewer permissions for GKE, logging, and monitoring ######### # AC-1 - Implementation of access control # AC-3(7), AC-3 - Grant role: roles/container.clusterViewer on the GKE Cluster project to client group apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: containerclusterviewer-permissions annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/container.clusterViewer member: team-gkeviewer # kpt-set: ${team-gkeviewer} --- # AC-3(7), AC-3 - Grant role: roles/logging.viewer on the GKE Cluster project to client group apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: loggingviewer-permissions annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/logging.viewer member: team-gkeviewer # kpt-set: ${team-gkeviewer} --- # AC-3(7), AC-3 - Grant role: roles/monitoring.viewer on the GKE Cluster project to client group apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: monitoringviewer-permissions annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/monitoring.viewer member: team-gkeviewer # kpt-set: ${team-gkeviewer} --- # AC-3(7), AC-3 - Grant role: roles/monitoring.dashboardEditor on the GKE Cluster project to client group apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: monitoringdashboardeditor-permissions annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/monitoring.dashboardEditor member: team-gkeviewer # kpt-set: ${team-gkeviewer} --- # AC-3(7), AC-3 - Grant role: roles/pubsub.viewer on the GKE Cluster project to client group apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: pubsubviewer-permissions annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/pubsub.viewer member: team-gkeviewer # kpt-set: ${team-gkeviewer} --- # AC-3(7), AC-3 - Grant role: roles/pubsub.subscriber on the GKE Cluster project to client group apiVersion: iam.cnrm.cloud.google.com/v1beta1 kind: IAMPolicyMember metadata: name: pubsubsubscriber-permissions annotations: cnrm.cloud.google.com/ignore-clusterless: "true" spec: # AC-1, AC-3(7), AC-3 resourceRef: apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1 kind: Project name: project-id # kpt-set: ${project-id} namespace: client-name-projects # kpt-set: ${client-name}-projects role: roles/pubsub.subscriber member: team-gkeviewer # kpt-set: ${team-gkeviewer}