Configure Google Groups for RBAC
This page shows you how to set up Google Groups to work with Kubernetes role-based access control (RBAC) in your Google Kubernetes Engine (GKE) clusters.
Google Groups for RBAC lets you assign RBAC permissions to members of Google Groups in Google Workspace. Your Google Workspace administrators maintain the users and groups completely outside of GKE or the Google Cloud console. Your cluster administrators therefore won't need detailed information about users.
Using Google Groups for RBAC also lets you integrate with your existing user account management practices, such as revoking access when someone leaves your organization.
This page is for Security specialists and Operators who want to use Google Groups with Kubernetes RBAC in GKE clusters. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.
Before reading this page, ensure that you're familiar with the limitations of Google Groups when creating groups and adding users as members.
To use Google Groups for RBAC, complete the following tasks:
- Meet the requirements.
- Set up your Google Groups.
- Enable Google Groups for RBAC on a cluster.
- Define and assign RBAC permissions to the Google Groups.
Requirements
To use Google Groups for RBAC, you must have access to Google Workspace or any edition of Cloud Identity.
Limitations
- GKE supports users with membership in up to 2000 groups under the security group, including nested memberships, with Google Groups for RBAC.
Set up your Google Groups
The following steps show you how to set up a group in Google Groups that works with RBAC:
1. Create a group in your domain named gke-security-groups. The gke-security-groups name is required. Make sure the group has the View Members permission selected for Group Members. For details, see Set permissions for managing members and content.
2. Create groups, if they do not already exist, that represent sets of users who should have different permissions on your clusters, such as developers and cluster administrators. Each group must have the View members permission for Group members.
3. Add your groups as nested groups to the gke-security-groups group. Don't add individual users as members of gke-security-groups.
For more information on managing Google Groups, refer to the Google Groups Help Center.
To check whether a specific user can perform an action on a cluster resource, GKE checks if the user is a member of a group with access and if that group is nested in the gke-security-groups group.
Information about Google Groups membership is cached for a short time. It might take a few minutes for changes in group memberships to propagate to all your clusters. In addition to latency from group changes, standard caching of user credentials on the cluster is about one hour.
Enable Google Groups for RBAC on clusters
You can enable Google Groups for RBAC on new and existing GKE Standard and Autopilot clusters using the Google Cloud CLI or the Google Cloud console.
Caution: After you create or update a cluster to use Google Groups for RBAC, deleting any of your groups causes your role bindings and access grants to fail. For more information, see the Effects of deleting groups section.
Create a new cluster
gcloud
Standard
To create a new Standard cluster and enable Google Groups for RBAC, run the following command:
gcloud container clusters create CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --security-group="gke-security-groups@DOMAIN"
Replace the following:
- CLUSTER_NAME: the name of the new cluster.
- CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
- DOMAIN: the domain name of the gke-security-groups group you created.
Autopilot
To create a new Autopilot cluster and enable Google Groups for RBAC, run the following command:
gcloud container clusters create-auto CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --security-group="gke-security-groups@DOMAIN"
Console
To create a new cluster and enable the Google Groups for RBAC feature, perform the following steps:
1. Go to the Google Kubernetes Engine page in Google Cloud console.
2. Click Create.
3. Click Configure for the cluster mode that you want to use.
   - For Autopilot clusters, expand the Advanced Options section to locate the Security options.
   - For Standard clusters, in the Cluster section, click Security.
4. Select the Enable Google Groups for RBAC checkbox.
5. Fill in Security Group with gke-security-groups@DOMAIN.
6. Click Create.
Update an existing cluster
gcloud
To update an existing cluster to enable Google Groups for RBAC, run the following command:
gcloud container clusters update CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --security-group="gke-security-groups@DOMAIN"
Replace the following:
- CLUSTER_NAME: the name of the cluster.
- CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
- DOMAIN: the domain name of the gke-security-groups group you created.
Console
To update an existing cluster to enable Google Groups for RBAC, perform the following steps:
1. Go to the Google Kubernetes Engine page in Google Cloud console.
2. Click the name of the cluster that you want to update.
3. On the Details tab, locate the Security section.
4. For the Google Groups for RBAC field, click Edit Google Groups for RBAC.
5. Select the Enable Google Groups for RBAC checkbox.
6. Fill in Security Group with gke-security-groups@DOMAIN.
7. Click Save changes.
Define and assign permissions
After creating and configuring Google Groups for RBAC, use roles and role bindings to define RBAC permissions and assign those permissions to Google Groups that are members of the gke-security-groups group. For instructions, refer to Define and assign permissions.
Verify Google Groups for RBAC configuration
The following sections show you how to verify that your Google Groups for RBAC configuration was successful, using either the gcloud CLI or the Google Cloud console.
Verify using the gcloud CLI
Run a kubectl can-i command to check whether you can perform a specific action against a specific Kubernetes resource. You can use this method to automate testing RBAC access as part of your CI/CD workflow. For example, the following command tests for get access to pods resources in the dev namespace:
kubectl auth can-i get pods \
    --namespace=dev \
    --as=USER \
    --as-group=GROUP
Replace the following:
- USER: the name of the user to impersonate, such as gke-user@example.com. The specified user must be a member of the group for which you're testing access.
- GROUP: the name of the group to impersonate, such as gke-dev-users@example.com.
If USER has access, the output is yes. If not, the output is no.
Verify using the Google Cloud console
You can also verify RBAC access by running a kubectl command against your cluster and checking your logs.
Before you begin
Before you begin, ensure the following:
- You have not interacted with the cluster you want to test (for example, you haven't run any kubectl commands) for at least one hour. Authentication is cached for one hour. Letting the cached credentials expire lets you make sure that the request gets logged when it happens.
- You are a member of at least one of the groups that are members of the gke-security-groups group, which ensures that some Google Groups information is logged.
Enable logs and run a test command
1. Enable data access logging for your Google Cloud project. To enable the logging:
   1. Go to the Audit Logs page in Google Cloud console.
   2. In the table, select Kubernetes Engine API.
   3. In the Log Type menu, select:
      - Admin Read
      - Data Read
      - Data Write
   4. Click Save.
   For more information about enabling Audit Logging, see Configuring Data Access logs with the Cloud console.
   Important: Enabling Audit Logging incurs charges. If you only enabled Audit Logging for testing purposes, you should disable it after you've completed testing to avoid charges.
2. Run a command using kubectl in the cluster, such as the following:
   kubectl create ns helloworld
3. Enter a custom query in the Logs Explorer page. To run the query:
   1. Go to the Logs Explorer page in Google Cloud console.
   2. Click the arrow in the Query preview box at the top of the page.
   3. In the dropdown box that appears, specify the following query:
      resource.type="k8s_cluster"
      resource.labels.location="CLUSTER_LOCATION"
      resource.labels.cluster_name="CLUSTER_NAME"
      protoPayload.resourceName="authorization.k8s.io/v1beta1/subjectaccessreviews"
      protoPayload.response.spec.user="EMAIL_ADDRESS"
      Replace the following:
      - CLUSTER_LOCATION: your cluster's region or zone.
      - CLUSTER_NAME: the name of your cluster.
      - EMAIL_ADDRESS: the registered email address of your Google account.
   4. Select Run Query. At least one result should appear. If there are no results, try increasing the time range.
4. Select the cluster you want to examine.
5. Click Expand nested fields.
6. The field protoPayload.request.spec.group contains the groups where:
   - The groups are members of gke-security-groups.
   - You are a member of the group.
   This list should match the set of groups you are a member of. If no groups are present, there might be an issue with how the groups are set up.
7. Optionally, restore data access logging to previous settings to avoid further charges.
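As an added example (not part of the GKE documentation), the following Python applies the same filter as the Logs Explorer query above to exported audit-log entries and compares the groups recorded in protoPayload.request.spec.group with the nested groups you expect to see logged. The cluster names, location, email address and group addresses in the sample entries are constructed placeholders, and Kubernetes built-in system:* groups are ignored because they are not Google Groups.

```python
# Constructed sample entries in the shape of Cloud Audit Log JSON; cluster names,
# location, email and group addresses are placeholders, not real values.
SAMPLE_ENTRIES = [
    {
        "resource": {"type": "k8s_cluster",
                     "labels": {"location": "us-central1", "cluster_name": "demo-cluster"}},
        "protoPayload": {
            "resourceName": "authorization.k8s.io/v1beta1/subjectaccessreviews",
            "request": {"spec": {"user": "gke-user@example.com",
                                 "group": ["system:authenticated", "gke-dev-users@example.com"]}},
            "response": {"spec": {"user": "gke-user@example.com"}},
        },
    },
    {   # Same user on a different cluster: the filter must exclude this entry.
        "resource": {"type": "k8s_cluster",
                     "labels": {"location": "us-central1", "cluster_name": "other-cluster"}},
        "protoPayload": {
            "resourceName": "authorization.k8s.io/v1beta1/subjectaccessreviews",
            "request": {"spec": {"user": "gke-user@example.com",
                                 "group": ["gke-cluster-admins@example.com"]}},
            "response": {"spec": {"user": "gke-user@example.com"}},
        },
    },
]
SAR_RESOURCE = "authorization.k8s.io/v1beta1/subjectaccessreviews"

def matches_query(entry, location, cluster_name, email):
    """Mirror the Logs Explorer query: a SubjectAccessReview on this cluster for this user."""
    res = entry.get("resource", {})
    payload = entry.get("protoPayload", {})
    return (res.get("type") == "k8s_cluster"
            and res.get("labels", {}).get("location") == location
            and res.get("labels", {}).get("cluster_name") == cluster_name
            and payload.get("resourceName") == SAR_RESOURCE
            and payload.get("response", {}).get("spec", {}).get("user") == email)

def logged_groups(entries, location, cluster_name, email):
    """Google Groups recorded for the user; Kubernetes built-in system:* groups are dropped."""
    groups = set()
    for entry in entries:
        if matches_query(entry, location, cluster_name, email):
            spec = entry["protoPayload"].get("request", {}).get("spec", {})
            groups.update(g for g in spec.get("group", []) if not g.startswith("system:"))
    return groups

def check_membership(entries, location, cluster_name, email, expected_groups):
    """Return (ok, missing): ok is False when nothing was logged or an expected group is absent."""
    seen = logged_groups(entries, location, cluster_name, email)
    missing = sorted(set(expected_groups) - seen)
    return (bool(seen) and not missing, missing)
```

An empty result from logged_groups for a user who did run kubectl is the "no groups are present" case from step 6, which points at the group setup rather than at the RoleBinding.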
Effects of deleting groups
After you configure Google Groups for RBAC, your RBAC access grants depend on the existence of the Google Groups that you created. Consider the following effects of deleting one of the groups:
- gke-security-groups: GKE uses the unique ID of the gke-security-groups group to find the subjects that you reference in your RBAC policies. If you delete this group, all of the access grants for Google Groups for RBAC fail. If you recreate the gke-security-groups group, you must re-enable Google Groups for RBAC on your cluster by using the steps in the Update an existing cluster section. Re-enabling Google Groups for RBAC updates the cluster to use the group ID of the new gke-security-groups group.
- Member groups: if you delete one of the member groups that you configured for Google Groups for RBAC, any RBAC bindings for that group fail. As a result, all of the members of that group lose the corresponding access.
To fix an unintentional member group deletion, create a new group with exactly the same name as the deleted group. Make the new group a member of the gke-security-groups group by following the steps in the Set up your Google Groups section.
What's next
- Learn how to configure role-based access control.
- Learn more about access control in GKE.
- Learn about IAM.
- Read about OpenID Connect (OIDC).
- Learn about RBAC Best Practices.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-15 UTC.