user3060612

Reputation: 13

GKE RBAC Group bindings work without Enabling Google Groups for RBAC


So the question is: how does it work without enabling Google Groups for RBAC in GKE?

We expected the RBAC binding not to work, as we didn't enable Google Groups for RBAC in GKE.

Upvotes: 0

Views: 373

Answers (1)

Srividya

Reputation: 2323

Google Groups for RBAC lets you assign RBAC permissions to members of Google Groups in Google Workspace. In GKE, RBAC allows you to control access to resources within your cluster based on roles assigned to users and groups. By default, GKE uses Google Groups for RBAC, which means that you need to enable Google Groups and manage your groups within Google Cloud Console.

However, GKE also supports using external identity providers, such as Azure Active Directory, for RBAC group bindings. This means that you can leverage existing groups in external identity providers like Google Workspace from Azure, without enabling Google Groups for RBAC in GKE.

Since you have already set up integration between GKE and Azure AD and have created group bindings which allow a specific group to delete and create pods, this doesn't need the enabling of Google Groups.

Note: The GCP IAM users (Google groups or individuals) should not have an IAM role other than Kubernetes Engine Cluster Viewer or Kubernetes Engine Cluster Admin. These two roles don’t grant access to any Kubernetes workloads, and allow us to manage the access via Kubernetes RBAC. Other predefined IAM roles like Editor, Kubernetes Engine Admin etc. can inherently grant access to Kubernetes resources/workloads.

Refer to the documentation on how to configure Google groups for RBAC.

Upvotes: 0
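Added example, not from the question or the answer above: a small Python audit that resolves RBAC bindings (in the JSON shape `kubectl get roles,clusterroles,rolebindings,clusterrolebindings -o json` returns) to the Group subjects that are granted create and delete on pods, so you can confirm which binding is actually granting the access instead of assuming Google Groups for RBAC must be involved. The manifests and the group names in it are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample input in the shape `kubectl get ... -o json` returns: a
# namespaced Role letting a group create/delete pods, and a read-only ClusterRole.
SAMPLE_ROLES = [
    {"kind": "Role", "metadata": {"name": "pod-editor", "namespace": "dev"},
     "rules": [{"apiGroups": [""], "resources": ["pods"],
                "verbs": ["create", "delete", "get"]}]},
    {"kind": "ClusterRole", "metadata": {"name": "view"},
     "rules": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}]},
]
SAMPLE_BINDINGS = [
    {"kind": "RoleBinding", "metadata": {"name": "devs-edit-pods", "namespace": "dev"},
     "roleRef": {"kind": "Role", "name": "pod-editor"},
     "subjects": [{"kind": "Group", "name": "gke-devs@example.com"},  # placeholder group
                  {"kind": "User", "name": "alice@example.com"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "everyone-view"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
]


def _rule_grants(rule, resource, verb):
    """True if one RBAC rule covers the resource and verb ('*' matches anything)."""
    return (("*" in rule.get("resources", []) or resource in rule.get("resources", []))
            and ("*" in rule.get("verbs", []) or verb in rule.get("verbs", [])))


def groups_with_pod_verbs(roles, bindings, verbs=("create", "delete")):
    """Map each Group subject that gets ALL of `verbs` on pods to the scopes
    ('namespace/binding' or 'cluster-wide/binding') that grant it. A ClusterRole
    referenced from a namespaced RoleBinding only applies in that namespace."""
    rules_by_ref = {(r["kind"], r["metadata"]["name"]): r["rules"] for r in roles}
    found = defaultdict(set)
    for b in bindings:
        rules = rules_by_ref.get((b["roleRef"]["kind"], b["roleRef"]["name"]), [])
        if not all(any(_rule_grants(r, "pods", v) for r in rules) for v in verbs):
            continue
        scope = b["metadata"].get("namespace", "cluster-wide")
        for subject in b.get("subjects", []):
            if subject.get("kind") == "Group":
                found[subject["name"]].add(f"{scope}/{b['metadata']['name']}")
    return dict(found)


if __name__ == "__main__":
    for group, scopes in groups_with_pod_verbs(SAMPLE_ROLES, SAMPLE_BINDINGS).items():
        print(f"{group}: {sorted(scopes)}")  # prints gke-devs@example.com: ['dev/devs-edit-pods']
```

Run it against your own cluster's JSON output and the group name it reports is the one your identity provider must emit in the token's group claim; if that name is not a Google Group, Google Groups for RBAC is not what is authorizing the access.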
