projectcapsule / capsule

Multi-tenancy and policy-based framework for Kubernetes.
https://projectcapsule.dev/
Apache License 2.0

Document how to use Capsule with GCP #623

Open maxgio92 opened 2 years ago

maxgio92 commented 2 years ago

Describe the feature

This issue tracks the work to document how to use Capsule in a GCP environment with GKE and GCP IAM.

What would the new user story look like?

As an adopter I'd like to understand how to set up GCP and Kubernetes resources to make Capsule work in GKE with Tenant users as Google Users.

maxgio92 commented 2 years ago

This is a work in progress

  1. Create/update GKE cluster enabling the Google Groups for Kubernetes RBAC GKE feature
  2. Create a GCP IAM Group:
    • email: gke-security-group@<domain>
    • name: gke-security-group
  3. Create a GCP IAM Group that will be a Capsule Group, e.g.:
    • email: capsule@clastix.io
    • name: capsule-group
  4. Add the capsule-group GCP IAM Group above as a member of the gke-security-group GCP IAM Group
  5. Add the Google Users of the Capsule Tenant Owners as members of the capsule-group GCP IAM Group
  6. Create a GCP IAM Role to enable the Capsule Tenant Owner Google Users to authenticate to GKE (and Kubernetes) with permissions:
    • containers.clusters.get
    • containers.clusters.GetCredentials
  7. Assign GCP IAM Role above to Tenant Owner IAM User
  8. Create/update the used CapsuleConfiguration with as Capsule group the email of the GCP IAM Group capsule-group (i.e. capsule@clastix.io)
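The eight steps above, scripted end to end as an added example (this is not code from the Capsule project or from the issue author). It assumes the gcloud CLI, a placeholder project id, a placeholder Google Workspace or Cloud Identity domain and two constructed tenant-owner users; the IAM permission identifiers it grants are `container.clusters.get` and `container.clusters.getCredentials` (the comment spells them with a `containers.` prefix), and the manifest uses the `userGroups` field of `CapsuleConfiguration` in `capsule.clastix.io/v1beta2`. Every cloud call goes through `run()`, which only prints the command unless `APPLY=1`, so the plan can be reviewed before anything is changed in the organisation.

```shell
#!/bin/sh
# Added example, not Capsule project code: scaffolds the GCP IAM groups, the
# least-privilege custom role and the CapsuleConfiguration for Capsule on GKE.
set -eu

PROJECT="${PROJECT:-my-gcp-project}"          # assumption: placeholder project id
DOMAIN="${DOMAIN:-example.com}"               # assumption: placeholder Workspace domain
CLUSTER="${CLUSTER:-capsule-gke}"             # assumption: placeholder cluster name
REGION="${REGION:-europe-west1}"              # assumption: placeholder region
ROLE_ID="${ROLE_ID:-capsuleTenantOwner}"      # custom role id, hypothetical
SECURITY_GROUP="gke-security-group@${DOMAIN}" # the name GKE expects for groups RBAC
CAPSULE_GROUP="${CAPSULE_GROUP:-capsule@${DOMAIN}}"
OWNERS="${OWNERS:-alice@${DOMAIN} bob@${DOMAIN}}"  # constructed sample tenant owners

# Print the command (plan mode) or execute it when APPLY=1.
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Steps 2-5: both groups, nest capsule-group into gke-security-group, add owners.
create_groups() {
  for g in "$SECURITY_GROUP" "$CAPSULE_GROUP"; do
    run gcloud identity groups create "$g" --organization="$DOMAIN" \
      --labels=cloudidentity.googleapis.com/groups.discussion_forum,cloudidentity.googleapis.com/groups.security
  done
  run gcloud identity groups memberships add \
    --group-email="$SECURITY_GROUP" --member-email="$CAPSULE_GROUP"
  for u in $OWNERS; do
    run gcloud identity groups memberships add \
      --group-email="$CAPSULE_GROUP" --member-email="$u"
  done
}

# Step 1: enable Google Groups for RBAC on the cluster (the group must exist first).
enable_gke_groups() {
  run gcloud container clusters update "$CLUSTER" --region="$REGION" --project="$PROJECT" \
    --security-group="$SECURITY_GROUP"
}

# Steps 6-7: a custom role holding only the two permissions needed to fetch
# cluster credentials; everything inside the cluster is decided by Capsule RBAC.
create_role() {
  run gcloud iam roles create "$ROLE_ID" --project="$PROJECT" \
    --title="Capsule tenant owner" \
    --permissions=container.clusters.get,container.clusters.getCredentials
  for u in $OWNERS; do
    run gcloud projects add-iam-policy-binding "$PROJECT" \
      --member="user:${u}" --role="projects/${PROJECT}/roles/${ROLE_ID}"
  done
}

# Step 8: Capsule must treat members of the IAM group (presented by GKE as the
# group e-mail in the user's groups claim) as tenant owners.
capsule_configuration() {
cat <<EOF
apiVersion: capsule.clastix.io/v1beta2
kind: CapsuleConfiguration
metadata:
  name: default
spec:
  userGroups:
    - ${CAPSULE_GROUP}
EOF
}

# Usage: sh capsule-gke.sh plan          (prints every command and the manifest)
#        APPLY=1 sh capsule-gke.sh plan  (executes the gcloud calls)
if [ "${1:-}" = "plan" ]; then
  create_groups
  enable_gke_groups
  create_role
  capsule_configuration
fi
```

Order matters: the security group has to exist before `--security-group` is accepted on the cluster, so groups are created first. Pipe the last function into `kubectl apply -f -` once the manifest looks right; tenant owners then only need the custom role to run `gcloud container clusters get-credentials`, and Capsule's own RBAC scopes what they can do afterwards.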