gke.md

File metadata and controls

25 lines (22 loc) · 1.4 KB

Authentication With Google Kubernetes Engine

Google Kubernetes Engine (GKE) takes a distinctive approach to authentication and authorization. Google IAM users are automatically mapped to Kubernetes RBAC users, so no separate identity provider or user object is needed in the cluster. Unfortunately, at this point there is no mapping from IAM groups to RBAC groups in GKE, so group membership has to be expanded into individual User subjects in your RBAC configuration.

A Simple RBAC Definition for GKE

Google IAM user accounts are mapped to Kubernetes RBAC User subjects with their email address as the username. The same holds for Google IAM service accounts, whose username is the service account email (for example `name@project.iam.gserviceaccount.com`). That makes RBAC bindings very straightforward:

apiVersion: rbacmanager.reactiveops.io/v1beta1
kind: RBACDefinition
metadata:
  name: sample-config
rbacBindings:
  - name: web-developers
    subjects:
      # Each IAM user is addressed by email; groups cannot be used here on GKE
      - kind: User
        name: jane@example.com
      - kind: User
        name: joe@example.com
    roleBindings:
      # Built-in "edit" ClusterRole, scoped to the "web" namespace only
      - clusterRole: edit
        namespace: web

Understanding the Overlap Between IAM and RBAC

Google Cloud IAM roles can grant fairly specific Kubernetes permissions that overlap with RBAC roles. This means that a user's effective access to a GKE cluster is the union of what IAM and RBAC grant: removing an RBAC binding does not revoke access that a project-level IAM role (such as one of the `roles/container.*` roles, or the basic Owner/Editor/Viewer roles) still provides, so both sides must be reviewed when auditing or revoking access. This blog post provides more information on how IAM and RBAC work together in GKE. If you're simply trying to see relevant GKE IAM and RBAC roles in one place, rbac-lookup can help with that (its `--gke` flag includes IAM roles in the output).
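The following script is an added example, not code from rbac-manager or Google; it ties together the two points above. It reads a project IAM policy (a constructed sample in the shape of `gcloud projects get-iam-policy --format=json`) and an RBACDefinition, turns IAM `user:` and `serviceAccount:` members into RBAC User subjects keyed by email while flagging `group:` members that GKE cannot map, and then lists, per identity, the union of GKE-relevant IAM roles and RBAC bindings in the way rbac-lookup does. The IAM role names and binding names in the sample data, and the helper function names, are assumptions for illustration.

```python
"""Combine a GCP IAM policy with an rbac-manager RBACDefinition.

Added example (not part of rbac-manager or GKE). Sample inputs are
constructed inline; no cloud or cluster access is needed.
"""
import json
from collections import defaultdict

# Constructed sample: shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_IAM_POLICY = {
    "bindings": [
        {"role": "roles/container.admin",
         "members": ["user:ops@example.com"]},
        {"role": "roles/container.viewer",
         "members": ["user:jane@example.com",
                     "serviceAccount:ci@my-project.iam.gserviceaccount.com",
                     "group:web-team@example.com"]},
        {"role": "roles/storage.objectViewer",  # not a cluster role; ignored below
         "members": ["user:jane@example.com"]},
    ]
}

# Constructed RBACDefinition matching the one in the text above.
SAMPLE_RBAC_DEFINITION = {
    "apiVersion": "rbacmanager.reactiveops.io/v1beta1",
    "kind": "RBACDefinition",
    "metadata": {"name": "sample-config"},
    "rbacBindings": [
        {"name": "web-developers",
         "subjects": [{"kind": "User", "name": "jane@example.com"},
                      {"kind": "User", "name": "joe@example.com"}],
         "roleBindings": [{"clusterRole": "edit", "namespace": "web"}]},
    ],
}

# IAM roles that grant some level of Kubernetes API access on GKE: the
# container.* roles plus the basic (primitive) project roles.
GKE_ROLE_PREFIX = "roles/container."
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}


def grants_cluster_access(iam_role):
    return iam_role.startswith(GKE_ROLE_PREFIX) or iam_role in BASIC_ROLES


def iam_member_to_rbac_subject(member):
    """Map one IAM member string to an RBAC subject, or None if GKE has no mapping.

    `user:` and `serviceAccount:` members become kind=User with the email as
    the name. `group:` (and anything else) returns None: GKE does not map IAM
    groups to RBAC groups, so the caller must expand the group itself.
    """
    prefix, _, email = member.partition(":")
    if prefix in ("user", "serviceAccount") and email:
        return {"kind": "User", "name": email}
    return None


def rbac_definition_from_iam(policy, name, cluster_role, namespace, iam_roles):
    """Build an RBACDefinition binding `cluster_role` in `namespace` to every
    IAM member holding one of `iam_roles`. Returns (definition, skipped_members).
    Output is a dict; `json.dumps` of it is valid input for `kubectl apply -f`."""
    subjects, skipped, seen = [], [], set()
    for binding in policy["bindings"]:
        if binding["role"] not in iam_roles:
            continue
        for member in binding["members"]:
            subject = iam_member_to_rbac_subject(member)
            if subject is None:
                skipped.append(member)          # surface unmapped groups
            elif subject["name"] not in seen:
                seen.add(subject["name"])
                subjects.append(subject)
    definition = {
        "apiVersion": "rbacmanager.reactiveops.io/v1beta1",
        "kind": "RBACDefinition",
        "metadata": {"name": name},
        "rbacBindings": [{"name": name, "subjects": subjects,
                          "roleBindings": [{"clusterRole": cluster_role,
                                            "namespace": namespace}]}],
    }
    return definition, skipped


def effective_access(policy, definition):
    """Per identity, the union of cluster-relevant IAM roles and RBAC bindings:
    {email: {"iam": [iam roles], "rbac": ["role/namespace" or "role/cluster-wide"]}}"""
    access = defaultdict(lambda: {"iam": [], "rbac": []})
    for binding in policy["bindings"]:
        if not grants_cluster_access(binding["role"]):
            continue
        for member in binding["members"]:
            subject = iam_member_to_rbac_subject(member)
            if subject is not None:
                access[subject["name"]]["iam"].append(binding["role"])
    for rb in definition["rbacBindings"]:
        for subject in rb["subjects"]:
            if subject["kind"] != "User":
                continue
            for r in rb.get("roleBindings", []):
                role = r.get("clusterRole") or r.get("role")
                access[subject["name"]]["rbac"].append(f"{role}/{r['namespace']}")
            for r in rb.get("clusterRoleBindings", []):
                access[subject["name"]]["rbac"].append(f"{r['clusterRole']}/cluster-wide")
    return {email: dict(v) for email, v in sorted(access.items())}


if __name__ == "__main__":
    defn, skipped = rbac_definition_from_iam(
        SAMPLE_IAM_POLICY, "web-viewers", "view", "web", {"roles/container.viewer"})
    print(json.dumps(defn, indent=2))
    print("unmapped IAM members (expand manually):", skipped)
    print(json.dumps(effective_access(SAMPLE_IAM_POLICY, SAMPLE_RBAC_DEFINITION), indent=2))
```

In the sample, `joe@example.com` appears only under RBAC and `ops@example.com` only under IAM, while `jane@example.com` holds both a project-level viewer role and a namespaced edit binding; the combined listing is what you need to review before concluding that any one binding is the only thing granting access.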