This page explains how to restrict view
access to cluster resources based on specific namespaces, and how users with
restricted access can view these resources on the Google Cloud console. This scenario is common for
organizations that runmulti-tenantGoogle Kubernetes Engine (GKE) clusters.
This page is for
Security specialists and Operators who want to provide users
with restricted access to cluster resources for specific namespaces.
To learn more about
common roles and example tasks that we reference in Google Cloud content, seeCommon GKE user roles and tasks.
Before reading this page, ensure that you're familiar with the following namespace concepts:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Enable access and view cluster resources by namespace\n\n[Autopilot](/kubernetes-engine/docs/concepts/autopilot-overview) [Standard](/kubernetes-engine/docs/concepts/choose-cluster-mode)\n\n*** ** * ** ***\n\nThis page explains how to restrict view\naccess to cluster resources based on specific namespaces, and how users with\nrestricted access can view these resources on the Google Cloud console. This scenario is common for\norganizations that run [multi-tenant](/kubernetes-engine/docs/concepts/multitenancy-overview)\nGoogle Kubernetes Engine (GKE) clusters.\n\nThis page is for\nSecurity specialists and Operators who want to provide users\nwith restricted access to cluster resources for specific namespaces.\nTo learn more about\ncommon roles and example tasks that we reference in Google Cloud content, see\n[Common GKE user roles and tasks](/kubernetes-engine/enterprise/docs/concepts/roles-tasks).\n\nBefore reading this page, ensure that you're familiar with the following namespace concepts:\n\n- [Organizing Kubernetes with Namespaces](https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-organizing-with-namespaces)\n- [Enterprise multi-tenancy best practices](/kubernetes-engine/docs/best-practices/enterprise-multitenancy#create-namespaces)\n\nEnable namespace-restricted access to cluster resources\n-------------------------------------------------------\n\nYou can use tenant permissions to restrict user interactions with the cluster on\nthe Google Cloud console. You grant users the\n[`roles/container.clusterViewer`](/kubernetes-engine/docs/how-to/iam#predefined)\nIAM permission as well as\n[role-based access control (RBAC) permissions](/kubernetes-engine/docs/how-to/role-based-access-control)\nto view resources in specific namespaces.\n| **Note:** By default, the Google Cloud console expects users to have view access to all namespaces in all clusters (that is, users have the `roles/container.viewer` IAM permission). If the user only has access to specific namespaces, they should follow the steps described in [View namespace-restricted resources in\n| the Google Cloud console](#viewing-resources).\n\nTo learn more about using namespaces, see\n[Organizing Kubernetes with Namespaces](https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-best-practices-organizing-with-namespaces)\nand [Enterprise multi-tenancy best practices](/kubernetes-engine/docs/best-practices/enterprise-multitenancy#create-namespaces).\n\nView namespace-restricted resources in the Google Cloud console\n---------------------------------------------------------------\n\nIf you have limited IAM or RBAC permissions and want to view\nnamespace-restricted resources on the Google Cloud console, follow these steps:\n\n1. Go to the **Workloads** page in the Google Cloud console.\n\n [Go to Workloads](https://console.cloud.google.com/kubernetes/workload/overview)\n2. Click the **Namespace** drop-down list.\n\n3. Click add **Add filter**.\n\n4. Enter the namespace you want to access, then click **Save**.\n\n5. Click **OK**.\n\nThe list will be filtered to show the selected namespace.\n\nShare saved views\n-----------------\n\nYou can also save the filtered list as a named *saved view*. The saved view\nwill persist across sessions, and can be shared with other users.\n\nTo share a saved view, follow these steps:\n\n1. Select the saved view from the **Saved view** drop-down list.\n2. Next to the **Saved view** drop-down list, click more_vert, then click **Share**.\n3. Click content_copy to copy the URL in the **Share view** dialog. You can share this URL with other users who need access to the same cluster and namespaces."]]
