Stay organized with collectionsSave and categorize content based on your preferences.
When you deploy to Google Kubernetes Engine (GKE), the default Cloud Deployexecution service accounthas access to all namespaces in the target cluster. You can configure that
service account to deploy to only one namespace.
Ensure that the execution service account doesn't have theroles/container.developerIAM role.
Grant the service account theroles/container.clusterViewerrole.
This role allows the service account to authenticate on the cluster, but do
nothing else.
Create a Kubernetes RBAC Role that grants admin access to the namespace.
The RBAC role in this example has broad permissions, equivalent to theclouddeploy.developerIAM role.
To minimize the risk of privilege escalation, we recommend you change these
permissions to the minimum required for your applications. For instructions,
see theRBAC documentation for GKE.
Create aRoleBindingthat binds that RBAC Role in your chosen
namespace to the Cloud Deploy execution service account:
kind:RoleBindingapiVersion:rbac.authorization.k8s.io/v1metadata:name:adminnamespace:NAMESPACEsubjects:# Google Cloud user account-kind:Username:SERVICE_ACCOUNTroleRef:kind:Rolename:adminapiGroup:rbac.authorization.k8s.io
This manifest defines an RBAC policy binding theadminRole to your execution
service account.NAMESPACEis the namespace for
which you want to grant the service account access. The service account can't
access any other namespace on the cluster.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eBy default, Cloud Deploy's execution service account has access to all namespaces in a GKE cluster, but this can be configured to restrict access to a single namespace.\u003c/p\u003e\n"],["\u003cp\u003eRemove the \u003ccode\u003eroles/container.developer\u003c/code\u003e IAM role from the execution service account and grant it the \u003ccode\u003eroles/container.clusterViewer\u003c/code\u003e role for authentication.\u003c/p\u003e\n"],["\u003cp\u003eCreate a Kubernetes RBAC Role to provide the necessary admin access within the specified namespace, adjusting permissions as needed for the applications, and this Role is equivalent to the \u003ccode\u003eclouddeploy.developer\u003c/code\u003e IAM role.\u003c/p\u003e\n"],["\u003cp\u003eCreate a RoleBinding to link the RBAC Role to the Cloud Deploy execution service account, limiting its access to the specified namespace only.\u003c/p\u003e\n"],["\u003cp\u003eApply the created RBAC manifest to the cluster to enforce the namespace-specific access restrictions.\u003c/p\u003e\n"]]],[],null,["# Restrict deployment to a GKE namespace\n\nWhen you deploy to Google Kubernetes Engine (GKE), the default Cloud Deploy\n[execution service account](/deploy/docs/cloud-deploy-service-account#execution_service_account)\nhas access to all namespaces in the target cluster. You can configure that\nservice account to deploy to only one namespace.\n| **Note:** The instructions in this document are for deploying to GKE. If you're deploying to GKE Enterprise clusters, see [this document](/anthos/multicluster-management/gateway/setup#configure_role-based_access_control_rbac_policies) for further instructions on setting up RBAC policies.\n\n1. Ensure that the execution service account doesn't have the\n `roles/container.developer` IAM role.\n\n2. Grant the service account the `roles/container.clusterViewer` role.\n\n gcloud projects add-iam-policy-binding \u003cvar label=\"project id\" translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e \\\n --member=\"serviceAccount:\u003cvar label=\"service account\" translate=\"no\"\u003eSERVICE_ACCOUNT\u003c/var\u003e\" \\\n --role=\"roles/container.clusterViewer\"\n\n This role allows the service account to authenticate on the cluster, but do\n nothing else.\n3. Create a Kubernetes RBAC Role that grants admin access to the namespace.\n\n The RBAC role in this example has broad permissions, equivalent to the\n [`clouddeploy.developer` IAM role](/deploy/docs/iam-roles-permissions#predefined_roles).\n To minimize the risk of privilege escalation, we recommend you change these\n permissions to the minimum required for your applications. For instructions,\n see the [RBAC documentation for GKE](/kubernetes-engine/docs/how-to/role-based-access-control). \n\n kind: Role\n apiVersion: rbac.authorization.k8s.io/v1\n metadata:\n name: admin\n namespace: \u003cvar label=\"namespace\" translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eNAMESPACE\u003c/span\u003e\u003c/var\u003e\n rules:\n - apiGroups: [\"\", \"extensions\", \"apps\"]\n resources: [\"*\"]\n verbs: [\"*\"]\n\n4. Create a `RoleBinding` that binds that RBAC Role in your chosen\n namespace to the Cloud Deploy execution service account:\n\n kind: RoleBinding\n apiVersion: rbac.authorization.k8s.io/v1\n metadata:\n name: admin\n namespace: \u003cvar label=\"namespace\" translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eNAMESPACE\u003c/span\u003e\u003c/var\u003e\n subjects:\n # Google Cloud user account\n - kind: User\n name: \u003cvar label=\"service account\" translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eSERVICE_ACCOUNT\u003c/span\u003e\u003c/var\u003e\n roleRef:\n kind: Role\n name: admin\n apiGroup: rbac.authorization.k8s.io\n\n This manifest defines an RBAC policy binding the `admin` Role to your execution\n service account. \u003cvar translate=\"no\"\u003eNAMESPACE\u003c/var\u003e is the namespace for\n which you want to grant the service account access. The service account can't\n access any other namespace on the cluster.\n5. Apply the RBAC manifest to the cluster:\n\n kubectl apply -f \u003cvar label=\"yaml\" translate=\"no\"\u003eYAML_NAME\u003c/var\u003e"]]
