Changing Permissions of Google Container Engine Cluster
The permissions are defined by the service accounts attached to your node VMs during cluster creation (service accounts can't be changed after a VM is instantiated, so this the only time you can pick the permissions).
If you use the cloud console, click the "More" link on the create cluster page and you will see a list of permissions that you can add to the nodes in your cluster (all defaulting to off). Toggle any on that you'd like and you should see the appropriate permissions after your cluster is created.
If you use the command line to create your cluster, pass the --scopes command to gcloud container clusters create to set the appropriate service account scopes on your node VMs.
With Node Pools, you can sort of add scopes to a running cluster by creating a new node pool with the scopes you want (and then deleting the old one):
gcloud container node-pools create np1 --cluster $CLUSTER --scopes $SCOPES
gcloud container node-pools delete default-pool --cluster $CLUSTER
Hmm, I've found a couple of things, that maybe would be interested:
Permissions belong to a service account (so-called
Compute Engine default service account, looks like[email protected])Any VM by default works using this service account. And its permissions do not let us
Cloud SQL, buckets and so on. But...But you can change this behavior using another service account with the right perms. Just create it manually and set only needed perms. Switch it out using
gcloud auth activate-service-account --key-file=/new-service-account-cred.jsonThat's it.