
Document how to use Capsule with GCP

Open maxgio92 opened this issue 3 years ago • 2 comments

Describe the feature

This issue tracks the work to document how to use Capsule in a GCP environment with GKE and GCP IAM.

What would the new user story look like?

As an adopter I'd like to understand how to set up GCP and Kubernetes resources to make Capsule work in GKE with Tenant users as Google Users.

maxgio92 Jul 28 '22 17:07

This is a work in progress

  1. Create/update the GKE cluster, enabling the Google Groups for Kubernetes RBAC GKE feature
  2. Create a GCP IAM Group:
     • email: gke-security-group@<domain>
     • name: gke-security-group
  3. Create a GCP IAM Group that will be a Capsule Group, e.g.:
  4. Add the capsule-group GCP IAM Group above as a member of the gke-security-group GCP IAM Group
  5. Add the Google Users of the Capsule Tenant Owners as members of the capsule-group GCP IAM Group
  6. Create a GCP IAM Role to enable the Capsule Tenant Owner Google Users to authenticate to GKE (and Kubernetes) with permissions:
     • containers.clusters.get
     • containers.clusters.GetCredentials
  7. Assign the GCP IAM Role above to the Tenant Owner IAM User
  8. Create/update the used CapsuleConfiguration with, as Capsule group, the email of the GCP IAM Group capsule-group (i.e. [email protected])

maxgio92 Jul 28 '22 17:07
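The steps in the comment above, carried through end to end as an added example. This is not Capsule's documentation nor maxgio92's own script; the domain (`example.com`), project, cluster and region names, the owner account `alice@example.com`, the tenant name `oil`, the custom role ID `capsuleTenantOwner` and the choice of a regional cluster are all placeholders that can be overridden through environment variables. Two details are taken from the real GCP and Capsule APIs rather than from the comment: the IAM permission names are `container.clusters.get` and `container.clusters.getCredentials`, and the group is declared in the `spec.userGroups` list of a `capsule.clastix.io/v1alpha1` CapsuleConfiguration. The script performs no changes unless invoked with `apply`; `render` only prints the two manifests.

```shell
#!/usr/bin/env sh
# Added example, not Capsule's or the issue author's code. All names below are
# placeholders (assumptions); override them via the environment.
set -eu

DOMAIN="${DOMAIN:-example.com}"            # Cloud Identity / Workspace domain (assumed)
PROJECT="${PROJECT:-my-gcp-project}"       # project hosting the GKE cluster (assumed)
CLUSTER="${CLUSTER:-capsule-gke}"          # GKE cluster name (assumed, regional)
REGION="${REGION:-europe-west1}"           # cluster region (assumed)
OWNER="${OWNER:-alice@${DOMAIN}}"          # a tenant owner's Google account (assumed)
TENANT="${TENANT:-oil}"                    # tenant name (assumed)

# GKE only resolves memberships of groups nested under a group with exactly
# this name, so the name is not ours to choose.
GKE_SECURITY_GROUP="gke-security-group@${DOMAIN}"
# The group Capsule treats as the tenant-owner group; its name is our choice.
CAPSULE_GROUP="capsule-group@${DOMAIN}"
# Custom IAM role ID (assumed) carrying only what is needed to fetch credentials.
ROLE_ID="capsuleTenantOwner"

# Step 1: enable Google Groups for RBAC on an existing cluster.
enable_groups_rbac() {
  gcloud container clusters update "$CLUSTER" --region "$REGION" --project "$PROJECT" \
    --security-group="$GKE_SECURITY_GROUP"
}

# Steps 2-5: create both groups, nest capsule-group inside gke-security-group
# (otherwise GKE never sees its members), then add the owner to capsule-group.
create_groups() {
  gcloud identity groups create "$GKE_SECURITY_GROUP" --organization="$DOMAIN" \
    --display-name="gke-security-group"
  gcloud identity groups create "$CAPSULE_GROUP" --organization="$DOMAIN" \
    --display-name="capsule-group"
  gcloud identity groups memberships add --group-email="$GKE_SECURITY_GROUP" \
    --member-email="$CAPSULE_GROUP"
  gcloud identity groups memberships add --group-email="$CAPSULE_GROUP" \
    --member-email="$OWNER"
}

# Steps 6-7: least-privilege role (cluster lookup + kubeconfig credentials only),
# bound to the owner. Everything else the owner can do comes from Capsule RBAC.
create_and_bind_role() {
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT" \
    --title="Capsule tenant owner (GKE auth only)" \
    --permissions=container.clusters.get,container.clusters.getCredentials
  gcloud projects add-iam-policy-binding "$PROJECT" \
    --member="user:${OWNER}" --role="projects/${PROJECT}/roles/${ROLE_ID}"
}

# Step 8: CapsuleConfiguration listing the Google Group email as a user group.
render_capsule_configuration() {
  cat <<EOF
apiVersion: capsule.clastix.io/v1alpha1
kind: CapsuleConfiguration
metadata:
  name: default
spec:
  userGroups:
    - ${CAPSULE_GROUP}
EOF
}

# A Tenant owned by the Google account. GKE presents Google users to the API
# server with their email address as the Kubernetes username.
render_tenant() {
  cat <<EOF
apiVersion: capsule.clastix.io/v1beta1
kind: Tenant
metadata:
  name: ${TENANT}
spec:
  owners:
    - name: ${OWNER}
      kind: User
EOF
}

# Nothing changes unless explicitly asked for.
case "${1:-}" in
  apply)
    enable_groups_rbac
    create_groups
    create_and_bind_role
    render_capsule_configuration | kubectl apply -f -
    render_tenant | kubectl apply -f -
    ;;
  render)
    render_capsule_configuration
    echo "---"
    render_tenant
    ;;
esac
```

Usage: `sh gke-capsule.sh render` to inspect the manifests, `sh gke-capsule.sh apply` (with `gcloud` and `kubectl` authenticated against the project and cluster) to perform the steps. A quick check after applying: `kubectl auth can-i create namespaces --as="$OWNER" --as-group="$CAPSULE_GROUP"` should answer `yes`, while the same command without `--as-group` should answer `no`, which confirms that the group, not the bare user, is what grants the owner its Capsule privileges.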