Manage identity with GKE Identity Service

Google Distributed Cloud supports OpenID Connect (OIDC) and Lightweight Directory Access Protocol (LDAP) as authentication mechanisms for interacting with a cluster's Kubernetes API server, using GKE Identity Service. GKE Identity Service is an authentication service that lets you bring your existing identity solutions for authentication to multiple GKE Enterprise environments. Users can log in to and use your GKE clusters from the command line (all providers) or from the Google Cloud console (OIDC only), all using your existing identity provider.

GKE Identity Service works with any kind of bare metal cluster: admin, user, hybrid, or standalone. You can use both on-premises and publicly reachable identity providers. For example, if your enterprise runs an Active Directory Federation Services (ADFS) server, the ADFS server could serve as your OpenID provider. You might also use publicly-reachable identity provider services such as Okta. Identity provider certificates may be issued by either a well-known public certificate authority (CA), or by a private CA.

For an overview of how GKE Identity Service works, see Introducing GKE Identity Service .

If you already use or want to use Google IDs to sign in to your GKE clusters instead of an OIDC or LDAP provider, we recommend using the Connect gateway for authentication. Find out more in Connecting to registered clusters with the Connect gateway .

Before you begin

• Note that headless systems are unsupported. A browser-based authentication flow is used to prompt users for consent and authorize their user account.

• To authenticate through the Google Cloud console, each cluster that you want to configure must be registered with your project fleet .

Setup process and options

GKE Identity Service supports identity providers using the following protocols:

• OpenID Connect (OIDC) . We provide specific instructions for setup for some popular OpenID providers, including Microsoft, but you can use any provider that implements OIDC.

• Lightweight Directory Access Protocol (LDAP) . You can use GKE Identity Service to authenticate using LDAP with Active Directory or an LDAP server.

OIDC

1. Register GKE Identity Service as a client with your OIDC provider following the instructions in Configuring providers for GKE Identity Service .

2. Choose from the following cluster configuration options:

   • Configure your clusters at fleet level following the instructions in Configuring clusters for fleet-level GKE Identity Service (preview, Distributed Cloud version 1.8 and higher). With this option, your authentication configuration is centrally managed by Google Cloud.

   • Configure your clusters individually following the instructions in Configuring clusters for GKE Identity Service with OIDC . Because fleet-level setup is a preview feature, you may want to use this option in production environments, if you are using an earlier version of Google Distributed Cloud, or if you require GKE Identity Service features that aren't yet supported with fleet-level lifecycle management.

3. Set up user access to your clusters, including role-based access control (RBAC), following the instructions in Setting up user access for GKE Identity Service .

LDAP

• Follow the instructions in Set up GKE Identity Service with LDAP .

Access clusters

After GKE Identity Service has been set up, users can sign in to configured clusters using either the command line or the Google Cloud console.

• Learn how to sign in to registered clusters with your OIDC or LDAP ID in Accessing clusters using GKE Identity Service .

• Learn how to sign in to clusters from the Google Cloud console in Work with clusters from the Google Cloud console (OIDC only).