Connect Google groups to Anthos clusters on Azure

This document describes how you can connect to Anthos clusters on Azure as a member of a Google group.

Using Google groups to grant cluster access is more efficient than creating separate authorizations for individual users. For example, let's say you want to add 50 users to the cluster Administrator group, 75 users to an Editor group, and 100 users to a Reader group. Enabling all these users to connect to your cluster would require you to create RBAC rules in the Kubernetes manifest file for 225 users. Enabling access to your cluster with Google groups, however saves you time because you only need to create RBAC rules for three Google groups.

Before you begin

To connect to your cluster as a member of a Google group, you need to satisfy the following prerequisites:

  1. Ensure that you have the latest version of the Google Cloud CLI. For information on updating gcloud CLI, see gcloud components update.

  2. Use Anthos clusters on Azure version 1.25 or above, which is required for kubectl access using connect gateway.

Connect to your cluster with Google groups

To authorize Google groups to connect to Anthos clusters on Azure, follow these steps:

  1. Enable the connectgateway and cloudresourcemanager APIs with the following command:

      gcloud services enable --project=PROJECT_ID \
          connectgateway.googleapis.com \
          cloudresourcemanager.googleapis.com
    

    Replace PROJECT_ID with the ID of your Azure project.

  2. Create a group called gke-security-groups as a group in your project's domain if it doesn't exist.

  3. Create one or more sub-groups within the gke-security-groups group for cluster authentication.

  4. Add users to the newly created sub-groups.

  5. For kubectl access using connect gateway, you need to grant IAM roles to Google groups:

    1. Select an appropriate role for a group. This role determines how the group interacts with the connect gateway. The role can be one of the following: roles/gkehub.gatewayAdmin, roles/gkehub.gatewayEditor, roles/gkehub.gatewayReader. (Note that you're not granting permissions over the cluster here - that step comes later. Here, you're just determining how users of the group can manipulate the connect gateway.)

    2. Run the following command to grant the role to the group:

      gcloud projects add-iam-policy-binding PROJECT_ID \
        --member=group:GROUP_NAME@DOMAIN \
        --role=GATEWAY_ROLE
      

      Replace the following:

      • PROJECT_ID: your Google project ID
      • GROUP_NAME: the name of the group to grant access to
      • DOMAIN: your Google Workspace domain
      • GATEWAY_ROLE: the selected role. For example roles/gkehub.gatewayAdmin, roles/gkehub.gatewayEditor, or roles/gkehub.gatewayReader.
  6. In a Kubernetes manifest, define the permissions each Google group has on the cluster. For example, the following manifest grants the Google Group cluster-admin-team the role of cluster administrator:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: gateway-cluster-admin-group
    subjects:
    - kind: Group
      name: cluster-admin-team@example.com
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
    
  7. Save the manifest to a file and apply it to the cluster by running the following command:

    kubectl apply -kubeconfig=KUBECONFIG_PATH -f FILENAME
    

    Replace the following:

    • KUBECONFIG_PATH: the path to your kubeconfig file.
    • FILENAME: the name of the manifest file you created.

Once you've performed these steps, users belonging to certain Google groups can connect to the cluster. In the given example, users belonging to the Google group cluster-admin-team can connect to the cluster as administrators.