Connect Google groups to Anthos clusters on Azure
This document describes how you can connect to Anthos clusters on Azure as a member of a Google group.
Using Google groups to grant cluster access is more efficient than creating separate authorizations for individual users. For example, let's say you want to add 50 users to the cluster Administrator group, 75 users to an Editor group, and 100 users to a Reader group. Enabling all these users to connect to your cluster would require you to create RBAC rules in the Kubernetes manifest file for 225 users. Enabling access to your cluster with Google groups, however saves you time because you only need to create RBAC rules for three Google groups.
Before you begin
To connect to your cluster as a member of a Google group, you need to satisfy the following prerequisites:
Ensure that you have the latest version of the Google Cloud CLI. For information on updating the gcloud CLI, see gcloud components update.
Use Anthos clusters on Azure version 1.25 or above, which is required for kubectl access using connect gateway.
Connect to your cluster with Google groups
To authorize Google groups to connect to Anthos clusters on Azure, follow these steps:
Enable the connectgateway and cloudresourcemanager APIs with the following command:
gcloud services enable --project=PROJECT_ID \
    connectgateway.googleapis.com \
    cloudresourcemanager.googleapis.com
Replace PROJECT_ID with the ID of your Google Cloud project.
Create a group called gke-security-groups in your project's domain if it doesn't already exist.
Create one or more sub-groups within the gke-security-groups group for cluster authentication.
Add users to the newly created sub-groups.
For kubectl access using connect gateway, you need to grant IAM roles to the Google groups:
Select an appropriate role for the group. This role determines how the group interacts with the connect gateway. The role is one of the gkehub gateway roles, for example roles/gkehub.gatewayReader. (Note that you're not granting permissions over the cluster here; that step comes later. Here, you're only determining how members of the group can use the connect gateway.)
Run the following command to grant the role to the group:
gcloud projects add-iam-policy-binding PROJECT_ID \
    --member=group:GROUP_NAME@DOMAIN \
    --role=GATEWAY_ROLE
Replace the following:
PROJECT_ID: your Google project ID
GROUP_NAME: the name of the group to grant access to
DOMAIN: your Google Workspace domain
GATEWAY_ROLE: the selected role, for example roles/gkehub.gatewayReader
In a Kubernetes manifest, define the permissions each Google group has on the cluster. For example, the following manifest grants the Google group cluster-admin-team the cluster-admin role:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gateway-cluster-admin-group
subjects:
- kind: Group
  # Replace DOMAIN with your Google Workspace domain
  name: cluster-admin-team@DOMAIN
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Save the manifest to a file and apply it to the cluster by running the following command:
kubectl apply --kubeconfig=KUBECONFIG_PATH -f FILENAME
Replace the following:
KUBECONFIG_PATH: the path to your kubeconfig file
FILENAME: the name of the manifest file you created.
Once you've performed these steps, users belonging to the authorized Google groups can connect to the cluster. In the given example, members of the Google group cluster-admin-team can connect to the cluster as administrators.
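As an added example that is not part of the original page, the following POSIX shell script renders one ClusterRoleBinding per Google group. It goes beyond the single cluster-admin binding shown above and covers the administrator, editor and reader groups from the introduction, mapping them to the built-in cluster-admin, edit and view ClusterRoles. It also wraps a kubectl impersonation check so you can verify what a group member would be allowed to do before anyone from that group signs in. The group names cluster-admin-team, cluster-editor-team and cluster-reader-team, the binding names and the probe user name are assumptions; DOMAIN is the placeholder used elsewhere in this document.

```shell
#!/bin/sh
# Added example: render RBAC bindings for Google groups and check them.
# Group names, binding names and the probe user are assumptions.

# Print one ClusterRoleBinding that maps a Google group to a ClusterRole.
# $1 = binding name, $2 = group email, $3 = ClusterRole name
render_group_binding() {
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $1
subjects:
- kind: Group
  name: $2
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: $3
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Render the three bindings (admin, editor, reader) for one Workspace domain,
# separated by YAML document markers so the output can be applied as one file.
# $1 = your Google Workspace domain (the DOMAIN placeholder above)
render_all_bindings() {
  domain="$1"
  render_group_binding gateway-cluster-admin-group "cluster-admin-team@$domain" cluster-admin
  printf -- '---\n'
  render_group_binding gateway-editor-group "cluster-editor-team@$domain" edit
  printf -- '---\n'
  render_group_binding gateway-reader-group "cluster-reader-team@$domain" view
}

# Ask the API server whether a member of the group may perform a verb on a
# resource, using kubectl impersonation of a hypothetical probe user that
# carries the group as one of its groups.
# $1 = kubeconfig path, $2 = group email, $3 = verb, $4 = resource
check_group_access() {
  kubectl --kubeconfig="$1" auth can-i "$3" "$4" \
    --as="probe-user@${2#*@}" --as-group="$2"
}

# Example use (only when invoked as: sh thisfile.sh render example.com):
#   sh thisfile.sh render DOMAIN > group-bindings.yaml
#   kubectl apply --kubeconfig=KUBECONFIG_PATH -f group-bindings.yaml
#   sh thisfile.sh check KUBECONFIG_PATH cluster-reader-team@DOMAIN delete pods
case "${1:-}" in
  render) render_all_bindings "$2" ;;
  check)  check_group_access "$2" "$3" "$4" "$5" ;;
esac
```

The impersonation check only works for a caller who is already allowed to impersonate users and groups on the cluster (the cluster-admin role includes that); expect the reader group check for delete pods to answer no and the equivalent check for get pods to answer yes, which is the least-privilege split the three groups are meant to enforce.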