Manage identity with GKE Identity Service

GKE on VMware supports OpenID Connect (OIDC) and Lightweight Directory Access Protocol (LDAP) as authentication mechanisms for interacting with a cluster's Kubernetes API server, using GKE Identity Service. GKE Identity Service is an authentication service that lets you bring your existing identity solutions for authentication to multiple GKE Enterprise environments. Users can log in to and use your GKE clusters from the command line (all providers) or from the Google Cloud console (OIDC only), all using your existing identity provider.

You can use both on-premises and publicly reachable identity providers with GKE Identity Service. For example, if your enterprise runs an Active Directory Federation Services (ADFS) server, the ADFS server could serve as your OpenID provider. You might also use publicly reachable identity provider services such as Okta. Identity provider certificates may be issued either by a well-known public certificate authority (CA) or by a private CA.

For an overview of how GKE Identity Service works, see Introducing GKE Identity Service.

If you already use or want to use Google IDs to log in to your GKE clusters instead of an OIDC or LDAP provider, we recommend using the Connect gateway for authentication. Find out more in Connecting to registered clusters with the Connect gateway.

Setup process and options

OIDC

  1. Register GKE Identity Service as a client with your OIDC provider following the instructions in Configuring providers for GKE Identity Service.

  2. Choose from the following cluster configuration options:

    • Configure your clusters at fleet level following the instructions in Configuring clusters for fleet-level GKE Identity Service (preview, GKE on VMware version 1.8 and higher). With this option, your authentication configuration is centrally managed by Google Cloud.
    • Configure your clusters individually following the instructions in Configuring clusters for GKE Identity Service with OIDC. You may want to use this option if you are running in a production environment (because fleet-level setup is a preview feature), if you are using an earlier version of GKE on VMware, or if you require GKE Identity Service features that aren't yet supported with fleet-level lifecycle management.
  3. Set up user access to your clusters, including role-based access control (RBAC), following the instructions in Setting up user access for GKE Identity Service.

LDAP

Accessing clusters

After GKE Identity Service has been set up, users can log in to configured clusters using either the command line or the Google Cloud console.