Google Cloud provides a range of features to secure your fleet and the applications that run on it. This page provides an overview of fleet security features, with links to find out more.
Google Cloud provides the following options for authenticating to fleet clusters in a simple, consistent, and secured way, wherever the clusters live. After you have set up authentication, you can configure more fine-grained access control to your clusters using Kubernetes role-based access control (RBAC).
Authenticate with Google Cloud
All GKE clusters on Google Cloud are configured to accept Google Cloud user and service account identities by default. If your fleet contains clusters in multiple environments, you can configure the Connect gateway so that users and service accounts can also authenticate to any registered cluster using their Google Cloud ID.
Learn more about setting up and using authentication with Google Cloud in the following guides:
- Configuring cluster access for
- Connecting to registered clusters with the Connect gateway
- Setting up the Connect gateway
- Using the Connect gateway
Authenticate with third-party providers
If you want to use your existing third-party identity provider to authenticate to your fleet clusters, Anthos Identity Service is an authentication service that lets you bring your existing identity solutions to multiple environments. It supports all OpenID Connect (OIDC) providers such as Okta and Microsoft AD FS, as well as preview support for LDAP providers in some environments. You can set up Anthos Identity Service on a cluster-by-cluster basis or with a single configuration for your entire fleet, where supported.
Learn more about setting up and using third-party authentication, including supported environments and providers, in the following guides:
Authenticate with a bearer token
If the preceding Google-provided solutions aren't suitable for your organization, you can set up authentication using a Kubernetes service account and using its bearer token to log in. For details, see Set up using a bearer token.
Manage cluster policies
Policy Controller enables the enforcement of fully programmable policies for your fleet clusters. These policies act as "guardrails" and prevent any changes to the configuration of the Kubernetes API from violating security, operational, or compliance controls.
Learn more about what you can do with Policy Controller in the Policy Controller documentation.
Manage application security
Google Cloud provides a range of features and products that provide security at the application level, including Binary Authorization to ensure only trusted images are deployed on your fleet clusters, Kubernetes network policies to control connections between Pods, and fine-grained service access control for Anthos Service Mesh.
For fleet clusters on Google Cloud, VMware, and bare metal only, the Anthos Security dashboard also provides an at-a-glance view of your applications' current security features, as well as a more detailed policy audit view to show you where you can modify security configurations or workloads to improve your security posture.
Learn more about fleet application security features in the following guides:
- Monitor application security
- Binary Authorization
- Kubernetes network policies
- Application security in Anthos Service Mesh: