Setting up Anthos Identity Service for a fleet

A fleet in Google Cloud is a logical group of Kubernetes clusters and other resources that can be managed together, created by registering clusters to Google Cloud using Connect. Fleet-level setup for Anthos Identity Service uses fleets to let administrators configure authentication with their preferred identity providers for one or more Anthos clusters at once, with the authentication configuration maintained by Anthos and stored in Google Cloud.

This guide explains how to set up Anthos Identity Service at the fleet level for supported cluster types and environments. Fleet-level setup is supported for Anthos clusters on-premises (both VMware and bare metal), Anthos clusters on Azure, and EKS attached clusters on AWS in this preview release. Further environments and cluster types will be added in future releases.

This guide assumes that you have read the Anthos Identity Service Overview and that you are already familiar with some basic fleet concepts and with registering clusters to Google Cloud. If not, you can find out more in the Fleets guide and in Registering a cluster.

Prerequisites

Cluster types

The following cluster types and environments are supported for fleet-level setup in this preview release:

  * Anthos clusters on-premises (VMware and bare metal)
  * Anthos clusters on Azure
  * EKS attached clusters on AWS

You can find out how to register attached clusters in the attached clusters setup guide.

Other Anthos Identity Service supported cluster types and environments still require per-cluster setup.

Because fleet-level setup is a preview feature, you may prefer per-cluster setup for Anthos clusters in production environments, for earlier versions of Anthos clusters, or when you need Anthos Identity Service features that aren't yet supported with fleet-level lifecycle management.

Identity provider types

Anthos Identity Service supports OpenID Connect (OIDC) identity providers only for fleet-level setup.

If you want to use an LDAP identity provider, you can find out how to set this up on a per-cluster basis in Setting up Anthos Identity Service with LDAP.

Setup overview

Setting up Anthos Identity Service at fleet level involves the following users and steps:

  1. The platform administrator registers Anthos Identity Service as a client application with their preferred identity provider and gets a client ID and secret. To do this, follow the instructions in Configuring providers for Anthos Identity Service.
  2. The cluster administrator configures clusters to use the service. To do this, follow the instructions in Configuring clusters for Anthos Identity Service.
  3. The cluster administrator sets up user access, and optionally configures Kubernetes role-based access control (RBAC) for users on the clusters. To do this, follow the instructions in Setting up user access for Anthos Identity Service.