A fleet in Google Cloud is a logical group of Kubernetes clusters and other resources that can be managed together, created by registering clusters to Google Cloud using Connect. Fleet-level setup for Anthos Identity Service builds on fleets to let administrators configure authentication with their preferred identity providers for one or more Anthos clusters at once, with the authentication configuration maintained by Anthos and stored in Google Cloud.
This guide explains how to set up Anthos Identity Service at the fleet level for supported cluster types and environments. In this preview release, fleet-level setup is supported for the cluster types and environments listed in the following section. Further environments and cluster types will be added in future releases.
This guide assumes that you have read the Anthos Identity Service Overview and that you are already familiar with some basic fleet concepts and with registering clusters to Google Cloud. If not, you can find out more in the Fleets guide and in Registering a cluster.
The following cluster types and environments are supported for fleet-level setup:
- Anthos clusters on VMware, version 1.8.2 or higher
- Anthos clusters on bare metal, version 1.8.3 or higher
- Anthos clusters on Azure
- Anthos clusters on AWS running Kubernetes 1.21 or higher
- GKE clusters on Google Cloud with Identity Service for GKE enabled. Follow the instructions in Identity Service for GKE to enable the feature before configuring authentication for the cluster.
- Amazon Elastic Kubernetes Service (Amazon EKS) attached clusters
You can find out how to register attached clusters in the attached clusters setup guide.
Other Anthos Identity Service supported cluster types and environments still require per-cluster setup.
Because fleet-level setup is a preview feature, you might prefer per-cluster setup for Anthos clusters in production environments, for clusters running an earlier version of Anthos, or where you need Anthos Identity Service features that fleet-level lifecycle management does not yet support.
Identity provider types
For fleet-level setup, Anthos Identity Service supports OpenID Connect (OIDC) identity providers only.
If you want to use an LDAP identity provider, you can find out how to set this up on a per-cluster basis in Setting up Anthos Identity Service with LDAP.
Setting up Anthos Identity Service at fleet level involves the following roles and steps:
- The platform administrator registers Anthos Identity Service as a client application with their preferred identity provider and gets a client ID and secret. To do this, follow the instructions in Configuring providers for Anthos Identity Service.
- The cluster administrator configures clusters to use the service. To do this, follow the instructions in Configuring clusters for Anthos Identity Service.
- The cluster administrator sets up user access, and optionally configures Kubernetes role-based access control (RBAC) for users on the clusters. To do this, follow the instructions in Setting up user access for Anthos Identity Service.
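The following is an added example of the optional RBAC step above, not configuration from the original page. It assumes the cluster's OIDC configuration identifies users by the `email` claim and groups by the `groups` claim, with both the user prefix and the group prefix set to `oidc:`; the prefix values, the group name `platform-admins`, the user `alice@example.com` and the namespace `dev` are hypothetical. The security-relevant point is that an RBAC subject name must exactly match the prefix plus claim value that the cluster sees after authentication; a binding whose name does not match grants nothing, without any error.

```yaml
# Added example (not from the original page): Kubernetes RBAC for identities
# authenticated through Anthos Identity Service with an OIDC provider.
# Assumed: userPrefix and groupPrefix are both "oidc:", users are identified by
# the email claim and groups by the groups claim. Adjust to your configuration.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-platform-admins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: Group
  apiGroup: rbac.authorization.k8s.io
  name: "oidc:platform-admins"      # groupPrefix + groups-claim value (assumed)
---
# Least-privilege binding for one user, limited to a single namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: oidc-dev-viewer
  namespace: dev
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: User
  apiGroup: rbac.authorization.k8s.io
  name: "oidc:alice@example.com"    # userPrefix + email-claim value (assumed)
```

Apply the manifest with `kubectl apply` using cluster-admin credentials, then check the result before handing access to users, for example with `kubectl auth can-i list pods -n dev --as=oidc:alice@example.com` (impersonation with `--as` itself requires the impersonate permission). Bind `cluster-admin` only to a group whose membership is controlled in the identity provider, and prefer namespaced `RoleBinding` objects with the built-in `view`, `edit` or `admin` roles for everyone else.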