Set up Anthos Identity Service for a fleet
A fleet in Google Cloud is a logical group of Kubernetes clusters and other resources that can be managed together, created by registering clusters to Google Cloud. Fleet-level setup for Anthos Identity Service builds on the power of fleets to let administrators set up authentication with their preferred identity providers for one or more Anthos clusters at once, with their authentication configuration maintained by Anthos and stored in Google Cloud.
This guide explains how to set up Anthos Identity Service at the fleet level for supported cluster types and environments.
This guide assumes that you have read the Anthos Identity Service Overview and that you are already familiar with some basic fleet concepts and with registering clusters to Google Cloud. If not, you can find out more in the Fleets guide and in Registering a cluster.
The following cluster types and environments are supported for fleet-level setup:
- Anthos clusters on VMware, version 1.8.2 or higher
- Anthos clusters on bare metal, version 1.8.3 or higher
- Anthos clusters on Azure
- Anthos clusters on AWS running Kubernetes 1.21 or higher
- GKE clusters on Google Cloud with Identity Service for GKE enabled. Follow the instructions in Identity Service for GKE to enable the feature before configuring authentication for the cluster.
The following cluster type and environment is supported for fleet-level setup, currently in Pre-GA:
- Amazon Elastic Kubernetes Service (Amazon EKS) attached clusters
You can find out how to register attached clusters in the attached clusters setup guide.
Other Anthos Identity Service supported cluster types and environments still require per-cluster setup.
You may also want to use per-cluster setup if you are using an earlier version of Anthos clusters, or if you require Anthos Identity Service features that aren't yet supported with fleet-level lifecycle management.
Identity provider types
If you configure fleet-level Anthos Identity Service, you can only use OpenID Connect (OIDC) identity providers.
If you want to use an LDAP identity provider, you can find out how to set this up on a per-cluster basis in Setting up Anthos Identity Service with LDAP.
Setting up Anthos Identity Service at fleet level involves the following roles and steps:
- The platform administrator registers Anthos Identity Service as a client application with their preferred identity provider and gets a client ID and secret. To do this, follow the instructions in Configure OIDC providers for Anthos Identity Service.
- The cluster administrator configures clusters to use the service. To do this, follow the instructions in Configure clusters for Anthos Identity Service.
- The cluster administrator sets up user access, and optionally configures Kubernetes role-based access control (RBAC) for users on the clusters. To do this, follow the instructions in Set up user access for Anthos Identity Service.
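As an added example (not taken from this page or the guides it links to), a fleet-level OIDC configuration file of the kind the cluster administrator applies in the second step; the field set is assumed from the Anthos Identity Service ClientConfig format, and the issuer, client ID, secret, redirect port and prefixes are placeholder values.

```yaml
# auth-config.yaml: fleet-level OIDC configuration for Anthos Identity Service.
# Assumed format (ClientConfig, authentication.gke.io/v2alpha1); every value below is a placeholder.
apiVersion: authentication.gke.io/v2alpha1
kind: ClientConfig
metadata:
  name: default
  namespace: kube-public
spec:
  authentication:
  - name: oidc                              # login method name shown to users
    oidc:
      clientID: PLACEHOLDER_CLIENT_ID       # issued when the platform administrator registers the service (step 1)
      clientSecret: PLACEHOLDER_SECRET      # stored by Anthos in Google Cloud; keep this file out of version control
      issuerURI: https://idp.example.com/   # discovery document at <issuerURI>/.well-known/openid-configuration
      cloudConsoleRedirectURI: https://console.cloud.google.com/kubernetes/oidc
      kubectlRedirectURI: http://localhost:10000/callback   # local port used by the kubectl login flow
      scopes: openid,email                  # add a groups scope only if the provider requires it for the groups claim
      userClaim: email                      # ID token claim mapped to the Kubernetes username
      userPrefix: oidc-                     # prefix keeps IdP identities distinct from built-in Kubernetes subjects
      groupsClaim: groups                   # claim used for RBAC group bindings (step 3)
      groupPrefix: oidc-
```

The file is applied to a registered cluster with `gcloud container fleet identity-service apply --membership=MEMBERSHIP_NAME --config=auth-config.yaml` (command assumed from the Anthos CLI, not given on this page); the `userPrefix` and `groupPrefix` values are what the RBAC bindings in step 3 must reference.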