Set up GKE Identity Service for a fleet

A fleet in Google Cloud is a logical group of Kubernetes clusters and other resources that can be managed together, created by registering clusters to Google Cloud. Fleet-level setup for GKE Identity Service builds on the power of fleets to let administrators set up authentication with their preferred identity providers for one or more GKE clusters at once, with their authentication configuration maintained by GKE Enterprise and stored in Google Cloud.

This guide explains how to set up GKE Identity Service at the fleet level for supported cluster types and environments.

This guide assumes that you have read the GKE Identity Service Overview and that you are already familiar with some basic fleet concepts and with registering clusters to Google Cloud. If not, you can find out more in the Fleets guide and in Registering a cluster.

Prerequisites

Cluster types

The following cluster types and environments are supported for fleet-level setup:

The following cluster type and environment is supported for fleet-level setup, currently in Pre-GA:

  • Amazon Elastic Kubernetes Service (Amazon EKS) attached clusters

You can find out how to register attached clusters in the attached clusters setup guide.

Other GKE Identity Service supported cluster types and environments still require per-cluster setup.

You may also want to use per-cluster setup if you are using an earlier version of GKE clusters, or if you require GKE Identity Service features that aren't yet supported with fleet-level lifecycle management.

Identity provider types

If you configure fleet-level GKE Identity Service, you can only use OpenID Connect (OIDC) identity providers.

If you want to use an LDAP identity provider, you can find out how to set this up on a per-cluster basis in Setting up GKE Identity Service with LDAP.

Setup overview

Setting up GKE Identity Service at fleet level involves the following users and steps:

  1. The platform administrator registers GKE Identity Service as a client application with their preferred identity provider and gets a client ID and secret. To do this, follow the instructions in Configure OIDC providers for GKE Identity Service.
  2. The cluster administrator configures clusters to use the service. To do this, follow the instructions in Configure clusters for GKE Identity Service.
  3. The cluster administrator sets up user access, and optionally configures Kubernetes role-based access control (RBAC) for users on the clusters. To do this, follow the instructions in Set up user access for GKE Identity Service.
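As an added example (not part of this guide or of GKE Identity Service itself), a pre-flight check a cluster administrator can run in step 2 over the fleet-level auth config before passing it to `gcloud container fleet identity-service apply`; the field names under `spec.authentication[].oidc` (`issuerURI`, `clientID`, `clientSecret`, `kubectlRedirectURI`, `userClaim`, `groupsClaim`) are assumed from the linked configuration guide, and the sample config is constructed.

```python
# Added example: sanity checks over a fleet-level GKE Identity Service auth
# config (the YAML given to `gcloud container fleet identity-service apply
# --config=FILE`), expressed here as a Python dict. Field names under
# spec.authentication[].oidc are assumed from the linked configuration guide.
from urllib.parse import urlparse

# Constructed sample: a config with several weaknesses a reviewer should catch.
WEAK_CONFIG = {
    "spec": {"authentication": [{"name": "oidc", "oidc": {
        "issuerURI": "http://idp.example.com/",        # plaintext issuer
        "clientID": "gke-identity-service",
        "clientSecret": "",                             # secret never filled in
        "kubectlRedirectURI": "http://0.0.0.0/callback",  # not loopback/https
        "userClaim": "email",
        # groupsClaim omitted: group-based RBAC will not work
    }}]}
}

LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def check_oidc_entry(name, oidc):
    """Return findings for one spec.authentication[].oidc entry."""
    findings = []
    if urlparse(oidc.get("issuerURI", "")).scheme != "https":
        findings.append(f"{name}: issuerURI must use https")
    if not oidc.get("clientID"):
        findings.append(f"{name}: clientID is empty")
    if not oidc.get("clientSecret"):
        findings.append(f"{name}: clientSecret is empty (register the client first)")
    redirect = urlparse(oidc.get("kubectlRedirectURI", ""))
    if redirect.scheme != "https" and redirect.hostname not in LOOPBACK_HOSTS:
        findings.append(f"{name}: kubectlRedirectURI should be https or a loopback address")
    if not oidc.get("userClaim"):
        findings.append(f"{name}: userClaim not set")
    if not oidc.get("groupsClaim"):
        findings.append(f"{name}: groupsClaim not set; RBAC must bind individual users")
    return findings


def check_config(config):
    """Check every authentication entry; fleet-level setup supports OIDC only."""
    findings = []
    for entry in config.get("spec", {}).get("authentication", []):
        name = entry.get("name", "?")
        if "oidc" not in entry:
            findings.append(f"{name}: only OIDC providers are supported at fleet level")
            continue
        findings.extend(check_oidc_entry(name, entry["oidc"]))
    return findings
```

An empty result from `check_config` means the config passed these checks, not that the identity provider registration from step 1 is correct.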