Enabling IAP for GKE

This page explains how to secure a Google Kubernetes Engine (GKE) instance with Identity-Aware Proxy (IAP).

Overview

IAP is integrated through Ingress for GKE. This integration enables you to control resource-level access for employees instead of using a VPN.

In a GKE cluster, incoming traffic is handled by HTTP(S) Load Balancing, a component of Cloud Load Balancing. The HTTP(S) load balancer is typically configured by the Kubernetes Ingress controller. The Ingress controller gets configuration information from a Kubernetes Ingress object that is associated with one or more Service objects. Each Service object holds routing information that is used to direct an incoming request to a particular Pod and port.

Beginning with Kubernetes version 1.10.5-gke.3, you can add configuration for the load balancer by associating a Service with a BackendConfig object. BackendConfig is a custom resource definition (CRD) that is defined in the kubernetes/ingress-gce repository.

The Kubernetes Ingress controller reads configuration information from the BackendConfig and sets up the load balancer accordingly. A BackendConfig holds configuration information that is specific to Cloud Load Balancing, and enables you to define a separate configuration for each HTTP(S) Load Balancing backend service.

Before you begin

To enable IAP for GKE, you need the following:

  • A Google Cloud Console project with billing enabled.
  • A group of one or more GKE instances, served by an HTTPS load balancer. The load balancer should be created automatically when you create an Ingress object in a GKE cluster.
  • A domain name registered to the address of your load balancer.
  • App code to verify that all requests have an identity.

Enabling IAP

Configuring the OAuth consent screen

If you haven't configured your project's OAuth consent screen, you need to do so. An email address and product name are required for the OAuth consent screen.

  1. Go to the OAuth consent screen.
    Configure consent screen
  2. Under Support email, select the email address you want to display as a public contact. This email address must be your email address, or a Google Group you own.
  3. Enter the Application name you want to display.
  4. Add any optional details you'd like.
  5. Click Save.

To change information on the OAuth consent screen later, such as the product name or email address, repeat the preceding steps to configure the consent screen.

Creating OAuth credentials

  1. Go to the Credentials page.
    Go to the Credentials page
  2. On the Create credentials drop-down list, select OAuth client ID.
  3. Under Application type, select Web application.
  4. Add a Name for your OAuth client ID.
  5. Click Create. Your OAuth client ID and client secret are generated and displayed on the OAuth client window.
  6. Click OK.
  7. Select the client that you created.
  8. Copy the client ID to the clipboard.
  9. Add the universal redirect URL to the authorized redirect URIs field in the following format:
    https://iap.googleapis.com/v1/oauth/clientIds/CLIENT_ID:handleRedirect

    where CLIENT_ID is the OAuth client ID.

  10. Near the top of the page, click Download JSON. You'll use these credentials in a later step.

Setting up IAP access

  1. Go to the Identity-Aware Proxy page.
    Go to the Identity-Aware Proxy page
  2. Select the project you want to secure with IAP.
  3. Select the checkbox next to the resource you want to add members to.
  4. On the right side panel, click Add member.
  5. In the Add members dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.

    The following kinds of accounts can be members:

    • Google Account: user@gmail.com
    • Google Group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • G Suite domain: example.com

    Make sure to add a Google Account that you have access to.

  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
  7. Click Save.

Configuring BackendConfig

To configure BackendConfig for IAP, create a Kubernetes Secret and then add an iap block to the BackendConfig.

Creating a Kubernetes Secret

The BackendConfig uses a Kubernetes Secret to wrap the OAuth client you created earlier. Kubernetes Secrets are managed like other Kubernetes objects by using the kubectl command-line interface (CLI). To create a Secret, run the following command where client_id_key and client_secret_key are the keys from the JSON file you downloaded when you created OAuth credentials:

kubectl create secret generic my-secret --from-literal=client_id=client_id_key \
    --from-literal=client_secret=client_secret_key

The preceding command displays output to confirm when the Secret is successfully created:

secret "my-secret" created

Adding an iap block to the BackendConfig

To configure the BackendConfig for IAP, you need to specify the enabled and secretName values. To specify these values, ensure that you have the compute.backendServices.update permission and add the iap block to BackendConfig. In this block, my-secret is the Kubernetes Secret name you created previously:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: config-default
  namespace: my-namespace
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: my-secret

You also need to associate Service ports with your BackendConfig to trigger turning on IAP. One way to make this association is to make all ports for the service default to your BackendConfig, which you can do by adding the following annotation to your Service resource:

metadata:
  annotations:
    beta.cloud.google.com/backend-config: '{"default": "config-default"}'

To test the configuration, run kubectl get event. If you see the message "no BackendConfig for service port exists", then you successfully associated a service port with your BackendConfig, but the BackendConfig resource wasn't found. This error can occur if you haven't created the BackendConfig resource, created it in the wrong namespace, or misspelled the reference in the Service annotation.

If the secretName you referenced doesn't exist or isn't structured properly, one of the following error messages will display:

  • BackendConfig default/config-default is not valid: error retrieving secret "foo": secrets "foo" not found. To resolve this error, make sure that you've created the Kubernetes Secret correctly as described in the previous section.
  • BackendConfig default/config-default is not valid: secret "foo" missing client_secret data. To resolve this error, make sure that you've created the OAuth credentials correctly. Also, make sure that you referenced the correct client_id and client_secret keys in the JSON you downloaded previously.

When the enabled flag is set to true and the secretName is correctly set, IAP is configured for your selected resource.

Turning IAP off

To turn IAP off, you must set enabled to false in the BackendConfig. If you delete the IAP block from BackendConfig, the settings will persist. For example, if IAP is enabled with secretName: my_secret and you delete the block, then IAP will still be turned on with the OAuth credentials stored in my_secret.

What's next