Enabling Cloud IAP for Kubernetes Engine

This page explains how to secure a Kubernetes Engine instance with Cloud Identity-Aware Proxy (Cloud IAP). To enable Cloud IAP, you'll complete the following tasks:

  • Configure your app's OAuth consent screen
  • Set up Cloud IAP access
  • Create OAuth credentials
  • Configure BackendConfig

Overview

Cloud IAP is integrated through Ingress for Kubernetes Engine. This enables you to control application-level access for employees instead of using a VPN.

In a Kubernetes Engine cluster, incoming traffic is handled by HTTP(S) Load Balancing, a component of Cloud Load Balancing. The HTTP(S) load balancer is typically configured by the Kubernetes Ingress controller. The Ingress controller gets configuration information from a Kubernetes Ingress object that is associated with one or more Service objects. Each Service object holds routing information that is used to direct an incoming request to a particular Pod and port.

Beginning with Kubernetes version 1.10.5-gke.3, you can add configuration for the load balancer by associating a Service with a BackendConfig object. BackendConfig is a custom resource definition (CRD) that is defined in the kubernetes/ingress-gce repository.

The Kubernetes Ingress controller reads configuration information from the BackendConfig and sets up the load balancer accordingly. A BackendConfig holds configuration information that is specific to Cloud Load Balancing, and enables you to define a separate configuration for each HTTP(S) Load Balancing backend service.

Before you begin

To enable Cloud IAP for Kubernetes Engine, you'll need the following:

  • A Google Cloud Platform Console project with billing enabled.
  • A group of one or more Kubernetes Engine instances, served by an HTTPS load balancer. The load balancer should be created automatically when you create an Ingress object in a Kubernetes Engine cluster.
  • A domain name registered to the address of your load balancer.
  • Application code to verify that all requests have an identity.

Enabling Cloud IAP

Configuring the OAuth consent screen

If you haven't configured your project's OAuth consent screen, you'll need to do so. An email address and product name are required for the OAuth consent screen.
  1. Go to the OAuth consent screen.
  2. Under Email address, select the email address you want to display as a public contact. This must be your email address, or a Google Group you own.
  3. Enter the Product name you want to display.
  4. Add any optional details you'd like.
  5. Click Save.

To change information on the OAuth consent screen later, such as the product name or email address, repeat the steps above to configure the consent screen.

Setting up Cloud IAP access

  1. Go to the Identity-Aware Proxy page.
  2. Select the project you want to secure with Cloud IAP.
  3. On the right side panel, next to Access, click Add.
  4. In the Add members dialog that appears, add the email addresses of groups or individuals who should have the IAP-Secured Web App User role for the project.

    The following kinds of accounts can be members:

    • Google Accounts: user@gmail.com
    • Google Groups: admins@googlegroups.com
    • Service accounts: server@example.gserviceaccount.com
    • G Suite domains: example.com

    Make sure to add a Google account that you have access to.

  5. When you're finished adding members, click Add.

Creating OAuth credentials

  1. Go to the Credentials page.
  2. On the Create credentials drop-down list, select OAuth client ID.
  3. Under Application type, select Web application.
  4. Add a Name and Authorized redirect URIs in the format your_domain/_gcp_gatekeeper/authenticate, where your_domain is a domain from which you want to access your Cloud IAP-enabled backend service.
  5. When you're finished adding authorized redirect URIs, click Create, then click OK on the OAuth client window that appears.
  6. Under OAuth 2.0 client IDs, next to the credentials you created, click Download JSON on the right side. You'll use these credentials in a later step.

Adding authorized domains

To access your app from more domains later, follow the process below:

  1. Go to the Identity-Aware Proxy page.
  2. Click More next to the resource to which you want to add a domain, then click Edit OAuth client.
  3. In the Credentials window that appears, under Authorized redirect URIs, add the domains in the format of your_domain/_gcp_gatekeeper/authenticate.
  4. When you're finished adding domains, click Save. You'll now be able to access your app from those domains with Cloud IAP turned on.

Configuring BackendConfig

To configure BackendConfig for Cloud IAP, you'll create a Kubernetes Secret and then add an iap block to the BackendConfig.

Creating a Kubernetes Secret

The BackendConfig uses a Kubernetes Secret to wrap the OAuth client you created earlier. Kubernetes Secrets are managed like other Kubernetes objects by using the kubectl command-line interface (CLI). To create a Secret, run the following command, where client_id_key and client_secret_key are the client_id and client_secret values from the JSON file you downloaded when you created the OAuth credentials above. Keep the Secret's key names as client_id and client_secret; those are the keys the Ingress controller reads:

kubectl create secret generic my-secret --from-literal=client_id=client_id_key \
    --from-literal=client_secret=client_secret_key

The above command displays output to confirm when the Secret is successfully created:

secret "my-secret" created

Adding an iap block to the BackendConfig

To configure the BackendConfig for Cloud IAP, you'll specify the enabled and secretName values. Note that you can't enable both Cloud IAP and Cloud Content Delivery Network (Cloud CDN) in the same BackendConfig. If the BackendConfig doesn't have an iap block, any existing Cloud IAP settings on the backend service are inherited. To enable Cloud IAP, add the iap block to the BackendConfig, where my-secret is the name of the Kubernetes Secret you created above:

apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: config-default
  namespace: my-namespace
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: my-secret

To test the configuration, run kubectl get event. If a message displays that no BackendConfig for service port exists, then the Service annotation references a BackendConfig for a Service port, but the BackendConfig resource wasn't found. This can occur if you haven't created the BackendConfig resource, created it in the wrong namespace, or misspelled its name in the Service annotation.

If the secretName you referenced doesn't exist or isn't structured properly, one of the following error messages will display:

  • BackendConfig default/config-default is not valid: error retrieving secret "foo": secrets "foo" not found. To resolve this error, make sure that you've created the Kubernetes Secret correctly as described above.
  • BackendConfig default/config-default is not valid: secret "foo" missing client_secret data. To resolve this error, make sure that you've created the OAuth credentials correctly and referenced the correct client_id and client_secret keys in the JSON you downloaded above.

When the enabled flag is set to true and the secretName is correctly set, Cloud IAP is configured for the resource you selected.
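The checks behind the two error messages above, plus the invalid-name and IAP/CDN cases, as an added example that is not part of the original page or of the ingress-gce controller. It assumes the downloaded OAuth client JSON has a top-level "web" object, that the controller resolves the Secret in the BackendConfig's own namespace, and the wording of the IAP/CDN error is constructed; the sample JSON and manifests are constructed.

```python
import base64
import re

# Kubernetes object names must be DNS-1123 subdomains (lowercase alphanumerics,
# '-' and '.'), so a name such as "my_secret" is rejected by the API server.
DNS1123_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")

# Constructed stand-in for the JSON the Credentials page downloads for a
# web-application client; the {"web": {...}} shape is an assumption.
OAUTH_CLIENT_JSON = {"web": {"client_id": "id-123", "client_secret": "secret"}}


def _b64(value):
    """Secret `data` fields are base64 text, as kubectl create secret writes them."""
    return base64.b64encode(value.encode()).decode()


def secret_from_oauth_json(name, namespace, client_json):
    """Build the Secret manifest equivalent to the kubectl create secret command."""
    if not DNS1123_SUBDOMAIN.match(name):
        raise ValueError(f"{name!r} is not a valid Kubernetes object name")
    web = client_json["web"]
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace},
            # Key names must be exactly client_id and client_secret: that is
            # what the Ingress controller reads through oauthclientCredentials.
            "data": {"client_id": _b64(web["client_id"]),
                     "client_secret": _b64(web["client_secret"])}}


def validate_backend_config(cfg, secrets):
    """Return the error strings a controller would report for this BackendConfig."""
    ns = cfg["metadata"].get("namespace", "default")
    ref = f"{ns}/{cfg['metadata']['name']}"
    spec = cfg.get("spec", {})
    iap = spec.get("iap")
    if iap is None:
        return []  # no iap block: the backend service keeps its existing IAP settings
    errors = []
    if iap.get("enabled") and spec.get("cdn", {}).get("enabled"):
        errors.append(f"BackendConfig {ref} is not valid: iap and cdn cannot both be enabled")
    name = iap.get("oauthclientCredentials", {}).get("secretName", "")
    # Assumption: the Secret is resolved in the BackendConfig's own namespace.
    secret = next((s for s in secrets if s["metadata"]["name"] == name
                   and s["metadata"].get("namespace", "default") == ns), None)
    if secret is None:
        errors.append(f'BackendConfig {ref} is not valid: error retrieving secret "{name}": secrets "{name}" not found')
        return errors
    for key in ("client_id", "client_secret"):
        if key not in secret.get("data", {}):
            errors.append(f'BackendConfig {ref} is not valid: secret "{name}" missing {key} data')
    return errors
```

Run the validator against your own manifests before applying them; the underscore check catches the name mismatch that otherwise only surfaces as "secrets ... not found" in kubectl get event.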

Turning Cloud IAP off

To turn Cloud IAP off, you must set enabled to false in the BackendConfig. If you delete the iap block from the BackendConfig instead, the settings persist. For example, if Cloud IAP is enabled with secretName: my-secret and you delete the block, Cloud IAP stays turned on with the OAuth credentials stored in my-secret.
