En esta página, se explica cómo proteger una instancia de Google Kubernetes Engine (GKE) con Identity-Aware Proxy (IAP).
Descripción general
IAP está integrado a través de Ingress para GKE. Esta integración te permite controlar el nivel de acceso de los empleados en lugar de usar una VPN.
En el clúster de GKE, el tráfico entrante es controlado por el balanceo de cargas de HTTP(S), un componente de Cloud Load Balancing. Por lo general, el balanceador de cargas de HTTP(S) está configurado por el controlador de Ingress de Kubernetes. El controlador de Ingress recibe información sobre la configuración de un objeto Ingress de Kubernetes, que está vinculado con uno o más objetos de Servicio. Cada objeto de servicio contiene información de enrutamiento que se usa para direccionar una solicitud entrante a un pod o puerto específico.
A partir de la versión Kubernetes 1.10.5-gke.3, tienes la posibilidad de agregar configuraciones al balanceador de cargas mediante la asociación de un servicio con un objeto de BackendConfig. BackendConfig es una definición personalizada de recurso (CRD) que está definida en el repositorio kubernetes/ingress-gce.
El controlador de ingreso de Kubernetes lee los datos de configuración provenientes de BackendConfig y configura el balanceador de cargas según corresponda. BackendConfig contiene datos de configuración específicos de Cloud Load Balancing y permite definir una configuración aparte para cada servicio de backend de balanceo de cargas de HTTP(S).
Antes de comenzar
Con el fin de habilitar IAP para GKE, necesitas lo siguiente:
- Un proyecto de la consola de Google Cloud con facturación habilitada
- Un grupo de una o más instancias de GKE entregadas mediante un balanceador de cargas de HTTPS. El balanceador de cargas debería crearse de forma automática cuando generas un objeto Ingress en un clúster de GKE
- Aprende cómo crear un Ingress para HTTPS
- Un nombre de dominio registrado con la dirección de tu balanceador de cargas
- Un código de la app para verificar que todas las solicitudes tengan una identidad
- Aprender cómo obtener la identidad del usuario
Habilita IAP
If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen.
Setting up IAP access
-
Go to the
Identity-Aware Proxy page.
Go to the Identity-Aware Proxy page - Select the project you want to secure with IAP.
-
Select the checkbox next to the resource you want to grant access to.
If you don't see a resource, ensure that the resource is created and that the BackendConfig Compute Engine ingress controller is synced.
To verify that the backend service is available, run the following gcloud command:
gcloud compute backend-services list
- On the right side panel, click Add principal.
-
In the Add principals dialog that appears, enter the email addresses of groups or
individuals who should have the IAP-secured Web App User role for the project.
The following kinds of principals can have this role:
- Google Account: user@gmail.com
- Google Group: admins@googlegroups.com
- Service account: server@example.gserviceaccount.com
- Google Workspace domain: example.com
Make sure to add a Google Account that you have access to.
- Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
- Click Save.
Configuring BackendConfig
To configure BackendConfig for IAP, create a Kubernetes Secret and then
add an iap
block to the BackendConfig.
Creating a Kubernetes Secret
The BackendConfig uses a Kubernetes
Secret
to wrap the OAuth client you created earlier. Kubernetes Secrets are managed like
other Kubernetes objects by using the
kubectl
command-line interface (CLI). To create a Secret, run the following command where
client_id_key and client_secret_key are the keys from the JSON file you
downloaded when you created OAuth credentials:
kubectl create secret generic my-secret --from-literal=client_id=client_id_key \ --from-literal=client_secret=client_secret_key
The preceding command displays output to confirm when the Secret is successfully created:
secret "my-secret" created
Adding an iap
block to the BackendConfig
To configure the BackendConfig for IAP, you need to specify the
enabled
and secretName
values. To specify these values, ensure
that you have the compute.backendServices.update
permission and add the
iap
block to BackendConfig. In this block, my-secret is
the Kubernetes Secret name you created previously:
For GKE versions 1.16.8-gke.3 and higher, use the `cloud.google.com/v1` API version. If you are using an earlier GKE version, use `cloud.google.com/v1beta1`.
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: config-default namespace: my-namespace spec: iap: enabled: true oauthclientCredentials: secretName: my-secret
You also need to associate Service ports with your BackendConfig to trigger turning on IAP. One way to make this association is to make all ports for the service default to your BackendConfig, which you can do by adding the following annotation to your Service resource:
metadata: annotations: beta.cloud.google.com/backend-config: '{"default": "config-default"}'
To test the configuration, run kubectl get event
. If you see the message
"no BackendConfig for service port exists
", then you successfully
associated a service port with your BackendConfig, but the BackendConfig
resource wasn't found. This error can occur if you haven't created the BackendConfig resource,
created it in the wrong namespace, or misspelled the reference in the Service annotation.
If the secretName
you referenced doesn't exist or isn't structured
properly, one of the following error messages will display:
-
BackendConfig default/config-default is not valid: error retrieving secret "foo": secrets "foo" not found.
To resolve this error, make sure that you've created the Kubernetes Secret correctly as described in the previous section. -
BackendConfig default/config-default is not valid: secret "foo" missing client_secret data.
To resolve this error, make sure that you've created the OAuth credentials correctly. Also, make sure that you referenced the correctclient_id
andclient_secret
keys in the JSON you downloaded previously.
When the enabled
flag is set to true
and
the secretName
is correctly set, IAP is configured
for your selected resource.
Turning IAP off
To turn IAP off, you must set enabled
to
false
in the BackendConfig. If you delete the IAP
block from BackendConfig, the settings will persist. For example, if IAP is
enabled with secretName: my_secret
and you delete the block, then
IAP will still be turned on with the OAuth credentials stored in
my_secret
.
¿Qué sigue?
- Más información sobre cómo configurar Cloud CDN en GKE
- Más información sobre cómo configurar Cloud Armor para GKE
- Más información acerca del recurso de BackendConfig