为 GKE 启用 IAP

使用集合让一切井井有条 根据您的偏好保存内容并对其进行分类。

本页介绍如何使用 Identity-Aware Proxy (IAP) 保护 Google Kubernetes Engine (GKE) 实例的安全。

概览

在 GKE 上,IAP 通过 Ingress 集成。因此,您无需使用 VPN 即可控制员工的资源级访问权限。

在 GKE 集群中,传入流量由 HTTP(S) 负载平衡服务处理,该服务是 Cloud Load Balancing 的一个组件。HTTP(S) 负载平衡器通常由 Kubernetes Ingress 控制器配置。Ingress 控制器会从与一个或多个 Service 对象关联的 Kubernetes Ingress 对象中获取配置信息。每个 Service 对象包含用于将传入请求定向到特定 Pod 和端口的路由信息。

从 Kubernetes 版本 1.10.5-gke.3 开始,您可以通过将 Service 与 BackendConfig 对象进行关联来添加负载平衡器配置。 BackendConfig 是 kubernetes/ingress-gce 代码库中定义的一个自定义资源定义 (CRD)。

Kubernetes Ingress 控制器会从 BackendConfig 读取配置信息并相应地设置负载平衡器。BackendConfig 包含特定于 Cloud Load Balancing 的配置信息,并可用于为每个 HTTP(S) 负载平衡后端服务定义单独的配置。

准备工作

要为 GKE 启用 IAP,您需要以下各项:

  • 启用了结算功能的 Google Cloud Console 项目。
  • 由 HTTPS 负载平衡器处理的一个或多个 GKE 实例。当您在 GKE 集群中创建 Ingress 对象时,负载平衡器应自动建立。
  • 已注册到负载均衡器地址的域名。
  • 用于验证所有请求是否都有身份的应用代码。

启用 IAP

Configuring the OAuth consent screen

If you haven't configured your project's OAuth consent screen, you need to do so. An email address and product name are required for the OAuth consent screen.

  1. 转到 OAuth 同意屏幕
    配置同意屏幕
  2. 支持电子邮件地址下,选择要显示为公开联系人的电子邮件地址。该电子邮件地址必须属于当前登录的用户帐号,或者属于当前登录的用户所属的 Google 网上论坛。
  3. 输入您要显示的应用名称
  4. 根据需要添加任何可选详细信息。
  5. 点击保存

如需稍后更改 OAuth 同意屏幕上的信息(例如产品名称或电子邮件地址),请重复上述步骤配置同意屏幕。

Creating OAuth credentials

  1. Go to the Credentials page.
    Go to the Credentials page
  2. In the Create credentials drop-down, select OAuth client ID.
  3. Under Application type, select Web application.
  4. Add a Name for your OAuth client ID.
  5. Click Create.

    Your OAuth client ID and client secret are generated and displayed on the OAuth client window.

  6. In the Oauth client created dialog, copy the client ID to the clipboard.
  7. Click OK.
  8. Click the name of the client that you just created to reopen it for editing.
  9. In the Authorized redirect URIs field, enter the following string:
    https://iap.googleapis.com/v1/oauth/clientIds/CLIENT_ID:handleRedirect

    where CLIENT_ID is the OAuth client ID you just copied to the clipboard.

Setting up IAP access

  1. Go to the Identity-Aware Proxy page.
    Go to the Identity-Aware Proxy page
  2. Select the project you want to secure with IAP.
  3. Select the checkbox next to the resource you want to grant access to.
  4. On the right side panel, click Add principal.
  5. In the Add principals dialog that appears, enter the email addresses of groups or individuals who should have the IAP-secured Web App User role for the project.

    The following kinds of principals can have this role:

    • Google Account: user@gmail.com
    • Google Group: admins@googlegroups.com
    • Service account: server@example.gserviceaccount.com
    • Google Workspace domain: example.com

    Make sure to add a Google Account that you have access to.

  6. Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
  7. Click Save.

Configuring BackendConfig

To configure BackendConfig for IAP, create a Kubernetes Secret and then add an iap block to the BackendConfig.

Creating a Kubernetes Secret

The BackendConfig uses a Kubernetes Secret to wrap the OAuth client you created earlier. Kubernetes Secrets are managed like other Kubernetes objects by using the kubectl command-line interface (CLI). To create a Secret, run the following command where client_id_key and client_secret_key are the keys from the JSON file you downloaded when you created OAuth credentials:

kubectl create secret generic my-secret --from-literal=client_id=client_id_key \
    --from-literal=client_secret=client_secret_key

The preceding command displays output to confirm when the Secret is successfully created:

secret "my-secret" created

Adding an iap block to the BackendConfig

To configure the BackendConfig for IAP, you need to specify the enabled and secretName values. To specify these values, ensure that you have the compute.backendServices.update permission and add the iap block to BackendConfig. In this block, my-secret is the Kubernetes Secret name you created previously:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: config-default
  namespace: my-namespace
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: my-secret

You also need to associate Service ports with your BackendConfig to trigger turning on IAP. One way to make this association is to make all ports for the service default to your BackendConfig, which you can do by adding the following annotation to your Service resource:

metadata:
  annotations:
    beta.cloud.google.com/backend-config: '{"default": "config-default"}'

To test the configuration, run kubectl get event. If you see the message "no BackendConfig for service port exists", then you successfully associated a service port with your BackendConfig, but the BackendConfig resource wasn't found. This error can occur if you haven't created the BackendConfig resource, created it in the wrong namespace, or misspelled the reference in the Service annotation.

If the secretName you referenced doesn't exist or isn't structured properly, one of the following error messages will display:

  • BackendConfig default/config-default is not valid: error retrieving secret "foo": secrets "foo" not found. To resolve this error, make sure that you've created the Kubernetes Secret correctly as described in the previous section.
  • BackendConfig default/config-default is not valid: secret "foo" missing client_secret data. To resolve this error, make sure that you've created the OAuth credentials correctly. Also, make sure that you referenced the correct client_id and client_secret keys in the JSON you downloaded previously.

When the enabled flag is set to true and the secretName is correctly set, IAP is configured for your selected resource.

Turning IAP off

To turn IAP off, you must set enabled to false in the BackendConfig. If you delete the IAP block from BackendConfig, the settings will persist. For example, if IAP is enabled with secretName: my_secret and you delete the block, then IAP will still be turned on with the OAuth credentials stored in my_secret.

后续步骤