This page documents how to enable OS Login and configure an organization policy to enforce OS Login for private GKE Standard mode clusters and nodes. OS Login isn't available for GKE Autopilot mode clusters because GKE manages the nodes.
To learn about the OS Login Service, see the Compute Engine documentation on OS Login.
Overview
You can set up an OS Login constraint in your organization to ensure that all new projects, and the VM instances created in these new projects, have OS Login enabled. OS Login has quickly become a Google Cloud security best practice, recommending that you enforce its use through an organization policy.
The following instructions detail how to enable OS Login using an organization policy in GKE.
Before you begin
Before you start, make sure you have performed the following tasks:
- Enable the Google Kubernetes Engine API. Enable Google Kubernetes Engine API
- If you want to use the Google Cloud CLI for this task,
install and then
initialize the
gcloud CLI. If you previously installed the gcloud CLI, get the latest
version by running
gcloud components update
.
Update existing projects to use OS Login
Before setting the organization policy, migrate any existing private clusters to use OS Login.
Update the version in all node pools in a project to a supported version:
gcloud container clusters upgrade CLUSTER_NAME \ --node-pool=NODE_POOL_NAME \ --cluster-version VERSION
Replace the following:
CLUSTER_NAME
: the name of your existing cluster.NODE_POOL_NAME
: the name of the node pool.VERSION
: A version compatible with OS Login, which can be versions 1.20.5 or later.
Enable OS Login on all existing and new VM instances by default by setting the
enable-oslogin
flag toTRUE
. You do not need to reboot the node.gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
Set the OS Login organization policy
To set the OS Login constraint at the organization level, perform the following:
Find your organization ID by running the following command:
gcloud organizations list
Set the OS Login organization policy. Replace
ORGANIZATION_ID
with your organization ID.gcloud resource-manager org-policies enable-enforce \ compute.requireOsLogin \ --organization=ORGANIZATION_ID
After the organization policy is set, the following conditions are applied:
enable-oslogin
is set totrue
in the project metadata for all new projects.- Update requests to set
enable-oslogin
tofalse
in instance or project metadata are rejected.
Managing node access
Once you have enabled the OS Login organization policy, you no longer need to manage SSH keys to make authorization decisions. OS Login moves authorization management to Identity and Access Management. To manage SSH access to nodes, use OS Login. For more details, see Setting up OS Login.
What's next
- Learn about the OS Login service.
- Learn to troubleshoot OS Login.