Enable and configure OS Login in GKE

Standard

This page explains how to enable OS Login and configure an organization policy to enforce OS Login for GKE Standard mode clusters and nodes. You can use OS Login to manage SSH access to your instances using IAM without having to create and manage individual SSH keys.

OS Login isn't available for GKE Autopilot mode clusters because GKE manages the nodes.

Clusters that use public nodes don't support OS Login. If this constraint is applied to a project that runs clusters with public nodes, VM instances that are running in that project might not function properly.

This page is for Security specialists who want to add OS Login policies on GKE Standard clusters to ensure that all VM instances have OS Login by default. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE Enterprise user roles and tasks.

Before reading this page, ensure that you're familiar with the general overview of OS Login.

Overview

You can set up an OS Login constraint in your organization to ensure that all new projects, and the VM instances created in these new projects, have OS Login enabled. OS Login has quickly become a Google Cloud security best practice, recommending that you enforce its use through an organization policy.

The following instructions detail how to enable OS Login using an organization policy in GKE.

Before you begin

Before you start, make sure you have performed the following tasks:

Enable the Google Kubernetes Engine API.

Enable Google Kubernetes Engine API

If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.
Note: For existing gcloud CLI installations, make sure to set the compute/region and compute/zone properties. By setting default locations, you can avoid errors in gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location.

Update existing projects to use OS Login

Before setting the organization policy, migrate any existing clusters to use OS Login.

Update the version in all node pools in a project to a supported version:
```
gcloud container clusters upgrade CLUSTER_NAME \
    --node-pool=NODE_POOL_NAME \
    --cluster-version VERSION
```
Replace the following:
- CLUSTER_NAME: the name of your existing cluster.
- NODE_POOL_NAME: the name of the node pool.
- VERSION: A version compatible with OS Login, which can be versions 1.20.5 or later.
Enable OS Login on all existing and new VM instances by default by setting the enable-oslogin flag to TRUE. You don't need to reboot the node.
```
gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE
```
Caution: Enabling OS Login on instances disables metadata-based SSH key configurations on those instances. Disabling OS Login restores SSH keys that you have configured in project or instance metadata.

Set the OS Login organization policy

To set the OS Login constraint at the organization level, perform the following:

Find your organization ID by running the following command:
```
gcloud organizations list
```

Set the OS Login organization policy. Replace ORGANIZATION_ID with your organization ID.

gcloud resource-manager org-policies enable-enforce \
    compute.requireOsLogin \
    --organization=ORGANIZATION_ID

After the organization policy is set, the following conditions are applied:

enable-oslogin is set to true in the project metadata for all new projects.
Update requests to set enable-oslogin to false in instance or project metadata are rejected.

Manage node access

Once you have enabled the OS Login organization policy, you no longer need to manage SSH keys to make authorization decisions. OS Login moves authorization management to Identity and Access Management. To manage SSH access to nodes, use OS Login. For more details, see Setting up OS Login.

What's next

Learn about the OS Login service.
Learn to troubleshoot OS Login.