Enabling and configuring OS Login in GKE

This page documents how to enable OS Login and configure an organization policy to enforce OS Login for private GKE clusters and nodes. To learn about the OS Login Service, see the Compute Engine documentation on OS Login.


You can set up an OS Login constraint in your organization to ensure that all new projects, and the VM instances created in these new projects, have OS Login enabled. OS Login has quickly become a Google Cloud security best practice, recommending that you enforce its use through an organization policy.

The following instructions detail how to enable OS Login using an organization policy in GKE.

Before you begin

Before you start, make sure you have performed the following tasks:

  • Ensure that you have enabled the Google Kubernetes Engine API.
  • Enable Google Kubernetes Engine API
  • Ensure that you have installed the Google Cloud CLI.
  • Set up default Google Cloud CLI settings for your project by using one of the following methods:
    • Use gcloud init, if you want to be walked through setting project defaults.
    • Use gcloud config, to individually set your project ID, zone, and region.

    gcloud init

    1. Run gcloud init and follow the directions:

      gcloud init

      If you are using SSH on a remote server, use the --console-only flag to prevent the command from launching a browser:

      gcloud init --console-only
    2. Follow the instructions to authorize the gcloud CLI to use your Google Cloud account.
    3. Create a new configuration or select an existing one.
    4. Choose a Google Cloud project.
    5. Choose a default Compute Engine zone.
    6. Choose a default Compute Engine region.

    gcloud config

    1. Set your default project ID:
      gcloud config set project PROJECT_ID
    2. Set your default Compute Engine region (for example, us-central1):
      gcloud config set compute/region COMPUTE_REGION
    3. Set your default Compute Engine zone (for example, us-central1-c):
      gcloud config set compute/zone COMPUTE_ZONE
    4. Update gcloud to the latest version:
      gcloud components update

    By setting default locations, you can avoid errors in gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location.

Update existing projects to use OS Login

Before setting the organization policy, migrate any existing private clusters to use OS Login.

  1. Update the version in all node pools in a project to a supported version:

    gcloud container clusters upgrade CLUSTER_NAME \
        --node-pool=NODE_POOL_NAME \
        --cluster-version VERSION

    Replace the following:

    • CLUSTER_NAME: the name of your existing cluster.
    • NODE_POOL_NAME: the name of the node pool.
    • VERSION: A version compatible with OS Login, which can be versions 1.20.5 or later.
  2. Enable OS Login on all existing and new VM instances by default by setting the enable-oslogin flag to TRUE. You do not need to reboot the node.

    gcloud compute project-info add-metadata --metadata enable-oslogin=TRUE

Set the OS Login organization policy

To set the OS Login constraint at the organization level, perform the following:

  1. Find your organization ID by running the following command:

    gcloud organizations list
  2. Set the OS Login organization policy. Replace ORGANIZATION_ID with your organization ID.

    gcloud resource-manager org-policies enable-enforce \
        compute.requireOsLogin \

After the organization policy is set, the following conditions are applied:

  • enable-oslogin is set to true in the project metadata for all new projects.
  • Update requests to set enable-oslogin to false in instance or project metadata are rejected.

Managing node access

Once you have enabled the OS Login organization policy, you no longer need to manage SSH keys to make authorization decisions. OS Login moves authorization management to Identity and Access Management. To manage SSH access to nodes, use OS Login. For more details, see Setting up OS Login.

What's next