Configure the identity provider of your choice
This document is for platform administrators who are responsible for setting up and managing identity within your organization. If you're a cluster administrator or application operator, ask your platform administrator to complete the setup described here before you configure individual clusters or use the fleet setup.
Before you begin
If you want cluster administrators to provide authentication access using the fully qualified domain name (FQDN) of the cluster's Kubernetes API server (recommended), do the following. Otherwise, you can skip ahead to configuring your identity provider. You can learn more about user authentication methods in Set up an authentication method for user access.
- Configure your domain name service (DNS) to resolve your chosen fully qualified domain name to the cluster's control plane VIPs (virtual IP addresses). Users can access the cluster using this domain name.
- Use a Server Name Indication (SNI) certificate issued by your trusted enterprise Certificate Authority (CA). This certificate specifically mentions your FQDN as a valid domain, eliminating potential certificate warnings for users. You can provide the SNI certificate during cluster creation. For more information on specifying SNI certificates, see SNI certificate authentication.
- If SNI certificates are not feasible, cluster administrators need to configure all user devices to trust the cluster-CA certificate. This avoids certificate warnings but requires distributing the cluster-CA certificate to all users.
For more information on user login access using these certificates, see Authenticate using FQDN access.
Configure the identity provider
The configuration of GKE Identity Service depends on the identity provider you choose to use. To get started, choose the appropriate provider you want to configure: