GKE Identity Service overview
GKE Identity Service is an authentication service that integrates with your existing identity solutions, allowing you to use these identity solutions across multiple GKE Enterprise environments. Users can access and manage your GKE clusters from the command line or from the Google Cloud console, all using your existing identity provider.
If you prefer to use Google IDs to log in to your GKE clusters instead of an identity provider, see Connect to registered clusters with the Connect gateway.
Supported identity providers
GKE Identity Service supports the following identity provider protocols to verify and authenticate users when they try to access resources or services:
- OpenID Connect (OIDC): OIDC is a modern, lightweight authentication protocol built on top of the OAuth 2.0 authorization framework. We provide specific instructions for setup of some popular OpenID Connect providers, including Microsoft, but you can use any provider that implements OIDC.
- Security Assertion Markup Language (SAML): SAML is an XML-based standard for exchanging authentication and authorization data between parties, primarily between an identity provider (IdP) and a service provider (SP). You can use GKE Identity Service to authenticate using SAML.
- Lightweight Directory Access Protocol (LDAP): LDAP is a mature, standardized protocol for accessing and managing directory information services. It's commonly used to store and retrieve user information, such as usernames, passwords, and group memberships. You can use GKE Identity Service to authenticate using LDAP with Active Directory or an LDAP server.
Supported cluster types
| Protocol | GKE on VMware | GKE on Bare Metal | GKE on AWS | GKE on Azure | EKS attached clusters | GKE |
|---|---|---|---|---|---|---|
| OIDC | ||||||
| LDAP | ||||||
| SAML |
Other attached cluster types are not supported for use with GKE Identity Service.
Setup process
Setting up GKE Identity Service for your clusters involves the following users and process steps:
- Configure providers: The platform administrator registers GKE Identity Service as a client application with their preferred identity provider and gets a client ID and secret.
- Set up individual clusters or set up your fleet: The cluster administrator sets up clusters for your identity service. You can set up GKE Identity Service on a cluster by cluster basis for GKE clusters on-premises (both VMware and bare metal), on AWS, and on Azure. Alternatively, you can choose to set up GKE Identity Service for a fleet, which is a logical group of clusters that lets you enable functionality and update configuration across these clusters.
- Set up user access: The cluster administrator sets up user login access to authenticate to the clusters using the FQDN access (recommended) or file-based access approach, and optionally configures Kubernetes role-based access control (RBAC) for users on these clusters.