This document describes how you can connect to GKE on AWS as a member of a Google group.
Using Google groups to grant cluster access is more efficient than creating separate authorizations for individual users. For example, let's say you want to add 50 users to the cluster Administrator group, 75 users to an Editor group, and 100 users to a Reader group. Enabling all these users to connect to your cluster would require you to create RBAC rules in the Kubernetes manifest file for 225 users. Enabling access to your cluster with Google groups, however, saves you time because you only need to create RBAC rules for three Google groups.
Before you begin
To connect to your cluster as a member of a Google group, you need to satisfy the following prerequisites:

- Ensure that you have the latest version of the Google Cloud CLI. For information on updating the gcloud CLI, see gcloud components update.
- Use GKE on AWS version 1.25 or above, which is required for kubectl access using connect gateway.
Connect to your cluster with Google groups
To authorize Google groups to connect to GKE on AWS, follow these steps:

1. Enable the connectgateway and cloudresourcemanager APIs with the following command:

       gcloud services enable --project=PROJECT_ID \
           connectgateway.googleapis.com \
           cloudresourcemanager.googleapis.com

   Replace PROJECT_ID with the ID of your Google Cloud project.

2. Create a group called gke-security-groups in your project's domain if it doesn't exist.

3. Create one or more sub-groups within the gke-security-groups group for cluster authentication.

4. Add users to the newly created sub-groups.

5. For kubectl access using connect gateway, you need to grant IAM roles to the Google groups:

   a. Select an appropriate role for a group. This role determines how the group interacts with the connect gateway. The role can be one of roles/gkehub.gatewayAdmin, roles/gkehub.gatewayEditor, or roles/gkehub.gatewayReader. (Note that you're not granting permissions over the cluster here; that step comes later. Here, you're just determining how users of the group can manipulate the connect gateway.)

   b. Run the following command to grant the role to the group:

          gcloud projects add-iam-policy-binding PROJECT_ID \
              --member=group:GROUP_NAME@DOMAIN \
              --role=GATEWAY_ROLE

      Replace the following:

      - PROJECT_ID: your Google project ID
      - GROUP_NAME: the name of the group to grant access to
      - DOMAIN: your Google Workspace domain
      - GATEWAY_ROLE: the selected role, for example roles/gkehub.gatewayAdmin, roles/gkehub.gatewayEditor, or roles/gkehub.gatewayReader

6. In a Kubernetes manifest, define the permissions each Google group has on the cluster. For example, the following manifest grants the Google group cluster-admin-team the role of cluster administrator:

       apiVersion: rbac.authorization.k8s.io/v1
       kind: ClusterRoleBinding
       metadata:
         name: gateway-cluster-admin-group
       subjects:
       - kind: Group
         name: cluster-admin-team@example.com
       roleRef:
         kind: ClusterRole
         name: cluster-admin
         apiGroup: rbac.authorization.k8s.io

7. Save the manifest to a file and apply it to the cluster by running the following command:

       kubectl apply --kubeconfig=KUBECONFIG_PATH -f FILENAME

   Replace the following:

   - KUBECONFIG_PATH: the path to your kubeconfig file.
   - FILENAME: the name of the manifest file you created.
Once you've performed these steps, users belonging to the authorized Google groups can connect to the cluster. In the given example, users belonging to the Google group cluster-admin-team can connect to the cluster as administrators.
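The procedure above pairs each group with two separate grants: a gateway IAM role and a ClusterRoleBinding. The following added example (not code from the Google Cloud documentation) generates both for the admin, editor and reader groups from the introduction; the mapping from gateway role to Kubernetes built-in ClusterRole, the validate_group check and the sample group names are assumptions, since the page itself shows only cluster-admin.

```python
"""Map Google groups to connect gateway IAM roles and cluster RBAC manifests.
Added example, not from the Google Cloud docs. The role mapping is an assumption;
the page itself only shows cluster-admin. Group names are constructed samples."""
import json
import re

# Assumed mapping. The gateway role only controls access to the gateway itself, so
# each group still needs a ClusterRoleBinding; 'edit' and 'view' are Kubernetes
# built-in ClusterRoles, and 'view' deliberately excludes Secrets.
GATEWAY_TO_CLUSTER_ROLE = {
    "roles/gkehub.gatewayAdmin": "cluster-admin",
    "roles/gkehub.gatewayEditor": "edit",
    "roles/gkehub.gatewayReader": "view",
}

# Constructed sample groups for the page's admin / editor / reader scenario.
SAMPLE_GROUPS = {
    "cluster-admin-team@example.com": "roles/gkehub.gatewayAdmin",
    "cluster-editors@example.com": "roles/gkehub.gatewayEditor",
    "cluster-readers@example.com": "roles/gkehub.gatewayReader",
}

def validate_group(email, domain):
    """Accept only sub-groups in the Workspace domain, never the parent group."""
    local, _, dom = email.partition("@")
    if dom != domain or not re.fullmatch(r"[a-z0-9][a-z0-9._-]*", local):
        raise ValueError(f"{email!r} is not a group in {domain}")
    if local == "gke-security-groups":
        raise ValueError("bind sub-groups, not gke-security-groups itself")
    return local

def iam_binding_command(project_id, email, gateway_role, domain):
    """Build the gcloud command from the page that grants the gateway role."""
    validate_group(email, domain)
    return ["gcloud", "projects", "add-iam-policy-binding", project_id,
            f"--member=group:{email}", f"--role={gateway_role}"]

def cluster_role_binding(email, gateway_role, domain):
    """Return the ClusterRoleBinding as a dict; kubectl apply -f accepts JSON."""
    local = validate_group(email, domain)
    cluster_role = GATEWAY_TO_CLUSTER_ROLE[gateway_role]
    return {"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
            "metadata": {"name": f"gateway-{local}-{cluster_role}"},
            "subjects": [{"kind": "Group", "name": email}],
            "roleRef": {"kind": "ClusterRole", "name": cluster_role,
                        "apiGroup": "rbac.authorization.k8s.io"}}

if __name__ == "__main__":
    for group, role in SAMPLE_GROUPS.items():
        print(" ".join(iam_binding_command("PROJECT_ID", group, role, "example.com")))
        print(json.dumps(cluster_role_binding(group, role, "example.com"), indent=2))
```

Pipe the JSON output to a file and apply it with the kubectl command from step 7; the printed gcloud command is the one from step 5b with the placeholders filled in.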