Manage identity with GKE Identity Service

GKE on Azure supports OpenID Connect (OIDC) as an authentication mechanism for interacting with a cluster's Kubernetes API server, using GKE Identity Service. GKE Identity Service is an authentication service that lets you bring your existing identity solutions for authentication to multiple environments. Users can log in to and use your GKE clusters from the command line or from the Google Cloud console, all using your existing identity provider.

For an overview of how GKE Identity Service works, see Introducing GKE Identity Service.

If you already use or want to use Google identities to log in to your GKE clusters, we recommend using the gcloud containers azure clusters get-credentials command for authentication. Find out more in Connect and authenticate to your cluster.

OpenID Connect authentication

Before you begin

  1. To use OIDC authentication, users must be able to connect to the cluster's control plane. See Connect to your cluster's control plane.

  2. To authenticate through the Google Cloud console, you must register each cluster that you want to configure with your project fleet. For GKE on Azure, this is automatic once you have created a node pool.

  3. To allow users to authenticate through the Google Cloud console, ensure that all clusters you want to configure are registered with your project fleet. For GKE on Azure, this is automatic once you have created a node pool.

Setup process and options

  1. Register GKE Identity Service as a client with your OIDC provider following the instructions in Configuring providers for GKE Identity Service.

  2. Choose from the following cluster configuration options:

  3. Set up user access to your clusters, including role-based access control (RBAC), following the instructions in Setting up user access for GKE Identity Service.

Accessing clusters

After GKE Identity Service has been set up on a cluster, users can log in to clusters using either the command line or the Google Cloud console.