Manage identity with GKE Identity Service
GKE on Azure supports OpenID Connect (OIDC) as an authentication mechanism for interacting with a cluster's Kubernetes API server, using GKE Identity Service. GKE Identity Service is an authentication service that lets you bring your existing identity solutions for authentication to multiple environments. Users can log in to and use your GKE clusters from the command line or from the Google Cloud console, all using your existing identity provider.
For an overview of how GKE Identity Service works, see Introducing GKE Identity Service.
If you already use or want to use Google identities to log in to your
GKE clusters, we recommend using the
gcloud containers azure clusters get-credentials
command for authentication. Find out
more in
Connect and authenticate to your cluster.
OpenID Connect authentication
Before you begin
To use OIDC authentication, users must be able to connect to the cluster's control plane. See Connect to your cluster's control plane.
To authenticate through the Google Cloud console, you must register each cluster that you want to configure with your project fleet. For GKE on Azure, this is automatic once you have created a node pool.
To allow users to authenticate through the Google Cloud console, ensure that all clusters you want to configure are registered with your project fleet. For GKE on Azure, this is automatic once you have created a node pool.
Setup process and options
Register GKE Identity Service as a client with your OIDC provider following the instructions in Configuring providers for GKE Identity Service.
Choose from the following cluster configuration options:
Configure your clusters at the fleet-level following the instructions in Configuring clusters for fleet-level GKE Identity Service. With this option, your authentication configuration is centrally managed by Google Cloud.
Configure your clusters individually following the instructions in Configuring clusters for GKE Identity Service with OIDC.
Set up user access to your clusters, including role-based access control (RBAC), following the instructions in Setting up user access for GKE Identity Service.
Accessing clusters
After GKE Identity Service has been set up on a cluster, users can log in to clusters using either the command line or the Google Cloud console.
- Learn how to log in to registered clusters with your OIDC ID in Accessing clusters using GKE Identity Service.
- Learn how to log in to clusters from the Google Cloud console in Logging in to a cluster from the Google Cloud console.