In this post we will discuss how to set up OIDC in GKE clusters. In the previous post we discussed Kubernetes OIDC and its configuration on EKS.

OIDC in GKE

GCP uses the GKE service for Kubernetes.

You can use the Terraform registry for GKE to set up the cluster.

A few notes before starting:

  • At this moment, this configuration does not have a specific resource in the official Terraform registry for GKE.
  • This configuration generates a new ingress for authentication.
  • Enable the Google Kubernetes Engine API. You can follow these steps.

Associate an OIDC identity provider

Before you start, make sure you have enabled the Google Kubernetes Engine API. You can enable the Identity Service for GKE on a new cluster with:

gcloud container clusters create CLUSTER_NAME \
--enable-identity-service

Replace CLUSTER_NAME with the name of your new cluster.

Enable Identity Service for GKE on an existing cluster:

gcloud container clusters update CLUSTER_NAME \
--enable-identity-service

Replace CLUSTER_NAME with the name of your existing cluster.

These changes may take a significant amount of time to apply.

Configure Identity Service for GKE

  1. Download the default ClientConfig from your cluster:
    kubectl get clientconfig default -n kube-public -o yaml > client-config.yaml

  2. Update the spec.authentication section with your preferred settings:
    apiVersion: authentication.gke.io/v2alpha1
    kind: ClientConfig
    metadata:
      name: default
      namespace: kube-public
    spec:
      clientID: APP_CLIENT_ID
      cloudConsoleRedirectURI: https://console.cloud.google.com/kubernetes/oidc
      groupsClaim: YOUR_GROUPS_CLAIM
      issuerURI: YOUR_ISSUER_URI
      kubectlRedirectURI: YOUR_REDIRECT_URL
      scopes: offline_access,email,profile,groups
      userClaim: YOUR_USER_CLAIM


Visit this link for more details related to the configuration.

  3. Apply the updated configuration:
    kubectl apply -f client-config.yaml

    After you apply this configuration, Identity Service for GKE runs inside your cluster and serves requests behind the gke-oidc-envoy load balancer. The IP address in the spec.server field must be the IP address of the load balancer. If you change the spec.server field, kubectl commands might fail.

  4. Make a copy of the client-config.yaml configuration file:
    cp client-config.yaml login-config.yaml

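As an added check written for this post (example code, not GKE's or Google's own), the script below runs pre-apply sanity checks over the parsed client-config.yaml: leftover template placeholders, an issuer or redirect URI that is not served over TLS, and a missing groupsClaim, which is what the group-based RBAC bindings later in the post depend on. The filled-in issuer, client ID and redirect values are constructed; for a real file, pass the result of yaml.safe_load to check_client_config.

```python
"""Pre-apply checks for a GKE Identity Service ClientConfig (added example, not GKE's own code)."""
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
REQUIRED = ("clientID", "issuerURI", "kubectlRedirectURI", "userClaim", "scopes")

# The post's template, as downloaded from kube-public, with its placeholders still in place.
TEMPLATE = {
    "apiVersion": "authentication.gke.io/v2alpha1", "kind": "ClientConfig",
    "metadata": {"name": "default", "namespace": "kube-public"},
    "spec": {"clientID": "APP_CLIENT_ID", "groupsClaim": "YOUR_GROUPS_CLAIM",
             "cloudConsoleRedirectURI": "https://console.cloud.google.com/kubernetes/oidc",
             "issuerURI": "YOUR_ISSUER_URI", "kubectlRedirectURI": "YOUR_REDIRECT_URL",
             "scopes": "offline_access,email,profile,groups", "userClaim": "YOUR_USER_CLAIM"},
}
# A filled-in version with constructed values (issuer, client ID and redirect are made up).
FILLED = {**TEMPLATE, "spec": {**TEMPLATE["spec"], "clientID": "kubectl-gke", "groupsClaim": "groups",
          "userClaim": "email", "issuerURI": "https://idp.example.com/realms/platform",
          "kubectlRedirectURI": "http://localhost:10000/callback"}}

def with_spec(doc: dict, **overrides) -> dict:
    """Copy `doc` with spec fields replaced; a None value removes the field (for what-if checks)."""
    spec = {k: v for k, v in {**doc["spec"], **overrides}.items() if v is not None}
    return {**doc, "spec": spec}

def check_client_config(doc: dict) -> list[str]:
    """Return the problems found; an empty list means the config is ready for kubectl apply."""
    problems = []
    if (doc.get("apiVersion"), doc.get("kind")) != ("authentication.gke.io/v2alpha1", "ClientConfig"):
        problems.append("document is not an authentication.gke.io/v2alpha1 ClientConfig")
    meta = doc.get("metadata", {})
    if (meta.get("name"), meta.get("namespace")) != ("default", "kube-public"):
        problems.append("Identity Service uses the ClientConfig named 'default' in kube-public")
    spec = doc.get("spec", {})
    problems += [f"spec.{k} is missing" for k in REQUIRED if not spec.get(k)]
    # Unedited template values (APP_CLIENT_ID, YOUR_ISSUER_URI, ...) are all upper case.
    problems += [f"spec.{k} still holds the placeholder {v!r}" for k, v in spec.items()
                 if isinstance(v, str) and v.isupper()]
    # The issuer is the trust anchor: its discovery document and JWKS must be fetched over TLS.
    if spec.get("issuerURI") and urlparse(spec["issuerURI"]).scheme != "https":
        problems.append("spec.issuerURI must be an https:// URL")
    # Redirect URIs receive the authorization code; only loopback may use plain http.
    for key in ("kubectlRedirectURI", "cloudConsoleRedirectURI"):
        u = urlparse(spec.get(key, ""))
        if key in spec and u.scheme != "https" and not (u.scheme == "http" and u.hostname in LOOPBACK):
            problems.append(f"spec.{key} must be https:// (or http:// on loopback)")
    # Group-based RBAC only works if the token's groups claim is both requested and named.
    scopes = {s.strip() for s in spec.get("scopes", "").split(",") if s.strip()}
    if "groups" in scopes and not spec.get("groupsClaim"):
        problems.append("scopes request 'groups' but spec.groupsClaim is unset; group RoleBindings will never match")
    return problems
```

Run check_client_config on the template before editing to see every placeholder listed, then again on your edited file; an empty list is the go-ahead for kubectl apply.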

Log in and authenticate to the cluster

You can use the Google Cloud CLI or kubelogin.

  1. Download the login-config.yaml file provided by your administrator.

  2. Install the Google Cloud CLI SDK, which offers a separate OIDC component. You can install this by running the following command:
    gcloud components install kubectl-oidc
    
  3. Authenticate into your cluster:
    kubectl oidc login --cluster=CLUSTER_NAME --login-config=login-config.yaml
    
  4. After you are authenticated, you can run kubectl commands, for example:
    kubectl --user=oidc get nodes
    

The connection mechanism is the same as discussed in Part I and Part II. You’ll need to configure RBAC too.

What’s next?

In future posts, we may be able to use the Kubernetes API with OIDC authentication for querying purposes. But for now, that’s all, folks!