Securing GKE apps and resources with IAP

This page explains how to secure a Google Kubernetes Engine (GKE) instance with Identity-Aware Proxy (IAP).

To secure resources not on Google Cloud, see Securing on-premises apps and resources.

Overview

IAP is integrated through Ingress for GKE. This integration enables you to control resource-level access for employees instead of using a VPN.

In a GKE cluster, incoming traffic is handled by HTTP(S) Load Balancing, a component of Cloud Load Balancing. The HTTP(S) load balancer is typically configured by the Kubernetes Ingress controller. The Ingress controller gets configuration information from a Kubernetes Ingress object that is associated with one or more Service objects. Each Service object holds routing information that is used to direct an incoming request to a particular Pod and port.

Beginning with Kubernetes version 1.10.5-gke.3, you can add configuration for the load balancer by associating a Service with a BackendConfig object. BackendConfig is a custom resource definition (CRD) that is defined in the kubernetes/ingress-gce repository.

The Kubernetes Ingress controller reads configuration information from the BackendConfig and sets up the load balancer accordingly. A BackendConfig holds configuration information that is specific to Cloud Load Balancing, and enables you to define a separate configuration for each HTTP(S) Load Balancing backend service.
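The three objects described above, wired together as an added example (these manifests are not from this page or from the kubernetes/ingress-gce project): a BackendConfig that enables IAP, a Service whose annotation binds its named port to that BackendConfig, and an Ingress that creates the HTTPS load balancer. The namespace, object names, selector labels, host and TLS secret name are placeholders. With the Google-managed OAuth client the page describes, the BackendConfig needs no OAuth secret reference; if you bring your own OAuth client, the `spec.iap.oauthclientCredentials.secretName` field points at a Kubernetes Secret holding its client ID and secret.

```yaml
# BackendConfig: turns IAP on for every load balancer backend service that
# is created for Services referencing this object. No oauthclientCredentials
# block is needed when the Google-managed OAuth client is used.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: iap-backend-config      # placeholder name
  namespace: my-namespace       # placeholder namespace
spec:
  iap:
    enabled: true
---
# Service: the annotation maps the named port "http" to the BackendConfig,
# so the HTTP(S) Load Balancing backend for that port gets IAP.
apiVersion: v1
kind: Service
metadata:
  name: my-service              # placeholder name
  namespace: my-namespace
  annotations:
    cloud.google.com/backend-config: '{"ports": {"http": "iap-backend-config"}}'
spec:
  type: NodePort
  selector:
    app: my-app                 # placeholder Pod label
  ports:
  - name: http
    port: 80
    targetPort: 8080            # container port of the app, placeholder
---
# Ingress: creates the external HTTP(S) load balancer. Plain HTTP is
# disabled so requests reach the app only through the HTTPS frontend
# where IAP is enforced; host and TLS secret are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress              # placeholder name
  namespace: my-namespace
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
  - secretName: my-tls-secret   # placeholder TLS certificate Secret
  rules:
  - host: app.example.com       # placeholder domain pointing at the load balancer
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-service
            port:
              name: http
```

Apply all three with `kubectl apply -f` and wait for the Ingress to report an external address; the BackendConfig is picked up by the Ingress controller when it programs the backend service for the `http` port. Enabling IAP on the backend only places the check at the load balancer, which is why the prerequisites also call for application code that verifies the identity on every request.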

Before you begin

To enable IAP for GKE, you need the following:

  • A Google Cloud console project with billing enabled.
  • A group of one or more GKE instances, served by an HTTPS load balancer. The load balancer should be created automatically when you create an Ingress object in a GKE cluster.
  • A domain name registered to the address of your load balancer.
  • App code that verifies that every request carries an identity.

IAP uses a Google-managed OAuth client to authenticate users. Only users within the organization can access the IAP-enabled application. If you want to allow access to users outside of your organization, see Enable IAP for external applications.

Enabling IAP

Next steps