本頁面說明如何使用 Identity-Aware Proxy (IAP) 保護 Google Kubernetes Engine (GKE) 執行個體。
總覽
IAP 已透過 GKE 的輸入整合。這項整合功能可讓您控制員工的資源層級存取權,而非使用 VPN。
在 GKE 叢集中,連入流量是由 Cloud Load Balancing 的元件「HTTP(S) 負載平衡」處理。HTTP(S) 負載平衡器通常是由 Kubernetes Ingress 控制器設定。輸入控制器會從 Kubernetes 輸入物件取得設定資訊,這個輸入物件與一或多個 Service 物件相關聯。每個 Service 物件都會保留用來將傳入要求導向特定 Pod 及通訊埠的轉送資訊。
從 Kubernetes 1.10.5-gke.3 版開始,您可以為負載平衡器新增設定,方法是建立服務與 BackendConfig 物件之間的關聯。BackendConfig 是在 kubernetes/ingress-gce 存放區定義的自訂資源定義 (CRD)。
Kubernetes 輸入控制器會讀取 BackendConfig 中的設定資訊,並據此設定負載平衡器。BackendConfig 會保留 Cloud Load Balancing 專屬的設定資訊,並且可讓您為每個 HTTP(S) 負載平衡後端服務定義單獨的設定。
事前準備
如要為 GKE 啟用 IAP,請先準備好下列項目:
- 已啟用計費功能的 Google Cloud 主控台專案。
- 一或多個 GKE 執行個體的群組,由 HTTPS 負載平衡器提供服務。當您在 GKE 叢集中建立輸入物件時,系統應會自動建立負載平衡器。
- 瞭解如何為 HTTPS 建立輸入。
- 已註冊至您負載平衡器位址的網域名稱。
- 確認所有要求都擁有身分識別資訊的應用程式程式碼。
- 瞭解如何取得使用者身分識別資訊。
IAP 會使用 Google 代管的 OAuth 用戶端來驗證使用者。只有機構內的使用者可以存取啟用 IAP 的應用程式。如要允許機構外使用者存取,請參閱「為外部應用程式啟用應用程式內購功能」。
啟用 IAP
If you haven't configured your project's OAuth consent screen, you'll be prompted to do so. To configure your OAuth consent screen, see Setting up your OAuth consent screen.
If you are running GKE clusters version 1.24 or later, you can configure
IAP and GKE by using the Kubernetes Gateway API. To do so, complete
the following steps and then follow the instructions in
Configure IAP.
Do not configure BackendConfig.
Setting up IAP access
-
Go to the
Identity-Aware Proxy page.
Go to the Identity-Aware Proxy page - Select the project you want to secure with IAP.
-
Select the checkbox next to the resource you want to grant access to.
If you don't see a resource, ensure that the resource is created and that the BackendConfig Compute Engine ingress controller is synced.
To verify that the backend service is available, run the following gcloud command:
gcloud compute backend-services list - On the right side panel, click Add principal.
-
In the Add principals dialog that appears, enter the email addresses of groups or
individuals who should have the IAP-secured Web App User role for the project.
The following kinds of principals can have this role:
- Google Account: user@gmail.com
- Google Group: admins@googlegroups.com
- Service account: server@example.gserviceaccount.com
- Google Workspace domain: example.com
Make sure to add a Google Account that you have access to.
- Select Cloud IAP > IAP-secured Web App User from the Roles drop-down list.
- Click Save.
Configuring BackendConfig
You can configure a BackendConfig for IAP by adding an iap block.
Adding an iap block to the BackendConfig
To configure the BackendConfig for IAP, you need to specify the
enabled value. Ensure
that you have the compute.backendServices.update permission and add the
iap block to BackendConfig.
For GKE versions 1.16.8-gke.3 and higher, use the cloud.google.com/v1 API version.
If you are using an earlier GKE version, use cloud.google.com/v1beta1.
apiVersion: cloud.google.com/v1 kind: BackendConfig metadata: name: CONFIG_DEFAULT namespace: my-namespace spec: iap: enabled: true
Associate a service port with a BackendConfig
You also need to associate Service ports with your BackendConfig to trigger turning on IAP. One way to make this association is to make all ports for the service default to your BackendConfig, which you can do by adding the following annotation to your Service resource:
metadata: annotations: beta.cloud.google.com/backend-config: '{"default": "CONFIG_DEFAULT"}'
Verify the BackendConfig
To test the configuration, run kubectl get event. If you see the message
"no BackendConfig for service port exists", then you successfully
associated a service port with your BackendConfig, but the BackendConfig
resource wasn't found. This error can occur if you haven't created the BackendConfig resource,
created it in the wrong namespace, or misspelled the reference in the Service annotation.
Turning IAP off
To turn IAP off, you must set enabled to
false in the BackendConfig. If you delete the IAP
block from BackendConfig, the settings will persist. For example, if IAP is
enabled and you delete the block then IAP will still be turned on.