K
Q

Using Google IAM for GKE service web access

9/2/2018

I am hosting an application on GKE and would like to be able to let users from my organization access this application from the web. I would like them to be able to log-in using their Google Account IAM credentials.

Is there a way to configure a service exposing the clusters web endpoint such that to access this service the user simply needs to login with their google account?

For example, when testing a service I can easily do a web-preview in the cloud-shell and then access the web application in my browser.

Is there a way to configure this such that any users authorized in my organization can access the web interface of my application?

(Note, I asked the same question on DevOps but I feel like that site is not yet as active as it should be so I ask here as well)

-- Inbar Rose
google-cloud-platform
google-iam
google-identity
google-kubernetes-engine
kubernetes

Similar Questions

How do I talk to a pod from sidecar container in Kubernetes?
Kubernetes nginx php deployment
Pull images from Kubernetes running on AWS with ECR pulls images from the wrong region in other account
Make external API hit from kubernetes
Get details of a Helm dependency
What is `deployment.apps` in Kubernetes?
How to deploy React and Django REST framework on kubernetes using minikube?
Unable to attach or mount volumes : timed out waiting for the condition
Kubernetes: kafka pod rechability issue from another pod
How to keep long lived connection alive even when the Kubernetes pod get killed?

1 Answer

9/4/2018

Okay, I managed to make it work perfectly. But it took a few steps. I am including the manifest here that is required to setup the IAP using an ingress. It requires a few things which I listed in the manifest below. Hopefully this can help others since I could not find a single source that had all of this put together. Essentially all you need to do is run kubectl apply -f secure-ingress.yaml to make everything work (as long as you have all the depenedencies) and then you just need to configure your IAP as you like it.

secure-ingress.yaml

# Configure IAP security using ingress automatically
# requirements: kubernetes version at least 1.10.5-gke.3
# requirements: service must respond with 200 at / endpoint (the healthcheck)
# dependencies: need certificate secret my-secret-cert
# dependencies: need oath-client secret my-secret-oath (with my.domain.com configured)
# dependencies: need external IP address my-external-ip
# dependencies: need domain my.domain.com to point to my-external-ip IP
# dependencies: need an app (deployment/statefulset) my-app
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-secure-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.allow-http: "false"
    kubernetes.io/ingress.global-static-ip-name: my-external-ip
spec:
  tls:
  - secretName: my-secret-cert
  backend:
    serviceName: my-service-be-web
    servicePort: 1234
---
kind: Service
apiVersion: v1
metadata:
  name: my-service-be-web
  namespace: default
  annotations:
    beta.cloud.google.com/backend-config:
      '{"default": "my-service-be-conf"}'
spec:
  type: NodePort
  selector:
    app: my-app
  ports:
    - protocol: TCP
      port: 1234
      targetPort: 1234
      name: my-port-web
---
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
  name: my-service-be-conf
  namespace: default
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: my-secret-oath
-- Inbar Rose
Source: StackOverflow