Documentation

Google Kubernetes Engine (GKE)

Suggest Edits

Getting Started

This integration allows you to manage user access with Google Kubernetes Engine (GKE). This relies on the Google Groups integration with GKE. It enables you to grant roles to the members of a group in Google Groups.

Setup

Add a Google Groups App

To get started, head to the Apps page. Click the +App button at the top right of the screen, and choose the Google Groups tile.

Opal requires multiple credentials in order to manage your Google Groups.

Step 1 - Configure a service account for Opal

In order for Opal to manage your Google Groups on your behalf, we'll need you to create a service account with proper permission scopes.

  • Open the Service accounts page. If prompted, select a project.
  • Click + Create Service Account. Enter a name and description for the service account. When done click Create.
  • The Service account permissions section that follows is not required. Click Continue.
  • On the Grant users access to this service account screen, click Done.
  • Select the new service account.
  • Click the Keys tab.
  • Click the Add key drop-down menu, then select Create new key.
  • Select JSON as the Key type and click Create.
  • Your new public/private key pair is generated and downloaded to your machine.
  • Click Close on the Private key saved to your computer dialog, then return to the table of your service accounts.
    We then need to enable G Suite domain-wide delegation with the following steps:
  • Locate the newly-created service account in the table. Under Actions, click Manage details.
  • In the service account details, click Show domain-wide delegation, then ensure the Enable G Suite Domain-wide Delegation checkbox is checked.
  • If you haven't yet configured your app's OAuth consent, you must do so before you can enable domain-wide delegation. Follow the on-screen instructions to configure the OAuth consent screen, then repeat the above steps and re-check the checkbox.
  • Click Save to update the service account, and return to the table of service accounts. A new column, Domain-wide delegation, can be seen. Click View Client ID to obtain and make a note of the client ID.
    Now let's delegate domain-wide authority to your service account:

To access user data on a Google Workspace domain, the service account that you created needs to be granted access by a super administrator for the domain. To delegate domain-wide authority to a service account, follow those steps:

  • From your Google Workspace domain's Admin console, go to Main menu > Security > API controls.
  • In the Domain wide delegation pane, select Manage Domain Wide Delegation.
  • Click Add new.
  • In the Client ID field, enter the client ID obtained from the service account creation steps above.
  • In the OAuth Scopes field, enter the following scope:
https://www.googleapis.com/auth/admin.directory.group
  • Click Authorize.
    Your service account now has domain-wide access to the Google Admin Directory API for all the users of your domain with admin access.

Step 2 - Turn on the Google Admin API

Step 3 - Create Opal group

  • Create a Google Group called Opal. This group can be used later to automatically import groups into Opal (outside of GKE) by adding them as members of this group.

Step 4 - Fill out Opal form

  • Back in Opal form, fill in details about your Google Groups service account:
  • For Opal group email, you should enter the email of the Google group created above.
  • For Google Workspace admin email, you should enter the email of someone in your organization with at least Groups Admin privileges. If the service account is used outside of GKE, then Super Admin privileges are required on the admin email.
  • Then click to upload the downloaded JSON file for the created service account.
    If this step is successful, you have completed setting up the Google Groups server connection.

Setting up your GKE clusters

Step 1 - Enable Google Groups for RBAC

In the GKE console, select a cluster and click Edit.

  • Look for the setting Google Groups for RBAC and click the Edit button.
  • Check Enable Google Groups for RBAC.
  • Complete the security group name with your domain name.
  • Click Save changes.

Step 2 - Create Google Groups for access levels

Head over to Google Groups.

  • Create a group with the name gke-security-groups. Make sure the gke-security-groups group has the View Members permission for Group Members.
  • Create a group for cluster admin access level. Please use the following format for naming: opal_CLUSTER_NAME_ACCESS_LEVEL. Each group must have the View Members permission for Group Members.
    - Example: if your cluster name is Acme-prod, and access level is admin, the group name should be opal_Acme-prod_admin.
  • In the gke-security-groups group, click Add member and add the group we just created.

Step 3 - Define cluster role bindings in Kubernetes

Let's now assign the Google Group to a Kubernetes RBAC role.

  • Run kubectl edit clusterrolebinding cluster-admin
  • Edit the subjects array so it contains the following:
subjects:
- apiGroup: rbac.authorization.k8s.io  
  kind: Group  
  name: system:masters
- apiGroup: rbac.authorization.k8s.io  
  kind: Group  
  name: opal\_Acme-prod\[email protected]
  • Save and exit.

Accessing your clusters in Opal

The groups that were added under the gke-security-groups group will show up as Roles for your clusters.

Users are then able to request access to the Roles defined earlier. Once the access is granted users will be able to run kubectl commands after connecting to the cluster with gcloud.

Updated 26 days ago