使用 Google IAM 进行 GKE 服务网络访问
[英]Using Google IAM for GKE service web access
问题描述
I am hosting an application on GKE and would like to be able to let users from my organization access this application from the web.
我在 GKE 上托管了一个应用程序,并希望能够让我组织的用户从 Web 访问此应用程序。 I would like them to be able to log-in using their Google Account IAM credentials.我希望他们能够使用他们的 Google 帐户 IAM 凭据登录。
Is there a way to configure a service exposing the clusters web endpoint such that to access this service the user simply needs to login with their google account?有没有办法配置暴露集群 Web 端点的服务,以便用户只需使用他们的 google 帐户登录即可访问此服务?
For example, when testing a service I can easily do a web-preview in the cloud-shell and then access the web application in my browser.例如,在测试服务时,我可以轻松地在 cloud-shell 中进行 Web 预览,然后在浏览器中访问 Web 应用程序。
Is there a way to configure this such that any users authorized in my organization can access the web interface of my application?有没有办法进行配置,以便在我的组织中授权的任何用户都可以访问我的应用程序的 Web 界面?
(Note, I asked the same question on DevOps but I feel like that site is not yet as active as it should be so I ask here as well) (注意,我在 DevOps 上问了同样的问题,但我觉得那个网站还没有像它应该的那样活跃,所以我也在这里问)
1 个解决方案
解决方案1
2 已采纳 2018-09-04 11:23:25
Okay, I managed to make it work perfectly.好的,我设法让它完美地工作。 But it took a few steps.但它走了几步。 I am including the manifest here that is required to setup the IAP using an ingress .我在此处包含使用 ingress设置IAP所需的清单。 It requires a few things which I listed in the manifest below.它需要我在下面的清单中列出的一些东西。 Hopefully this can help others since I could not find a single source that had all of this put together.希望这可以帮助其他人,因为我找不到将所有这些放在一起的单一来源。 Essentially all you need to do is run kubectl apply -f secure-ingress.yaml to make everything work (as long as you have all the depenedencies) and then you just need to configure your IAP as you like it.基本上,您需要做的就是运行kubectl apply -f secure-ingress.yaml以使一切正常(只要您拥有所有依赖项),然后您只需要根据自己的喜好配置IAP 。
secure-ingress.yaml
# Configure IAP security using ingress automatically
# requirements: kubernetes version at least 1.10.5-gke.3
# requirements: service must respond with 200 at / endpoint (the healthcheck)
# dependencies: need certificate secret my-secret-cert
# dependencies: need oath-client secret my-secret-oath (with my.domain.com configured)
# dependencies: need external IP address my-external-ip
# dependencies: need domain my.domain.com to point to my-external-ip IP
# dependencies: need an app (deployment/statefulset) my-app
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-secure-ingress
namespace: default
annotations:
kubernetes.io/ingress.class: "gce"
kubernetes.io/ingress.allow-http: "false"
kubernetes.io/ingress.global-static-ip-name: my-external-ip
spec:
tls:
- secretName: my-secret-cert
backend:
serviceName: my-service-be-web
servicePort: 1234
---
kind: Service
apiVersion: v1
metadata:
name: my-service-be-web
namespace: default
annotations:
beta.cloud.google.com/backend-config:
'{"default": "my-service-be-conf"}'
spec:
type: NodePort
selector:
app: my-app
ports:
- protocol: TCP
port: 1234
targetPort: 1234
name: my-port-web
---
apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
name: my-service-be-conf
namespace: default
spec:
iap:
enabled: true
oauthclientCredentials:
secretName: my-secret-oath
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.