0
# Authentication and Security
1
2
Authentication configuration, security policies, and access control for Google Kubernetes Engine clusters. This module covers master authentication, client certificates, workload identity, network security policies, and cluster security features.
3
4
## Capabilities
5
6
### Master Authentication Configuration
7
8
Configure master authentication including client certificates, username/password, and cluster CA certificates.
9
10
```python { .api }
11
def set_master_auth(
12
self,
13
request=None, *,
14
project_id=None,
15
zone=None,
16
cluster_id=None,
17
action=None,
18
update=None,
19
name=None,
20
retry=gapic_v1.method.DEFAULT,
21
timeout=None,
22
metadata=()
23
) -> Operation:
24
"""
25
Sets master auth materials. Currently supports changing the admin password or a specific cluster.
26
27
Args:
28
project_id (str): Deprecated. The Google Developers Console project ID or project number.
29
zone (str): Deprecated. The name of the Google Compute Engine zone.
30
cluster_id (str): Deprecated. The name of the cluster to upgrade.
31
action (SetMasterAuthRequest.Action): Required. The exact form of action to be taken on the master auth.
32
update (MasterAuth): Required. A description of the update.
33
name (str): The name (project, location, cluster) of the cluster to set auth.
34
Format: projects/{project_id}/locations/{location}/clusters/{cluster_id}
35
retry: Retry configuration.
36
timeout (float): Request timeout in seconds.
37
metadata: Additional gRPC metadata.
38
39
Returns:
40
Operation: An operation representing the master auth configuration.
41
"""
42
```
43
44
Usage example:
45
46
```python
47
from google.cloud.container_v1.types import MasterAuth, ClientCertificateConfig, SetMasterAuthRequest
48
49
# Enable client certificate authentication
50
master_auth = MasterAuth(
51
client_certificate_config=ClientCertificateConfig(
52
issue_client_certificate=True
53
)
54
)
55
56
operation = client.set_master_auth(
57
project_id="my-project",
58
zone="us-central1-a",
59
cluster_id="my-cluster",
60
action=SetMasterAuthRequest.Action.SET_PASSWORD, # or other actions
61
update=master_auth
62
)
63
64
print(f"Updating master auth. Operation: {operation.name}")
65
```
66
67
### JSON Web Keys Retrieval
68
69
Get the public component of cluster signing keys in JSON Web Key format for token verification.
70
71
```python { .api }
72
def get_json_web_keys(
73
self,
74
request=None, *,
75
parent=None,
76
retry=gapic_v1.method.DEFAULT,
77
timeout=None,
78
metadata=()
79
) -> GetJSONWebKeysResponse:
80
"""
81
Gets the public component of the cluster signing keys in JSON Web Key format.
82
83
Args:
84
parent (str): The cluster (project, location, cluster) to get keys for.
85
Format: projects/{project_id}/locations/{location}/clusters/{cluster_id}
86
retry: Retry configuration.
87
timeout (float): Request timeout in seconds.
88
metadata: Additional gRPC metadata.
89
90
Returns:
91
GetJSONWebKeysResponse: Response containing the JSON Web Keys.
92
"""
93
```
94
95
Usage example:
96
97
```python
98
jwks_response = client.get_json_web_keys(
99
parent="projects/my-project/locations/us-central1-a/clusters/my-cluster"
100
)
101
102
for key in jwks_response.keys:
103
print(f"Key ID: {key.kty}")
104
print(f"Algorithm: {key.alg}")
105
print(f"Use: {key.use}")
106
print(f"Key Type: {key.kty}")
107
```
108
109
### OpenID Configuration
110
111
Get OpenID Connect configuration for the cluster's identity provider.
112
113
```python { .api }
114
def get_open_id_config(
115
self,
116
request=None, *,
117
parent=None,
118
retry=gapic_v1.method.DEFAULT,
119
timeout=None,
120
metadata=()
121
) -> GetOpenIDConfigResponse:
122
"""
123
Gets the OIDC discovery document for the cluster.
124
125
Args:
126
parent (str): The cluster (project, location, cluster) to get the discovery document for.
127
Format: projects/{project_id}/locations/{location}/clusters/{cluster_id}
128
retry: Retry configuration.
129
timeout (float): Request timeout in seconds.
130
metadata: Additional gRPC metadata.
131
132
Returns:
133
GetOpenIDConfigResponse: Response containing the OpenID configuration.
134
"""
135
```
136
137
Usage example:
138
139
```python
140
oidc_config = client.get_open_id_config(
141
parent="projects/my-project/locations/us-central1-a/clusters/my-cluster"
142
)
143
144
print(f"Issuer: {oidc_config.issuer}")
145
print(f"JWKS URI: {oidc_config.jwks_uri}")
146
print(f"Response types supported: {oidc_config.response_types_supported}")
147
print(f"Subject types supported: {oidc_config.subject_types_supported}")
148
```
149
150
### Workload Identity Configuration
151
152
Configure workload identity for secure access to Google Cloud services from Kubernetes workloads.
153
154
```python
155
# Workload Identity is configured through cluster updates
156
from google.cloud.container_v1.types import ClusterUpdate, WorkloadIdentityConfig
157
158
# Enable Workload Identity during cluster update
159
update_config = ClusterUpdate(
160
desired_workload_identity_config=WorkloadIdentityConfig(
161
workload_pool="my-project.svc.id.goog"
162
)
163
)
164
165
operation = client.update_cluster(
166
project_id="my-project",
167
zone="us-central1-a",
168
cluster_id="my-cluster",
169
update=update_config
170
)
171
```
172
173
### Binary Authorization
174
175
Configure Binary Authorization for container image security.
176
177
```python
178
# Binary Authorization is configured through cluster updates
179
from google.cloud.container_v1.types import ClusterUpdate, BinaryAuthorization
180
181
# Enable Binary Authorization
182
update_config = ClusterUpdate(
183
desired_binary_authorization=BinaryAuthorization(
184
enabled=True,
185
evaluation_mode=BinaryAuthorization.EvaluationMode.PROJECT_SINGLETON_POLICY_ENFORCE
186
)
187
)
188
189
operation = client.update_cluster(
190
project_id="my-project",
191
zone="us-central1-a",
192
cluster_id="my-cluster",
193
update=update_config
194
)
195
```
196
197
### Shielded Nodes
198
199
Configure shielded nodes for enhanced security using Compute Engine Shielded VMs.
200
201
```python
202
# Shielded Nodes are configured through cluster updates
203
from google.cloud.container_v1.types import ClusterUpdate, ShieldedNodes
204
205
# Enable Shielded Nodes
206
update_config = ClusterUpdate(
207
desired_shielded_nodes=ShieldedNodes(
208
enabled=True
209
)
210
)
211
212
operation = client.update_cluster(
213
project_id="my-project",
214
zone="us-central1-a",
215
cluster_id="my-cluster",
216
update=update_config
217
)
218
```
219
220
### Confidential Nodes
221
222
Configure confidential computing for enhanced data protection.
223
224
```python
225
# Confidential Nodes are configured through cluster updates
226
from google.cloud.container_v1.types import ClusterUpdate, ConfidentialNodes
227
228
# Enable Confidential Nodes
229
update_config = ClusterUpdate(
230
desired_confidential_nodes=ConfidentialNodes(
231
enabled=True
232
)
233
)
234
235
operation = client.update_cluster(
236
project_id="my-project",
237
zone="us-central1-a",
238
cluster_id="my-cluster",
239
update=update_config
240
)
241
```
242
243
### Network Security Policies
244
245
Configure master authorized networks for API server access control.
246
247
```python
248
from google.cloud.container_v1.types import ClusterUpdate, MasterAuthorizedNetworksConfig
249
250
# Configure authorized networks
251
authorized_networks_config = MasterAuthorizedNetworksConfig(
252
enabled=True,
253
cidr_blocks=[
254
MasterAuthorizedNetworksConfig.CidrBlock(
255
display_name="Office Network",
256
cidr_block="203.0.113.0/24"
257
),
258
MasterAuthorizedNetworksConfig.CidrBlock(
259
display_name="VPN Network",
260
cidr_block="198.51.100.0/24"
261
)
262
]
263
)
264
265
update_config = ClusterUpdate(
266
desired_master_authorized_networks_config=authorized_networks_config
267
)
268
269
operation = client.update_cluster(
270
project_id="my-project",
271
zone="us-central1-a",
272
cluster_id="my-cluster",
273
update=update_config
274
)
275
```
276
277
### Private Cluster Configuration
278
279
Configure private clusters with private node IPs and private Google access.
280
281
```python
282
from google.cloud.container_v1.types import ClusterUpdate, PrivateClusterConfig
283
284
# Configure private cluster
285
private_config = PrivateClusterConfig(
286
enable_private_nodes=True,
287
enable_private_endpoint=False,
288
master_ipv4_cidr_block="172.16.0.0/28",
289
private_endpoint_subnetwork="projects/my-project/regions/us-central1/subnetworks/my-subnet"
290
)
291
292
update_config = ClusterUpdate(
293
desired_private_cluster_config=private_config
294
)
295
296
operation = client.update_cluster(
297
project_id="my-project",
298
zone="us-central1-a",
299
cluster_id="my-cluster",
300
update=update_config
301
)
302
```
303
304
## Types
305
306
```python { .api }
307
class SetMasterAuthRequest:
308
"""SetMasterAuthRequest updates the admin password of a cluster."""
309
project_id: str # Deprecated
310
zone: str # Deprecated
311
cluster_id: str # Deprecated
312
action: SetMasterAuthRequest.Action # Required
313
update: MasterAuth # Required
314
name: str # Required
315
316
class Action(proto.Enum):
317
"""Action describes the type of master auth action."""
318
UNKNOWN = 0
319
SET_PASSWORD = 1
320
GENERATE_PASSWORD = 2
321
SET_USERNAME = 3
322
323
class GetJSONWebKeysRequest:
324
"""GetJSONWebKeysRequest gets the public component of the keys used by the cluster to sign tokens."""
325
parent: str # Required. Format: projects/{project}/locations/{location}/clusters/{cluster}
326
327
class GetJSONWebKeysResponse:
328
"""GetJSONWebKeysResponse is a valid JSON Web Key Set."""
329
keys: MutableSequence[Jwk]
330
331
class GetOpenIDConfigRequest:
332
"""GetOpenIDConfigRequest gets the OIDC discovery document for the cluster."""
333
parent: str # Required. Format: projects/{project}/locations/{location}/clusters/{cluster}
334
335
class GetOpenIDConfigResponse:
336
"""GetOpenIDConfigResponse is an OIDC discovery document for the cluster."""
337
issuer: str
338
jwks_uri: str
339
response_types_supported: MutableSequence[str]
340
subject_types_supported: MutableSequence[str]
341
id_token_signing_alg_values_supported: MutableSequence[str]
342
claims_supported: MutableSequence[str]
343
grant_types: MutableSequence[str]
344
345
class MasterAuth:
346
"""The authentication information for accessing the master endpoint."""
347
username: str # The username to use for HTTP basic authentication
348
password: str # The password to use for HTTP basic authentication
349
client_certificate_config: ClientCertificateConfig # Configuration for client certificate authentication
350
cluster_ca_certificate: str # Base64-encoded public certificate that is the root of trust for the cluster
351
client_certificate: str # Base64-encoded public certificate used by clients to authenticate to the cluster
352
client_key: str # Base64-encoded private key used by clients to authenticate to the cluster
353
354
class ClientCertificateConfig:
355
"""Configuration for client certificates on the cluster."""
356
issue_client_certificate: bool # Issue a client certificate
357
358
class Jwk:
359
"""Jwk is a JSON Web Key as specified in RFC 7517."""
360
kty: str # Key Type
361
alg: str # Algorithm
362
use: str # Public Key Use
363
kid: str # Key ID
364
n: str # RSA public key modulus
365
e: str # RSA public key exponent
366
x: str # Elliptic curve public key x coordinate
367
y: str # Elliptic curve public key y coordinate
368
crv: str # Elliptic curve name
369
370
class WorkloadIdentityConfig:
371
"""Configuration for the use of Kubernetes Service Accounts in GCP IAM policies."""
372
workload_pool: str # The workload pool to attach all Kubernetes service accounts to
373
374
class BinaryAuthorization:
375
"""Configuration for Binary Authorization."""
376
enabled: bool # Enable Binary Authorization for this cluster
377
evaluation_mode: BinaryAuthorization.EvaluationMode # Mode of operation for Binary Authorization policy evaluation
378
379
class EvaluationMode(proto.Enum):
380
"""Binary Authorization policy evaluation mode."""
381
EVALUATION_MODE_UNSPECIFIED = 0
382
DISABLED = 1
383
PROJECT_SINGLETON_POLICY_ENFORCE = 2
384
385
class ShieldedNodes:
386
"""Configuration of Shielded Nodes feature."""
387
enabled: bool # Whether Shielded Nodes features are enabled on all nodes in this cluster
388
389
class ConfidentialNodes:
390
"""ConfidentialNodes is configuration of confidential nodes feature."""
391
enabled: bool # Whether Confidential Nodes feature is enabled for all nodes in this cluster
392
393
class MasterAuthorizedNetworksConfig:
394
"""Configuration options for the master authorized networks feature."""
395
enabled: bool # Whether or not master authorized networks is enabled
396
cidr_blocks: MutableSequence[MasterAuthorizedNetworksConfig.CidrBlock] # cidr_blocks define up to 50 external networks
397
gcp_public_cidrs_access_enabled: bool # Whether master is accessible via Google Compute Engine Public IPs
398
399
class CidrBlock:
400
"""CidrBlock contains an optional name and one CIDR block."""
401
display_name: str # display_name is an optional field for users to identify CIDR blocks
402
cidr_block: str # cidr_block must be specified in CIDR notation
403
404
class PrivateClusterConfig:
405
"""Configuration options for private clusters."""
406
enable_private_nodes: bool # Whether nodes have internal IP addresses only
407
enable_private_endpoint: bool # Whether the master's internal IP address is used as the cluster endpoint
408
master_ipv4_cidr_block: str # The IP range in CIDR notation to use for the hosted master network
409
private_endpoint: str # Output only. The internal IP address of this cluster's master endpoint
410
public_endpoint: str # Output only. The external IP address of this cluster's master endpoint
411
peering_name: str # Output only. The peering name in the customer VPC used by this cluster
412
master_global_access_config: PrivateClusterMasterGlobalAccessConfig # Controls master global access settings
413
private_endpoint_subnetwork: str # Subnet to provision the master's private endpoint during cluster creation
414
415
class PrivateClusterMasterGlobalAccessConfig:
416
"""Configuration for controlling master global access settings."""
417
enabled: bool # Whenever master is accessible globally or not
418
```