CtrlK
BlogDocsLog inGet started
Tessl Logo

tessl/pypi-google-cloud-container

Google Cloud Container API client library for managing Google Kubernetes Engine clusters.

Pending
Overview
Eval results
Files

authentication-security.mddocs/

Authentication and Security

Authentication configuration, security policies, and access control for Google Kubernetes Engine clusters. This module covers master authentication, client certificates, workload identity, network security policies, and cluster security features.

Capabilities

Master Authentication Configuration

Configure master authentication including client certificates, username/password, and cluster CA certificates.

def set_master_auth(
    self,
    request=None, *,
    project_id=None,
    zone=None,
    cluster_id=None,
    action=None,
    update=None,
    name=None,
    retry=gapic_v1.method.DEFAULT,
    timeout=None,
    metadata=()
) -> Operation:
    """
    Sets master auth materials. Currently supports changing the admin password or a specific cluster.

    Args:
        project_id (str): Deprecated. The Google Developers Console project ID or project number.
        zone (str): Deprecated. The name of the Google Compute Engine zone.
        cluster_id (str): Deprecated. The name of the cluster to upgrade.
        action (SetMasterAuthRequest.Action): Required. The exact form of action to be taken on the master auth.
        update (MasterAuth): Required. A description of the update.
        name (str): The name (project, location, cluster) of the cluster to set auth.
            Format: projects/{project_id}/locations/{location}/clusters/{cluster_id}
        retry: Retry configuration.
        timeout (float): Request timeout in seconds.
        metadata: Additional gRPC metadata.

    Returns:
        Operation: An operation representing the master auth configuration.
    """

Usage example:

from google.cloud.container_v1.types import MasterAuth, ClientCertificateConfig, SetMasterAuthRequest

# Enable client certificate authentication
master_auth = MasterAuth(
    client_certificate_config=ClientCertificateConfig(
        issue_client_certificate=True
    )
)

operation = client.set_master_auth(
    project_id="my-project",
    zone="us-central1-a",
    cluster_id="my-cluster",
    action=SetMasterAuthRequest.Action.SET_PASSWORD,  # or other actions
    update=master_auth
)

print(f"Updating master auth. Operation: {operation.name}")

JSON Web Keys Retrieval

Get the public component of cluster signing keys in JSON Web Key format for token verification.

def get_json_web_keys(
    self,
    request=None, *,
    parent=None,
    retry=gapic_v1.method.DEFAULT,
    timeout=None,
    metadata=()
) -> GetJSONWebKeysResponse:
    """
    Gets the public component of the cluster signing keys in JSON Web Key format.

    Args:
        parent (str): The cluster (project, location, cluster) to get keys for.
            Format: projects/{project_id}/locations/{location}/clusters/{cluster_id}
        retry: Retry configuration.
        timeout (float): Request timeout in seconds.
        metadata: Additional gRPC metadata.

    Returns:
        GetJSONWebKeysResponse: Response containing the JSON Web Keys.
    """

Usage example:

jwks_response = client.get_json_web_keys(
    parent="projects/my-project/locations/us-central1-a/clusters/my-cluster"
)

for key in jwks_response.keys:
    print(f"Key ID: {key.kty}")
    print(f"Algorithm: {key.alg}")
    print(f"Use: {key.use}")
    print(f"Key Type: {key.kty}")

OpenID Configuration

Get OpenID Connect configuration for the cluster's identity provider.

def get_open_id_config(
    self,
    request=None, *,
    parent=None,
    retry=gapic_v1.method.DEFAULT,
    timeout=None,
    metadata=()
) -> GetOpenIDConfigResponse:
    """
    Gets the OIDC discovery document for the cluster.

    Args:
        parent (str): The cluster (project, location, cluster) to get the discovery document for.
            Format: projects/{project_id}/locations/{location}/clusters/{cluster_id}
        retry: Retry configuration.
        timeout (float): Request timeout in seconds.
        metadata: Additional gRPC metadata.

    Returns:
        GetOpenIDConfigResponse: Response containing the OpenID configuration.
    """

Usage example:

oidc_config = client.get_open_id_config(
    parent="projects/my-project/locations/us-central1-a/clusters/my-cluster"
)

print(f"Issuer: {oidc_config.issuer}")
print(f"JWKS URI: {oidc_config.jwks_uri}")
print(f"Response types supported: {oidc_config.response_types_supported}")
print(f"Subject types supported: {oidc_config.subject_types_supported}")

Workload Identity Configuration

Configure workload identity for secure access to Google Cloud services from Kubernetes workloads.

# Workload Identity is configured through cluster updates
from google.cloud.container_v1.types import ClusterUpdate, WorkloadIdentityConfig

# Enable Workload Identity during cluster update
update_config = ClusterUpdate(
    desired_workload_identity_config=WorkloadIdentityConfig(
        workload_pool="my-project.svc.id.goog"
    )
)

operation = client.update_cluster(
    project_id="my-project",
    zone="us-central1-a",
    cluster_id="my-cluster",
    update=update_config
)

Binary Authorization

Configure Binary Authorization for container image security.

# Binary Authorization is configured through cluster updates
from google.cloud.container_v1.types import ClusterUpdate, BinaryAuthorization

# Enable Binary Authorization
update_config = ClusterUpdate(
    desired_binary_authorization=BinaryAuthorization(
        enabled=True,
        evaluation_mode=BinaryAuthorization.EvaluationMode.PROJECT_SINGLETON_POLICY_ENFORCE
    )
)

operation = client.update_cluster(
    project_id="my-project",
    zone="us-central1-a",
    cluster_id="my-cluster",
    update=update_config
)

Shielded Nodes

Configure shielded nodes for enhanced security using Compute Engine Shielded VMs.

# Shielded Nodes are configured through cluster updates
from google.cloud.container_v1.types import ClusterUpdate, ShieldedNodes

# Enable Shielded Nodes
update_config = ClusterUpdate(
    desired_shielded_nodes=ShieldedNodes(
        enabled=True
    )
)

operation = client.update_cluster(
    project_id="my-project",
    zone="us-central1-a",
    cluster_id="my-cluster",
    update=update_config
)

Confidential Nodes

Configure confidential computing for enhanced data protection.

# Confidential Nodes are configured through cluster updates
from google.cloud.container_v1.types import ClusterUpdate, ConfidentialNodes

# Enable Confidential Nodes
update_config = ClusterUpdate(
    desired_confidential_nodes=ConfidentialNodes(
        enabled=True
    )
)

operation = client.update_cluster(
    project_id="my-project",
    zone="us-central1-a",
    cluster_id="my-cluster",
    update=update_config
)

Network Security Policies

Configure master authorized networks for API server access control.

from google.cloud.container_v1.types import ClusterUpdate, MasterAuthorizedNetworksConfig

# Configure authorized networks
authorized_networks_config = MasterAuthorizedNetworksConfig(
    enabled=True,
    cidr_blocks=[
        MasterAuthorizedNetworksConfig.CidrBlock(
            display_name="Office Network",
            cidr_block="203.0.113.0/24"
        ),
        MasterAuthorizedNetworksConfig.CidrBlock(
            display_name="VPN Network", 
            cidr_block="198.51.100.0/24"
        )
    ]
)

update_config = ClusterUpdate(
    desired_master_authorized_networks_config=authorized_networks_config
)

operation = client.update_cluster(
    project_id="my-project",
    zone="us-central1-a",
    cluster_id="my-cluster",
    update=update_config
)

Private Cluster Configuration

Configure private clusters with private node IPs and private Google access.

from google.cloud.container_v1.types import ClusterUpdate, PrivateClusterConfig

# Configure private cluster
private_config = PrivateClusterConfig(
    enable_private_nodes=True,
    enable_private_endpoint=False,
    master_ipv4_cidr_block="172.16.0.0/28",
    private_endpoint_subnetwork="projects/my-project/regions/us-central1/subnetworks/my-subnet"
)

update_config = ClusterUpdate(
    desired_private_cluster_config=private_config
)

operation = client.update_cluster(
    project_id="my-project",
    zone="us-central1-a", 
    cluster_id="my-cluster",
    update=update_config
)

Types

class SetMasterAuthRequest:
    """SetMasterAuthRequest updates the admin password of a cluster."""
    project_id: str  # Deprecated
    zone: str  # Deprecated
    cluster_id: str  # Deprecated
    action: SetMasterAuthRequest.Action  # Required
    update: MasterAuth  # Required
    name: str  # Required

    class Action(proto.Enum):
        """Action describes the type of master auth action."""
        UNKNOWN = 0
        SET_PASSWORD = 1
        GENERATE_PASSWORD = 2
        SET_USERNAME = 3

class GetJSONWebKeysRequest:
    """GetJSONWebKeysRequest gets the public component of the keys used by the cluster to sign tokens."""
    parent: str  # Required. Format: projects/{project}/locations/{location}/clusters/{cluster}

class GetJSONWebKeysResponse:
    """GetJSONWebKeysResponse is a valid JSON Web Key Set."""
    keys: MutableSequence[Jwk]

class GetOpenIDConfigRequest:
    """GetOpenIDConfigRequest gets the OIDC discovery document for the cluster."""
    parent: str  # Required. Format: projects/{project}/locations/{location}/clusters/{cluster}

class GetOpenIDConfigResponse:
    """GetOpenIDConfigResponse is an OIDC discovery document for the cluster."""
    issuer: str
    jwks_uri: str
    response_types_supported: MutableSequence[str]
    subject_types_supported: MutableSequence[str]
    id_token_signing_alg_values_supported: MutableSequence[str]
    claims_supported: MutableSequence[str]
    grant_types: MutableSequence[str]

class MasterAuth:
    """The authentication information for accessing the master endpoint."""
    username: str  # The username to use for HTTP basic authentication
    password: str  # The password to use for HTTP basic authentication
    client_certificate_config: ClientCertificateConfig  # Configuration for client certificate authentication
    cluster_ca_certificate: str  # Base64-encoded public certificate that is the root of trust for the cluster
    client_certificate: str  # Base64-encoded public certificate used by clients to authenticate to the cluster
    client_key: str  # Base64-encoded private key used by clients to authenticate to the cluster

class ClientCertificateConfig:
    """Configuration for client certificates on the cluster."""
    issue_client_certificate: bool  # Issue a client certificate

class Jwk:
    """Jwk is a JSON Web Key as specified in RFC 7517."""
    kty: str  # Key Type
    alg: str  # Algorithm
    use: str  # Public Key Use  
    kid: str  # Key ID
    n: str  # RSA public key modulus
    e: str  # RSA public key exponent
    x: str  # Elliptic curve public key x coordinate
    y: str  # Elliptic curve public key y coordinate
    crv: str  # Elliptic curve name

class WorkloadIdentityConfig:
    """Configuration for the use of Kubernetes Service Accounts in GCP IAM policies.""" 
    workload_pool: str  # The workload pool to attach all Kubernetes service accounts to

class BinaryAuthorization:
    """Configuration for Binary Authorization."""
    enabled: bool  # Enable Binary Authorization for this cluster
    evaluation_mode: BinaryAuthorization.EvaluationMode  # Mode of operation for Binary Authorization policy evaluation

    class EvaluationMode(proto.Enum):
        """Binary Authorization policy evaluation mode."""
        EVALUATION_MODE_UNSPECIFIED = 0
        DISABLED = 1
        PROJECT_SINGLETON_POLICY_ENFORCE = 2

class ShieldedNodes:
    """Configuration of Shielded Nodes feature."""
    enabled: bool  # Whether Shielded Nodes features are enabled on all nodes in this cluster

class ConfidentialNodes:
    """ConfidentialNodes is configuration of confidential nodes feature."""
    enabled: bool  # Whether Confidential Nodes feature is enabled for all nodes in this cluster   

class MasterAuthorizedNetworksConfig:
    """Configuration options for the master authorized networks feature."""
    enabled: bool  # Whether or not master authorized networks is enabled
    cidr_blocks: MutableSequence[MasterAuthorizedNetworksConfig.CidrBlock]  # cidr_blocks define up to 50 external networks
    gcp_public_cidrs_access_enabled: bool  # Whether master is accessible via Google Compute Engine Public IPs

    class CidrBlock:
        """CidrBlock contains an optional name and one CIDR block."""
        display_name: str  # display_name is an optional field for users to identify CIDR blocks
        cidr_block: str  # cidr_block must be specified in CIDR notation

class PrivateClusterConfig:
    """Configuration options for private clusters."""
    enable_private_nodes: bool  # Whether nodes have internal IP addresses only
    enable_private_endpoint: bool  # Whether the master's internal IP address is used as the cluster endpoint
    master_ipv4_cidr_block: str  # The IP range in CIDR notation to use for the hosted master network
    private_endpoint: str  # Output only. The internal IP address of this cluster's master endpoint
    public_endpoint: str  # Output only. The external IP address of this cluster's master endpoint  
    peering_name: str  # Output only. The peering name in the customer VPC used by this cluster
    master_global_access_config: PrivateClusterMasterGlobalAccessConfig  # Controls master global access settings
    private_endpoint_subnetwork: str  # Subnet to provision the master's private endpoint during cluster creation

class PrivateClusterMasterGlobalAccessConfig:
    """Configuration for controlling master global access settings."""
    enabled: bool  # Whenever master is accessible globally or not

Install with Tessl CLI

npx tessl i tessl/pypi-google-cloud-container

docs

authentication-security.md

cluster-configuration.md

cluster-management.md

index.md

node-pool-operations.md

operations-management.md

tile.json