Google Kubernetes Engine (GKE)
Overview
GKE is a Google-managed implementation of the Kubernetes open-source container orchestration platform. It provides the operational power of Kubernetes while managing many of the underlying components, such as the control plane and nodes, for you.
Entitle can manage Clusters and Namespaces in GKE.
This page will provide you with instructions on how to integrate Entitle and GKE.
General guidelines
To integrate your Google Kubernetes Engine in Entitle, you will need to run the entitle_google_integrator setup that you downloaded and unzipped from the Google Integrations page, and configure Domain-Wide Delegation.
Set up GKE to work with Entitle
Stage 1: Running the setup script
The setup will consist of the following actions:
- Create an Entitle service account in the chosen project
- Create an organization-level role with the required permissions or add permissions to it if it already exists
- Bind the role to the service account at the chosen project
- Enable the required API service for the integration:
- Generate a key for the service account and download it to your local machine
- Go to your GCP web console.
- At the top left corner, select the project in which you chose to create Entitle's service account.
- Click on the shell icon at the top right corner.

- Navigate to the path of the unzipped folder entitle_google_integrator, and run the following commands:
# For a basic configuration, create a service account in the current project and assign the role to it at the project-level
bash run.sh -i gke -k
# You may also assign the role in the parent folder or organization-level
bash run.sh -i gke -b folder -k
bash run.sh -i gke -b organization -k
# For more options use the -h flag
bash run.sh -h
- Download the created JSON file on setup completion. You will use it later in this guide.

Stage 2: Configure domain-wide delegation
Your service account needs to have domain-wide delegation on a certain scope.
- Go to the Manage Domain-Wide Delegation page
- Click ‘Add new’:

- In the ‘Client ID’ field, enter the 21-digit number obtained from the key JSON file under the client_id field.
- In the ‘OAuth scopes’ field, enter the following scopes:
https://www.googleapis.com/auth/admin.directory.user.readonly, https://www.googleapis.com/auth/admin.directory.group.readonly
- Click ‘Authorize’.
Creating the integration in Entitle
All that is left to do is to create an integration in the Entitle application.
- Log into Entitle and navigate to the ‘Integrations’ page.
- After clicking the ‘Add Integration’ button, type ‘Google Kubernetes Engine’ in the Application field.
- Don’t forget to set ‘Save on’ correctly, to your agent or to Entitle’s cloud.

- Under the "service_account_key" field, paste the downloaded key JSON of your service account.
- Under "credential_subject", enter an email of an admin in your organization who has permission to view all users in your organization.
{
"service_account_key": {
// A dictionary from the downloaded JSON file
},
"credential_subject": "an email of an admin in your organization which has permission to view all users"
}
- Click ‘Save’. You are done! 🎉
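A pre-flight check for the values used in Stage 2 and in the integration form, as an added example that is not part of Entitle's tooling: it validates the downloaded key JSON, extracts the 21-digit client_id for the delegation page, and assembles the configuration shown above. The function names, the sample key and the admin address are constructed for illustration.

```python
import json
import re

# Scopes listed in Stage 2 of this guide.
DELEGATION_SCOPES = [
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
]
# Fields checked here; all are standard in a Google service account key file.
REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email", "client_id")

def load_service_account_key(key_text):
    """Parse the key JSON and reject files that cannot be a service account key."""
    key = json.loads(key_text)
    missing = [f for f in REQUIRED_KEY_FIELDS if not key.get(f)]
    if missing:
        raise ValueError("key file is missing fields: " + ", ".join(missing))
    if key["type"] != "service_account":
        raise ValueError("expected type 'service_account', got %r" % key["type"])
    if not re.fullmatch(r"\d{21}", str(key["client_id"])):
        raise ValueError("client_id is not the 21-digit number Stage 2 expects")
    return key

def delegation_entry(key):
    """Values to enter in the 'Client ID' and 'OAuth scopes' fields."""
    return {"client_id": key["client_id"], "oauth_scopes": ", ".join(DELEGATION_SCOPES)}

def build_integration_config(key_text, credential_subject):
    """Assemble the JSON pasted into the Entitle integration form."""
    key = load_service_account_key(key_text)
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", credential_subject):
        raise ValueError("credential_subject must be an admin's email address")
    return {"service_account_key": key, "credential_subject": credential_subject}

# Constructed sample key: placeholder values only, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "entitle-sa@example-project.iam.gserviceaccount.com",
    "client_id": "123456789012345678901",
})

if __name__ == "__main__":
    config = build_integration_config(SAMPLE_KEY, "admin@example.com")
    # Print only the non-secret delegation values, never the private key.
    print(delegation_entry(config["service_account_key"]))
```

The key file contains the service account's private key, so run the check on the file locally and avoid echoing the assembled configuration to logs or shared terminals.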