Tags: google-cloud-platform, google-kubernetes-engine, google-cloud-run

Service authentication in GKE similar to Cloud Run


Is there a GKE service invocation authentication similar to OIDC tokens in Cloud Run? If not, how would one implement a similar functionality with GKE such that only authorized service accounts can invoke a service?


Solution

  • Hmm, you have to implement GFE and IAM service by yourselves!!

    In fact, you need a custom ingress controller that

    • Checks the presence of an authorization header
    • Validates the authorization token
    • Extracts the principal from the token (the email)
    • Checks against an "authorization" database whether that email is allowed or not

    So, you also need a service to administrate the authorization database (list, add, remove emails), and maybe add more granular permissions.
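The four checks listed in the answer, written out as a Go HTTP filter of the kind a custom ingress controller on GKE would run in front of a backend. This is an added example and is not code from the answer's author or from any GKE/Cloud Run component. It assumes a single static RSA public key for the token issuer (a real controller would fetch the issuer's JWKS over HTTPS and select the key by the token's `kid`), the constructed issuer and audience values shown, an in-memory allow list standing in for the "authorization" database, and a hypothetical `X-Authenticated-Email` header for handing the principal to the backend. `MintToken` exists only so the example can produce constructed tokens offline; in production the caller obtains an ID token from the platform's metadata server or IAM, never from the ingress itself.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"net/http"
	"strings"
	"time"
)

type Claims struct {
	Iss           string `json:"iss"`
	Aud           string `json:"aud"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`
	Exp           int64  `json:"exp"`
}

// Verifier holds one trusted RSA key plus the expected issuer and audience. Assumption:
// a single static key; a real controller fetches the issuer's JWKS and picks the key by "kid".
type Verifier struct {
	Key      *rsa.PublicKey
	Iss, Aud string
}

// ValidateToken checks an RS256 JWT's algorithm, signature, issuer, audience and expiry, then returns the verified email as the principal.
func (v *Verifier) ValidateToken(tok string) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return "", errors.New("unsupported or malformed header") // rejects alg=none and HMAC downgrade
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(v.Key, crypto.SHA256, digest[:], sig) != nil {
		return "", errors.New("bad signature")
	}
	var c Claims
	cb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil || json.Unmarshal(cb, &c) != nil {
		return "", errors.New("malformed claims")
	}
	if c.Iss != v.Iss || c.Aud != v.Aud || time.Now().Unix() >= c.Exp {
		return "", errors.New("issuer, audience or expiry check failed")
	}
	if !c.EmailVerified || c.Email == "" {
		return "", errors.New("no verified email claim")
	}
	return c.Email, nil
}

// Authorize runs the answer's four steps (header present, token valid, principal extracted, principal on the allow list) and returns the status the ingress should send.
func (v *Verifier) Authorize(authHeader string, allowed map[string]bool) (string, int, error) {
	if !strings.HasPrefix(authHeader, "Bearer ") {
		return "", http.StatusUnauthorized, errors.New("missing bearer token")
	}
	email, err := v.ValidateToken(strings.TrimPrefix(authHeader, "Bearer "))
	if err != nil {
		return "", http.StatusUnauthorized, err
	}
	if !allowed[email] {
		return email, http.StatusForbidden, errors.New("principal not allowed")
	}
	return email, http.StatusOK, nil
}

// Middleware fronts a backend handler with Authorize, as an ingress filter would.
func (v *Verifier) Middleware(allowed map[string]bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		email, code, err := v.Authorize(r.Header.Get("Authorization"), allowed)
		if err != nil {
			http.Error(w, err.Error(), code)
			return
		}
		r.Header.Set("X-Authenticated-Email", email) // hypothetical header handed to the backend
		next.ServeHTTP(w, r)
	})
}

// MintToken signs claims with the given key; it stands in for the real token issuer so the example runs offline (constructed test input only).
func MintToken(priv *rsa.PrivateKey, c Claims) string {
	enc := base64.RawURLEncoding
	hb, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	cb, _ := json.Marshal(c)
	signing := enc.EncodeToString(hb) + "." + enc.EncodeToString(cb)
	d := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return signing + "." + enc.EncodeToString(sig)
}
```

Two design points matter more than the rest: the algorithm is pinned to RS256 before the signature is checked, so a token that claims `alg: none` or an HMAC algorithm is rejected outright, and the audience is compared against the specific service URL, so a token minted for one backend cannot be replayed against another. A missing or invalid token answers 401, while a valid token whose principal is not in the allow list answers 403, which lets the backend and the audit log tell the two cases apart.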