Configure Google Cloud Identity-Aware Proxy (IAP) as an Identity Provider

Use Google Cloud IAP for identity management with StackRox.

3 minute read

Follow the instructions here to use Google Cloud Identity-Aware Proxy as a Single sign-on (SSO) provider for the StackRox Kubernetes Security Platform.

Prerequisites

Before you begin, you must:

  • be using the StackRox Kubernetes Security Platform version 3.0.44 or newer.
  • be using Google Kubernetes Engine (GKE).
  • have appropriate permissions to configure identity providers in the StackRox Kubernetes Security Platform.

Set up OAuth credentials

For the Google Cloud project where you’ve deployed Central, set up OAuth credentials by following the instructions at Configuring the OAuth consent screen.

On the Credentials page, verify the project name listed in the upper left corner (near the logo) to make sure that you’re using the project where you’ve deployed StackRox Central.

Configure BackendConfig

To configure IAP for an exposed GKE app, you must first create a BackendConfig and use it with a GKE Ingress.

To create a BackendConfig for IAP:

  1. Create a Kubernetes secret
  2. Add an IAP block to BackendConfig

Create a Kubernetes secret

To create a Secret, run the following command where client_id_key and client_secret_key are the keys from the JSON file you downloaded when you created OAuth credentials:

Copy
kubectl create secret generic stackrox-iap-secret -n stackrox --from-literal=client_id=<client_id_key> --from-literal=client_secret=<client_secret_key>

Add an IAP block to BackendConfig

To configure the BackendConfig for IAP, you need to specify the enabled and secretName values.

Copy
kubectl create -f - <<EOF
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: central-iap-backend
  namespace: stackrox
spec:
  iap:
    enabled: true
    oauthclientCredentials:
      secretName: stackrox-iap-secret
EOF

Configure NodePort service

If you have already exposed Central by using a NodePort when you deployed the StackRox Kubernetes Security Platform, you can skip this section and follow the Create an Ingress object section.

Make sure that your NodePort has the required annotations shown below, and that port 443 is assigned a name that matches those annotations.

If you aren’t exposing Central using NodePort, run the following command to create an additional service and expose it:

Copy
kubectl create -f - <<EOF
apiVersion: v1
kind: Service
metadata:
  name: central-iap-nodeport
  namespace: stackrox
  annotations:
    service.alpha.kubernetes.io/app-protocols: '{"api":"HTTPS"}'
    cloud.google.com/app-protocols: '{"api":"HTTPS"}'
    beta.cloud.google.com/backend-config: '{"default":"central-iap-backend"}'
spec:
  selector:
    app: central
  ports:
  - port: 443
    protocol: TCP
    targetPort: 8443
    name: api
  type: NodePort
EOF

This command creates a new NodePort service and assigns the name api to the port number 443, and references the BackendConfig and port name with annotations.

For more details, see Configuring Ingress for external load balancing.

Create an Ingress object

  1. Create an ingress object that specifies your NodePort service and SSL certificates.

    There are three ways to provide SSL certificates in your Ingress specification:

    1. Self-managed certificates as Secret resources: You can provision your own SSL certificate and create a Secret to hold it. You can then refer to the Secret in an Ingress specification. Refer to the instructions for using certificates in Secrets for more information. Sample specification:

      Copy
      apiVersion: networking.k8s.io/v1beta1
      kind: Ingress
      spec:
        tls:
        - secretName: my-tls-secret
      ...
    2. Self-managed certificates shared with Google Cloud: You can provision your own SSL certificate and create a certificate resource in your Google Cloud project. You can then list the certificate resource in an annotation on an Ingress object that uses the certificate. Refer to instructions for pre-shared certificates for more information. Sample specification:

      Copy
      apiVersion: networking.k8s.io/v1beta1
      kind: Ingress
      metadata:
       annotations:
          ingress.gcp.kubernetes.io/pre-shared-cert: "my-gcp-cert"
      ...
    3. Google-managed certificates: Google-managed SSL certificates are provisioned, deployed, renewed, and managed for your domains. Managed certificates don’t support wildcard domains. For more information, see Using Google-managed SSL certificates. Sample specifications:

      1. Create a ManagedCertificate resource in your GKE cluster.

        Copy
        apiVersion: networking.gke.io/v1beta2
        kind: ManagedCertificate
        metadata:
          name: my-ingress-cert
        spec:
          domains:
            - mydomain.example.com
        ...
      2. Reference it in the Ingress object:

        Copy
        apiVersion: networking.k8s.io/v1beta1
        kind: Ingress
        metadata:
          annotations:
            networking.gke.io/managed-certificates: my-ingress-cert
        ...
  2. Register a domain name or assign an static IP to your Ingress object.

Set up IAP access

Follow the instructions at Setting up IAP access.

Get the Audience claim string

Get the Audience details from Google Cloud Console:

  1. Go to the Identity-Aware Proxy settings for your project.
  2. Select More (near the Load Balancer resource), and then select Signed Header JWT Audience.
  3. From the Signed Header JWT dialog that appears, copy the Audience claim for the resource. You’ll need this when you configure the StackRox Kubernetes Security Platform.

Configure StackRox

  1. On the StackRox portal, navigate to Platform Configuration > Access Control.
  2. Open the Auth Provider menu, select Add auth provider and select Google IAP.
  3. Fill out the details for:
    • Integration name: A user-friendly name to identify this authentication provider. For example, Google IAP. The integration name is shown on the login page to help users select the right sign-in option.
    • Audience: Enter the Audience claim string.
  4. Choose a Minimum access role for users accessing StackRox using this Identity Provider. Leave the Minimum access role set to Admin while you complete setup. Later, you can return to the Access Control page to set up more tailored access rules based on user metadata from the Identity Provider.
  5. Select Save.

Questions?

We're happy to help! Reach out to us to discuss questions, issues, or feature requests.

© 2021 StackRox Inc. All rights reserved.