Enable and configure OS Login in GKE

This page explains how to enable OS Login and configure an organization policy to enforce OS Login for GKE Standard mode clusters and nodes. You can use OS Login to manage SSH access to your instances using IAM without having to create and manage individual SSH keys.

OS Login isn't available for GKE Autopilot mode clusters because GKE manages the nodes.

This page is for Security specialists who want to add OS Login policies on GKE Standard clusters to ensure that all VM instances have OS Login by default. To learn more about common roles and example tasks that we reference in Google Cloud content, see Common GKE user roles and tasks.

Before reading this page, ensure that you're familiar with the general overview of OS Login.

Overview

You can set up an OS Login constraint in your organization to ensure that all new projects, and the VM instances created in these new projects, have OS Login enabled. OS Login has become a Google Cloud security best practice, and we recommend that you enforce its use through an organization policy.

The following instructions detail how to enable OS Login using an organization policy in GKE.

Before you begin

Before you start, make sure that you have performed the following tasks:

  • Enable the Google Kubernetes Engine API.
  • If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running the gcloud components update command. Earlier gcloud CLI versions might not support running the commands in this document.

    Note: For existing gcloud CLI installations, make sure to set the compute/region property. If you use primarily zonal clusters, set the compute/zone property instead. By setting a default location, you can avoid errors in the gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location. You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.

Update existing projects to use OS Login

Before setting the organization policy, migrate any existing clusters to use OS Login.

Set the OS Login organization policy

To set the OS Login constraint at the organization level, perform the following:

  1. Find your organization ID by running the following command:

    gcloud organizations list
  2. Set the OS Login organization policy. Replace ORGANIZATION_ID with your organization ID.

    gcloud resource-manager org-policies enable-enforce \
        compute.requireOsLogin \
        --organization=ORGANIZATION_ID
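The two steps above as a small POSIX shell script, followed by a read-back check that the constraint is actually enforced. This is an added example, not code from the Google Cloud page: ORGANIZATION_ID is a placeholder, the script defaults to a dry run that only prints the gcloud commands, and the `describe` output it parses is a constructed sample whose `booleanPolicy: enforced: true` layout is an assumption about what the CLI prints.

```shell
#!/bin/sh
# Added example (not from the Google Cloud page). Wraps the page's two gcloud
# commands and adds a verification step that reads the policy back.
# ORGANIZATION_ID is a placeholder; replace it with the ID that
# `gcloud organizations list` prints for your organization.
ORGANIZATION_ID="${ORGANIZATION_ID:-000000000000}"   # placeholder value
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the gcloud commands instead of running them

# Runs a gcloud command, or prints it in dry-run mode.
run_gcloud() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY RUN: gcloud %s\n' "$*"
  else
    gcloud "$@"
  fi
}

# Step 1 from the page: list organizations to find the organization ID.
list_organizations() {
  run_gcloud organizations list
}

# Step 2 from the page: enforce the compute.requireOsLogin constraint.
enforce_oslogin_policy() {
  run_gcloud resource-manager org-policies enable-enforce \
    compute.requireOsLogin \
    --organization="$ORGANIZATION_ID"
}

# Verification: read the policy back. The `describe` subcommand exists; the
# YAML it prints is assumed here to contain a `booleanPolicy` block with
# `enforced: true` once enforcement is on.
describe_oslogin_policy() {
  run_gcloud resource-manager org-policies describe \
    compute.requireOsLogin \
    --organization="$ORGANIZATION_ID"
}

# Classifies `describe` output read from stdin: prints "enforced" when a line
# reads `enforced: true`, otherwise "not-enforced".
oslogin_status() {
  if grep -Eq '^[[:space:]]*enforced:[[:space:]]*true[[:space:]]*$'; then
    echo enforced
  else
    echo not-enforced
  fi
}

# Constructed sample of what `describe` is assumed to print after step 2.
SAMPLE_ENFORCED='booleanPolicy:
  enforced: true
constraint: constraints/compute.requireOsLogin'

# Constructed sample for an organization where the constraint is not set.
SAMPLE_UNSET='constraint: constraints/compute.requireOsLogin'

main() {
  list_organizations
  enforce_oslogin_policy
  describe_oslogin_policy
  printf 'sample policy status: %s\n' \
    "$(printf '%s\n' "$SAMPLE_ENFORCED" | oslogin_status)"
}
main
```

Run it with `DRY_RUN=0 ORGANIZATION_ID=<your id> sh enforce-oslogin.sh` once you have verified the printed commands; piping the real `describe` output into `oslogin_status` gives you a one-line check to put in an audit job so that drift from the policy is noticed.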

After the organization policy is set, the following conditions are applied:

  • enable-oslogin is set to true in the project metadata for all new projects.
  • Update requests to set enable-oslogin to false in instance or project metadata are rejected.

Manage node access

Once you have enabled the OS Login organization policy, you no longer need to manage SSH keys to make authorization decisions. OS Login moves authorization management to Identity and Access Management. To manage SSH access to nodes, use OS Login. For more details, see Setting up OS Login.

What's next


Last updated 2025-12-15 UTC.