Prerequisites for your CNCF conformant attached cluster
Stay organized with collections
Save and categorize content based on your preferences.
To operate as a GKE attached cluster, your cluster needs to have
the following characteristics.
Generic cluster requirements
Ensure that the kubectl command-line tool is installed on your local machine
and configured to access your cluster. This includes setting up the correct
user credentials in the kubeconfig file.
Ensure that there is network connectivity to your cluster.
Ensure the cluster Kubernetes version is at least 1.25. The Kubernetes
major.minor version should match the selected platform version.
Release notes for each platform version can be found at the
supported versions page.
Networking requirements
Because attached clusters rely on supporting Google Cloud services, you need to
modify your cluster's outbound firewall rules to allow it
access to the following domains. This is the only change you need to make to
your cluster to install and run GKE attached clusters.
Address
Purpose
.gcr.io
Pull images from the Artifact Registry.
gkeconnect.googleapis.com
Establish the channel used to receive requests from Google Cloud and
issue responses.
gkemulticloud.googleapis.com
Exchange Google or third-party credentials for a short-lived access token to Google Cloud resources. If your cluster was registered to the fleet using a
Google Cloud region, you need to allowlist
REGION-gkemulticloud.googleapis.com (for example,
us-central1-gkemulticloud.googleapis.com).
oauth2.googleapis.com
Authenticate through OAuth token exchange for account access.
securetoken.googleapis.com
Retrieve refresh tokens for workload identity authorization.
storage.googleapis.com
Manage object storage and buckets, such as Artifact Registry objects.
sts.googleapis.com
Exchange Google or third-party credentials for a short-lived access token to
Google Cloud resources.
www.googleapis.com
Authenticate service tokens from incoming Google Cloud service
requests.
Logging and monitoring
To use logging and monitoring features, your cluster also needs to
be able to access the following URLs:
Before attaching your cluster to the Google Cloud management service, you must
install the gcloud CLI, including the Google Cloud CLI command, and
grant access to your Google Cloud account to the Google Cloud management
service so it can manage your attached cluster resources.
Check your gcloud CLI installation with the following command:
gcloudversion
If the gcloud CLI isn't installed, or if its version is earlier than
version 412.0.0, install version 412.0.0 or higher by following the
gcloud CLI installation instructions.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Prerequisites for your CNCF conformant attached cluster\n\nTo operate as a GKE attached cluster, your cluster needs to have\nthe following characteristics.\n\n### Generic cluster requirements\n\n- Ensure that the `kubectl` command-line tool is installed on your local machine and configured to access your cluster. This includes setting up the correct user credentials in the `kubeconfig` file.\n- Ensure that there is network connectivity to your cluster.\n- Ensure the cluster Kubernetes version is at least 1.25. The Kubernetes major.minor version should match the selected platform version.\n- The selected platform version must be at least:\n\n 1.25.0-gke.8\n 1.26.0-gke.6\n 1.27.0-gke.3\n\n You can also list all supported versions using: \n\n gcloud container attached get-server-config \\\n --location=\u003cvar translate=\"no\"\u003eGOOGLE_CLOUD_REGION\u003c/var\u003e\n\n Release notes for each platform version can be found at the\n [supported versions](/kubernetes-engine/multi-cloud/docs/attached/generic/reference/supported-versions) page.\n\nNetworking requirements\n-----------------------\n\nBecause attached clusters rely on supporting Google Cloud services, you need to\nmodify your cluster's outbound firewall rules to allow it\naccess to the following domains. This is the only change you need to make to\nyour cluster to install and run GKE attached clusters.\n\n### Logging and monitoring\n\nTo use logging and monitoring features, your cluster also needs to\nbe able to access the following URLs: \n\n logging.googleapis.com\n monitoring.googleapis.com\n opsconfigmonitoring.googleapis.com\n kubernetesmetadata.googleapis.com\n\nGoogle Cloud requirements\n-------------------------\n\nBefore attaching your cluster to the Google Cloud management service, you must\ninstall the gcloud CLI, including the Google Cloud CLI command, and\ngrant access to your Google Cloud account to the Google Cloud management\nservice so it can manage your attached cluster resources.\n\n1. Check your gcloud CLI installation with the following command:\n\n gcloud version\n\n2. If the gcloud CLI isn't installed, or if its version is earlier than\n version 412.0.0, install version 412.0.0 or higher by following the\n [gcloud CLI installation instructions](/sdk/docs/install).\n\n3. Install the `kubectl`\n [additional component](/sdk/docs/components#additional_components).\n\n4. If you haven't already done so,\n [create your Google Cloud project](/resource-manager/docs/creating-managing-projects#creating_a_project).\n This will generate a Google Cloud project ID and a project number.\n\n5. Set your active Google Cloud project and authenticate your account with\n the following commands.\n\n export PROJECT_ID=\u003cyour project id\u003e\n gcloud auth login\n gcloud config set project $PROJECT_ID\n gcloud auth application-default login\n\n6. Enable the GKE attached clusters API and its required services with\n the following commands:\n\n gcloud services enable gkemulticloud.googleapis.com\n gcloud services enable gkeconnect.googleapis.com\n gcloud services enable connectgateway.googleapis.com\n gcloud services enable cloudresourcemanager.googleapis.com\n gcloud services enable anthos.googleapis.com\n gcloud services enable logging.googleapis.com\n gcloud services enable monitoring.googleapis.com\n gcloud services enable opsconfigmonitoring.googleapis.com\n gcloud services enable kubernetesmetadata.googleapis.com"]]
