To operate as a GKE attached cluster, your cluster needs to have the following characteristics.
Generic cluster requirements
- Ensure that the
kubectlcommand-line tool is installed on your local machine and configured to access your cluster. This includes setting up the correct user credentials in thekubeconfigfile. - Ensure that there is network connectivity to your cluster.
- Ensure the cluster Kubernetes version is at least 1.25. The Kubernetes major.minor version should match the selected platform version.
The selected platform version must be at least:
1.25.0-gke.8 1.26.0-gke.6 1.27.0-gke.3You can also list all supported versions using:
gcloud container attached get-server-config \ --location=GOOGLE_CLOUD_REGIONRelease notes for each platform version can be found at the supported versions page.
Networking requirements
Because attached clusters rely on supporting Google Cloud services, you need to modify your cluster's outbound firewall rules to allow it access to the following domains. This is the only change you need to make to your cluster to install and run GKE attached clusters.
| Address | Purpose |
|---|---|
.gcr.io |
Pull images from the Artifact Registry. |
gkeconnect.googleapis.com |
Establish the channel used to receive requests from Google Cloud and issue responses. |
gkemulticloud.googleapis.com |
Exchange Google or third-party credentials for a short-lived access token to Google Cloud resources. If your cluster was registered to the fleet using a
Google Cloud region, you need to allowlist
REGION-gkemulticloud.googleapis.com (for example,
us-central1-gkemulticloud.googleapis.com). |
oauth2.googleapis.com |
Authenticate through OAuth token exchange for account access. |
securetoken.googleapis.com |
Retrieve refresh tokens for workload identity authorization. |
storage.googleapis.com |
Manage object storage and buckets, such as Artifact Registry objects. |
sts.googleapis.com |
Exchange Google or third-party credentials for a short-lived access token to Google Cloud resources. |
www.googleapis.com |
Authenticate service tokens from incoming Google Cloud service requests. |
Logging and monitoring
To use logging and monitoring features, your cluster also needs to be able to access the following URLs:
logging.googleapis.com
monitoring.googleapis.com
opsconfigmonitoring.googleapis.com
kubernetesmetadata.googleapis.com
Google Cloud requirements
Before attaching your cluster to the Google Cloud management service, you must install the gcloud CLI, including the Google Cloud CLI command, and grant access to your Google Cloud account to the Google Cloud management service so it can manage your attached cluster resources.
Check your gcloud CLI installation with the following command:
gcloud versionIf the gcloud CLI isn't installed, or if its version is earlier than version 412.0.0, install version 412.0.0 or higher by following the gcloud CLI installation instructions.
Install the
kubectladditional component.If you haven't already done so, create your Google Cloud project. This will generate a Google Cloud project ID and a project number.
Set your active Google Cloud project and authenticate your account with the following commands.
export PROJECT_ID=<your project id> gcloud auth login gcloud config set project $PROJECT_ID gcloud auth application-default loginEnable the GKE attached clusters API and its required services with the following commands:
gcloud services enable gkemulticloud.googleapis.com gcloud services enable gkeconnect.googleapis.com gcloud services enable connectgateway.googleapis.com gcloud services enable cloudresourcemanager.googleapis.com gcloud services enable anthos.googleapis.com gcloud services enable logging.googleapis.com gcloud services enable monitoring.googleapis.com gcloud services enable opsconfigmonitoring.googleapis.com gcloud services enable kubernetesmetadata.googleapis.com