When you fill in the
gkeConnect section
in your admin cluster configuration file, the cluster is registered to your
fleet during creation or update. To enable
fleet management functionality, Google Cloud deploys the
Connect agent and creates a Google
service account that represents the project that the cluster is registered to.
The Connect agent establishes a connection with the service account to handle
requests to the cluster's Kubernetes API server. This enables access to
cluster and workload management features in Google Cloud, including access
to the Google Cloud console, which lets you interact with
your cluster.
The admin cluster's Kubernetes API server needs to be able to authorize
requests from the Connect agent. To ensure this, the following
role-based access control (RBAC) policies
are configured on the service account:
An impersonation policy
that authorizes the Connect agent to send requests to the Kubernetes API
server on behalf of the service account.
A permissions policy that specifies the operations that are allowed on
other Kubernetes resources.
The service account and RBAC policies are needed so that you can manage the
lifecycle of your user clusters in the Google Cloud console.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-06 UTC."],[[["Registering a cluster via the `gkeConnect` section in the admin cluster configuration file adds it to your fleet."],["Google Cloud deploys a Connect agent and creates a service account to enable fleet management."],["The Connect agent uses the service account to make requests to the cluster's Kubernetes API server, facilitating cluster and workload management features."],["Specific role-based access control (RBAC) policies, including an impersonation policy and a permissions policy, are configured to authorize the Connect agent."],["These steps enable user cluster lifecycle management through the Google Cloud console."]]],[]]
