# Admin cluster RBAC policies

When you fill in the [`gkeConnect` section](/anthos/clusters/docs/on-prem/1.11/how-to/admin-cluster-configuration-file#gkeconnect-section) in your admin cluster configuration file, the cluster is registered to your [fleet](/anthos/fleet-management/docs) during creation or update. To enable fleet management functionality, Google Cloud deploys the [Connect agent](/anthos/clusters/docs/on-prem/1.11/reference/anthos/fleet-management/docs/connect-agent) and creates a Google service account that represents the project that the cluster is registered to. The Connect agent establishes a connection with the service account to handle requests to the cluster's Kubernetes API server. This enables access to cluster and workload management features in Google Cloud, including access to the [Google Cloud console](/cloud-console), which lets you interact with your cluster.

The admin cluster's Kubernetes API server needs to be able to authorize requests from the Connect agent. To ensure this, the following [role-based access control (RBAC) policies](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) are configured on the service account:

- An [**impersonation policy**](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation) that authorizes the Connect agent to send requests to the Kubernetes API server on behalf of the service account.

- A **permissions policy** that specifies the operations that are allowed on other Kubernetes resources.

The service account and RBAC policies are needed so that you can manage the lifecycle of your user clusters in the Google Cloud console.
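The two policies described above are ordinary Kubernetes RBAC objects, and it helps to see how they fit together: the impersonation policy is bound to the Connect agent's own Kubernetes identity and lets it act as exactly one user, while the permissions policy is bound to that impersonated user and decides what the request may then do. The manifests below are an added illustration, not the objects GKE on-prem installs or this page's own code; the role and binding names, the `gke-connect` namespace, the `connect-agent` Kubernetes service account, the service account email `connect-sa@PROJECT_ID.iam.gserviceaccount.com`, and the particular verbs and resources in the permissions policy are all placeholders chosen for the example, since the page does not state the real ones.

```yaml
# Added example (not the manifests Google Cloud deploys). All names,
# the namespace and the service account email below are assumptions.
---
# Impersonation policy: the Connect agent may act only as this one identity.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: connect-agent-impersonate            # assumed name
rules:
- apiGroups: [""]
  resources: ["users"]
  # resourceNames pins the grant to a single user. Without it, "impersonate"
  # on "users" would let the agent act as any user, including cluster admins.
  resourceNames: ["connect-sa@PROJECT_ID.iam.gserviceaccount.com"]  # placeholder
  verbs: ["impersonate"]
---
# Bind the impersonation role to the agent's own Kubernetes service account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: connect-agent-impersonate            # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: connect-agent-impersonate
subjects:
- kind: ServiceAccount
  name: connect-agent                        # assumed agent service account
  namespace: gke-connect                     # assumed namespace
---
# Permissions policy: what the impersonated identity may do. The verbs and
# resources here are illustrative; the real set is not given on the page.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: connect-agent-permissions            # assumed name
rules:
- apiGroups: [""]
  resources: ["namespaces", "pods", "services"]
  verbs: ["get", "list", "watch"]
---
# Bind the permissions role to the impersonated user, not to the agent.
# The API server sees each forwarded request as this user, so this binding
# is the one that is evaluated for the actual operation.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: connect-agent-permissions            # assumed name
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: connect-agent-permissions
subjects:
- kind: User
  name: connect-sa@PROJECT_ID.iam.gserviceaccount.com   # placeholder
```

Two points follow from this split. First, the effective privilege of the agent is the intersection of the two policies: it can only become the one user named in `resourceNames`, and that user can only do what the permissions policy grants. Second, when reviewing such policies on a cluster, the thing to check is that no `impersonate` rule is left without `resourceNames`; `kubectl auth can-i impersonate users --as=system:serviceaccount:gke-connect:connect-agent` (with the placeholder identity substituted) answers whether the agent's grant is scoped, and `kubectl auth can-i list pods --as=connect-sa@PROJECT_ID.iam.gserviceaccount.com` checks what the impersonated user is allowed to do.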
What's next
-----------

- [Create user clusters in the Google Cloud console](/anthos/clusters/docs/on-prem/1.11/how-to/create-user-cluster-api)

Last updated 2025-08-25 UTC.