All clusters that have been added to your fleet appear in the Google Cloud console.
The Google Cloud console offers a central user interface for managing all your Kubernetes clusters and their resources, no matter where they are running. All your resources are shown in a single dashboard, which gives you visibility into your workloads across multiple Kubernetes clusters. You can find out more about working with Google Cloud clusters in the Google Cloud console in the GKE documentation.
For GKE clusters on Google Cloud, you see cluster details such as nodes and workloads, provided that you have the relevant permissions. The permissions are listed in the subsequent section, Required roles.
If your fleet includes clusters outside Google Cloud, you need to log in to these clusters and view their details in the Google Cloud console. For details, see the following section Log in to clusters.
Required roles
If you are not a project owner, you must have the following Identity and Access Management roles at minimum to view clusters in the Google Cloud console:
- This role lets users view the GKE Clusters page and other container resources in the Google Cloud console. For details about the permissions included in this role, or to grant a role with read/write permissions, see Kubernetes Engine roles in the IAM documentation.
- roles/gkehub.viewer. This role lets users view clusters outside Google Cloud in the Google Cloud console. For details about the permissions included in this role, or to grant a role with read/write permissions, see GKE Hub roles in the IAM documentation.
- roles/gkeonprem.viewer. For Google Distributed Cloud users, this role is required in addition to roles/gkehub.viewer to view on-premises clusters on bare metal or VMware in the Google Cloud console. For details about the permissions included in this role, or to grant a role with read/write permissions, see GKE on-prem roles in the IAM documentation.
View registered clusters
After you register a cluster to your project fleet, it appears in the Google Cloud console in the GKE Clusters list. However, to see more details such as nodes and workloads for any cluster outside Google Cloud, you need to log in and authenticate to the cluster. Clusters that require login show an orange warning triangle and prompt you to log in. The following example shows the GKE Clusters page with two clusters outside Google Cloud that require login.
After you log in to the cluster, you can select the cluster and view cluster details. These are the same details that you can see for a GKE on Google Cloud cluster.
Log in to clusters
If your fleet includes clusters outside Google Cloud, your platform administrator needs to set up authentication so that you can log in to these clusters and view their details in the Google Cloud console.
You need to know which authentication method your platform administrator has set up so that you can log in to the Google Cloud console. Ask your platform administrator which of the following authentication methods have been configured:
- Google identity
- Third-party identity:
- Bearer token
Then, follow the instructions in the following sections to log in to your clusters using the relevant authentication method.
Log in using your Google Cloud identity
If your cluster is configured to use your Google Cloud identity, follow these steps to log in:
1. Open the GKE Clusters page in the Google Cloud console.
2. Select the checkbox for the one or more clusters that you want to log in to. If you are selecting multiple clusters:
   - To select all of the clusters displayed on the page, select the checkbox in the table header row.
   - To select all of the clusters in the project that are not logged in, select the Log in option that accompanies the warning that you're not logged in to a certain number of clusters.
3. In the menu bar, click Log in.
4. Select Use your Google identity to log in.
5. Click Log in.
Log in using OpenID Connect (OIDC)
Note that while GKE Identity Service also supports LDAP identity providers, logging in using the Google Cloud console is supported for OIDC providers only.
If Microsoft Entra ID (Azure AD) is configured as an OIDC identity provider for your cluster using the azuread anchor in the ClientConfig, follow the instructions in Log in using Microsoft Entra ID (Azure AD) instead.
If your cluster is configured to use an OIDC identity provider with GKE Identity Service, follow these steps to log in:
1. Open the GKE Clusters page in the Google Cloud console.
2. Select the checkbox for the one or more clusters that you want to log in to. If you are selecting multiple clusters:
   - To select all of the clusters displayed on the page, select the checkbox in the table header row.
   - To select all of the clusters in the project that are not logged in, select the Log in option that accompanies the warning that you're not logged in to a certain number of clusters.
3. In the menu bar, click Log in.
4. Select Authenticate with identity provider configured for the cluster. You are redirected to your identity provider, where you might need to log in or consent to the Google Cloud console accessing your account.
5. Click Log in.
Log in using Microsoft Entra ID (Azure AD)
If your cluster is configured to use Microsoft Entra ID (Azure AD) with GKE Identity Service using the azuread anchor (also referred to as Azure AD advanced configuration), follow these steps to log in:
1. Open the GKE Clusters page in the Google Cloud console.
2. Select the checkbox for the one or more clusters that you want to log in to. If you are selecting multiple clusters:
   - To select all of the clusters displayed on the page, select the checkbox in the table header row.
   - To select all of the clusters in the project that are not logged in, select the Log in option that accompanies the warning that you're not logged in to a certain number of clusters.
3. In the menu bar, click Log in.
4. Select Authenticate with Microsoft Entra ID (formerly Azure AD). You are redirected to your identity provider, where you might need to log in or consent to the Google Cloud console accessing your account.
5. Click Log in.
Log in using a third-party identity and the Connect gateway
If your cluster is configured to use third-party identity with the Connect gateway, you can log in to the cluster with your third-party identity in the Google Cloud workforce identity federation console, also known as the console (federated). Logging in from the regular Google Cloud console is not supported.
Follow these steps to log in:
1. Go to the Google Cloud workforce identity federation console, enter your provider ID, and sign in using your identity provider. Your platform administrator should provide you with all the details you need to sign in. To learn more about how this is set up, see Set up user access to the console (federated).
2. Open the GKE Clusters page in the Google Cloud console.
3. Select the checkbox for the one or more clusters that you want to log in to. If you are selecting multiple clusters:
   - To select all of the clusters displayed on the page, select the checkbox in the table header row.
   - To select all of the clusters in the project that are not logged in, select the Log in option that accompanies the warning that you're not logged in to a certain number of clusters.
4. In the menu bar, click Log in.
5. Select Use your third-party identity provider to log in.
6. Click Log in.
Log in using a bearer token
If your cluster is configured to use a Kubernetes service account's bearer token, follow these steps:
1. Open the GKE Clusters page in the Google Cloud console.
2. Select the checkbox for the one or more clusters that you want to log in to. If you are selecting multiple clusters:
   - To select all of the clusters displayed on the page, select the checkbox in the table header row.
   - To select all of the clusters in the project that are not logged in, select the Log in option that accompanies the warning that you're not logged in to a certain number of clusters.
3. In the menu bar, click Log in.
4. Select Token, and then fill in the Token field with the KSA's bearer token.
5. Click Log in.
Accesses via the Google Cloud console are audit logged on the cluster's API server.
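Because these accesses land in the API server audit log, a reviewer can group them by identity and see which ones trace back to a person and which only to a shared service account token. The following is an added example, not part of the original documentation: it runs over constructed audit events in the standard audit.k8s.io/v1 JSON-lines shape, and the `console-reader` service account, the impersonating agent and the user name are assumptions made for illustration.

```python
import json

# Constructed sample audit events (audit.k8s.io/v1 JSON lines); all names are made up.
SAMPLE = """\
{"stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/nodes","user":{"username":"system:serviceaccount:default:console-reader"},"responseStatus":{"code":200}}
{"stage":"RequestReceived","verb":"list","requestURI":"/api/v1/pods","user":{"username":"system:serviceaccount:default:console-reader"}}
{"stage":"ResponseComplete","verb":"list","requestURI":"/api/v1/pods","user":{"username":"system:serviceaccount:default:console-reader"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"get","requestURI":"/apis/apps/v1/namespaces/shop/deployments/web","user":{"username":"system:serviceaccount:example-ns:example-agent"},"impersonatedUser":{"username":"alice@example.com"},"responseStatus":{"code":200}}
{"stage":"ResponseComplete","verb":"delete","requestURI":"/api/v1/namespaces/shop/pods/web-1","user":{"username":"system:serviceaccount:default:console-reader"},"responseStatus":{"code":403}}
not-json garbage line
"""

READ_VERBS = {"get", "list", "watch"}
SA_PREFIX = "system:serviceaccount:"

def summarize(log_text):
    """Group completed requests by the identity the API server authorized."""
    summary = {}
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if not isinstance(event, dict) or event.get("stage") != "ResponseComplete":
            continue  # count each request once, at its final stage
        # With impersonation, impersonatedUser is the identity RBAC evaluated.
        actor = event.get("impersonatedUser") or event.get("user") or {}
        who = actor.get("username", "unknown")
        entry = summary.setdefault(who, {"requests": 0, "denied": 0, "non_read": [],
                                         "service_account": who.startswith(SA_PREFIX)})
        entry["requests"] += 1
        if (event.get("responseStatus") or {}).get("code") == 403:
            entry["denied"] += 1
        if event.get("verb") not in READ_VERBS:
            entry["non_read"].append((event.get("verb"), event.get("requestURI")))
    return summary

def review_findings(summary):
    """Return (identity, reason) pairs that a reviewer should look at."""
    findings = []
    for who, entry in sorted(summary.items()):
        if entry["service_account"]:
            findings.append((who, "service account identity: attributed to the KSA, not a person"))
        if entry["non_read"]:
            findings.append((who, "non-read verbs attempted: %s" % entry["non_read"]))
    return findings

if __name__ == "__main__":
    print(*review_findings(summarize(SAMPLE)), sep="\n")
```

Requests made with a service account token are logged under the `system:serviceaccount:<namespace>:<name>` username, so everyone who logs in with the same token appears as one identity in the audit trail.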
What's next
Learn more about:
- Working with clusters in the Google Cloud console in the GKE documentation
- Viewing cluster status and resource utilization in the Google Cloud console with the GKE Enterprise overview
- Setting up authentication to fleet clusters in Secure your fleet
- Connecting to fleet clusters from the command line: