This document describes how to deploy your applications to
GKE Enterprise clusters. Support for
GKE Enterprise targets enables deployment to AWS, Azure, and on-premises
clusters.
Cloud Deploy lets you deploy your container-based workloads to any
GKE Enterprise user cluster that you can access using
Connect gateway.
Before you begin
Have a GKE Enterprise user cluster that you will deploy to.
This cluster can be one which you created as a GKE Enterprise user
cluster, or you can
register an existing Kubernetes cluster.
Clusters which you create for GKE Enterprise automatically receive
memberships. For existing clusters which you
register to a fleet, you
designate a membership name when registering. You will need this membership
name for the target configuration.
If you're using Google Cloud CLI version 407.0.0 or newer, you need to
include the --install-connect-agent flag on the
gcloud container fleet memberships register command,
when you register a Google Kubernetes Engine cluster. The Connect agent is no longer
installed by default.
Set up Connect gateway to
connect the registered cluster or clusters to Google Cloud.
Be sure to set up the gateway using the same service account that will be used
as the Cloud Deploy execution service account. If you don't, then the execution service
account won't have the necessary permissions to deploy to the
GKE Enterprise cluster.
Note: Enable Workload Identity on the GKE clusters in order to set up Connect gateway.
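Set up your Cloud Deploy to deploy to GKE Enterprise
1. Create your target configuration.
   The target can be configured in your delivery pipeline YAML, or can be in a
   separate file. Also, you can configure more than one target in the same file,
   but they must be in different kind: Target stanzas.
2. Grant the execution service account the roles that it needs
   so that it can interact with connected clusters through the gateway.
   This grant is necessary whether you're using the default Cloud Deploy
   service account or a custom service account.
3. Set up RBAC for the execution service account on the Kubernetes cluster
   that underlies the Anthos cluster.
4. Optional: if the underlying cluster is not a GKE
   cluster, you might need to configure an imagePullSecret
   to allow your cluster to pull from Artifact Registry.
5. In the target definition, create an anthosCluster stanza to point to the
   GKE Enterprise cluster:
   The syntax for specifying a GKE Enterprise cluster is as follows: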
       anthosCluster:
         membership: projects/[project_name]/locations/global/memberships/[membership_name]

   This GKE Enterprise resource identifier uses the following elements:
   - [project_name] is the name of the Google Cloud project in which
     you're running this cluster.
     The cluster you're deploying to, including GKE Enterprise
     clusters, does not need to be in the same project as your delivery
     pipeline.
   - [membership_name] is the name that you chose when
     registering the cluster to a fleet.
   For location, all GKE Enterprise cluster memberships are global,
   so you don't need to change /locations/global/ in this resource identifier.

The following is an example target configuration, pointing to a GKE Enterprise
user cluster:

    apiVersion: deploy.cloud.google.com/v1
    kind: Target
    metadata:
      name: qsdev
    description: development cluster
    anthosCluster:
      membership: projects/my-app/locations/global/memberships/my-app-dev-cluster

What's next
- Learn more about configuring Cloud Deploy targets.
- Learn about Cloud Deploy execution environments.
- Learn more about GKE Enterprise.
- Learn more about Connect gateway.
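Because a target's cluster does not have to be in the same project as the delivery pipeline, a pre-merge check on the membership identifier helps catch typos and unreviewed cross-project targets. The following is an added example, not part of the original page or of Cloud Deploy; the function names, the project allow-list policy, and the second sample target are assumptions, and the scan handles only the YAML layout shown above.

```python
import re
# Added example: names and the allow-list policy are assumptions, not Cloud Deploy features.
# Shape from the page: projects/[project_name]/locations/global/memberships/[membership_name]
MEMBERSHIP_RE = re.compile(
    r"^projects/(?P<project>[^/\s]+)/locations/(?P<location>[^/\s]+)"
    r"/memberships/(?P<membership>[^/\s]+)$")

def iter_targets(text):
    """Yield (target name, membership) for each `kind: Target` document (line scan, not a YAML parser)."""
    for doc in re.split(r"(?m)^---[ \t]*$", text):
        if not re.search(r"(?m)^kind:[ \t]*Target[ \t]*$", doc):
            continue
        name = re.search(r"(?m)^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*(\S+)", doc)
        stanza = re.search(r"(?m)^anthosCluster:[ \t]*\n[ \t]+membership:[ \t]*(\S+)", doc)
        if stanza:
            yield (name.group(1) if name else "<unnamed>", stanza.group(1).strip("'\""))

def check_targets(text, allowed_projects):
    """Return (target, problem) pairs; an empty list means every target passed."""
    findings = []
    for name, membership in iter_targets(text):
        m = MEMBERSHIP_RE.match(membership)
        if not m:
            findings.append((name, "malformed membership: " + membership))
        elif m["location"] != "global":
            findings.append((name, "location must be global, got " + m["location"]))
        elif m["project"] not in allowed_projects:
            findings.append((name, "project not on allow-list: " + m["project"]))
    return findings

# Constructed sample: the page's example target plus a hypothetical second target.
SAMPLE = """\
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: qsdev
description: development cluster
anthosCluster:
  membership: projects/my-app/locations/global/memberships/my-app-dev-cluster
---
apiVersion: deploy.cloud.google.com/v1
kind: Target
metadata:
  name: qsprod
anthosCluster:
  membership: projects/my-app/locations/us-central1/memberships/prod
"""
if __name__ == "__main__":
    print(check_targets(SAMPLE, {"my-app"}))
```

Run it in CI against the file that holds your `kind: Target` stanzas, passing the set of projects whose fleets are approved deployment destinations.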