Attach third-party clusters to Google Cloud (previous generation)

GKE attached clusters lets you view your existing Kubernetes clusters in the Google Cloud console along with your GKE clusters, and enable several GKE Enterprise features on them, including centralized configuration control with Config Sync.

Supported Kubernetes clusters

You can attach any conformant Kubernetes cluster that includes x86 nodes to your fleet and view it in the Google Cloud console with your GKE clusters.

The following cluster types and versions have been validated by Google. For information on the GKE Enterprise features that are supported on attached clusters, see Anthos components and multi-cloud support.

Attached cluster types Kubernetes versions
Red Hat OpenShift Kubernetes Engine (OKE) 4.9, 4.10 1.23, 1.24
Red Hat OpenShift Container Platform (OCP) 4.9, 4.10 1.23, 1.24
Rancher Kubernetes Engine (RKE) 1.3.8 1.23, 1.24
KIND 0.12 1.23, 1.24
K3s 1.20 1.20
K3d 4.4.3 1.20

Before you start

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
  2. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Google Cloud project.

  4. Enable the Anthos API.

    Enable the API

  5. Install the Google Cloud CLI.
  6. To initialize the gcloud CLI, run the following command:

    gcloud init
  7. In the Google Cloud console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  8. Make sure that billing is enabled for your Google Cloud project.

  9. Enable the Anthos API.

    Enable the API

  10. Install the Google Cloud CLI.
  11. To initialize the gcloud CLI, run the following command:

    gcloud init
  12. Check the fleet registration prerequisites to ensure that you have the relevant permissions and enabled APIs to register a cluster.
  13. See the Before you begin guide for specific requirements for attaching clusters outside Google Cloud, including any special setup steps you may need for your cluster type.

Register attached clusters

You must register all clusters that you want to use with GKE Enterprise to your project's fleet. A fleet provides a way to logically group and normalize Kubernetes clusters, making administration of infrastructure easier. Clusters in the same fleet can be browsed and managed together in the Google Cloud console, and many GKE Enterprise and Google Cloud components use fleet concepts such as identity sameness and namespace sameness to simplify working with multiple clusters. You can find out much more about fleets and the functionality that they enable in our Fleet management guide.

You are entitled to enable and use GKE Enterprise features on these clusters, and you can manage some GKE Enterprise features at fleet level from the GKE features page. GKE Enterprise charges apply only to your registered clusters.

Set up identity

All attached clusters require an identity for the Connect Agent to use when authenticating to Google. If your cluster meets the requirements, you can register it with fleet Workload Identity enabled for authentication. Clusters with this feature enabled use identities from a fleet-wide fleet workload identity pool. You can find out more about how fleet Workload Identity works and the advantages of using it in Use fleet Workload Identity.

If you can't use fleet Workload Identity, registering an attached cluster requires a Google Cloud service account for authentication. We recommend creating a new service account for each cluster you want to attach. To create a service account for a cluster with the appropriate roles, follow the instructions in Creating a Google Cloud service account with gcloud. After you have created your service account, you can use the JSON file with the service account's credentials (key file) to register your cluster, as described in the next section.

Register your cluster

We recommend getting your cluster's membership status after you register it to ensure that it is properly connected to Google Cloud. See our troubleshooting guide if you have any issues with your registration.

gcloud

Run the following command:

gcloud container fleet memberships register MEMBERSHIP_NAME \
   --context=KUBECONFIG_CONTEXT \
   --kubeconfig=KUBECONFIG_PATH \
   --service-account-key-file=SERVICE_ACCOUNT_KEY_PATH

Replace the following:

  • MEMBERSHIP_NAME: the membership name that you choose and that is used to uniquely represent the cluster being registered to the fleet.
  • SERVICE_ACCOUNT_KEY_PATH: the local filepath to the service account's private key JSON file downloaded as part of Prerequisites. This service account key is stored as a secret named creds-gcp in the gke-connect namespace.
  • KUBECONFIG_CONTEXT: the cluster context of the cluster being registered as it appears in the kubeconfig file. You can get this value from the command line by running kubectl config current-context.
  • KUBECONFIG_PATH: the local filepath where your kubeconfig containing an entry for the cluster being registered is stored. This defaults to $KUBECONFIG if that environment variable is set; otherwise, this defaults to $HOME/.kube/config.

Register an attached cluster with fleet Workload Identity

To register an attached cluster with fleet Workload Identity enabled, run the following command. For more information about which attached cluster types can use this feature and any additional requirements, see Attached cluster prerequisites.

gcloud container fleet memberships register MEMBERSHIP_NAME \
   --context=KUBECONFIG_CONTEXT \
   --kubeconfig=KUBECONFIG_PATH \
   --enable-workload-identity \
   --has-private-issuer

Console

Generate a registration command

You can use the Google Cloud console to help generate a gcloud registration command to register your cluster (with a service account only).

To register a cluster:

  1. In the Google Cloud console, go to the Google Kubernetes Engine clusters overview page.

    Go to GKE clusters

  2. Click Register existing cluster.

  3. Click Add external cluster.

  4. Enter the name of the cluster that you want to register in the Cluster name field.

  5. Optional: Add Google Cloud labels to your cluster.

  6. Click Generate registration command.

  7. In Cloud Shell or wherever you have saved your service account credentials, edit and run the gcloud command that is displayed on the page. You need to specify the following values:

    • The CLUSTER_CONTEXT is the cluster's context as it appears in the kubeconfig file. You can get this value from the command line by running kubectl config current-context.
    • The KUBECONFIG_PATH is the local filepath where your kubeconfig file is stored. This defaults to $KUBECONFIG if that environment variable is set; otherwise, it defaults to $HOME/.kube/config.
    • The LOCAL_KEY_PATH is the path to your service account key file.

    Running this command deploys the Connect Agent in your user cluster. When the Connect Agent connects to Google Cloud and your cluster is registered, a success message is displayed on the page.

  8. Click Set labels, or click Skip if you didn't set any labels.

Advanced registration options (command line only)

Download the Connect Agent manifest

To download the Connect Agent installation manifest without deploying the agent, for example if you want to examine or edit the manifest before installation, pass in the --manifest-output-file flag to the gcloud container fleet memberships register command. For example:

--manifest-output-file=[MANIFEST_FILE_PATH]

where [MANIFEST_FILE_PATH] is the local filepath where you want the Connect Agent installation manifest to be stored.

Using this option will not deploy the Connect Agent into the cluster. To deploy the Connect Agent, manually apply the downloaded manifest to your cluster.

Using a proxy server

To configure a proxy server, pass in the --proxy flag to gcloud container fleet memberships register command. For example:

--proxy=[URL]

where [URL] is the proxy address.

The Connect Agent supports CONNECT-based HTTP and HTTPS proxies only, and accepts IP addresses and hostnames. Be sure to specify the protocol corresponding to the proxy type in the URL. For example, to pass in an HTTPS hostname:

--proxy=https://mycorpproxy.com:443

Unless you specify otherwise, Connect Agent uses port 3128 for the proxy.

If your proxy requires authorization, ensure that you pass in your credentials, such as:

--proxy=http://user:password@10.10.10.10:8888

Installing Connect Agent in a cluster with Windows and Linux nodes

The Connect Agent has to run on a Linux node. If you are installing in a mixed cluster with both Linux and Windows nodes, you can ensure that the Connect Agent is deployed on to a Linux node by adding an appropriate node selector to the deployment definition.

Run the following command to update the deployment with the appropriate node selector:

kubectl patch deployment \
$(kubectl get deployment -o=jsonpath='{.items[*].metadata.name}' -n gke-connect) \
-p '{"spec":{"template":{"spec":{"nodeSelector":{"kubernetes.io/os":"linux"}}}}}' -n gke-connect

To validate that the update succeeded run the following command:

kubectl get deployment -o=jsonpath='{.items[].spec.template.spec.nodeSelector}' -n gke-connect

The command should return:

{"kubernetes.io/os":"linux"}

Troubleshooting

If you run into any problems during this setup, see the fleet creation troubleshooting guide.

Enable GKE Enterprise features on attached clusters

After you register your clusters, you can enable available GKE Enterprise features on them for your applications. These features are supported only on our validated cluster types. You can see the current feature versions supported on these types in Version and upgrade support.

The following guides show you how to enable supported features on your clusters:

For complete documentation sets for all GKE Enterprise components, including tutorials, reference material, and more, see GKE Enterprise components.

Access attached clusters

After you register an attached cluster, it appears in the GKE and Anthos clusters pages in the Google Cloud console. However, to see more details such as nodes and workloads, you need to log in and authenticate to the cluster. To log in to your attached clusters from the Google Cloud console, follow the instructions in Logging in to clusters from the Google Cloud console. Depending on the authentication method you choose, note that you or a platform admin may need to do some additional setup before you or other users are able to log in to the cluster.

To access attached clusters from the command line using a Google Cloud identity, see Connecting to registered clusters with the Connect gateway.

To authenticate to attached clusters using your existing third-party identity provider (EKS on AWS clusters only, preview feature), see Setting up GKE Identity Service for a fleet and Accessing clusters with GKE Identity Service.

What's next?