GKE attached clusters lets you view your existing Kubernetes clusters in the Google Cloud console along with your GKE clusters, and enable several GKE Enterprise features on them, including centralized configuration control with Config Sync.
Supported Kubernetes clusters
You can attach any conformant Kubernetes cluster that includes x86 nodes to your fleet and view it in the Google Cloud console with your GKE clusters.
The following cluster types and versions have been validated by Google. For information on the GKE Enterprise features that are supported on attached clusters, see Anthos components and multi-cloud support.
| Attached cluster types | Kubernetes versions |
|---|---|
| Red Hat OpenShift Kubernetes Engine (OKE) 4.9, 4.10 | 1.23, 1.24 |
| Red Hat OpenShift Container Platform (OCP) 4.9, 4.10 | 1.23, 1.24 |
| Rancher Kubernetes Engine (RKE) 1.3.8 | 1.23, 1.24 |
| KIND 0.12 | 1.23, 1.24 |
| K3s 1.20 | 1.20 |
| K3d 4.4.3 | 1.20 |
Before you start
- Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.
-
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Anthos API.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init -
In the Google Cloud console, on the project selector page, select or create a Google Cloud project.
-
Make sure that billing is enabled for your Google Cloud project.
-
Enable the Anthos API.
- Install the Google Cloud CLI.
-
To initialize the gcloud CLI, run the following command:
gcloud init - Check the fleet registration prerequisites to ensure that you have the relevant permissions and enabled APIs to register a cluster.
- See the Before you begin guide for specific requirements for attaching clusters outside Google Cloud, including any special setup steps you may need for your cluster type.
Register attached clusters
You must register all clusters that you want to use with GKE Enterprise to your project's fleet. A fleet provides a way to logically group and normalize Kubernetes clusters, making administration of infrastructure easier. Clusters in the same fleet can be browsed and managed together in the Google Cloud console, and many GKE Enterprise and Google Cloud components use fleet concepts such as identity sameness and namespace sameness to simplify working with multiple clusters. You can find out much more about fleets and the functionality that they enable in our Fleet management guide.
You are entitled to enable and use GKE Enterprise features on these clusters, and you can manage some GKE Enterprise features at fleet level from the GKE features page. GKE Enterprise charges apply only to your registered clusters.
Set up identity
All attached clusters require an identity for the Connect Agent to use when authenticating to Google. If your cluster meets the requirements, you can register it with fleet Workload Identity enabled for authentication. Clusters with this feature enabled use identities from a fleet-wide fleet workload identity pool. You can find out more about how fleet Workload Identity works and the advantages of using it in Use fleet Workload Identity.
If you can't use fleet Workload Identity, registering an attached cluster
requires a Google Cloud service account for
authentication. We recommend creating a new service account for each cluster you
want to attach. To create a service account for a cluster with the appropriate
roles, follow the instructions in
Creating a Google Cloud service account with gcloud.
After you have created your service account, you can use the JSON file with the
service account's credentials (key file) to register your cluster, as described
in the next section.
Register your cluster
We recommend getting your cluster's membership status after you register it to ensure that it is properly connected to Google Cloud. See our troubleshooting guide if you have any issues with your registration.
gcloud
Run the following command:
gcloud container fleet memberships register MEMBERSHIP_NAME \ --context=KUBECONFIG_CONTEXT \ --kubeconfig=KUBECONFIG_PATH \ --service-account-key-file=SERVICE_ACCOUNT_KEY_PATH
Replace the following:
- MEMBERSHIP_NAME: the membership name that you choose and that is used to uniquely represent the cluster being registered to the fleet.
- SERVICE_ACCOUNT_KEY_PATH: the local filepath to the
service account's private key JSON file downloaded as part of Prerequisites.
This service account key is stored as a secret named
creds-gcpin thegke-connectnamespace. - KUBECONFIG_CONTEXT: the cluster context of the cluster being registered
as it appears in the kubeconfig file. You can get this value from the command
line by running
kubectl config current-context. - KUBECONFIG_PATH: the local filepath where your
kubeconfig containing an entry for the cluster being registered is stored.
This defaults to
$KUBECONFIGif that environment variable is set; otherwise, this defaults to$HOME/.kube/config.
Register an attached cluster with fleet Workload Identity
To register an attached cluster with fleet Workload Identity enabled, run the following command. For more information about which attached cluster types can use this feature and any additional requirements, see Attached cluster prerequisites.
gcloud container fleet memberships register MEMBERSHIP_NAME \ --context=KUBECONFIG_CONTEXT \ --kubeconfig=KUBECONFIG_PATH \ --enable-workload-identity \ --has-private-issuer
Console
Generate a registration command
You can use the Google Cloud console to help generate a gcloud
registration command to register your cluster (with a service account only).
To register a cluster:
In the Google Cloud console, go to the Google Kubernetes Engine clusters overview page.
Click Register existing cluster.
Click Add external cluster.
Enter the name of the cluster that you want to register in the Cluster name field.
Optional: Add Google Cloud labels to your cluster.
Click Generate registration command.
In Cloud Shell or wherever you have saved your service account credentials, edit and run the
gcloudcommand that is displayed on the page. You need to specify the following values:- The CLUSTER_CONTEXT is the cluster's context as it appears in the kubeconfig file. You can get this value from the command line by running
kubectl config current-context. - The KUBECONFIG_PATH is the local filepath where your kubeconfig file is stored. This defaults to
$KUBECONFIGif that environment variable is set; otherwise, it defaults to$HOME/.kube/config. - The LOCAL_KEY_PATH is the path to your service account key file.
Running this command deploys the Connect Agent in your user cluster. When the Connect Agent connects to Google Cloud and your cluster is registered, a success message is displayed on the page.
- The CLUSTER_CONTEXT is the cluster's context as it appears in the kubeconfig file. You can get this value from the command line by running
Click Set labels, or click Skip if you didn't set any labels.
Advanced registration options (command line only)
Download the Connect Agent manifest
To download the Connect Agent installation manifest without deploying the agent, for example if you want to examine or edit the manifest before installation, pass in the --manifest-output-file flag to the
gcloud container fleet memberships register command. For example:
--manifest-output-file=[MANIFEST_FILE_PATH]
where [MANIFEST_FILE_PATH] is the local filepath where you want the Connect Agent installation manifest to be stored.
Using this option will not deploy the Connect Agent into the cluster. To deploy the Connect Agent, manually apply the downloaded manifest to your cluster.
Using a proxy server
To configure a proxy server, pass in the --proxy flag to
gcloud container fleet memberships register command. For example:
--proxy=[URL]
where [URL] is the proxy address.
The Connect Agent supports CONNECT-based HTTP and HTTPS proxies only, and accepts IP addresses and hostnames. Be sure to specify the protocol corresponding to the proxy type in the URL. For example, to pass in an HTTPS hostname:
--proxy=https://mycorpproxy.com:443
Unless you specify otherwise, Connect Agent uses port 3128 for the proxy.
If your proxy requires authorization, ensure that you pass in your credentials, such as:
--proxy=http://user:password@10.10.10.10:8888
Installing Connect Agent in a cluster with Windows and Linux nodes
The Connect Agent has to run on a Linux node. If you are installing in a mixed cluster with both Linux and Windows nodes, you can ensure that the Connect Agent is deployed on to a Linux node by adding an appropriate node selector to the deployment definition.
Run the following command to update the deployment with the appropriate node selector:
kubectl patch deployment \
$(kubectl get deployment -o=jsonpath='{.items[*].metadata.name}' -n gke-connect) \
-p '{"spec":{"template":{"spec":{"nodeSelector":{"kubernetes.io/os":"linux"}}}}}' -n gke-connect
To validate that the update succeeded run the following command:
kubectl get deployment -o=jsonpath='{.items[].spec.template.spec.nodeSelector}' -n gke-connect
The command should return:
{"kubernetes.io/os":"linux"}
Troubleshooting
If you run into any problems during this setup, see the fleet creation troubleshooting guide.
Enable GKE Enterprise features on attached clusters
After you register your clusters, you can enable available GKE Enterprise features on them for your applications. These features are supported only on our validated cluster types. You can see the current feature versions supported on these types in Version and upgrade support.
The following guides show you how to enable supported features on your clusters:
Cloud Service Mesh 1.11 and later supports Amazon EKS:
Configuration and policy management:
For complete documentation sets for all GKE Enterprise components, including tutorials, reference material, and more, see GKE Enterprise components.
Access attached clusters
After you register an attached cluster, it appears in the GKE and Anthos clusters pages in the Google Cloud console. However, to see more details such as nodes and workloads, you need to log in and authenticate to the cluster. To log in to your attached clusters from the Google Cloud console, follow the instructions in Logging in to clusters from the Google Cloud console. Depending on the authentication method you choose, note that you or a platform admin may need to do some additional setup before you or other users are able to log in to the cluster.
To access attached clusters from the command line using a Google Cloud identity, see Connecting to registered clusters with the Connect gateway.
To authenticate to attached clusters using your existing third-party identity provider (EKS on AWS clusters only, preview feature), see Setting up GKE Identity Service for a fleet and Accessing clusters with GKE Identity Service.