Manage clusters with the Anthos UI

Connect overview

After you install GKE on Bare Metal, Connect uses a deployment called Connect Agent to establish a connection between your clusters and your Google Cloud project, and to handle Kubernetes requests.

Connect lets you connect any of your Kubernetes clusters to Google Cloud. This gives you access to cluster and workload management features, including a unified user interface, the Google Cloud console, for interacting with your cluster.

The Connect Agent manages information about your account credentials, as well as the technical details of your connected cluster infrastructure and workloads, including resources, applications, and hardware.

This cluster service data is associated with your Google Cloud project and/or account. Google uses this data to maintain a control plane between your cluster and Google Cloud, to provide you with any Google Cloud services and features you request, including facilitating support, billing, providing updates, and to measure and improve the reliability, quality, capacity, and functionality of Connect and Google Cloud services available through Connect.

For more information on Connect, see the Connect overview.

Manage clusters in Google Cloud console

Google Cloud console offers a central user interface for managing all of your Kubernetes clusters and their resources no matter where they are running. All of your resources are shown in a single dashboard, and it's easy to get visibility into your workloads across multiple Kubernetes clusters.

Google Cloud console simplifies debugging, especially when your clusters are distributed across different environments and networks. Google Cloud console allows you to quickly determine the workloads' health and allows you to make modifications to them as if they were all running in a single cloud.

You remain in control of what resources users can view and manipulate through the UI: your Kubernetes API server continues to perform authentication, authorization, and audit logging on all requests made via Google Cloud console.

Authentication

Your registered clusters need to be set up with one of the following authentication methods so that you can log in to a cluster from the Google Cloud console:

  • Google identity: This option lets users log in using their Google Cloud identity. Use this option if users already have access to Google Cloud with a Google identity. To set up access to the Google Cloud console using Google identity, see Setting up the Connect gateway.

  • OpenID Connect (OIDC): If your cluster is configured to use an OIDC identity provider, you can use this to authenticate to the cluster from the Google Cloud console. You can find out how to set up OIDC for your clusters in the following guides:

  • Bearer token: If the preceding Google-provided solutions aren't suitable for your organization, you can set up authentication using a Kubernetes service account and using its bearer token to log in. For details, see Set up using a bearer token.

Log in to Anthos clusters in the Google Cloud console

To log in to a cluster, perform the following steps:

  1. Visit the GKE clusters menu in Google Cloud console.


  2. From the list of clusters, click the Login button beside the registered cluster.

  3. Choose how you'd like to log in:

    1. If you are using Google identity, select Use your Google identity to log in, fill the Username and Password fields, and then click Login.
    2. If you are using a KSA token to log in, select Token, fill the Token field with the KSA's bearer token, and then click Login.
    3. If you are using OpenID Connect (OIDC), select OpenID Connect, then click Login.

If you authenticate successfully, you are able to inspect the cluster and get details about its nodes.

Authorization

Authorization checks are performed by the cluster's API server against the identity you use when you authenticate via Google Cloud console.

All accounts logging in to a cluster need to hold at least the following Kubernetes RBAC roles in the cluster:

These roles provide read-only access to a cluster and details about its nodes. The roles do not provide access to all resources, so some features of Google Cloud console may not be available; for instance, these roles do not allow access to Kubernetes Secrets or to Pod logs.

Accounts can be granted other RBAC permissions, such as via edit or cluster-admin, to do more within the cluster. For more information, see the RBAC documentation.
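The following script is an added example and is not part of the Google Cloud documentation; it ties together the bearer-token setup described under Authentication and the minimum read-only RBAC described under Authorization. Because the page does not name the roles it requires, the script assumes the built-in Kubernetes `view` ClusterRole for namespaced resources plus a custom ClusterRole for reading nodes (nodes are cluster-scoped and are not covered by `view`). The service account name `console-viewer`, the ClusterRole name `console-node-reader`, and the `kube-system` namespace are all assumptions chosen for this example. Running the script prints the manifests; applying them and minting a token require a live cluster and are left to the reader.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation page.
# Renders the minimal read-only RBAC for a console login identity and wraps
# short-lived token minting for the bearer-token login path.
# Assumed names: service account "console-viewer", ClusterRole
# "console-node-reader", namespace "kube-system". The page does not list its
# own role names; the built-in "view" ClusterRole is assumed here.

# Nodes are cluster-scoped and not covered by "view", so a dedicated
# read-only ClusterRole is needed for the console's node details.
render_node_reader_role() {
  cat <<'EOF'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: console-node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
EOF
}

# $1 = subject kind (User or ServiceAccount), $2 = name, $3 = namespace
# (ServiceAccount only). Google identities and OIDC users bind as "User".
render_subject() {
  if [ "$1" = "ServiceAccount" ]; then
    printf -- '- kind: ServiceAccount\n  name: %s\n  namespace: %s\n' "$2" "$3"
  else
    printf -- '- kind: User\n  name: %s\n  apiGroup: rbac.authorization.k8s.io\n' "$2"
  fi
}

# Bind both the built-in "view" ClusterRole and the node-reader role to one
# subject; neither grants access to Secrets, matching the page's description.
render_bindings() {
  kind="$1"; name="$2"; ns="${3:-}"
  for role in view console-node-reader; do
    cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: console-${role}-${name}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: ${role}
subjects:
EOF
    render_subject "$kind" "$name" "$ns"
  done
}

# A dedicated service account for the bearer-token login option.
render_service_account() {
  printf -- '---\napiVersion: v1\nkind: ServiceAccount\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
}

# Mint a short-lived bearer token for the service account ($1) in namespace
# ($2). Needs a live cluster and kubectl 1.24 or newer; not run here.
# A bounded-lifetime token is preferable to a long-lived secret for logins.
mint_console_token() {
  kubectl -n "$2" create token "$1" --duration=1h
}

# Stand-alone run: print the manifests so they can be piped to
#   kubectl apply -f -
render_service_account console-viewer kube-system
render_node_reader_role
render_bindings ServiceAccount console-viewer kube-system
```

To grant the same minimum to a Google identity or OIDC user instead of a service account, call `render_bindings User <email>`; the bindings then reference a `User` subject and no ServiceAccount or token is involved. Either way, every request the console makes still passes through the cluster's own authentication, authorization and audit logging, as the page notes.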