After you install Anthos clusters on bare metal, Connect uses a deployment called Connect Agent to establish a connection between your clusters and your Google Cloud project, and to handle Kubernetes requests.
Connect allows you to connect any of your Kubernetes clusters to Google Cloud. This enables access to cluster and to workload management features, including a unified user interface, Cloud Console, to interact with your cluster.
The Connect Agent manages information about your account credentials, as well as the technical details of your connected cluster infrastructure and workloads, including resources, applications, and hardware.
This cluster service data is associated with your Google Cloud project and/or account. Google uses this data to maintain a control plane between your cluster and Google Cloud, to provide you with any Google Cloud services and features you request, including facilitating support, billing, providing updates, and to measure and improve the reliability, quality, capacity, and functionality of Connect and Google Cloud services available through Connect.
For more information on Connect, see the Connect overview
Managing clusters in Cloud Console
Cloud Console offers a central user interface for managing all of your Kubernetes clusters and their resources no matter where they are running. All of your resources are shown in a single dashboard, and it's easy to get visibility into your workloads across multiple Kubernetes clusters.
Cloud Console simplifies debugging, especially when your clusters are distributed across different environments and networks. Cloud Console allows you to quickly determine the workloads' health and allows you to make modifications to them as if they were all running in a single cloud.
You remain in control of what resources users can view and manipulate through the UI: your Kubernetes API server continues to perform authentication, authorization, and audit logging on all requests made via Cloud Console.
For more information, see Cloud Console.
Logging in to Anthos clusters in the Google Cloud Console
To log in to a cluster, perform the following steps:
Visit the Anthos clusters menu in Cloud Console.
From the list of clusters, click the Login button beside the registered cluster.
Choose how you'd like to log in:
- If you are using basic authentication, select Basic authentication, fill the Username and Password fields, and then click Login.
- If you are using a KSA token to log in, select Token, fill the Token field with the KSA's bearer token, and then click Login.
- If you are using OpenID Connect (OIDC), select OpenID Connect, then click Login.
If you authenticate successfully, you are able to inspect the cluster and get details about its nodes.
You can use the Google Cloud Console to sign in to registered clusters in three ways:
- Using basic authentication, which uses a username and a static password file. To learn more, refer to Static Password File.
- Using a bearer token. Many kinds of bearer tokens, as specified in Kubernetes Authentication, are supported. The easiest method is to create a Kubernetes service account (KSA) in the cluster, and use its bearer token to log in.
- Using an OpenID Connect (OIDC) provider.
Authorization checks are performed by the cluster's API server against the identity you use when you authenticate via Google Cloud Console.
All accounts logging in to a cluster need to hold at least the following Kubernetes RBAC roles in the cluster:
These roles provide read-only access to a cluster and details about their nodes. The roles do not provide access to all resources, so some features of Google Cloud Console may not be available; for instance, these roles do not allow access to Kubernetes Secrets or to Pod logs.
Accounts can be granted other RBAC permissions, such as via
cluster-admin, to do more within the cluster. For more information, see the