The GKE On-Prem API is a Google Cloud-hosted API that lets you manage the
lifecycle of your on-premises clusters by using standard tools: the
Google Cloud console, the Google Cloud CLI, or Terraform. When you create a
cluster using one of these tools, the API stores metadata about your cluster's
state in the Google Cloud region that you specified when creating the cluster.
This metadata lets you manage the lifecycle of the cluster using the
standard tools. If you want to use these tools to view cluster details or manage
the lifecycle of clusters that were created using bmctl
, you must
enroll the clusters in the GKE On-Prem API.
Terminology
Enrolling a cluster lets you manage the cluster lifecycle by using the console, the gcloud CLI, or Terraform.
Enrolling a cluster is a separate process to registering a cluster to a fleet.
A fleet is a a logical grouping of Kubernetes clusters that you can manage
together. All Google Distributed Cloud clusters are registered to a fleet at cluster
creation time. When you create a cluster using bmctl, the cluster
is registered to the Google Cloud project that you specify in the
gkeConnect.projectID
field in the cluster configuration file. This project
is referred to as the
fleet host project.
To learn more about fleets, including uses cases, best practices, and examples,
see the Fleet management documentation.
View registered clusters
All your fleet clusters are displayed on the GKE Clusters pages in the console. This both gives you an overview of your entire fleet and, for Google Distributed Cloud, lets you see which clusters are managed by the GKE On-Prem API.
To view your fleet clusters:
-
In the console, go to the GKE clusters page.
Go to GKE clusters -
Select the Google Cloud project.
- If Bare metal is displayed in the Type column, the cluster is managed by the GKE On-Prem API.
- If External is displayed in the Type column, the cluster isn't managed by the GKE On-Prem API.
Requirements
- Only user and admin clusters can be enrolled with the GKE On-Prem API. Enrolling hybrid and standalone clusters isn't supported.
- Version 1.13 or higher.
Enrollment of user clusters created under custom namespaces isn't supported. The generated user cluster configuration file uses the default cluster namespace of the form
cluster-CLUSTER_NAME
. If you change the namespace when you create the cluster, attempts to enroll the cluster with the GKE On-Prem API are blocked.If you aren't a project owner, minimally, you must be granted the Identity and Access Management role
roles/gkeonprem.admin
on the project. For details on the permissions included in this role, see GKE on-prem roles in the IAM documentation.
Before you begin
Set up the gcloud CLI, if needed.
If you need to install the gcloud CLI, see the gcloud CLI documentation. Update the gcloud CLI components, if needed:
gcloud components update
Do the following steps to activate and use the GKE On-Prem API:
Enable the API in your project:
gcloud services enable \ --project PROJECT_ID \ gkeonprem.googleapis.com
Replace
PROJECT_ID
with the project ID of your fleet host project. This is the project ID that was configured in thegkeconnect
section of your cluster configuration file.If you get a
PERMISSION_DENIED
error, double check the project ID that you entered. If the project ID is correct, rungcloud auth login
to sign in to the Google Cloud CLI with the account that has access to the project.If this is the first time that you have enabled the GKE On-Prem API in your project, you need to initialize the API. You can do this by calling a gcloud CLI command that displays available versions that you can use to create a cluster:
gcloud container bare-metal clusters query-version-config \ --project=PROJECT_ID \ --location=REGION
Replace
REGION
withus-west1
or another supported region.
If your organization has set up an allowlist that lets traffic from Google APIs and other addresses pass through your proxy server, add the following to the allowlist:
gkeonprem.googleapis.com
gkeonprem.mtls.googleapis.com
These are the service names for the GKE On-Prem API.
Enroll a user cluster
gcloud CLI
Be sure to scroll over if needed to fill in the
ADMIN_CLUSTER_NAME
placeholder for the
--admin-cluster-membership
flag.
gcloud container bare-metal clusters enroll USER_CLUSTER_NAME \ --project=PROJECT_ID \ --admin-cluster-membership=projects/PROJECT_ID/locations/global/memberships/ADMIN_CLUSTER_NAME \ --location=REGION
Replace the following:
USER_CLUSTER_NAME
: The name of the user cluster that you want to enroll.PROJECT_ID
The project ID of your fleet host project.ADMIN_CLUSTER_NAME
: The admin cluster that manages the user cluster. The admin cluster name is the last segment of the fully-specified cluster name that uniquely identifies the cluster in Google Cloud.REGION
: The Google Cloud region in which the GKE On-Prem API runs and stores cluster metadata. Specifyus-west1
or another supported region. The region can't be changed after the cluster is enrolled.
bmctl
Do the following steps on your admin workstation.
Add the following section to the user cluster configuration file:
gkeOnPremAPI: enabled: true location: REGION
Replace
REGION
with the Google Cloud region in which the GKE On-Prem API runs and stores cluster metadata. Specifyus-west1
or another supported region. The region can't be changed after the cluster is enrolled.Update the cluster:
bmctl update cluster -c USER_CLUSTER_NAME \ --kubeconfig ADMIN_CLUSTER_KUBECONFIG
Replace the following:
USER_CLUSTER_NAME
: the name of the user cluster to update.ADMIN_CLUSTER_KUBECONFIG
: the path of the admin cluster kubeconfig file.
Enroll an admin cluster
gcloud CLI
Be sure to scroll over if needed to fill in the
ADMIN_CLUSTER_NAME
placeholder for the
--admin-cluster-membership
flag.
gcloud container bare-metal admin-clusters enroll ADMIN_CLUSTER_NAME \ --project=PROJECT_ID \ --admin-cluster-membership=projects/PROJECT_ID/locations/global/memberships/ADMIN_CLUSTER_NAME \ --location=REGION
Replace the following:
ADMIN_CLUSTER_NAME
: The name of the admin cluster that you want to enroll.PROJECT_ID
The project ID of your fleet host project.The
ADMIN_CLUSTER_NAME
andPROJECT_ID
are used to form the fully-specified cluster name for the--admin-cluster-membership
flag.REGION
: The Google Cloud region in which the GKE On-Prem API runs and stores cluster metadata. Specifyus-west1
or another supported region. The region can't be changed after the cluster is enrolled.
bmctl
Do the following steps on your admin workstation.
Add the following section to the admin cluster configuration file:
gkeOnPremAPI: enabled: true location: REGION
Replace
REGION
with the Google Cloud region in which the GKE On-Prem API runs and stores cluster metadata. Specifyus-west1
or another supported region. The region can't be changed after the cluster is enrolled.Update the cluster:
bmctl update cluster -c ADMIN_CLUSTER_NAME \ --kubeconfig ADMIN_CLUSTER_KUBECONFIG
Replace the following:
ADMIN_CLUSTER_NAME
: the name of the admin cluster to update.ADMIN_CLUSTER_KUBECONFIG
: the path of the admin cluster kubeconfig file.
Get information about your cluster
After the cluster is enrolled, you can use the following commands to get information about your clusters:
User cluster
- To describe a user cluster:
gcloud container bare-metal clusters describe USER_CLUSTER_NAME \ --project=PROJECT_ID \ --location=REGION
- To list your user clusters:
gcloud container bare-metal clusters list \ --project=PROJECT_ID \ --location=-
When you set --location=-
, that means to list all clusters in all
regions. If you need to scope down the list, set --location
to the region
you specified when you enrolled the cluster.
Admin cluster
- To describe an admin cluster:
gcloud container bare-metal admin-clusters describe ADMIN_CLUSTER_NAME \ --project=PROJECT_ID \ --location=REGION
- To list your admin clusters:
gcloud container bare-metal admin-clusters list \ --project=PROJECT_ID \ --location=-
When you set --location=-
, that means to list all clusters in all
regions. If you need to scope down the list, set --location
to the region
you specified when you enrolled the cluster.
Connect to the cluster
After the cluster is enrolled with the GKE On-Prem API, you need to choose and configure an authentication method so that you can manage the cluster from the Google Cloud console. The authentication method that you select also controls access to the cluster from the command line. For more information, see the following: