Connect and authenticate to your cluster
This page explains how to connect and authenticate to Anthos clusters on Azure.
You have multiple options to authenticate to Anthos clusters. The cluster
ClusterRole automatically for the user that created the cluster.
To log in using Connect gateway,
gcloud container azure clusters get-credentials CLUSTER_NAME
To connect to your cluster on Azure from a device with direct connectivity to the cluster VPC, use the following command:
gcloud container azure clusters get-credentials CLUSTER_NAME --private-endpoint
command. For more information, see Configure cluster access for kubectl.
Additional users who log in this way need additional ClusterRoles provisioned.
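The following manifest is an added example, not part of the original page or the product's own configuration. It shows one way to provision a narrowly scoped ClusterRole for an additional user instead of reusing administrator access. The role name, binding name and `alice@example.com` are constructed placeholders, and the example assumes the API server sees the user under their Google account email address.

```yaml
# Added example: read-only access to workloads for one additional user.
# All names below are hypothetical placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: workload-reader
rules:
  # Core API group: pods, their logs, and services (read-only verbs).
  - apiGroups: [""]
    resources: ["pods", "pods/log", "services"]
    verbs: ["get", "list", "watch"]
  # Workload controllers in the apps group (read-only verbs).
  - apiGroups: ["apps"]
    resources: ["deployments", "statefulsets", "daemonsets", "replicasets"]
    verbs: ["get", "list", "watch"]
  # Secrets, RBAC objects and write verbs are deliberately absent,
  # so this user cannot read credentials or escalate privileges.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: workload-reader-alice
subjects:
  # Assumption: the user name is the user's Google account email address.
  - kind: User
    name: alice@example.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: workload-reader
  apiGroup: rbac.authorization.k8s.io
```

A cluster administrator can apply the manifest with `kubectl apply -f` and confirm the boundary with `kubectl auth can-i list secrets --as alice@example.com`, which should answer `no`.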
All of the options below assume that Connect gateway or the user can connect to your cluster's control plane:
Google identity: The default authentication option provided by Anthos clusters on Azure without additional configuration. By default, the identity that creates the cluster has administrator access. To configure additional users, pass the --admin-users flag when you create a cluster.
For both authentication options, your cluster administrator needs to set up the cluster with their Google identity.
Google identity authentication
You can authenticate to your cluster with your Google identity in the following ways:
Use kubectl with identity from the Google Cloud CLI
You can use the Google Cloud CLI to create a
the identity of the user authenticated with
gcloud login. You can then
kubectl to access the cluster.
For more information, see Configure cluster access for kubectl.
Use Google Cloud console
To set up access to the console using Google identity, see Setting up the Connect gateway.
For more information on authenticating to your cluster with OIDC, see Manage identity with Anthos Identity Service.
Connect to your cluster's control plane
All Anthos clusters on Azure are created in private subnets. All the underlying cluster infrastructure (for example, nodes and load balancer endpoints) is provisioned with private RFC 1918 IP addresses only.
To manage your cluster directly, you must be able to connect to the control plane load balancer of your cluster. If your cluster can't connect directly to your control plane but can make outbound connections, you can connect to the control plane through Connect gateway, a Google-hosted reverse proxy to your cluster. For more information, see Connect overview.
You can also connect through Azure's ExpressRoute service.