The Anthos On-Prem API is a Google Cloud-hosted API that lets you manage the
lifecycle of your on-premises clusters by using standard tools: the
Google Cloud console, the Google Cloud CLI, or Terraform. When you create a
cluster using one of these tools, the API stores metadata about your cluster's
state in the Google Cloud region that you specified when creating the cluster.
This metadata lets you manage the lifecycle of the cluster using the
standard tools. If you want to use these tools to view cluster details or manage
the lifecycle of clusters that were created using gkectl, you must
enroll the clusters in the Anthos On-Prem API.
Terminology
Enrolling a cluster lets you manage the cluster lifecycle by using the console, the gcloud CLI, or Terraform.
Enrolling a cluster is a separate process to registering a cluster to a fleet.
A fleet is a a logical grouping of Kubernetes clusters that you can manage
together. All Google Distributed Cloud clusters are registered to a fleet at cluster
creation time. When you create a cluster using gkectl, the cluster
is registered to the Google Cloud project that you specify in the
gkeConnect.projectID field in the cluster configuration file. This project
is referred to as the
fleet host project.
To learn more about fleets, including uses cases, best practices, and examples,
see the Fleet management documentation.
View registered clusters
All your fleet clusters are displayed on the GKE Clusters pages in the console. This both gives you an overview of your entire fleet and, for Google Distributed Cloud, lets you see which clusters are managed by the Anthos On-Prem API.
To view your fleet clusters:
-
In the console, go to the GKE clusters page.
Go to GKE clusters -
Select the Google Cloud project.
- If VMware is displayed in the Type column, the cluster is managed by the Anthos On-Prem API.
- If External is displayed in the Type column, the cluster isn't managed by the Anthos On-Prem API.
Requirements
- User clusters must be version 1.11 or higher.
- Admin clusters must be version 1.13 or higher.
If your organization has set up an allowlist that lets traffic from Google APIs and other addresses pass through your proxy server, add the following to the allowlist:
- gkeonprem.googleapis.com
- gkeonprem.mtls.googleapis.com
These are the service names for the Anthos On-Prem API.
If you aren't a project owner, minimally, you must be granted the Identity and Access Management role
roles/gkeonprem.adminon the project. For details on the permissions included in this role, see GKE on-prem roles in the IAM documentation.
Enroll a cluster
To enroll a cluster for management by the Anthos On-Prem API:
Ensure that you have the latest version of the gcloud CLI. Update the gcloud CLI components, if needed:
gcloud components updateEnable the Anthos On-Prem API in your the fleet host project:
gcloud services enable \ --project FLEET_HOST_PROJECT_ID \ gkeonprem.googleapis.comReplace
FLEET_HOST_PROJECT_IDwith the project ID of your fleet host project. This is the project ID that was configured in thegkeconnectsection of your admin cluster configuration file or user cluster configuration file.Enroll the cluster with the Anthos On-Prem API:
User cluster
Be sure to scroll over if needed to fill in the
ADMIN_CLUSTER_NAMEplaceholder for the--admin-cluster-membershipflag.gcloud container vmware clusters enroll USER_CLUSTER_NAME \ --project=FLEET_HOST_PROJECT_ID \ --admin-cluster-membership=projects/FLEET_HOST_PROJECT_ID/locations/global/memberships/ADMIN_CLUSTER_NAME \ --location=LOCATION
Replace the following:
USER_CLUSTER_NAME: The name of the user cluster that you want to enroll.FLEET_HOST_PROJECT_IDThe project ID of your fleet host project.ADMIN_CLUSTER_NAME: The admin cluster that manages the user cluster. The admin cluster name is the last segment of the fully-specified cluster name that uniquely identifies the cluster in Google Cloud.LOCATION: The Google Cloud region in which the Anthos On-Prem API runs. Specifyus-west1or another supported region. The region can't be changed after the cluster is enrolled. In addition to setting the region where the Anthos On-Prem API runs, this is the region in which the following is stored:- The cluster metadata that the Anthos On-Prem API needs to manage the cluster lifecycle
- The Cloud Logging and Cloud Monitoring data of system components
- The Admin Audit log created by Cloud Audit Logs
Admin cluster
gcloud container vmware admin-clusters enroll ADMIN_CLUSTER_NAME \ --project=FLEET_HOST_PROJECT_ID \ --admin-cluster-membership=projects/FLEET_HOST_PROJECT_ID/locations/global/memberships/ADMIN_CLUSTER_NAME \ --location=LOCATION
Replace the following:
ADMIN_CLUSTER_NAME: The name of the admin cluster that you want to enroll.FLEET_HOST_PROJECT_IDThe project ID of your fleet host project.The
ADMIN_CLUSTER_NAMEandFLEET_HOST_PROJECT_IDare used to form the fully-specified cluster name for the--admin-cluster-membershipflag.LOCATION: The Google Cloud region in which the Anthos On-Prem API runs. Specifyus-west1or another supported region. The region can't be changed after the cluster is enrolled. In addition to setting the region where the Anthos On-Prem API runs, this is the region in which the following is stored:- The cluster metadata that the Anthos On-Prem API needs to manage the cluster lifecycle
- The Cloud Logging and Cloud Monitoring data of system components
- The Admin Audit log created by Cloud Audit Logs
After the cluster is enrolled, you can use the following commands to get information about your clusters:
User cluster
- To describe a user cluster:
gcloud container vmware clusters describe USER_CLUSTER_NAME \ --project=FLEET_HOST_PROJECT_ID \ --location=LOCATION
- To list your user clusters:
gcloud container vmware clusters list \ --project=FLEET_HOST_PROJECT_ID \ --location=LOCATION
Admin cluster
- To describe an admin cluster:
gcloud container vmware admin-clusters describe ADMIN_CLUSTER_NAME \ --project=FLEET_HOST_PROJECT_ID \ --location=LOCATION
- To list your admin clusters:
gcloud container vmware admin-clusters list \ --project=FLEET_HOST_PROJECT_ID \ --location=LOCATION
Connect to the cluster
After the cluster is enrolled in the Anthos On-Prem API, you need to choose and configure an authentication method so that you can manage the cluster from the Google Cloud console. The authentication method that you select also controls access to the cluster from the command line. For more information, see the following: