Using multiple Google Cloud projects

This document shows how to associate one or more Google Cloud projects with a GKE Enterprise cluster on VMware.

The instructions here are complete. For a shorter introduction to using a Google Cloud project, see Set up minimal infrastructure.

Before you begin

Install Google Cloud CLI.

Fleet host project

Every admin cluster must be registered to a fleet. And every user cluster managed by an admin cluster must be registered to the same fleet as the admin cluster.

When an admin or user cluster is registered to a fleet, it is associated with a fleet host project. An admin cluster and all the user clusters it manages have the same fleet host project. In the Google Cloud console, in the fleet host project, you can see and manage your admin and user clusters.

To specify a fleet host project for an admin cluster, enter a project ID in the gkeConnect.projectID field of the admin cluster configuration file.

If you use the gkectl command-line tool to create a user cluster, enter a project ID in the gkeConnect.projectID field of the user cluster configuration file.

If you include the stackdriver, cloudAuditLogging, and gkeOnPremAPI sections in the configuration files, note the following requirements for new clusters:

  • The ID in gkeConnect.projectID must be the same as the ID set in stackdriver.projectID and cloudAuditLogging.projectID.

  • The same Google Cloud region must be set in stackdriver.clusterLocation and cloudAuditLogging.clusterLocation. Additionally, if gkeOnPremAPI.enabled is true, the same region must be set in gkeOnPremAPI.location.

If the project IDs and regions aren't the same, cluster creation fails.
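The two rules above can be checked before running gkectl. The following pre-flight check is an added example, not part of this documentation or of gkectl: it reads the relevant sections from a constructed cluster configuration and reports the mismatches that would make creation fail. The sample project IDs and regions are placeholders.

```python
"""Pre-flight check for the project-ID and region consistency rules
enforced at cluster creation (added example, not part of gkectl)."""

# Constructed sample: only the sections relevant to the two rules.
# This sample deliberately violates both rules.
SAMPLE_CONFIG = """\
gkeConnect:
  projectID: fleet-host-prj
stackdriver:
  projectID: fleet-host-prj
  clusterLocation: us-central1
cloudAuditLogging:
  projectID: other-prj
  clusterLocation: us-east1
gkeOnPremAPI:
  enabled: true
  location: us-central1
"""


def parse_sections(text):
    """Minimal parser for the two-level 'section:' / '  key: value' layout
    used in the sample above; it is not a general YAML parser."""
    config, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            config[section] = {}
        elif section is not None:
            key, _, value = line.strip().partition(":")
            config[section][key.strip()] = value.strip().strip('"')
    return config


def check_project_consistency(config):
    """Return a list of violations; an empty list means the config passes."""
    problems = []
    fleet = config.get("gkeConnect", {}).get("projectID")
    if not fleet:
        problems.append("gkeConnect.projectID is not set")
    # Rule 1: stackdriver and cloudAuditLogging must use the fleet host project.
    for section in ("stackdriver", "cloudAuditLogging"):
        pid = config.get(section, {}).get("projectID")
        if pid is not None and pid != fleet:
            problems.append(f"{section}.projectID={pid} differs from gkeConnect.projectID={fleet}")
    # Rule 2: one region across stackdriver, cloudAuditLogging and (if enabled) gkeOnPremAPI.
    regions = {}
    for section in ("stackdriver", "cloudAuditLogging"):
        if "clusterLocation" in config.get(section, {}):
            regions[f"{section}.clusterLocation"] = config[section]["clusterLocation"]
    api = config.get("gkeOnPremAPI", {})
    if api.get("enabled", "").lower() == "true" and "location" in api:
        regions["gkeOnPremAPI.location"] = api["location"]
    if len(set(regions.values())) > 1:
        problems.append("regions differ: " + ", ".join(f"{k}={v}" for k, v in sorted(regions.items())))
    return problems


if __name__ == "__main__":
    for problem in check_project_consistency(parse_sections(SAMPLE_CONFIG)):
        print("FAIL:", problem)
```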

If you use the Google Cloud console to create a user cluster, the current Google Cloud project automatically becomes the fleet host project.

Enable APIs in your fleet host project

Linux and macOS

Enable the required APIs in your fleet host project:

gcloud services enable --project FLEET_HOST_PROJECT_ID \
    anthos.googleapis.com \
    container.googleapis.com \
    gkehub.googleapis.com \
    gkeconnect.googleapis.com \
    connectgateway.googleapis.com \
    stackdriver.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com \
    opsconfigmonitoring.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

If you want to manage the lifecycle of user clusters in the Google Cloud console, the Google Cloud CLI, or Terraform, enable these additional APIs in your fleet host project:

gcloud services enable --project FLEET_HOST_PROJECT_ID \
    gkeonprem.googleapis.com \
    anthosaudit.googleapis.com \
    storage.googleapis.com

Windows

Enable the required APIs in your fleet host project:

gcloud services enable --project FLEET_HOST_PROJECT_ID ^
    anthos.googleapis.com ^
    container.googleapis.com ^
    gkehub.googleapis.com ^
    gkeconnect.googleapis.com ^
    connectgateway.googleapis.com ^
    stackdriver.googleapis.com ^
    monitoring.googleapis.com ^
    logging.googleapis.com ^
    opsconfigmonitoring.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

If you want to manage the lifecycle of user clusters in the Google Cloud console, the Google Cloud CLI, or Terraform, enable these additional APIs in your fleet host project:

gcloud services enable --project FLEET_HOST_PROJECT_ID ^
    gkeonprem.googleapis.com ^
    anthosaudit.googleapis.com ^
    storage.googleapis.com

View logs and metrics in your fleet host project

If you want to view cluster logs and metrics in the Google Cloud console, enter the ID of your fleet host project in the stackdriver.projectID field of your admin and user cluster configuration files.

This stackdriver section is required by default. That is, if you don't fill in the stackdriver section, you must include the --skip-validation-stackdriver flag when you run gkectl create.

You cannot enter any other project ID in the stackdriver.projectID field. If you enter a value, it must be the ID of your fleet host project.

If you choose to view cluster logs and metrics in the Google Cloud console, enable these APIs in your fleet host project:

Linux and macOS

gcloud services enable --project FLEET_HOST_PROJECT_ID \
    stackdriver.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com \
    opsconfigmonitoring.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

Windows

gcloud services enable --project FLEET_HOST_PROJECT_ID ^
    stackdriver.googleapis.com ^
    monitoring.googleapis.com ^
    logging.googleapis.com ^
    opsconfigmonitoring.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

View audit logs in your fleet host project

If you want to view audit logs in the Google Cloud console, enter the ID of your fleet host project in the cloudAuditLogging.projectID field of your admin and user cluster configuration files.

You cannot enter any other project ID in the cloudAuditLogging.projectID field. If you enter a value, it must be the ID of your fleet host project.

If you choose to view audit logs in the Google Cloud console, enable these APIs in your fleet host project:

Linux and macOS

gcloud services enable --project FLEET_HOST_PROJECT_ID \
    anthosaudit.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

Windows

gcloud services enable --project FLEET_HOST_PROJECT_ID ^
    anthosaudit.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

Granting roles to service accounts on your fleet host project

Your connect-register service account must be granted certain roles on your fleet host project. For details, see Connect-register service account.

Your logging-monitoring service account must be granted certain roles on your fleet host project. For details, see Logging-monitoring service account.

Your audit logging service account must be granted certain roles on your fleet host project. For details, see Audit logging service account.

Usage metering project

If you enable GKE usage metering for a user cluster, Google Distributed Cloud stores usage data in a BigQuery dataset that is associated with a Google Cloud project of your choice. This Google Cloud project is called your usage metering project.

Your usage metering project can be the same as your fleet host project, or it can be different.

To enable usage metering, in your user cluster configuration file, set usageMetering.bigQueryProjectID to the ID of your usage metering project.

If you choose to enable usage metering, enable these APIs in your usage metering project:

Linux and macOS

gcloud services enable --project USAGE_METERING_PROJECT_ID \
    bigquery.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

Windows

gcloud services enable --project USAGE_METERING_PROJECT_ID ^
    bigquery.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

Granting roles to service accounts on your usage metering project

Your usage metering service account must be granted certain roles on your usage metering project.

For details, see Usage metering service account.

Parent project of your component access service account

Before you create a cluster, you must have a service account that Google Distributed Cloud can use to download components from Container Registry. This service account is called your component access service account.

The Google Cloud project where you created your component access service account is called the parent of your component access service account. This project can be the same as one of the projects that you specify in your cluster configuration files, or it can be different from all of the projects that you specify in your configuration files. For more information about service accounts and parent projects, see Understanding service accounts and Google Cloud projects.

To enable the required APIs for the parent project of your component access service account:

Linux and macOS

gcloud services enable --project [PROJECT_ID] \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of the parent project of your component access service account.

Windows

gcloud services enable --project [PROJECT_ID] ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of the parent project of your component access service account.

What's next

Create service accounts and keys.