Using multiple Google Cloud projects

This page shows how to use separate Google Cloud projects for different aspects of GKE on-prem.

The GKE on-prem configuration file has several fields where you can specify a Google Cloud project ID:

...
usercluster:
  usagemetering:
    bigqueryprojectid: ""
...
gkeconnect:
  projectid: ""
...
stackdriver:
  projectid: ""
...
cloudauditlogging:
  projectid: ""

The idea is that you can have one project for connecting to GKE on-prem, another project for logging and monitoring, and so on.

You do not have to use separate project IDs. For example, you could use the same project for both connecting and logging. If you like, you can use the same project for everything.

Usage metering project

If you enable GKE usage metering for a user cluster, GKE on-prem stores usage data in a BigQuery dataset that is associated with a Google Cloud project of your choice.

In your GKE on-prem configuration file, set usercluster.usagemetering.bigqueryprojectid to the ID of the Google Cloud project where you want to store usage data.

Enabling APIs in your usage metering project

To enable the required APIs in your usage metering project:

Linux and macOS

gcloud services enable --project [PROJECT_ID] \
    bigquery.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your usage metering project.

Windows

gcloud services enable --project [PROJECT_ID] ^
    bigquery.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your usage metering project.

Granting roles to service accounts on your usage metering project

Your usage metering service account must be granted certain roles on your usage metering project.

For details, see usage metering service account.

Connect project

When you create a user cluster, GKE on-prem uses Connect to register the cluster with a Google Cloud project of your choice. After the cluster is registered, you can use Google Cloud console to manage the cluster.

Connect uses a Deployment called the Connect Agent to establish a connection between your GKE on-prem cluster and your Google Cloud project.

In the GKE on-prem configuration file, set gkeconnect.projectid to the ID of the Google Cloud project where you want your cluster to be registered.

Enabling APIs in your connect project

To enable the required APIs in your connect project:

Linux and macOS

gcloud services enable --project [PROJECT_ID] \
    cloudresourcemanager.googleapis.com \
    container.googleapis.com \
    gkeconnect.googleapis.com \
    gkehub.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com

where [PROJECT_ID] is the ID of your connect project.

Windows

gcloud services enable --project [PROJECT_ID] ^
    cloudresourcemanager.googleapis.com ^
    container.googleapis.com ^
    gkeconnect.googleapis.com ^
    gkehub.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com

where [PROJECT_ID] is the ID of your connect project.

Granting roles to service accounts on your connect project

Your connect-register service account and your connect-agent service account must be granted certain roles on your connect project.

For details, see Connect-register service account and Connect-agent service account.

Logging-monitoring project

Cloud Logging and Cloud Monitoring collect data from your GKE on-prem cluster and make it available to Google Cloud. To view logs and metrics from your cluster, you must specify an associated Google Cloud project.

In the GKE on-prem configuration file, set stackdriver.projectid to the ID of the Google Cloud project that you want to associate with logging and monitoring.

Enabling APIs in your logging-monitoring project

To enable the required APIs in your logging-monitoring project:

Linux and macOS

gcloud services enable --project [PROJECT_ID] \
    stackdriver.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your logging-monitoring project.

Windows

gcloud services enable --project [PROJECT_ID] ^
    stackdriver.googleapis.com ^
    monitoring.googleapis.com ^
    logging.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your logging-monitoring project.

Granting roles to service accounts on your logging-monitoring project

Your logging-monitoring service account must be granted certain roles on your logging-monitoring project.

For details, see Logging-monitoring service account.

Audit logging project

If you enable Cloud Audit Logs for GKE on-prem, the audit log entries from your cluster's Kubernetes API server are sent to Google Cloud. You can view the audit log entries in a Google Cloud project of your choice.

In the GKE on-prem configuration file, set cloudauditlogging.projectid to the ID of the Google Cloud project where you want to view audit logs.

Enabling APIs in your audit logging project

To enable the required APIs in your audit logging project:

Linux and macOS

gcloud services enable --project [PROJECT_ID] \
    anthosgke.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your audit logging project.

Windows

gcloud services enable --project [PROJECT_ID] ^
    anthosgke.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your audit logging project.

Granting roles to service accounts on your audit logging project

Your audit logging service account must be granted certain roles on your audit logging project.

For details, see Audit logging service account.

Parent project of your allowlisted service account

To install GKE on-prem, you must have a GKE Enterprise subscription. And if you have a GKE Enterprise subscription, you have already done the following:

  • Created a Google Cloud project.

  • In your Google Cloud project, created a service account and arranged for your service account to be allowlisted. This service account is called your allowlisted service account.

The Google Cloud project where you created your allowlisted service account is called the parent of your allowlisted service account. This project can be the same as one of the projects that you specify in your GKE on-prem configuration file, or it can be different from all of the projects that you specify in your configuration file.

To enable the required APIs for the parent project of your allowlisted service account:

Linux and macOS

gcloud services enable --project [PROJECT_ID] \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of the parent project of your allowlisted service account.

Windows

gcloud services enable --project [PROJECT_ID] ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of the parent project of your allowlisted service account.
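When the same project serves more than one of the roles above (for example, one project for both Connect and logging-monitoring), the APIs that project needs are the union of the per-role lists. The following script, an added example that is not part of this page or of the GKE on-prem tooling, reads the four project ID fields from a configuration file, validates each ID against the published Google Cloud project ID format (6 to 30 lowercase letters, digits and hyphens, starting with a letter and not ending in a hyphen), merges the API lists from the sections above per project, and prints one gcloud services enable command per distinct project. The configuration text and the project IDs in it are constructed for the example; the parser handles only the nested key: value subset of YAML that the fields above use, so it is not a general YAML parser. The parent project of your allowlisted service account is not in the configuration file, so it is not covered here.

```python
import re

# Required APIs per configuration role, taken from the gcloud commands on this page.
REQUIRED_APIS = {
    "usagemetering": ["bigquery.googleapis.com", "serviceusage.googleapis.com",
                      "iam.googleapis.com", "cloudresourcemanager.googleapis.com"],
    "gkeconnect": ["cloudresourcemanager.googleapis.com", "container.googleapis.com",
                   "gkeconnect.googleapis.com", "gkehub.googleapis.com",
                   "serviceusage.googleapis.com", "iam.googleapis.com"],
    "stackdriver": ["stackdriver.googleapis.com", "monitoring.googleapis.com",
                    "logging.googleapis.com", "serviceusage.googleapis.com",
                    "iam.googleapis.com", "cloudresourcemanager.googleapis.com"],
    "cloudauditlogging": ["anthosgke.googleapis.com", "serviceusage.googleapis.com",
                          "iam.googleapis.com", "cloudresourcemanager.googleapis.com"],
}

# Where each role's project ID lives in the GKE on-prem configuration file.
CONFIG_PATHS = {
    "usagemetering": ("usercluster", "usagemetering", "bigqueryprojectid"),
    "gkeconnect": ("gkeconnect", "projectid"),
    "stackdriver": ("stackdriver", "projectid"),
    "cloudauditlogging": ("cloudauditlogging", "projectid"),
}

# Google Cloud project ID format: 6-30 chars, lowercase letters, digits, hyphens,
# starts with a letter, does not end with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")

# Constructed sample configuration (not a real cluster); the project IDs are made up.
SAMPLE_CONFIG = """\
# constructed sample, not a real configuration
...
usercluster:
  usagemetering:
    bigqueryprojectid: "ops-metering-prod"
...
gkeconnect:
  projectid: "fleet-hub-prod"
...
stackdriver:
  projectid: "fleet-hub-prod"
...
cloudauditlogging:
  projectid: "Audit_Logs"
"""


def parse_yaml_subset(text):
    """Parse the indentation-nested 'key: value' subset of YAML used by these fields."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip() or line.strip() == "...":  # skip blanks and '...'
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unsupported line: {raw!r}")
        while indent <= stack[-1][0]:  # climb back to the enclosing mapping
            stack.pop()
        parent = stack[-1][1]
        if value.strip() == "":  # 'key:' opens a nested mapping
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:  # scalar; strip surrounding quotes so "" becomes an empty string
            parent[key] = value.strip().strip('"').strip("'")
    return root


def lookup(config, path):
    """Return the scalar at a nested key path, or None if absent."""
    node = config
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node if isinstance(node, str) else None


def plan_api_enablement(config_text):
    """Group roles by project and merge their required APIs.

    Returns (plan, unset, invalid): plan maps project ID -> {"roles", "apis"},
    unset lists roles with no project ID, invalid lists malformed project IDs.
    """
    config = parse_yaml_subset(config_text)
    plan, unset, invalid = {}, [], []
    for role, path in CONFIG_PATHS.items():
        project = lookup(config, path)
        field = ".".join(path)
        if not project:
            unset.append(f"{field} is empty; {role} is not configured")
            continue
        if not PROJECT_ID_RE.match(project):
            invalid.append(f"{field} = {project!r} is not a valid project ID")
            continue
        entry = plan.setdefault(project, {"roles": [], "apis": set()})
        entry["roles"].append(role)
        entry["apis"].update(REQUIRED_APIS[role])
    return plan, unset, invalid


def gcloud_commands(plan):
    """One 'gcloud services enable' command per project, APIs de-duplicated and sorted."""
    return [f"gcloud services enable --project {project} "
            + " ".join(sorted(plan[project]["apis"]))
            for project in sorted(plan)]


if __name__ == "__main__":
    plan, unset, invalid = plan_api_enablement(SAMPLE_CONFIG)
    for problem in unset + invalid:
        print("WARNING:", problem)
    for project in sorted(plan):
        print(f"# {project}: roles {', '.join(plan[project]['roles'])}")
    print("\n".join(gcloud_commands(plan)))
```

Running it against the sample prints one command for fleet-hub-prod that carries the nine distinct APIs of the Connect and logging-monitoring lists combined, one command for ops-metering-prod, and a warning that "Audit_Logs" is not a valid project ID (uppercase letters and underscores are not allowed). Review the printed commands before running them, since enabling an API is a project-level change.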

What's next

Learn about service accounts and keys for GKE on-prem.