Version 1.3. This version is no longer supported as outlined in the Anthos version support policy. For the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware (GKE on-prem), upgrade to a supported version. You can find the most recent version here.

Updating the Connect Agent using a private registry

This topic explains how to update the Connect Agent if you use a private Docker registry. For information about Connect, see the product's documentation.


If you choose to register a user cluster with Google Cloud Console, a Kubernetes Deployment called the Connect Agent is created in the cluster. The Connect Agent establishes a long-lived, encrypted connection between the cluster and Cloud Console.

Sometimes Google updates the Connect Agent. If you use a private registry with your cluster, follow these instructions to update the Connect Agent.

Pull updated Connect Agent image

Pull the Connect Agent image from and push it into your registry:

docker pull
docker tag \
docker push [PRIVATE_REGISTRY_HOST]/gkeconnect/gkeconnect-gce:release

where [PRIVATE_REGISTRY_HOST] is the hostname or IP address of your private Docker registry.

Update user cluster registration

Update your user cluster's registration to Cloud Console:

gcloud container hub memberships register [USER_CLUSTER_NAME] \
  --context=[CLUSTER_CONTEXT] \
  --service-account-key-file=[CONNECT_SA_KEY_FILE] \
  --kubeconfig=[KUBECONFIG_PATH] \
  --docker-registry=[PRIVATE_REGISTRY_HOST] \
  --docker-credential-file=[DOCKER_CONFIG_PATH] \
  --project=[PROJECT_ID]


  • [USER_CLUSTER_NAME] is the name of a registered user cluster, as it appears in Cloud Console.
  • [CLUSTER_CONTEXT] is the cluster's context as it appears in the kubeconfig file. To get this value, run kubectl config current-context.
  • [CONNECT_SA_KEY_FILE] is the path to the connect service account's JSON key file.
  • [KUBECONFIG_PATH] is the path to the user cluster's kubeconfig.
  • [DOCKER_CONFIG_PATH] is the path to a JSON Docker config file.

    The config.json file you used in the docker commands in the previous section might contain additional, unnecessary credentials. You might prefer to fetch credentials from your cluster, which ensures that you don't inadvertently put additional credentials into your cluster:

    # On BSD systems (like macOS), use base64 -D instead of base64 -d
    kubectl get secret regcred \
      -o jsonpath='{.data.\.dockerconfigjson}' -n gke-connect | \
      base64 -d > [DOCKER_CONFIG_PATH]

    Pass the filepath of the created file as the value of the --docker-credential-file flag, in place of [DOCKER_CONFIG_PATH] above.

  • [PROJECT_ID] is the project ID of the project where the user cluster is registered. To learn how to list all projects in your organization, refer to Listing projects.
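
If you do start from a workstation config.json rather than the cluster secret, the following added example (not part of the original documentation or of any Google tooling) reduces a Docker config to the single `auths` entry for your private registry before you pass it to --docker-credential-file. The function names, the sample registry host and the sample credentials are constructed for illustration.

```python
import base64
import json
from urllib.parse import urlsplit


def registry_host(key: str) -> str:
    """Normalize an `auths` key ("host:5000", "https://host/v1/") to host[:port]."""
    return urlsplit(key if "://" in key else "//" + key).netloc.lower()


def extra_registries(config: dict, keep_host: str) -> list:
    """List `auths` keys whose credentials would be shipped to the cluster needlessly."""
    wanted = registry_host(keep_host)
    return sorted(k for k in config.get("auths", {}) if registry_host(k) != wanted)


def minimize_docker_config(config: dict, keep_host: str) -> dict:
    """Return a config that holds only the `auths` entry for keep_host.

    Top-level keys such as credsStore and credHelpers are dropped: they point at
    helpers on the workstation and carry no usable credential into the cluster.
    """
    wanted = registry_host(keep_host)
    kept = {k: v for k, v in config.get("auths", {}).items()
            if registry_host(k) == wanted}
    if not kept:
        raise ValueError(f"no entry for {wanted} in config")
    if not all(v.get("auth") for v in kept.values()):
        # Entry exists but the secret lives in a credential helper, not the file.
        raise ValueError(f"entry for {wanted} has no inline 'auth' value")
    return {"auths": kept}


# Constructed sample input: a workstation config.json with an unrelated login.
SAMPLE = {
    "auths": {
        "registry.internal.example:5000": {
            "auth": base64.b64encode(b"puller:s3cret").decode()},
        "https://index.docker.io/v1/": {
            "auth": base64.b64encode(b"dev:hunter2").decode()},
    },
    "credsStore": "desktop",
}

if __name__ == "__main__":
    host = "registry.internal.example:5000"
    print("would be exposed:", extra_registries(SAMPLE, host))
    print(json.dumps(minimize_docker_config(SAMPLE, host), indent=2))
```

Write the returned dictionary to a new file with restrictive permissions and use that file's path as [DOCKER_CONFIG_PATH].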