This document shows how to use separate Google Cloud projects for different aspects of Google Distributed Cloud.
The instructions here are complete. For a shorter introduction to using a Google Cloud project, see Google Cloud project (quickstart).
Before you begin
Cluster configuration files
The admin cluster and user cluster configuration files have several fields where you can specify a Google Cloud project ID:
stackdriver: projectID: "" ... gkeConnect: projectID: "" ... usageMetering: bigQueryProjectID: "" ... cloudAuditLogging: projectID: ""
The idea is that you can have one project for managing your cluster from the Google Cloud console, another project for viewing logs and metrics, and so on. The one exception is that your audit logging project must be the same as your connect project.
You do not have to use separate project IDs. For example, you could use the same project for both managing and logging. If you like, you can use the same project for everything.
Enabling services in a Google Cloud project
Each of your Google Cloud projects must have certain services enabled. For example, your connect project must have these services enabled:
cloudresourcemanager.googleapis.com container.googleapis.com gkeconnect.googleapis.com gkehub.googleapis.com serviceusage.googleapis.com iam.googleapis.com
To enable services in a project, you must have certain permissions on the
Google Cloud project. For details, see the required permissions for
services.enable
in Access control.
If you have the required permissions, you can enable the services yourself. Otherwise, someone else in your organization must enable the services for you.
Connect project
When you create a user cluster, Google Distributed Cloud uses Connect to register the cluster with a Google Cloud project of your choice. After your cluster is registered, you can view and manage your cluster in this project in the Google Cloud console.
Connect uses a Deployment called the Connect Agent to establish a connection between your user cluster and your Google Cloud project.
In your user cluster configuration file, set gkecConnect.projectID
to
the ID of the Google Cloud project where you want to view and manage your
cluster.
Enabling APIs in your connect project
To enable the required APIs in your connect project:
Linux and macOS
gcloud services enable --project [PROJECT_ID] \ cloudresourcemanager.googleapis.com \ container.googleapis.com \ gkeconnect.googleapis.com \ gkehub.googleapis.com \ serviceusage.googleapis.com \ iam.googleapis.com
where [PROJECT_ID] is the ID of your connect project.
Windows
gcloud services enable --project [PROJECT_ID] ^ cloudresourcemanager.googleapis.com ^ container.googleapis.com ^ gkeconnect.googleapis.com ^ gkehub.googleapis.com ^ serviceusage.googleapis.com ^ iam.googleapis.com ^ cloudresourcemanager.googleapis.com
where [PROJECT_ID] is the ID of your connect project.
Granting roles to service accounts on your connect project
Your connect-register service account and your connect-agent service account must be granted certain roles on your connect project.
For details see Connect-register service account and Connect-agent service account.
Logging-monitoring project
In a user cluster, logging and metrics agents collect data and make it available to Cloud Logging and Cloud Monitoring. To view logs and metrics from your cluster, you must specify an associated Google Cloud project.
In your user cluster configuration file, set stackdriver.projectID
to
the ID of the Google Cloud project that you want to associate with logging
and monitoring. This is the project where you will view the cluster's logs and
metrics.
Enabling APIs in your logging-monitoring project
To enable the required APIs in your logging-monitoring project:
Linux and macOS
gcloud services enable --project [PROJECT_ID] \ stackdriver.googleapis.com \ monitoring.googleapis.com \ logging.googleapis.com \ serviceusage.googleapis.com \ iam.googleapis.com \ cloudresourcemanager.googleapis.com
where [PROJECT_ID] is the ID of your logging-monitoring project.
Windows
gcloud services enable --project [PROJECT_ID] ^ stackdriver.googleapis.com ^ monitoring.googleapis.com ^ logging.googleapis.com ^ serviceusage.googleapis.com ^ iam.googleapis.com ^ cloudresourcemanager.googleapis.com
where [PROJECT_ID] is the ID of your logging-monitoring project.
Granting roles to service accounts on your logging-monitoring project
Your logging-monitoring service account must be granted certain roles on your logging-monitoring project.
For details, see Logging-monitoring service account.
Audit logging project
If you enable Cloud Audit Logs for a cluster, the audit log entries from the cluster's Kubernetes API server are sent to Google Cloud.
The project where your view audit logs is called your audit logging project. Your audit logging project must be the same as your connect project.
In the cluster configuration file, set
cloudAuditLogging.projectID
to the ID of your connect project.
Enabling APIs in your audit logging project
To enable the required APIs in your audit logging project:
Linux and macOS
gcloud services enable --project [PROJECT_ID] \ anthosgke.googleapis.com \ anthosaudit.googleapis.com \ serviceusage.googleapis.com \ iam.googleapis.com \ cloudresourcemanager.googleapis.com
where [PROJECT_ID] is the ID of your audit logging project.
Windows
gcloud services enable --project [PROJECT_ID] ^ anthosgke.googleapis.com ^ anthosaudit.googleapis.com ^ serviceusage.googleapis.com ^ iam.googleapis.com ^ cloudresourcemanager.googleapis.com
where [PROJECT_ID] is the ID of your audit logging project.
Granting roles to service accounts on your audit logging project
Your audit logging service account must be granted certain roles on your audit logging project.
For details, see Audit logging service account.
Parent project of your component access service account
Before you create a cluster, you must have a service account that Google Distributed Cloud can use to download components from Container Registry. This service account is called your component access service account.
The Google Cloud project where you created your component access service account is called the parent of your component access service account. This project can be the same as one of the projects that you specify in your cluster configuration files, or it can be different from all of the projects that you specify in your configuration files. For more information about service accounts and parent projects see Understanding service accounts and Google Cloud projects.
To enable the required APIs for the parent project of your component access service account:
Linux and macOS
gcloud services enable --project [PROJECT_ID] \ serviceusage.googleapis.com \ iam.googleapis.com \ cloudresourcemanager.googleapis.com
where [PROJECT_ID] is the ID of the parent project of your component access service account.
Windows
gcloud services enable --project [PROJECT_ID] ^ serviceusage.googleapis.com ^ iam.googleapis.com ^ cloudresourcemanager.googleapis.com
where [PROJECT_ID] is the ID of the parent project of your component access service account.
Usage metering project
If you enable GKE usage metering for a user cluster, Google Distributed Cloud stores usage data in a BigQuery dataset that is associated with a Google Cloud project of your choice.
In your
user cluster configuration file,
set usageMetering.bigQueryProjectID
to the ID of the Google Cloud project
where you want to store usage data.
Enabling APIs in your usage metering project
To enable the required APIs in your usage metering project:
Linux and macOS
gcloud services enable --project [PROJECT_ID] \ bigquery.googleapis.com \ serviceusage.googleapis.com \ iam.googleapis.com \ cloudresourcemanager.googleapis.com
where [PROJECT_ID] is the ID of your usage metering project.
Windows
gcloud services enable --project [PROJECT_ID] ^ bigquery.googleapis.com ^ serviceusage.googleapis.com ^ iam.googleapis.com ^ cloudresourcemanager.googleapis.com
where [PROJECT_ID] is the ID of your usage metering project.
Granting roles to service accounts on your usage metering project
Your usage metering service account must be granted certain roles on your usage metering project.
For details see usage metering service account.
What's next
Create service accounts and keys.