Version 1.6. This version is no longer supported as outlined in the Anthos version support policy. For the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware (GKE on-prem), upgrade to a supported version. You can find the most recent version here.

Using multiple Google Cloud projects

This document shows how to use separate Google Cloud projects for different aspects of Anthos clusters on VMware (GKE on-prem).

The instructions here are complete. For a shorter introduction to using a Cloud project, see Google Cloud project (quickstart).

Before you begin

Install Cloud SDK.

Cluster configuration files

The admin cluster and user cluster configuration files have several fields where you can specify a Cloud project ID:

stackdriver:
  projectID: ""
...
gkeConnect:
  projectID: ""
...
usageMetering:
  bigQueryProjectID: ""
...
cloudAuditLogging:
  projectID: ""

The idea is that you can have one project for managing your cluster from the Google Cloud Console, another project for viewing logs and metrics, and so on. The one exception is that your audit logging project must be the same as your connect project.

You do not have to use separate project IDs. For example, you could use the same project for both managing and logging. If you like, you can use the same project for everything.

Enabling services in a Cloud project

Each of your Cloud projects must have certain services enabled. For example, your connect project must have these services enabled:

cloudresourcemanager.googleapis.com
container.googleapis.com
gkeconnect.googleapis.com
gkehub.googleapis.com
serviceusage.googleapis.com
iam.googleapis.com

To enable services in a project, you must have certain permissions on the Cloud project. For details, see the required permissions for services.enable in Access control.

If you have the required permissions, you can enable the services yourself. Otherwise, someone else in your organization must enable the services for you.

Connect project

When you create a user cluster, Anthos clusters on VMware uses Connect to register the cluster with a Cloud project of your choice. After your cluster is registered, you can view and manage your cluster in this project in the Google Cloud Console.

Connect uses a Deployment called the Connect Agent to establish a connection between your user cluster and your Cloud project.

In your user cluster configuration file, set gkeConnect.projectID to the ID of the Cloud project where you want to view and manage your cluster.

Enabling APIs in your connect project

To enable the required APIs in your connect project:

Linux and macOS

gcloud services enable --project [PROJECT_ID] \
    cloudresourcemanager.googleapis.com \
    container.googleapis.com \
    gkeconnect.googleapis.com \
    gkehub.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com

where [PROJECT_ID] is the ID of your connect project.

Windows

gcloud services enable --project [PROJECT_ID] ^
    cloudresourcemanager.googleapis.com ^
    container.googleapis.com ^
    gkeconnect.googleapis.com ^
    gkehub.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com

where [PROJECT_ID] is the ID of your connect project.

Granting roles to service accounts on your connect project

Your connect-register service account and your connect-agent service account must be granted certain roles on your connect project.

For details, see Connect-register service account and Connect-agent service account.

Logging-monitoring project

In a user cluster, logging and metrics agents collect data and make it available to Cloud Logging and Cloud Monitoring. To view logs and metrics from your cluster, you must specify an associated Cloud project.

In your user cluster configuration file, set stackdriver.projectID to the ID of the Cloud project that you want to associate with logging and monitoring. This is the project where you will view the cluster's logs and metrics.

Enabling APIs in your logging-monitoring project

To enable the required APIs in your logging-monitoring project:

Linux and macOS

gcloud services enable --project [PROJECT_ID] \
    stackdriver.googleapis.com \
    monitoring.googleapis.com \
    logging.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your logging-monitoring project.

Windows

gcloud services enable --project [PROJECT_ID] ^
    stackdriver.googleapis.com ^
    monitoring.googleapis.com ^
    logging.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your logging-monitoring project.

Granting roles to service accounts on your logging-monitoring project

Your logging-monitoring service account must be granted certain roles on your logging-monitoring project.

For details, see Logging-monitoring service account.

Audit logging project

If you enable Cloud Audit Logs for a cluster, the audit log entries from the cluster's Kubernetes API server are sent to Google Cloud.

The project where you view audit logs is called your audit logging project. Your audit logging project must be the same as your connect project.

In the cluster configuration file, set cloudAuditLogging.projectID to the ID of your connect project.

Enabling APIs in your audit logging project

To enable the required APIs in your audit logging project:

Linux and macOS

gcloud services enable --project [PROJECT_ID] \
    anthosgke.googleapis.com \
    anthosaudit.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your audit logging project.

Windows

gcloud services enable --project [PROJECT_ID] ^
    anthosgke.googleapis.com ^
    anthosaudit.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your audit logging project.

Granting roles to service accounts on your audit logging project

Your audit logging service account must be granted certain roles on your audit logging project.

For details, see Audit logging service account.

Parent project of your component access service account

Before you create a cluster, you must have a service account that Anthos clusters on VMware can use to download components from Container Registry. This service account is called your component access service account.

The Cloud project where you created your component access service account is called the parent of your component access service account. This project can be the same as one of the projects that you specify in your cluster configuration files, or it can be different from all of the projects that you specify in your configuration files. For more information about service accounts and parent projects see Understanding service accounts and Cloud projects.

To enable the required APIs for the parent project of your component access service account:

Linux and macOS

gcloud services enable --project [PROJECT_ID] \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of the parent project of your component access service account.

Windows

gcloud services enable --project [PROJECT_ID] ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of the parent project of your component access service account.

Usage metering project

If you enable GKE usage metering for a user cluster, Anthos clusters on VMware stores usage data in a BigQuery dataset that is associated with a Cloud project of your choice.

In your user cluster configuration file, set usageMetering.bigQueryProjectID to the ID of the Cloud project where you want to store usage data.

Enabling APIs in your usage metering project

To enable the required APIs in your usage metering project:

Linux and macOS

gcloud services enable --project [PROJECT_ID] \
    bigquery.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your usage metering project.

Windows

gcloud services enable --project [PROJECT_ID] ^
    bigquery.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

where [PROJECT_ID] is the ID of your usage metering project.

Granting roles to service accounts on your usage metering project

Your usage metering service account must be granted certain roles on your usage metering project.

For details, see Usage metering service account.
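A practitioner's pre-flight check that ties the sections above together, written here as an added example rather than anything from the Anthos documentation: when one project serves several roles (connect plus audit logging, or logging-monitoring plus usage metering), it needs the union of the API lists, and the audit logging project must equal the connect project. The project IDs are constructed sample values, and the gcloud command in the comment is the assumed way to fetch the live "enabled" list.

```shell
#!/bin/sh
# Added example, not from the Anthos docs: from the project IDs in a cluster
# configuration file, compute the union of APIs each project must have enabled,
# report what is missing, and enforce the audit-logging == connect rule.
set -eu

# API lists per project role, copied from the gcloud commands on this page.
CONNECT_APIS="cloudresourcemanager.googleapis.com container.googleapis.com gkeconnect.googleapis.com gkehub.googleapis.com serviceusage.googleapis.com iam.googleapis.com"
LOGGING_APIS="stackdriver.googleapis.com monitoring.googleapis.com logging.googleapis.com serviceusage.googleapis.com iam.googleapis.com cloudresourcemanager.googleapis.com"
AUDIT_APIS="anthosgke.googleapis.com anthosaudit.googleapis.com serviceusage.googleapis.com iam.googleapis.com cloudresourcemanager.googleapis.com"
USAGE_APIS="bigquery.googleapis.com serviceusage.googleapis.com iam.googleapis.com cloudresourcemanager.googleapis.com"

# Role -> project assignments as they would appear in the config file
# (constructed sample IDs, not real projects).
CONNECT_PROJECT="proj-manage"      # gkeConnect.projectID
STACKDRIVER_PROJECT="proj-observe" # stackdriver.projectID
AUDIT_PROJECT="proj-manage"        # cloudAuditLogging.projectID
USAGE_PROJECT="proj-observe"       # usageMetering.bigQueryProjectID

# Succeeds only when the audit logging project is the connect project.
audit_project_ok() { [ "$AUDIT_PROJECT" = "$CONNECT_PROJECT" ]; }

# required_apis PROJECT: sorted, deduplicated union (one per line) of the
# API lists of every role assigned to PROJECT; empty if it serves no role.
required_apis() {
  p=$1; out=""
  if [ "$CONNECT_PROJECT" = "$p" ]; then out="$out $CONNECT_APIS"; fi
  if [ "$STACKDRIVER_PROJECT" = "$p" ]; then out="$out $LOGGING_APIS"; fi
  if [ "$AUDIT_PROJECT" = "$p" ]; then out="$out $AUDIT_APIS"; fi
  if [ "$USAGE_PROJECT" = "$p" ]; then out="$out $USAGE_APIS"; fi
  [ -n "$out" ] || return 0
  printf '%s\n' $out | sort -u   # unquoted on purpose: one name per line
}

# missing_apis PROJECT "ENABLED_LIST": required APIs absent from the
# space-separated ENABLED_LIST, one per line.
missing_apis() {
  p=$1; enabled=$2
  required_apis "$p" | while read -r api; do
    case " $enabled " in
      *" $api "*) ;;
      *) printf '%s\n' "$api" ;;
    esac
  done
}

# Demo with a constructed "enabled" list. For a live check, replace the literal
# with (assumed gcloud invocation):
#   gcloud services list --enabled --project "$p" --format='value(config.name)' | tr '\n' ' '
audit_project_ok || { echo "cloudAuditLogging.projectID must equal gkeConnect.projectID" >&2; exit 1; }
for p in "$CONNECT_PROJECT" "$STACKDRIVER_PROJECT"; do
  echo "== $p: APIs still to enable"
  missing_apis "$p" "cloudresourcemanager.googleapis.com iam.googleapis.com serviceusage.googleapis.com"
done
```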

What's next

Create service accounts and keys.