Anthos clusters on VMware (GKE on-prem) user clusters created using
configured to work with the GKE On-Prem API, which is the
Google Cloud-hosted API that gets enabled automatically when you create user
clusters in the Google Cloud console. In order to use the console to
manage user clusters created using
gkectl, you need to configure the cluster
gkectl enroll cluster command.
The user cluster must meet the following requirements:
- Version 1.11 or higher.
- Registered with a fleet, which is done automatically when the cluster is created as of version 1.8.
If your organization has set up an allowlist that lets traffic from Google APIs and other addresses pass through your proxy server, add the following to the allowlist:
Enroll a user cluster
Create the following service account to authorize
gkectlto enroll the cluster:
gcloud iam service-accounts create enrollment-sa \ --project PROJECT_ID
PROJECT_IDwith the ID of the fleet host project. This must be the same Cloud project that your admin cluster is registered to.
Create a JSON key for your enrollment-sa service account:
gcloud iam service-accounts keys create enrollment-key.json \ --iam-account SERVICE_ACCOUNT_EMAIL
Replace SERVICE_ACCOUNT_EMAIL with the email address of your enrollment-sa service account. It should be of the form:
gkeonprem.adminrole to your enrollment service account:
gcloud projects add-iam-policy-binding PROJECT_ID \ --member "serviceAccount:SERVICE_ACCOUNT_EMAIL" \ --role "roles/gkeonprem.admin"
PROJECT_IDwith the ID of the fleet host project.
Set up your application default credentials to use the enrollment service account. This lets commands use the service account when making requests.
gkectl enroll clustercommand. Replace the following:
- CLUSTER_NAME with the name of the user cluster.
- ADMIN_CLUSTER_KUBECONFIG with the path of your admin
gkectl enroll cluster --cluster-name=CLUSTER_NAME \ --kubeconfig ADMIN_CLUSTER_KUBECONFIG