Google Cloud projects for GKE on VMware

This document shows how to associate one or more Google Cloud projects with a cluster in GKE on VMware.

The instructions here are complete. For a shorter introduction to using a Google Cloud project, see Set up minimal infrastructure.

Before you begin

Install Google Cloud CLI.

Fleet host project

Every admin cluster must be registered to a fleet, and every user cluster managed by an admin cluster must be registered to the same fleet as its admin cluster.

When an admin or user cluster is registered to a fleet, it is associated with a fleet host project. An admin cluster and all the user clusters it manages have the same fleet host project. In the Google Cloud console, in the fleet host project, you can see and manage your admin and user clusters.

Choose a Google Cloud project to serve as your fleet host project. You can choose an existing project, or you can create a new one. Make a note of the project ID. You need the ID of your fleet host project in the steps that follow.

Enable APIs in your fleet host project

In your fleet host project, enable the required APIs:

Linux and macOS

Enable the following APIs in your fleet host project:

gcloud services enable --project FLEET_HOST_PROJECT_ID \
    anthos.googleapis.com \
    container.googleapis.com \
    gkehub.googleapis.com \
    gkeconnect.googleapis.com \
    connectgateway.googleapis.com \
    monitoring.googleapis.com \
    kubernetesmetadata.googleapis.com \
    logging.googleapis.com \
    opsconfigmonitoring.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

If you want to manage the lifecycle of user clusters in the Google Cloud console, the Google Cloud CLI, or Terraform, enable these additional APIs in your fleet host project:

gcloud services enable --project FLEET_HOST_PROJECT_ID \
    gkeonprem.googleapis.com \
    anthosaudit.googleapis.com \
    storage.googleapis.com

Windows

Enable the following APIs in your fleet host project:

gcloud services enable --project FLEET_HOST_PROJECT_ID ^
    anthos.googleapis.com ^
    container.googleapis.com ^
    gkehub.googleapis.com ^
    gkeconnect.googleapis.com ^
    connectgateway.googleapis.com ^
    monitoring.googleapis.com ^
    kubernetesmetadata.googleapis.com ^
    logging.googleapis.com ^
    opsconfigmonitoring.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

If you want to manage the lifecycle of user clusters in the Google Cloud console, the Google Cloud CLI, or Terraform, enable these additional APIs in your fleet host project:

gcloud services enable --project FLEET_HOST_PROJECT_ID ^
    gkeonprem.googleapis.com ^
    anthosaudit.googleapis.com ^
    storage.googleapis.com

Grant roles to service accounts on your fleet host project

Your connect-register service account must be granted certain roles on your fleet host project. For details, see Connect-register service account.

Your logging-monitoring service account must be granted certain roles on your fleet host project. For details, see Logging-monitoring service account.

Your audit logging service account must be granted certain roles on your fleet host project. For details, see Audit logging service account.

Register a cluster to a fleet

You register a cluster to a fleet when you create the cluster. The details of registration depend on what tool you use to create the cluster:

Tool                  How to register
gkectl                Fill in the gkeConnect.projectID field in the cluster configuration file.
Google Cloud console  The cluster is automatically registered. The Google Cloud project that you use to create the cluster becomes the fleet host project.
Terraform             Fill in the project_id field in the .tfvars file.
gcloud CLI            When you call gcloud container vmware clusters create, provide a value for --project.

Usage metering project

If you enable usage metering for a user cluster, GKE on VMware stores usage data in a BigQuery dataset that is associated with a Google Cloud project of your choice. This Google Cloud project is called your usage metering project.

Your usage metering project can be the same as your fleet host project, or it can be different.

If you choose to enable usage metering, enable these APIs in your usage metering project:

Linux and macOS

gcloud services enable --project USAGE_METERING_PROJECT_ID \
    bigquery.googleapis.com \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

Windows

gcloud services enable --project USAGE_METERING_PROJECT_ID ^
    bigquery.googleapis.com ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com

Grant roles to service accounts on your usage metering project

Your usage metering service account must be granted certain roles on your usage metering project. For details, see Usage metering service account.

Parent project of your component access service account

Before you create a cluster, you must have a service account that GKE on VMware can use to download components from Container Registry. This service account is called your component access service account.

The Google Cloud project where you created your component access service account is called the parent of your component access service account. This project can be the same as your fleet host project, or it can be different. For more information about service accounts and parent projects, see Understanding service accounts and Google Cloud projects.

To enable the required APIs for the parent project of your component access service account:

Linux and macOS

gcloud services enable --project PARENT_PROJECT_ID \
    serviceusage.googleapis.com \
    iam.googleapis.com \
    cloudresourcemanager.googleapis.com

Windows

gcloud services enable --project PARENT_PROJECT_ID ^
    serviceusage.googleapis.com ^
    iam.googleapis.com ^
    cloudresourcemanager.googleapis.com
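The commands in this document enable APIs in up to three different projects (the fleet host project, the usage metering project, and the parent project of your component access service account), and the role sections point to separate pages for the roles each service account needs. Drift between what is required and what is actually enabled or granted tends to surface later as a failed fleet registration or missing logs and metrics, so it is worth checking before you create a cluster. The preflight script below is an added example and is not part of the GKE on VMware documentation or tooling. It embeds the API lists from this page, compares them against what gcloud reports as enabled in a project, and can compare a service account's direct role bindings on a project against a role list you supply. The required roles themselves are not listed on this page; take them from the linked service-account pages. The gcloud commands are real; the script, its function names and the ROLES variable are the example's own.

```shell
#!/bin/sh
# Added preflight check (example code, not part of the GKE on VMware docs):
# compares the APIs this page lists for each project with what is enabled,
# and optionally checks that a service account holds a caller-supplied set
# of roles. The gcloud invocations are real; the role list is NOT on this
# page and must come from the linked service-account pages.

# Print the items in a required list ($1) that are absent from a present
# list ($2). Both lists are newline-separated strings; exact-match compare.
missing_items() {
  required=$1
  present=$2
  printf '%s\n' "$required" | while IFS= read -r item; do
    [ -n "$item" ] || continue
    printf '%s\n' "$present" | grep -Fxq -- "$item" || printf '%s\n' "$item"
  done
}

# API lists copied from this page, keyed by the kind of project they apply to.
required_apis() {
  case $1 in
    fleet)
      printf '%s\n' anthos.googleapis.com container.googleapis.com \
        gkehub.googleapis.com gkeconnect.googleapis.com \
        connectgateway.googleapis.com monitoring.googleapis.com \
        kubernetesmetadata.googleapis.com logging.googleapis.com \
        opsconfigmonitoring.googleapis.com serviceusage.googleapis.com \
        iam.googleapis.com cloudresourcemanager.googleapis.com ;;
    lifecycle)  # extra fleet host APIs for console / gcloud / Terraform lifecycle
      printf '%s\n' gkeonprem.googleapis.com anthosaudit.googleapis.com \
        storage.googleapis.com ;;
    metering)   # usage metering project
      printf '%s\n' bigquery.googleapis.com serviceusage.googleapis.com \
        iam.googleapis.com cloudresourcemanager.googleapis.com ;;
    parent)     # parent project of the component access service account
      printf '%s\n' serviceusage.googleapis.com iam.googleapis.com \
        cloudresourcemanager.googleapis.com ;;
    *) echo "unknown project kind: $1" >&2; return 1 ;;
  esac
}

# Enabled services in a project, as bare service names (needs gcloud auth).
enabled_apis() {
  gcloud services list --enabled --project "$1" --format='value(config.name)'
}

# Roles bound directly to a service account on a project's IAM policy.
# Inherited (folder/org) bindings are not visible here.
sa_roles() {
  gcloud projects get-iam-policy "$1" \
    --flatten='bindings[].members' \
    --filter="bindings.members:serviceAccount:$2" \
    --format='value(bindings.role)'
}

# check_apis KIND PROJECT_ID : prints missing APIs, returns 1 if any are missing.
check_apis() {
  missing=$(missing_items "$(required_apis "$1")" "$(enabled_apis "$2")")
  if [ -n "$missing" ]; then
    printf 'Project %s is missing %s APIs:\n%s\n' "$2" "$1" "$missing"
    return 1
  fi
  echo "Project $2: all $1 APIs are enabled"
}

# check_roles PROJECT_ID SA_EMAIL ROLES : ROLES is a newline-separated list
# of roles/... names taken from the relevant service-account page.
check_roles() {
  missing=$(missing_items "$3" "$(sa_roles "$1" "$2")")
  if [ -n "$missing" ]; then
    printf '%s lacks roles on %s:\n%s\n' "$2" "$1" "$missing"
    return 1
  fi
  echo "$2 holds all required roles on $1"
}

# Nothing runs unless a subcommand is given, so the file can also be sourced.
#   sh preflight.sh check fleet FLEET_HOST_PROJECT_ID
#   sh preflight.sh check lifecycle FLEET_HOST_PROJECT_ID
#   ROLES="$(printf 'roles/x\nroles/y')" sh preflight.sh roles PROJECT_ID SA_EMAIL
case ${1-} in
  check) check_apis "$2" "$3" ;;
  roles) check_roles "$2" "$3" "${ROLES:?set ROLES to a newline-separated role list}" ;;
esac
```

Run the `check` subcommand once per project kind against the matching project ID, and `roles` once per service account with the role list from that account's page. A non-zero exit with a printed list is the actionable result; an empty list means the project or account matches what this page and the linked pages require.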

What's next

Create service accounts and keys.