Anthos shared responsibility

Running a business-critical application on Anthos requires multiple parties to carry different responsibilities. While not an exhaustive list, this topic lists the roles and responsibilities for each Anthos clusters product for both Google and the customer.

GKE on Google Cloud

Google's responsibilities

Customer's responsibilities

  • Maintain your workloads, including your application code, build files, container images, data, Role-based access control (RBAC)/IAM policy, and containers and pods that you are running.
  • Enroll clusters in auto-upgrade (default) or upgrade clusters to supported versions.
  • Monitor the cluster and applications and respond to any alerts and incidents.
  • Provide Google with environmental details when requested for troubleshooting purposes.

Anthos clusters on VMware (GKE on-prem)

Google's responsibilities

  • Maintain and distribute the Anthos clusters on VMware software package including Kubernetes, vCenter and F5 controllers, Ingress controller, Connect, Logging, and Monitoring agents, and the gkectl command line tool.

  • Maintain and distribute the Ubuntu admin workstation and node machine images including regular patching and security fixes.

  • Continually scan components with the Container Analysis API and patch known vulnerabilities.

  • Notify users of available upgrades for Anthos clusters on VMware, and produce upgrade scripts for the previous version. Anthos clusters on VMware supports sequential upgrades only (1.2 → 1.3 → 1.4 only and not 1.2 → 1.4).

  • Provide Google Cloud integrations for Connect and Google Cloud's operations suite.

  • Troubleshoot, provide workarounds, and correct the root cause of any issues related to Google-provided components.

Customer's responsibilities

  • Provide overall system administration for on-premises clusters.

  • Maintain your workloads, including your application code, build files, container images, data, Role-based access control (RBAC)/IAM policy, and containers and pods that you are running.

  • Operate, maintain, and patch infrastructure, including networks, servers, storage, and connectivity to Google Cloud.

  • Operate, maintain, and patch vSphere and network load balancers.

  • Maintain support contracts with VMware and F5 (if deployed).

  • Upgrade Anthos clusters on VMware to a supported version on a regular basis.

  • Deploy and test your workloads on updated node machine images. Deploy and test updated admin workstation images in your environment. Raise concerns to Google through Cloud Customer Care.

  • Monitor clusters and applications and respond to any incidents.

  • Ensure Logging and Monitoring agents are deployed to clusters. Without logs, support is available on a best-effort basis.

  • Provide Google with environmental details (for example, network configuration) when requested for troubleshooting purposes.

Anthos clusters on bare metal

Google's responsibilities

  • Maintain and distribute the Anthos clusters on bare metal software package including Kubernetes, Ingress controller, Connect, Logging, and Monitoring agents, and the bmctl command line tool.

  • Continually scan components with the Container Analysis API and patch known vulnerabilities.

  • Notify users of available upgrades for Anthos clusters on bare metal, and produce upgrade instructions for the previous version; Anthos clusters on bare metal supports sequential upgrades between minor versions and patch releases (1.2 → 1.3 → 1.4 only and not 1.2 → 1.4).

  • Provide Google Cloud integrations for Connect and Google Cloud's operations suite.

  • Troubleshoot, provide workarounds, and correct the root cause of any issues related to Google-provided components.

Customer's responsibilities

  • Provide overall system administration for clusters.

  • Maintain your workloads, including your application code, build files, container images, data, RBAC/IAM policy, and containers and pods that you are running.

  • Operate, maintain, and patch infrastructure, including networks, servers, storage, and connectivity to Google Cloud.

  • Maintain support contracts with vendors.

  • Upgrade Anthos clusters on bare metal to a supported version on a regular basis.

  • Deploy and test your workloads on updated node machine images. Deploy and test updated admin workstation images in your environment. Raise concerns to Google through Cloud Customer Care.

  • Monitor clusters and applications and respond to any incidents.

  • Ensure Logging and Monitoring agents are deployed to clusters. Without logs, support is available on a best-effort basis.

  • Provide Google with environmental details (for example, network configuration) when requested for troubleshooting purposes.

Anthos clusters on AWS (GKE on AWS) (multi-cloud)

Google's responsibilities

  • Maintain and distribute the Anthos clusters on AWS software package including Kubernetes, base images, the AWS integration features, the Ingress controller, the Connect agent, and the anthos-gke command line tool.

  • Continually scan components with the Container Analysis API and patch known vulnerabilities.

  • Maintain and distribute the management service, control plane, and node pool machine images, including regular patching and security fixes.

  • Notify users of available upgrades for Anthos clusters on AWS, and produce upgrade instructions for the previous version. Anthos clusters on AWS supports sequential upgrades only (1.2 → 1.3 → 1.4 only and not 1.2 → 1.4).

  • Provide Google Cloud integrations for Connect and Google Cloud's operations suite.

  • Troubleshoot, provide workarounds, and correct the root cause of any issues related to Google-provided components.

Customer's responsibilities

  • Provide overall system administration for Anthos clusters on AWS clusters, for example, configuring them to work within the corporate VPC environment.

  • Maintain your workloads, including your application code, build files, container images, data, RBAC/IAM policy, and containers and pods that you are running.

  • Operate and maintain the AWS environment, including networking configuration and connectivity to Google Cloud.

  • Maintain support contracts with AWS.

  • Upgrade Anthos clusters on AWS to a supported version on a regular basis.

  • Monitor clusters and applications and respond to any incidents.

  • Ensure Logging and Monitoring agents are deployed to clusters. Without logs, support is available on a best-effort basis.

  • Provide Google with environmental details (for example, AWS VPC configuration) when requested for troubleshooting purposes.

Anthos attached clusters

Google's responsibilities

  • Provide a list of supported Kubernetes distributions and versions.

  • Notify users of available upgrades for Anthos components, and produce upgrade instructions for the previous version. Anthos supports sequential upgrades only (1.2 → 1.3 → 1.4 only and not 1.2 → 1.4).

  • Provide Google Cloud integrations for Connect and Google Cloud's operations suite.

  • Troubleshoot, provide workarounds, and correct the root cause of any issues related to Google-provided components.

Customer's responsibilities

  • Provide a modern Kubernetes platform that meets Google's specifications. The platform includes, but is not limited to: hardware, OS, Kubernetes API server, VPC configuration, and other attributes.

  • Maintain your workloads, including your application code, build files, container images, data, RBAC/IAM policy, and containers and pods that you are running.

  • Operate, maintain, and patch infrastructure, including networks, servers, storage, and connectivity to Google Cloud.

  • Operate, maintain, and patch any infrastructure needed to run the cluster.

  • Maintain support contracts with third parties. For example: networking, container orchestration, computing resource, and storage vendors.

  • Upgrade Kubernetes to a supported version on a regular basis.

  • Monitor clusters and applications and respond to any incidents.

  • Keep your clusters connected to Google services.

  • Provide Google with environmental details (for example, network configuration) when requested for troubleshooting purposes.
