Setting up Anthos attached clusters

This page shows you how to attach conformant Kubernetes clusters to Anthos. Attaching clusters lets you view your existing Kubernetes clusters in the Google Cloud Console along with your Anthos clusters, and enable a subset of Anthos features on them, including configuration with Anthos Config Management.

Prerequisites

You can attach any conformant Kubernetes cluster to Anthos and view it in the Cloud Console with your Anthos clusters.

The following cluster types and versions have been validated by Google, including the use of additional supported Anthos features:

  • Amazon Elastic Kubernetes Service (Amazon EKS) on Kubernetes versions 1.18, 1.19, 1.20
  • Microsoft Azure Kubernetes Service (Microsoft AKS) on Kubernetes versions 1.18, 1.19, 1.20
  • Red Hat OpenShift Kubernetes Engine (OKE) version 4.6, 4.7
  • Red Hat OpenShift Container Platform (OCP) version 4.6, 4.7
  • Rancher Kubernetes Engine (RKE) version 1.2.4, 1.2.5, 1.2.6
  • KIND version 0.10

Before you start

  1. Sign in to your Google Cloud account. If you're new to Google Cloud, create an account to evaluate how our products perform in real-world scenarios. New customers also get $300 in free credits to run, test, and deploy workloads.

  2. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  3. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  4. Enable the Anthos API.

    Enable the API

  5. Install and initialize the Cloud SDK.

  6. In the Google Cloud Console, on the project selector page, select or create a Google Cloud project.

    Go to project selector

  7. Make sure that billing is enabled for your Cloud project. Learn how to confirm that billing is enabled for your project.

  8. Enable the Anthos API.

    Enable the API

  9. Install and initialize the Cloud SDK.
  10. Check the Connect prerequisites to ensure that you have the relevant permissions and enabled APIs to register a cluster. See the Attached cluster prerequisites section for any special setup steps you may need for your cluster type.

Registering attached clusters

You must register all clusters that you want to use with Anthos with your project's fleet. A fleet (formerly known as an environ) provides a unified way to view and manage multiple clusters and their workloads as part of Google Cloud. You can find out more about fleets and the functionality that they enable in our Fleets guide.

After you have registered clusters in your Anthos project, you can browse and manage all your registered clusters through the Anthos Clusters page in the Cloud Console. You are entitled to enable and use Anthos features on these clusters, and you can enable some Anthos features across your fleet from the Anthos Features page. Anthos charges apply only to your registered clusters.

Set up identity

All attached clusters require an identity for the Connect Agent to use when authenticating to Google. If your cluster meets the requirements, you can register it with fleet Workload Identity enabled for authentication. Clusters with this feature enabled use identities from the fleet-wide fleet workload identity pool. You can find out more about fleet Workload Identity in About fleet Workload Identity.

If you can't use fleet Workload Identity, registering an attached cluster requires a Google Cloud service account for authentication. We recommend creating a new service account for each cluster you want to attach. To create a service account for a cluster with the appropriate roles, follow the instructions in Creating a Google Cloud service account with gcloud. After you have created your service account, you can use the JSON file with the service account's credentials (key file) to register your cluster, as described in the next section.

Register your cluster

gcloud

Run the following command:

 gcloud container hub memberships register MEMBERSHIP_NAME \
   --context=KUBECONFIG_CONTEXT \
   --kubeconfig=KUBECONFIG_PATH \
   --service-account-key-file=SERVICE_ACCOUNT_KEY_PATH

Replace the following:

  • MEMBERSHIP_NAME: the membership name that you choose and that is used to uniquely represent the cluster being registered to the fleet.
  • SERVICE_ACCOUNT_KEY_PATH: the local filepath to the service account's private key JSON file downloaded as part of Prerequisites. This service account key is stored as a secret named creds-gcp in the gke-connect namespace.
  • KUBECONFIG_CONTEXT: the cluster context of the cluster being registered as it appears in the kubeconfig file. You can get this value from the command line by running kubectl config current-context.
  • KUBECONFIG_PATH: the local filepath where your kubeconfig containing an entry for the cluster being registered is stored. This defaults to $KUBECONFIG if that environment variable is set; otherwise, this defaults to $HOME/.kube/config.

Register an attached cluster with fleet Workload Identity

To register an attached cluster with fleet Workload Identity enabled, run one of the following commands. For more information on which attached cluster types can use this feature and any additional requirements, see Attached cluster prerequisites.

kind, OpenShift clusters:

 gcloud container hub memberships register MEMBERSHIP_NAME \
   --context=KUBECONFIG_CONTEXT \
   --kubeconfig=KUBECONFIG_PATH \
   --enable-workload-identity \
   --has-private-issuer

EKS clusters:

  1. Get the OIDC provider URL for your cluster and ensure it is publicly visible. If no provider exists, follow the instructions in Create an IAM OIDC provider for your cluster then run the command again.

    aws eks describe-cluster --name MEMBERSHIP_NAME --query "cluster.identity.oidc.issuer" --output text

  2. Run the following command, replacing OIDC_URL with the URL returned by the previous command:

     gcloud container hub memberships register MEMBERSHIP_NAME \
  --context=KUBECONFIG_CONTEXT \
  --kubeconfig=KUBECONFIG_PATH \
  --enable-workload-identity \
  --public-issuer-url=OIDC_URL

Console

Generate a registration command

You can use the Cloud Console to help generate a gcloud registration command to register your cluster (with a service account only).

To register a cluster:

  1. In the Google Cloud Console, go to the Anthos Clusters page. This page shows all your registered clusters.

    Go to the Anthos Clusters page

  2. Click Register existing cluster.

  3. Click Add external cluster.

  4. Enter the name of the cluster that you want to register in the Cluster name field.

  5. Optional: Add Google Cloud labels to your cluster.

  6. Click Generate registration command.

  7. In Cloud Shell or wherever you have saved your service account credentials, edit and run the gcloud command that is displayed on the page. You need to specify the following values:

    • The CLUSTER_CONTEXT is the cluster's context as it appears in the kubeconfig file. You can get this value from the command line by running kubectl config current-context.
    • The KUBECONFIG_PATH is the local filepath where your kubeconfig file is stored. This defaults to $KUBECONFIG if that environment variable is set; otherwise, it defaults to $HOME/.kube/config.
    • The LOCAL_KEY_PATH is the path to your service account key file.

    Running this command deploys the Connect Agent in your user cluster. When the Connect Agent connects to Google Cloud and your cluster is registered, a success message is displayed on the page.

  8. Click Set labels, or click Skip if you didn't set any labels.

Enabling Anthos features on attached clusters

After you register your clusters, you can enable available Anthos features on them for your applications. These features are supported only on our validated cluster types. You can see the current feature versions supported on these types in Version and upgrade support.

The following guides show you how to enable supported features on your clusters:

For complete documentation sets for all Anthos components, including tutorials, reference material, and more, see Anthos components.

Accessing attached clusters

After you register an attached cluster, it appears in the GKE and Anthos clusters pages in the Google Cloud Console. However, to see more details such as nodes and workloads, you need to log in and authenticate to the cluster. To log in to your attached clusters from the Cloud Console, follow the instructions in Logging in to clusters from the Cloud Console.

To access attached clusters from the command line, see Connecting to registered clusters with the Connect gateway.

To authenticate to attached clusters using your existing third-party identity provider (EKS on AWS clusters only, preview feature), see Setting up Anthos Identity Service for a fleet and Accessing clusters with Anthos Identity Service.

What's next?