When you register a cluster outside Google Cloud to your fleet, Google Cloud uses a Deployment called the Connect Agent to establish a connection between the cluster and your Google Cloud project, and to handle Kubernetes requests.
This enables access to cluster and to workload management features in Google Cloud, including a unified user interface, console, to interact with your cluster.
If your network is configured to allow outbound requests, you can configure the Connect Agent to traverse NATs, egress proxies, and firewalls to establish a long-lived, encrypted connection between your cluster's Kubernetes API server and your Google Cloud project. Once this connection is enabled, you can use your own credentials to log back into your clusters and access details about their Kubernetes resources. This effectively replicates the UI experience that is otherwise only available to GKE clusters.
After the connection is established, the Connect Agent software can exchange account credentials, technical details, and metadata about connected infrastructure and workloads necessary to manage them with Google Cloud, including the details of resources, applications, and hardware.
This cluster service data is associated with your Google Cloud project and account. Google uses this data to maintain a control plane between your cluster and Google Cloud, to provide you with any Google Cloud services and features you request, including facilitating support, billing, providing updates, and to measure and improve the reliability, quality, capacity, and functionality of Connect and Google Cloud services available through Connect.
You remain in control of what data is sent through Connect: your Kubernetes API server performs authentication, authorization, and audit logging on all requests via Connect. Google and users can access data or APIs via Connect after they have been authorized by the cluster administrator (for example, via RBAC); the cluster administrator can revoke that authorization.
Connect IAM roles
Identity and Access Management (IAM) allows users, groups, and service accounts to access Google Cloud APIs and to perform tasks within Google Cloud products.
You need to provide specific IAM roles to launch the Connect Agent and interact with your cluster using the Google Cloud console or Google Cloud CLI. These roles do not allow direct access to connected clusters.
Some of these roles allow you to access information about clusters, including:
- Cluster names
- Public keys
- IP addresses
- Identity providers
- Kubernetes versions
- Cluster size
- Other cluster metadata
Connect uses the following IAM roles:
|Role name||Role title||Description||Permissions|
||Hub Editor||Provides edit access to GKE Hub resources.||
Permissions for Google Cloud
Permissions for Hub
||Hub Viewer||Provide read-only access to Hub and related resources.||
Permissions for Google Cloud
Permissions for Hub
||GKE Connect Agent||Provides ability to establish new connections between external clusters and Google.||gkehub.endpoints.connect|
Logging in using Connect
Google Cloud provides multiple options for signing in to registered clusters from the Google Cloud console. Your available options depend on how your cluster admin has configured authentication:
- If the cluster has been set up to use the Connect gateway, you can log in using your Google Cloud identity, just like you do with GKE clusters on Google Cloud.
- If the cluster has been set up to use Anthos Identity Service with an OpenID Connect (OIDC) provider such as ADFS or Okta, or an LDAP provider, you can log in using an identity from that provider.
- You can log in using a bearer token. Many kinds of bearer tokens, as specified in Kubernetes Authentication, are supported. The easiest method is to create a Kubernetes service account (KSA) in the cluster, and use its bearer token to log in.
You can find out more about using these options in Log in to clusters from the console.
Authorization checks are performed by the cluster's API server against the identity you use when you authenticate via Google Cloud console.
All accounts logging in to a cluster need to hold at least the following Kubernetes RBAC roles in the cluster:
These roles provide read-only access to a cluster and details about their nodes. The roles do not provide access to all resources, so some features of Google Cloud console may not be available; for instance, these roles do not allow access to Kubernetes Secrets or to Pod logs.
Accounts can be granted other RBAC permissions, such as via
cluster-admin, to do more within the cluster. For more information, see the
Accesses via the Google Cloud console are audit logged on the cluster's API server.
Resource usage and requirements
Typically the Connect agent installed at registration uses 500m of CPU and 200Mi of memory. However, this usage can vary depending on the number of requests being made to the agent per second, and the size of those requests. These can be affected by a number of factors, including the size of the cluster, the number of users accessing the cluster via the console (the more users and/or workloads, the more requests), and the number of fleet-enabled features on the cluster.