Work with clusters from the Google Cloud console

After they have been added to your fleet, all clusters appear in the Google Cloud console. The Google Cloud console offers a central user interface for managing all your Kubernetes clusters and their resources, no matter where they are running. All your resources are shown in a single dashboard, and it's easy to get visibility into your workloads across multiple Kubernetes clusters.

For GKE clusters on Google Cloud, you don't need to do anything else to see cluster details such as nodes and workloads, provided you have been granted the relevant permissions. You can find out more about working with Google Cloud clusters in the Google Cloud console in the GKE documentation.

However, if your fleet includes clusters outside Google Cloud, your platform administrator needs to set up authentication so that you can log in to these clusters and view their details in the Google Cloud console. You need to know which authentication method your platform administrator has set up so that you can log in to the Google Cloud console. Ask your platform administrator which of the following authentication methods have been configured:

• Google identity
• Anthos Identity Service with OIDC
• Bearer token

Required roles

If you are not a project owner, you must have the following Identity and Access Management roles at minimum to view clusters in the Google Cloud console:

• roles/container.viewer. This role lets users view the GKE Clusters page and other container resources in the Google Cloud console. For details about the permissions included in this role, or to grant a role with read/write permissions, see Kubernetes Engine roles in the IAM documentation.

• roles/gkehub.viewer. This role lets users view clusters outside Google Cloud in the Google Cloud console. For details about the permissions included in this role, or to grant a role with read/write permissions, see GKE Hub roles in the IAM documentation.

View registered clusters

After you register a cluster to your project fleet, it appears in the Google Cloud console in the GKE Clusters list and (if you have enabled the entire Anthos platform) in the Anthos Clusters list. However, to see more details such as nodes and workloads for any cluster outside Google Cloud, you need to log in and authenticate to the cluster. Clusters that require login show an orange warning triangle and prompt you to log in. The following example shows the GKE Clusters page with two clusters outside Google Cloud that require login.

After you log in to an Anthos cluster, you can select the cluster and view cluster details, just like a GKE on Google Cloud cluster.

Log in using your Google Cloud identity

If your cluster is configured to use your Google Cloud identity, follow these steps to log in:

1. In the Google Cloud console, either:

   • In the GKE Clusters page, click more_vert Actions next to the registered cluster, then click Login.

     Go to GKE Clusters

   or:

   • In the Anthos Clusters page, select the cluster you want to log in to in the list of clusters, then click Login in the information panel that displays.

     Go to Anthos Clusters

2. Select Use your Google identity to log in.

3. Click Login.

Log in using OpenID Connect (OIDC)

If your cluster is configured to use an OIDC identity provider, follow these steps to log in:

1. In the Google Cloud console, either:

   • In the GKE Clusters page, click more_vertActions next to the registered cluster, then click Login.

     Go to GKE Clusters

   or:

   • In the Anthos Clusters page, select the cluster you want to log in to in the list of clusters, then click Login in the information panel that displays.

     Go to Anthos Clusters

2. Select Authenticate with identity provider configured for the cluster. You are redirected to your identity provider, where you might need to log in or consent to the Google Cloud console accessing your account.

3. Click Login.

Log in using a bearer token

If your cluster is configured to use a Kubernetes service account's bearer token, follow these steps:

1. In the Google Cloud console, either:

   • In the GKE Clusters page, click more_vertActions next to the registered cluster, then click Login.

     Go to GKE Clusters

   or:

   • In the Anthos Clusters page, select the cluster you want to log in to in the list of clusters, then click Login in the information panel that displays.

     Go to Anthos Clusters

2. Select Token, and then fill in the Token field with the KSA's bearer token.

3. Click Login.

Auditing

Accesses via the Google Cloud console are audit logged on the cluster's API server.

What's next

Learn more about:

• Working with clusters in the Google Cloud console in the GKE documentation
• Viewing cluster status and resource utilization in the Google Cloud console with the Anthos overview
• Setting up authentication to fleet clusters in Secure your fleet

• Connecting to fleet clusters from the command line:

  • Setting up the Connect gateway
  • Accessing clusters with Anthos Identity Service.

• Managing fleet-level features