Manage fleet-level features

Fleets allow you to manage Anthos features (sometimes referred to as Anthos components) across multiple clusters at once. This allows you to, for example, apply a common set of policies or create a single-service mesh across your fleet of clusters. This page provides an overview of how you can manage features for your fleet. For more information about configuring and using individual features, see their documentation.

If you have enabled the entire Anthos platform by enabling the Anthos API, and hence have access to the Anthos pages in the Google Cloud console, you can do some feature management through the console. All fleet users can manage features by using the command line. Some preview feature management commands are available only as part of the beta and alpha Google Cloud SDK components. You may need to install these components to use these commands.

You can learn more about how fleet-level feature management on your clusters works "under the hood" in Feature authorization.

Fleet-level features

You can manage the following features at fleet level:

Note that this list does not include all features that use or require fleets. For example, fleet workload identity relies on clusters being members of a fleet but does not require configuration at fleet level, and Anthos Service Mesh requires fleet membership for all control plane and setup options.

If you have enabled the entire Anthos platform, you are entitled to use all fleet features as part of your Anthos entitlement. If you are a GKE on Google Cloud user who wants to pay for and use available features separately, see the relevant documentation and pricing page for any charges you might incur by using the feature (some features are included in basic GKE pricing). You can find out more about which features are available in which environments in the Deployment Options page.

Configure fleet features

To use a feature at fleet level, you enable the feature for your fleet and then configure it for your fleet members. Some configuration (or other additional setup) is generally required to actually use the feature with your clusters and workloads.

Console

To enable a feature for your fleet:

  1. In your fleet host project, go to the Anthos Features page.
  2. Click ENABLE in the row for the feature you want to enable.
  3. Click the Enable... button in the details panel that displays.

gcloud

Each fleet-level feature has its own enable command. For example, to enable Anthos Service Mesh for your fleet, run the following command in your fleet host project:

gcloud container fleet mesh enable

See the Google Cloud SDK reference documentation (and its beta and alpha equivalents) for a complete list of commands, or the individual feature documentation sets for more details.

The configuration steps you follow next depend on the feature.

View fleet feature status

To view the status of fleet-level features for your fleet, do the following in your fleet host project:

Console

Go to the Anthos Features page. Enabled features are listed as Enabled in the Features list.

If you click the DETAILS button for an enabled feature, a details panel displays showing the status of the feature on your fleet's clusters. For some features, this panel also provides links to configure or update the feature.

gcloud

Run the following command to list all currently enabled features:

gcloud container fleet features list

Disable a fleet-level feature

To disable a feature at fleet level, do the following in your fleet host project.

Console

  1. In your fleet host project, go to the Anthos Features page.
  2. Click DETAILS in the row for the feature you want to disable.
  3. Click the Disable... button in the details panel that displays.

gcloud

Each fleet-level feature has its own disable command. For example, to disable Anthos Service Mesh for your fleet, run the following command in your fleet host project:

gcloud container fleet mesh disable

See the Google Cloud SDK reference documentation (and its beta and alpha equivalents) for a complete list of commands, or the individual feature documentation sets for more details.

See the relevant feature documentation for expected behavior after you disable a feature for your fleet. In many cases the relevant configuration still exists on your cluster but you are no longer able to centrally manage the feature using fleet commands or the Google Cloud console.

Feature authorization

In order to manage features at fleet level, they must be authorized through role-based access control to perform their functions on clusters. Google Cloud uses a service called Feature Authorizer that automatically sets and updates permissions for fleet-enabled features, which saves you from having to set feature permissions manually on every cluster, especially when Google releases feature updates.

When you register a cluster, the manifest applied to the cluster contains a ClusterRoleBinding that gives the Feature Authorizer a cluster-admin role on the cluster, and the role is attached to a service account named service-project-number@gcp-sa-gkehub.iam.gserviceaccount.com.

When you disable a fleet-enabled feature in your project, Feature Authorizer deletes the corresponding ClusterRole and ClusterRoleBinding for the feature, which removes the feature's ability to operate on the cluster.

View Feature Authorizer in audit logs

To view Feature Authorizer activity in Google Kubernetes Engine audit logs:

  1. Open the Logs Explorer in the Google Cloud console.

    Go to the Logs page

  2. Run the following advanced query, replacing the variables:

    resource.type="k8s_cluster"
    resource.labels.cluster_name="cluster-name"
    resource.labels.location="cluster-location"
    protoPayload.authenticationInfo.principalEmail="system:serviceaccount:gke-connect:connect-agent-sa"
    protoPayload.authenticationInfo.authoritySelector="service-project-number@gcp-sa-gkehub.iam.gserviceaccount.com"
    

For non-GKE clusters, find out where the Kubernetes audit logs are stored, and run a similar query.