Register a GKE cluster to your fleet

This page shows you how to add a GKE cluster on Google Cloud to your fleet. Depending on your project and use case, you can use the Google Cloud console, Terraform, Config Connector, or the Google Cloud CLI for registration.

Before you begin

Ensure that you have followed the general prerequisites for registering a cluster.

Depending on your use case, GKE cluster registrations may also require the following:

If you are registering a cluster with fleet Workload Identity enabled (recommended), ensure GKE Workload Identity is enabled on the cluster.
If you are registering a cluster to a fleet in a different project (also known as cross-project registration), ensure you have set up the necessary permissions.
If you are registering a private cluster with public endpoint access disabled or limited to authorized networks, ensure that the machine on which you want to run the gcloud registration command has access to the cluster's external endpoint, or add the external IP of that machine to the cluster's authorized networks.
If you are registering a cluster by using Terraform or Config Connector, ensure that you have set up a Google Cloud service account for the tool and configured it so that the tool can authenticate to Google Cloud:
- Set up a service account for Terraform
- Set up a service account for Config Connector
If you are registering a cluster by using the Google Cloud CLI, you need to set up an identity for the Connect Agent to use when authenticating to Google Cloud, as the agent is currently installed with all gcloud registrations. This can be Workload Identity, as described above, or you can choose to create a Google service account.

Register your cluster

As you saw in the prerequisites, we recommend registering your GKE clusters with fleet Workload Identity enabled, which provides a consistent way for applications to authenticate to Google Cloud APIs and services. You can find out more about the advantages of enabling fleet Workload Identity in Use fleet Workload Identity. All of the following options allow you to enable fleet Workload Identity if required.

The simplest and quickest way to register a GKE cluster in a project with the Anthos platform enabled is to register it from the Anthos clusters page in the Google Cloud console. Using this approach immediately lets you view your cluster as part of your fleet in the console, and use fleet-enabled features such as Anthos Config Management.

Note: If you choose this option, be aware that registering from the Google Cloud console does not install the Connect Agent on your cluster. Because of this, it does not allow you to use the Connect gateway as this depends on the Connect Agent. If you need to install the Connect Agent on a GKE cluster, follow the instructions below to register a cluster using Google Cloud CLI.
You can create and register a GKE cluster (with or without enabling the entire Anthos platform) by using Terraform or Config Connector.
You can register a GKE cluster (with or without enabling the entire Anthos platform) by using the Google Cloud CLI. Registering by using Google Cloud CLI installs the Connect Agent on your cluster, allowing you to use the Connect gateway to standardize authentication across environments with Google IDs.

To register a GKE cluster:

Console

To register a cluster:

(Optional) If you want your registered cluster to use fleet Workload Identity (recommended), ensure that GKE Workload Identity is enabled on the cluster. Clusters with GKE Workload Identity automatically have fleet Workload Identity enabled when you register them from the Google Cloud console.
In the Google Cloud console, go to the Anthos Clusters page. This page shows all your registered clusters.

Go to the Anthos Clusters page
Click Register existing cluster.
Click Register next to the unregistered cluster that you want to add to your fleet.

Terraform

You can register GKE clusters with Terraform using the google-beta provider. You can find a complete reference for the gke_hub_membership resource used to configure registration in the terraform registry.

Ensure that you have created a service account for Terraform to use as described in the prerequisites before following these instructions.

Register a GKE cluster

To register the cluster, use the following blocks in your configuration.

Specify the google-beta provider as a required provider, as in the following snippet. The version should be above 3.62.0.
```
terraform {
  required_providers {
    google-beta = {
      source = "hashicorp/google-beta"
      version = "3.67.0"
    }
  }
}
```
This provider is required if you want to use gke_hub_membership.
Set the following default values for the provider:
```
provider "google-beta" {
  credentials = file("SERVICE_ACCOUNT_KEY_PATH")
  project = "PROJECT_ID"
}
```
Replace the following:
- SERVICE_ACCOUNT_KEY_PATH: the local filepath to the service account's private key JSON file downloaded as part of Prerequisites. This service account key is stored as a secret named creds-gcp in the gke-connect namespace. This service account key enables Terraform to access your Google Cloud account.
- PROJECT_ID: the default project that you choose to provision your Terraform resources.
Create a GKE cluster (optional)

If you want to register an existing cluster, skip this step.
```
resource "google_container_cluster" "TF_CLUSTER_RESOURCE_NAME" {
  provider = google-beta
  name               = "CLUSTER_NAME"
  location           = "ZONE"
  initial_node_count = 1
}
```
Replace the following:
- TF_CLUSTER_RESOURCE_NAME: the name that you choose to uniquely identify the Terraform google_container_cluster resource created by this block.
- CLUSTER_NAME: the name that you choose to uniquely represent the cluster you created.
- ZONE: the default zone that you choose to provision your GKE cluster resource. For example: us-central1-a.
Register a membership for the GKE cluster.
```
resource "google_gke_hub_membership" "TF_MEMBERSHIP_RESOURCE_NAME" {
  provider = google-beta
  project = "FLEET_PROJECT_ID"
  membership_id = "MEMBERSHIP_NAME"
  endpoint {
    gke_cluster {
     resource_link = "//container.googleapis.com/CLUSTER_RESOURCE_NAME"
    }
  }
}
```
Replace the following:
- TF_MEMBERSHIP_RESOURCE_NAME: the name that you choose to uniquely identify the Terraform google_gke_hub_membership resource created by this block.
- FLEET_PROJECT_ID: If this is not set, the cluster's membership will be created in the default project you specified earlier (PROJECT_ID). Set this field if you want to register the GKE cluster to a fleet in a different project.
- MEMBERSHIP_NAME: the membership name that you choose to uniquely represent the cluster in the fleet.
- CLUSTER_RESOURCE_NAME: the Google Cloud resource name for the GKE cluster. For example: projects/my-project/zones/us-west1-a/clusters/my-cluster. If the cluster is provisioned with Terraform, this is ${google_container_cluster.TF_CLUSTER_RESOURCE_NAME.id}.

Enable Workload Identity on a registered GKE cluster

Enabling Workload Identity uses the same configuration as registering a cluster, with the following additional steps.

Enable GKE Workload Identity by adding the following in the relevant google_container_cluster resource block. You need to do this for both new and existing clusters.
```
workload_identity_config {
  identity_namespace = "PROJECT_ID.svc.id.goog"
}
```
Replace the following:
- PROJECT_ID: the default project that you choose to provision your Terraform resources.
Enable Fleet Workload Identity by adding the following in the relevant google_gke_hub_membership resource block.
```
authority {
  issuer = "https://container.googleapis.com/v1/CLUSTER_RESOURCE_NAME"
}
```
Replace the following:
- CLUSTER_RESOURCE_NAME: the Google Cloud resource for the GKE cluster. For example: projects/my-project/zones/us-west1-a/clusters/my-cluster. If the cluster is provisioned with Terraform, this is ${google_container_cluster.TF_CLUSTER_RESOURCE_NAME.id}.

Config Connector

If you have the Config Connector add-on installed, you can use Config Connector to register GKE clusters. Ensure that you have a version of Config Connector above 1.47.0 and that you have created a service account as described in the prerequisites.

You can find a complete reference for the GKEHubMembership resource in the Config Connector Reference.

Register a GKE cluster

To register the cluster, first specify where you want to create your resources, following the instructions in the Config Connector guide. Then create a YAML file to register and (optionally) create a cluster, as follows:

Create and register a GKE cluster

Create a GKE cluster, as in the following simple example:
```
apiVersion: container.cnrm.cloud.google.com/v1beta1
kind: ContainerCluster
metadata:
  name: CLUSTER_NAME
spec:
  location: LOCATION
  initialNodeCount: 1
```
Replace the following:
- CLUSTER_NAME: the name that you chose to uniquely represent the cluster you created with Config Connector.
- LOCATION: the zone or region that you chose to provision your GKE cluster resource. For example: us-central1-a.
For a complete list of options when creating a GKE cluster with Config Connector, see the Config Connector documentation.
Register a membership for the GKE cluster.
```
apiVersion: gkehub.cnrm.cloud.google.com/v1beta1
kind: GKEHubMembership
metadata:
  name: MEMBERSHIP_NAME
spec:
  location: global
  endpoint:
    gkeCluster:
      resourceRef:
        name: CLUSTER_NAME
```
Replace the following:
- MEMBERSHIP_NAME: the membership name that you chose to uniquely represent the cluster being registered to the fleet.
- CLUSTER_NAME: the name that you chose to uniquely represent the cluster you created with Config Connector.

Register the cluster in a different project

Add the following to the metadata field of the GKEHubMembership resource to register a cluster to a fleet in another project.

   metadata:
     annotations:
       cnrm.cloud.google.com/project-id: FLEET_PROJECT_ID

Replace the following:

FLEET_PROJECT_ID: the fleet host project you chose to register the GKE cluster.

Register an existing cluster

Use the following configuration if you want to register any existing cluster, regardless of how it was created. In this case you need to specify the full resource name of the cluster so that Config Connector can find it. Replace the resourceRef field of the GKEHubMembership resource with:

   resourceRef:
     external: //container.googleapis.com/CLUSTER_RESOURCE_NAME

Replace the following:

CLUSTER_RESOURCE_NAME: the Google Cloud resource name for the GKE cluster. For example: projects/my-project/zones/us-west1-a/clusters/my-cluster.

If the cluster was created with Config Connector you don't need to specify the fully qualified cluster name.

Enable Workload Identity on a registered GKE cluster

Enabling Workload Identity uses the same configuration as registering a cluster, with the following additional steps.

Enable GKE Workload Identity by adding the following in the spec field of ContainerCluster resource. You need to do this for both new and existing clusters.
```
spec:
  workloadIdentityConfig:
    identityNamespace: PROJECT_ID.svc.id.goog
```
Replace the following:
- PROJECT_ID: the default project you chose through namespace annotation to create your GKE cluster resource.
Enable fleet Workload Identity by adding the following in the spec field of GKEHubMembership resource block.
```
spec:
  authority:
    issuer: https://container.googleapis.com/v1/projects/PROJECT_ID/locations/LOCATION/clusters/CLUSTER_NAME
}
```
Replace the following:
- PROJECT_ID: the default project you chose through namespace annotation to create your GKE cluster resource.
- LOCATION: the zone or region that you chose to provision your GKE cluster resource. For example: us-central1-a.
- CLUSTER_NAME: the name that you chose to uniquely represent the cluster you created.

gcloud

Registering a cluster with gcloud requires the gcloud CLI version 281.0.0 or higher

Registering the cluster from the command line installs the Connect Agent on the cluster. Depending on the registration option you choose, the agent can either use fleet Workload Identity or a Google Cloud service account for authentication to Google Cloud.

Register a GKE cluster with fleet Workload Identity (recommended)

Ensure that the cluster has GKE Workload Identity enabled, following the instructions in our prerequisites.
Run either of the following commands to register the cluster:
```
gcloud container fleet memberships register MEMBERSHIP_NAME \
 --gke-uri=GKE_URI \
 --enable-workload-identity
```
or
```
gcloud container fleet memberships register MEMBERSHIP_NAME \
 --gke-cluster=GKE_CLUSTER \
 --enable-workload-identity
```
Replace the following:
- MEMBERSHIP_NAME: the membership name that you choose to uniquely represent the cluster being registered to the fleet.
- GKE_URI: the URI of the GKE cluster, for example: https://container.googleapis.com/v1/projects/my-gke-project/locations/us-central1-a/clusters/my-gke-cluster. You can obtain the URI by running gcloud container clusters list --uri.
- GKE_CLUSTER: the location/name of the GKE cluster from the current project. The location can be a zone or a region, for example: us-central1-a/my-gke-cluster.

Register a GKE cluster with a Service Account

Ensure that you have created a service account for use by the Connect Agent, as described in our prerequisites.
Run either of the following commands:
```
gcloud container fleet memberships register MEMBERSHIP_NAME \
 --gke-uri=GKE_URI \
 --service-account-key-file=SERVICE_ACCOUNT_KEY_PATH
```
or
```
gcloud container fleet memberships register MEMBERSHIP_NAME \
 --gke-cluster=GKE_CLUSTER \
 --service-account-key-file=SERVICE_ACCOUNT_KEY_PATH
```
Replace the following:
- MEMBERSHIP_NAME: the membership name that you choose to uniquely represent the cluster being registered to the fleet.
- SERVICE_ACCOUNT_KEY_PATH: the local filepath to the service account's private key JSON file downloaded as part of Prerequisites. This service account key is stored as a secret named creds-gcp in the gke-connect namespace.
- GKE_URI: the URI of the GKE cluster, for example: https://container.googleapis.com/v1/projects/my-gke-project/locations/us-central1-a/clusters/my-gke-cluster. You can obtain the URI by running gcloud container clusters list --uri.
- GKE_CLUSTER: the location/name of the GKE cluster from the current project. The location can be a zone or a region, for example: us-central1-a/my-gke-cluster.

Troubleshooting

If you run into any problems during this setup, see our troubleshooting guide.

What's next?

Validate successful cluster registration and get other fleet membership details, as described in Get fleet membership status
Set up authentication to registered clusters:
- With Google Cloud
- With third-party identity
Log in to a cluster from the Google Cloud console