Connect overview

Connect allows you to connect any of your Kubernetes clusters to Google Cloud. This enables access to cluster and workload management features, including a unified user interface, Cloud Console, for interacting with your cluster.

If your network is configured to allow outbound requests, you can configure the Connect Agent to traverse NATs, egress proxies, and firewalls to establish a long-lived, encrypted connection between your cluster's Kubernetes API server and your Google Cloud project. Once this connection is enabled, you can use your own credentials to log back into your clusters and access details about their Kubernetes resources. This effectively replicates the UI experience that is otherwise only available to GKE clusters.

After the connection is established, the Connect Agent software can exchange with Google Cloud the account credentials, technical details, and metadata about connected infrastructure and workloads that are necessary to manage them, including the details of resources, applications, and hardware.

This cluster service data is associated with your Google Cloud project and/or account. Google uses this data to maintain a control plane between your cluster and Google Cloud, to provide you with any Google Cloud services and features you request, including facilitating support, billing, providing updates, and to measure and improve the reliability, quality, capacity, and functionality of Connect and Google Cloud services available through Connect.

You remain in control of what data is sent through Connect: your Kubernetes API server performs authentication, authorization, and audit logging on all requests via Connect. Google and users can access data or APIs via Connect after they have been authorized by the cluster administrator (for example, via RBAC); the cluster administrator can revoke that authorization.

Connect Agent

Connect uses a Deployment called the Connect Agent to establish a connection between your clusters and your Google Cloud project, and to handle Kubernetes requests.

Connect IAM roles

Identity and Access Management (IAM) gives authenticated project members permission to call Google Cloud APIs and to perform tasks within Google Cloud products. IAM grants roles to users, groups, and service accounts.

None of these roles directly allows access to connected clusters. If you're registering a cluster to be viewed via Google Cloud, you need the credentials and permissions within the cluster to launch the Connect Agent. If you are accessing a cluster via Google Cloud, you need cluster credentials and permissions of your own to present to Google Cloud.

Some of these roles allow you to access information about clusters, including:

  • Cluster names.
  • Public keys.
  • IP addresses.
  • Identity providers.
  • Kubernetes versions.
  • Cluster size.
  • Other cluster metadata.

Connect uses the following IAM roles:

roles/gkehub.admin (Hub Admin)

Provides full access to Hub and its related resources.

Permissions for Google Cloud

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Permissions for Hub

  • gkehub.memberships.list
  • gkehub.memberships.get
  • gkehub.memberships.create
  • gkehub.memberships.update
  • gkehub.memberships.delete
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.setIamPolicy
  • gkehub.locations.list
  • gkehub.locations.get
  • gkehub.operations.list
  • gkehub.operations.get
  • gkehub.operations.cancel
  • gkehub.features.list
  • gkehub.features.get
  • gkehub.features.create
  • gkehub.features.update
  • gkehub.features.delete
  • gkehub.features.getIamPolicy
  • gkehub.features.setIamPolicy

roles/gkehub.viewer (Hub Viewer)

Provides read-only access to Hub and related resources.

Permissions for Google Cloud

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Permissions for Hub

  • gkehub.memberships.list
  • gkehub.memberships.get
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.getIamPolicy
  • gkehub.locations.list
  • gkehub.locations.get
  • gkehub.operations.list
  • gkehub.operations.get
  • gkehub.features.list
  • gkehub.features.get
  • gkehub.features.getIamPolicy

roles/gkehub.connect (GKE Connect Agent)

Provides the ability to establish new connections between external clusters and Google.

Permissions for Hub

  • gkehub.endpoints.connect

Logging in using Connect

Authentication

Currently, you can log in to registered clusters via Google Cloud Console in three ways:

  1. Using basic authentication, which uses a username and a static password file. To learn more, refer to Static Password File.
  2. Using a bearer token. Many kinds of bearer tokens, as specified in Kubernetes Authentication, are supported. The easiest method is to create a Kubernetes service account (KSA) in the cluster, and use its bearer token to log in.
  3. Using an OpenID Connect (OIDC) provider.

Authorization

Authorization checks are performed by the cluster's API server against the identity you use when you authenticate via Google Cloud Console.

All accounts logging in to a cluster need to hold at least the following Kubernetes RBAC roles in the cluster:

These roles provide read-only access to a cluster and details about its nodes. They do not provide access to all resources, so some features of Google Cloud Console may not be available; for instance, these roles do not allow access to Kubernetes Secrets or to Pod logs.

Accounts can be granted other RBAC permissions, such as the edit or cluster-admin ClusterRoles, to do more within the cluster. For more information, see the RBAC documentation.

Auditing

Accesses via the Google Cloud Console are audit logged on the cluster's API server.
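Because every request made through Connect is authenticated, authorized and audit logged by the cluster's own API server, those audit events are the place to review what each Console identity actually did. The following is an added example, not code from the original page or from Google: it triages a few constructed audit.k8s.io/v1 events (user names, resource names and auditIDs are invented) and flags denied requests, reads of Secrets or Pod logs, and RBAC changes, grouped by the identity that made them.

```python
import json
from collections import defaultdict

# Constructed sample audit events (audit.k8s.io/v1, one JSON object per line), in the
# shape the API server writes to its audit backend. All names and IDs are invented.
SAMPLE_AUDIT_LOG = r'''
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a1","stage":"ResponseComplete","verb":"list","user":{"username":"system:serviceaccount:default:console-viewer"},"objectRef":{"resource":"pods","namespace":"default"},"responseStatus":{"code":200},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a2","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:default:console-viewer"},"objectRef":{"resource":"secrets","namespace":"kube-system","name":"db-creds"},"responseStatus":{"code":403},"annotations":{"authorization.k8s.io/decision":"forbid"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a3","stage":"ResponseComplete","verb":"get","user":{"username":"alice@example.com"},"objectRef":{"resource":"pods","namespace":"default","name":"api-0","subresource":"log"},"responseStatus":{"code":200},"annotations":{"authorization.k8s.io/decision":"allow"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","auditID":"a4","stage":"ResponseComplete","verb":"create","user":{"username":"alice@example.com"},"objectRef":{"resource":"clusterrolebindings","apiGroup":"rbac.authorization.k8s.io","name":"alice-admin"},"responseStatus":{"code":201},"annotations":{"authorization.k8s.io/decision":"allow"}}
'''

RBAC_RESOURCES = {"roles", "rolebindings", "clusterroles", "clusterrolebindings"}
WRITE_VERBS = {"create", "update", "patch", "delete", "deletecollection"}


def classify(event):
    """Return the finding tags that apply to a single audit event."""
    tags = []
    ref = event.get("objectRef", {})
    resource, subresource = ref.get("resource", ""), ref.get("subresource", "")
    verb = event.get("verb", "")
    code = event.get("responseStatus", {}).get("code", 0)
    # 401/403: the identity asked for something its RBAC roles do not grant.
    if code in (401, 403):
        tags.append("denied")
    # Secrets and Pod logs are exactly what the read-only login roles leave out.
    if resource == "secrets" or (resource == "pods" and subresource == "log"):
        tags.append("sensitive-access")
    # Writes to RBAC objects change who may do what in the cluster via Connect.
    if resource in RBAC_RESOURCES and verb in WRITE_VERBS:
        tags.append("rbac-change")
    return tags


def triage(audit_jsonl):
    """Group findings by authenticated identity: {username: [(auditID, tag), ...]}."""
    findings = defaultdict(list)
    for line in audit_jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("stage") != "ResponseComplete":  # ignore RequestReceived duplicates
            continue
        user = event.get("user", {}).get("username", "<unknown>")
        for tag in classify(event):
            findings[user].append((event["auditID"], tag))
    return dict(findings)


if __name__ == "__main__":
    for user, items in triage(SAMPLE_AUDIT_LOG).items():
        print(user, items)
```

Point `triage` at the API server's audit log file (one event per line) to get the same per-identity summary for a real cluster; identities with no findings, such as the `list pods` request above, are left out of the result.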