Connect overview

Connect allows you to connect any of your Kubernetes clusters to Google Cloud. This gives you access to cluster and workload management features, including a unified user interface, the Cloud Console, for interacting with your cluster.

If your network is configured to allow outbound requests, you can configure the Connect Agent to traverse NATs, egress proxies, and firewalls to establish a long-lived, encrypted connection between your cluster's Kubernetes API server and your Google Cloud project. Once this connection is enabled, you can use your own credentials to log back into your clusters and access details about their Kubernetes resources. This effectively replicates the UI experience that is otherwise only available to GKE clusters.

After the connection is established, the Connect Agent software can exchange account credentials, technical details, and metadata about connected infrastructure and workloads that Google Cloud needs in order to manage them, including the details of resources, applications, and hardware.

This cluster service data is associated with your Google Cloud project and account. Google uses this data to maintain a control plane between your cluster and Google Cloud; to provide you with any Google Cloud services and features you request (including facilitating support, billing, and providing updates); and to measure and improve the reliability, quality, capacity, and functionality of Connect and of the Google Cloud services available through Connect.

You remain in control of what data is sent through Connect: your Kubernetes API server performs authentication, authorization, and audit logging on all requests via Connect. Google and users can access data or APIs via Connect after they have been authorized by the cluster administrator (for example, via RBAC); the cluster administrator can revoke that authorization.

Connect Agent

Connect uses a Deployment called the Connect Agent to establish a connection between your clusters and your Google Cloud project, and to handle Kubernetes requests.

Connect IAM roles

Identity and Access Management (IAM) allows users, groups, and service accounts to access Google Cloud APIs and to perform tasks within Google Cloud products.

You need to provide specific IAM roles to launch the Connect Agent and interact with your cluster using the Google Cloud Console or Cloud SDK. These roles do not allow direct access to connected clusters.

Some of these roles allow you to access information about clusters, including:

  • Cluster names
  • Public keys
  • IP addresses
  • Identity providers
  • Kubernetes versions
  • Cluster size
  • Other cluster metadata

Connect uses the following IAM roles:

Role name: roles/gkehub.admin
Role title: Hub Admin
Description: Provides full access to Hub and its related resources.

Permissions for Google Cloud:

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Permissions for Hub:

  • gkehub.memberships.list
  • gkehub.memberships.get
  • gkehub.memberships.create
  • gkehub.memberships.update
  • gkehub.memberships.delete
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.getIamPolicy
  • gkehub.memberships.setIamPolicy
  • gkehub.locations.list
  • gkehub.locations.get
  • gkehub.operations.list
  • gkehub.operations.get
  • gkehub.operations.cancel
  • gkehub.features.list
  • gkehub.features.get
  • gkehub.features.create
  • gkehub.features.update
  • gkehub.features.delete
  • gkehub.features.getIamPolicy
  • gkehub.features.setIamPolicy

Role name: roles/gkehub.viewer
Role title: Hub Viewer
Description: Provides read-only access to Hub and its related resources.

Permissions for Google Cloud:

  • resourcemanager.projects.get
  • resourcemanager.projects.list

Permissions for Hub:

  • gkehub.memberships.list
  • gkehub.memberships.get
  • gkehub.memberships.generateConnectManifest
  • gkehub.memberships.getIamPolicy
  • gkehub.locations.list
  • gkehub.locations.get
  • gkehub.operations.list
  • gkehub.operations.get
  • gkehub.features.list
  • gkehub.features.get
  • gkehub.features.getIamPolicy

Role name: roles/gkehub.connect
Role title: GKE Connect Agent
Description: Provides the ability to establish new connections between external clusters and Google.

Permissions for Hub:

  • gkehub.endpoints.connect

Logging in using Connect

Authentication

Google Cloud provides multiple options for signing in to registered clusters from the Google Cloud Console. Your available options depend on how your cluster admin has configured authentication:

  1. If the cluster has been set up to use the Connect gateway, you can log in using your Google Cloud identity, just like you do with GKE clusters on Google Cloud.
  2. If the cluster has been set up to use Anthos Identity Service with an OpenID Connect (OIDC) provider such as ADFS or Okta, or an LDAP provider, you can log in using an identity from that provider.
  3. You can log in using a bearer token. Many kinds of bearer tokens, as specified in Kubernetes Authentication, are supported. The easiest method is to create a Kubernetes service account (KSA) in the cluster, and use its bearer token to log in.

You can find out more about using these options in Log in to clusters from the Cloud Console.

Authorization

Authorization checks are performed by the cluster's API server against the identity you use when you authenticate via Google Cloud Console.

All accounts logging in to a cluster need to hold at least the following Kubernetes RBAC roles in the cluster:

These roles provide read-only access to a cluster and to details about its nodes. They do not provide access to all resources, so some features of the Google Cloud Console may not be available; for instance, these roles do not allow access to Kubernetes Secrets or to Pod logs.

Accounts can be granted other RBAC permissions, such as the edit or cluster-admin ClusterRoles, to do more within the cluster. For more information, see the RBAC documentation.
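The bearer-token login option above (creating a Kubernetes service account and using its token) and the read-only RBAC requirement in this section, as an added example that is not part of the original documentation: a POSIX shell script that renders the manifests for a service account bound to the built-in read-only view ClusterRole plus a cluster-scoped read-only role for nodes, decodes the account's token as returned by kubectl, and checks that the rendered RBAC grants nothing on Secrets or Pod logs. The namespace and account names (connect-login, cloud-console-viewer) and the node-reader ClusterRole are assumptions; the page does not name the exact roles it requires, and base64 -d assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not from the Connect documentation. Renders the manifests for
# a read-only Kubernetes service account (KSA) whose bearer token can be used
# to log in to a registered cluster from the Cloud Console, and checks that the
# rendered RBAC grants no access to Secrets or Pod logs.
# The namespace, the account name and the node-reader ClusterRole are assumptions.
NAMESPACE="${NAMESPACE:-connect-login}"
KSA="${KSA:-cloud-console-viewer}"

# Print the manifests: namespace, service account, a binding to the built-in
# read-only "view" ClusterRole, a ClusterRole for read-only access to nodes
# (nodes are cluster-scoped and not covered by "view") with its binding, and a
# long-lived token Secret for the account.
render_manifests() {
  cat <<EOF
apiVersion: v1
kind: Namespace
metadata:
  name: ${NAMESPACE}
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${KSA}
  namespace: ${NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${KSA}-view
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: view
subjects:
- kind: ServiceAccount
  name: ${KSA}
  namespace: ${NAMESPACE}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: node-reader
rules:
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ${KSA}-node-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: node-reader
subjects:
- kind: ServiceAccount
  name: ${KSA}
  namespace: ${NAMESPACE}
---
apiVersion: v1
kind: Secret
metadata:
  name: ${KSA}-token
  namespace: ${NAMESPACE}
  annotations:
    kubernetes.io/service-account.name: ${KSA}
type: kubernetes.io/service-account-token
EOF
}

# Decode the base64 token value that
#   kubectl get secret <name> -n <ns> -o jsonpath='{.data.token}'
# returns; the decoded value is the bearer token pasted into the Console.
decode_token() {
  printf '%s' "$1" | base64 -d
}

# Return 0 when the manifest on stdin names neither Secrets nor Pod logs as a
# resource, the two things the Console login roles are not expected to expose.
no_sensitive_read() {
  ! grep -qE '"secrets"|"pods/log"'
}

# Against a real cluster (commented out so the script runs offline):
#   render_manifests | no_sensitive_read && render_manifests | kubectl apply -f -
#   TOKEN=$(decode_token "$(kubectl get secret "${KSA}-token" -n "${NAMESPACE}" -o jsonpath='{.data.token}')")
```

Running the sensitive-read check before applying keeps the login identity at the read-only level the Console needs; any later widening (for example binding edit or cluster-admin) is a deliberate, separately reviewable change, and every request made with the token is still authorized and audit logged by the cluster's API server.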

Auditing

Accesses via the Google Cloud Console are audit logged on the cluster's API server.