Registering a cluster

This page describes how to manually register your Kubernetes clusters with Google Cloud.

Before you begin

Before you register your Kubernetes clusters with Google Cloud for the first time, complete the following Network, Google Cloud, and Kubernetes prerequisites:

  1. Ensure network connectivity. If you are registering a GKE cluster running on Google Cloud, you have this by default.

  2. Google Cloud configurations

  3. Kubernetes configurations

Register a cluster

gcloud

Register a GKE on Google Cloud cluster

While registering the cluster, you can configure the Connect Agent to either use Workload Identity or use a Google Cloud Service Account.

Registering a cluster using Workload Identity (recommended)

  1. Run either of the following commands to register the cluster:

    gcloud beta container hub memberships register MEMBERSHIP_NAME \
       --gke-uri=GKE_URI \
       --enable-workload-identity
    

    or

    gcloud beta container hub memberships register MEMBERSHIP_NAME \
       --gke-cluster=GKE_CLUSTER \
       --enable-workload-identity
    

    Replace the following:

    • MEMBERSHIP_NAME: the membership name that you choose to uniquely represent the cluster being registered on the Hub.
    • GKE_URI: the URI of the GKE cluster, for example: https://container.googleapis.com/projects/my-gke-project/locations/us-central1-a/clusters/my-gke-cluster. You can obtain the URI by running gcloud container clusters list --uri.
    • GKE_CLUSTER: the location/name of the GKE cluster from the current project. The location can be a zone or a region, for example: us-central1-a/my-gke-cluster.
  2. Run the following command to grant the required Google Cloud IAM permissions for Connect Agent:

    gcloud projects add-iam-policy-binding \
       HUB_PROJECT_ID \
       --member "serviceAccount:HUB_PROJECT_ID.hub.id.goog[gke-connect/connect-agent-sa]" \
       --role "roles/gkehub.connect"
    

Registering a cluster using Service Account

Run either of the following commands:

gcloud container hub memberships register MEMBERSHIP_NAME \
   --gke-uri=GKE_URI \
   --service-account-key-file=SERVICE_ACCOUNT_KEY_PATH

or

gcloud container hub memberships register MEMBERSHIP_NAME \
   --gke-cluster=GKE_CLUSTER \
   --service-account-key-file=SERVICE_ACCOUNT_KEY_PATH

Replace the following:

  • MEMBERSHIP_NAME: the membership name that you choose to uniquely represent the cluster being registered on the Hub.
  • SERVICE_ACCOUNT_KEY_PATH: the local filepath to the service account's private key JSON file downloaded as part of Prerequisites. This service account key is stored as a secret named creds-gcp in the gke-connect namespace.
  • GKE_URI: the URI of the GKE cluster, for example: https://container.googleapis.com/projects/my-gke-project/locations/us-central1-a/clusters/my-gke-cluster. You can obtain the URI by running gcloud container clusters list --uri.
  • GKE_CLUSTER: the location/name of the GKE cluster from the current project. The location can be a zone or a region, for example: us-central1-a/my-gke-cluster.

Register a non-GKE, GKE on AWS, or GKE on-prem cluster

Run the following command:

 gcloud container hub memberships register MEMBERSHIP_NAME \
   --context=KUBECONFIG_CONTEXT \
   --kubeconfig=KUBECONFIG_PATH \
   --service-account-key-file=SERVICE_ACCOUNT_KEY_PATH

Replace the following:

  • MEMBERSHIP_NAME: the membership name that you choose and that is used to uniquely represent the cluster being registered on the Hub.
  • SERVICE_ACCOUNT_KEY_PATH: the local filepath to the service account's private key JSON file downloaded as part of Prerequisites. This service account key is stored as a secret named creds-gcp in the gke-connect namespace.
  • KUBECONFIG_CONTEXT: the cluster context of the cluster being registered as it appears in the kubeconfig file. You can get this value from the command line by running kubectl config current-context.
  • KUBECONFIG_PATH: the local filepath where your kubeconfig containing an entry for the cluster being registered is stored. This defaults to $KUBECONFIG if that environment variable is set; otherwise, this defaults to $HOME/.kube/config.

Console

Register an Anthos on Google Cloud cluster

These instructions apply to GKE clusters on Google Cloud in projects that have enabled Anthos.

To register a cluster:

  1. In the Google Cloud Console, go to the Anthos Clusters page. This page shows all your registered clusters.

    Go to the Anthos Clusters page

  2. Click Register existing cluster.

  3. Click Register next to the unregistered cluster that you want to add to your environ.

  4. Specify the service account that you want to use when registering the cluster. We recommend keeping the default behavior and creating a new service account.

    • If you select Create a new service account:
      • Specify a Service account ID to identify your new service account.
      • Choose if you want to download its service account key as a JSON file. We recommend keeping the default behavior and downloading the key because you won't be able to download it later.
    • If you select Use existing service account, paste in the account's service account key in JSON format.
  5. Optional: Specify a new membership name for your cluster. By default, a cluster's membership name is its current name. However, if your cluster's name is not unique within your project, you must specify a new unique membership name because all clusters require a unique identifier within their environ.

  6. To register your cluster, click Submit.

Register any other cluster

These instructions apply to non-GKE, GKE on AWS, GKE on-prem, and any other GKE clusters.

To register a cluster:

  1. In the Google Cloud Console, go to the Anthos Clusters page. This page shows all your registered clusters.

    Go to the Anthos Clusters page

  2. Click Register existing cluster.

  3. Click Add external cluster.

  4. Enter the name of the cluster that you want to register in the Cluster name field.

  5. Optional: Add Google Cloud labels to your cluster.

  6. Click Generate registration command.

  7. In Cloud Shell or wherever you have saved your service account credentials, edit and run the gcloud command that is displayed on the page. You need to specify the following values:

    • The CLUSTER_CONTEXT is the cluster's context as it appears in the kubeconfig file. You can get this value from the command line by running kubectl config current-context.
    • The KUBECONFIG_PATH is the local filepath where your kubeconfig file is stored. This defaults to $KUBECONFIG if that environment variable is set; otherwise, it defaults to $HOME/.kube/config.
    • The LOCAL_KEY_PATH is the path to your service account key file.

    Running this command deploys the Connect Agent in your user cluster. When the Connect Agent connects to Google Cloud and your cluster is registered, a success message is displayed on the page.

  8. Click Set labels, or click Skip if you didn't set any labels.

Advanced registration options (command line only)

Download the Connect Agent manifest

To download the Connect Agent installation manifest without deploying the agent, for example if you want to examine or edit the manifest before installation, pass in the --manifest-output-file flag to the gcloud container hub memberships register command. For example:

--manifest-output-file=[MANIFEST_FILE_PATH]

where [MANIFEST_FILE_PATH] is the local filepath where you want the Connect Agent installation manifest to be stored.

Using this option will not deploy the Connect Agent into the cluster. To deploy the Connect Agent, manually apply the downloaded manifest to your cluster.

Using a proxy server

To configure a proxy server, pass in the --proxy flag to gcloud container hub memberships register command. For example:

--proxy=[URL]

where [URL] is the proxy address.

The Connect Agent supports CONNECT-based HTTP and HTTPS proxies only, and accepts IP addresses and hostnames. Be sure to specify the protocol corresponding to the proxy type in the URL. For example, to pass in an HTTPS hostname:

--proxy=https://mycorpproxy.com:443

Unless you specify otherwise, Connect Agent uses port 3128 for the proxy.

If your proxy requires authorization, ensure that you pass in your credentials, such as:

--proxy=http://user:password@10.10.10.10:8888

Installing Connect Agent in a cluster with Windows and Linux nodes

The Connect Agent has to run on a Linux node. If you are installing in a mixed cluster with both Linux and Windows nodes, you can ensure that the Connect Agent is deployed on to a Linux node by adding an appropriate node selector to the deployment definition.

Run the following command to update the deployment with the appropriate node selector:

kubectl patch deployment \
$(kubectl get deployment -o=jsonpath={.items[*].metadata.name} -n gke-connect) \
-p '{"spec":{"template":{"spec":{"nodeSelector":{"kubernetes.io/os":"linux"}}}}}' -n gke-connect

To validate that the update succeeded run the following command:

kubectl get deployment -o=jsonpath={.items[].spec.template.spec.nodeSelector} -n gke-connect

The command should return:

{"kubernetes.io/os":"linux"}

What's next