Work with clusters from the Google Cloud console

After they have been added to your fleet, all clusters appear in the Google Cloud console. The Google Cloud console offers a central user interface for managing all your Kubernetes clusters and their resources, no matter where they are running. All your resources are shown in a single dashboard, and it's easy to get visibility into your workloads across multiple Kubernetes clusters.

For GKE clusters on Google Cloud, you don't need to do anything else to see cluster details such as nodes and workloads, provided you have been granted the relevant permissions. You can find out more about working with Google Cloud clusters in the Google Cloud console in the GKE documentation.

However, if your fleet includes clusters outside Google Cloud, your platform administrator needs to set up authentication so that you can log in to these clusters and view their details in the Google Cloud console. You need to know which authentication method your platform administrator has set up so that you can log in to the Google Cloud console. Ask your platform administrator which of the following authentication methods have been configured:

Required roles

If you are not a project owner, you must have the following Identity and Access Management roles at minimum to view clusters in the Google Cloud console:

  • roles/container.viewer. This role lets users view the GKE Clusters page and other container resources in the Google Cloud console. For details about the permissions included in this role, or to grant a role with read/write permissions, see Kubernetes Engine roles in the IAM documentation.

  • roles/gkehub.viewer. This role lets users view clusters outside Google Cloud in the Google Cloud console. For details about the permissions included in this role, or to grant a role with read/write permissions, see GKE Hub roles in the IAM documentation.

View registered clusters

After you register a cluster to your project fleet, it appears in the Google Cloud console in the GKE Clusters list. However, to see more details such as nodes and workloads for any cluster outside Google Cloud, you need to log in and authenticate to the cluster. Clusters that require login show an orange warning triangle and prompt you to log in. The following example shows the GKE Clusters page with two clusters outside Google Cloud that require login.

Screenshot of Google Kubernetes Engine clusters list

After you log in to the cluster, you can select the cluster and view cluster details, just like a GKE on Google Cloud cluster.

Log in using your Google Cloud identity

If your cluster is configured to use your Google Cloud identity, follow these steps to log in:

  1. In the GKE Clusters page in the Google Cloud console, click Actions next to the registered cluster, then click Login.

    Go to GKE Clusters

  2. Select Use your Google identity to log in.

  3. Click Login.

Log in using OpenID Connect (OIDC)

Note that while GKE Identity Service also supports LDAP identity providers, login using the Google Cloud console is supported for OIDC providers only.

If your cluster is configured to use an OIDC identity provider with GKE Identity Service, follow these steps to log in:

  1. In the GKE Clusters page in the Google Cloud console, click Actions next to the registered cluster, then click Login.

    Go to GKE Clusters

  2. Select Authenticate with identity provider configured for the cluster. You are redirected to your identity provider, where you might need to log in or consent to the Google Cloud console accessing your account.

  3. Click Login.

Log in using third-party identity and the Connect gateway

If your cluster is configured to use third-party identity with the Connect gateway, you can log in to the cluster with your third-party identity in the Google Cloud workforce identity federation console, also known as the console (federated). Login from the regular Google Cloud console is not supported.

Follow these steps to log in:

  1. Go to the Google Cloud workforce identity federation console, enter your provider ID, and sign in using your identity provider. Your platform administrator should provide you with all the details you need to sign in. To learn more about how this is set up, see Set up user access to the console (federated).
  2. In the GKE Clusters page in the Google Cloud console, click Actions next to the registered cluster, then click Login.

    Go to GKE Clusters

  3. Select Use your third-party identity provider to log in.

  4. Click Login.

Log in using a bearer token

If your cluster is configured to use a Kubernetes service account's bearer token, follow these steps:

  1. In the GKE Clusters page in the Google Cloud console, click Actions next to the registered cluster, then click Login.

    Go to GKE Clusters

  2. Select Token, and then fill in the Token field with the KSA's bearer token.

  3. Click Login.

Auditing

Accesses via the Google Cloud console are audit logged on the cluster's API server.

What's next

Learn more about: