Fleets (formerly known as environs) let you manage multiple Kubernetes clusters across cloud and on-premises environments.
Fleet-enabled components, also called "features," are Google-hosted services that provide functionality across a group of clusters. For example, Anthos Config Management allows you to apply consistent policy across all the clusters in a fleet.
In order to use these features, they must be authorized through role-based access control to perform their functions on clusters. The Feature Authorizer automatically sets and updates permissions for fleet-enabled features, which saves you from having to set feature permissions manually on every cluster, especially when Google releases feature updates.
When you register a cluster,
the manifest applied to the cluster contains a
that gives the Feature Authorizer a
cluster-admin role on the cluster,
and the role is attached to a service account named
For more information about Feature Authorizer and the RBAC
it sets on Google Cloud controllers, see
What uses Connect.
You can see the status of fleet-enabled features in the Google Cloud Console. You can also disable (and re-enable) some features there as well.
When you disable a fleet-enabled feature in your project, Feature
Authorizer deletes the corresponding
ClusterRoleBinding for the feature, which removes
the feature's ability to operate on the cluster.
Viewing Feature Authorizer in audit logs
To view Feature Authorizer activity in Google Kubernetes Engine audit logs:
Open the Log Viewer in the Google Cloud Console.
Run the following advanced query, replacing the variables:
resource.type="k8s_cluster" resource.labels.cluster_name="cluster-name" resource.labels.location="cluster-location" protoPayload.authenticationInfo.principalEmail="system:serviceaccount:gke-connect:connect-agent-sa" protoPayload.authenticationInfo.authoritySelector="firstname.lastname@example.org"
For non-GKE clusters, find out where the Kubernetes audit logs are stored, and run a similar query.
Disabling Feature Authorizer (not recommended)
There's no real need to disable Feature Authorizer. The only reliable way to
disable Feature Authorizer is by removing the
cluster-admin role from it,
which could cause features to stop working or work improperly. Therefore,
disabling Feature Authorizer is not recommended.