ContainerAttachedCluster
Property | Value |
---|---|
Google Cloud Service Name | Anthos Multi-Cloud |
Google Cloud Service Documentation | /anthos/clusters/docs/multi-cloud/attached |
Google Cloud REST Resource Name | v1.projects.locations.attachedClusters |
Google Cloud REST Resource Documentation | /anthos/clusters/docs/multi-cloud/reference/rest/v1/projects.locations.attachedClusters |
Config Connector Resource Short Names | gcpcontainerattachedcluster gcpcontainerattachedclusters containerattachedcluster |
Config Connector Service Name | gkemulticloud.googleapis.com |
Config Connector Resource Fully Qualified Name | containerattachedclusters.containerattached.cnrm.cloud.google.com |
Can Be Referenced by IAMPolicy/IAMPolicyMember | No |
Config Connector Default Average Reconcile Interval In Seconds | 600 |
Prerequisites
Before you can use this resource, you must prepare the target cluster so that the multi-cloud service can connect to it. To prepare the cluster, deploy an install agent into the target cluster:
- Generate the manifest YAML file for the install agent:
gcloud container attached clusters generate-install-manifest my-cluster --location=GOOGLE_CLOUD_REGION --platform-version=PLATFORM_VERSION --output-file=manifest.yaml
Example command:
gcloud container attached clusters generate-install-manifest kcc-attached-cluster --location=us-west1 --platform-version=1.25.0-gke.5 --output-file=manifest.yaml
- Fetch credentials for the target cluster and record its kubeconfig context:
Amazon Elastic Kubernetes Service cluster: aws eks update-kubeconfig --region $AWS_REGION --name $CLUSTER
Azure Kubernetes Service cluster: az aks get-credentials -n $CLUSTER -g $AZURE_RESOURCE_GROUP
export KUBECONFIG_CONTEXT=$(kubectl config current-context)
- Review manifest.yaml, then apply it to the target cluster. The manifest creates a namespace, a ServiceAccount for the agent and a ClusterRoleBinding for that ServiceAccount; check which ClusterRole the binding references before applying, because that is the privilege the agent will hold in your cluster.
(Optional if the previous command already switched the context) kubectl config use-context $KUBECONFIG_CONTEXT
kubectl apply -f manifest.yaml
You should see the following output:
namespace/gke-install created
serviceaccount/gke-install-agent created
clusterrolebinding.rbac.authorization.k8s.io/multicloud-install-agent-admin created
deployment.apps/gke-multicloud-agent created
- Switch back to the Google Kubernetes Engine (GKE) cluster with Config Connector installed:
Run kubectl config get-contexts to see all configured contexts. You should see at least two: one for the target cluster and one for the GKE cluster with Config Connector installed.
Run kubectl config use-context GKE_CONTEXT to switch back to the GKE context.
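The steps above as one script, with the review step made concrete. This is an added example, not part of the Config Connector documentation or of the gcloud tooling. The helper names (`bound_cluster_roles`, `manifest_grants_cluster_admin`, `prepare_target_cluster`, `write_sample_manifest`) and the `CLUSTER`, `LOCATION`, `PLATFORM_VERSION`, `DISTRIBUTION`, `KCC_CONTEXT`, `AWS_REGION` and `AZURE_RESOURCE_GROUP` variables are this example's own; it assumes gcloud, kubectl and the aws or az CLI are installed and authenticated. The manifest the script inspects when run offline is constructed to mirror the objects listed in the apply output above (namespace, ServiceAccount, ClusterRoleBinding) and is not the real generated manifest; the real procedure only runs when you invoke the script with `RUN_PREPARE=1`.

```sh
#!/bin/sh
# Added example: generate the install-agent manifest, show which ClusterRole
# its ClusterRoleBinding grants, apply it to the target cluster, and return
# to the Config Connector context. Not the project's own code.
set -eu

# Print the ClusterRole referenced by each ClusterRoleBinding in a manifest.
# Assumes the layout kubectl/gcloud emit: documents separated by '---',
# a top-level 'kind:' line and a 'roleRef:' block indented by two spaces.
bound_cluster_roles() {
  awk '
    /^---/                                      { kind = ""; inref = 0; next }
    /^kind:/                                    { kind = $2; next }
    inref && !/^  /                             { inref = 0 }
    kind == "ClusterRoleBinding" && /^roleRef:/ { inref = 1; next }
    inref && /^  name:/                         { print $2 }
  ' "$1"
}

# Succeed (exit 0) if any ClusterRoleBinding in the manifest binds cluster-admin.
manifest_grants_cluster_admin() {
  bound_cluster_roles "$1" | grep -qx 'cluster-admin'
}

# The prerequisite procedure end to end; needs network and credentials,
# so it only runs when RUN_PREPARE=1 is set by the caller.
prepare_target_cluster() {
  gcloud container attached clusters generate-install-manifest "$CLUSTER" \
    --location="$LOCATION" --platform-version="$PLATFORM_VERSION" \
    --output-file=manifest.yaml

  # Know what you are granting before you apply it.
  echo "ClusterRoles bound by manifest.yaml:"
  bound_cluster_roles manifest.yaml
  if manifest_grants_cluster_admin manifest.yaml; then
    echo "note: the install agent will run with cluster-admin on $CLUSTER"
  fi

  case "$DISTRIBUTION" in
    eks) aws eks update-kubeconfig --region "$AWS_REGION" --name "$CLUSTER" ;;
    aks) az aks get-credentials -n "$CLUSTER" -g "$AZURE_RESOURCE_GROUP" ;;
    *)   echo "unsupported DISTRIBUTION: $DISTRIBUTION" >&2; return 1 ;;
  esac
  TARGET_CONTEXT=$(kubectl config current-context)

  # Apply against the target context explicitly, then switch back.
  kubectl --context="$TARGET_CONTEXT" apply -f manifest.yaml
  kubectl config use-context "$KCC_CONTEXT"
}

# Constructed sample mirroring the objects the real manifest creates
# (namespace, service account, binding). It is assumed, not verified here,
# that the binding targets cluster-admin; inspect the real file to know.
write_sample_manifest() {
  cat >"$1" <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: gke-install
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gke-install-agent
  namespace: gke-install
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: multicloud-install-agent-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: gke-install-agent
  namespace: gke-install
EOF
}

if [ "${RUN_PREPARE:-0}" = "1" ]; then
  prepare_target_cluster
fi
```

Run it as `RUN_PREPARE=1 CLUSTER=... LOCATION=... PLATFORM_VERSION=... DISTRIBUTION=eks KCC_CONTEXT=... sh prepare.sh`; without `RUN_PREPARE` the script only defines the functions, which is how the offline check of the constructed manifest is exercised.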
Custom Resource Definition Properties
Spec
Schema
```yaml
annotations:
  string: string
authorization:
  adminUsers:
  - string
binaryAuthorization:
  evaluationMode: string
deletionPolicy: string
description: string
distribution: string
fleet:
  membership: string
  projectRef:
    external: string
    name: string
    namespace: string
location: string
loggingConfig:
  componentConfig:
    enableComponents:
    - string
monitoringConfig:
  managedPrometheusConfig:
    enabled: boolean
oidcConfig:
  issuerUrl: string
  jwks: string
platformVersion: string
projectRef:
  external: string
  kind: string
  name: string
  namespace: string
resourceID: string
```
Fields | |
---|---|
annotations | Optional |
Optional. Annotations on the cluster. This field has the same restrictions as Kubernetes annotations. The total size of all keys and values combined is limited to 256k. Key can have 2 segments: prefix (optional) and name (required), separated by a slash (/). Prefix must be a DNS subdomain. Name must be 63 characters or less, begin and end with alphanumerics, with dashes (-), underscores (_), dots (.), and alphanumerics between. |
authorization | Optional |
Optional. Configuration related to the cluster RBAC settings. |
authorization.adminUsers | Optional |
Optional. Users that can perform operations as a cluster admin. A managed ClusterRoleBinding will be created to grant the `cluster-admin` ClusterRole to the users. Up to ten admin users can be provided. For more info on RBAC, see https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles |
authorization.adminUsers[] | Optional |
|
binaryAuthorization | Optional |
Optional. Binary Authorization configuration for this cluster. |
binaryAuthorization.evaluationMode | Optional |
Mode of operation for binauthz policy evaluation. If unspecified, defaults to DISABLED. Possible values: ["DISABLED", "PROJECT_SINGLETON_POLICY_ENFORCE"]. |
deletionPolicy | Optional |
Optional. Policy to determine what flags to send on delete. The Ignore Errors sample below sets `DELETE_IGNORE_ERRORS`, which lets the deletion succeed even if errors occur while removing the agent's resources inside the target cluster; this may leave orphaned objects in that cluster that you then clean up by hand. |
description | Optional |
Optional. A human readable description of this Attached cluster. Cannot be longer than 255 UTF-8 encoded bytes. |
distribution | Required |
Immutable. The Kubernetes distribution of the underlying attached cluster. Supported values: ["eks", "aks", "generic"]. |
fleet | Required |
Required. Fleet configuration. |
fleet.membership | Optional |
Output only. The name of the managed Hub Membership resource associated to this cluster. Membership names are formatted as `projects/ |
fleet.projectRef | Required |
The id of the Fleet host project where this cluster will be registered. |
fleet.projectRef.external | Optional |
The project of the fleet. Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`). |
fleet.projectRef.name | Optional |
Name of the project resource. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
fleet.projectRef.namespace | Optional |
Namespace of the project resource. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
location | Required |
Immutable. The location for the resource. |
loggingConfig | Optional |
Optional. Logging configuration for this cluster. |
loggingConfig.componentConfig | Optional |
The configuration of the logging components. |
loggingConfig.componentConfig.enableComponents | Optional |
The components to be enabled. Possible values: ["SYSTEM_COMPONENTS", "WORKLOADS"]. |
loggingConfig.componentConfig.enableComponents[] | Optional |
|
monitoringConfig | Optional |
Optional. Monitoring configuration for this cluster. |
monitoringConfig.managedPrometheusConfig | Optional |
Enable Google Cloud Managed Service for Prometheus in the cluster. |
monitoringConfig.managedPrometheusConfig.enabled | Optional |
Enable Managed Collection. |
oidcConfig | Required |
Required. OpenID Connect (OIDC) discovery information of the target cluster. Kubernetes Service Account (KSA) tokens are JWTs signed by the cluster API server. This field indicates how Google Cloud services validate KSA tokens so that system workloads (such as GKE Connect and telemetry agents) can authenticate back to Google Cloud. Clusters with public and with private issuer URLs are both supported: a cluster with a public issuer only needs to specify `issuerUrl`, while a cluster with a private issuer must provide both `issuerUrl` and `jwks`. |
oidcConfig.issuerUrl | Required |
Immutable. A JSON Web Token (JWT) issuer URI. The value must start with `https://`. |
oidcConfig.jwks | Optional |
Immutable, Optional. OIDC verification keys in JWKS format (RFC 7517): a list of keys that can be used to verify the cluster's OIDC JWTs. Required for a cluster whose discovery endpoint is not publicly reachable. When provided, it is used directly to verify the OIDC JWT asserted by the IdP. |
platformVersion | Required |
Required. The platform version for the cluster (e.g. `1.30.0-gke.1`). |
projectRef | Required |
The ID of the project in which the resource belongs. |
projectRef.external | Optional |
The `projectID` field of a project, when not managed by Config Connector. |
projectRef.kind | Optional |
The kind of the Project resource; optional but must be `Project` if provided. |
projectRef.name | Optional |
The `name` field of a `Project` resource. |
projectRef.namespace | Optional |
The `namespace` field of a `Project` resource. |
resourceID | Optional |
Immutable, Optional. The ContainerAttachedCluster name. If not given, the metadata.name will be used. |
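Before filling in `spec.oidcConfig`, it helps to confirm that the issuer you will declare is the one the cluster actually stamps into its service account tokens and, when the discovery endpoint is private, that the JWKS you will supply carries the key ID (`kid`) those tokens reference. The POSIX shell script below is an added example, not code from the Config Connector project. The function names (`b64url_decode`, `json_str`, `jwt_issuer`, `jwt_kid`, `issuer_matches`, `jwks_has_kid`, `issuer_is_public`) are this example's own; the token and JWKS it embeds are constructed, with a dummy signature, because only `iss` and `kid` are inspected; and it assumes `base64 -d`, `sed` and `curl` are available and that the JSON it reads is compact (no whitespace), as JWT segments and the API server's JWKS are emitted. On a real cluster, mint a token with `kubectl create token <serviceaccount>` and read the keys with `kubectl get --raw /openid/v1/jwks`.

```sh
#!/bin/sh
# Added example: sanity-check the issuer and key ID a KSA token carries
# against what you are about to put into spec.oidcConfig.
set -eu

# Decode one base64url segment of a JWT (header or payload), restoring padding.
b64url_decode() {
  seg=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d
}

# Encode bytes as unpadded base64url (used only to build the sample token).
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

# Extract a string-valued field from compact JSON: json_str '{"iss":"x"}' iss -> x
json_str() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

jwt_issuer() { json_str "$(b64url_decode "$(printf '%s' "$1" | cut -d. -f2)")" iss; }
jwt_kid()    { json_str "$(b64url_decode "$(printf '%s' "$1" | cut -d. -f1)")" kid; }

# Exit 0 if the token's iss equals the issuerUrl you intend to declare.
issuer_matches() {  # $1 = token, $2 = issuerUrl
  [ "$(jwt_issuer "$1")" = "$2" ]
}

# Exit 0 if the JWKS document contains a key whose kid the token references.
# This is the check that matters when jwks is set: the signature can only be
# verified if the referenced key is in the supplied set.
jwks_has_kid() {  # $1 = token, $2 = JWKS JSON
  kid=$(jwt_kid "$1")
  [ -n "$kid" ] && printf '%s' "$2" | grep -q "\"kid\":\"$kid\""
}

# Exit 0 if the issuer's discovery document is reachable without credentials.
# If this fails, the issuer is private and jwks must be set alongside issuerUrl.
# Needs network; not exercised offline.
issuer_is_public() {  # $1 = issuerUrl
  curl -fsS --max-time 10 "${1%/}/.well-known/openid-configuration" >/dev/null 2>&1
}

# Constructed sample (not a real cluster token or key set).
SAMPLE_ISSUER='https://oidc.example.invalid/id/ABC123'
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","kid":"key-1"}').$(b64url_encode "{\"iss\":\"$SAMPLE_ISSUER\",\"sub\":\"system:serviceaccount:gke-system:gke-connect\"}").sig"
SAMPLE_JWKS='{"keys":[{"kty":"RSA","kid":"key-1","use":"sig","alg":"RS256","n":"placeholder","e":"AQAB"}]}'
```

With a real token in `TOKEN` and the JWKS from `kubectl get --raw /openid/v1/jwks` in `JWKS`, the decision is: `issuer_matches "$TOKEN" "$ISSUER_URL"` must succeed; if `issuer_is_public "$ISSUER_URL"` succeeds, `issuerUrl` alone is enough, otherwise `jwks_has_kid "$TOKEN" "$JWKS"` must succeed as well before you set `spec.oidcConfig.jwks`.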
Status
Schema
```yaml
clusterRegion: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
createTime: string
errors:
- message: string
kubernetesVersion: string
observedGeneration: integer
observedState:
  fleetMembership: string
reconciling: boolean
state: string
uid: string
updateTime: string
workloadIdentityConfig:
- identityProvider: string
  issuerUri: string
  workloadPool: string
```
Fields | |
---|---|
clusterRegion |
The region where this cluster runs. For EKS clusters, this is an AWS region. For AKS clusters, this is an Azure region. |
conditions |
Conditions represent the latest available observations of the object's current state. |
conditions[] |
|
conditions[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
conditions[].message |
Human-readable message indicating details about last transition. |
conditions[].reason |
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status |
Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type |
Type is the type of the condition. |
createTime |
The time at which this cluster was registered. |
errors |
A set of errors found in the cluster. |
errors[] |
|
errors[].message |
Human-friendly description of the error. |
kubernetesVersion |
The Kubernetes version of the cluster. |
observedGeneration |
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
observedState |
ObservedState is the state of the resource as most recently observed in GCP. |
observedState.fleetMembership |
Output only. The name of the managed Hub Membership resource associated to this cluster. Membership names are formatted as `projects/ |
reconciling |
If set, there are currently changes in flight to the cluster. |
state |
The current state of the cluster. Possible values: STATE_UNSPECIFIED, PROVISIONING, RUNNING, RECONCILING, STOPPING, ERROR, DEGRADED. |
uid |
A globally unique identifier for the cluster. |
updateTime |
The time at which this cluster was last updated. |
workloadIdentityConfig |
Workload Identity settings. |
workloadIdentityConfig[] |
|
workloadIdentityConfig[].identityProvider |
The ID of the OIDC Identity Provider (IdP) associated to the Workload Identity Pool. |
workloadIdentityConfig[].issuerUri |
The OIDC issuer URL for this cluster. |
workloadIdentityConfig[].workloadPool |
The Workload Identity Pool associated to the cluster. |
Sample YAML(s)
Container Attached Cluster Basic
```yaml
# Copyright 2023 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: containerattached.cnrm.cloud.google.com/v1beta1
kind: ContainerAttachedCluster
metadata:
  name: containerattachedcluster-sample-basic
spec:
  # Replace ${ATTACHED_CLUSTER_NAME?} with the name of the underlying attached cluster
  resourceID: ${ATTACHED_CLUSTER_NAME?}
  location: us-west1
  projectRef:
    # Replace ${PROJECT_ID?} with your Google Cloud project id
    external: ${PROJECT_ID?}
  description: "Test attached cluster basic sample"
  # Replace ${DISTRIBUTION?} with the Kubernetes distribution of the underlying attached cluster
  # Supported values: "eks", "aks".
  distribution: ${DISTRIBUTION?}
  oidcConfig:
    # Replace ${ISSUER_URL?} with the OIDC issuer URL of the underlying attached cluster
    issuerUrl: ${ISSUER_URL?}
  # Replace ${ATTACHED_CLUSTER_PLATFORM_VERSION?} with the platform version of the underlying attached cluster
  platformVersion: ${ATTACHED_CLUSTER_PLATFORM_VERSION?}
  fleet:
    projectRef:
      name: containerattachedcluster-dep-basic
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: containerattachedcluster-dep-basic
  annotations:
    cnrm.cloud.google.com/deletion-policy: abandon
spec:
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  resourceID: ${PROJECT_ID?}
  organizationRef:
    # Replace ${ORG_ID?} with the Google Cloud organization id your project belongs to
    external: "${ORG_ID?}"
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  name: ${PROJECT_ID?}
```
Container Attached Cluster Full
```yaml
apiVersion: containerattached.cnrm.cloud.google.com/v1beta1
kind: ContainerAttachedCluster
metadata:
  name: containerattachedcluster-sample-full
spec:
  # Replace ${ATTACHED_CLUSTER_NAME?} with the name of the underlying attached cluster
  resourceID: ${ATTACHED_CLUSTER_NAME?}
  location: us-west1
  projectRef:
    # Replace ${PROJECT_ID?} with your Google Cloud project id
    external: ${PROJECT_ID?}
  description: "Test attached cluster full sample"
  # Replace ${DISTRIBUTION?} with the Kubernetes distribution of the underlying attached cluster
  # Supported values: "eks", "aks".
  distribution: ${DISTRIBUTION?}
  annotations:
    label-one: "value-one"
  authorization:
    # Each listed user is bound to the cluster-admin ClusterRole on the attached cluster
    adminUsers: ["user1@example.com", "user2@example.com"]
  oidcConfig:
    # Replace ${ISSUER_URL?} with the OIDC issuer URL of the underlying attached cluster
    issuerUrl: ${ISSUER_URL?}
  # Replace ${ATTACHED_CLUSTER_PLATFORM_VERSION?} with the platform version of the underlying attached cluster
  platformVersion: ${ATTACHED_CLUSTER_PLATFORM_VERSION?}
  fleet:
    projectRef:
      name: containerattachedcluster-dep-full
  loggingConfig:
    componentConfig:
      enableComponents: ["SYSTEM_COMPONENTS", "WORKLOADS"]
  monitoringConfig:
    managedPrometheusConfig:
      enabled: true
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: containerattachedcluster-dep-full
  annotations:
    cnrm.cloud.google.com/deletion-policy: abandon
spec:
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  resourceID: ${PROJECT_ID?}
  organizationRef:
    # Replace ${ORG_ID?} with the Google Cloud organization id your project belongs to
    external: "${ORG_ID?}"
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  name: ${PROJECT_ID?}
```
Container Attached Cluster Ignore Errors
```yaml
apiVersion: containerattached.cnrm.cloud.google.com/v1beta1
kind: ContainerAttachedCluster
metadata:
  name: containerattachedcluster-sample-ignore-errors
spec:
  # Replace ${ATTACHED_CLUSTER_NAME?} with the name of the underlying attached cluster
  resourceID: ${ATTACHED_CLUSTER_NAME?}
  location: us-west1
  projectRef:
    # Replace ${PROJECT_ID?} with your Google Cloud project id
    external: ${PROJECT_ID?}
  description: "Test attached cluster ignore errors sample"
  # Replace ${DISTRIBUTION?} with the Kubernetes distribution of the underlying attached cluster
  # Supported values: "eks", "aks".
  distribution: ${DISTRIBUTION?}
  oidcConfig:
    # Replace ${ISSUER_URL?} with the OIDC issuer URL of the underlying attached cluster
    issuerUrl: ${ISSUER_URL?}
  # Replace ${ATTACHED_CLUSTER_PLATFORM_VERSION?} with the platform version of the underlying attached cluster
  platformVersion: ${ATTACHED_CLUSTER_PLATFORM_VERSION?}
  fleet:
    projectRef:
      name: containerattachedcluster-dep-ignore-errors
  # Delete the Google Cloud resource even if cleanup inside the target cluster fails;
  # objects the install manifest created may then remain in that cluster.
  deletionPolicy: "DELETE_IGNORE_ERRORS"
---
apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
kind: Project
metadata:
  name: containerattachedcluster-dep-ignore-errors
  annotations:
    cnrm.cloud.google.com/deletion-policy: abandon
spec:
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  resourceID: ${PROJECT_ID?}
  organizationRef:
    # Replace ${ORG_ID?} with the Google Cloud organization id your project belongs to
    external: "${ORG_ID?}"
  # Replace ${PROJECT_ID?} with your Google Cloud project id
  name: ${PROJECT_ID?}
```