gcloud beta container hub memberships register
- NAME
- gcloud beta container hub memberships register - register a cluster with a fleet
- SYNOPSIS
gcloud beta container hub memberships register (MEMBERSHIP_NAME : --location=LOCATION) (--gke-cluster=LOCATION/CLUSTER_NAME | --gke-uri=GKE_URI | [--context=CONTEXT : --kubeconfig=KUBECONFIG]) [--install-connect-agent] [--internal-ip] [--manifest-output-file=MANIFEST_OUTPUT_FILE] [--proxy=PROXY] [--service-account-key-file=SERVICE_ACCOUNT_KEY_FILE | [--enable-workload-identity : --has-private-issuer | --public-issuer-url=PUBLIC_ISSUER_URL]] [GCLOUD_WIDE_FLAG …]
- DESCRIPTION
(BETA) This command registers a cluster with the fleet by:
1. Creating a Fleet Membership resource corresponding to the cluster.
2. Adding in-cluster Kubernetes Resources that make the cluster exclusive to one fleet.
3. Installing the Connect agent into this cluster (optional for GKE).
A successful registration implies that the cluster is now exclusive to a single Fleet. If the cluster is already registered to another Fleet, the registration will not be successful.
To register a GKE cluster, use the --gke-cluster or --gke-uri flag (no --kubeconfig flag is required). Connect agent will not be installed by default for GKE clusters. To install it, specify --install-connect-agent. The default value for --location is the same as the cluster's region or zone; it can be specified as global.
Anthos clusters on VMware, bare metal, AWS, and Azure are registered with a fleet when the clusters are created. To register Amazon EKS clusters, see Attach your EKS cluster. To register Microsoft Azure clusters, see Attach your AKS cluster.
To register a third-party cluster, use the --context flag (with an optional --kubeconfig flag). Connect agent will always be installed for these clusters.
If Connect agent is to be installed, its authentication needs to be configured by --enable-workload-identity or --service-account-key-file. For the latter case, the corresponding service account must have been granted gkehub.connect permissions.
For more information about Connect agent, go to: https://cloud.google.com/anthos/multicluster-management/connect/overview/
Rerunning this command against the same cluster with the same MEMBERSHIP_NAME and target fleet is successful, and will upgrade the Connect agent if it is supposed to be installed and a newer version is available. Rerunning with --enable-workload-identity ensures that Workload Identity is enabled on the cluster.
- EXAMPLES
- Register a non-GKE cluster referenced from a specific kubeconfig file, and install the Connect agent:
    gcloud beta container hub memberships register my-cluster --context=my-cluster-context --kubeconfig=/home/user/custom_kubeconfig --service-account-key-file=/tmp/keyfile.json
- Register a non-GKE cluster referenced from the default kubeconfig file, and install the Connect agent:
    gcloud beta container hub memberships register my-cluster --context=my-cluster-context --service-account-key-file=/tmp/keyfile.json
- Register a non-GKE cluster, and install a specific version of the Connect agent:
    gcloud beta container hub memberships register my-cluster --context=my-cluster-context --version=gkeconnect_20190802_02_00 --service-account-key-file=/tmp/keyfile.json
- Register a non-GKE cluster and output a manifest that can be used to install the Connect agent by kubectl:
    gcloud beta container hub memberships register my-cluster --context=my-cluster-context --manifest-output-file=/tmp/manifest.yaml --service-account-key-file=/tmp/keyfile.json
- Register a GKE cluster referenced from a GKE URI:
    gcloud beta container hub memberships register my-cluster --gke-uri=my-cluster-gke-uri
- Register a GKE cluster referenced from a GKE URI, and install the Connect agent using service account key file:
    gcloud beta container hub memberships register my-cluster --gke-uri=my-cluster-gke-uri --install-connect-agent --service-account-key-file=/tmp/keyfile.json
- Register a GKE cluster and output a manifest that can be used to install the Connect agent by kubectl:
    gcloud beta container hub memberships register my-cluster --gke-uri=my-cluster-gke-uri --enable-workload-identity --install-connect-agent --manifest-output-file=/tmp/manifest.yaml
- Register a GKE cluster first, and install the Connect agent later:
    gcloud beta container hub memberships register my-cluster --gke-cluster=my-cluster-region-or-zone/my-cluster
    gcloud beta container hub memberships register my-cluster --gke-cluster=my-cluster-region-or-zone/my-cluster --install-connect-agent --enable-workload-identity
- Register a GKE cluster, and install a specific version of the Connect agent:
    gcloud beta container hub memberships register my-cluster --gke-cluster=my-cluster-region-or-zone/my-cluster --install-connect-agent --version=20220819-00-00 --service-account-key-file=/tmp/keyfile.json
- Register a GKE cluster and output a manifest that can be used to install the Connect agent:
    gcloud beta container hub memberships register my-cluster --gke-uri=my-cluster-gke-uri --install-connect-agent --manifest-output-file=/tmp/manifest.yaml --service-account-key-file=/tmp/keyfile.json
- POSITIONAL ARGUMENTS
- Membership resource - The group of arguments defining a membership. The arguments in this group can be used to specify the attributes of this resource. (NOTE) Some attributes are not given arguments in this group but can be set in other ways.
To set the project attribute:
- provide the argument MEMBERSHIP_NAME on the command line with a fully specified name;
- provide the argument --project on the command line;
- set the property core/project.
This must be specified.
MEMBERSHIP_NAME - ID of the membership or fully qualified identifier for the membership.
To set the membership attribute:
- provide the argument MEMBERSHIP_NAME on the command line.
This positional argument must be specified if any of the other arguments in this group are specified.
--location=LOCATION - The location for the membership resource, e.g. us-central1. If not specified, defaults to global. Not supported for GKE clusters, whose membership location will be the location of the cluster.
To set the location attribute:
- provide the argument MEMBERSHIP_NAME on the command line with a fully specified name;
- provide the argument --location on the command line;
- set the property gkehub/location.
- REQUIRED FLAGS
- Cluster identifier.
Exactly one of these must be specified:
--gke-cluster=LOCATION/CLUSTER_NAME - The location/name of the GKE cluster. The location can be a zone or a region, e.g. us-central1-a/my-cluster.
--gke-uri=GKE_URI - The URI of a GKE cluster that you want to register to Hub; for example, 'https://container.googleapis.com/v1/projects/my-project/locations/us-central1-a/clusters/my-cluster'. To obtain the URI, you can run 'gcloud container clusters list --uri'. Note that this should only be provided if the cluster being registered is a GKE cluster. The service will validate the provided URI to confirm that it maps to a valid GKE cluster.
- Non-GKE cluster identifier.
--context=CONTEXT - The cluster context as it appears in the kubeconfig file. You can get this value from the command line by running command: kubectl config current-context. This flag argument must be specified if any of the other arguments in this group are specified.
--kubeconfig=KUBECONFIG - The kubeconfig file containing an entry for the cluster. Defaults to $KUBECONFIG if it is set in the environment, otherwise defaults to $HOME/.kube/config.
- OPTIONAL FLAGS
--install-connect-agent - If set to True for a GKE cluster, Connect agent will be installed in the cluster. No-op for Non-GKE clusters, where Connect agent will always be installed.
--internal-ip - Whether to use the internal IP address of the cluster endpoint.
--manifest-output-file=MANIFEST_OUTPUT_FILE - The full path of the file into which the Connect agent installation manifest should be stored. If this option is provided, then the manifest will be written to this file and will not be deployed into the cluster by gcloud, and it will need to be deployed manually.
--proxy=PROXY - The proxy address in the format of http[s]://{hostname}. The proxy must support the HTTP CONNECT method in order for this connection to succeed.
- At most one of these can be specified:
--service-account-key-file=SERVICE_ACCOUNT_KEY_FILE - The JSON file of a Google Cloud service account private key. This service account key is stored as a secret named creds-gcp in gke-connect namespace. To update the creds-gcp secret in gke-connect namespace with a new service account key file, run the following command:
    kubectl delete secret creds-gcp -n gke-connect
    kubectl create secret generic creds-gcp -n gke-connect --from-file=creds-gcp.json=/path/to/file
- Workload Identity
--enable-workload-identity - Enable Workload Identity when registering the cluster with a fleet. Ensure that GKE Workload Identity is enabled on your GKE cluster, it is a requirement for using Workload Identity with memberships. Refer to the Enable GKE Workload Identity section in https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#enable. The --service_account_key_file flag should not be set if this is set. This flag argument must be specified if any of the other arguments in this group are specified.
- At most one of these can be specified:
--has-private-issuer - Set to true for clusters where no publicly-routable OIDC discovery endpoint for the Kubernetes service account token issuer exists.
When set to true, the gcloud command-line tool will read the private issuer URL and JSON Web Key Set (JWKS) (public keys) for validating service account tokens from the cluster's API server and upload both when creating the Membership. Google Cloud Platform will then use the JWKS, instead of a public OIDC endpoint, to validate service account tokens issued by this cluster. Note the JWKS establishes the uniqueness of issuers in this configuration, but issuer claims in tokens are still compared to the issuer URL associated with the Membership when validating tokens.
Note the cluster's OIDC discovery endpoints (KUBE-API-ADDRESS/.well-known/openid-configuration and KUBE-API-ADDRESS/openid/v1/jwks) must still be network-accessible to the gcloud client running this command.
--public-issuer-url=PUBLIC_ISSUER_URL - Skip auto-discovery and register the cluster with this issuer URL. Use this option when the OpenID Provider Configuration and associated JSON Web Key Set for validating the cluster's service account JWTs are served at a public endpoint different from the cluster API server. Requires --enable-workload-identity.
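An added example, not part of the gcloud reference or Google's code: a Python pre-flight check of what the --has-private-issuer description relies on, namely a non-empty JWKS, a token `iss` claim equal to the discovered issuer URL, and a token signing key present in the JWKS. On a real cluster the two documents can be read with `kubectl get --raw /.well-known/openid-configuration` and `kubectl get --raw /openid/v1/jwks`. Assumptions: the sample documents, the host name `kube.example.internal` and all function names are constructed for illustration, and the issuer comparison is treated as an exact string match, as OIDC specifies.

```python
import base64
import json


def b64url_json(segment):
    """Decode one base64url JWT segment to a dict (no signature verification)."""
    padded = segment + "=" * (-len(segment) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(padded))


def preflight(discovery_json, jwks_json, sa_token):
    """Return problems that would stop validation of this cluster's tokens."""
    problems = []
    issuer = json.loads(discovery_json).get("issuer")
    keys = json.loads(jwks_json).get("keys", [])
    parts = sa_token.split(".")
    if len(parts) != 3:
        return ["service account token is not a three-part JWT"]
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    if not issuer:
        problems.append("discovery document has no issuer")
    if not keys:
        problems.append("JWKS has no keys")
    # The issuer claim is compared with the issuer URL stored on the Membership.
    # Assumption: exact string match (OIDC rule), so a trailing slash matters.
    if claims.get("iss") != issuer:
        problems.append(f"token iss {claims.get('iss')!r} != issuer {issuer!r}")
    # The signing key named in the token header must be in the uploaded JWKS.
    if header.get("kid") not in {k.get("kid") for k in keys}:
        problems.append(f"token kid {header.get('kid')!r} not in JWKS")
    return problems


def sample_token(kid, iss):
    """Build an unsigned, constructed token for the demo below."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'kid': kid})}.{enc({'iss': iss})}.sig"


# Constructed sample data standing in for the cluster's real documents.
DISCOVERY = '{"issuer": "https://kube.example.internal", "jwks_uri": "https://kube.example.internal/openid/v1/jwks"}'
JWKS = '{"keys": [{"kty": "RSA", "kid": "key-1", "use": "sig"}]}'

if __name__ == "__main__":
    for tok in (sample_token("key-1", "https://kube.example.internal"),
                sample_token("key-1", "https://kube.example.internal/"),
                sample_token("key-0", "https://kube.example.internal")):
        print(preflight(DISCOVERY, JWKS, tok) or "OK")
```

The check only inspects claims and key IDs; it does not verify the token signature.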
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
- NOTES
- This command is currently in beta and might change without notice. These variants are also available:
    gcloud container hub memberships register
    gcloud alpha container hub memberships register
Last updated 2025-07-22 UTC.