Manage fleet-level features

Fleets let you manage enterprise and other fleet-enabled features across multiple clusters at the same time. This lets you, for example, apply a common set of policies or create a single service mesh across your fleet of clusters. This page provides an overview of how you can manage features for your fleet. For more information about configuring and using individual features, see their documentation.

If you've enabled Google Kubernetes Engine, you can manage features in the Google Cloud console. All fleet users can manage features using the command line.

Some features let you create fleet-level default feature configuration for your fleet clusters. For example, you can ensure that every cluster you create in your fleet has Policy Controller installed and configured.

You can learn more about how fleet-level feature management on your clusters works "under the hood" in the Feature authorization section.

Fleet-level features

You can manage the following features at fleet level:

This list does not include all features that use or require fleets. For example, fleet Workload Identity Federation relies on clusters being members of a fleet but does not require configuration at fleet level, and Cloud Service Mesh requires fleet membership for all control plane and setup options.

You can find out more about which features are available in which environments in the Deployment options page.

Set up fleet-level features

The following sections describe how you can enable and configure fleet-level features.

To use a fleet-level feature, in most cases you enable the feature for your fleet and configure it for your fleet members. Some configuration (or other additional setup) is generally required to actually use the feature with your clusters and workloads.

You can create fleet-default cluster configurations for some features, meaning that any new clusters you create in your fleet will be created with your specified settings for that feature already configured.

Enable features with fleet-level defaults

You can create fleet-level default settings for your GKE clusters for some features. After creating these settings, any GKE cluster that you register during cluster creation is automatically configured with your fleet-level configurations. So, for example, if you set up defaults for Policy Controller, each new cluster you create in your fleet will have your specified version of Policy Controller installed, with your specified policy bundles and other settings. Fleet default settings are not automatically applied to existing fleet member clusters, although you can sync existing clusters to your default settings by using the Google Cloud console.

The general process for enabling features with fleet-level defaults is as follows:

Console

  1. In your fleet host project, go to the Feature Manager page:

    The features that support configuring fleet-level defaults using the Google Cloud console are listed under Fleet-level Feature Management.

  2. For your chosen feature, click Configure and follow the instructions to enable and configure defaults for the feature.

  3. Optional: Select and sync existing clusters in your fleet to your new settings.

gcloud

  1. Create a YAML file specifying your chosen fleet defaults for the feature.
  2. Run the enable command for the feature, passing it your configuration file. Each fleet-level feature has its own enable command. For example, to enable Cloud Service Mesh for your fleet with the default configuration specified in mesh.yaml, run the following command in your fleet host project:

    gcloud container fleet mesh enable --fleet-default-member-config mesh.yaml

Alternatively, for some features you can specify fleet defaults using parameters to the fleet create or fleet update command. See the guide for your chosen feature for more details.

Terraform

Define a google_gke_hub_feature resource with a fleet_default_member_config block that specifies your chosen fleet defaults. For details and supported fleet features, see the Terraform documentation.

Not all features support fleet default configuration using all of these options. For detailed instructions on how to set up fleet defaults for each supported feature, see the following documentation:

Enable and configure fleet features on individual clusters

As an alternative to fleet default configuration, you can choose to configure fleet features separately on individual clusters. This might be a good option if:

  • You want to configure an existing cluster to use a feature.
  • You want to use services where fleet default configuration is not available, or not available using your chosen tool.

Enable features

Note that this step is not required for all features. See the guide for your chosen feature for more details.

Console

You can enable features from the Feature Manager page in the Google Cloud console.

To enable a feature for your fleet:

  1. In your fleet host project, go to the Feature Manager page:

    Features that can be enabled but not configured from this page are listed under Manage other enterprise-ready features.

  2. Click Enable in the panel for the feature you want to enable.

  3. Click the Enable... button in the details panel that displays.

gcloud

Each fleet-level feature has its own enable command. For example, to enable GKE Identity Service for your fleet, you run the following command in your fleet host project:

gcloud container fleet identity-service enable

See the Google Cloud SDK reference documentation (and its beta and alpha equivalents) for a complete list of commands, or the individual feature documentation sets for more details.

To learn how to check if a feature has already been enabled and view other feature status, see View fleet feature status.

Configure individual clusters

The configuration steps you follow depend on the feature. See the following guides for more information:

View fleet feature status

The easiest way to view fleet feature status is by using the Feature Manager dashboard in the Google Cloud console.

For supported features, this page displays how many of your fleet clusters have the following status:

  • Have this feature enabled
  • Have this feature enabled successfully
  • Have a warning for this feature
  • Have an error for this feature

You can also see whether fleet default settings have been configured for the feature, and how many fleet member clusters have these settings. For enabled features, you can click through to a detail page that lists the clusters using the feature, and, if configured, lets you select and sync clusters to your fleet default settings.

For features that can't be configured using this page (listed under Manage other enterprise-ready features), you can see whether the feature has been enabled for your fleet, and view a details panel that shows how many clusters have the feature installed and other relevant information.

View feature status using gcloud

gcloud

Run the following command to list all enabled features:

gcloud container fleet features list

Disable a fleet-level feature

To disable a feature at fleet level, do the following in your fleet host project.

Console

Only the fleet features listed under Manage other enterprise-ready features can be disabled from the Google Cloud console.

  1. In your fleet host project, go to the Feature Manager page:

  2. Click Details in the panel for the feature you want to disable.

  3. Click the Disable... button in the details panel that displays.

gcloud

Each fleet-level feature has its own disable command. For example, to disable Cloud Service Mesh for your fleet, run the following command in your fleet host project:

gcloud container fleet mesh disable

See the Google Cloud SDK reference documentation (and its beta and alpha equivalents) for a complete list of commands, or the individual feature documentation sets for more details.

For expected behavior after you disable a feature for your fleet, see the relevant feature documentation. In many cases, the relevant configuration still exists on your cluster but you are no longer able to centrally manage the feature using fleet commands or the Google Cloud console.

Feature authorization

In order to manage features at fleet-level, they must be authorized through role-based access control to perform their functions on clusters. Google Cloud uses a service called Feature Authorizer that automatically sets and updates permissions for fleet-enabled features, which saves you from having to set feature permissions manually on every cluster, especially when Google releases feature updates.

When you register a cluster, the manifest applied to the cluster contains a ClusterRoleBinding that gives the Feature Authorizer a cluster-admin role on the cluster, and the role is attached to a service account named service-project-number@gcp-sa-gkehub.iam.gserviceaccount.com.

When you disable a fleet-enabled feature in your project, Feature Authorizer deletes the corresponding ClusterRole and ClusterRoleBinding for the feature, which removes the feature's ability to operate on the cluster.

View Feature Authorizer in audit logs

To view Feature Authorizer activity in GKE audit logs:

  1. Open Logs Explorer in the Google Cloud console.

  2. Run the following advanced query:

    resource.type="k8s_cluster"
    resource.labels.cluster_name="CLUSTER_NAME"
    resource.labels.location="CLUSTER_LOCATION"
    protoPayload.authenticationInfo.principalEmail="system:serviceaccount:gke-connect:connect-agent-sa"
    protoPayload.authenticationInfo.authoritySelector="service-PROJECT_NUMBER@gcp-sa-gkehub.iam.gserviceaccount.com"

    Replace the following:

    • CLUSTER_NAME: the name of the cluster that you want to view the logs for.
    • CLUSTER_LOCATION: the Google Cloud location that the cluster was created in.
    • PROJECT_NUMBER: the Google Cloud project number for the project that owns the cluster.

For non-GKE clusters, find out where the Kubernetes audit logs are stored, and run a similar query.
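
The same two audit fields can be checked offline against exported audit entries. This Python example is added here and is not part of the original documentation: it keeps only entries from the Connect agent identity, reports RBAC writes made on behalf of the Feature Authorizer service account, and lists any other authority using the same agent identity for separate review. The methodName prefix, the resourceName values, the entry shape and every sample entry are assumptions constructed for illustration.

```python
import json

CONNECT_AGENT = "system:serviceaccount:gke-connect:connect-agent-sa"  # from the page's query
RBAC_PREFIX = "io.k8s.authorization.rbac.v1."  # assumed methodName prefix for RBAC calls
WRITE_VERBS = {"create", "update", "patch", "delete"}

def hub_service_account(project_number):
    """Build the Feature Authorizer service account name used as authoritySelector."""
    if not str(project_number).isdigit():
        raise ValueError("PROJECT_NUMBER must be numeric")
    return f"service-{project_number}@gcp-sa-gkehub.iam.gserviceaccount.com"

def triage(entries, project_number):
    """Return (rbac_changes, other_authorities) for Connect agent audit entries."""
    expected = hub_service_account(project_number)
    rbac_changes, other_authorities = [], []
    for entry in entries:
        payload = entry.get("protoPayload", {})
        auth = payload.get("authenticationInfo", {})
        if auth.get("principalEmail") != CONNECT_AGENT:
            continue  # not routed through the Connect agent
        selector = auth.get("authoritySelector", "")
        method = payload.get("methodName", "")
        verb = method.rsplit(".", 1)[-1]
        if selector != expected:
            # Same agent identity, different authority: report separately.
            other_authorities.append((entry.get("timestamp"), selector, method))
        elif method.startswith(RBAC_PREFIX) and verb in WRITE_VERBS:
            rbac_changes.append((entry.get("timestamp"), verb, payload.get("resourceName")))
    return rbac_changes, other_authorities

def _entry(ts, principal, selector, method, resource):
    """Build one constructed audit entry in the assumed exported JSON shape."""
    return {"timestamp": ts, "protoPayload": {"methodName": method, "resourceName": resource,
            "authenticationInfo": {"principalEmail": principal, "authoritySelector": selector}}}

HUB = hub_service_account("123456789012")  # constructed project number
RBAC_API = "rbac.authorization.k8s.io/v1/"
SAMPLE = [  # constructed entries, not real logs
    _entry("2026-01-10T08:00:00Z", CONNECT_AGENT, HUB, RBAC_PREFIX + "clusterrolebindings.create", RBAC_API + "clusterrolebindings/example-feature"),
    _entry("2026-01-10T08:00:05Z", CONNECT_AGENT, HUB, RBAC_PREFIX + "clusterroles.get", RBAC_API + "clusterroles/example-feature"),
    _entry("2026-01-12T17:30:00Z", CONNECT_AGENT, HUB, RBAC_PREFIX + "clusterrolebindings.delete", RBAC_API + "clusterrolebindings/example-feature"),
    _entry("2026-01-12T18:02:11Z", CONNECT_AGENT, "someone@example.com", "io.k8s.core.v1.secrets.list", "core/v1/namespaces/default/secrets"),
    _entry("2026-01-12T18:05:00Z", "admin@example.com", "", RBAC_PREFIX + "clusterrolebindings.create", RBAC_API + "clusterrolebindings/manual"),
]

if __name__ == "__main__":
    changes, others = triage(SAMPLE, "123456789012")
    print(json.dumps({"feature_authorizer_rbac_changes": changes, "other_authorities": others}, indent=2))
```

A create followed later by a delete on the same binding matches the enable and disable behavior described above; RBAC writes that appear without a corresponding feature change are the ones to follow up.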

Last updated 2026-02-19 UTC.