- GKE Connect connects GKE On-Prem and other Kubernetes clusters to Google Cloud Platform (GCP).
- This enables access to cluster and workload management features via a unified user interface.
- To connect GKE On-Prem and other Kubernetes clusters residing outside of a GCP project, Google provides a "Connect Agent," a Kubernetes Deployment resource that runs in those clusters.
- The Connect Agent can be configured to traverse NATs, egress proxies, and firewalls to establish a long-lived, encrypted connection between a cluster's Kubernetes API server and a GCP project.
- Authorized users can log in to clusters, access details about their resources, projects, and clusters, and manage cluster infrastructure and workloads whether they are running on Google's hardware or elsewhere.
- The Connect Agent initiates the connection outbound to Google to establish the link to the project.
- To manage connected infrastructure and workloads, the Connect Agent software can exchange with GCP the account credentials, technical details, and metadata needed for that management, including details of resources, applications, and hardware.
- Cluster service data is associated with a GCP project and/or account.
- Google uses this data to maintain a control plane between clusters and GCP, to provide access to any GCP services and features requested.
- Users remain in control of data sent through Connect.
- The Kubernetes API server performs authentication, authorization, and audit logging on all requests arriving via Connect.
- Google and users can access data or APIs via Connect only after the cluster administrator has authorized them using RBAC.
- The cluster administrator can revoke authorization.
- Kubernetes clusters and their API servers do not need public or externally exposed IPs.
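As an added example (not taken from the page or from Google's GKE Connect documentation), this is the shape of a least-privilege RBAC grant a cluster administrator might create for an identity that reaches the cluster through Connect; the namespace `team-a` and the service account name are placeholders, and the grant is deliberately namespace-scoped rather than cluster-wide.

```yaml
# Added example, not from the GKE Connect docs. Names are placeholders.
# The identity below is what an operator would authorize for access via Connect.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: connect-viewer          # placeholder identity used through Connect
  namespace: team-a
---
# Bind the built-in read-only "view" ClusterRole, but only within one namespace.
# A RoleBinding (not a ClusterRoleBinding) keeps the grant scoped to team-a.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: connect-viewer-read-only
  namespace: team-a             # binding applies to this namespace only
subjects:
- kind: ServiceAccount
  name: connect-viewer
  namespace: team-a
roleRef:
  kind: ClusterRole
  name: view                    # built-in Kubernetes read-only role
  apiGroup: rbac.authorization.k8s.io
```

Revocation is the administrator deleting the binding (`kubectl delete rolebinding connect-viewer-read-only -n team-a`); requests that arrive through Connect are authorized against these bindings and recorded by the API server's audit logging like any other request.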