Anthos Connect

1. Overview

  • GKE Connect connects GKE On-Prem and other Kubernetes clusters to Google Cloud Platform (GCP).
  • This enables access to cluster and workload management features through a unified user interface.
  • To connect GKE On-Prem and other Kubernetes clusters residing outside of a GCP project, Google provides a "Connect agent," a Kubernetes Deployment resource that runs in each cluster.
  • The Connect agent can be configured to traverse NATs, egress proxies, and firewalls to establish a long-lived, encrypted connection between a cluster's Kubernetes API server and a GCP project.
  • Authorized users can log in to clusters, access details about their resources, projects, and clusters, and manage cluster infrastructure and workloads whether they are running on Google's hardware or elsewhere.
  • The Connect agent reaches out to Google to establish the connection to the project; the connection is outbound from the cluster.
  • The Connect agent software can exchange with GCP the account credentials, technical details, and metadata about connected infrastructure and workloads that are necessary to manage them, including details of resources, applications, and hardware.
  • Cluster service data is associated with a GCP project and/or account.
  • Google uses this data to maintain a control plane between clusters and GCP and to provide access to any GCP services and features requested.
  • Users remain in control of the data sent through Connect.
  • The Kubernetes API server performs authentication, authorization, and audit logging on all requests that arrive via Connect.
  • Google and users can access data or APIs via Connect after they have been authorized by the cluster administrator using RBAC.
  • The cluster administrator can revoke that authorization.
  • Kubernetes clusters and their API servers do not need public or externally exposed IP addresses.
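The two bullets on RBAC authorization and revocation are where the cluster administrator actually decides what a Connect user may see. The following is an added example, not code from the Google documentation or the Connect agent itself: a read-only ClusterRole scoped to workload objects (no Secrets, no write verbs) and a ClusterRoleBinding that grants it to a single user. The role and binding names and the user identity alice@example.com are constructed placeholders; the exact subject name the API server sees for a Connect request is an assumption that depends on how the cluster authenticates those requests.

```yaml
# Added example: least-privilege RBAC grant for a user reaching the cluster through Connect.
# All names are constructed placeholders.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: connect-workload-viewer
rules:
  # Read-only access to core workload and topology objects.
  # Secrets are deliberately omitted so the user cannot read credentials.
  - apiGroups: [""]
    resources: ["pods", "services", "namespaces", "nodes"]
    verbs: ["get", "list", "watch"]
  # Read-only access to controller objects in the apps group.
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: connect-workload-viewer-binding
subjects:
  # Assumed subject form: the user identity as presented to the API server.
  - kind: User
    name: alice@example.com
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: connect-workload-viewer
  apiGroup: rbac.authorization.k8s.io
```

Apply it with `kubectl apply -f connect-rbac.yaml`, then confirm the boundary before handing out access: `kubectl auth can-i list pods --as alice@example.com` should answer yes, while `kubectl auth can-i get secrets --as alice@example.com` and `kubectl auth can-i delete deployments --as alice@example.com` should answer no. Revocation is the deletion of the binding, `kubectl delete clusterrolebinding connect-workload-viewer-binding`; because the API server audit-logs every request that arrives via Connect, the audit log shows what the user accessed while the binding existed.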