CNE GCP Ready: Accessing the Kubernetes Cluster
Cloud Native Experience (CNE) GCP Ready provisions Google Kubernetes Engine (GKE) clusters as private clusters by default.
Because the Kubernetes API server does not expose a public endpoint, access is performed through Google Cloud Connect Gateway.
Prerequisites
Before connecting to the cluster:
- Authenticate with Google Cloud:
  gcloud auth login
  gcloud auth application-default login
- Verify that the following APIs are enabled in the GCP project:
  connectgateway.googleapis.com
  gkehub.googleapis.com
Configure Access Permissions
Cluster access requires both Google Cloud IAM permissions and Kubernetes RBAC permissions.
Google Cloud IAM Roles
Assign the following IAM roles to the user or service account:
- roles/gkehub.gatewayAdmin
- roles/gkehub.viewer
Depending on the required access level, you can also use:
- roles/gkehub.gatewayReader
- roles/gkehub.gatewayEditor
Kubernetes RBAC
Some high-level Google Cloud roles map to Kubernetes administrative access automatically.
For example:
- roles/container.admin
- Project Owner
For least-privilege access, configure explicit Kubernetes RBAC bindings instead.
Example:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gateway-user-admin
subjects:
  - kind: User
    name: user@example.com
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Connect to the Cluster
- List available fleet memberships:
  gcloud container fleet memberships list
- Retrieve cluster credentials through Connect Gateway:
  gcloud container fleet memberships get-credentials <membership-name>
- Verify cluster access:
  kubectl get nodes
After authentication completes, your kubeconfig uses the Connect Gateway endpoint automatically.
Verify the Active Context
To verify the current Kubernetes context, run kubectl config current-context.
Contexts configured through Connect Gateway begin with connectgateway_.
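The prerequisite, connection and context-verification steps above as one script with a check after each step. This is an added example, not part of the CNE GCP Ready documentation; it assumes gcloud and kubectl are installed, that gcloud auth login has already been run, and uses placeholder values for the project id and membership name.

```shell
#!/bin/sh
# Added example, not part of the CNE GCP Ready documentation: the prerequisite
# and connection steps as one script with checks after each step.
# Assumes gcloud and kubectl are installed and `gcloud auth login` has run.
# PROJECT and MEMBERSHIP are placeholders for your project id and membership.
set -eu

PROJECT="${PROJECT:-my-gcp-project}"      # placeholder
MEMBERSHIP="${MEMBERSHIP:-my-cluster}"    # placeholder

# Connect Gateway contexts begin with connectgateway_; anything else means
# kubectl is pointed at some other cluster or a stale context.
is_connectgateway_context() {
  case "$1" in
    connectgateway_*) return 0 ;;
    *) return 1 ;;
  esac
}

# Both APIs must be enabled, otherwise get-credentials fails later with a
# less obvious error.
required_apis_enabled() {
  enabled="$(gcloud services list --enabled --project "$PROJECT" \
    --format='value(config.name)')"
  for api in connectgateway.googleapis.com gkehub.googleapis.com; do
    printf '%s\n' "$enabled" | grep -qx "$api" \
      || { echo "API not enabled: $api" >&2; return 1; }
  done
}

connect_via_gateway() {
  required_apis_enabled
  gcloud container fleet memberships list --project "$PROJECT"
  gcloud container fleet memberships get-credentials "$MEMBERSHIP" \
    --project "$PROJECT"
  ctx="$(kubectl config current-context)"
  is_connectgateway_context "$ctx" \
    || { echo "current context is not a gateway context: $ctx" >&2; return 1; }
  # Confirm the RBAC binding grants what you expect before relying on it;
  # `auth can-i` exits non-zero when the answer is "no".
  kubectl auth can-i list nodes
  kubectl get nodes
}

# Run the procedure only when invoked as `sh connect.sh run`, so the file can
# also be sourced just for its helper functions.
if [ "${1:-}" = "run" ]; then
  connect_via_gateway
fi
```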
For more information, see Connect Gateway and Connect Gateway Setup.