{"id":689,"date":"2026-04-15T00:53:49","date_gmt":"2026-04-15T00:53:49","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-gke-attached-clusters-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-distributed-hybrid-and-multicloud\/"},"modified":"2026-04-15T00:53:49","modified_gmt":"2026-04-15T00:53:49","slug":"google-cloud-gke-attached-clusters-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-distributed-hybrid-and-multicloud","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/google-cloud-gke-attached-clusters-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-distributed-hybrid-and-multicloud\/","title":{"rendered":"Google Cloud GKE Attached Clusters Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Distributed, hybrid, and multicloud"},"content":{"rendered":"\n

Category<\/h2>\n\n\n\n

Distributed, hybrid, and multicloud<\/p>\n\n\n\n

1. Introduction<\/h2>\n\n\n\n

GKE Attached Clusters is a Google Cloud capability that lets you connect (\u201cattach\u201d) existing Kubernetes clusters\u2014running outside Google Cloud\u2014so you can manage them from Google Cloud with a consistent fleet (multi-cluster) experience.<\/p>\n\n\n\n

In simple terms: if you already have Kubernetes in another environment (for example, on-premises or another cloud), GKE Attached Clusters helps you bring that cluster under Google Cloud\u2019s management umbrella without rebuilding it as a GKE cluster.<\/p>\n\n\n\n

Technically, GKE Attached Clusters integrates external Kubernetes clusters into a Google Cloud fleet<\/em> (formerly commonly referred to under Anthos \/ GKE Enterprise branding). It registers the cluster with Google Cloud control-plane services and installs agents in the cluster to enable secure connectivity, policy management, observability, and governance workflows. The Kubernetes control plane and worker nodes continue to run where they are; Google Cloud provides centralized management and \u201csingle pane of glass\u201d capabilities.<\/p>\n\n\n\n

The problem it solves is operational fragmentation in Distributed, hybrid, and multicloud<\/em> Kubernetes estates: different clusters, different tooling, inconsistent governance, and limited visibility. GKE Attached Clusters offers a standardized way to organize, secure, and operate those clusters using Google Cloud\u2019s platform APIs and fleet model.<\/p>\n\n\n\n

\n

Naming note (important): Google has used the Anthos brand historically for multi-cluster\/hybrid management. Many features now live under GKE Enterprise \/ fleet management terminology in Google Cloud documentation. The feature name GKE Attached Clusters<\/strong> remains the key concept for attaching external clusters. Verify the latest branding and packaging in official docs if you are aligning procurement, licensing, or architecture standards.<\/p>\n<\/blockquote>\n\n\n\n

\n\n\n\n

2. What is GKE Attached Clusters?<\/h2>\n\n\n\n

Official purpose<\/h3>\n\n\n\n

GKE Attached Clusters is designed to attach and manage Kubernetes clusters that are not running as native Google Kubernetes Engine (GKE) clusters<\/strong>. This allows Google Cloud to treat those clusters as members of a fleet<\/strong>, enabling consistent management workflows.<\/p>\n\n\n\n

Official docs entry points (start here and follow current links):\n– https:\/\/cloud.google.com\/kubernetes-engine\/docs\/concepts\/attached-clusters\n– Fleet concepts (terminology and model): https:\/\/cloud.google.com\/kubernetes-engine\/docs\/concepts\/fleet<\/p>\n\n\n\n

Core capabilities<\/h3>\n\n\n\n

At a high level, GKE Attached Clusters enables you to:<\/p>\n\n\n\n

    \n
  • Register external clusters<\/strong> into a Google Cloud project as fleet memberships.<\/li>\n
  • Establish secure connectivity<\/strong> between Google Cloud and the external cluster using Google-managed control services plus in-cluster agents.<\/li>\n
  • Centralize governance and operations<\/strong> (for example, policy, config, and observability), depending on what fleet features you enable and your licensing\/edition.<\/li>\n<\/ul>\n\n\n\n

    Major components<\/h3>\n\n\n\n

    While exact components and naming can evolve, the architecture generally includes:<\/p>\n\n\n\n

      \n
    • Google Cloud project<\/strong>: The administrative boundary where fleets and memberships live.<\/li>\n
    • Fleet \/ GKE Hub<\/strong>: The fleet resource model in Google Cloud that organizes clusters as memberships.<\/li>\n
    • Membership<\/strong>: A representation of an external cluster inside the fleet.<\/li>\n
    • In-cluster agents<\/strong>: Components installed into the attached cluster to authenticate, maintain connectivity, and report state to Google Cloud.<\/li>\n
    • Connect Gateway (optional but common)<\/strong>: A Google Cloud capability that provides API server access to the cluster through Google Cloud, typically without requiring inbound connectivity to the cluster. (Verify current docs for the exact \u201cConnect Gateway\u201d setup path and prerequisites.)<\/li>\n<\/ul>\n\n\n\n

      Service type<\/h3>\n\n\n\n

      GKE Attached Clusters is a managed control-plane integration<\/strong> \/ fleet management<\/strong> capability rather than a compute service. You continue to pay for and operate the actual cluster compute where it runs (on-prem or other clouds). Google Cloud provides management-plane services, APIs, and (depending on configuration) governance and observability features.<\/p>\n\n\n\n

      Scope (project\/region)<\/h3>\n\n\n\n
        \n
      • Fleet resources are typically project-scoped<\/strong> in Google Cloud.<\/li>\n
      • Many fleet resources are organized by locations<\/strong> in the Google Cloud API model (often \u201cglobal\u201d or a chosen region, depending on the API and feature).\n Because these details can change and vary by feature, verify the required location (global vs regional)<\/strong> for your particular attached cluster workflow in the current documentation:\n https:\/\/cloud.google.com\/kubernetes-engine\/docs\/concepts\/attached-clusters<\/li>\n<\/ul>\n\n\n\n

        How it fits into the Google Cloud ecosystem<\/h3>\n\n\n\n

        GKE Attached Clusters is part of Google Cloud\u2019s Distributed, hybrid, and multicloud<\/em> strategy:<\/p>\n\n\n\n

          \n
        • Use GKE<\/strong> for clusters running on Google Cloud.<\/li>\n
        • Use GKE Attached Clusters<\/strong> to bring non-GKE clusters into the same fleet<\/strong> model.<\/li>\n
        • Use fleet capabilities for cross-cluster policy, identity, observability, and standardization.<\/li>\n
        • Integrate with Google Cloud security, IAM, logging\/monitoring, and governance tooling.<\/li>\n<\/ul>\n\n\n\n
          \n\n\n\n

          3. Why use GKE Attached Clusters?<\/h2>\n\n\n\n

          Business reasons<\/h3>\n\n\n\n
            \n
          • Reduce operational overhead<\/strong> across multiple Kubernetes platforms by standardizing management patterns.<\/li>\n
          • Avoid forced migrations<\/strong>: attach existing clusters instead of replatforming immediately.<\/li>\n
          • Centralize governance<\/strong> (policy and compliance reporting) across environments.<\/li>\n
          • Improve auditability<\/strong> through consistent inventory and access patterns.<\/li>\n<\/ul>\n\n\n\n

            Technical reasons<\/h3>\n\n\n\n
              \n
            • Fleet-based multi-cluster management<\/strong>: organize clusters, apply policies, and manage configuration consistently.<\/li>\n
            • Unified access patterns<\/strong>: with Connect Gateway (where applicable), you can access cluster APIs without opening inbound firewall rules to the Kubernetes API server.<\/li>\n
            • Standardized observability<\/strong>: integrate logs\/metrics patterns across clusters (exact integrations depend on features you enable).<\/li>\n<\/ul>\n\n\n\n

              Operational reasons<\/h3>\n\n\n\n
                \n
              • Inventory and lifecycle visibility<\/strong>: know what clusters exist, where they are, and their posture.<\/li>\n
              • Consistent RBAC and access controls<\/strong>: map Google Cloud IAM identities to cluster access models (implementation details vary\u2014verify current docs).<\/li>\n
              • Operational consistency<\/strong>: align naming, namespaces, labels, and policy across environments.<\/li>\n<\/ul>\n\n\n\n

                Security\/compliance reasons<\/h3>\n\n\n\n
                  \n
                • Central governance controls<\/strong> can help enforce baseline policies (for example, allowed images, required labels, network policy expectations).<\/li>\n
                • Audit logging at the management layer<\/strong>: see who registered clusters, changed memberships, or modified fleet-level settings.<\/li>\n
                • Reduced attack surface<\/strong> when access paths rely on outbound connections and managed gateways rather than inbound API exposure (verify for your environment).<\/li>\n<\/ul>\n\n\n\n

                  Scalability\/performance reasons<\/h3>\n\n\n\n
                    \n
                  • Scales operationally<\/strong>, not by adding compute: you can manage more clusters without centralizing workloads.<\/li>\n
                  • Enables patterns like multi-cluster deployments<\/strong> and standard config across environments.<\/li>\n<\/ul>\n\n\n\n

                    When teams should choose it<\/h3>\n\n\n\n

                    Choose GKE Attached Clusters when:\n– You have existing Kubernetes clusters<\/strong> outside Google Cloud (on-prem or other clouds) you want to manage centrally.\n– You want fleet governance<\/strong> across a hybrid\/multicloud estate.\n– You need an incremental path: attach now, migrate later (or never), while still standardizing operations.<\/p>\n\n\n\n

                    When teams should not choose it<\/h3>\n\n\n\n

                    Avoid or reconsider GKE Attached Clusters when:\n– You can standardize on native GKE<\/strong> quickly and don\u2019t need to manage external clusters.\n– Your environment cannot support the required agent connectivity<\/strong> (for example, strict egress restrictions without an approved path).\n– Your compliance requirements prohibit installing third-party management agents into clusters.\n– You expect Google Cloud to manage cluster upgrades or node lifecycle for you\u2014attached<\/strong> generally means the cluster lifecycle remains your responsibility.<\/p>\n\n\n\n

                    \n\n\n\n

                    4. Where is GKE Attached Clusters used?<\/h2>\n\n\n\n

                    Industries<\/h3>\n\n\n\n
                      \n
                    • Financial services (hybrid governance, audit controls)<\/li>\n
                    • Healthcare (compliance-driven operations)<\/li>\n
                    • Retail\/e-commerce (multi-region, multi-platform expansion)<\/li>\n
                    • Manufacturing\/industrial (on-prem edge + central governance)<\/li>\n
                    • SaaS and technology (multi-cloud deployments and customer requirements)<\/li>\n
                    • Public sector (data residency and segmented environments)<\/li>\n<\/ul>\n\n\n\n

                      Team types<\/h3>\n\n\n\n
                        \n
                      • Platform engineering (internal developer platforms)<\/li>\n
                      • SRE\/operations (fleet reliability and standardization)<\/li>\n
                      • Security engineering (policy, posture, audit)<\/li>\n
                      • Cloud center of excellence (CCoE) (governance, standards)<\/li>\n
                      • DevOps teams (CI\/CD and deployment patterns across clusters)<\/li>\n<\/ul>\n\n\n\n

                        Workloads<\/h3>\n\n\n\n
                          \n
                        • Customer-facing microservices already running on EKS\/AKS\/on-prem Kubernetes<\/li>\n
                        • Regulated workloads with data locality constraints<\/li>\n
                        • Low-latency on-prem workloads that still need centralized policy<\/li>\n
                        • Batch and event-driven workloads distributed across environments<\/li>\n
                        • Edge-adjacent workloads that must remain local but centrally governed<\/li>\n<\/ul>\n\n\n\n

                          Architectures<\/h3>\n\n\n\n
                            \n
                          • Hybrid (on-prem + Google Cloud)<\/li>\n
                          • Multicloud (AWS + Azure + Google Cloud governance)<\/li>\n
                          • Multi-cluster, multi-region active\/active patterns<\/li>\n
                          • Segmented clusters per compliance boundary with centralized governance<\/li>\n<\/ul>\n\n\n\n

                            Real-world deployment contexts<\/h3>\n\n\n\n
                              \n
                            • Enterprises that acquired companies with different Kubernetes stacks<\/li>\n
                            • Organizations mid-migration from on-prem to cloud<\/li>\n
                            • Teams standardizing policy and observability across business units<\/li>\n
                            • Central security teams enforcing common controls across clusters<\/li>\n<\/ul>\n\n\n\n

                              Production vs dev\/test usage<\/h3>\n\n\n\n
                                \n
                              • Production<\/strong>: most common when you need governance, access control, and inventory at scale across environments.<\/li>\n
                              • Dev\/test<\/strong>: useful to standardize cluster baselines and provide consistent developer access patterns, but consider cost\/licensing and operational overhead relative to simply running dev clusters in GKE.<\/li>\n<\/ul>\n\n\n\n
                                \n\n\n\n

                                5. Top Use Cases and Scenarios<\/h2>\n\n\n\n

                                Below are realistic scenarios where GKE Attached Clusters is commonly used. Each scenario assumes you already have Kubernetes clusters outside Google Cloud.<\/p>\n\n\n\n

                                1) Centralized cluster inventory and ownership tracking<\/h3>\n\n\n\n
                                  \n
                                • Problem<\/strong>: Teams spin up clusters across environments; nobody has an authoritative inventory.<\/li>\n
                                • Why this fits<\/strong>: Attached clusters become fleet memberships\u2014an organized inventory in Google Cloud.<\/li>\n
                                • Example<\/strong>: A company discovers 40+ Kubernetes clusters across subsidiaries; they attach them to a single fleet and apply ownership labels and access controls.<\/li>\n<\/ul>\n\n\n\n

                                  2) Consistent policy enforcement across hybrid clusters<\/h3>\n\n\n\n
                                    \n
                                  • Problem<\/strong>: Different clusters enforce different security controls; audits are painful.<\/li>\n
                                  • Why this fits<\/strong>: Fleet governance features can enforce consistent policies across attached clusters (feature availability depends on licensing and setup\u2014verify).<\/li>\n
                                  • Example<\/strong>: Security requires \u201cno privileged pods\u201d across all clusters; policy is enforced centrally and reported consistently.<\/li>\n<\/ul>\n\n\n\n

                                    3) Standardized baseline configuration (namespaces, RBAC, resource quotas)<\/h3>\n\n\n\n
                                      \n
                                    • Problem<\/strong>: Every cluster is configured differently; onboarding and troubleshooting are slow.<\/li>\n
                                    • Why this fits<\/strong>: Use fleet configuration tooling (for example, GitOps-based config management where applicable) to standardize.<\/li>\n
                                    • Example<\/strong>: Platform team standardizes \u201cdev\/stage\/prod\u201d namespaces and quota templates across 12 clusters.<\/li>\n<\/ul>\n\n\n\n

                                      4) Secure kubectl access without exposing Kubernetes API servers publicly<\/h3>\n\n\n\n
                                        \n
                                      • Problem<\/strong>: Remote operators need kubectl access, but exposing API servers increases risk.<\/li>\n
                                      • Why this fits<\/strong>: Connect Gateway (where applicable) can provide controlled access through Google Cloud.<\/li>\n
                                      • Example<\/strong>: On-prem clusters remain behind firewalls; SREs access them via Google Cloud\u2019s gateway with IAM-based controls.<\/li>\n<\/ul>\n\n\n\n

                                        5) Hybrid observability roll-up (logs and metrics consistency)<\/h3>\n\n\n\n
                                          \n
                                        • Problem<\/strong>: Observability is fragmented between clouds and tools.<\/li>\n
                                        • Why this fits<\/strong>: Fleet + Google Cloud observability integrations can standardize telemetry (verify which signals and agents you\u2019ll use).<\/li>\n
                                        • Example<\/strong>: Operations team uses consistent dashboards and alerting policies for workloads running on-prem and in cloud clusters.<\/li>\n<\/ul>\n\n\n\n

                                          6) Gradual migration path to GKE<\/h3>\n\n\n\n
                                            \n
                                          • Problem<\/strong>: You want to move to GKE, but cannot migrate immediately.<\/li>\n
                                          • Why this fits<\/strong>: Attach clusters now to unify operations; migrate workloads later.<\/li>\n
                                          • Example<\/strong>: A bank attaches VMware-based clusters and adopts consistent policy; later migrates selected workloads to GKE in phases.<\/li>\n<\/ul>\n\n\n\n

                                            7) Multi-cluster policy for software supply chain controls<\/h3>\n\n\n\n
                                              \n
                                            • Problem<\/strong>: Enforcing image signing\/allowlists across clusters is inconsistent.<\/li>\n
                                            • Why this fits<\/strong>: Central policy can restrict images or enforce provenance patterns (implementation depends on your policy stack\u2014verify).<\/li>\n
                                            • Example<\/strong>: Only images from approved Artifact Registry repositories are allowed across all attached clusters.<\/li>\n<\/ul>\n\n\n\n

                                              8) Organizational governance and segmentation<\/h3>\n\n\n\n
                                                \n
                                              • Problem<\/strong>: Business units need autonomy, but central security needs governance.<\/li>\n
                                              • Why this fits<\/strong>: Fleet membership structure supports grouping and consistent governance.<\/li>\n
                                              • Example<\/strong>: Each BU maintains its cluster; central team enforces baseline policy and auditing.<\/li>\n<\/ul>\n\n\n\n

                                                9) Disaster recovery and operational readiness across environments<\/h3>\n\n\n\n
                                                  \n
                                                • Problem<\/strong>: DR drills fail because clusters differ and runbooks aren\u2019t consistent.<\/li>\n
                                                • Why this fits<\/strong>: Consistent management plane and policy improve standardization.<\/li>\n
                                                • Example<\/strong>: DR readiness checks validate baseline controls across attached clusters before quarterly audits.<\/li>\n<\/ul>\n\n\n\n

                                                  10) M&A integration of Kubernetes estates<\/h3>\n\n\n\n
                                                    \n
                                                  • Problem<\/strong>: Post-acquisition, the company has clusters on different clouds with inconsistent management.<\/li>\n
                                                  • Why this fits<\/strong>: Attach acquired clusters to a fleet and apply standard controls.<\/li>\n
                                                  • Example<\/strong>: A SaaS company acquires another running AKS; they attach it and align policy and access.<\/li>\n<\/ul>\n\n\n\n

                                                    11) Edge-adjacent or factory clusters with central governance<\/h3>\n\n\n\n
                                                      \n
                                                    • Problem<\/strong>: Factory\/on-prem clusters must run locally but need central oversight.<\/li>\n
                                                    • Why this fits<\/strong>: Attach for governance and remote access workflows.<\/li>\n
                                                    • Example<\/strong>: Manufacturing plants run Kubernetes for local workloads; security enforces common policy centrally.<\/li>\n<\/ul>\n\n\n\n

                                                      12) Controlled rollout of platform standards (labels, annotations, network policies)<\/h3>\n\n\n\n
                                                        \n
                                                      • Problem<\/strong>: Enforcing standards across many clusters is manual and error-prone.<\/li>\n
                                                      • Why this fits<\/strong>: Fleet-level configuration\/policy patterns reduce drift.<\/li>\n
                                                      • Example<\/strong>: Platform team enforces mandatory labels for cost allocation and ownership across all clusters.<\/li>\n<\/ul>\n\n\n\n
                                                        \n\n\n\n

                                                        6. Core Features<\/h2>\n\n\n\n
                                                        \n

                                                        Note: Feature availability can depend on your Google Cloud edition\/subscription (often associated with GKE Enterprise) and on the attached cluster type (on-prem vs other cloud vs distribution). Always confirm current feature support in official documentation:\nhttps:\/\/cloud.google.com\/kubernetes-engine\/docs\/concepts\/attached-clusters<\/p>\n<\/blockquote>\n\n\n\n

                                                        Feature 1: Attach\/register external Kubernetes clusters into a fleet<\/h3>\n\n\n\n
                                                          \n
                                                        • What it does<\/strong>: Represents an external cluster as a fleet membership in Google Cloud.<\/li>\n
                                                        • Why it matters<\/strong>: Creates a consistent management boundary and inventory.<\/li>\n
                                                        • Practical benefit<\/strong>: Centralized view of clusters, grouping, and management workflows.<\/li>\n
                                                        • Limitations\/caveats<\/strong>: Supported Kubernetes distributions and versions can be constrained. Verify supported platforms and versions.<\/li>\n<\/ul>\n\n\n\n

                                                          Feature 2: Secure connectivity via in-cluster agents<\/h3>\n\n\n\n
                                                            \n
                                                          • What it does<\/strong>: Installs agents in the attached cluster to establish secure communication to Google Cloud services.<\/li>\n
                                                          • Why it matters<\/strong>: Enables management without requiring inbound access to the cluster from the internet.<\/li>\n
                                                          • Practical benefit<\/strong>: Easier security posture\u2014often relies on outbound connectivity from the cluster.<\/li>\n
                                                          • Limitations\/caveats<\/strong>: Requires egress to Google endpoints; may require proxies\/firewall allowlists.<\/li>\n<\/ul>\n\n\n\n

                                                            Feature 3: Fleet-based organization and governance model<\/h3>\n\n\n\n
                                                              \n
                                                            • What it does<\/strong>: Organizes clusters as part of a fleet with consistent metadata and policy attachment points.<\/li>\n
                                                            • Why it matters<\/strong>: Standardizes operations at scale.<\/li>\n
                                                            • Practical benefit<\/strong>: You can reason about clusters using fleet membership, labels, and policies.<\/li>\n
                                                            • Limitations\/caveats<\/strong>: The fleet model is powerful, but it\u2019s another layer to manage\u2014plan roles, naming, and lifecycle carefully.<\/li>\n<\/ul>\n\n\n\n

                                                              Feature 4: Access via Connect Gateway (commonly used)<\/h3>\n\n\n\n
                                                                \n
                                                              • What it does<\/strong>: Provides a way to access the Kubernetes API server through Google Cloud (where supported).<\/li>\n
                                                              • Why it matters<\/strong>: Avoids exposing the Kubernetes API publicly or via complex VPN paths for each operator.<\/li>\n
                                                              • Practical benefit<\/strong>: Centralized access patterns and audit-friendly workflows.<\/li>\n
                                                              • Limitations\/caveats<\/strong>: Requires correct IAM and RBAC mapping; latency depends on network; verify any limitations for large API requests.<\/li>\n<\/ul>\n\n\n\n

                                                                Feature 5: Centralized policy and configuration patterns (fleet features)<\/h3>\n\n\n\n
                                                                  \n
                                                                • What it does<\/strong>: Enables consistent configuration and policy across clusters (for example, GitOps-based config sync and policy control, depending on your setup).<\/li>\n
                                                                • Why it matters<\/strong>: Reduces drift and improves compliance.<\/li>\n
                                                                • Practical benefit<\/strong>: Enforce baseline security and platform configuration across all attached clusters.<\/li>\n
                                                                • Limitations\/caveats<\/strong>: Requires careful change management; misconfigured policy can block deployments across many clusters.<\/li>\n<\/ul>\n\n\n\n

                                                                  Feature 6: Observability integrations (logs\/metrics\/event workflows)<\/h3>\n\n\n\n
                                                                    \n
                                                                  • What it does<\/strong>: Integrates fleet clusters with Google Cloud observability patterns.<\/li>\n
                                                                  • Why it matters<\/strong>: Supports consistent SRE operations across hybrid\/multicloud.<\/li>\n
                                                                  • Practical benefit<\/strong>: Central dashboards, alerting, and troubleshooting patterns (depending on enabled features).<\/li>\n
                                                                  • Limitations\/caveats<\/strong>: You may still rely on local telemetry stacks; costs can increase with log\/metric volume; verify supported integrations.<\/li>\n<\/ul>\n\n\n\n

                                                                    Feature 7: IAM-integrated administration (management plane)<\/h3>\n\n\n\n
                                                                      \n
                                                                    • What it does<\/strong>: Uses Google Cloud IAM for who can view\/register\/manage attached clusters and fleet resources.<\/li>\n
                                                                    • Why it matters<\/strong>: Standard access governance and auditing.<\/li>\n
                                                                    • Practical benefit<\/strong>: Centralized control, separation of duties, and audit logs.<\/li>\n
                                                                    • Limitations\/caveats<\/strong>: IAM controls the management plane; Kubernetes RBAC still applies inside clusters\u2014plan both layers.<\/li>\n<\/ul>\n\n\n\n

                                                                      Feature 8: Consistent labeling\/metadata for cost allocation and ownership<\/h3>\n\n\n\n
                                                                        \n
                                                                      • What it does<\/strong>: Lets you apply fleet membership labels and organize clusters by environment\/team\/app.<\/li>\n
                                                                      • Why it matters<\/strong>: Strong governance and operational clarity.<\/li>\n
                                                                      • Practical benefit<\/strong>: Enables standardized reporting and delegation models.<\/li>\n
                                                                      • Limitations\/caveats<\/strong>: Taxonomy must be designed; inconsistent labels reduce value.<\/li>\n<\/ul>\n\n\n\n
                                                                        \n\n\n\n

                                                                        7. Architecture and How It Works<\/h2>\n\n\n\n

                                                                        High-level architecture<\/h3>\n\n\n\n

                                                                        GKE Attached Clusters bridges two worlds:<\/p>\n\n\n\n

                                                                          \n
                                                                        1. Your external Kubernetes cluster environment<\/strong> (on-prem or another cloud) where the Kubernetes API server, nodes, and workloads run.<\/li>\n
                                                                        2. Google Cloud management plane<\/strong> where fleet resources and management services live.<\/li>\n<\/ol>\n\n\n\n

                                                                          The attachment process typically:\n– Creates a fleet membership in Google Cloud.\n– Installs agents into the cluster (via kubectl<\/code> or a provided installer workflow).\n– Establishes secure communication from the cluster to Google Cloud services.<\/p>\n\n\n\n

                                                                          Control flow vs data flow<\/h3>\n\n\n\n
                                                                            \n
                                                                          • Control plane \/ management traffic<\/strong>: cluster agents communicate cluster state and receive management directives.<\/li>\n
                                                                          • Application data plane traffic<\/strong>: your workloads still communicate as they normally do inside your network. GKE Attached Clusters does not \u201cproxy\u201d your application traffic by default; it focuses on management and governance.<\/li>\n<\/ul>\n\n\n\n

                                                                            Integrations with related services<\/h3>\n\n\n\n

                                                                            Common related services and concepts include:\n– Fleet \/ GKE Hub<\/strong> (membership model)\n– Google Cloud IAM<\/strong> (access control)\n– Cloud Audit Logs<\/strong> (who changed what in Google Cloud)\n– Cloud Logging \/ Cloud Monitoring<\/strong> (telemetry, depending on configuration)\n– Policy and config tooling<\/strong> (for example, Anthos Config Management \/ Config Sync and Policy Controller\u2014verify current product names and packaging in docs)\n– Google Cloud Service Mesh<\/strong> (optional, where supported, for standardized service-to-service security and telemetry\u2014verify compatibility for attached clusters)<\/p>\n\n\n\n

                                                                            Dependency services<\/h3>\n\n\n\n

                                                                            At minimum, expect dependencies such as:\n– Google Cloud APIs for Kubernetes\/fleet management (enablement required)\n– A Google Cloud project with billing enabled (required for many management features)\n– Network egress from attached clusters to Google endpoints<\/p>\n\n\n\n

                                                                            Security\/authentication model (conceptual)<\/h3>\n\n\n\n
                                                                              \n
                                                                            • Google Cloud IAM<\/strong> controls who can register, view, and administer fleet and attached cluster resources in the project.<\/li>\n
                                                                            • In-cluster agents<\/strong> authenticate to Google Cloud using credentials configured at install time (exact credential mechanism varies by workflow; verify in docs).<\/li>\n
                                                                            • Kubernetes RBAC<\/strong> still governs in-cluster actions; fleet features often integrate with Kubernetes identities but do not replace Kubernetes RBAC.<\/li>\n<\/ul>\n\n\n\n

                                                                              Networking model<\/h3>\n\n\n\n
                                                                                \n
                                                                              • Typically outbound<\/strong> connections from the attached cluster to Google Cloud endpoints.<\/li>\n
                                                                              • Optional gateway-based access for administrators.<\/li>\n
                                                                              • Private networking (VPN\/Interconnect) may be used in regulated environments, but isn\u2019t always required for management connectivity if outbound internet egress is allowed and properly controlled.<\/li>\n<\/ul>\n\n\n\n

                                                                                Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n
                                                                                  \n
                                                                                • Decide early whether you want:<\/li>\n
                                                                                • Centralized logging\/metrics in Google Cloud<\/li>\n
                                                                                • A split model (local observability + centralized inventory\/policy)<\/li>\n
                                                                                • Establish governance:<\/li>\n
                                                                                • Who can attach clusters?<\/li>\n
                                                                                • Required labels\/tags<\/li>\n
                                                                                • Baseline policies<\/li>\n
                                                                                • Audit requirements and retention<\/li>\n<\/ul>\n\n\n\n

                                                                                  Simple architecture diagram (conceptual)<\/h3>\n\n\n\n
                                                                                  flowchart LR\n  subgraph External[\"External Environment (on-prem \/ other cloud)\"]\n    K8s[\"Kubernetes Cluster\"]\n    Agents[\"GKE Attached Cluster Agents\\n(in-cluster)\"]\n    K8s --- Agents\n  end\n\n  subgraph GCP[\"Google Cloud Project\"]\n    Fleet[\"Fleet (GKE Hub)\"]\n    APIs[\"Google Cloud APIs\\n(Management services)\"]\n    IAM[\"Cloud IAM + Audit Logs\"]\n  end\n\n  Agents -- \"Outbound secure connection\" --> APIs\n  APIs --> Fleet\n  IAM --- Fleet\n<\/code><\/pre>\n\n\n\n
                                                                                  Production-style architecture diagram (hybrid operations)<\/h3>\n\n\n\n
                                                                                  flowchart TB\n  subgraph Ops[\"Operations & Governance (Google Cloud)\"]\n    IAM[\"IAM (Admins, SREs, SecOps)\"]\n    Audit[\"Cloud Audit Logs\"]\n    Fleet[\"Fleet \/ Memberships\"]\n    Policy[\"Policy & Config (fleet features)\\n(verify exact components)\"]\n    Obs[\"Cloud Monitoring \/ Logging\\n(optional)\"]\n    Gateway[\"Connect Gateway (optional)\"]\n  end\n\n  subgraph EnvA[\"On-Prem DC\"]\n    OnPremCluster[\"Kubernetes Cluster A\"]\n    OnPremAgents[\"Agents\"]\n    OnPremCluster --- OnPremAgents\n    OnPremNet[\"Corporate network\\nFW\/Proxy\/VPN\"]\n    OnPremAgents --- OnPremNet\n  end\n\n  subgraph EnvB[\"Other Cloud\"]\n    OtherCluster[\"Kubernetes Cluster B\"]\n    OtherAgents[\"Agents\"]\n    OtherCluster --- OtherAgents\n  end\n\n  IAM --> Fleet\n  Fleet --> Policy\n  Fleet --> Obs\n  IAM --> Gateway\n  Audit --- IAM\n  Audit --- Fleet\n\n  OnPremNet -- \"Outbound allowlist to Google endpoints\\n(or private connectivity)\" --> Fleet\n  OtherAgents -- \"Outbound secure connection\" --> Fleet\n  Gateway -- \"Admin kubectl\/API access\\n(where supported)\" --> OnPremCluster\n  Gateway -- \"Admin kubectl\/API access\\n(where supported)\" --> OtherCluster\n<\/code><\/pre>\n\n\n\n
                                                                                  \n\n\n\n
                                                                                  8. Prerequisites<\/h2>\n\n\n\n
                                                                                  Because attached clusters involve multiple environments, prerequisites span Google Cloud plus your external Kubernetes environment.<\/p>\n\n\n\n
                                                                                  Google Cloud account\/project requirements<\/h3>\n\n\n\n
                                                                                    \n
                                                                                  • A Google Cloud account<\/strong> with access to create\/manage projects.<\/li>\n
                                                                                  • A Google Cloud project<\/strong> with billing enabled<\/strong>.<\/li>\n
                                                                                  • Ability to enable required APIs (details vary; see \u201cStep-by-step\u201d section).<\/li>\n<\/ul>\n\n\n\n
                                                                                    Permissions \/ IAM roles<\/h3>\n\n\n\n
                                                                                    For a beginner lab, the simplest is:\n– Project Owner<\/strong> on the Google Cloud project (broad, not least-privilege).<\/p>\n\n\n\n
                                                                                    For production, use least privilege. Exact role names can vary by feature and may evolve, so verify official IAM guidance<\/strong> for:\n– Fleet \/ GKE Hub administration\n– Attached clusters administration\n– Connect Gateway usage (if used)\n– Observability\/policy tooling (if enabled)<\/p>\n\n\n\n
                                                                                    Start here and follow the IAM sections:\n– https:\/\/cloud.google.com\/kubernetes-engine\/docs\/concepts\/attached-clusters\n– Fleet concepts: https:\/\/cloud.google.com\/kubernetes-engine\/docs\/concepts\/fleet<\/p>\n\n\n\n
                                                                                    Billing requirements<\/h3>\n\n\n\n
                                                                                      \n
                                                                                    • Billing must be enabled for the project.<\/li>\n
                                                                                    • Some fleet features may require a subscription\/edition (often associated with GKE Enterprise<\/strong>). Verify licensing requirements<\/strong> for your intended features:<\/li>\n
                                                                                    • GKE Enterprise pricing page: https:\/\/cloud.google.com\/kubernetes-engine\/enterprise\/pricing<\/li>\n<\/ul>\n\n\n\n
                                                                                      CLI\/SDK\/tools needed<\/h3>\n\n\n\n
                                                                                        \n
                                                                                      • Google Cloud CLI (gcloud<\/code>)<\/strong>: https:\/\/cloud.google.com\/sdk\/docs\/install<\/li>\n
                                                                                      • kubectl<\/strong> matching your Kubernetes cluster version policy: https:\/\/kubernetes.io\/docs\/tasks\/tools\/<\/li>\n
                                                                                      • Access to your external environment tooling:<\/li>\n
                                                                                      • If on AWS\/Azure: their respective CLIs (optional).<\/li>\n
                                                                                      • For on-prem: direct kubectl<\/code> access to the cluster.<\/li>\n<\/ul>\n\n\n\n
                                                                                        Region availability<\/h3>\n\n\n\n
                                                                                          \n
                                                                                        • Attached cluster management is a Google Cloud service. Availability can depend on your Google Cloud org policies and service availability.\nVerify the supported locations<\/strong> in official docs for the attached clusters API and fleet features you plan to use.<\/li>\n<\/ul>\n\n\n\n
                                                                                          Quotas\/limits<\/h3>\n\n\n\n
                                                                                          Quotas and limits can apply to:\n– Number of fleet memberships per project\/org\n– API request quotas\n– Logging\/monitoring ingestion quotas (if enabled)\nBecause these change, verify quotas in the Google Cloud console<\/strong> under IAM & Admin \u2192 Quotas<\/strong> and relevant docs.<\/p>\n\n\n\n
                                                                                          Prerequisite services<\/h3>\n\n\n\n
                                                                                          Typically required:\n– Google Cloud APIs for Kubernetes\/fleet management (enable in tutorial).\nOptionally:\n– Cloud Logging\/Monitoring APIs (if you centralize telemetry)\n– Policy\/config tools APIs (if enabled)<\/p>\n\n\n\n
                                                                                          \n\n\n\n
                                                                                          9. Pricing \/ Cost<\/h2>\n\n\n\n
                                                                                          \n
                                                                                          Pricing changes over time and can be edition-based or contract-based. Do not rely on blogs for exact numbers. Use the official pricing page and calculator.<\/p>\n<\/blockquote>\n\n\n\n
                                                                                          Current pricing model (how to think about it)<\/h3>\n\n\n\n
                                                                                          With GKE Attached Clusters, costs usually fall into two buckets:<\/p>\n\n\n\n
                                                                                            \n
                                                                                          1. \n
                                                                                            Google Cloud management costs<\/strong>\n   – Fleet management and enterprise features may be packaged under GKE Enterprise<\/strong> (formerly Anthos in many contexts).\n   – Pricing is often subscription\/edition-based<\/strong> and may be per vCPU<\/strong> for managed clusters under the subscription model.\nVerify current SKUs and licensing<\/strong>:\n   – Official pricing: https:\/\/cloud.google.com\/kubernetes-engine\/enterprise\/pricing<\/p>\n<\/li>\n
                                                                                          2. \n
                                                                                            External cluster infrastructure costs<\/strong>\n   – Compute, storage, and networking where the cluster runs (on-prem hardware, AWS\/Azure bills, colocation, etc.).\n   – Kubernetes operational costs you already bear: node OS patching, cluster upgrades, backups, etc.<\/p>\n<\/li>\n<\/ol>\n\n\n\n
                                                                                            Pricing dimensions to expect<\/h3>\n\n\n\n
                                                                                            Depending on what you enable, costs may be driven by:<\/p>\n\n\n\n
                                                                                              \n
                                                                                            • Number of vCPUs<\/strong> (if your licensing is per-vCPU under GKE Enterprise\u2014verify)<\/li>\n
                                                                                            • Number of clusters\/memberships<\/strong> (some features can be cluster-count based\u2014verify)<\/li>\n
                                                                                            • Telemetry volume<\/strong>:<\/li>\n
                                                                                            • Log ingestion (GB\/day)<\/li>\n
                                                                                            • Metric ingestion (time series)<\/li>\n
                                                                                            • Traces (if enabled)<\/li>\n
                                                                                            • Network egress<\/strong>:<\/li>\n
                                                                                            • External cluster \u2192 Google Cloud endpoints (internet egress on your side)<\/li>\n
                                                                                            • Google Cloud \u2192 external services (less common for management, but possible)<\/li>\n
                                                                                            • Policy\/config tooling<\/strong>:<\/li>\n
                                                                                            • Usually minimal direct \u201cper request\u201d costs, but may add operational overhead and compute usage in-cluster.<\/li>\n<\/ul>\n\n\n\n
                                                                                              Free tier<\/h3>\n\n\n\n
                                                                                              Google Cloud free tiers typically apply to specific services (Logging has limited free allocation, etc.), but there is no universal free tier that covers enterprise fleet management<\/strong>. Check:\n– https:\/\/cloud.google.com\/free\n– Service-specific free allocations (Logging\/Monitoring) in their pricing pages<\/p>\n\n\n\n
                                                                                              Hidden or indirect costs<\/h3>\n\n\n\n
                                                                                                \n
                                                                                              • Operational overhead<\/strong>: agents, version compatibility work, change management for policy rollout.<\/li>\n
                                                                                              • Connectivity<\/strong>: corporate proxies, allowlisting, private networking, potential egress charges.<\/li>\n
                                                                                              • Observability<\/strong>: centralizing logs from many clusters can quickly become a top cost driver if not filtered.<\/li>\n<\/ul>\n\n\n\n
                                                                                                Network\/data transfer implications<\/h3>\n\n\n\n
                                                                                                  \n
                                                                                                • Outbound traffic from external clusters to Google endpoints may incur:<\/li>\n
                                                                                                • Cloud egress charges in AWS\/Azure<\/li>\n
                                                                                                • Corporate network costs<\/li>\n
                                                                                                • Centralized logging\/metrics can also increase outbound traffic.<\/li>\n<\/ul>\n\n\n\n
                                                                                                  How to optimize cost<\/h3>\n\n\n\n
                                                                                                    \n
                                                                                                  • Start with inventory + limited access<\/strong> before enabling all governance\/observability features.<\/li>\n
                                                                                                  • Filter logs at source; avoid shipping noisy debug logs centrally.<\/li>\n
                                                                                                  • Use sampling for traces.<\/li>\n
                                                                                                  • Right-size retention periods for logs and metrics.<\/li>\n
                                                                                                  • Attach only clusters that benefit from fleet governance\u2014avoid attaching ephemeral dev clusters unless you need it.<\/li>\n<\/ul>\n\n\n\n
                                                                                                    Example low-cost starter estimate (conceptual)<\/h3>\n\n\n\n
                                                                                                    A low-cost starter setup typically includes:\n– One small external cluster (existing dev cluster)\n– Attachment to a fleet\n– Minimal observability (or none centralized)\n– A small number of users accessing via gateway<\/p>\n\n\n\n
                                                                                                    Costs to consider:\n– External cluster infra (dominant in many cases)\n– Any GKE Enterprise licensing\/subscription (verify applicable minimums)\n– Minimal logging\/monitoring if enabled<\/p>\n\n\n\n
                                                                                                    Because licensing and regional SKUs vary, use the official calculator<\/strong>:\n– https:\/\/cloud.google.com\/products\/calculator<\/p>\n\n\n\n
                                                                                                    Example production cost considerations<\/h3>\n\n\n\n
                                                                                                    In production, plan for:\n– GKE Enterprise subscription sizing (if required)\n– Logging\/Monitoring ingestion at scale\n– Multiple clusters and environments\n– Dedicated connectivity (VPN\/Interconnect) in regulated environments\n– Staff time for policy design, rollout, and incident management<\/p>\n\n\n\n
                                                                                                    \n\n\n\n
                                                                                                    10. Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n
                                                                                                    This lab focuses on a practical, low-risk goal: attach an existing Kubernetes cluster (that you already operate) to Google Cloud as an attached cluster<\/strong>, verify it appears as a fleet membership, access it through Google Cloud (where supported), deploy a sample workload, and then detach\/clean up.<\/p>\n\n\n\n
                                                                                                    Because external environments vary widely, the lab is written to be executable<\/strong> without guessing provider-specific commands: the core attachment step uses the Google Cloud Console flow<\/strong>, which generates an install\/registration command tailored to your environment.<\/p>\n\n\n\n
                                                                                                    Objective<\/h3>\n\n\n\n
                                                                                                    Attach an existing Kubernetes cluster to Google Cloud using GKE Attached Clusters<\/strong>, verify fleet membership, optionally use Connect Gateway to run kubectl<\/code>, deploy a sample app, and clean up.<\/p>\n\n\n\n
                                                                                                    Lab Overview<\/h3>\n\n\n\n
                                                                                                    You will:<\/p>\n\n\n\n
                                                                                                      \n
                                                                                                    1. Prepare a Google Cloud project (billing, APIs).<\/li>\n
                                                                                                    2. Choose or prepare an external Kubernetes cluster you can administer (kubectl<\/code> admin access).<\/li>\n
                                                                                                    3. Register the cluster as a GKE Attached Cluster<\/strong> using the Google Cloud Console-generated steps.<\/li>\n
                                                                                                    4. Validate:\n   – Cluster shows up in Google Cloud as an attached cluster\/fleet membership\n   – You can view basic cluster details\n   – (Optional) You can access the cluster API via Google Cloud (Connect Gateway)<\/li>\n
                                                                                                    5. Deploy a small workload and confirm it runs.<\/li>\n
                                                                                                    6. Detach\/unregister and clean up.<\/li>\n<\/ol>\n\n\n\n
                                                                                                      Step 1: Prepare your Google Cloud project<\/h3>\n\n\n\n
                                                                                                      1) In the Google Cloud Console, select or create a project:\n– https:\/\/console.cloud.google.com\/projectcreate<\/p>\n\n\n\n
                                                                                                      2) Ensure billing is enabled for the project:\n– https:\/\/console.cloud.google.com\/billing<\/p>\n\n\n\n
                                                                                                      3) Install and initialize gcloud<\/code> (local machine) or open Cloud Shell:\n– Cloud Shell: https:\/\/console.cloud.google.com\/?cloudshell=true\n– Install SDK: https:\/\/cloud.google.com\/sdk\/docs\/install<\/p>\n\n\n\n
                                                                                                      4) Set your project:<\/p>\n\n\n\n
                                                                                                      gcloud config set project PROJECT_ID\n<\/code><\/pre>\n\n\n\n
                                                                                                      Expected outcome<\/strong>: gcloud<\/code> commands run against your chosen project.<\/p>\n\n\n\n
                                                                                                      Step 2: Enable required Google Cloud APIs<\/h3>\n\n\n\n
                                                                                                      Enable the key APIs typically required for attached clusters and fleet management.<\/p>\n\n\n\n
                                                                                                      In Cloud Shell or your terminal:<\/p>\n\n\n\n
                                                                                                      gcloud services enable \\\n  container.googleapis.com \\\n  gkehub.googleapis.com \\\n  connectgateway.googleapis.com \\\n  cloudresourcemanager.googleapis.com \\\n  iam.googleapis.com \\\n  serviceusage.googleapis.com\n<\/code><\/pre>\n\n\n\n
                                                                                                      Notes:\n– Some environments\/features may require additional APIs. If the console attachment wizard requests additional APIs, enable them as prompted.\n– API names can change; if any API fails to enable, search the exact API name shown in the error in the console \u201cAPIs & Services\u201d.<\/p>\n\n\n\n
                                                                                                      Expected outcome<\/strong>: APIs show as enabled in:\n– https:\/\/console.cloud.google.com\/apis\/dashboard<\/p>\n\n\n\n
                                                                                                      Step 3: Confirm you have an external Kubernetes cluster you can administer<\/h3>\n\n\n\n
                                                                                                      You need:\n– A running Kubernetes cluster outside GKE<\/strong> (on-prem or another cloud).\n– Cluster-admin privileges for installation steps.\n– Outbound network access from the cluster environment to required Google endpoints (or an approved proxy path).<\/p>\n\n\n\n
                                                                                                      Verification (from a workstation that can reach the cluster API):<\/p>\n\n\n\n
                                                                                                      kubectl version --short\nkubectl get nodes\nkubectl auth can-i '*' '*' --all-namespaces\n<\/code><\/pre>\n\n\n\n
                                                                                                      Expected outcome<\/strong>:\n– You can list nodes.\n– Your identity can create cluster-scoped resources (the can-i<\/code> check should return yes<\/code> for broad permissions). If it returns no<\/code>, you\u2019ll need a cluster-admin role binding.<\/p>\n\n\n\n
                                                                                                      Step 4: Start the \u201cAttach cluster\u201d workflow in Google Cloud Console<\/h3>\n\n\n\n
                                                                                                      1) Open the attached clusters page (navigate via console search for \u201cAttached clusters\u201d or use docs to find the correct console entry). A common starting point:\n– Kubernetes Engine in console: https:\/\/console.cloud.google.com\/kubernetes<\/p>\n\n\n\n
                                                                                                      2) Find Attached clusters<\/strong> and choose Register \/ Attach cluster<\/strong>.<\/p>\n\n\n\n
                                                                                                      3) Select the environment type for your external cluster (options vary by release\u2014examples may include on-prem or specific cloud-managed Kubernetes).\nDo not guess<\/strong>: select the exact type matching your cluster and follow the wizard.<\/p>\n\n\n\n
                                                                                                      4) Provide:\n– A cluster name (Google Cloud resource name for the attached cluster)\n– Location (as required by the wizard\u2014often \u201cglobal\u201d or a region)\n– Your fleet settings (if prompted)<\/p>\n\n\n\n
                                                                                                      5) The wizard will present:\n– Prerequisite checks<\/strong> (APIs, permissions)\n– A generated set of commands\/manifests to run against your cluster to install required agents and register it.<\/p>\n\n\n\n
                                                                                                      Expected outcome<\/strong>: You reach a step that provides installation commands tailored to your environment.<\/p>\n\n\n\n
                                                                                                      Step 5: Install the agents and register the cluster (run the generated commands)<\/h3>\n\n\n\n
                                                                                                      On a machine where kubectl<\/code> is configured to talk to the external cluster, run exactly the commands generated by the console wizard<\/strong>.<\/p>\n\n\n\n
                                                                                                      This often includes:\n– Creating a namespace for agents\n– Creating service accounts \/ secrets (or other auth materials)\n– Applying Kubernetes manifests\n– Running a gcloud<\/code> registration command and\/or applying a \u201cconnect agent\u201d manifest<\/p>\n\n\n\n
                                                                                                      Because command formats and flags can change, copy\/paste from the console wizard rather than relying on static examples.<\/p>\n\n\n\n
                                                                                                      Expected outcome<\/strong>:\n– The console shows the cluster registration progressing.\n– Agents are installed in the cluster (you will see pods in a system namespace created by the wizard).<\/p>\n\n\n\n
                                                                                                      To confirm agent pods are running, list pods in relevant namespaces. The wizard will tell you which namespace(s) to check; common patterns include a dedicated namespace for connect\/fleet agents.<\/p>\n\n\n\n
                                                                                                      Example command (namespace name will vary\u2014use the wizard\u2019s namespace):<\/p>\n\n\n\n
                                                                                                      kubectl get pods -A | grep -iE \"connect|gke|hub|fleet\"\n<\/code><\/pre>\n\n\n\n
                                                                                                      Step 6: Verify the cluster appears in Google Cloud<\/h3>\n\n\n\n
                                                                                                      In Google Cloud Console:\n– Navigate to the attached clusters\/fleet memberships view.\n– Confirm the cluster status is Ready \/ Connected<\/strong> (wording varies).<\/p>\n\n\n\n
                                                                                                      From gcloud<\/code>, you can also list fleet memberships (command group names may evolve). If gcloud<\/code> suggests a command via autocompletion, follow it. Example pattern to try:<\/p>\n\n\n\n
                                                                                                      gcloud container fleet memberships list\n<\/code><\/pre>\n\n\n\n
                                                                                                      If that command is not available in your installed gcloud<\/code> components, update components:<\/p>\n\n\n\n
                                                                                                      gcloud components update\n<\/code><\/pre>\n\n\n\n
                                                                                                      Then retry. If still missing, use the console for verification.<\/p>\n\n\n\n
                                                                                                      Expected outcome<\/strong>:\n– The cluster is visible in Google Cloud as an attached cluster\/fleet membership.\n– Status indicates connectivity.<\/p>\n\n\n\n
                                                                                                      Step 7 (Optional): Access the cluster via Google Cloud (Connect Gateway)<\/h3>\n\n\n\n
                                                                                                      If your organization enables Connect Gateway for attached clusters, the console typically provides a \u201cConnect\u201d button or a command to retrieve credentials.<\/p>\n\n\n\n
                                                                                                      Because the exact gcloud get-credentials<\/code> command has changed across releases and products, use the console-provided<\/strong> command for your cluster.<\/p>\n\n\n\n
                                                                                                      Once configured, verify access:<\/p>\n\n\n\n
                                                                                                      kubectl get namespaces\nkubectl get nodes\n<\/code><\/pre>\n\n\n\n
                                                                                                      Expected outcome<\/strong>:\n– You can run kubectl<\/code> commands via the Google Cloud-mediated access path (if enabled).<\/p>\n\n\n\n
                                                                                                      If Connect Gateway is not enabled\/available for your cluster type, you can still validate the attachment by viewing status in Google Cloud and continuing to use your existing kubeconfig path.<\/p>\n\n\n\n
                                                                                                      Step 8: Deploy a sample workload and verify it runs<\/h3>\n\n\n\n
                                                                                                      Deploy a small, safe workload (nginx) into a dedicated namespace:<\/p>\n\n\n\n
                                                                                                      kubectl create namespace attached-lab\nkubectl -n attached-lab create deployment web --image=nginx:stable\nkubectl -n attached-lab expose deployment web --port=80 --type=ClusterIP\nkubectl -n attached-lab rollout status deployment\/web\nkubectl -n attached-lab get pods -o wide\nkubectl -n attached-lab get svc web\n<\/code><\/pre>\n\n\n\n
                                                                                                      Expected outcome<\/strong>:\n– Deployment becomes available.\n– One or more pods are Running.<\/p>\n\n\n\n
                                                                                                      Optional: Port-forward to test locally (from the machine running kubectl<\/code>):<\/p>\n\n\n\n
                                                                                                      kubectl -n attached-lab port-forward svc\/web 8080:80\n<\/code><\/pre>\n\n\n\n
                                                                                                      Then in another terminal:<\/p>\n\n\n\n
                                                                                                      curl -I http:\/\/localhost:8080\n<\/code><\/pre>\n\n\n\n
                                                                                                      Expected outcome<\/strong>: HTTP 200 response headers from nginx.<\/p>\n\n\n\n
                                                                                                      Validation<\/h3>\n\n\n\n
                                                                                                      Use this checklist:<\/p>\n\n\n\n
                                                                                                        \n
                                                                                                      • In Google Cloud Console:<\/li>\n
                                                                                                      • Cluster appears under attached clusters \/ fleet memberships<\/li>\n
                                                                                                      • Status is connected\/ready<\/li>\n
                                                                                                      • \n
                                                                                                        (If available) you can see cluster metadata and basic health<\/p>\n<\/li>\n
                                                                                                      • \n
                                                                                                        In Kubernetes:<\/p>\n<\/li>\n
                                                                                                      • Agent pods are running (in the namespace(s) created by the wizard)<\/li>\n
                                                                                                      • Sample workload pods are running in attached-lab<\/code><\/li>\n<\/ul>\n\n\n\n
                                                                                                        Commands:<\/p>\n\n\n\n
                                                                                                        kubectl -n attached-lab get all\nkubectl get pods -A | head\nkubectl get events -A --sort-by=.lastTimestamp | tail -n 30\n<\/code><\/pre>\n\n\n\n
                                                                                                        Troubleshooting<\/h3>\n\n\n\n
                                                                                                        Common problems and fixes:<\/p>\n\n\n\n
                                                                                                        1) Cluster shows \u201cNot connected\u201d \/ \u201cPending\u201d<\/strong>\n– Cause: egress blocked from cluster to required Google endpoints.\n– Fix:\n  – Confirm DNS resolution and outbound HTTPS (443) from nodes\/pods.\n  – If using a proxy, ensure agent components are configured to use it (follow official docs for proxy configuration\u2014do not guess).\n  – Check firewall allowlists.<\/p>\n\n\n\n
                                                                                                        2) Agent pods CrashLoopBackOff<\/strong>\n– Cause: missing permissions, wrong cluster version, incompatible admission policies, or network restrictions.\n– Fix:\n  – Inspect logs:\n    bash\n    kubectl -n <agent-namespace> logs <pod-name> --previous\n    kubectl -n <agent-namespace> describe pod <pod-name><\/code>\n  – Confirm Kubernetes version compatibility per docs.\n  – Temporarily relax restrictive policies that block the agent pods (for example, PodSecurity) and then re-harden after.<\/p>\n\n\n\n
                                                                                                        3) kubectl<\/code> works locally but not via Google Cloud gateway<\/strong>\n– Cause: IAM\/RBAC mapping not configured, gateway not enabled, or org policy restrictions.\n– Fix:\n  – Use the console \u201cConnect\u201d guidance for the exact command.\n  – Confirm your Google identity has the necessary roles to use the gateway and the cluster grants RBAC permissions to that identity mapping.\n  – Check fleet feature enablement.<\/p>\n\n\n\n
                                                                                                        4) Console wizard commands fail<\/strong>\n– Cause: stale token, wrong kube context, or insufficient cluster-admin permissions.\n– Fix:\n  – Ensure kubectl config current-context<\/code> is the correct cluster.\n  – Confirm you are cluster-admin for install step.\n  – Re-run wizard to regenerate commands.<\/p>\n\n\n\n
                                                                                                        Cleanup<\/h3>\n\n\n\n
                                                                                                        Clean up in this order to avoid orphaned memberships or agents:<\/p>\n\n\n\n
                                                                                                        1) Delete the sample workload:<\/p>\n\n\n\n
                                                                                                        kubectl delete namespace attached-lab\n<\/code><\/pre>\n\n\n\n
                                                                                                        2) In Google Cloud Console:\n– Detach\/unregister the attached cluster (use the attached clusters page).\n– Confirm the membership is removed or marked as deleted.<\/p>\n\n\n\n
                                                                                                        3) Remove agents from the external cluster\nThe console\/docs usually provide an uninstall manifest or command sequence. Use the official uninstall steps<\/strong> for your cluster type to avoid leaving CRDs\/namespaces behind.<\/p>\n\n\n\n
                                                                                                        4) Optional: delete the Google Cloud project if this was a dedicated lab project.<\/p>\n\n\n\n
                                                                                                        gcloud projects delete PROJECT_ID\n<\/code><\/pre>\n\n\n\n
                                                                                                        \n\n\n\n
                                                                                                        11. Best Practices<\/h2>\n\n\n\n
                                                                                                        Architecture best practices<\/h3>\n\n\n\n
                                                                                                          \n
                                                                                                        • Design a fleet taxonomy<\/strong>: define naming, labels, environments (dev\/stage\/prod), and ownership metadata.<\/li>\n
                                                                                                        • Separate duties<\/strong>: use separate projects or separate fleets (where supported) for production vs non-production.<\/li>\n
                                                                                                        • Standardize cluster baselines<\/strong>: ensure minimum Kubernetes versions, required addons, and consistent node OS policies across all attached clusters.<\/li>\n<\/ul>\n\n\n\n
                                                                                                          IAM\/security best practices<\/h3>\n\n\n\n
                                                                                                            \n
                                                                                                          • Use least privilege<\/strong>:<\/li>\n
                                                                                                          • Separate roles for \u201cattach\/register clusters\u201d vs \u201cview cluster inventory\u201d vs \u201coperate workloads\u201d.<\/li>\n
                                                                                                          • Use dedicated service accounts for automation; avoid personal credentials for cluster registration.<\/li>\n
                                                                                                          • Enforce MFA and conditional access for administrators where possible (Google Cloud identity controls).<\/li>\n
                                                                                                          • Review Cloud Audit Logs for fleet and attachment actions.<\/li>\n<\/ul>\n\n\n\n
                                                                                                            Cost best practices<\/h3>\n\n\n\n
                                                                                                              \n
                                                                                                            • Treat centralized logging as a budget item:<\/li>\n
                                                                                                            • Filter noisy namespaces<\/li>\n
                                                                                                            • Reduce retention for debug logs<\/li>\n
                                                                                                            • Prefer metrics over logs for common SLO signals<\/li>\n
                                                                                                            • Attach only clusters that need centralized governance; avoid attaching short-lived ephemeral clusters unless required.<\/li>\n
                                                                                                            • If GKE Enterprise licensing applies, right-size<\/strong> your licensed footprint and confirm how vCPU counts are measured (verify in official pricing).<\/li>\n<\/ul>\n\n\n\n
                                                                                                              Performance best practices<\/h3>\n\n\n\n
                                                                                                                \n
                                                                                                              • Keep management traffic separate from application traffic where possible.<\/li>\n
                                                                                                              • Avoid making fleet policies overly chatty or frequently reconciling large configs across many clusters.<\/li>\n
                                                                                                              • Use regional endpoints and approved egress paths to minimize latency for management operations.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                Reliability best practices<\/h3>\n\n\n\n
                                                                                                                  \n
                                                                                                                • Plan for management-plane outages<\/strong> vs cluster-plane outages<\/strong>:<\/li>\n
                                                                                                                • The external cluster should keep running workloads even if management connectivity is temporarily impaired.<\/li>\n
                                                                                                                • Document runbooks for:<\/li>\n
                                                                                                                • Attachment failures<\/li>\n
                                                                                                                • Agent upgrades<\/li>\n
                                                                                                                • Connectivity troubleshooting<\/li>\n
                                                                                                                • Back up critical cluster resources and etcd as appropriate for your distribution (GKE Attached Clusters does not automatically back up your external cluster).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                  Operations best practices<\/h3>\n\n\n\n
                                                                                                                    \n
                                                                                                                  • Standardize:<\/li>\n
                                                                                                                  • Namespaces<\/li>\n
                                                                                                                  • Resource quotas\/limits<\/li>\n
                                                                                                                  • Pod security controls<\/li>\n
                                                                                                                  • Network policies (where applicable)<\/li>\n
                                                                                                                  • Establish an SRE \u201cgolden signals\u201d approach per cluster and per workload.<\/li>\n
                                                                                                                  • Use change management for fleet policy updates\u2014treat them as high blast-radius changes.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                    Governance\/tagging\/naming best practices<\/h3>\n\n\n\n
                                                                                                                      \n
                                                                                                                    • Use consistent naming conventions:<\/li>\n
                                                                                                                    • env-region-platform-team-clusterNN<\/code><\/li>\n
                                                                                                                    • Apply labels such as:<\/li>\n
                                                                                                                    • env=prod|staging|dev<\/code><\/li>\n
                                                                                                                    • owner=team-name<\/code><\/li>\n
                                                                                                                    • data_classification=restricted|internal|public<\/code><\/li>\n
                                                                                                                    • platform=onprem|aws|azure<\/code><\/li>\n
                                                                                                                    • Document ownership and escalation paths in a centralized registry.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                      \n\n\n\n
                                                                                                                      12. Security Considerations<\/h2>\n\n\n\n
                                                                                                                      Identity and access model<\/h3>\n\n\n\n
                                                                                                                        \n
                                                                                                                      • Google Cloud IAM<\/strong> governs management-plane actions:<\/li>\n
                                                                                                                      • Who can attach\/detach clusters<\/li>\n
                                                                                                                      • Who can view memberships<\/li>\n
                                                                                                                      • Who can enable fleet features<\/li>\n
                                                                                                                      • Kubernetes RBAC<\/strong> governs in-cluster actions:<\/li>\n
                                                                                                                      • Who can create pods, modify services, access secrets, etc.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                        Best practice:\n– Treat \u201cfleet admin\u201d as a sensitive role; tightly control who can register clusters because attachment installs privileged agents and changes cluster state.<\/p>\n\n\n\n
                                                                                                                        Encryption<\/h3>\n\n\n\n
                                                                                                                          \n
                                                                                                                        • Management-plane API calls are over TLS.<\/li>\n
                                                                                                                        • In-cluster communication is governed by Kubernetes and your CNI\/service mesh if used.<\/li>\n
                                                                                                                        • Secrets in the cluster should be protected with Kubernetes best practices (encryption at rest in etcd if available, restricted RBAC, secret rotation). GKE Attached Clusters does not automatically fix weak secret handling in your cluster.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                          Network exposure<\/h3>\n\n\n\n
                                                                                                                            \n
                                                                                                                          • Prefer outbound-only<\/strong> connectivity where possible.<\/li>\n
                                                                                                                          • Avoid exposing the Kubernetes API server publicly. If you must, lock it down with IP allowlists, private endpoints, and strong auth.<\/li>\n
                                                                                                                          • If using Connect Gateway, ensure you understand:<\/li>\n
                                                                                                                          • Which identities can access it<\/li>\n
                                                                                                                          • How it maps to Kubernetes RBAC<\/li>\n
                                                                                                                          • What auditing is available<\/li>\n<\/ul>\n\n\n\n
                                                                                                                            Secrets handling<\/h3>\n\n\n\n
                                                                                                                              \n
                                                                                                                            • Do not store long-lived credentials in plain manifests.<\/li>\n
                                                                                                                            • Use a secrets manager suitable for your environment.<\/li>\n
                                                                                                                            • Rotate any credentials created during registration if your security policy requires it (follow official guidance for credential rotation).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                              Audit\/logging<\/h3>\n\n\n\n
                                                                                                                                \n
                                                                                                                              • Enable and retain:<\/li>\n
                                                                                                                              • Google Cloud Audit Logs for fleet\/attached cluster operations<\/li>\n
                                                                                                                              • Kubernetes audit logs on the external cluster if required for compliance (varies by distribution)<\/li>\n
                                                                                                                              • Build alerts for:<\/li>\n
                                                                                                                              • New cluster attachment events<\/li>\n
                                                                                                                              • Changes to fleet policies<\/li>\n
                                                                                                                              • Unexpected changes in agent namespaces<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                Compliance considerations<\/h3>\n\n\n\n
                                                                                                                                  \n
                                                                                                                                • Data residency: understand where management metadata is stored and processed.<\/li>\n
                                                                                                                                • Regulated environments may require private connectivity and strict egress controls.<\/li>\n
                                                                                                                                • Ensure agent installation is approved by security\/compliance.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                  Common security mistakes<\/h3>\n\n\n\n
                                                                                                                                    \n
                                                                                                                                  • Allowing broad \u201cowner\u201d permissions to too many users.<\/li>\n
                                                                                                                                  • Attaching clusters without a clear ownership model.<\/li>\n
                                                                                                                                  • Enabling gateway access without tightening Kubernetes RBAC.<\/li>\n
                                                                                                                                  • Centralizing all logs without filtering (exfiltration risk + cost).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                    Secure deployment recommendations<\/h3>\n\n\n\n
                                                                                                                                      \n
                                                                                                                                    • Start with a pilot fleet:<\/li>\n
                                                                                                                                    • 1\u20132 non-production clusters<\/li>\n
                                                                                                                                    • Minimal features enabled<\/li>\n
                                                                                                                                    • Perform a security review of:<\/li>\n
                                                                                                                                    • Agent permissions<\/li>\n
                                                                                                                                    • Network egress rules<\/li>\n
                                                                                                                                    • IAM roles and conditional access<\/li>\n
                                                                                                                                    • Roll out baseline policies gradually with staged enforcement.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                      \n\n\n\n
                                                                                                                                      13. Limitations and Gotchas<\/h2>\n\n\n\n
                                                                                                                                      Because attached clusters span environments, limitations often come from compatibility, networking, and lifecycle responsibilities.<\/p>\n\n\n\n
                                                                                                                                      Known limitations (typical)<\/h3>\n\n\n\n
                                                                                                                                        \n
                                                                                                                                      • Lifecycle ownership remains with you<\/strong>: upgrades, node patching, and cluster operations are still your responsibility.<\/li>\n
                                                                                                                                      • Platform\/version compatibility<\/strong>: only certain Kubernetes distributions\/versions may be supported.<\/li>\n
                                                                                                                                      • Feature parity<\/strong>: not all GKE features apply to attached clusters.<\/li>\n
                                                                                                                                      • Network dependency<\/strong>: agents require reliable outbound connectivity to Google endpoints (or approved private\/proxy paths).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                        Quotas<\/h3>\n\n\n\n
                                                                                                                                          \n
                                                                                                                                        • Limits on number of memberships per project\/fleet may apply.<\/li>\n
                                                                                                                                        • API quotas apply for fleet and management endpoints.\nVerify in:<\/li>\n
                                                                                                                                        • Google Cloud console quotas<\/li>\n
                                                                                                                                        • Attached clusters documentation<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                          Regional constraints<\/h3>\n\n\n\n
                                                                                                                                            \n
                                                                                                                                          • Some fleet resources use a specific \u201clocation\u201d concept (often global).<\/li>\n
                                                                                                                                          • Some features are regional or have limited availability by location.\nVerify in official docs for your setup.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                            Pricing surprises<\/h3>\n\n\n\n
                                                                                                                                              \n
                                                                                                                                            • Observability ingestion costs can dominate.<\/li>\n
                                                                                                                                            • Enterprise licensing\/subscription costs can be significant at scale.<\/li>\n
                                                                                                                                            • Cross-cloud egress charges can add up (external cluster sending telemetry to Google Cloud).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                              Compatibility issues<\/h3>\n\n\n\n
                                                                                                                                                \n
                                                                                                                                              • Strict admission policies (PodSecurity, OPA\/Gatekeeper, Kyverno) may block agent components until allowlisted.<\/li>\n
                                                                                                                                              • Network policies or proxy restrictions can break agent communication.<\/li>\n
                                                                                                                                              • Custom CNI behavior can impact telemetry\/agent connectivity.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                Operational gotchas<\/h3>\n\n\n\n
                                                                                                                                                  \n
                                                                                                                                                • If you detach incorrectly, you may leave:<\/li>\n
                                                                                                                                                • orphaned namespaces<\/li>\n
                                                                                                                                                • CRDs<\/li>\n
                                                                                                                                                • lingering IAM\/service-account bindings<\/li>\n
                                                                                                                                                • If cluster credentials rotate, agent access may need updating (follow official guidance).<\/li>\n
                                                                                                                                                • Over-centralizing policy changes can create large blast radius.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                  Migration challenges<\/h3>\n\n\n\n
                                                                                                                                                    \n
                                                                                                                                                  • Attaching a cluster is not the same as migrating workloads to GKE.<\/li>\n
                                                                                                                                                  • Differences in load balancers, storage classes, and ingress controllers remain.<\/li>\n
                                                                                                                                                  • Plan workload portability separately (Helm\/Kustomize, CI\/CD, IaC).<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                    Vendor-specific nuances<\/h3>\n\n\n\n
                                                                                                                                                      \n
                                                                                                                                                    • On managed Kubernetes services in other clouds, some cluster-level settings are controlled by that provider and cannot be changed freely.<\/li>\n
                                                                                                                                                    • In on-prem clusters, your corporate network constraints may be the biggest blocker.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      14. Comparison with Alternatives<\/h2>\n\n\n\n
                                                                                                                                                      GKE Attached Clusters is one option in a broader hybrid\/multicloud toolkit.<\/p>\n\n\n\n
                                                                                                                                                      \n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                      Option<\/th>\nBest For<\/th>\nStrengths<\/th>\nWeaknesses<\/th>\nWhen to Choose<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                      GKE Attached Clusters (Google Cloud)<\/strong><\/td>\nManaging existing non-GKE Kubernetes with Google Cloud fleet governance<\/td>\nCentral fleet model, consistent governance patterns, Google Cloud IAM\/Audit integration<\/td>\nRequires agents + connectivity; external cluster lifecycle remains yours; licensing may apply<\/td>\nYou already run Kubernetes elsewhere and want centralized governance in Google Cloud<\/td>\n<\/tr>\n
                                                                                                                                                      Native GKE (Google Cloud)<\/strong><\/td>\nRunning Kubernetes on Google Cloud<\/td>\nFully managed GKE experience, deep integration, simpler ops<\/td>\nRequires migrating workloads; not for clusters that must remain external<\/td>\nYou can run workloads in Google Cloud and want managed Kubernetes<\/td>\n<\/tr>\n
                                                                                                                                                      GKE on AWS \/ GKE on Azure (Google Cloud)<\/strong><\/td>\nRunning Google-managed Kubernetes distributions in other clouds (where offered)<\/td>\nMore consistent \u201cGKE-like\u201d experience across clouds<\/td>\nDifferent from \u201cattached\u201d; may require new clusters; availability\/packaging varies<\/td>\nYou want GKE-managed clusters in other clouds rather than attaching existing clusters<\/td>\n<\/tr>\n
                                                                                                                                                      Google Distributed Cloud (Google Cloud)<\/strong><\/td>\nOn-prem\/edge environments needing Google-managed platform components<\/td>\nDesigned for on-prem\/edge; consistent Google platform approach<\/td>\nRequires adopting that platform; not just \u201cattach existing\u201d<\/td>\nYou are building\/standardizing on Google\u2019s on-prem offering<\/td>\n<\/tr>\n
                                                                                                                                                      Azure Arc-enabled Kubernetes (Microsoft Azure)<\/strong><\/td>\nManaging external Kubernetes with Azure governance<\/td>\nAzure-native governance and policy model<\/td>\nLocks into Azure management plane<\/td>\nYour management plane strategy is Azure-centric<\/td>\n<\/tr>\n
                                                                                                                                                      Amazon EKS Anywhere \/ AWS systems management tools<\/strong><\/td>\nManaging on-prem clusters with AWS patterns<\/td>\nAWS-centric hybrid story<\/td>\nAWS management plane dependency<\/td>\nYour strategy is AWS-centric<\/td>\n<\/tr>\n
                                                                                                                                                      Rancher (SUSE)<\/strong><\/td>\nMulti-cluster Kubernetes management across environments<\/td>\nStrong multi-cluster UI, broad distro support, self-managed control<\/td>\nYou operate the management plane; security\/HA is on you<\/td>\nYou want vendor-neutral(ish) self-managed multi-cluster management<\/td>\n<\/tr>\n
                                                                                                                                                      Open-source GitOps + observability stack<\/strong><\/td>\nTeams that want full control and portability<\/td>\nMaximum control and vendor neutrality<\/td>\nHigh operational burden; integration is DIY<\/td>\nYou have strong platform engineering capacity and want to avoid vendor control planes<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      15. Real-World Example<\/h2>\n\n\n\n
                                                                                                                                                      Enterprise example: Financial services hybrid governance<\/h3>\n\n\n\n
                                                                                                                                                      Problem<\/strong>\nA bank runs Kubernetes clusters:\n– On-prem (data residency and latency)\n– In another cloud (legacy teams)\nThey need consistent governance, auditability, and reduced risk without a forced migration.<\/p>\n\n\n\n
                                                                                                                                                      Proposed architecture<\/strong>\n– Attach all external clusters as GKE Attached Clusters<\/strong> into a Google Cloud fleet.\n– Use Google Cloud IAM for centralized access control to fleet resources.\n– Enable fleet-level policy\/config management (where licensed and supported) to enforce:\n  – baseline pod security requirements\n  – required labels\/annotations\n  – restricted registries\n– Use Connect Gateway (if approved) to avoid exposing K8s APIs.\n– Centralize key operational telemetry (select logs\/metrics) into Google Cloud for uniform dashboards.<\/p>\n\n\n\n
                                                                                                                                                      Why this service was chosen<\/strong>\n– The bank can keep clusters where they must run but still standardize governance and auditing.\n– Incremental rollout: attach a few clusters first, then expand.\n– Strong alignment with a Google Cloud-centered governance model.<\/p>\n\n\n\n
                                                                                                                                                      Expected outcomes<\/strong>\n– Auditable inventory of clusters and ownership.\n– Reduced configuration drift.\n– Faster incident response due to consistent access and visibility.\n– Clear path to migrate selected workloads to GKE later, without blocking governance improvements today.<\/p>\n\n\n\n
                                                                                                                                                      Startup\/small-team example: Multicloud customer requirement<\/h3>\n\n\n\n
                                                                                                                                                      Problem<\/strong>\nA startup runs workloads primarily on Google Cloud but has a customer requiring deployment into the customer\u2019s existing Kubernetes environment (another cloud or on-prem). The startup needs visibility and consistent operational processes without building a custom management plane.<\/p>\n\n\n\n
                                                                                                                                                      Proposed architecture<\/strong>\n– Customer environment cluster is attached as a GKE Attached Cluster<\/strong> into a dedicated Google Cloud project\/fleet.\n– Use strict IAM controls and per-customer segmentation.\n– Minimal policy controls: enforce image repository allowlist and baseline resource constraints.\n– Use centralized alerts for only critical signals to limit telemetry costs.<\/p>\n\n\n\n
                                                                                                                                                      Why this service was chosen<\/strong>\n– Avoid building a bespoke multi-cluster management system.\n– Maintain consistent operational workflow across customer-hosted and Google-hosted clusters.<\/p>\n\n\n\n
                                                                                                                                                      Expected outcomes<\/strong>\n– Standardized deployments and operational access.\n– Reduced onboarding time for new customer environments.\n– Clear governance boundaries for customer-specific clusters.<\/p>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      16. FAQ<\/h2>\n\n\n\n
                                                                                                                                                      1) What exactly is \u201cattached\u201d in GKE Attached Clusters?<\/strong>\nThe external Kubernetes cluster is registered into a Google Cloud fleet as a membership, and agents are installed into the cluster to enable secure communication and management features. The cluster continues to run in its original environment.<\/p>\n\n\n\n
                                                                                                                                                      2) Does attaching a cluster move my workloads to Google Cloud?<\/strong>\nNo. Workloads and nodes remain where they are. Attaching is about management and governance, not migration.<\/p>\n\n\n\n
                                                                                                                                                      3) Do I need to open inbound firewall ports to my Kubernetes API server?<\/strong>\nOften you can avoid inbound exposure because agents typically use outbound connections. If you use Connect Gateway, admin access can be mediated through Google Cloud. Verify your specific cluster type and docs.<\/p>\n\n\n\n
                                                                                                                                                      4) Is GKE Attached Clusters the same as GKE on AWS\/Azure?<\/strong>\nNo. GKE on AWS\/Azure refers to running Google-managed Kubernetes distributions in those clouds (where offered). Attached clusters typically refer to registering existing clusters for management.<\/p>\n\n\n\n
                                                                                                                                                      5) What Kubernetes distributions are supported?<\/strong>\nSupport varies by release and offering. Check the official \u201cattached clusters\u201d documentation for the supported platforms and versions:\nhttps:\/\/cloud.google.com\/kubernetes-engine\/docs\/concepts\/attached-clusters<\/p>\n\n\n\n
                                                                                                                                                      6) Who should be allowed to attach clusters?<\/strong>\nOnly a tightly controlled platform\/security admin group. Attaching installs agents and creates a management trust relationship\u2014treat it as a high-privilege action.<\/p>\n\n\n\n
                                                                                                                                                      7) Do I still need Kubernetes RBAC if I use Google Cloud IAM?<\/strong>\nYes. IAM controls Google Cloud resources and management-plane permissions. Kubernetes RBAC still governs actions inside the cluster.<\/p>\n\n\n\n
                                                                                                                                                      8) Can I use kubectl<\/code> from Google Cloud Console to access an attached cluster?<\/strong>\nIn many cases, yes via Connect Gateway or console-provided connection methods, but availability depends on configuration and cluster type. Follow the console \u201cConnect\u201d guidance for your cluster.<\/p>\n\n\n\n
                                                                                                                                                      9) What happens if the attached cluster loses internet access?<\/strong>\nWorkloads keep running, but management connectivity and fleet status updates may degrade. Plan for intermittent connectivity and define operational runbooks.<\/p>\n\n\n\n
                                                                                                                                                      10) Can I centrally enforce policies across attached clusters?<\/strong>\nOften yes via fleet policy\/config features, but licensing and compatibility matter. Verify which policy tools are supported for your cluster type.<\/p>\n\n\n\n
                                                                                                                                                      11) Do attached clusters automatically upgrade Kubernetes versions?<\/strong>\nGenerally no. Attached cluster lifecycle remains your responsibility. You must plan and execute upgrades in the external environment.<\/p>\n\n\n\n
                                                                                                                                                      12) Is there a cost per attached cluster?<\/strong>\nPricing is commonly tied to GKE Enterprise licensing\/subscription and telemetry usage rather than a simple per-cluster fee, but it can vary. Check:\nhttps:\/\/cloud.google.com\/kubernetes-engine\/enterprise\/pricing<\/p>\n\n\n\n
                                                                                                                                                      13) Can I attach clusters across multiple Google Cloud projects?<\/strong>\nYes, fleets and memberships are organized per project. Many organizations use separate projects for prod vs non-prod or per business unit.<\/p>\n\n\n\n
                                                                                                                                                      14) Can I detach a cluster safely?<\/strong>\nYes, but follow official detach\/uninstall steps to remove agents and avoid leaving orphaned resources. Always test detach in non-prod first.<\/p>\n\n\n\n
                                                                                                                                                      15) What\u2019s the first \u201cquick win\u201d after attaching?<\/strong>\nA common quick win is central inventory + standardized access<\/strong> (and possibly gateway-based access) before rolling out broad policy enforcement.<\/p>\n\n\n\n
                                                                                                                                                      16) Does attaching affect my application traffic?<\/strong>\nTypically no. Attaching focuses on management-plane traffic. Your application network paths remain the same unless you also deploy mesh or other network components.<\/p>\n\n\n\n
                                                                                                                                                      17) Can I use this for edge clusters?<\/strong>\nPotentially, as long as connectivity and support requirements are met. Many edge environments attach for governance, but you must validate network and support constraints.<\/p>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      17. Top Online Resources to Learn GKE Attached Clusters<\/h2>\n\n\n\n
                                                                                                                                                      \n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
                                                                                                                                                      Resource Type<\/th>\nName<\/th>\nWhy It Is Useful<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                      Official documentation<\/td>\nGKE Attached clusters overview<\/td>\nPrimary source for supported platforms, architecture, and setup steps: https:\/\/cloud.google.com\/kubernetes-engine\/docs\/concepts\/attached-clusters<\/td>\n<\/tr>\n
                                                                                                                                                      Official documentation<\/td>\nFleet concepts<\/td>\nExplains the fleet model, memberships, and multi-cluster management: https:\/\/cloud.google.com\/kubernetes-engine\/docs\/concepts\/fleet<\/td>\n<\/tr>\n
                                                                                                                                                      Official documentation<\/td>\nGKE documentation home<\/td>\nEntry point for related GKE topics and current navigation: https:\/\/cloud.google.com\/kubernetes-engine\/docs<\/td>\n<\/tr>\n
                                                                                                                                                      Official pricing<\/td>\nGKE Enterprise pricing<\/td>\nLicensing\/subscription information (verify SKUs and requirements): https:\/\/cloud.google.com\/kubernetes-engine\/enterprise\/pricing<\/td>\n<\/tr>\n
                                                                                                                                                      Pricing tool<\/td>\nGoogle Cloud Pricing Calculator<\/td>\nBuild scenario-based estimates: https:\/\/cloud.google.com\/products\/calculator<\/td>\n<\/tr>\n
                                                                                                                                                      Official documentation<\/td>\nCloud SDK (gcloud) install<\/td>\nRequired tooling for many workflows: https:\/\/cloud.google.com\/sdk\/docs\/install<\/td>\n<\/tr>\n
                                                                                                                                                      Official documentation<\/td>\nCloud Audit Logs<\/td>\nUnderstand audit events for changes in Google Cloud: https:\/\/cloud.google.com\/logging\/docs\/audit<\/td>\n<\/tr>\n
                                                                                                                                                      Official documentation<\/td>\nCloud Logging pricing<\/td>\nEstimate ingestion\/retention costs if centralizing logs: https:\/\/cloud.google.com\/logging\/pricing<\/td>\n<\/tr>\n
                                                                                                                                                      Official documentation<\/td>\nCloud Monitoring pricing<\/td>\nUnderstand metrics cost model: https:\/\/cloud.google.com\/monitoring\/pricing<\/td>\n<\/tr>\n
                                                                                                                                                      Official documentation<\/td>\nAnthos Config Management \/ Config Sync docs<\/td>\nIf using GitOps\/policy tooling (verify current product naming): https:\/\/cloud.google.com\/anthos-config-management\/docs<\/td>\n<\/tr>\n
                                                                                                                                                      Official docs \/ learning<\/td>\nGoogle Cloud Architecture Center<\/td>\nReference architectures (search for fleet\/hybrid Kubernetes patterns): https:\/\/cloud.google.com\/architecture<\/td>\n<\/tr>\n
                                                                                                                                                      Official videos<\/td>\nGoogle Cloud Tech YouTube channel<\/td>\nProduct overviews and deep dives (search for fleet\/attached clusters): https:\/\/www.youtube.com\/@googlecloudtech<\/td>\n<\/tr>\n
                                                                                                                                                      Trusted community<\/td>\nKubernetes docs (kubectl, RBAC, networking)<\/td>\nFoundational Kubernetes knowledge used in all attached cluster operations: https:\/\/kubernetes.io\/docs\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      18. Training and Certification Providers<\/h2>\n\n\n\n
                                                                                                                                                      \n\n\n\n\n\n\n\n\n
                                                                                                                                                      Institute<\/th>\nSuitable Audience<\/th>\nLikely Learning Focus<\/th>\nMode<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                      DevOpsSchool.com<\/td>\nDevOps engineers, SREs, platform teams<\/td>\nDevOps, Kubernetes, CI\/CD, cloud operations; may include Google Cloud topics<\/td>\nCheck website<\/td>\nhttps:\/\/www.devopsschool.com<\/td>\n<\/tr>\n
                                                                                                                                                      ScmGalaxy.com<\/td>\nBeginners to intermediate engineers<\/td>\nSoftware configuration management, DevOps fundamentals, tooling<\/td>\nCheck website<\/td>\nhttps:\/\/www.scmgalaxy.com<\/td>\n<\/tr>\n
                                                                                                                                                      CLoudOpsNow.in<\/td>\nCloud engineers, ops teams<\/td>\nCloud operations, automation, monitoring practices<\/td>\nCheck website<\/td>\nhttps:\/\/www.cloudopsnow.in<\/td>\n<\/tr>\n
                                                                                                                                                      SreSchool.com<\/td>\nSREs, reliability engineers, platform teams<\/td>\nSRE practices, observability, incident management, reliability engineering<\/td>\nCheck website<\/td>\nhttps:\/\/www.sreschool.com<\/td>\n<\/tr>\n
                                                                                                                                                      AiOpsSchool.com<\/td>\nOps teams, SREs, architects<\/td>\nAIOps concepts, automation, monitoring analytics<\/td>\nCheck website<\/td>\nhttps:\/\/www.aiopsschool.com<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      19. Top Trainers<\/h2>\n\n\n\n
                                                                                                                                                      \n\n\n\n\n\n\n\n
                                                                                                                                                      Platform\/Site<\/th>\nLikely Specialization<\/th>\nSuitable Audience<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                      RajeshKumar.xyz<\/td>\nDevOps\/Kubernetes\/cloud training content (verify offerings)<\/td>\nEngineers seeking guided training<\/td>\nhttps:\/\/www.rajeshkumar.xyz<\/td>\n<\/tr>\n
                                                                                                                                                      devopstrainer.in<\/td>\nDevOps tooling and practices (verify specific curriculum)<\/td>\nBeginners to intermediate DevOps learners<\/td>\nhttps:\/\/www.devopstrainer.in<\/td>\n<\/tr>\n
                                                                                                                                                      devopsfreelancer.com<\/td>\nFreelance DevOps help\/training platform (verify services)<\/td>\nTeams seeking flexible support<\/td>\nhttps:\/\/www.devopsfreelancer.com<\/td>\n<\/tr>\n
                                                                                                                                                      devopssupport.in<\/td>\nDevOps support and training (verify offerings)<\/td>\nOperations teams and engineers<\/td>\nhttps:\/\/www.devopssupport.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      20. Top Consulting Companies<\/h2>\n\n\n\n
                                                                                                                                                      \n\n\n\n\n\n\n
                                                                                                                                                      Company<\/th>\nLikely Service Area<\/th>\nWhere They May Help<\/th>\nConsulting Use Case Examples<\/th>\nWebsite URL<\/th>\n<\/tr>\n<\/thead>\n
                                                                                                                                                      cotocus.com<\/td>\nCloud\/DevOps consulting (verify scope)<\/td>\nArchitecture, migration planning, Kubernetes operations<\/td>\nFleet governance rollout, hybrid connectivity review, operational runbooks<\/td>\nhttps:\/\/www.cotocus.com<\/td>\n<\/tr>\n
                                                                                                                                                      DevOpsSchool.com<\/td>\nDevOps consulting and training services<\/td>\nDevOps process implementation, CI\/CD, Kubernetes enablement<\/td>\nPlatform engineering enablement, policy rollout planning, observability cost optimization<\/td>\nhttps:\/\/www.devopsschool.com<\/td>\n<\/tr>\n
                                                                                                                                                      DEVOPSCONSULTING.IN<\/td>\nDevOps consulting (verify scope)<\/td>\nToolchain integration, automation, operations<\/td>\nMulti-cluster standardization, security hardening, incident response playbooks<\/td>\nhttps:\/\/www.devopsconsulting.in<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n
                                                                                                                                                      \n\n\n\n
                                                                                                                                                      21. Career and Learning Roadmap<\/h2>\n\n\n\n
                                                                                                                                                      What to learn before GKE Attached Clusters<\/h3>\n\n\n\n
                                                                                                                                                      1) Kubernetes fundamentals<\/strong>\n– Pods, Deployments, Services, Ingress\n– RBAC, namespaces, admission controls\n– Basic networking (CNI concepts), DNS, service discovery<\/p>\n\n\n\n
                                                                                                                                                      2) Google Cloud fundamentals<\/strong>\n– Projects, IAM, service accounts\n– VPC concepts, logging\/monitoring basics\n– Cloud Audit Logs and governance basics<\/p>\n\n\n\n
                                                                                                                                                      3) Hybrid\/multicloud basics<\/strong>\n– Network connectivity patterns (egress control, proxies, VPN)\n– Identity federation concepts (where applicable)<\/p>\n\n\n\n
                                                                                                                                                      What to learn after GKE Attached Clusters<\/h3>\n\n\n\n
                                                                                                                                                        \n
                                                                                                                                                      • Fleet governance tooling (policy and config management) and staged rollouts<\/li>\n
                                                                                                                                                      • Advanced observability cost management (logs\/metrics\/traces strategy)<\/li>\n
                                                                                                                                                      • Service mesh (Google Cloud Service Mesh) if you need consistent mTLS and telemetry (verify support for attached clusters)<\/li>\n
                                                                                                                                                      • Multi-cluster deployment strategies (GitOps, progressive delivery)<\/li>\n
                                                                                                                                                      • Security posture management for Kubernetes (benchmarks, supply chain, runtime security)<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                        Job roles that use it<\/h3>\n\n\n\n
                                                                                                                                                          \n
                                                                                                                                                        • Platform Engineer \/ Platform Architect<\/li>\n
                                                                                                                                                        • SRE \/ Site Reliability Engineer<\/li>\n
                                                                                                                                                        • Cloud Architect (hybrid\/multicloud)<\/li>\n
                                                                                                                                                        • DevOps Engineer<\/li>\n
                                                                                                                                                        • Security Engineer (cloud\/k8s governance)<\/li>\n
                                                                                                                                                        • Operations Engineer for enterprise Kubernetes platforms<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                          Certification path (if available)<\/h3>\n\n\n\n
                                                                                                                                                          Google Cloud certifications frequently relevant to this space include:\n– Professional Cloud Architect\n– Professional Cloud DevOps Engineer\n– Associate Cloud Engineer\nFor Kubernetes-specific depth, consider:\n– CNCF CKA\/CKAD\/CKS (vendor-neutral)<\/p>\n\n\n\n
                                                                                                                                                          GKE Attached Clusters itself is usually part of broader fleet\/hybrid platform skills rather than a stand-alone certification topic.<\/p>\n\n\n\n
                                                                                                                                                          Project ideas for practice<\/h3>\n\n\n\n
                                                                                                                                                          1) Attach two non-GKE clusters (dev + stage) and define a fleet taxonomy.\n2) Implement a GitOps repo for baseline namespaces and quotas across clusters.\n3) Create an access model: IAM group \u2192 gateway access \u2192 Kubernetes RBAC bindings.\n4) Build an observability budget:\n   – limit log ingestion with filters\n   – define SLO-based metrics and alerts\n5) Disaster recovery drill runbook for attached clusters (connectivity loss, agent failures, detach\/reattach).<\/p>\n\n\n\n
                                                                                                                                                          \n\n\n\n
                                                                                                                                                          22. Glossary<\/h2>\n\n\n\n
                                                                                                                                                            \n
                                                                                                                                                          • Attached cluster<\/strong>: A Kubernetes cluster running outside Google Cloud that is registered into Google Cloud for management via GKE Attached Clusters.<\/li>\n
                                                                                                                                                          • Fleet<\/strong>: A logical grouping of Kubernetes clusters managed together in Google Cloud using fleet memberships.<\/li>\n
                                                                                                                                                          • Membership<\/strong>: The representation of a cluster inside a fleet (the object that links a real cluster to Google Cloud).<\/li>\n
                                                                                                                                                          • Agent<\/strong>: In-cluster software component installed to enable secure communication and management capabilities with Google Cloud.<\/li>\n
                                                                                                                                                          • Connect Gateway<\/strong>: A Google Cloud capability (where supported) that enables access to a cluster\u2019s Kubernetes API through Google Cloud.<\/li>\n
                                                                                                                                                          • IAM (Identity and Access Management)<\/strong>: Google Cloud\u2019s system for managing who can do what on which resources.<\/li>\n
                                                                                                                                                          • Kubernetes RBAC<\/strong>: Kubernetes\u2019 Role-Based Access Control, controlling in-cluster permissions.<\/li>\n
                                                                                                                                                          • Control plane<\/strong>: The Kubernetes API server and controllers that manage cluster state.<\/li>\n
                                                                                                                                                          • Data plane<\/strong>: Worker nodes and workload traffic (your application runtime traffic).<\/li>\n
                                                                                                                                                          • Hybrid cloud<\/strong>: Architecture spanning on-prem and cloud environments.<\/li>\n
                                                                                                                                                          • Multicloud<\/strong>: Architecture spanning multiple cloud providers.<\/li>\n
                                                                                                                                                          • Observability<\/strong>: Logging, monitoring, tracing, and alerting that help you understand system behavior.<\/li>\n
                                                                                                                                                          • Policy enforcement<\/strong>: Mechanisms (admission control\/policy engines) that restrict or validate Kubernetes resources.<\/li>\n
                                                                                                                                                          • GitOps<\/strong>: Managing infrastructure and application configuration using Git as the source of truth with automated reconciliation.<\/li>\n<\/ul>\n\n\n\n
                                                                                                                                                            \n\n\n\n
                                                                                                                                                            23. Summary<\/h2>\n\n\n\n
                                                                                                                                                            GKE Attached Clusters (Google Cloud) is a fleet management capability in the Distributed, hybrid, and multicloud<\/strong> category that lets you attach existing Kubernetes clusters running outside Google Cloud and manage them centrally.<\/p>\n\n\n\n
                                                                                                                                                            It matters because many organizations already run Kubernetes across on-prem and other clouds. GKE Attached Clusters provides a practical path to improve inventory, access control, governance, and operational consistency without forcing an immediate migration<\/strong>.<\/p>\n\n\n\n
                                                                                                                                                            Cost-wise, plan for two major drivers: your external cluster infrastructure costs and Google Cloud management\/enterprise licensing plus any centralized telemetry ingestion. Security-wise, treat cluster attachment as a privileged operation, design IAM and Kubernetes RBAC carefully, and validate egress\/network requirements early.<\/p>\n\n\n\n
                                                                                                                                                            Use GKE Attached Clusters when you need centralized governance across external Kubernetes clusters and want Google Cloud as the management plane. If you\u2019re fully on Google Cloud and can standardize on native GKE, native GKE may be simpler.<\/p>\n\n\n\n
                                                                                                                                                            Next step: read the official attached clusters documentation and run a pilot with one non-production cluster to validate connectivity, IAM\/RBAC mapping, and your organization\u2019s governance model:\nhttps:\/\/cloud.google.com\/kubernetes-engine\/docs\/concepts\/attached-clusters<\/p>\n","protected":false},"excerpt":{"rendered":"
                                                                                                                                                            Distributed, hybrid, and multicloud<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60,51],"tags":[],"class_list":["post-689","post","type-post","status-publish","format-standard","hentry","category-distributed-hybrid-and-multicloud","category-google-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/689","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=689"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/689\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=689"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=689"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=689"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}