ZPC offers insight into your Google Kubernetes Engines (GKE) clusters. ZPC provides a script for you to download and run on your GKE clusters. The script enables ZPC APIs to access and collect GKE cluster configuration metadata. The script allowlists the ZPC IP address in the GKE cluster's Control plane authorized networks property.

If the GKE cluster is public, and has the Control plane authorized networks property disabled, the cluster is automatically be onboarded on ZPC.

Prerequisites

Before you onboard GKE clusters, you need to:

• Make sure the Kubernetes Engine API is enabled on the GCP service account project and the onboarded project.
• Make sure the service account has the viewer role to collect GKE configuration metadata.

Onboarding GKE Clusters in a single GCP account

To onboard GKE clusters in a single GCP account on ZPC:

1. In the ZPC Admin Portal, go to Administration > Cloud Accounts.
2. Click the Accounts tab.
3. Click the Actions icon, then select the Add Kubernetes Cluster button for a GCP account.

See image.

4. On the Cluster Selection page, you can view and search for the following GKE cluster details available on the selected GKE account:
   • Cluster Name: Name of the GKE cluster.
   • Region: Region of the GKE cluster.
   • Kubernetes Version: Current Kubernetes version running on the cluster.
   • Status: Onboarding status of the cluster (Success, Pending, or Failure).
   • Private Cluster: View whether the cluster is private or public.
   • Control Plane Authorized Networks: View whether the kubernetes cluster has authorized networks enabled or disabled.
   • Private Endpoint Enabled: View the endpoint access type.

   ZPC cannot onboard clusters with private only endpoint access. ZPC also needs you to allowlist your CloudShell IP address if you're onboarding a public and private cluster.

5. Select clusters you want to onboard, then click Next.

See image.

If you have selected public clusters, they are automatically onboarded to ZPC. Hybrid clusters require you to run a bash script on the clusters for ZPC to communicate and collect metadata.

6. On the Cluster Access page, click Download the bash script.
7. Click Log in to the GCP cloud console and execute the bash script.
8. After the script is deployed, in the ZPC Admin Portal, click Finish.

See image.

Onboarding GKE clusters in a GCP organization

You can choose to onboard GKE clusters from multiple account belonging to a single GCP organization. To onboard GKE clusters in a GCP organization on ZPC:

1. In the ZPC Admin Portal, go to Administration > Cloud Accounts.
2. Click the Organizations tab.
3. Click the Actions icon, then select the Add Kubernetes Cluster button for a GCP organization.

See image.

4. On the Cluster Selection page, you can view and search for the following GKE cluster details available on the selected GCP organization:
   • Cluster Name: Name of the GKE cluster.
   • Region: Region of the GKE cluster.
   • Kubernetes Version: Current Kubernetes version running on the cluster.
   • Status: Onboarding status of the cluster (Success, Pending, or Failure).
   • Private Cluster: View whether the cluster is private or public.
   • Control Plane Authorized Networks: View whether the kubernetes cluster has authorized networks enabled or disabled.
   • Private Endpoint Enabled: View the endpoint access type.

   ZPC cannot onboard clusters with private only endpoint access. ZPC also needs you to allowlist your CloudShell IP address if you're onboarding a public and private cluster.

5. Select clusters you want to onboard, then click Next.

See image.

If you have selected public clusters, they are automatically onboarded to ZPC. Hybrid clusters require you to run a bash script on the clusters for ZPC to communicate and collect metadata.

6. On the Cluster Access page, click Download the bash script.
7. Click Log in to the GCP cloud console and execute the bash script.
8. After the script is deployed, in the ZPC Admin Portal, click Finish.

See image.