title: “Set up a Google Kubernetes Engine connector”
og:title: “Set up a Google Kubernetes Engine connector”
description: “C1 provides identity governance for Google Kubernetes Engine (GKE). Integrate your GKE cluster with C1 to run user access reviews (UARs) and manage Kubernetes RBAC roles and the GCP IAM role bindings on the cluster’s project.”
og:description: “C1 provides identity governance for Google Kubernetes Engine (GKE). Integrate your GKE cluster with C1 to run user access reviews (UARs) and manage Kubernetes RBAC roles and the GCP IAM role bindings on the cluster’s project.”
sidebarTitle: “Google Kubernetes Engine”
This connector is in beta. This means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve stability. Beta connectors are generally stable, but they may have limited feature support, incomplete error handling, or occasional issues.We recommend closely monitoring workflows that use this connector and contacting our Support team with any issues or feedback.
Important note on hosting: To run in cloud-hosted mode, this connector requires network access to the Kubernetes API server of your GKE cluster. If this is not desirable or possible, you must run the connector in self-hosted mode.
This connector pulls account, group, and service account information from a GCP connector. The GCP connector must be configured for the same GCP project where the GKE cluster is located — using a GCP connector from a different project will cause identity resolution to fail during provisioning. You’ll configure this relationship when setting up the connector.Notes:
Cluster Roles and Roles are Kubernetes RBAC resources scoped to the connected cluster.
GCP IAM Role Bindings are the IAM bindings from the GCP project where the cluster is located — only those assigned on that specific project, not all IAM roles across your organization.
This connector requires a working GCP connector to source user and group identities. If you have not already done so, set up the GCP connector before you proceed.
To configure the GKE connector, you need a GCP service account. Follow the steps below to create one and obtain the required credentials.
For sync only, the service account must have the following permissions at the project level where the cluster is located:
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.namespaces.get
container.namespaces.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.serviceAccounts.get
container.serviceAccounts.list
resourcemanager.projects.getIamPolicy
For provisioning (Grant/Revoke), the following additional permissions are required:
container.clusterRoleBindings.create
container.clusterRoleBindings.update
container.clusterRoleBindings.delete
container.roleBindings.create
container.roleBindings.update
container.roleBindings.delete
resourcemanager.projects.setIamPolicy
In addition, provisioning Kubernetes RBAC roles (ClusterRoles and Roles) requires the service account to have Kubernetes cluster-admin privileges inside the cluster. This is because Kubernetes prevents granting permissions that the caller does not already hold. See the setup steps below for how to configure this.
1
In the Google Cloud console, open the navigation menu and go to API & Services > Credentials.
2
Click + Create credentials > Service account.
3
Enter a name and description for the service account, then click Done.
4
You are redirected to the credentials page. Find your new service account in the list. Copy its email address (you will need it later), then click on the service account to open it.
5
In the service account page, click the Keys tab.
6
Click Add Key > Create new key.
7
Select JSON as the key type and click Create. A JSON credentials file is downloaded to your computer. This is the file you provide to the connector.
8
Grant the service account the required permissions by creating a custom IAM role with the sync permissions listed above and assigning it to the service account at the project level.If you also want to use provisioning (Grant/Revoke), extend the custom role with the additional provisioning permissions listed above.
9
In the Kubernetes Engine section of the Google Cloud console, locate your cluster in the list. Note the name and location (region or zone) — you will need both when configuring the connector.
10
For provisioning only: Grant the service account cluster-admin privileges inside the Kubernetes cluster. Kubernetes prevents granting permissions the caller does not already hold, so the service account must have cluster-admin access to manage RBAC bindings.Connect to your cluster and run:
Replace <service-account-numeric-id> with the numeric ID of the GCP service account (found in the client_id field of the service account JSON key file).If you are only using the connector for sync (read-only), you can skip this step.
Follow these instructions to use a built-in, no-code connector hosted by C1.
1
In C1, navigate to Integrations > Connectors and click Add connector.
2
Search for Google Kubernetes Engine and click Add.
3
Choose how to set up the new GKE connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
Find the Settings area of the page and click Edit.
7
Enter the required configuration:
Service Account Credentials JSON (required): Upload the GCP service account JSON key file
GKE Cluster Name (required): The name of the GKE cluster to connect to
GKE Cluster Location (required): The location (region or zone) of the GKE cluster
8
Click Save.
9
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.
That’s it! Your GKE connector is now pulling access data into C1.
Follow these instructions to use the GKE connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
In C1, navigate to Integrations > Connectors > Add connector.
2
Search for Baton and click Add.
3
Choose how to set up the new GKE connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
In the Settings area of the page, click Edit.
7
Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. We’ll use them in Step 2.
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
2
Check that the connector data uploaded correctly. In C1, click Applications. On the Managed apps tab, locate and click the name of the application you added the GKE connector to. GKE data should be found on the Entitlements and Accounts tabs.
That’s it! Your GKE connector is now pulling access data into C1.
