Add a Google Kubernetes Engine Cluster

This guide will show you how to manage access to a Google Kubernetes Engine (GKE) cluster. You will be adding a GKE cluster in the strongDM Admin UI, Google Cloud Console, and Google Developers Console.


Before you begin, ensure that the GKE endpoint you are connecting is accessible from one of your strongDM Gateways or Relays. See our guide on Gateways for more information.


  1. Log in to the Admin UI and select Clusters on the left-hand navigation.

  2. In the upper right-hand section of the screen, click add cluster.

  3. On the dialog that appears, set the following configuration properties:

    Google Kubernetes Engine Cluster Setup in Admin UI

    1. Display Name: Enter a meaningful name for this cluster (e.g., “gke-sandbox”). This name will show up in the Admin UI.

    2. Cluster Type: Select Google Kubernetes Engine.

      Some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces. If you run into problems, please choose a name without spaces for this field.

    3. Endpoint: Enter the endpoint of the GKE cluster (e.g., It's imperative that this endpoint can be reached from the Gateway/Relay. To verify this, hop on the Gateway/Relay server, and from a command prompt, type: $ nc -z <YOUR_ENDPOINT> 443. If your Gateway or Relay can connect to this hostname, you will be able to proceed.

    4. Server CA: Enter the Server CA, which is available under the Show Credentials link just to the right of the endpoint in the Google Cloud Platform console.

      GKE Cloud Console

    5. Service Account Key: Enter a Service Account Key in JSON format. You can generate this key on the Google Developers Console. When generating this key, ensure it is associated with a user with the appropriate level of access to the cluster for your use case. Once generated, upload the key using the button below the Service Account Key box.

      When your users connect to this cluster, they will have exactly the rights permitted by this Google Service Account key. See this Google document for more information.

      GKE Private Key Generation
    6. Healthcheck Namespace: If enabled for your organization, this property allows you to specify the namespace used for the resource healthcheck. If you do not specify a namespace, this property defaults to default.

    7. Resource Tags (Optional): Assign resource tags to this cluster by entering key-value pairs in the format <KEY>=<VALUE>.

  4. Click create. The Admin UI will update and show your new server in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the server to re-open the Connection Details screen. Then click Diagnostics to determine where the connection is failing.
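A pre-flight check for the Endpoint, Server CA and Service Account Key values from step 3, as an added example that is not strongDM's code. The function names are hypothetical, the Server CA check is structural only (it does not validate the certificate), and the key check assumes the standard Google service account key JSON fields.

```python
import base64
import json
import re
import socket

KEY_FIELDS = ("project_id", "private_key_id", "private_key", "client_email")

def endpoint_reachable(host, port=443, timeout=3.0):
    """Same test as `nc -z <YOUR_ENDPOINT> 443`: can a TCP connection be opened?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def server_ca_problems(value):
    """Structural check only: PEM armor around base64 DER (accepts base64-wrapped PEM)."""
    pem = value.strip()
    if "BEGIN CERTIFICATE" not in pem:
        try:
            pem = base64.b64decode("".join(pem.split()), validate=True).decode("ascii")
        except ValueError:
            return ["Server CA is neither PEM nor base64-encoded PEM"]
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        return ["Server CA has no complete CERTIFICATE block"]
    try:
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
    except ValueError:
        return ["Server CA body is not valid base64"]
    return [] if der[:1] == b"\x30" else ["Server CA body is not DER (no SEQUENCE tag)"]

def service_account_key_problems(text):
    """Check the JSON is a service account key, not another Google credential type."""
    try:
        key = json.loads(text)
    except ValueError:
        key = None
    if not isinstance(key, dict):
        return ["Service Account Key is not a JSON object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append(f"type is {key.get('type')!r}, expected 'service_account'")
    problems += [f"missing field: {f}" for f in KEY_FIELDS if not key.get(f)]
    if not str(key.get("client_email", "")).endswith("gserviceaccount.com"):
        problems.append("client_email is not a service account address")
    return problems

# Constructed sample: a user credential pasted where a service account key belongs.
SAMPLE_WRONG_KEY = json.dumps({"type": "authorized_user", "refresh_token": "constructed"})
```

An empty list from both `*_problems` functions means the value is well-formed; it says nothing about which rights the service account holds, which still has to be reviewed in Google Cloud IAM.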

If any errors occur, please copy them into an email and send to
