Add a Google Kubernetes Engine Cluster
Last modified on September 28, 2022
This guide describes how to manage access to a Google Kubernetes Engine (GKE) cluster. Adding a GKE cluster takes place in the strongDM Admin UI, the Google Cloud Console, and the Google Developers Console.
Before you begin, ensure that the GKE endpoint you are connecting is accessible from one of your strongDM gateways or relays. See our guide on Gateways for more information.
Log in to the Admin UI and go to Infrastructure > Clusters.
Click Add cluster.
On the dialog that appears, set the following configuration properties:
Display Name: Enter a meaningful name for this resource, such as gke-sandbox. This name displays throughout strongDM. Do not include special characters like quotes (") or angle brackets (< or >). Some Kubernetes management interfaces, such as Visual Studio Code, do not function properly with cluster names containing spaces. If you run into problems, please choose a name without spaces for this field.
Cluster Type: Select Google Kubernetes Engine.
Endpoint: Enter the endpoint of the GKE cluster, such as 184.108.40.206. It is imperative that this endpoint can be reached from the gateway or relay. To verify this, log on to the gateway or relay server and, from a command prompt, type nc -z <YOUR_ENDPOINT> 443. If your gateway or relay can connect to this hostname, you can proceed.
Port Override: After a resource is created, the port override is automatically generated. A value between 1024-59999 is assigned as long as it is not used by another resource. You can optionally overwrite it with your own preferred port later in the Port Overrides settings. Note that after specifying the port override number, you must also update the kubectl configuration. See section Port Overrides for more information.
Server CA: Enter the Server CA, which is available under the Show Credentials link just to the right of the endpoint in the Google Cloud Platform console.
Service Account Key: Enter a service account key in JSON format. You can generate this key in the Google Developers Console. When generating this key, ensure it is associated with a user having the appropriate level of access to the cluster for your use case. Once generated, upload the key using the button below the Service Account Key box. When your users connect to this cluster, they have exactly the rights permitted by this Google Service Account key. See this Google document for more information.
Healthcheck Namespace (Optional): If enabled for your organization, this field allows you to specify the namespace used for the resource healthcheck. The supplied credentials must have the rights to perform one of the following kubectl commands in the specified namespace: get deployments, or describe. If not specified, the namespace is set to
Authentication (Required): Select either Leased Credential (the default model to access the cluster) or Remote Identities (to use the Remote Identities of strongDM users to access the cluster).
Healthcheck Username (Required): If Authentication is set to Remote Identities, enter the username that should be used to verify strongDM's connection to the cluster. Note that the username must already exist on the target cluster.
Resource Tags (Optional): Assign resource tags to this cluster by entering key-value pairs in the format
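The configuration steps above can be checked before anything is pasted into the Admin UI. The following is an added example written for this guide, not strongDM's own tooling: it applies the page's rules for the display name and port override, performs the same TCP reachability test as nc -z <YOUR_ENDPOINT> 443, does a structural check of the Server CA and of the service account key JSON, and emits a minimal namespaced Role for the healthcheck identity. The field names in the key check are the standard Google service account key fields; the sample key, the `preflight` helper and the Role shape are assumptions constructed for the example.

```python
"""Pre-flight checks for a strongDM GKE cluster resource (added example, not strongDM code)."""
from __future__ import annotations

import json
import socket

PORT_OVERRIDE_RANGE = range(1024, 60000)   # page: "a value between 1024-59999"
FORBIDDEN_NAME_CHARS = set('"<>')          # page: no quotes or angle brackets
# Standard fields of a Google service account key file (not strongDM-specific).
SA_KEY_REQUIRED = ("type", "project_id", "private_key_id", "private_key", "client_email")

# Constructed sample key with a placeholder private key; not a real credential.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "gke-healthcheck@example-project.iam.gserviceaccount.com",
})


def check_display_name(name: str) -> list[str]:
    """Return a list of problems with the display name (empty list means OK)."""
    problems = []
    if not name.strip():
        problems.append("display name is empty")
    bad = sorted(FORBIDDEN_NAME_CHARS & set(name))
    if bad:
        problems.append("display name contains forbidden characters: " + "".join(bad))
    if " " in name:
        # Accepted by strongDM, but some clients (e.g. VS Code) misbehave with spaces.
        problems.append("display name contains spaces; some Kubernetes clients misbehave")
    return problems


def check_port_override(port: int, in_use: set[int]) -> list[str]:
    """The override must fall in 1024-59999 and not collide with another resource."""
    problems = []
    if port not in PORT_OVERRIDE_RANGE:
        problems.append(f"port {port} is outside 1024-59999")
    if port in in_use:
        problems.append(f"port {port} is already used by another resource")
    return problems


def endpoint_reachable(host: str, port: int = 443, timeout: float = 3.0) -> bool:
    """Equivalent of 'nc -z host port', meant to be run from the gateway or relay."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_server_ca(pem: str) -> list[str]:
    """Structural check only: the Server CA must be pasted as a PEM CERTIFICATE block."""
    text = pem.strip()
    if not (text.startswith("-----BEGIN CERTIFICATE-----")
            and text.endswith("-----END CERTIFICATE-----")):
        return ["server CA is not a PEM CERTIFICATE block"]
    return []


def check_service_account_key(raw: str) -> list[str]:
    """Verify the uploaded key is well-formed JSON of type service_account."""
    try:
        key = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"service account key is not valid JSON: {exc.msg}"]
    problems = [f"missing field: {field}" for field in SA_KEY_REQUIRED if field not in key]
    if key.get("type") != "service_account":
        problems.append("key type is not 'service_account'")
    if "private_key" in key and "BEGIN PRIVATE KEY" not in str(key["private_key"]):
        problems.append("private_key is not a PEM private key")
    return problems


def healthcheck_role(namespace: str) -> dict:
    """Minimal Role letting the healthcheck identity run 'kubectl get deployments'
    in the healthcheck namespace only (assumed least-privilege shape, not strongDM's)."""
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": "strongdm-healthcheck", "namespace": namespace},
        "rules": [{"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list"]}],
    }


def preflight(name: str, port: int, in_use: set[int], server_ca: str, key_json: str) -> dict[str, list[str]]:
    """Aggregate every offline check; reachability is deliberately left to the gateway."""
    return {
        "display_name": check_display_name(name),
        "port_override": check_port_override(port, in_use),
        "server_ca": check_server_ca(server_ca),
        "service_account_key": check_service_account_key(key_json),
    }


if __name__ == "__main__":
    ca = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----"
    for section, issues in preflight("gke-sandbox", 8443, {8080}, ca, SAMPLE_KEY_JSON).items():
        print(section, "OK" if not issues else issues)
    print(json.dumps(healthcheck_role("sdm-health"), indent=2))
```

Run the reachability check from the gateway or relay itself, since that is the host strongDM connects from; a successful result from a workstation proves nothing about the gateway's network path. The Role is scoped to the healthcheck namespace so the service account used only for healthchecks cannot read workloads elsewhere.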
The Admin UI updates and shows your new cluster in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the cluster to reopen the Connection Details screen. Then click Diagnostics to determine where the connection is failing.
If any errors occur, please copy them into an email and send them to email@example.com.