Add a Google Kubernetes Engine Cluster

Last modified on September 28, 2022

This guide describes how to manage access to a Google Kubernetes Engine (GKE) cluster. Adding a GKE cluster takes place in the strongDM Admin UI, Google Cloud Console, and Google Developers Console.


Before you begin, ensure that the GKE endpoint you are connecting is accessible from one of your strongDM gateways or relays. See our guide on Gateways for more information.


  1. Log in to the Admin UI and go to Infrastructure > Clusters.

  2. Click Add cluster.

  3. On the dialog that appears, set the following configuration properties:

    Google Kubernetes Engine Cluster Setup in Admin UI
    1. Display Name: Enter a meaningful name for this resource, such as gke-sandbox. This name displays throughout strongDM. Do not include special characters like quotes (") or angle brackets (< or >).

    2. Cluster Type: Select Google Kubernetes Engine.

    3. Endpoint: Enter the endpoint of the GKE cluster, such as It’s imperative that this endpoint can be reached from the gateway or relay. To verify this, hop on the gateway or relay server, and from a command prompt, type nc -z <YOUR_ENDPOINT> 443. If your gateway or relay can connect to this hostname, you can proceed.

    4. Port Override: After a resource is created, the port override is automatically generated. A value between 1024 and 59999 is assigned as long as it is not used by another resource. You can optionally overwrite it with your own preferred port later in the Port Overrides settings. Note that after specifying the port override number, you must also update the kubectl configuration. See the Port Overrides section for more information.

    5. Server CA: Enter the Server CA, which is available under the Show Credentials link just to the right of the endpoint in the Google Cloud Platform console.

      GKE Cloud Console

    6. Service Account Key: Enter a service account key in JSON format. You can generate this key in the Google Developers Console. When generating this key, ensure it is associated with a user having the appropriate level of access to the cluster for your use case. Once generated, upload the key using the button below the Service Account Key box.

      GKE Private Key Generation
    7. Healthcheck Namespace (Optional): If enabled for your organization, this field allows you to specify the namespace used for the resource healthcheck. The supplied credentials must have the rights to perform one of the following kubectl commands in the specified namespace: get pods, get deployments, or describe. If not specified, the namespace is set to default.

    8. Authentication (Required): Select either Leased Credential (the default model to access the cluster) or Remote Identities (to use the Remote Identities of strongDM users to access the cluster).

    9. Healthcheck Username (Required): If Authentication is set to Remote Identities, enter the username that should be used to verify strongDM’s connection to the cluster. Note that the username must already exist on the target cluster.

    10. Resource Tags (Optional): Assign resource tags to this cluster by entering key-value pairs in the format <KEY>=<VALUE>.

  4. Click create.

The Admin UI updates and shows your new server in a green or yellow state. Green indicates a successful connection. If it is yellow, click the pencil icon to the right of the server to reopen the Connection Details screen. Then click Diagnostics to determine where the connection is failing.
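
The values entered in step 3 can be checked on the gateway or relay before the dialog is submitted. The script below is an added example, not part of strongDM's tooling: it wraps the guide's nc test and checks the display name, port override range, and service account key file. The function names, argument order, and the file name key.json are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: pre-flight checks for the Add cluster dialog, run on the
# gateway or relay. Function names and the argument order are assumptions.

# Display Name: must not be empty or contain quotes (") or angle brackets.
check_display_name() {
  case $1 in
    ''|*'"'*|*'<'*|*'>'*)
      echo "display name is empty or contains \" < >" >&2; return 1 ;;
  esac
}

# Endpoint: the guide's nc test, with a 5 s timeout so a filtered port fails fast.
check_endpoint() {
  nc -z -w 5 "$1" 443 || { echo "cannot reach $1:443 from this host" >&2; return 1; }
}

# Port Override: whole number in the 1024-59999 range the guide gives.
check_port_override() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 59999 ]
}

# Service Account Key: a JSON key of type service_account that carries a
# private key, so it must not be readable by group or other on this host.
check_sa_key() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  grep -Eq '"type"[[:space:]]*:[[:space:]]*"service_account"' "$1" ||
    { echo "$1 is not a service_account key" >&2; return 1; }
  for field in private_key client_email; do
    grep -q "\"$field\"" "$1" || { echo "$1 lacks $field" >&2; return 1; }
  done
  # Characters 5-10 of the ls mode string are the group and other bits.
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
    { echo "$1 is group/world accessible; chmod 600 it" >&2; return 1; }
}

# preflight NAME ENDPOINT KEYFILE [PORT_OVERRIDE]
preflight() {
  check_display_name "$1" && check_endpoint "$2" && check_sa_key "$3" || return 1
  if [ -n "${4:-}" ]; then
    check_port_override "$4" || { echo "port override $4 out of range" >&2; return 1; }
  fi
  echo "preflight ok"
}

# Run only when arguments are given, e.g.: sh preflight.sh gke-sandbox <YOUR_ENDPOINT> key.json
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

Delete the local copy of the key file once it has been uploaded, since anyone who can read it can act as that service account.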

If any errors occur, please copy them into an email and send them to