# Set up a Google Kubernetes Engine connector

> C1 provides identity governance for Google Kubernetes Engine (GKE). Integrate your GKE cluster with C1 to run user access reviews (UARs) and manage Kubernetes RBAC roles and the GCP IAM role bindings on the cluster's project.

<Warning>
  **This connector is in beta.** This means it's undergoing ongoing testing and development while we gather feedback, validate functionality, and improve stability. Beta connectors are generally stable, but they may have limited feature support, incomplete error handling, or occasional issues.

  We recommend closely monitoring workflows that use this connector and contacting our Support team with any issues or feedback.
</Warning>

<Warning>
  **Important note on hosting:** To run in cloud-hosted mode, this connector requires network access to the Kubernetes API server of your GKE cluster. If this is not desirable or possible, you must run the connector in self-hosted mode.
</Warning>

## Capabilities

| Resource         | Sync                                                         | Provision |
| :--------------- | :----------------------------------------------------------- | :-------- |
| Accounts         | <Icon icon="circle-info" iconType="solid" color="#888888" /> |           |
| Groups           | <Icon icon="circle-info" iconType="solid" color="#888888" /> |           |
| Service Accounts | <Icon icon="circle-info" iconType="solid" color="#888888" /> |           |

| Resource              | Sync                                                          | Provision                                                     |
| :-------------------- | :------------------------------------------------------------ | :------------------------------------------------------------ |
| Cluster Roles         | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| GCP IAM Role Bindings | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |
| Roles                 | <Icon icon="square-check" iconType="solid" color="#c937ae" /> | <Icon icon="square-check" iconType="solid" color="#c937ae" /> |

<Icon icon="circle-info" iconType="solid" color="#888888" /> This connector pulls account, group, and service account information from a GCP connector. The GCP connector must be configured for the **same GCP project** where the GKE cluster is located — using a GCP connector from a different project will cause identity resolution to fail during provisioning. You'll configure this relationship when setting up the connector.

**Notes:**

* **Cluster Roles** and **Roles** are Kubernetes RBAC resources scoped to the connected cluster.
* **GCP IAM Role Bindings** are the IAM bindings from the GCP project where the cluster is located — only those assigned on that specific project, not all IAM roles across your organization.

## Before you begin

This connector requires a working **GCP connector** to source user and group identities. If you have not already done so, set up the [GCP connector](https://docs.conductorone.com/docs/baton/google-cloud-platform) before you proceed.

## Gather GKE credentials

To configure the GKE connector, you need a GCP service account. Follow the steps below to create one and obtain the required credentials.

<Warning>
  **For sync only**, the service account must have the following permissions at the project level where the cluster is located:

  * `container.clusterRoleBindings.get`
  * `container.clusterRoleBindings.list`
  * `container.clusterRoles.get`
  * `container.clusterRoles.list`
  * `container.clusters.get`
  * `container.namespaces.get`
  * `container.namespaces.list`
  * `container.roleBindings.get`
  * `container.roleBindings.list`
  * `container.roles.get`
  * `container.roles.list`
  * `container.serviceAccounts.get`
  * `container.serviceAccounts.list`
  * `resourcemanager.projects.getIamPolicy`

  **For provisioning (Grant/Revoke)**, the following additional permissions are required:

  * `container.clusterRoleBindings.create`
  * `container.clusterRoleBindings.update`
  * `container.clusterRoleBindings.delete`
  * `container.roleBindings.create`
  * `container.roleBindings.update`
  * `container.roleBindings.delete`
  * `resourcemanager.projects.setIamPolicy`

  In addition, provisioning Kubernetes RBAC roles (ClusterRoles and Roles) requires the service account to have **Kubernetes cluster-admin** privileges inside the cluster. This is because Kubernetes prevents granting permissions that the caller does not already hold. See the setup steps below for how to configure this.
</Warning>

<Steps>
  <Step>
    In the Google Cloud console, open the navigation menu and go to **APIs & Services** > **Credentials**.
  </Step>

  <Step>
    Click **+ Create credentials** > **Service account**.
  </Step>

  <Step>
    Enter a name and description for the service account, then click **Done**.
  </Step>

  <Step>
    You are redirected to the credentials page. Find your new service account in the list. Copy its email address (you will need it later), then click on the service account to open it.
  </Step>

  <Step>
    In the service account page, click the **Keys** tab.
  </Step>

  <Step>
    Click **Add Key** > **Create new key**.
  </Step>

  <Step>
    Select **JSON** as the key type and click **Create**. A JSON credentials file is downloaded to your computer. This is the file you provide to the connector.
  </Step>

  <Step>
    Grant the service account the required permissions by creating a custom IAM role with the sync permissions listed above and assigning it to the service account at the project level.

    If you also want to use provisioning (Grant/Revoke), extend the custom role with the additional provisioning permissions listed above.
  </Step>

  <Step>
    In the **Kubernetes Engine** section of the Google Cloud console, locate your cluster in the list. Note the **name** and **location** (region or zone) — you will need both when configuring the connector.
  </Step>

  <Step>
    **For provisioning only:** Grant the service account cluster-admin privileges inside the Kubernetes cluster. Kubernetes prevents granting permissions the caller does not already hold, so the service account must have cluster-admin access to manage RBAC bindings.

    Connect to your cluster and run:

    ```bash theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    kubectl create clusterrolebinding baton-gke-cluster-admin \
      --clusterrole=cluster-admin \
      --user=<service-account-numeric-id>
    ```

    Replace `<service-account-numeric-id>` with the **numeric ID** of the GCP service account (found in the `client_id` field of the service account JSON key file).

    If you are only using the connector for sync (read-only), you can skip this step.
  </Step>
</Steps>
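The credential steps above, collected into one script. This is an added example, not code from the C1 docs or the baton-gke project: it creates the service account, a custom IAM role that contains exactly the sync (or sync plus provisioning) permissions listed in the warning, binds the role at the project level, downloads the JSON key and, for provisioning, creates the cluster-admin binding with the numeric `client_id` read from that key file. `PROJECT_ID`, `SA_NAME`, `ROLE_ID`, `CLUSTER_NAME`, `CLUSTER_LOCATION` and `KEY_FILE` are assumed placeholders; the permission names, the binding name and the `--user` value are the ones the page gives.

```shell
#!/usr/bin/env bash
# Added example (not from the C1 docs or the baton-gke project): scripted form of
# the "Gather GKE credentials" steps. PROJECT_ID, SA_NAME, ROLE_ID, CLUSTER_NAME,
# CLUSTER_LOCATION and KEY_FILE are assumed placeholders; override them via env.
set -eu

PROJECT_ID="${PROJECT_ID:-my-gcp-project}"
SA_NAME="${SA_NAME:-baton-gke}"
ROLE_ID="${ROLE_ID:-batonGke}"
CLUSTER_NAME="${CLUSTER_NAME:-my-cluster}"
CLUSTER_LOCATION="${CLUSTER_LOCATION:-us-central1}"
KEY_FILE="${KEY_FILE:-baton-gke-key.json}"

# Project-level permissions the page lists for sync (read-only).
SYNC_PERMS="container.clusterRoleBindings.get container.clusterRoleBindings.list \
container.clusterRoles.get container.clusterRoles.list container.clusters.get \
container.namespaces.get container.namespaces.list container.roleBindings.get \
container.roleBindings.list container.roles.get container.roles.list \
container.serviceAccounts.get container.serviceAccounts.list \
resourcemanager.projects.getIamPolicy"

# Additional permissions the page lists for provisioning (Grant/Revoke).
PROVISION_PERMS="container.clusterRoleBindings.create container.clusterRoleBindings.update \
container.clusterRoleBindings.delete container.roleBindings.create \
container.roleBindings.update container.roleBindings.delete \
resourcemanager.projects.setIamPolicy"

# role_permissions MODE: comma-separated permission list for the custom role,
# where MODE is "sync" (read-only) or "provision" (sync plus provisioning).
role_permissions() {
  local perms="$SYNC_PERMS"
  [ "$1" = "provision" ] && perms="$perms $PROVISION_PERMS"
  printf '%s\n' "$perms" | tr -s ' ' ','
}

# count_permissions MODE: number of permissions the custom role would contain.
count_permissions() {
  role_permissions "$1" | tr ',' '\n' | grep -c .
}

# client_id_from_key FILE: numeric service-account ID from the JSON key file,
# i.e. the value the page says to pass as --user to kubectl. No jq needed.
client_id_from_key() {
  sed -n 's/.*"client_id"[[:space:]]*:[[:space:]]*"\([0-9]*\)".*/\1/p' "$1"
}

# setup MODE: run the gcloud/kubectl steps for the chosen mode.
setup() {
  local mode="$1"
  local sa_email="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"

  gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="C1 baton-gke connector"
  # One custom role holding exactly the permissions the connector needs.
  gcloud iam roles create "$ROLE_ID" --project="$PROJECT_ID" \
    --title="Baton GKE connector (${mode})" \
    --permissions="$(role_permissions "$mode")"
  gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:${sa_email}" \
    --role="projects/${PROJECT_ID}/roles/${ROLE_ID}"
  # JSON key file that is uploaded to (or mounted for) the connector.
  gcloud iam service-accounts keys create "$KEY_FILE" --iam-account="$sa_email"

  if [ "$mode" = "provision" ]; then
    # Kubernetes refuses to grant permissions the caller lacks, so the service
    # account needs cluster-admin before it can manage RBAC bindings.
    gcloud container clusters get-credentials "$CLUSTER_NAME" \
      --location="$CLUSTER_LOCATION" --project="$PROJECT_ID"
    kubectl create clusterrolebinding baton-gke-cluster-admin \
      --clusterrole=cluster-admin --user="$(client_id_from_key "$KEY_FILE")"
  fi
}

# Nothing is changed unless invoked as: ./setup-baton-gke.sh sync|provision
case "${1:-}" in sync|provision) setup "$1" ;; esac
```

Run `./setup-baton-gke.sh sync` for a read-only connector or `./setup-baton-gke.sh provision` for Grant/Revoke. `count_permissions sync` reports 14 and `count_permissions provision` 21, a quick way to confirm that the role was built from the full lists; keeping the permissions in one custom role also makes it easy to see later that the service account holds nothing beyond what the connector needs.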

## Configure the GKE connector

<Tabs>
  <Tab title="Cloud-hosted">
    Follow these instructions to use a built-in, no-code connector hosted by C1.

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** and click **Add connector**.
      </Step>

      <Step>
        Search for **Google Kubernetes Engine** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new GKE connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        Find the **Settings** area of the page and click **Edit**.
      </Step>

      <Step>
        Enter the required configuration:

        * **Service Account Credentials JSON** (required): Upload the GCP service account JSON key file
        * **GKE Cluster Name** (required): The name of the GKE cluster to connect to
        * **GKE Cluster Location** (required): The location (region or zone) of the GKE cluster
      </Step>

      <Step>
        Click **Save**.
      </Step>

      <Step>
        The connector's label changes to **Syncing**, followed by **Connected**. You can view the logs to ensure that information is syncing.
      </Step>
    </Steps>

    **Done.** Your GKE connector is now pulling access data into C1.
  </Tab>

  <Tab title="Self-hosted">
    Follow these instructions to use the [GKE](https://github.com/conductorone/baton-gke) connector, hosted and run in your own environment.

    When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.

    ### Step 1: Set up a new GKE connector

    <Steps>
      <Step>
        In C1, navigate to **Integrations** > **Connectors** > **Add connector**.
      </Step>

      <Step>
        Search for **Baton** and click **Add**.
      </Step>

      <Step>
        Choose how to set up the new GKE connector:

        * Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren't yet managed with C1)
        * Add the connector to a managed app (select from the list of existing managed apps)
        * Create a new managed app
      </Step>

      <Step>
        Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.

        If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
      </Step>

      <Step>
        Click **Next**.
      </Step>

      <Step>
        In the **Settings** area of the page, click **Edit**.
      </Step>

      <Step>
        Click **Rotate** to generate a new Client ID and Secret.

        Carefully copy and save these credentials. We'll use them in Step 2.
      </Step>
    </Steps>

    ### Step 2: Create Kubernetes configuration files

    Create two Kubernetes manifest files for your GKE connector deployment:

    #### Secrets configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-gke-secrets.yaml
    apiVersion: v1
    kind: Secret
    metadata:
      name: baton-gke-secrets
    type: Opaque
    stringData:
      # C1 credentials
      BATON_CLIENT_ID: <C1 client ID>
      BATON_CLIENT_SECRET: <C1 client secret>

      # GKE credentials
      BATON_GKE_CREDENTIALS_JSON: <path to your service account JSON file>
      BATON_GKE_CLUSTER_NAME: <your cluster name>
      BATON_GKE_CLUSTER_LOCATION: <your cluster region or zone>

      # Optional: include if you want C1 to provision access using this connector.
      # stringData values must be strings, so the boolean is quoted.
      BATON_PROVISIONING: "true"
    ```

    #### Deployment configuration

    ```yaml expandable theme={"theme":{"light":"css-variables","dark":"css-variables"}}
    # baton-gke.yaml
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: baton-gke
      labels:
        app: baton-gke
    spec:
      selector:
        matchLabels:
          app: baton-gke
      template:
        metadata:
          labels:
            app: baton-gke
            baton: "true"   # label values must be strings, so quote the boolean
            baton-app: gke
        spec:
          containers:
          - name: baton-gke
            image: ghcr.io/conductorone/baton-gke:latest
            imagePullPolicy: IfNotPresent
            env:
            - name: BATON_HOST_ID
              value: baton-gke
            envFrom:
            - secretRef:
                name: baton-gke-secrets
    ```

    ### Step 3: Deploy the connector

    <Steps>
      <Step>
        Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
      </Step>

      <Step>
        Check that the connector data uploaded correctly. In C1, click **Applications**. On the **Managed apps** tab, locate and click the name of the application you added the GKE connector to. GKE data should be found on the **Entitlements** and **Accounts** tabs.
      </Step>
    </Steps>
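    The two deploy steps above as a script. This is an added example, not code from the C1 docs or the baton-gke project: `check_manifest` refuses to apply a Secret manifest that still carries an angle-bracket placeholder from the template or lacks one of the keys the connector reads, and `deploy` then creates the namespace, applies both manifests, waits for the rollout and prints recent logs so the sync can be confirmed in C1. The namespace name `c1-connectors` and the manifest file names are assumptions; the key names are the ones in the Secret template.

    ```shell
    #!/usr/bin/env bash
    # Added example (not from the C1 docs or the baton-gke project).
    # NAMESPACE, SECRETS_FILE and DEPLOY_FILE are assumed names; override via env.
    set -eu

    NAMESPACE="${NAMESPACE:-c1-connectors}"
    SECRETS_FILE="${SECRETS_FILE:-baton-gke-secrets.yaml}"
    DEPLOY_FILE="${DEPLOY_FILE:-baton-gke.yaml}"
    # Keys the connector reads from the Secret (from the template on this page).
    REQUIRED_KEYS="BATON_CLIENT_ID BATON_CLIENT_SECRET BATON_GKE_CREDENTIALS_JSON \
    BATON_GKE_CLUSTER_NAME BATON_GKE_CLUSTER_LOCATION"

    # check_manifest FILE: 0 if every required key has a real value and no
    # <placeholder> from the template is left, 1 otherwise (reasons on stderr).
    check_manifest() {
      local file="$1" key ok=0
      for key in $REQUIRED_KEYS; do
        # The value must exist and must not start with '<' (template placeholder).
        if ! grep -Eq "^[[:space:]]*${key}:[[:space:]]*[^<[:space:]]" "$file"; then
          echo "missing or placeholder value for ${key} in ${file}" >&2
          ok=1
        fi
      done
      if grep -Eq '<[^>]*>' "$file"; then
        echo "un-replaced <placeholder> left in ${file}" >&2
        ok=1
      fi
      return $ok
    }

    # deploy: create the namespace if needed (idempotent), apply the Secret and
    # Deployment, wait for the rollout and show the first log lines.
    deploy() {
      check_manifest "$SECRETS_FILE"
      kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
      kubectl apply -n "$NAMESPACE" -f "$SECRETS_FILE" -f "$DEPLOY_FILE"
      kubectl rollout status -n "$NAMESPACE" deployment/baton-gke --timeout=120s
      kubectl logs -n "$NAMESPACE" deployment/baton-gke --tail=50
    }

    # Nothing runs unless invoked as: ./deploy-baton-gke.sh check [FILE] | deploy
    case "${1:-}" in
      check)  check_manifest "${2:-$SECRETS_FILE}" ;;
      deploy) deploy ;;
    esac
    ```

    Run `./deploy-baton-gke.sh check` before `deploy`; a manifest that still contains `<C1 client secret>` or a missing cluster location is rejected before anything reaches the cluster, which is cheaper than debugging a pod that starts and then fails to authenticate. Once the rollout completes, confirm the data on the **Entitlements** and **Accounts** tabs in C1 as described in the last step.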

    **Done.** Your GKE connector is now pulling access data into C1.
  </Tab>
</Tabs>
