C1 provides identity governance for Google Kubernetes Engine (GKE). Integrate your GKE cluster with C1 to run user access reviews (UARs) and manage Kubernetes RBAC roles and the GCP IAM role bindings on the cluster’s project.
Use this file to discover all available pages before exploring further.
This connector is in beta. This means it’s undergoing ongoing testing and development while we gather feedback, validate functionality, and improve stability. Beta connectors are generally stable, but they may have limited feature support, incomplete error handling, or occasional issues.We recommend closely monitoring workflows that use this connector and contacting our Support team with any issues or feedback.
This connector pulls account, group, and service account information from a GCP connector. The GCP connector must be configured for the same GCP project where the GKE cluster is located — using a GCP connector from a different project will cause identity resolution to fail during provisioning. You’ll configure this relationship when setting up the connector.Notes:
Cluster Roles and Roles are Kubernetes RBAC resources scoped to the connected cluster.
GCP IAM Role Bindings are the IAM bindings from the GCP project where the cluster is located — only those assigned on that specific project, not all IAM roles across your organization.
This connector requires a working GCP connector to source user and group identities. If you have not already done so, set up the GCP connector before you proceed.
To configure the GKE connector, you need a GCP service account. Follow the steps below to create one and obtain the required credentials.
The service account must have the following permissions at the project level where the cluster is located:
container.clusterRoleBindings.get
container.clusterRoleBindings.list
container.clusterRoles.get
container.clusterRoles.list
container.clusters.get
container.namespaces.get
container.namespaces.list
container.roleBindings.get
container.roleBindings.list
container.roles.get
container.roles.list
container.serviceAccounts.get
container.serviceAccounts.list
resourcemanager.projects.getIamPolicy
1
In the Google Cloud console, open the navigation menu and go to API & Services > Credentials.
2
Click + Create credentials > Service account.
3
Enter a name and description for the service account, then click Done.
4
You are redirected to the credentials page. Find your new service account in the list. Copy its email address (you will need it later), then click on the service account to open it.
5
In the service account page, click the Keys tab.
6
Click Add Key > Create new key.
7
Select JSON as the key type and click Create. A JSON credentials file is downloaded to your computer. This is the file you provide to the connector.
8
Grant the service account the required permissions by creating a custom IAM role with all the permissions listed above and assigning it to the service account at the project level.
9
In the Kubernetes Engine section of the Google Cloud console, locate your cluster in the list. Note the name and location (region or zone) — you will need both when configuring the connector.
Follow these instructions to use a built-in, no-code connector hosted by C1.Cloud-hosted connector not currently available.
Follow these instructions to use the GKE connector, hosted and run in your own environment.When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with C1, automatically syncing and uploading data at regular intervals. This data is immediately available in the C1 UI for access reviews and access requests.
In C1, navigate to Integrations > Connectors > Add connector.
2
Search for Baton and click Add.
3
Choose how to set up the new GKE connector:
Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with C1)
Add the connector to a managed app (select from the list of existing managed apps)
Create a new managed app
4
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of C1 users. Setting multiple owners is allowed.If you choose someone else, C1 will notify the new connector owner by email that their help is needed to complete the setup process.
5
Click Next.
6
In the Settings area of the page, click Edit.
7
Click Rotate to generate a new Client ID and Secret.Carefully copy and save these credentials. We’ll use them in Step 2.
Create a namespace in which to run C1 connectors (if desired), then apply the secret config and deployment config files.
2
Check that the connector data uploaded correctly. In C1, click Applications. On the Managed apps tab, locate and click the name of the application you added the GKE connector to. GKE data should be found on the Entitlements and Accounts tabs.
That’s it! Your GKE connector is now pulling access data into C1.
