Google GKE SSO
This guide shows how K8Studio connects to GKE when authentication is handled by Google Cloud login and the GKE exec credential plugin. The same kubeconfig should work in kubectl and K8Studio.
K8Studio should run the kubeconfig exec command exactly like kubectl. For GKE that means calling gke-gcloud-auth-plugin, which reads the active Google Cloud SDK login and returns a short-lived Kubernetes token.
Confirm the Google identity model
GKE SSO usually means the user signs in to Google Cloud with a Google Workspace or Cloud Identity account. The kubeconfig then runs gke-gcloud-auth-plugin to get a short-lived token for that signed-in user.
Install gcloud on the workstation where K8Studio runs. K8Studio will call the same local authentication tooling that kubectl uses.
    # macOS
    brew install --cask google-cloud-sdk

    # Then initialize the CLI
    gcloud init
The kubeconfig exec command needs gke-gcloud-auth-plugin. Without it, K8Studio and kubectl will fail with a spawn gke-gcloud-auth-plugin ENOENT error.
    gcloud components install gke-gcloud-auth-plugin
    gke-gcloud-auth-plugin --version
Run the browser login and choose the Google account that should access the cluster. If your company uses Google Workspace SSO, this is where the corporate SSO flow happens.
    gcloud auth login
    gcloud auth list
Set the project that contains the GKE cluster so later commands operate against the right environment.
    gcloud config set project <project-id>
    gcloud container clusters list
The user needs enough Google Cloud IAM permission to describe the GKE cluster and fetch credentials. For a minimal setup, grant a role that includes container.clusters.get, then handle Kubernetes permissions with RBAC.
    gcloud projects add-iam-policy-binding <project-id> \
      --member="user:alice@example.com" \
      --role="roles/container.clusterViewer"
Authentication proves who the Google user is. RBAC decides what that user can do inside Kubernetes. Use the smallest Role or ClusterRole that matches the user's job.
    kubectl create clusterrolebinding k8studio-gke-viewer \
      --clusterrole=view \
      --user=alice@example.com
Fetch cluster credentials. Modern GKE kubeconfigs use exec auth with gke-gcloud-auth-plugin instead of storing static credentials.
    gcloud container clusters get-credentials <cluster-name> \
      --region <region-or-zone> \
      --project <project-id>
Open the kubeconfig and confirm the user entry runs gke-gcloud-auth-plugin. If K8Studio cannot find the command, use an absolute path to the plugin.
    kubectl config view --minify --raw

    # Example user entry:
    # users:
    # - name: gke_<project>_<location>_<cluster>
    #   user:
    #     exec:
    #       apiVersion: client.authentication.k8s.io/v1beta1
    #       command: gke-gcloud-auth-plugin
Before testing K8Studio, prove the same kubeconfig can authenticate from the terminal. This separates cluster auth issues from UI issues.
    kubectl get nodes
    kubectl auth can-i list pods --all-namespaces
Open K8Studio, add the kubeconfig file or refresh the cluster list, select the GKE context, and connect. K8Studio should run the kubeconfig exec plugin and use the Google token returned by gcloud.
Revoke or expire the local Google session, then reconnect. K8Studio should show a clear login or authentication error instead of silently failing.
    gcloud auth revoke <account-email>

    # Login again when you want to reconnect:
    gcloud auth login
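The kubeconfig check from the step above (confirm the user entry runs gke-gcloud-auth-plugin) can be automated. The Python script below is an added example, not part of K8Studio or the original guide: it reads the JSON form of the kubeconfig, flags user entries that carry static credentials or lack the exec plugin, and reports a plugin command that cannot be resolved. The function name audit_users, the script name audit.py and the sample data are assumptions made for illustration.

```python
import json
import shutil
import sys

PLUGIN = "gke-gcloud-auth-plugin"
# Kubeconfig user fields that hold long-lived or legacy credentials.
STATIC_FIELDS = ("token", "client-key-data", "client-certificate-data",
                 "username", "password", "auth-provider")


def audit_users(kubeconfig, resolve=shutil.which):
    """Return a list of (user_name, finding) tuples; empty means clean."""
    findings = []
    for entry in kubeconfig.get("users") or []:
        name = entry.get("name", "<unnamed>")
        user = entry.get("user") or {}
        for field in STATIC_FIELDS:
            if field in user:
                findings.append((name, f"static credential field '{field}'"))
        exec_cfg = user.get("exec")
        if not exec_cfg:
            findings.append((name, "no exec credential plugin configured"))
            continue
        command = exec_cfg.get("command", "")
        # Accept a bare name or an absolute path ending in the plugin name.
        base = command.replace("\\", "/").rsplit("/", 1)[-1]
        if base.lower().endswith(".exe"):
            base = base[:-4]
        if base != PLUGIN:
            findings.append((name, f"exec command is '{command}', not {PLUGIN}"))
        elif resolve(command) is None:
            findings.append((name, f"'{command}' not found on PATH (spawn ENOENT)"))
    return findings


# Constructed sample: one exec-based user, one legacy user with a static token.
SAMPLE = {"users": [
    {"name": "gke_demo-project_europe-west1_demo",
     "user": {"exec": {"apiVersion": "client.authentication.k8s.io/v1beta1",
                       "command": PLUGIN}}},
    {"name": "legacy-admin", "user": {"token": "REDACTED-CONSTRUCTED"}},
]}

if __name__ == "__main__":
    # Usage: kubectl config view --minify --raw -o json | python3 audit.py
    cfg = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for name, finding in audit_users(cfg):
        print(f"{name}: {finding}")
```

Run it in the same environment that launches K8Studio, because a desktop application can start with a different PATH than the terminal.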
[Screenshot: Google Cloud browser SSO login]
[Screenshot: GKE cluster details in Google Cloud Console]
[Screenshot: Kubeconfig exec user using gke-gcloud-auth-plugin]
[Screenshot: Successful GKE cluster view in K8Studio]
[Screenshot: K8Studio error state when gke-gcloud-auth-plugin is missing]