
GCP GKE

CloudQuery Platform supports integration with Google Kubernetes Engine (GKE). To sync GKE clusters, configure a service account with the Kubernetes Engine Viewer role.

Prerequisites

  • A CloudQuery Platform account with admin access
  • An existing GCP integration configured in CloudQuery Platform (this creates the service account referenced below)
  • One or more GKE clusters running in your GCP project
  • The Kubernetes Engine Viewer role assigned to the service account

To assign the Kubernetes Engine Viewer role:

  1. Open the GCP IAM page
  2. Find the service account you created in the GCP integration setup guide
  3. Click Edit and add the Kubernetes Engine Viewer role
  4. Click Save

You also need the JSON key file for the service account. If you didn’t save it from the GCP integration setup, create a new key from the service account’s Keys tab.

Creating the K8s integration

  1. Navigate to Data Pipelines > Integrations in CloudQuery Platform.
  2. Click Create Integration and select K8s.
  3. Select Google Cloud Platform (GCP GKE) from the Cloud provider dropdown.

Cluster configuration

For each GKE cluster, fill in the following fields:

  • Cluster name — the name of your GKE cluster as shown in the GCP console.
  • GCP Project ID — the GCP project ID that contains the cluster.
  • Location (Region) — the region or zone hosting the cluster (e.g. us-central1 or us-central1-a).
  • Service Account Key JSON — the full contents of the service account JSON key file.

To sync multiple GKE clusters, click Add cluster and repeat the configuration for each cluster.

To add clusters from a different cloud provider (AWS or Azure), create a separate K8s integration.

  4. Click Test Connection to verify access.

Optional: adding permissions to read cluster secrets

By default, the Kubernetes Engine Viewer role does not allow reading cluster secrets. To sync secrets, either:

  • Assign the Kubernetes Engine Admin role to the service account, or
  • Create a custom role with the container.secrets.list permission

What gets synced

The Kubernetes integration syncs cluster resources across all standard Kubernetes API groups. Some of the most commonly used tables include:

Category | Tables | Description
Workloads | k8s_core_pods, k8s_apps_deployments, k8s_apps_stateful_sets | Pods, Deployments, StatefulSets
Networking | k8s_core_services, k8s_networking_ingresses | Services, Ingresses
Configuration | k8s_core_config_maps, k8s_core_secrets | ConfigMaps, Secrets
Cluster | k8s_core_nodes, k8s_core_namespaces | Nodes, Namespaces
RBAC | k8s_rbac_roles, k8s_rbac_cluster_roles | Roles, ClusterRoles

See the full K8s table list for all available tables.

Verify the integration

After your first sync completes, open the SQL Console and run these queries to confirm Kubernetes data arrived:

-- Count synced pods
SELECT count(*) FROM k8s_core_pods;

-- List namespaces
SELECT DISTINCT namespace FROM k8s_core_pods;

-- View deployments
SELECT namespace, name FROM k8s_apps_deployments LIMIT 10;

-- Check nodes
SELECT name FROM k8s_core_nodes;

You can also browse your Kubernetes resources in the Asset Inventory under the Containers category.

Troubleshooting

Issue | Cause | Fix
Permission denied | Missing Kubernetes Engine Viewer role | Verify the service account has the Kubernetes Engine Viewer role on the project containing the cluster.
Invalid JSON key | Malformed or expired key | Verify the full JSON key was pasted correctly. If the key has been deleted, create a new one from the GCP console.
Cluster not found | Wrong project ID or location | Verify the GCP Project ID and Location match the cluster’s settings in the GCP console. For zonal clusters, use the full zone (e.g. us-central1-a), not the region.
Missing secrets data | Insufficient permissions | The Kubernetes Engine Viewer role cannot read secrets. Assign the Kubernetes Engine Admin role or a custom role with container.secrets.list.
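As an added preflight check (example code, not CloudQuery's own), the following Python validates one cluster entry against the causes in the table above before you click Test Connection: it parses the pasted key file, checks the fields a GCP service account key file carries (an assumption about the key format), compares its project_id with the GCP Project ID field, and checks that Location looks like a region or a full zone. The sample key is a constructed placeholder, and the optional `zonal` hint is an assumption supplied by the caller.

```python
import json
import re

# Constructed placeholder with the shape of a GCP service account key file;
# not a real credential (assumption: standard fields of the JSON key format).
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "cloudquery@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
    "token_uri": "https://oauth2.googleapis.com/token",
})

REQUIRED = ("type", "project_id", "private_key", "client_email", "token_uri")
REGION = re.compile(r"^[a-z]+-[a-z]+\d+$")      # e.g. us-central1
ZONE = re.compile(r"^[a-z]+-[a-z]+\d+-[a-z]$")  # e.g. us-central1-a


def check_cluster_config(cluster_name, project_id, location, key_json, zonal=None):
    """Return a list of problems for one cluster entry; empty means it looks sane.
    `zonal` is an optional hint (True/False) for whether the GKE cluster is zonal."""
    problems = []
    if not cluster_name.strip():
        problems.append("Cluster name is empty")
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        # A partial paste is the usual cause of the "Invalid JSON key" row.
        return problems + [f"Service Account Key JSON is not valid JSON ({exc.msg}); paste the whole file"]
    missing = [f for f in REQUIRED if f not in key]
    if missing:
        problems.append(f"key file is missing fields: {', '.join(missing)} (truncated paste?)")
    if key.get("type") != "service_account":
        problems.append("key file 'type' is not 'service_account'")
    if "BEGIN PRIVATE KEY" not in key.get("private_key", ""):
        problems.append("private_key is not a PEM block")
    if key.get("project_id") and key["project_id"] != project_id:
        # Not always wrong, but a common reason the Viewer role was granted on the wrong project.
        problems.append(f"key belongs to project {key['project_id']!r} but GCP Project ID is "
                        f"{project_id!r}; the role must be granted on the project that contains the cluster")
    if ZONE.match(location):
        if zonal is False:
            problems.append(f"{location!r} is a zone but the cluster is regional; use the region")
    elif REGION.match(location):
        if zonal:
            problems.append(f"{location!r} is a region but the cluster is zonal; use the full zone (e.g. {location}-a)")
    else:
        problems.append(f"Location {location!r} is neither a region (us-central1) nor a zone (us-central1-a)")
    return problems
```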

Next steps
