Skip to main content
Version: Preview

Google GKE

Experimental
Creates:
AssetsLineageRun History

Configure in the UI

This plugin can be configured directly in the Marmot UI with a step-by-step wizard.

View Guide

The GKE plugin discovers namespaces, services, deployments, stateful sets, cron jobs, and pods from Google Kubernetes Engine clusters. It is the Kubernetes plugin's discovery engine with Google Cloud authentication, so the assets, lineage, and run history it produces are identical. See the Kubernetes plugin for details on what gets discovered and how resources are linked.

Authentication uses Google Cloud IAM: on each run the plugin mints a short-lived OAuth token from the Google credentials of wherever Marmot runs. There is no static token to store or rotate. This is the clean way to read a GKE cluster from a GCE instance, Cloud Run, or another Google Cloud workload.

Prerequisites

The identity Marmot runs as needs read access to the cluster, granted two ways:

First, a Google Cloud IAM role that allows connecting to the cluster (for example roles/container.viewer), so Google authorizes the token.

Second, a read-only Kubernetes RBAC role bound to that identity:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: marmot-discovery
rules:
- apiGroups: [""]
resources: ["namespaces", "services", "pods"]
verbs: ["get", "list"]
- apiGroups: ["apps"]
resources: ["deployments", "statefulsets", "replicasets"]
verbs: ["get", "list"]
- apiGroups: ["batch"]
resources: ["cronjobs", "jobs"]
verbs: ["get", "list"]
Google credentials

Credentials resolve from Application Default Credentials: Workload Identity, a Cloud Run or GCE service account, or GOOGLE_APPLICATION_CREDENTIALS. When Marmot runs outside Google Cloud, set credentials.credentials_json (or credentials.credentials_file) to a service account key.

Connecting to a cluster

Name the cluster and the plugin resolves its endpoint and CA certificate from the GKE management API. Set project_id, location, and cluster. This needs the container.clusters.get permission (included in roles/container.viewer).

project_id: "my-project"
location: "us-central1"
cluster: "autopilot-cluster-1"

Example Configuration


project_id: "my-project"
location: "us-central1"
cluster: "autopilot-cluster-1"
namespaces:
- "payments"
- "orders"
discover_pods: false
tags:
- "kubernetes"
- "${labels.team}"

The discovery options (namespaces, discover_*, cluster_name, tags, and so on) are the same as the Kubernetes plugin; see there for what each one does. The cluster name is used as the asset name prefix unless you set cluster_name.

Configuration

The following configuration options are available:

PropertyTypeRequiredDescription
annotations_to_metadataboolfalseInclude resource annotations in asset metadata
clusterstringtrueGKE cluster name
cluster_namestringfalseCluster name to prefix asset names with
credentialsGCPCredentialsfalseGCP credentials configuration
discover_cronjobsboolfalseDiscover cron jobs, with their recent job runs as run history
discover_deploymentsboolfalseDiscover deployments
discover_namespacesboolfalseDiscover namespaces
discover_podsboolfalseDiscover pods. Off by default because pods are short-lived and can flood the catalog
discover_servicesboolfalseDiscover services
discover_statefulsetsboolfalseDiscover stateful sets
exclude_namespaces[]stringfalseNamespaces to skip when discovering all namespaces
label_selectorstringfalseOnly discover namespaced resources matching this label selector (e.g. team=data)
labels_to_metadataboolfalseInclude resource labels in asset metadata
locationstringtrueCluster region or zone, for example us-central1
namespaces[]stringfalseNamespaces to discover. Empty or ["*"] means all namespaces
project_idstringtrueGCP project ID
tagsTagsConfigfalseTags to apply to discovered assets

Available Metadata

The metadata fields are the same as the Kubernetes plugin. Every asset also carries cloud (set to GKE), gcp_project, and gcp_location, so you can tell where a cluster lives without following lineage.