Google Kubernetes Engine Deployment
Note (Gateway New Chart): The documentation for the new Gateway chart is now available here.
This page includes only Google Kubernetes Engine (GKE)-specific delta steps.
Review the Kubernetes Helm deployment page first, then apply the GKE changes in this guide.
Scope
This guide assumes that the baseline Helm deployment flow is complete, including:
- Helm chart setup
- base values.yaml preparation
- installation and upgrade flow
- Gateway admin and permission model
This page focuses on GKE workload identity and GKE-specific values.yaml changes.
Prerequisites
Complete all baseline prerequisites from the main Helm deployment page, and add:
- A GCP authentication method in Akeyless.
- GKE workload identity setup as documented in the GKE workload identity guide.
- A Kubernetes ServiceAccount mapped to the target Google service account.
GKE Identity Delta
Set the Gateway auth type to gcp and provide your GCP Access ID:

    globalConfig:
      gatewayAuth:
        gatewayAccessId: <GCP Access ID>
        gatewayAccessType: gcp
      allowedAccessPermissions: {}

Set ServiceAccount annotations for workload identity:

    serviceAccount:
      create: false
      serviceAccountName: <GKE ServiceAccount Name>
      annotations:
        iam.gke.io/gcp-service-account: <GCP Service Account>
    nodeSelector:
      iam.gke.io/gke-metadata-server-enabled: "true"

Info: For Autopilot clusters, omit nodeSelector. Autopilot rejects this selector because all nodes already use workload identity.
Validation Delta
After deployment, validate GKE workload identity integration:
- Confirm pod health:
    kubectl get pods -n <namespace>
- Confirm ServiceAccount annotations:
    kubectl get sa <GKE ServiceAccount Name> -n <namespace> -o yaml
- Validate Gateway login and management endpoint connectivity.
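
The first two checks can be scripted against the JSON form of the same kubectl output (`-o json`). The following is an added example, not code from this guide or from Akeyless; it also confirms that the pods run under the annotated ServiceAccount and carry the nodeSelector. The function name `check_workload_identity` and all sample names are assumptions constructed for illustration.

```python
import re

GSA_ANNOTATION = "iam.gke.io/gcp-service-account"
NODE_LABEL = "iam.gke.io/gke-metadata-server-enabled"
GSA_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.iam\.gserviceaccount\.com$")


def check_workload_identity(sa, pod_list, autopilot=False):
    """Check parsed `kubectl get sa/pods -o json` output; [] means all checks pass."""
    findings = []
    sa_name = sa["metadata"]["name"]
    gsa = (sa["metadata"].get("annotations") or {}).get(GSA_ANNOTATION)
    if not gsa:
        findings.append(f"sa/{sa_name}: annotation {GSA_ANNOTATION} is missing")
    elif not GSA_EMAIL.match(gsa):
        findings.append(f"sa/{sa_name}: {gsa!r} is not a Google service account email")
    for pod in pod_list["items"]:
        name, spec = pod["metadata"]["name"], pod["spec"]
        # Kubernetes falls back to the "default" ServiceAccount when none is set.
        pod_sa = spec.get("serviceAccountName", "default")
        if pod_sa != sa_name:
            findings.append(f"pod/{name}: runs as {pod_sa}, not {sa_name}")
        # Standard clusters only: Autopilot rejects this selector (see the Info note).
        if not autopilot and (spec.get("nodeSelector") or {}).get(NODE_LABEL) != "true":
            findings.append(f"pod/{name}: nodeSelector {NODE_LABEL} is not 'true'")
        conditions = pod.get("status", {}).get("conditions", [])
        if not any(c["type"] == "Ready" and c["status"] == "True" for c in conditions):
            findings.append(f"pod/{name}: not Ready")
    return findings


# Constructed sample data (names and project are placeholders, not from this guide).
SAMPLE_SA = {"metadata": {"name": "gw-sa", "annotations": {
    GSA_ANNOTATION: "gw-gsa@example-project.iam.gserviceaccount.com"}}}
READY = {"conditions": [{"type": "Ready", "status": "True"}]}
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "gateway-0"}, "status": READY,
     "spec": {"serviceAccountName": "gw-sa", "nodeSelector": {NODE_LABEL: "true"}}},
    {"metadata": {"name": "gateway-1"}, "status": {"conditions": []},
     "spec": {"serviceAccountName": "default"}},
]}

if __name__ == "__main__":
    for finding in check_workload_identity(SAMPLE_SA, SAMPLE_PODS):
        print("FAIL", finding)
```

For a live cluster, pass `json.loads()` of the two kubectl outputs in place of the sample dictionaries, and set `autopilot=True` on Autopilot clusters.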
Related Tasks
- For shared Helm install and upgrade commands, use the main Kubernetes Helm deployment page.
- For advanced chart settings, use Advanced Kubernetes Configuration.
- For TLS configuration, use Configuring TLS.
