Security overview

When an application sends a request to an attached cluster through Connect, it must pass through three security checkpoints.

The request first goes to the Google Cloud API connectgateway.googleapis.com API, which verifies that the caller is authorized to use that API.
If authorized, the request is then passed to the connect gateway for Google Cloud IAM authorization.
If this succeeds, the request is passed to the connect gateway to the cluster's kube-api server for RBAC authorization.

If all of these checks are successful, then the cluster's kube-apiserver will serve the request.

See Grant IAM roles to users for instructions on granting IAM roles to cluster users with the Connect Gateway.

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-08-06 UTC.

Security overview Stay organized with collections Save and categorize content based on your preferences.