Version 1.6. This version is no longer supported as outlined in the Anthos version support policy. For the latest patches and updates for security vulnerabilities, exposures, and issues impacting Anthos clusters on VMware (GKE on-prem), upgrade to a supported version. You can find the most recent version here.

Creating a user cluster

This page shows how to create a user cluster for Anthos clusters on VMware (GKE on-prem).

The instructions here are complete. For a shorter introduction to creating a user cluster, see Create a user cluster (quickstart).

Before you begin

Create an admin cluster.

Get an SSH connection to your admin workstation

Get an SSH connection to your admin workstation.

Recall that gkeadm activated your component access service account on the admin workstation.

Do all the remaining steps in this topic on your admin workstation in the home directory.

Credentials configuration file

When you used gkeadm to create your admin workstation, you filled in a credentials configuration file named credential.yaml. This file holds the username and password for your vCenter server.

Admin cluster configuration file

When gkeadm created your admin workstation, it generated a configuration file named user-cluster.yaml. This configuration file is for creating your user cluster.

Filling in your configuration file


Set the name field to a name of your choice for the user cluster.


This field is already filled in for you.


The values you set in the vCenter section of your admin cluster configuration file are global. That is, they apply to your admin cluster and your user clusters.

For each user cluster that you create, you have the option of overriding some of the global vCenter values.

If you want to override any of the global vCenter values, fill in the relevant fields in the vCenter section of your user cluster configuration file.


Set network.ipMode.type to the same value that you set in your admin cluster configuration file: either "dhcp" or "static".

If you set ipMode.type to "static", create an IP block file that provides the static IP addresses for the nodes in your user cluster. Then set network.ipMode.ipBlockFilePath to the path of your IP block file.

Provide values for the remaining fields in the network section.

Regardless of whether you rely on a DHCP server or specify a list of static IP addresses, you need enough IP addresses to satisfy the following:

  • The nodes in your user cluster

  • An additional node in the user cluster to be used temporarily during upgrades

As mentioned previously, if you want to use static IP addresses, then you need to provide an IP block file. Here is an example of an IP block file with six hosts. This is enough addresses for a cluster that has five nodes and an occasional sixth node for upgrades:

  - netmask:
    - ip:
      hostname: user-host1
    - ip:
      hostname: user-host2
    - ip:
      hostname: user-host3
    - ip:
      hostname: user-host4
    - ip:
      hostname: user-host5
    - ip:
      hostname: user-host6


Set aside a VIP for the Kubernetes API server of your user cluster. Set aside another VIP for the ingress service of your user cluster. Provide your VIPs as values for loadBalancer.vips.controlPlaneVIP and loadBalancer.vips.ingressVIP.

Set loadBalancer.kind to the same value that you set in your admin cluster configuration file: "ManualLB", "F5BigIP", or "Seesaw". Then fill in the corresponding section: manualLB, f5BigIP, or seesaw.


If the network that will have your user cluster nodes is behind a proxy server, fill in the proxy section.


Fill in the masterNode section.


Fill in the nodePools section.


Set antiAffinityGroups.enabled to true or false.


If you want to use OpenID Connect (OIDC) to authenticate users, fill in the authentication.oidc section.

If you want to provide an additional serving certificate for your user cluster's vCenter server, fill in the authentication.sni section.


Fill in the stackdriver section.


Fill in the gkeConnect section.


Set cloudRun.enabled to true or false.


If you want to enable usage metering for your cluster, then fill in the usageMetering section.


If you want to integrate the audit logs from your cluster's Kubernetes API server with Cloud Audit Logs, fill in the cloudAuditLogging section.

Validating your configuration file

After you've filled in your user cluster configuration file, run gkectl check-config to verify that the file is valid:

gkectl check-config --kubeconfig [ADMIN_CLUSTER_KUBECONFIG] --config [CONFIG_PATH]


  • [ADMIN_CLUSTER_KUBECONFIG] is the path of the kubeconfig file for your admin cluster.

  • [CONFIG_PATH] is the path of your user cluster configuration file.

If the command returns any failure messages, fix the issues and validate the file again.

If you want to skip the more time-consuming validations, pass the --fast flag. To skip individual validations, use the --skip-validation-xxx flags. To learn more about the check-config command, see Running preflight checks.

Creating a Seesaw load balancer for your user cluster

If you have chosen to use the bundled Seesaw load balancer, do the step in this section. Otherwise, skip this section.

Create and configure the VMs for your Seesaw load balancer:

gkectl create loadbalancer --kubeconfig [ADMIN_CLUSTER_KUBECONFIG] --config [CONFIG_PATH]


  • [ADMIN_CLUSTER_KUBECONFIG] is the path of the kubeconfig file for your admin cluster.

  • [CONFIG_PATH] is the path of your user cluster configuration file.

Creating the user cluster

Create the user cluster:

gkectl create cluster --kubeconfig [ADMIN_CLUSTER_KUBECONFIG]  \
  --config [CONFIG_PATH] --skip-validation-all


  • [CONFIG_PATH] is the path of your user cluster configuration file.

  • [ADMIN_CLUSTER_KUBECONFIG] is the path of the kubeconfig file for your admin cluster.

The gkectl create cluster command creates a kubeconfig file named [USER_CLUSTER_NAME]-kubeconfig in the current directory. You will need this kubeconfig file later to interact with your user cluster.

Do not use the --skip-validation-all flag if you did not previously validate your user cluster configuration file.

Verifying that your user cluster is running

Verify that your user cluster is running:

kubectl get nodes --kubeconfig [USER_CLUSTER_KUBECONFIG]

where [USER_CLUSTER_KUBECONFIG] is the path of your kubeconfig file.

The output shows the user cluster nodes.


See Troubleshooting cluster creation and upgrade.

What's next