Share sole-tenant node groups

Shared sole-tenant node groups are similar to local sole-tenant node groups. For example, shared node groups cost the same, consume the same quota, and reside under a parent project in the resource hierarchy.

The difference between shared node groups and local node groups is that other projects in your organization can provision virtual machine (VM) instances in the shared node groups.

Sharing a node group across multiple projects or an organization can help you do the following:

• Consolidate node groups that you manage into a single project and then share those nodes with other projects or the entire organization

• Decrease costs by deleting nodes after consolidating VMs from various projects into underutilized node groups

• Manage sole-tenant nodes with a single team

• Share sole-tenant nodes with smaller projects and retain security and access control boundaries between those projects

• Perform a live migration between node groups within the same project

• Improve the utilization of your node groups and reduce the number of reserved maintenance nodes when using the Migrate within node group maintenance policy

The following diagram shows a node group that is shared with other projects so that other departments that manage VMs in those projects can provision VMs in a shared node group.

Utilization benefits of shared node groups

The following table compares projects that use local node groups with projects that use shared node groups. Notice that vCPU underutilization decreases in projects that use shared node groups.

Settings for sharing node groups

Compute Engine uses the following settings for sharing node groups and provisioning VMs in the shared node groups:

• A share setting that you configure when you create or update the sole-tenant node group. To specify whether to share the node group with other projects or with the entire organization, use the gcloud CLI settings (--share-setting, --share-with) or REST settings (shareSetting, shareWith).

• A default compute.googleapis.com/project node affinity label that you use when you provision a VM in a shared node group by using node affinity labels. For information about the other default node affinity labels, see Default affinity labels.

Maintenance policy considerations

When a node group uses the Migrate within node group maintenance policy, Compute Engine reserves at least 1 node for live migration events, so the node group must have at least 2 nodes. You can't schedule VMs on the reserved node, so node groups with this maintenance policy often have lower overall utilization. This makes workloads that require the Migrate within node group maintenance policy good candidates for node group sharing, as they often see the greatest benefit from improved utilization.

IAM roles and permissions

Keep in mind the following information about IAM roles and permissions when you share a node group:

• If a node group is shared with a project, any user that can create VMs in the listed projects or in the organization can provision VMs from those projects onto the shared node group without any changes to IAM roles or permissions.

• The compute.soleTenantViewer IAM role lets you list and view node groups (gcloud CLI / REST). You cannot modify node groups with this role. Any user with this role or with permissions to list node groups, regardless of the IAM permissions on the VM, can view the project ID, name, machine type, and information about local SSDs and GPUs for all VMs in the node group.

Limitations

• Compliance regime limitations:

  • Regardless of the IAM permissions on the VM, any user with permissions to list node groups can view the project ID, name, and machine type for all VMs in the node group. Thus, due to risk of cross-project information disclosure, projects that have VMs provisioned in shared node groups should be under the same compliance regime.

• Google Cloud console limitations:

  • If you don't have permission to view VMs on the shared node group, those VMs won't appear on the VM list on the Sole-tenant nodes page in the Google Cloud console.
  • After modifying the sharing settings on the Sole-tenant node groups page, the Shared with setting is not updated in the UI. To see the updated Shared with setting, go to the Sole-tenant nodes page.
  • After sharing a node group with all projects within an organization or with selected projects within an organization, you can only see the shared node group from its owning project; you can't see the shared node group from the projects it has been shared with. To provision a VM on the shared node group, from the project that the node group is shared with, go to the VM instances page, and then modify the sole tenancy node affinity labels.

• Sharing limitations:

  • You must update the sharing settings from the project that owns the node group.
  • You can specify a maximum of 100 projects when you use the projects share setting.
  • You cannot share node groups between organizations. For example, if you migrate a project that contains a shared node group from one organization to another, you must also migrate all projects that have VMs running in that shared node group.
  • You cannot perform live migration between projects while using shared sole-tenant node groups. For more information, see Manually live migrate VMs.

Pricing

VMs in shared node groups don't incur additional charges, and there are no additional charges for sharing node groups. For more information about sole-tenant node pricing, see Sole-tenant node pricing.

Before you begin

• Before creating a sole-tenant node group, create a sole-tenant node template.
• Before provisioning VMs in a sole-tenant node, check your quota. Depending on the number and size of nodes that you reserve, you might need to request additional quota.
• If you haven't already, then set up authentication. Authentication is the process by which your identity is verified for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
  

  Select the tab for how you plan to use the samples on this page:

  Console

  When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.

  gcloud

  1. Install the Google Cloud CLI, then initialize it by running the following command:

     gcloud init

  2. Set a default region and zone.

  REST

  To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.

  Install the Google Cloud CLI, then initialize it by running the following command:

  gcloud init

  For more information, see Authenticate for using REST in the Google Cloud authentication documentation.

Create a new node group and share it

To create a new node group and share it with other projects or with the entire organization, use the Google Cloud console, gcloud CLI, or REST.

gcloud compute sole-tenancy node-groups create NODE_GROUP \
    --zone=ZONE \
    --node-template=NODE_TEMPLATE \
    --target-size=SIZE \
    --share-setting=SHARE_SETTING \
    --share-with=PROJECTS

POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/nodeGroups

{
  ...
  "name": NODE_GROUP,
  "nodeTemplate": NODE_TEMPLATE,
  "size": SIZE,
  "shareSettings": {
    "shareType": SHARE_TYPE,
    "projectMap": {
      string: {
        "projectId": PROJECTS
      },
    }
  }
  ...
}

Provision a sole-tenant VM in a shared node group

To provision a sole-tenant VM in a shared node group, use the Google Cloud console, gcloud CLI, or REST.

gcloud compute instances create VM_NAME \
    --machine-type=MACHINE_TYPE \
    --node-group=NODE_GROUP \
    --node-project=NODE_PROJECT

gcloud compute instances create VM_NAME \
    --machine-type=MACHINE_TYPE \
    --node-affinity-file=NODE_AFFINITY_FILE

POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/instances

{
  ...
  "name": VM_NAME,
  "machineType": MACHINE_TYPE,
  "scheduling": {
    ...
    "nodeAffinities": [
      {
        "key": KEY,
        "operator": OPERATOR,
        "values": [
          VALUE
        ]
      }
    ],
    ...
  },
  ...
}

View the sharing settings of a node group

To view the sharing settings of a node group, use the Google Cloud console, gcloud CLI, or REST.

gcloud compute sole-tenancy node-groups describe NODE_GROUP

GET https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/nodeGroups

Share an existing node group

To share an existing node group with other projects or the entire organization, use the Google Cloud console, gcloud CLI, or REST.

gcloud compute sole-tenancy node-groups update NODE_GROUP \
    --zone=ZONE \
    --share-setting=SHARE_SETTING \
    --share-with=PROJECTS

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/nodeGroups/NODE_GROUP

{
  "shareSettings": {
    "shareType": SHARE_TYPE,
    "projectMap": {
      string: {
        "projectId": PROJECTS
      },
    }
  }
}

Stop sharing a node group

To stop sharing a node group with other projects or the entire organization, use the gcloud CLI or REST.

gcloud compute sole-tenancy node-groups update NODE_GROUP \
    --zone=ZONE \
    --share-setting=local

PATCH https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/nodeGroups/NODE_GROUP

{
  "shareSettings": {
    "shareType": LOCAL
  }
}

Delete a shared node group from the owning project

To delete a shared node group from the owning project, use the Google Cloud console, gcloud CLI, or REST. Before deleting a node group, stop all VMs that are running in the node group.

gcloud compute sole-tenancy node-groups delete NODE_GROUP

DELETE https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/nodeGroups/NODE_GROUP