ContainerCluster

Property Value
Google Cloud Service Name Kubernetes Engine
Google Cloud Service Documentation /kubernetes-engine/docs/
Google Cloud REST Resource Name v1.projects.locations.clusters
Google Cloud REST Resource Documentation /kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters
Config Connector Resource Short Names gcpcontainercluster
gcpcontainerclusters
containercluster
Config Connector Service Name container.googleapis.com
Config Connector Resource Fully Qualified Name containerclusters.container.cnrm.cloud.google.com
Can Be Referenced by IAMPolicy/IAMPolicyMember No

Custom Resource Definition Properties

Annotations

Fields
cnrm.cloud.google.com/project-id
cnrm.cloud.google.com/remove-default-node-pool

Spec

Schema

  # Spec schema for a ContainerCluster (GKE cluster). Values shown are types,
  # not defaults. Per-field descriptions, Immutable markers and the
  # Required*/Optional column are in the Fields section below; at the top
  # level only `location` is Required, and a Required* field is required only
  # when its parent field is specified.
  # The configuration for addons supported by GKE.
  addonsConfig:
    # Disabled by default; set disabled = false to enable.
    cloudrunConfig:
      disabled: boolean
      loadBalancerType: string
    configConnectorConfig:
      enabled: boolean
    # NodeLocal DNSCache; disabled by default, set enabled = true to enable.
    dnsCacheConfig:
      enabled: boolean
    # GCE Persistent Disk CSI driver; disabled by default.
    gcePersistentDiskCsiDriverConfig:
      enabled: boolean
    # Enabled by default; set disabled = true to disable.
    horizontalPodAutoscaling:
      disabled: boolean
    # Enabled by default; set disabled = true to disable.
    httpLoadBalancing:
      disabled: boolean
    # Disabled by default; set disabled = false to enable.
    istioConfig:
      auth: string  # authentication type between services, e.g. AUTH_MUTUAL_TLS
      disabled: boolean
    # Disabled by default; set enabled = true to enable.
    kalmConfig:
      enabled: boolean
    # Master-side network policy addon. Defaults to disabled; set disabled = false
    # together with the networkPolicy block below, otherwise nothing happens.
    networkPolicyConfig:
      disabled: boolean
  # Immutable. Google Groups for GKE; the RBAC security group must be named
  # gke-security-groups@yourdomain.com.
  authenticatorGroupsConfig:
    securityGroup: string
  # Node Auto-Provisioning (NAP) with Cluster Autoscaler.
  clusterAutoscaling:
    # Defaults for node pools created by NAP.
    autoProvisioningDefaults:
      minCpuPlatform: string
      oauthScopes:
      - string
      # external is the email of an IAMServiceAccount; name/namespace reference
      # an IAMServiceAccount object instead.
      serviceAccountRef:
        external: string
        name: string
        namespace: string
    autoscalingProfile: string  # BALANCED (default) or OPTIMIZE_UTILIZATION
    # cpu and memory resourceLimits must be defined when enabled is true.
    enabled: boolean
    resourceLimits:
    - maximum: integer
      minimum: integer
      resourceType: string  # e.g. cpu, memory
  # Immutable. Pod CIDR for routes-based clusters only (ipAllocationPolicy unset).
  clusterIpv4Cidr: string
  clusterTelemetry:
    type: string
  # Immutable. Nodes run on confidential VMs; cannot be changed without
  # recreating the cluster.
  confidentialNodes:
    enabled: boolean
  # Application-layer Secrets encryption with a Cloud KMS key.
  databaseEncryption:
    keyName: string  # name of the CloudKMS key
    state: string  # ENCRYPTED or DECRYPTED
  datapathProvider: string  # defaults to the IPTables-based kube-proxy implementation
  defaultMaxPodsPerNode: integer  # Immutable; not applicable to routes-based clusters
  # disabled = false keeps the default IP masquerade rules that prevent sNAT on
  # cluster-internal traffic.
  defaultSnatStatus:
    disabled: boolean
  description: string  # Immutable
  # When true, all container images are validated by Binary Authorization.
  enableBinaryAuthorization: boolean
  enableIntranodeVisibility: boolean  # makes same-node pod-to-pod traffic visible to the VPC
  # Immutable. An alpha cluster cannot be upgraded and is deleted after 30 days.
  enableKubernetesAlpha: boolean
  # Defaults to false. When true, identities (including service accounts, nodes
  # and controllers) get statically granted permissions beyond RBAC/IAM.
  enableLegacyAbac: boolean
  enableShieldedNodes: boolean  # defaults to false
  enableTpu: boolean  # Immutable
  # Immutable. Nodes per zone in the default node pool; must be at least 1 when
  # the default node pool is removed in favour of separate node pools.
  initialNodeCount: integer
  # Immutable. Presence of this block enables IP aliasing (VPC-native cluster).
  ipAllocationPolicy:
    clusterIpv4CidrBlock: string
    clusterSecondaryRangeName: string
    servicesIpv4CidrBlock: string
    servicesSecondaryRangeName: string
  # Required. Immutable. Zone (zonal cluster) or region (regional cluster).
  location: string
  loggingService: string  # defaults to logging.googleapis.com/kubernetes
  maintenancePolicy:
    dailyMaintenanceWindow:
      duration: string
      startTime: string  # RFC3339 "HH:MM", GMT
    maintenanceExclusion:
    - endTime: string
      exclusionName: string
      startTime: string
    recurringWindow:
      endTime: string
      recurrence: string
      startTime: string
  # Credentials for the Kubernetes master. Some values are only returned by the
  # API when the service account has container.clusters.getCredentials.
  masterAuth:
    clientCertificate: string  # base64-encoded public certificate
    clientCertificateConfig:  # Immutable
      issueClientCertificate: boolean
    clientKey: string  # base64-encoded private key
    clusterCaCertificate: string  # base64-encoded root of trust for the cluster
    # HTTP basic-auth password. value and valueFrom are mutually exclusive;
    # valueFrom.secretKeyRef reads the value from a Secret in the resource's
    # namespace instead of placing it in the spec.
    password:
      value: string
      valueFrom:
        secretKeyRef:
          key: string
          name: string
    username: string  # basic auth is disabled when username is not present
  # External networks allowed to reach the master over HTTPS. Omit cidrBlocks to
  # disallow external access (cluster node IPs are still allowed automatically).
  masterAuthorizedNetworksConfig:
    cidrBlocks:
    - cidrBlock: string  # CIDR notation
      displayName: string
  # Minimum master version only; GKE auto-updates the master, see status.masterVersion.
  minMasterVersion: string
  monitoringService: string  # defaults to monitoring.googleapis.com/kubernetes
  networkPolicy:
    enabled: boolean
    provider: string  # defaults to PROVIDER_UNSPECIFIED
  # external is the selfLink of a ComputeNetwork.
  networkRef:
    external: string
    name: string
    namespace: string
  networkingMode: string  # Immutable; alias IPs or routes for pod IPs
  # Immutable.
  nodeConfig:
    # Customer-managed key for node boot disks; external is the selfLink of a KMSCryptoKey.
    bootDiskKMSCryptoKeyRef:
      external: string
      name: string
      namespace: string
    diskSizeGb: integer
    diskType: string
    guestAccelerator:
    - count: integer
      type: string
    imageType: string
    kubeletConfig:
      cpuCfsQuota: boolean
      cpuCfsQuotaPeriod: string
      cpuManagerPolicy: string
    labels:
      string: string
    linuxNodeConfig:
      sysctls:
        string: string
    localSsdCount: integer
    machineType: string
    metadata:
      string: string
    minCpuPlatform: string
    oauthScopes:
    - string
    preemptible: boolean
    sandboxConfig:
      sandboxType: string
    # external is the email of an IAMServiceAccount the nodes run as.
    serviceAccountRef:
      external: string
      name: string
      namespace: string
    shieldedInstanceConfig:
      enableIntegrityMonitoring: boolean
      enableSecureBoot: boolean
    tags:
    - string
    taint:
    - effect: string
      key: string
      value: string
    workloadMetadataConfig:
      nodeMetadata: string
  # Zones for the nodes; must be in the cluster's region.
  nodeLocations:
  - string
  nodeVersion: string
  # Cluster upgrade notifications via Cloud Pub/Sub.
  notificationConfig:
    pubsub:
      enabled: boolean
      # external is the name of a PubSubTopic.
      topicRef:
        external: string
        name: string
        namespace: string
  # When enabled, pods must be valid under a PodSecurityPolicy to be created.
  podSecurityPolicyConfig:
    enabled: boolean
  # Private clusters (private nodes).
  # NOTE(review): the Fields descriptions for enablePrivateEndpoint and
  # enablePrivateNodes below appear to be swapped (each describes the other);
  # confirm against the CRD before relying on either.
  privateClusterConfig:
    enablePrivateEndpoint: boolean
    enablePrivateNodes: boolean
    masterGlobalAccessConfig:
      enabled: boolean
    # Immutable. Must be a /28 that does not overlap other ranges in the cluster's network.
    masterIpv4CidrBlock: string
    peeringName: string  # peering between this cluster and the Google-owned VPC
    privateEndpoint: string  # internal IP of the master endpoint
    publicEndpoint: string  # external IP of the master endpoint
  # Removing this block does not unenroll the cluster; use channel UNSPECIFIED.
  releaseChannel:
    channel: string  # UNSPECIFIED, RAPID, REGULAR or STABLE
  resourceID: string  # Immutable; defaults to metadata.name
  resourceUsageExportConfig:
    bigqueryDestination:
      datasetId: string
    enableNetworkEgressMetering: boolean  # creates a metering daemonset in the cluster
    enableResourceConsumptionMetering: boolean  # defaults to true
  # external is the selfLink of a ComputeSubnetwork.
  subnetworkRef:
    external: string
    name: string
    namespace: string
  verticalPodAutoscaling:
    enabled: boolean
  workloadIdentityConfig:
    identityNamespace: string
Fields

addonsConfig

Optional

object

The configuration for addons supported by GKE.

addonsConfig.cloudrunConfig

Optional

object

The status of the CloudRun addon. It is disabled by default. Set disabled = false to enable.

addonsConfig.cloudrunConfig.disabled

Required*

boolean

addonsConfig.cloudrunConfig.loadBalancerType

Optional

string

addonsConfig.configConnectorConfig

Optional

object

The status of the Config Connector addon.

addonsConfig.configConnectorConfig.enabled

Required*

boolean

addonsConfig.dnsCacheConfig

Optional

object

The status of the NodeLocal DNSCache addon. It is disabled by default. Set enabled = true to enable.

addonsConfig.dnsCacheConfig.enabled

Required*

boolean

addonsConfig.gcePersistentDiskCsiDriverConfig

Optional

object

Whether this cluster should enable the Google Compute Engine Persistent Disk Container Storage Interface (CSI) Driver. Defaults to disabled; set enabled = true to enable.

addonsConfig.gcePersistentDiskCsiDriverConfig.enabled

Required*

boolean

addonsConfig.horizontalPodAutoscaling

Optional

object

The status of the Horizontal Pod Autoscaling addon, which increases or decreases the number of replica pods a replication controller has based on the resource usage of the existing pods. It ensures that a Heapster pod is running in the cluster, which is also used by the Cloud Monitoring service. It is enabled by default; set disabled = true to disable.

addonsConfig.horizontalPodAutoscaling.disabled

Required*

boolean

addonsConfig.httpLoadBalancing

Optional

object

The status of the HTTP (L7) load balancing controller addon, which makes it easy to set up HTTP load balancers for services in a cluster. It is enabled by default; set disabled = true to disable.

addonsConfig.httpLoadBalancing.disabled

Required*

boolean

addonsConfig.istioConfig

Optional

object

The status of the Istio addon.

addonsConfig.istioConfig.auth

Optional

string

The authentication type between services in Istio. Available options include AUTH_MUTUAL_TLS.

addonsConfig.istioConfig.disabled

Required*

boolean

The status of the Istio addon, which makes it easy to set up Istio for services in a cluster. It is disabled by default. Set disabled = false to enable.

addonsConfig.kalmConfig

Optional

object

Configuration for the KALM addon, which manages the lifecycle of k8s applications. It is disabled by default; set enabled = true to enable.

addonsConfig.kalmConfig.enabled

Required*

boolean

addonsConfig.networkPolicyConfig

Optional

object

Whether we should enable the network policy addon for the master. This must be enabled in order to enable network policy for the nodes. To enable this, you must also define a network_policy block, otherwise nothing will happen. It can only be disabled if the nodes already do not have network policies enabled. Defaults to disabled; set disabled = false to enable.

addonsConfig.networkPolicyConfig.disabled

Required*

boolean

authenticatorGroupsConfig

Optional

object

Immutable. Configuration for the Google Groups for GKE feature.

authenticatorGroupsConfig.securityGroup

Required*

string

Immutable. The name of the RBAC security group for use with Google security groups in Kubernetes RBAC. Group name must be in format gke-security-groups@yourdomain.com.

clusterAutoscaling

Optional

object

Per-cluster configuration of Node Auto-Provisioning with Cluster Autoscaler to automatically adjust the size of the cluster and create/delete node pools based on the current needs of the cluster's workload. See the guide to using Node Auto-Provisioning for more details.

clusterAutoscaling.autoProvisioningDefaults

Optional

object

Contains defaults for a node pool created by NAP.

clusterAutoscaling.autoProvisioningDefaults.minCpuPlatform

Optional

string

Minimum CPU platform to be used by this instance. The instance may be scheduled on the specified or newer CPU platform. Applicable values are the friendly names of CPU platforms, such as Intel Haswell.

clusterAutoscaling.autoProvisioningDefaults.oauthScopes

Optional

list (string)

Scopes that are used by NAP when creating node pools.

clusterAutoscaling.autoProvisioningDefaults.oauthScopes.[]

Optional

string

clusterAutoscaling.autoProvisioningDefaults.serviceAccountRef

Optional

object

clusterAutoscaling.autoProvisioningDefaults.serviceAccountRef.external

Optional

string

The email of an IAMServiceAccount.

clusterAutoscaling.autoProvisioningDefaults.serviceAccountRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

clusterAutoscaling.autoProvisioningDefaults.serviceAccountRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

clusterAutoscaling.autoscalingProfile

Optional

string

Configuration options for the Autoscaling profile feature, which lets you choose whether the cluster autoscaler should optimize for resource utilization or resource availability when deciding to remove nodes from a cluster. Can be BALANCED or OPTIMIZE_UTILIZATION. Defaults to BALANCED.

clusterAutoscaling.enabled

Required*

boolean

Whether node auto-provisioning is enabled. Resource limits for cpu and memory must be defined to enable node auto-provisioning.

clusterAutoscaling.resourceLimits

Optional

list (object)

Global constraints for machine resources in the cluster. Configuring the cpu and memory types is required if node auto-provisioning is enabled. These limits will apply to node pool autoscaling in addition to node auto-provisioning.

clusterAutoscaling.resourceLimits.[]

Optional

object

clusterAutoscaling.resourceLimits.[].maximum

Optional

integer

Maximum amount of the resource in the cluster.

clusterAutoscaling.resourceLimits.[].minimum

Optional

integer

Minimum amount of the resource in the cluster.

clusterAutoscaling.resourceLimits.[].resourceType

Required*

string

The type of the resource. For example, cpu and memory. See the guide to using Node Auto-Provisioning for a list of types.

clusterIpv4Cidr

Optional

string

Immutable. The IP address range of the Kubernetes pods in this cluster in CIDR notation (e.g. 10.96.0.0/14). Leave blank to have one automatically chosen or specify a /14 block in 10.0.0.0/8. This field will only work for routes-based clusters, where ip_allocation_policy is not defined.

clusterTelemetry

Optional

object

clusterTelemetry.type

Required*

string

confidentialNodes

Optional

object

Immutable. Configuration for the confidential nodes feature, which makes nodes run on confidential VMs. Warning: This configuration can't be changed (or added/removed) after cluster creation without deleting and recreating the entire cluster.

confidentialNodes.enabled

Required*

boolean

Immutable. Whether Confidential Nodes feature is enabled for all nodes in this cluster.

databaseEncryption

Optional

object

Application-layer Secrets Encryption settings. The object format is {state = string, key_name = string}. Valid values of state are: "ENCRYPTED"; "DECRYPTED". key_name is the name of a CloudKMS key.

databaseEncryption.keyName

Optional

string

The key to use to encrypt/decrypt secrets.

databaseEncryption.state

Required*

string

ENCRYPTED or DECRYPTED.

datapathProvider

Optional

string

The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation.

defaultMaxPodsPerNode

Optional

integer

Immutable. The default maximum number of pods per node in this cluster. This doesn't work on "routes-based" clusters, clusters that don't have IP Aliasing enabled.

defaultSnatStatus

Optional

object

Whether the cluster disables default in-node sNAT rules. In-node sNAT rules will be disabled when defaultSnatStatus is disabled.

defaultSnatStatus.disabled

Required*

boolean

When disabled is set to false, default IP masquerade rules will be applied to the nodes to prevent sNAT on cluster internal traffic.

description

Optional

string

Immutable. Description of the cluster.

enableBinaryAuthorization

Optional

boolean

Enable Binary Authorization for this cluster. If enabled, all container images will be validated by Google Binary Authorization.

enableIntranodeVisibility

Optional

boolean

Whether Intra-node visibility is enabled for this cluster. This makes same node pod to pod traffic visible for VPC network.

enableKubernetesAlpha

Optional

boolean

Immutable. Whether to enable Kubernetes Alpha features for this cluster. Note that when this option is enabled, the cluster cannot be upgraded and will be automatically deleted after 30 days.

enableLegacyAbac

Optional

boolean

Whether the ABAC authorizer is enabled for this cluster. When enabled, identities in the system, including service accounts, nodes, and controllers, will have statically granted permissions beyond those provided by the RBAC configuration or IAM. Defaults to false.

enableShieldedNodes

Optional

boolean

Enable Shielded Nodes features on all nodes in this cluster. Defaults to false.

enableTpu

Optional

boolean

Immutable. Whether to enable Cloud TPU resources in this cluster.

initialNodeCount

Optional

integer

Immutable. The number of nodes to create in this cluster's default node pool. In regional or multi-zonal clusters, this is the number of nodes per zone. Must be set if node_pool is not set. If you're using google_container_node_pool objects with no default node pool, you'll need to set this to a value of at least 1, alongside setting remove_default_node_pool to true.

ipAllocationPolicy

Optional

object

Immutable. Configuration of cluster IP allocation for VPC-native clusters. Adding this block enables IP aliasing, making the cluster VPC-native instead of routes-based.

ipAllocationPolicy.clusterIpv4CidrBlock

Optional

string

Immutable. The IP address range for the cluster pod IPs. Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask. Set to a CIDR notation (e.g. 10.96.0.0/14) from the RFC-1918 private networks (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to pick a specific range to use.

ipAllocationPolicy.clusterSecondaryRangeName

Optional

string

Immutable. The name of the existing secondary range in the cluster's subnetwork to use for pod IP addresses. Alternatively, cluster_ipv4_cidr_block can be used to automatically create a GKE-managed one.

ipAllocationPolicy.servicesIpv4CidrBlock

Optional

string

Immutable. The IP address range of the services IPs in this cluster. Set to blank to have a range chosen with the default size. Set to /netmask (e.g. /14) to have a range chosen with a specific netmask. Set to a CIDR notation (e.g. 10.96.0.0/14) from the RFC-1918 private networks (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to pick a specific range to use.

ipAllocationPolicy.servicesSecondaryRangeName

Optional

string

Immutable. The name of the existing secondary range in the cluster's subnetwork to use for service ClusterIPs. Alternatively, services_ipv4_cidr_block can be used to automatically create a GKE-managed one.

location

Required

string

Immutable. The location (region or zone) in which the cluster master will be created, as well as the default node location. If you specify a zone (such as us-central1-a), the cluster will be a zonal cluster with a single cluster master. If you specify a region (such as us-west1), the cluster will be a regional cluster with multiple masters spread across zones in the region, and with default node locations in those zones as well.

loggingService

Optional

string

The logging service that the cluster should write logs to. Available options include logging.googleapis.com(Legacy Stackdriver), logging.googleapis.com/kubernetes(Stackdriver Kubernetes Engine Logging), and none. Defaults to logging.googleapis.com/kubernetes.

maintenancePolicy

Optional

object

The maintenance policy to use for the cluster.

maintenancePolicy.dailyMaintenanceWindow

Optional

object

Time window specified for daily maintenance operations. Specify start_time in RFC3339 format "HH:MM", where HH : [00-23] and MM : [00-59] GMT.

maintenancePolicy.dailyMaintenanceWindow.duration

Optional

string

maintenancePolicy.dailyMaintenanceWindow.startTime

Required*

string

maintenancePolicy.maintenanceExclusion

Optional

list (object)

Exceptions to maintenance window. Non-emergency maintenance should not occur in these windows.

maintenancePolicy.maintenanceExclusion.[]

Optional

object

maintenancePolicy.maintenanceExclusion.[].endTime

Required*

string

maintenancePolicy.maintenanceExclusion.[].exclusionName

Required*

string

maintenancePolicy.maintenanceExclusion.[].startTime

Required*

string

maintenancePolicy.recurringWindow

Optional

object

Time window for recurring maintenance operations.

maintenancePolicy.recurringWindow.endTime

Required*

string

maintenancePolicy.recurringWindow.recurrence

Required*

string

maintenancePolicy.recurringWindow.startTime

Required*

string

masterAuth

Optional

object

The authentication information for accessing the Kubernetes master. Some values in this block are only returned by the API if your service account has permission to get credentials for your GKE cluster. If you see an unexpected diff removing a username/password or unsetting your client cert, ensure you have the container.clusters.getCredentials permission.

masterAuth.clientCertificate

Optional

string

Base64 encoded public certificate used by clients to authenticate to the cluster endpoint.

masterAuth.clientCertificateConfig

Optional

object

Immutable. Whether client certificate authorization is enabled for this cluster.

masterAuth.clientCertificateConfig.issueClientCertificate

Required*

boolean

Immutable. Whether client certificate authorization is enabled for this cluster.

masterAuth.clientKey

Optional

string

Base64 encoded private key used by clients to authenticate to the cluster endpoint.

masterAuth.clusterCaCertificate

Optional

string

Base64 encoded public certificate that is the root of trust for the cluster.

masterAuth.password

Optional

object

The password to use for HTTP basic authentication when accessing the Kubernetes master endpoint.

masterAuth.password.value

Optional

string

Value of the field. Cannot be used if 'valueFrom' is specified.

masterAuth.password.valueFrom

Optional

object

Source for the field's value. Cannot be used if 'value' is specified.

masterAuth.password.valueFrom.secretKeyRef

Optional

object

Reference to a value with the given key in the given Secret in the resource's namespace.

masterAuth.password.valueFrom.secretKeyRef.key

Required*

string

Key that identifies the value to be extracted.

masterAuth.password.valueFrom.secretKeyRef.name

Required*

string

Name of the Secret to extract a value from.

masterAuth.username

Optional

string

The username to use for HTTP basic authentication when accessing the Kubernetes master endpoint. If not present basic auth will be disabled.

masterAuthorizedNetworksConfig

Optional

object

The desired configuration options for master authorized networks. Omit the nested cidr_blocks attribute to disallow external access (except the cluster node IPs, which GKE automatically whitelists).

masterAuthorizedNetworksConfig.cidrBlocks

Optional

list (object)

External networks that can access the Kubernetes cluster master through HTTPS.

masterAuthorizedNetworksConfig.cidrBlocks.[]

Optional

object

masterAuthorizedNetworksConfig.cidrBlocks.[].cidrBlock

Required*

string

External network that can access Kubernetes master through HTTPS. Must be specified in CIDR notation.

masterAuthorizedNetworksConfig.cidrBlocks.[].displayName

Optional

string

Field for users to identify CIDR blocks.

minMasterVersion

Optional

string

The minimum version of the master. GKE will auto-update the master to new versions, so this does not guarantee the current master version--use the read-only master_version field to obtain that. If unset, the cluster's version will be set by GKE to the version of the most recent official release (which is not necessarily the latest version).

monitoringService

Optional

string

The monitoring service that the cluster should write metrics to. Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting. Available options include monitoring.googleapis.com(Legacy Stackdriver), monitoring.googleapis.com/kubernetes(Stackdriver Kubernetes Engine Monitoring), and none. Defaults to monitoring.googleapis.com/kubernetes.

networkPolicy

Optional

object

Configuration options for the NetworkPolicy feature.

networkPolicy.enabled

Required*

boolean

Whether network policy is enabled on the cluster.

networkPolicy.provider

Optional

string

The selected network policy provider. Defaults to PROVIDER_UNSPECIFIED.

networkRef

Optional

object

networkRef.external

Optional

string

The selfLink of a ComputeNetwork.

networkRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

networkRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

networkingMode

Optional

string

Immutable. Determines whether alias IPs or routes will be used for pod IPs in the cluster.

nodeConfig

Optional

object

Immutable.

nodeConfig.bootDiskKMSCryptoKeyRef

Optional

object

nodeConfig.bootDiskKMSCryptoKeyRef.external

Optional

string

The selfLink of a KMSCryptoKey.

nodeConfig.bootDiskKMSCryptoKeyRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

nodeConfig.bootDiskKMSCryptoKeyRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

nodeConfig.diskSizeGb

Optional

integer

Immutable.

nodeConfig.diskType

Optional

string

Immutable.

nodeConfig.guestAccelerator

Optional

list (object)

Immutable.

nodeConfig.guestAccelerator.[]

Optional

object

nodeConfig.guestAccelerator.[].count

Required*

integer

Immutable.

nodeConfig.guestAccelerator.[].type

Required*

string

Immutable.

nodeConfig.imageType

Optional

string

nodeConfig.kubeletConfig

Optional

object

nodeConfig.kubeletConfig.cpuCfsQuota

Optional

boolean

nodeConfig.kubeletConfig.cpuCfsQuotaPeriod

Optional

string

nodeConfig.kubeletConfig.cpuManagerPolicy

Required*

string

nodeConfig.labels

Optional

map (key: string, value: string)

Immutable.

nodeConfig.linuxNodeConfig

Optional

object

nodeConfig.linuxNodeConfig.sysctls

Required*

map (key: string, value: string)

nodeConfig.localSsdCount

Optional

integer

Immutable.

nodeConfig.machineType

Optional

string

Immutable.

nodeConfig.metadata

Optional

map (key: string, value: string)

Immutable.

nodeConfig.minCpuPlatform

Optional

string

Immutable.

nodeConfig.oauthScopes

Optional

list (string)

Immutable.

nodeConfig.oauthScopes.[]

Optional

string

nodeConfig.preemptible

Optional

boolean

Immutable.

nodeConfig.sandboxConfig

Optional

object

Immutable.

nodeConfig.sandboxConfig.sandboxType

Required*

string

nodeConfig.serviceAccountRef

Optional

object

nodeConfig.serviceAccountRef.external

Optional

string

The email of an IAMServiceAccount.

nodeConfig.serviceAccountRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

nodeConfig.serviceAccountRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

nodeConfig.shieldedInstanceConfig

Optional

object

Immutable.

nodeConfig.shieldedInstanceConfig.enableIntegrityMonitoring

Optional

boolean

Immutable.

nodeConfig.shieldedInstanceConfig.enableSecureBoot

Optional

boolean

Immutable.

nodeConfig.tags

Optional

list (string)

Immutable.

nodeConfig.tags.[]

Optional

string

nodeConfig.taint

Optional

list (object)

Immutable.

nodeConfig.taint.[]

Optional

object

nodeConfig.taint.[].effect

Required*

string

Immutable.

nodeConfig.taint.[].key

Required*

string

Immutable.

nodeConfig.taint.[].value

Required*

string

Immutable.

nodeConfig.workloadMetadataConfig

Optional

object

Immutable.

nodeConfig.workloadMetadataConfig.nodeMetadata

Required*

string

nodeLocations

Optional

list (string)

The list of zones in which the cluster's nodes are located. Nodes must be in the region of their regional cluster or in the same region as their cluster's zone for zonal clusters. If this is specified for a zonal cluster, omit the cluster's zone.

nodeLocations.[]

Optional

string

nodeVersion

Optional

string

notificationConfig

Optional

object

The notification config for sending cluster upgrade notifications.

notificationConfig.pubsub

Required*

object

Notification config for Cloud Pub/Sub.

notificationConfig.pubsub.enabled

Required*

boolean

Whether or not the notification config is enabled.

notificationConfig.pubsub.topicRef

Optional

object

The PubSubTopic to send the notification to.

notificationConfig.pubsub.topicRef.external

Optional

string

The name of a PubSubTopic.

notificationConfig.pubsub.topicRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

notificationConfig.pubsub.topicRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

podSecurityPolicyConfig

Optional

object

Configuration for the PodSecurityPolicy feature.

podSecurityPolicyConfig.enabled

Required*

boolean

Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created.

privateClusterConfig

Optional

object

Configuration for private clusters, clusters with private nodes.

privateClusterConfig.enablePrivateEndpoint

Required*

boolean

Immutable. Enables the private cluster feature, creating a private endpoint on the cluster. In a private cluster, nodes only have RFC 1918 private addresses and communicate with the master's private endpoint via private networking.

privateClusterConfig.enablePrivateNodes

Optional

boolean

Immutable. When true, the cluster's private endpoint is used as the cluster endpoint and access through the public endpoint is disabled. When false, either endpoint can be used. This field only applies to private clusters, when enable_private_nodes is true.

privateClusterConfig.masterGlobalAccessConfig

Optional

object

Controls cluster master global access settings.

privateClusterConfig.masterGlobalAccessConfig.enabled

Required*

boolean

Whether the cluster master is accessible globally or not.

privateClusterConfig.masterIpv4CidrBlock

Optional

string

Immutable. The IP range in CIDR notation to use for the hosted master network. This range will be used for assigning private IP addresses to the cluster master(s) and the ILB VIP. This range must not overlap with any other ranges in use within the cluster's network, and it must be a /28 subnet. See Private Cluster Limitations for more details. This field only applies to private clusters, when enable_private_nodes is true.

privateClusterConfig.peeringName

Optional

string

The name of the peering between this cluster and the Google owned VPC.

privateClusterConfig.privateEndpoint

Optional

string

The internal IP address of this cluster's master endpoint.

privateClusterConfig.publicEndpoint

Optional

string

The external IP address of this cluster's master endpoint.

releaseChannel

Optional

object

Configuration options for the Release channel feature, which provides more control over automatic upgrades of your GKE clusters. Note that removing this field from your config will not unenroll it. Instead, use the "UNSPECIFIED" channel.

releaseChannel.channel

Required*

string

The selected release channel. Accepted values are: * UNSPECIFIED: Not set. * RAPID: Weekly upgrade cadence; early testers and developers who require new features. * REGULAR: Multiple per month upgrade cadence; production users who need features not yet offered in the Stable channel. * STABLE: Every few months upgrade cadence; production users who need stability above all else, and for whom frequent upgrades are too risky.

resourceID

Optional

string

Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.

resourceUsageExportConfig

Optional

object

Configuration for the ResourceUsageExportConfig feature.

resourceUsageExportConfig.bigqueryDestination

Required*

object

Parameters for using BigQuery as the destination of resource usage export.

resourceUsageExportConfig.bigqueryDestination.datasetId

Required*

string

The ID of a BigQuery Dataset.

resourceUsageExportConfig.enableNetworkEgressMetering

Optional

boolean

Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic.

resourceUsageExportConfig.enableResourceConsumptionMetering

Optional

boolean

Whether to enable resource consumption metering on this cluster. When enabled, a table will be created in the resource export BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export. Defaults to true.

subnetworkRef

Optional

object

subnetworkRef.external

Optional

string

The selfLink of a ComputeSubnetwork.

subnetworkRef.name

Optional

string

Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names

subnetworkRef.namespace

Optional

string

Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/

verticalPodAutoscaling

Optional

object

Vertical Pod Autoscaling automatically adjusts the resources of pods controlled by it.

verticalPodAutoscaling.enabled

Required*

boolean

Enables vertical pod autoscaling.

workloadIdentityConfig

Optional

object

workloadIdentityConfig.identityNamespace

Required*

string

* Field is required when parent field is specified

Status

Schema

  # Status schema for a ContainerCluster. Values shown are types; per-field
  # descriptions are in the Fields section below.
  conditions:
  - lastTransitionTime: string
    message: string
    reason: string
    status: string  # True, False or Unknown
    type: string
  endpoint: string  # IP address of the cluster's Kubernetes master
  instanceGroupUrls:
  - string
  labelFingerprint: string
  # Current master version; may differ from spec.minMasterVersion once GKE has
  # updated the master.
  masterVersion: string
  operation: string
  selfLink: string  # server-defined URL for the resource
  servicesIpv4Cidr: string  # services range, CIDR notation
  tpuIpv4CidrBlock: string  # Cloud TPU range, CIDR notation
Fields
conditions

list (object)

Conditions represents the latest available observation of the resource's current state.

conditions.[]

object

conditions.[].lastTransitionTime

string

Last time the condition transitioned from one status to another.

conditions.[].message

string

Human-readable message indicating details about last transition.

conditions.[].reason

string

Unique, one-word, CamelCase reason for the condition's last transition.

conditions.[].status

string

Status is the status of the condition. Can be True, False, Unknown.

conditions.[].type

string

Type is the type of the condition.

endpoint

string

The IP address of this cluster's Kubernetes master.

instanceGroupUrls

list (string)

List of instance group URLs which have been assigned to the cluster.

instanceGroupUrls.[]

string

labelFingerprint

string

The fingerprint of the set of labels for this cluster.

masterVersion

string

The current version of the master in the cluster. This may differ from the min_master_version set in the config if the master has been updated by GKE.

operation

string

selfLink

string

Server-defined URL for the resource.

servicesIpv4Cidr

string

The IP address range of the Kubernetes services in this cluster, in CIDR notation (e.g. 1.2.3.4/29). Service addresses are typically put in the last /16 from the container CIDR.

tpuIpv4CidrBlock

string

The IP address range of the Cloud TPUs in this cluster, in CIDR notation (e.g. 1.2.3.4/29).

Sample YAML(s)

Routes Based Container Cluster

  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.

  # Small zonal, routes-based cluster intended for development use.
  apiVersion: container.cnrm.cloud.google.com/v1beta1
  kind: ContainerCluster
  metadata:
    name: containercluster-sample-routesbased
    labels:
      availability: dev
      target-audience: development
  spec:
    description: A routes-based cluster confined to one zone configured for development.
    # Zonal location: the cluster is confined to this single zone.
    location: us-central1-a
    initialNodeCount: 1
    # Routes-based networking uses clusterIpv4Cidr directly; compare the
    # VPC-native sample below, which draws from subnetwork secondary ranges.
    networkingMode: ROUTES
    clusterIpv4Cidr: 10.96.0.0/14
    clusterTelemetry:
      type: SYSTEM_ONLY
    # Restricts which source ranges may reach the cluster endpoint. The block
    # below is a sample value — replace it with your own trusted ranges.
    masterAuthorizedNetworksConfig:
      cidrBlocks:
        - displayName: Trusted external network
          cidrBlock: 10.2.0.0/16
    # Add-ons: CSI driver and KALM on, HPA and HTTP load balancing off.
    addonsConfig:
      gcePersistentDiskCsiDriverConfig:
        enabled: true
      kalmConfig:
        enabled: true
      horizontalPodAutoscaling:
        disabled: true
      httpLoadBalancing:
        disabled: true

Vpc Native Container Cluster

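  # Copyright 2020 Google LLC
  #
  # Licensed under the Apache License, Version 2.0 (the "License");
  # you may not use this file except in compliance with the License.
  # You may obtain a copy of the License at
  #
  #     http://www.apache.org/licenses/LICENSE-2.0
  #
  # Unless required by applicable law or agreed to in writing, software
  # distributed under the License is distributed on an "AS IS" BASIS,
  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  # See the License for the specific language governing permissions and
  # limitations under the License.

  # Regional VPC-native cluster with the hardening switches of this CRD turned
  # on. The ComputeNetwork, ComputeSubnetwork and PubSubTopic it references are
  # the separate documents that follow in this file.
  apiVersion: container.cnrm.cloud.google.com/v1beta1
  kind: ContainerCluster
  metadata:
    labels:
      availability: high
      target-audience: production
    name: containercluster-sample-vpcnative
  spec:
    description: A large regional VPC-native cluster set up with special networking considerations.
    # Regional location; nodes are placed in the zones listed in nodeLocations.
    location: us-central1
    initialNodeCount: 1
    defaultMaxPodsPerNode: 16
    nodeLocations:
      - us-central1-a
      - us-central1-b
      - us-central1-c
      - us-central1-f
    workloadIdentityConfig:
      # Workload Identity supports only a single namespace based on your project name.
      # Replace ${PROJECT_ID?} below with your project ID.
      identityNamespace: ${PROJECT_ID?}.svc.id.goog
    networkingMode: VPC_NATIVE
    # networkRef/subnetworkRef name the ComputeNetwork and ComputeSubnetwork
    # documents below; the two secondary range names must match the
    # secondaryIpRange entries declared on that subnetwork.
    networkRef:
      name: containercluster-dep-vpcnative
    subnetworkRef:
      name: containercluster-dep-vpcnative
    ipAllocationPolicy:
      servicesSecondaryRangeName: servicesrange
      clusterSecondaryRangeName: clusterrange
    clusterAutoscaling:
      enabled: true
      autoscalingProfile: BALANCED
      # Sample bounds per resource type; confirm the units the API expects
      # before sizing these for a real cluster.
      resourceLimits:
      - resourceType: cpu
        maximum: 100
        minimum: 10
      - resourceType: memory
        maximum: 1000
        minimum: 100
    maintenancePolicy:
      dailyMaintenanceWindow:
        # Quoted on purpose: an unquoted 00:00 is a YAML 1.1 sexagesimal
        # integer (0) on some loaders; the API expects the string "HH:MM".
        startTime: "00:00"
    releaseChannel:
      channel: STABLE
    # Cluster notifications are published to the PubSubTopic document at the
    # end of this file.
    notificationConfig:
      pubsub:
        enabled: true
        topicRef:
          name: containercluster-dep-vpcnative
    # Hardening switches exposed by this CRD; see the field reference above
    # for each one before enabling it on an existing cluster.
    enableBinaryAuthorization: true
    enableIntranodeVisibility: true
    enableShieldedNodes: true
    addonsConfig:
      # The network policy add-on and spec.networkPolicy are enabled together.
      networkPolicyConfig:
        disabled: false
      dnsCacheConfig:
        enabled: true
      configConnectorConfig:
        enabled: true
    networkPolicy:
      enabled: true
    # NOTE(review): PodSecurityPolicy was removed from upstream Kubernetes in
    # v1.25; check that the target cluster version still accepts this field.
    podSecurityPolicyConfig:
      enabled: true
    verticalPodAutoscaling:
      enabled: true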
  ---
  apiVersion: compute.cnrm.cloud.google.com/v1beta1
  kind: ComputeNetwork
  metadata:
    name: containercluster-dep-vpcnative
  spec:
    # No automatically created subnets: the ComputeSubnetwork document below
    # declares the ranges the cluster uses.
    autoCreateSubnetworks: false
    routingMode: REGIONAL
  ---
  apiVersion: compute.cnrm.cloud.google.com/v1beta1
  kind: ComputeSubnetwork
  metadata:
    name: containercluster-dep-vpcnative
  spec:
    region: us-central1
    networkRef:
      name: containercluster-dep-vpcnative
    # Primary range of the subnetwork.
    ipCidrRange: 10.2.0.0/16
    # Secondary ranges; the rangeName values are what the cluster's
    # ipAllocationPolicy refers to (servicesSecondaryRangeName and
    # clusterSecondaryRangeName).
    secondaryIpRange:
      - rangeName: servicesrange
        ipCidrRange: 10.3.0.0/16
      - rangeName: clusterrange
        ipCidrRange: 10.4.0.0/16
  ---
  apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
  kind: PubSubTopic
  metadata:
    name: containercluster-dep-vpcnative