A cluster is the foundation of Google Kubernetes Engine (GKE): the Kubernetes objects that represent your containerized applications all run on top of a cluster.
The following diagram provides an overview of the architecture for a zonal cluster in GKE:
The control plane runs the control plane processes, including the Kubernetes API server, scheduler, and core resource controllers. The lifecycle of the control plane is managed by GKE when you create or delete a cluster. This includes upgrades to the Kubernetes version running on the control plane, which GKE performs automatically, or manually at your request if you prefer to upgrade earlier than the automatic schedule.
Control plane and the Kubernetes API
The control plane is the unified endpoint for your cluster. You interact
with the cluster through Kubernetes API calls, and the control plane runs
the Kubernetes API Server process to handle those requests. You can make
Kubernetes API calls directly via HTTP/gRPC, or indirectly, by running commands
from the Kubernetes command-line client (
kubectl) or by interacting with the UI
in the Cloud Console.
The API server process is the hub for all communication for the cluster. All internal cluster processes (such as the cluster nodes, system and components, application controllers) act as clients of the API server; the API server is the single "source of truth" for the entire cluster.
Control plane and node interaction
The control plane decides what runs on all of the cluster's nodes. The control plane schedules workloads, like containerized applications, and manages the workloads' lifecycle, scaling, and upgrades. The control plane also manages network and storage resources for those workloads.
The control plane and nodes communicate using Kubernetes APIs.
Control plane interactions with Artifact Registry and Container Registry
When you create or update a cluster, container images for the Kubernetes
software running on the control plane (and nodes) are pulled from the
Artifact Registry or the
gcr.io Container Registry. An outage affecting these
registries might cause the following types of failures:
- Creating new clusters fail during the outage.
- Upgrading clusters fail during the outage.
- Disruptions to workloads might occur even without user intervention, depending on the specific nature and duration of the outage.
In the event of a regional outage of the
pkg.dev Artifact Registry or the
Container Registry, Google might redirect requests to a zone or region not affected
by the outage.
To check the current status of Google Cloud services, go to the Google Cloud status dashboard.
A cluster typically has one or more nodes, which are the worker machines that run your containerized applications and other workloads. The individual machines are Compute Engine VM instances that GKE creates on your behalf when you create a cluster.
Each node is managed from the control plane, which receives updates on each node's self-reported status. You can exercise some manual control over node lifecycle, or you can have GKE perform automatic repairs and automatic upgrades on your cluster's nodes.
A node runs the services necessary to support the containers that make up
your cluster's workloads. These include the runtime and the Kubernetes
node agent (
kubelet), which communicates with the control plane and is
responsible for starting and running containers scheduled on the node.
In GKE, there are also a number of special containers that run as per-node agents to provide functionality such as log collection and intra-cluster network connectivity.
Node machine type
Node OS images
Each node runs a specialized OS image for running your containers. You can specify which OS image your clusters and node pools use.
Minimum CPU platform
When you create a cluster or node pool, you can specify a baseline minimum CPU platform for its nodes. Choosing a specific CPU platform can be advantageous for advanced or compute-intensive workloads. For more information, refer to Minimum CPU Platform.
Node allocatable resources
Some of a node's resources are required to run the GKE and Kubernetes node components necessary to make that node function as part of your cluster. For this reason, you might notice a disparity between your node's total resources (as specified in the machine type documentation) and the node's allocatable resources in GKE.
Because larger machine types tend to run more containers (and by extension, more Pods), the amount of resources that GKE reserves for Kubernetes components scales upward for larger machines. Windows Server nodes also require more resources than a typical Linux node. The nodes need the extra resources to account for running the Windows OS and for the Windows Server components that can't run in containers.
You can request resources for your Pods or limit their resource usage. To learn how to request or limit resource usage for Pods, refer to Managing Resources for Containers.
To inspect the node-allocatable resources available in a cluster, run the
following command, replacing
NODE_NAME with the name
of the node you want to inspect:
kubectl describe node NODE_NAME | grep Allocatable -B 7 -A 6
The returned output contains
Allocatable fields with
measurements for ephemeral storage, memory, and CPU.
To determine how much memory is available for Pods, you must also consider the eviction threshold. GKE reserves an additional 100 MiB of memory on each node for kubelet eviction.
Allocatable memory and CPU resources
Allocatable resources are calculated in the following way:
ALLOCATABLE = CAPACITY - RESERVED - EVICTION-THRESHOLD
For memory resources, GKE reserves the following:
- 255 MiB of memory for machines with less than 1 GiB of memory
- 25% of the first 4 GiB of memory
- 20% of the next 4 GiB of memory (up to 8 GiB)
- 10% of the next 8 GiB of memory (up to 16 GiB)
- 6% of the next 112 GiB of memory (up to 128 GiB)
- 2% of any memory above 128 GiB
For CPU resources, GKE reserves the following:
- 6% of the first core
- 1% of the next core (up to 2 cores)
- 0.5% of the next 2 cores (up to 4 cores)
- 0.25% of any cores above 4 cores
Allocatable local ephemeral storage resources
Beginning in GKE version 1.10, you can manage your local ephemeral storage resources as you do your CPU and memory resources. To learn how to make your Pods specify ephemeral storage requests and limits and to see how they are acted on, see Local ephemeral storage in the Kubernetes documentation.
GKE typically configures its nodes with a single file system and periodic scanning. Ephemeral storage can also be backed by local SSDs. In either case, a portion of the file system is reserved for kubelet use. The remaining portion, called allocatable local ephemeral storage, is available for use as ephemeral storage resources.
The amount of the file system reserved for kubelet and other system components is given by:
EVICTION-THRESHOLD + SYSTEM-RESERVATION
Ephemeral storage backed by boot disk
By default, ephemeral storage is backed by the node boot disk. In this case, the eviction threshold and system reservation size are given by the following formulas:
EVICTION-THRESHOLD = 10% * BOOT-DISK-CAPACITY
SYSTEM-RESERVATION = Min(50% *
BOOT-DISK-CAPACITY, 6GB + 35% * BOOT-DISK-CAPACITY, 100 GB)
For an approximate representation of the amount of allocatable ephemeral storage available as boot disk capacity increases, see the following graph:
Ephemeral storage backed by local SSDs
The system reserved space depends on the number of local SSDs:
|Number of local SSDs||
|3 or more||100|
The eviction threshold is similar to ephemeral storage backed by the boot disk:
EVICTION-THRESHOLD = 10% * NUM-LOCAL-SSDS * 375 GB
The capacity of each local SSD is 375 GB. To learn more, see the Compute Engine documentation on Adding Local SSDs.