This page shows you how to dynamically apply network tags to nodes in your Google Kubernetes Engine (GKE) Autopilot and Standard clusters without disrupting running workloads.
Overview
Network tags are metadata on Compute Engine virtual machines (VMs) that allow you to make firewall rules and routes applicable to specific VM instances. In GKE, you can use network tags to make firewall rules or routes applicable to the nodes in your cluster.
You can use the GKE API to apply and update network tags on your Autopilot and Standard clusters without disrupting running workloads. Network tags that you specify are also applied to any new nodes that Autopilot provisions, and to new node pools that node auto-provisioning provisions in your Standard clusters.
Command-line options for applying network tags
The following table describes the flags that you can specify using the Google Cloud CLI to apply network tags to your clusters, as well as their use cases.
| Flag | Mode of operation | Level | Description |
|---|---|---|---|
--autoprovisioning-network-tags |
|
Cluster |
Applies the specified network tags to all Autopilot nodes and all auto-provisioned Standard node pools. |
--tags |
|
Node pool | Manually applies network tags to specific Standard node pools. |
Requirements
Your clusters must run GKE version 1.23.2-gke.300 or later to
apply network tags to Autopilot clusters or to auto-provisioned
Standard node pools using --autoprovisioning-network-tags.
Limitations
Using --autoprovisioning-network-tags prevents you from using --tags to update
the network tags for auto-provisioned Standard node pools.
We recommend that you use --autoprovisioning-network-tags for auto-provisioned
node pools, and that you use --tags only for manually-created node pools.
Before you begin
Before you start, make sure you have performed the following tasks:
- Enable the Google Kubernetes Engine API. Enable Google Kubernetes Engine API
- If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI.
Add network tags to new clusters
You can add network tags when you create a new Autopilot cluster or a new Standard cluster. For Standard, you can also specify network tags specifically for node auto-provisioning to use.
Autopilot
Run the following command:
gcloud container clusters create-auto CLUSTER_NAME \
--region=COMPUTE_REGION \
--autoprovisioning-network-tags=TAG1,TAG2,...
Replace the following:
CLUSTER_NAME: the name of your new Autopilot cluster.COMPUTE_REGION: the Compute Engine region for your new cluster.TAG1,TAG2, ...: a comma-separated list of the network tags you want to apply.
Standard
Apply network tags to the default node pool
Run the following command to create a new Standard cluster and apply network tags to the default node pool:
gcloud container clusters create CLUSTER_NAME \
--region=COMPUTE_REGION \
--tags=NETWORK_TAG1,NETWORK_TAG2,...
Replace the following:
CLUSTER_NAME: the name of your new Standard cluster.COMPUTE_REGION: the Compute Engine region for your new cluster.NETWORK_TAG1,NETWORK_TAG2, ...: a comma-separated list of the network tags that you want to apply.
Apply network tags to auto-provisioned node pools
You can automatically apply network tags to all node pools that are created by node auto-provisioning.
Run the following command:
gcloud container clusters create CLUSTER_NAME \
--region=COMPUTE_REGION \
--enable-autoprovisioning \
--autoprovisioning-network-tags=TAG1,TAG2,...
Replace TAG1,TAG2,... with a comma-separated
list of network tags that you want applied to all autoprovisioned node pools.
Update network tags on existing clusters
You can update the network tags on existing Autopilot and Standard clusters.
Autopilot
Run the following command:
gcloud container clusters update CLUSTER_NAME \
--autoprovisioning-network-tags=TAG1,TAG2,...
Standard
Update network tags on specific node pools
Run the following command to update the network tags on a specific Standard
node pool. You cannot use this command to update auto-provisioned node pools
if you used --autoprovisioning-network-tags.
gcloud container node-pools update NODE_POOL_NAME \
--cluster=CLUSTER_NAME \
--tags=NETWORK_TAG1,NETWORK_TAG2,...
If --autoprovisioning-network-tags is set for the cluster, this command
returns an error.
Update network tags for auto-provisioned node pools
You can update the network tags that node auto-provisioning applies to new and existing auto-provisioned node pools.
Run the following command:
gcloud container clusters update CLUSTER_NAME \
--autoprovisioning-network-tags=TAG1,TAG2,...
Add network tags to new Standard node pools
To create a new node pool in a Standard clusters with specific network tags, run the following command:
gcloud container node-pools create NODE_POOL_NAME \
--cluster=CLUSTER_NAME \
--tags=NETWORK_TAG1,NETWORK_TAG2,...
Replace NODE_POOL_NAME with the name of the new node
pool.
Remove network tags from clusters and node pools
You can remove the network tags from GKE Autopilot and Standard clusters.
Autopilot
Run the following command:
gcloud container clusters update CLUSTER_NAME \
--autoprovisioning-network-tags=""
Standard
Remove network tags from auto-provisioned node pools
To remove network tags from all auto-provisioned node pools, run the following command:
gcloud container clusters update CLUSTER_NAME \
--autoprovisioning-network-tags=""
This command also restores your ability to use the --tags option to manually
specify network tags for auto-provisioned node pools.
Remove network tags from specific node pools
To remove network tags from specific node pools, run the following command:
gcloud container node-pools update NODE_POOL_NAME \
--cluster=CLUSTER_NAME \
--tags=""