Cluster administration overview

In Google Kubernetes Engine, you configure a cluster's configuration and characteristics using Google Cloud tools and APIs, including the gcloud command-line tool and the Google Cloud Console. These tasks include creating, updating, and deleting clusters, adding or removing nodes, and controlling who can access the cluster using Cloud Identity and Access Management.

To control the cluster's internal behavior, you use the Kubernetes API and the kubectl command-line interface. You can also configure many aspects of a cluster's behavior using the Google Cloud Console.

Basic cluster administration

Basic cluster administration tasks are specific to GKE clusters on Google Cloud Platform and typically do not involve the Kubernetes system itself; you perform these tasks entirely by using the Cloud Console, the gcloud command-line interface, or the GKE API.

Cluster and node upgrades

By default, clusters and node pools are upgraded automatically. You can learn more about configuring how upgrades work on each cluster, including when they can and cannot occur.

Cluster-level configuration

Cluster-level configuration tasks include creating and deleting GKE clusters and nodes. You can control when cluster maintenance tasks can occur, configure cluster-level autoscaling, and enable or disable logging and monitoring for your cluster.

Node configuration

GKE offers a range of options for your cluster's nodes. For example, you can create one or more node pools; node pools are groups of nodes within your cluster that share a common configuration. Your cluster must have at least one node pool, and a node pool called default is created when you create the cluster.

You can set other node options on a per-pool basis, including:

• Automatic repairs
• Preemptible VMs
• Local SSDs
• Minimum CPU platform

Configuring cluster networking

Another aspect of cluster administration is to enable and control various networking features for your cluster. Most networking features are set at cluster creation: when you create a cluster using a GCP interface, you must enable the networking features that you want to use. Some of these features might require further configuration using Kubernetes interfaces, such as the kubectl command-line interface.

For example, to enable network policy enforcement on your GKE cluster, you must first enable the feature using Cloud Console or gcloud command-line tool. Then, you specify the actual network policy rules using the Kubernetes network policy API or kubectl command-line interface.

See the following guide for information on the specifics of enabling networking features on GKE clusters:

• Internal load balancing
• Alias IPs
• IP masquerade agent
• Network policy

Configuring cluster security

GKE contains a mix of Google Cloud-specific and Kubernetes security features that you can use with your cluster. You can manage Google Cloud-level security, such as Cloud Identity and Access Management (Cloud IAM), via Google Cloud interfaces like the Cloud Console. You manage intra-cluster security features, such as role-based access control, using Kubernetes APIs and other interfaces.

The following security features are specific to Google Cloud:

• Cloud IAM
• IP rotation
• Master authorized networks

Intra-cluster Kubernetes security features you can use on GKE include:

• Role-based access control