In Google Kubernetes Engine, you manage a cluster's configuration and characteristics
using Google Cloud tools and APIs, including the
gcloud command-line tool and the
Google Cloud Console. These tasks include creating, updating, and
deleting clusters, adding or removing nodes, and controlling who can access the
cluster using Identity and Access Management.
To control the cluster's internal behavior, you use the Kubernetes API and the
kubectl command-line interface. You can also configure many aspects of a
cluster's behavior using the Google Cloud Console.
Basic cluster administration
Basic cluster administration tasks are specific to GKE
clusters on Google Cloud Platform and typically do not involve the Kubernetes
system itself; you perform these tasks entirely by using the
Cloud Console, the
gcloud command-line tool, or the
Cluster and node upgrades
By default, clusters and node pools are upgraded automatically. You can learn more about configuring how upgrades work on each cluster, including when they can and cannot occur.
Cluster-level configuration tasks include creating and deleting GKE clusters and nodes. You can control when cluster maintenance tasks can occur, configure cluster-level autoscaling, and enable or disable logging and monitoring for your cluster.
GKE offers a range of options for your
cluster's nodes. For example, you can create one or more node pools; node
pools are groups of nodes within your cluster that share a common configuration.
Your cluster must have at least one node pool, and a node pool called
is created when you create the cluster.
For Standard clusters, you can set other node options on a per-pool basis, including:
- Automatic repairs: enforced on Autopilot clusters
- Spot VMs (Preview)
- Local SSDs
- Minimum CPU platform
Configuring cluster networking
Another aspect of cluster administration is to enable and control various
networking features for your cluster. Most networking features are set at
cluster creation: when you create a cluster using a GCP interface, you must
enable the networking features that you want to use. Some of these features
might require further configuration using Kubernetes interfaces, such as the
kubectl command-line interface.
For example, to enable network policy enforcement on your GKE cluster, you must first enable the feature using the Cloud Console or the gcloud command-line tool. Then, you specify the actual network policy rules using the Kubernetes network policy API or the kubectl command-line interface. For Autopilot clusters, network policy is turned off by default, but you can enable this feature.
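The two-step split described above, as an added example that is not part of the GKE documentation: the Google Cloud step enables enforcement on an existing Standard cluster with gcloud, and the Kubernetes step applies a default-deny ingress NetworkPolicy with kubectl. The cluster name, zone and namespace are placeholder values, and the script only prints the commands unless DRY_RUN is set to 0.

```shell
#!/usr/bin/env bash
# Added example (not from the GKE docs). CLUSTER, ZONE and NAMESPACE are
# placeholders; with DRY_RUN=1 (the default) commands are printed, not executed.
set -eu

CLUSTER="${CLUSTER:-example-cluster}"   # placeholder cluster name
ZONE="${ZONE:-us-central1-a}"           # placeholder zone
NAMESPACE="${NAMESPACE:-default}"
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "+ $*"
  else
    "$@"
  fi
}

# Step 1 (Google Cloud interface): enable the NetworkPolicy add-on on the
# control plane, then enable enforcement on the nodes. Both are
# 'gcloud container clusters update' calls against an existing Standard cluster.
enable_network_policy() {
  run gcloud container clusters update "$CLUSTER" --zone "$ZONE" \
    --update-addons=NetworkPolicy=ENABLED
  run gcloud container clusters update "$CLUSTER" --zone "$ZONE" \
    --enable-network-policy
}

# Step 2 (Kubernetes interface): the rules themselves. An empty podSelector
# matches every pod in the namespace, and listing Ingress with no ingress
# rules denies all inbound traffic; later policies open only what is needed.
default_deny_ingress_manifest() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: ${NAMESPACE}
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

apply_default_deny() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "+ kubectl apply -f - <<manifest"; default_deny_ingress_manifest
  else
    default_deny_ingress_manifest | kubectl apply -f -
  fi
}
```

Run `enable_network_policy` and then `apply_default_deny`; until enforcement is enabled in step 1, a NetworkPolicy object is accepted by the API server but not enforced on the nodes.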
See the following guide for information on the specifics of enabling networking features on GKE clusters:
Configuring cluster security
GKE contains a mix of Google Cloud-specific and Kubernetes security features that you can use with your cluster. You can manage Google Cloud-level security, such as Identity and Access Management (IAM), via Google Cloud interfaces like the Cloud Console. You manage intra-cluster security features, such as role-based access control, using Kubernetes APIs and other interfaces.
The following security features are specific to Google Cloud:
Intra-cluster Kubernetes security features you can use on GKE include: