Create Standard clusters and node pools with Arm nodes

Standard

This page explains how to create a GKE Standard cluster or node pool with Arm nodes, so that you can run Arm workloads on Google Kubernetes Engine (GKE). To learn how to deploy Arm workloads on Autopilot clusters, see Deploy Autopilot workloads on Arm architecture.

You can create clusters with Arm nodes using the C4A machine series or Tau T2A machine series. To learn more about the benefits of Arm and choose the best machine series for your workloads, see Arm VMs on Compute.

With GKE, you can create a cluster that has node pools with one architecture type (for example, Arm), or multiple architecture types (for example, Arm and x86). When you run nodes with multiple architecture types, you can deploy workloads across architectures to the same cluster.

To learn more about using Arm nodes with your GKE clusters, see Arm workloads on GKE.

Before you begin

Before you start, make sure you have performed the following tasks:

Enable the Google Kubernetes Engine API.

Enable Google Kubernetes Engine API

If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.
Note: For existing gcloud CLI installations, make sure to set the compute/region and compute/zone properties. By setting default locations, you can avoid errors in gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location.

Review the requirements and limitations for C4A and T2A nodes.
Ensure that you have the correct permissions to create clusters. At minimum, you should be a Kubernetes Engine Cluster Admin.

Set up IAM service accounts for GKE

GKE uses IAM service accounts that are attached to your nodes to run system tasks like logging and monitoring. At a minimum, these node service accounts must have the Kubernetes Engine Default Node Service Account (roles/container.defaultNodeServiceAccount) role on your project. By default, GKE uses the Compute Engine default service account, which is automatically created in your project, as the node service account.

To grant the roles/container.defaultNodeServiceAccount role to the Compute Engine default service account, complete the following steps:

console

Go to the Welcome page:
Go to Welcome
In the Project number field, click Copy to clipboard.
Go to the IAM page:
Go to IAM
Click Grant access.
In the New principals field, specify the following value:
```
PROJECT_NUMBER-compute@developer.gserviceaccount.com
```
Replace PROJECT_NUMBER with the project number that you copied.
In the Select a role menu, select the Kubernetes Engine Default Node Service Account role.
Click Save.

gcloud

Find your Google Cloud project number:
```
gcloud projects describe PROJECT_ID \
    --format="value(projectNumber)"
```
Replace PROJECT_ID with your project ID.

The output is similar to the following:
```
12345678901
```

Grant the roles/container.defaultNodeServiceAccount role to the Compute Engine default service account:

gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
    --role="roles/container.defaultNodeServiceAccount"

Replace PROJECT_NUMBER with the project number from the previous step.

Create a cluster with an Arm node pool

The following instructions explain how to create a new cluster with a node pool running Arm nodes from the C4A machine series or Tau T2A machine series.

You can use the gcloud CLI, the Google Cloud console, or Terraform to create the cluster.

gcloud

Create a new zonal cluster with the default node pool using Arm nodes:

gcloud container clusters create CLUSTER_NAME \
    --zone ZONE  \
    --node-locations NODE_LOCATIONS \
    --machine-type ARM_MACHINE_TYPE \
    --num-nodes NUM_NODES

Replace the following:

CLUSTER_NAME: the name of your new cluster with an Arm node pool.
ZONE: the zone for your cluster, such as us-central1-a. The zone must be one of the available zones for the Arm machine series that you choose. To create a regional cluster, use the --region=REGION flag. The region must be one of the available regions for the Arm machine series that you choose.
NODE_LOCATIONS: the zone(s) for your node pool, such as us-central1-a. You must choose from the available zones for the Arm machine series or node pool creation might fail.
ARM_MACHINE_TYPE: one of the available C4A machine shapes or T2A machine shapes, such as c4a-standard-8 or t2a-standard-16.
NUM_NODES: the number of nodes for your Arm node pool.

We strongly recommend that you specify a minimally-privileged IAM service account that your nodes can use instead of the Compute Engine default service account. To learn how to create a minimally-privileged service account, see Use a least privilege service account.

To specify a custom service account in the gcloud CLI, add the following flag to your command:

--service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

Replace SERVICE_ACCOUNT_NAME with the name of your minimally-privileged service account.

If you want to set additional settings for your cluster, see the gcloud container clusters create reference for a complete list of available settings on cluster creation.

Console

Go to the Google Kubernetes Engine page in the Google Cloud console.

Go to Google Kubernetes Engine
Click Create.
Configure your cluster. For more information, see the instructions for Creating a zonal cluster, or Creating a regional cluster.
Choose a location where Arm nodes are available.
1. In the Cluster basics section, under Location type, choose Zonal or Regional:
2. In the drop-down menu, choose a zone or region where Arm nodes are available.
3. Check the box to Specify default node locations. Select zone(s) where Arm nodes are available.
To select an Arm machine type, in the Nodes subsection, under Configure node settings > Machine configuration > Machine family, select GENERAL-PURPOSE. In the Series drop-down menu, select C4A or T2A. In the Machine type drop-down menu, choose from the available options.
Optionally, specify a custom IAM service account for your nodes:
1. In the Advanced settings page, expand the Security section.
2. In the Service account menu, select your preferred service account.
We strongly recommend that you specify a minimally-privileged IAM service account that your nodes can use instead of the Compute Engine default service account. To learn how to create a minimally-privileged service account, see Use a least privilege service account.

Click Create.

Terraform

To create a zonal cluster with the default node pool using Arm nodes using Terraform, refer to the following example:

resource "google_container_cluster" "default" {
  name               = "gke-standard-zonal-arm-cluster"
  location           = "us-central1-a"
  node_locations     = ["us-central1-b", "us-central1-f"]
  initial_node_count = 2

  node_config {
    machine_type    = "t2a-standard-1"
    service_account = google_service_account.default.email
  }

  # Set `deletion_protection` to `true` will ensure that one cannot
  # accidentally delete this instance by use of Terraform.
  deletion_protection = false
}

To learn more about using Terraform, see Terraform support for GKE.

Add an Arm node pool to a GKE cluster

You can add a new node pool to a GKE Standard cluster using gcloud CLI, the Google Cloud console, or Terraform.

As a best practice for creating a GKE cluster using any types of nodes, we recommend that you create and use a minimally-privileged Identity and Access Management (IAM) service account for your node pools to use instead of the Compute Engine default service account. For instructions on creating a minimally-privileged service account, refer to Hardening your cluster's security.

gcloud

Add an Arm node pool to an existing cluster:

gcloud container node-pools create NODE_POOL_NAME \
    --cluster CLUSTER_NAME \
    --zone ZONE \
    --node-locations NODE_LOCATIONS \
    --machine-type ARM_MACHINE_TYPE \
    --num-nodes NUM_NODES \
    --service-account SERVICE_ACCOUNT

Replace the following:

NODE_POOL_NAME: the name of the new Arm node pool for your existing cluster.
ZONE: the zone of the existing cluster. For a regional cluster, use the --region=REGION flag with the region of the cluster.
CLUSTER_NAME: the name of the cluster where you want to add an Arm node pool.
NODE_LOCATIONS: the zone(s) for your node pool, such as us-central1-a. You must choose from the available zones for the Arm machine series or node pool creation might fail.
ARM_MACHINE_TYPE: one of the available C4A machine shapes or T2A machine shapes, such as c4a-standard-8 or t2a-standard-16.
NUM_NODES: the number of nodes for your Arm node pool.

To specify a custom service account in the gcloud CLI, add the following flag to your command:

--service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

Replace SERVICE_ACCOUNT_NAME with the name of your minimally-privileged service account.

If you want to set additional settings for your node pool, see the gcloud container node-pools create reference for a complete list of available settings on node pool creation.

Console

To add an Arm node pool to an existing cluster, perform the following steps:

Go to the Google Kubernetes Engine page in the Google Cloud console.

Go to Google Kubernetes Engine
In the cluster list, click the name of the cluster you want to modify.
Click Add node pool.
Configure your node pool.
Choose node locations where Arm nodes are available.
1. In the Node pool details section, check the Specify node locations box.
2. Select zone(s) where Arm nodes are available.
To select an Arm machine type, in the Nodes subsection, under Configure node settings > Machine configuration > Machine family, select GENERAL-PURPOSE. In the Series drop-down menu, select C4A or T2A. In the Machine type drop-down menu, choose from the available options.
In the navigation menu, click Security.
Optionally, specify a custom IAM service account for your nodes:
1. In the Advanced settings page, expand the Security section.
2. In the Service account menu, select your preferred service account.
We strongly recommend that you specify a minimally-privileged IAM service account that your nodes can use instead of the Compute Engine default service account. To learn how to create a minimally-privileged service account, see Use a least privilege service account.

Click Create to add the node pool.

Terraform

To add a node pool that uses Arm nodes to an existing cluster using Terraform, refer to the following example:

resource "google_container_node_pool" "default" {
  name           = "gke-standard-zonal-arm-node-pool"
  cluster        = google_container_cluster.default.id
  node_locations = ["us-central1-a"]
  node_count     = 1

  node_config {
    machine_type = "t2a-standard-1"

    service_account = google_service_account.default.email
  }
}

Replace google_container_cluster.default.id with the name of your cluster.

To learn more about using Terraform, see Terraform support for GKE.

Create Standard clusters and node pools with Arm nodes

Before you begin

Set up IAM service accounts for GKE

console

gcloud

Create a cluster with an Arm node pool

gcloud

Console

Terraform

Add an Arm node pool to a GKE cluster

gcloud

Console

Terraform

What's next