Create an Autopilot cluster

This page explains how to create a Google Kubernetes Engine (GKE) cluster in Autopilot mode. Autopilot is a GKE mode of operation that lets you focus on your services and applications, while GKE manages your nodes and infrastructure. When you deploy your workloads, GKE provisions, configures, and manages the resources and hardware, including when you scale.

Before you begin

Before you start, make sure that you have performed the following tasks:

  • Enable the Google Kubernetes Engine API.
    • Enable Google Kubernetes Engine API
  • If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.

Set up IAM service accounts for GKE

GKE uses IAM service accounts that are attached to your nodes to run system tasks like logging and monitoring. At a minimum, these node service accounts must have the Kubernetes Engine Default Node Service Account (roles/container.defaultNodeServiceAccount) role on your project. By default, GKE uses the Compute Engine default service account, which is automatically created in your project, as the node service account.

To grant the roles/container.defaultNodeServiceAccount role to the Compute Engine default service account, complete the following steps:

console

  1. Go to the Welcome page:

    Go to Welcome

  2. In the Project number field, click Copy to clipboard.
  3. Go to the IAM page:

    Go to IAM

  4. Click Grant access.
  5. In the New principals field, specify the following value: 
    PROJECT_NUMBER-compute@developer.gserviceaccount.com
     Replace PROJECT_NUMBER with the project number that you copied.
  6. In the Select a role menu, select the Kubernetes Engine Default Node Service Account role.
  7. Click Save.

gcloud

  1. Find your Google Cloud project number: 
    gcloud projects describe PROJECT_ID \
    --format="value(projectNumber)"

    Replace PROJECT_ID with your project ID.

    The output is similar to the following:

    12345678901
  2. Grant the roles/container.defaultNodeServiceAccount role to the Compute Engine default service account: 
    gcloud projects add-iam-policy-binding PROJECT_ID \
    --member="serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
    --role="roles/container.defaultNodeServiceAccount"

    Replace PROJECT_NUMBER with the project number from the previous step.

Create an Autopilot cluster

The minimum information that you need to specify when creating a new Autopilot cluster is a name, project (usually the current project), and region (usually the default region for command line tools). However, there are many more possible configuration settings, some of which can't be changed after cluster creation. Ensure that you understand which settings can't be changed after cluster creation, and that you choose the right setting when creating a cluster if you don't want to have to create it again.

You can see an overview of cluster configuration options in About cluster configuration choices, and a complete list of possible options in the gcloud container clusters create-auto and Terraform google_container_cluster reference guides.

You can create an Autopilot cluster by using the Google Cloud CLI, the Google Cloud console, or by using Terraform:

gcloud

Run the following command:

gcloud container clusters create-auto CLUSTER_NAME \
    --location=LOCATION \
    --project=PROJECT_ID

Replace the following:

  • CLUSTER_NAME: the name of your new Autopilot cluster.
  • LOCATION: the region for your cluster.
  • PROJECT_ID: your project ID.

We strongly recommend that you specify a minimally-privileged IAM service account that your nodes can use instead of the Compute Engine default service account. To learn how to create a minimally-privileged service account, see Use a least privilege service account.

To specify a custom service account in the gcloud CLI, add the following flag to your command:

--service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com

Replace SERVICE_ACCOUNT_NAME with the name of your minimally-privileged service account.

For a list of other options that you can specify, see the gcloud container clusters create-auto reference documentation.

Console

Perform the following tasks:

  1. In the Google Cloud console, go to the Create an Autopilot cluster page.

    Go to Create an Autopilot cluster

  2. In the Cluster basics section, complete the following:

  3. Enter the Name for your cluster.

  4. Select a region for your cluster.

    1. Optional (available with GKE Enterprise): If you want to register your new cluster to a fleet, go to the Fleet registration section, and follow the Google Cloud console instructions for Create and register a new cluster to complete your cluster registration.

  5. For the Networking section, refer to Customize your network isolation for configuration instructions.

  6. Optionally, specify a custom IAM service account for your nodes:
    1. In the Advanced settings page, expand the Security section.
    2. In the Service account menu, select your preferred service account.

    We strongly recommend that you specify a minimally-privileged IAM service account that your nodes can use instead of the Compute Engine default service account. To learn how to create a minimally-privileged service account, see Use a least privilege service account.

  7. Optionally, configure other settings such as maintenance windows and advanced security features.

  8. Click Create.

Terraform

To create an Autopilot cluster using Terraform, refer to the following example:

resource "google_container_cluster" "default" {
  name     = "gke-autopilot-basic"
  location = "us-central1"

  enable_autopilot = true
}

To learn more about using Terraform, see Terraform support for GKE.

Create an Autopilot cluster with a specific release channel and version

By default, GKE enrolls new Autopilot clusters in the Regular release channel, with the default GKE version in the channel. You can change the release channel when you create an Autopilot cluster using the gcloud CLI, the Google Cloud console, or by using Terraform.

You can also set a specific GKE version when you create a cluster using the gcloud CLI. Setting the cluster version is only useful if you have a specific version requirement. To set the cluster version, specify the --cluster-version flag in the gcloud container clusters create-auto command. The version that you specify must be an available GKE version.

The following instructions for setting the release channel and version are optional. Unless you require a specific GKE version, we recommend that you keep the default release channel setting.

gcloud

Run the following command:

gcloud container clusters create-auto CLUSTER_NAME \
    --location=LOCATION \
    --release-channel=RELEASE_CHANNEL

Replace RELEASE_CHANNEL with the name of the release channel for the cluster. The default is Regular.

Optionally, specify --cluster-version=CLUSTER_VERSION, replacing CLUSTER_VERSION with the GKE version for the cluster, like 1.29.4-gke.1043002. The version that you specify applies until a newer version becomes the default in your release channel. GKE then automatically upgrades your cluster to the new default version. If you omit this flag, GKE sets the version to the release channel's default version.

To check the available versions, refer to What versions are available in a channel?. You can run any minor version in your selected channel or choose a subset of patch versions from other channels.

Console

To set the release channel when you create an Autopilot cluster, do the following:

  1. In the Google Cloud console, go to the Create an Autopilot cluster page.

    Go to Create an Autopilot cluster

  2. In the Cluster basics section, complete the following:

    1. Specify a Name.
    2. Select a Region.

  3. In the Advanced settings section, choose a release channel.

  4. Optionally, configure other settings for your new cluster.

  5. Click Create.

Terraform

To set the release channel and the cluster version when you create an Autopilot cluster using Terraform, refer to the following example:

resource "google_container_cluster" "default" {
  name     = "gke-autopilot-release-channel"
  location = "us-central1"

  enable_autopilot = true

  release_channel {
    channel = "REGULAR"
  }
}

To learn more about using Terraform, see Terraform support for GKE.

You can also change the release channel and GKE version for existing clusters. For instructions, refer to Manually upgrading a control plane and to Selecting a new release channel.

Connect to the cluster

gcloud

gcloud container clusters get-credentials CLUSTER_NAME \
    --location=LOCATION \
    --project=PROJECT_ID

This command configures kubectl to use the cluster you created.

Console

  1. In the cluster list, beside the cluster that you want to connect to, click Actions, and then click Connect.

  2. Click Run in Cloud Shell when prompted. The generated command is copied into your Cloud Shell, for example:

    gcloud container clusters get-credentials autopilot-cluster --location=us-central1 --project=autopilot-test

  3. Press Enter to run the command.

Verify the cluster mode

You can verify that your cluster is an Autopilot cluster by using the gcloud CLI or the Google Cloud console.

gcloud

To verify that your cluster is created in Autopilot mode, run the following command:

gcloud container clusters describe CLUSTER_NAME \
    --location=LOCATION

The output contains the following:

autopilot:
  enabled: true

Console

To verify that your cluster is created in Autopilot mode, do the following:

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.

    Go to Google Kubernetes Engine

  2. Find your cluster in the cluster list. Under Mode, it should say Autopilot.

What's next