Creating an Autopilot cluster


This page explains how to create a Google Kubernetes Engine (GKE) cluster in Autopilot mode. The Autopilot mode of operation is a hands-off Kubernetes experience that lets you focus on your services and applications, while Google takes care of node management and infrastructure. You can schedule your Pods without having to plan your node usage. After you create an Autopilot cluster, you can deploy your workload and scale your application as needed. GKE provisions, configures, and manages the resources and hardware to run your workload.

Before you begin

Before you start, make sure you have performed the following tasks:

  • Ensure that you have enabled the Google Kubernetes Engine API.
  • Ensure that you have installed the Google Cloud CLI.
  • Set up default Google Cloud CLI settings for your project by using one of the following methods:
    • Use gcloud init, if you want to be walked through setting project defaults.
    • Use gcloud config, to individually set your project ID, zone, and region.

    gcloud init

    1. Run gcloud init and follow the directions:

      gcloud init

      If you are using SSH on a remote server, use the --console-only flag to prevent the command from launching a browser:

      gcloud init --console-only
    2. Follow the instructions to authorize the gcloud CLI to use your Google Cloud account.
    3. Create a new configuration or select an existing one.
    4. Choose a Google Cloud project.
    5. Choose a default Compute Engine zone.
    6. Choose a default Compute Engine region.

    gcloud config

    1. Set your default project ID:
      gcloud config set project PROJECT_ID
    2. Set your default Compute Engine region (for example, us-central1):
      gcloud config set compute/region COMPUTE_REGION
    3. Set your default Compute Engine zone (for example, us-central1-c):
      gcloud config set compute/zone COMPUTE_ZONE
    4. Update gcloud to the latest version:
      gcloud components update

    By setting default locations, you avoid gcloud CLI errors like the following: One of [--zone, --region] must be supplied: Please specify location.

Create an Autopilot cluster

You can create an Autopilot cluster by using the Google Cloud CLI or the Google Cloud console.

gcloud

To create a public Autopilot cluster using the Google Cloud CLI, run the following command:

gcloud container clusters create-auto CLUSTER_NAME \
    --region REGION \
    --project=PROJECT_ID 

Replace the following:

  • CLUSTER_NAME: the name of your new Autopilot cluster.
  • REGION: the region for your cluster, such as us-central1.
  • PROJECT_ID: your project ID.

You can optionally use the --service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com flag to specify a different IAM service account for nodes to use instead of the Compute Engine default service account. This flag is optional, but we strongly recommend that you create and use a service account with minimal privileges so that your nodes don't have more privileges than they require.

For a list of options that you can specify, see the gcloud container clusters create-auto reference documentation.
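The least-privilege recommendation above, as an added shell example that is not code from the GKE documentation or from Google: it creates a dedicated node service account, grants it only the roles nodes need for logging, monitoring and image pulls, and passes it to create-auto. It also adds --enable-private-nodes, which the page's public-cluster command does not use. The project, region, cluster and service-account names, and the role list (drawn from common GKE hardening guidance; trim it if, for example, your images do not come from Artifact Registry) are assumptions. Setting GCLOUD=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the GKE documentation page: create a least-privilege
# node service account and an Autopilot cluster that uses it.
# GCLOUD can be overridden (e.g. GCLOUD=echo) to dry-run every command.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# Roles a GKE node service account needs for logs, metrics and image pulls.
# This list is an assumption based on GKE hardening guidance; adjust to need.
NODE_SA_ROLES="roles/logging.logWriter roles/monitoring.metricWriter \
roles/monitoring.viewer roles/stackdriver.resourceMetadata.writer \
roles/artifactregistry.reader"

# create_node_sa PROJECT_ID SA_NAME
# Creates the service account and binds only NODE_SA_ROLES to it.
# gcloud output goes to stderr so stdout carries just the SA email.
create_node_sa() {
  project="$1"; sa_name="$2"
  sa_email="${sa_name}@${project}.iam.gserviceaccount.com"
  "$GCLOUD" iam service-accounts create "$sa_name" \
      --project="$project" \
      --display-name="GKE Autopilot node SA (least privilege)" >&2
  for role in $NODE_SA_ROLES; do
    "$GCLOUD" projects add-iam-policy-binding "$project" \
        --member="serviceAccount:${sa_email}" \
        --role="$role" \
        --condition=None >&2
  done
  printf '%s\n' "$sa_email"
}

# create_autopilot_cluster PROJECT_ID REGION CLUSTER_NAME NODE_SA_EMAIL
# Nodes run as the custom SA instead of the Compute Engine default one, and
# get no external IPs (egress then needs Cloud NAT, as the page describes).
create_autopilot_cluster() {
  project="$1"; region="$2"; cluster="$3"; node_sa="$4"
  "$GCLOUD" container clusters create-auto "$cluster" \
      --region="$region" \
      --project="$project" \
      --service-account="$node_sa" \
      --enable-private-nodes
}

main() {
  project="${PROJECT_ID:?set PROJECT_ID}"
  region="${REGION:-us-central1}"                 # assumed default
  cluster="${CLUSTER_NAME:-autopilot-cluster}"    # assumed default
  sa_name="${NODE_SA_NAME:-gke-autopilot-nodes}"  # assumed default
  node_sa=$(create_node_sa "$project" "$sa_name")
  create_autopilot_cluster "$project" "$region" "$cluster" "$node_sa"
}

# Runs only when invoked as: PROJECT_ID=my-proj ./create-autopilot.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it once with GCLOUD=echo to review the exact commands before applying; the IAM bindings are the part worth reading closely, because whatever is granted here is what every Pod on the node can reach through the node's credentials unless Workload Identity is in use.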

Console

To create an Autopilot cluster with the Google Cloud console, perform the following tasks:

  1. Go to the Google Kubernetes Engine page in the Google Cloud console.


  2. Click Create.

  3. In the Autopilot section, click Configure.

  4. Enter the Name for your cluster.

  5. Select a region for your cluster.

  6. Choose a public or private cluster.

  7. (Optional) Expand Networking Options to specify network settings:

    1. If you choose a private cluster:
      1. To create a control plane that is accessible from authorized external IP addresses, select the Access control plane using its external IP address checkbox. Clear this checkbox to disable public endpoint access.
      2. (Optional) Set the Control plane IP range, for example 172.16.0.0/28.
    2. If you want to create a cluster with limited access to the public endpoint, select the Enable control plane authorized networks checkbox.
      1. Click Add Authorized Network to grant access to a specific set of addresses that you designate.
      2. For Name, enter the desired name for the network.
      3. For Network, enter a CIDR range that you want to grant allowed access to your cluster control plane.
      4. Click Done. Add additional authorized networks as needed.
    3. Enter a Network and Node subnet, or accept the default setting. This option generates a subnet for your cluster.
    4. In the Pod address range field, enter a pod range, mask, or accept the defaults (example: 10.0.0.0/14).
    5. In the Service address range field, enter a service range and mask, or accept the defaults (example: 10.4.0.0/19).
  8. (Optional) Expand Advanced options to specify more settings:

    1. Select a release channel for the control plane.
    2. Click Enable Maintenance Window to control when automatic cluster maintenance occurs on your clusters.
      1. Click Add maintenance exclusion. For weekly maintenance, select the start time and length, and then select the days of the week on which the maintenance window occurs. Switch to the custom editor to edit the rule directly.
    3. In the Metadata field, enter a description of your cluster.
    4. Click Add label to add key-value pairs to help organize your clusters.
  9. Click Create.

Enabling outbound internet access on private clusters with Cloud NAT

By default, Autopilot clusters are public. If you created a private Autopilot cluster, its nodes do not have external IP addresses. To make outbound internet connections from your cluster, for example to pull images from Docker Hub, you must configure Cloud NAT. Cloud NAT lets private clusters send outbound packets to the internet and receive the corresponding established inbound response packets. Perform the following tasks to create a NAT configuration on a Cloud Router.

gcloud

To NAT your cluster using the Google Cloud CLI, run the following commands:

  1. Create a Cloud Router:

    gcloud compute routers create NAT_ROUTER \
        --network NETWORK \
        --region REGION \
        --project=PROJECT_ID
    

    Replace the following:

    • NAT_ROUTER: the name of your Cloud Router.
    • NETWORK: the network name that you want to create the Cloud Router for. For example, if you want to NAT your default network, use the default network name when creating the router.
    • REGION: the region for your cluster, such as us-central1.
    • PROJECT_ID: your project ID.
  2. Add a configuration to the router. This configuration allows all instances in the region to use Cloud NAT for all primary and alias IP ranges. It also automatically allocates the external IP addresses for the NAT gateway. For more options, see the Google Cloud CLI documentation:

    gcloud compute routers nats create NAT_CONFIG \
        --region REGION \
        --router NAT_ROUTER \
        --nat-all-subnet-ip-ranges \
        --auto-allocate-nat-external-ips \
        --project=PROJECT_ID
    

    Replace the following:

    • NAT_CONFIG: the name of your NAT configuration.
    • REGION: the region for your cluster, such as us-central1.
    • NAT_ROUTER: the name of your Cloud Router.
    • PROJECT_ID: your project ID.
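A scripted version of the two gcloud steps above, added here as an example and not code from the page or from Google. It differs from the page's command in two ways: it translates only the cluster's subnet and its Pod secondary range (--nat-custom-subnet-ip-ranges) rather than every subnet in the region, so other workloads in the region do not silently gain internet egress, and it turns on NAT logging so outbound connections from the cluster show up in Cloud Logging. The project, region, network, router, NAT configuration, subnet and secondary range names are assumptions, and GCLOUD=echo dry-runs the commands.

```shell
#!/bin/sh
# Added example, not from the GKE documentation page: give a private Autopilot
# cluster internet egress through Cloud NAT, scoped to the cluster subnet and
# with translation logging enabled.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# create_nat_router PROJECT_ID REGION NETWORK NAT_ROUTER
# Same as the page's first step: a Cloud Router in the cluster's region.
create_nat_router() {
  "$GCLOUD" compute routers create "$4" --network="$3" --region="$2" --project="$1"
}

# create_nat_config PROJECT_ID REGION NAT_ROUTER NAT_CONFIG SUBNET POD_RANGE_NAME
# Only SUBNET's primary range (nodes) and its named secondary range (Pods) are
# translated; Pod traffic leaves from alias IPs, so the secondary range must be
# listed or Pods get no NAT. Logging with --log-filter=ALL records every
# translation, which is what you want when auditing what a cluster talks to.
create_nat_config() {
  "$GCLOUD" compute routers nats create "$4" \
      --router="$3" --region="$2" --project="$1" \
      --nat-custom-subnet-ip-ranges="$5,$5:$6" \
      --auto-allocate-nat-external-ips \
      --enable-logging --log-filter=ALL
}

main() {
  project="${PROJECT_ID:?set PROJECT_ID}"
  region="${REGION:-us-central1}"              # assumed default
  router="${NAT_ROUTER:-nat-router}"           # assumed default
  create_nat_router "$project" "$region" "${NETWORK:-default}" "$router"
  create_nat_config "$project" "$region" "$router" "${NAT_CONFIG:-nat-config}" \
      "${CLUSTER_SUBNET:?set CLUSTER_SUBNET}" "${POD_RANGE_NAME:?set POD_RANGE_NAME}"
}

# Runs only when invoked as: PROJECT_ID=my-proj CLUSTER_SUBNET=... POD_RANGE_NAME=... ./nat.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

If you do want the page's broader behaviour (every subnet in the region), swap the --nat-custom-subnet-ip-ranges line for --nat-all-subnet-ip-ranges; the logging flags are independent of that choice.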

Console

  1. Go to the Cloud NAT page on Google Cloud console.


  2. Click Get started or Create NAT gateway.

  3. Enter a Gateway name.

  4. Choose a VPC network.

  5. Set the Region for the NAT gateway.

  6. Select or create a Cloud Router in the region.

  7. Click Create.

Connecting to the cluster

After creating your cluster, you need to get authentication credentials to connect to the cluster.

gcloud

gcloud container clusters get-credentials CLUSTER_NAME \
    --region REGION \
    --project=PROJECT_ID

Replace the following:

  • CLUSTER_NAME: the name of your new Autopilot cluster.
  • REGION: the region for your cluster, such as us-central1.
  • PROJECT_ID: your project ID.

This command configures kubectl to use the cluster you created.

Console

  1. Go to the Google Kubernetes Engine page on Google Cloud console.


  2. In the cluster list, beside the cluster that you want to connect to, click Actions, and then click Connect.

  3. Click Run in Cloud Shell when prompted. The generated command is copied into your Cloud Shell, for example:

    gcloud container clusters get-credentials autopilot-cluster --region us-east1 --project autopilot-test
    
  4. Press Enter to run the command.

Verifying the cluster mode

You can verify that your cluster is an Autopilot cluster by using the Google Cloud CLI or the Google Cloud console.

gcloud

To verify that your cluster is created in Autopilot mode, run the following command:

gcloud container clusters describe CLUSTER_NAME \
    --region REGION

Replace the following:

  • CLUSTER_NAME: the name of your Autopilot cluster.
  • REGION: the region for your cluster, such as us-central1.

The output of the command contains the following:

autopilot:
  enabled: true
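An added example, not from the page: a small check that parses the describe output shown above so a provisioning script can refuse to continue unless the cluster really is in Autopilot mode. It only accepts `enabled: true` inside the `autopilot:` block, so an `enabled` key elsewhere in the document does not count. The sample YAML in the block is constructed, and GCLOUD, the cluster name and the region are placeholders.

```shell
#!/bin/sh
# Added example, not from the GKE documentation page: verify Autopilot mode
# from `gcloud container clusters describe` output.
set -eu
GCLOUD="${GCLOUD:-gcloud}"

# autopilot_enabled: reads describe YAML on stdin; exit 0 only when the
# top-level `autopilot:` block contains `enabled: true`.
autopilot_enabled() {
  awk '
    /^autopilot:/                            { in_block = 1; next }
    in_block && /^[^ ]/                      { in_block = 0 }   # block ended
    in_block && /^[ ]+enabled:[ ]*true[ ]*$/ { found = 1 }
    END { exit(found ? 0 : 1) }
  '
}

# verify_autopilot CLUSTER_NAME REGION: fetch the cluster and check its mode.
verify_autopilot() {
  "$GCLOUD" container clusters describe "$1" --region="$2" | autopilot_enabled
}

# Constructed sample of describe output (not real cluster data), used to
# exercise the parser offline.
SAMPLE_DESCRIBE_OUTPUT='name: autopilot-cluster
autopilot:
  enabled: true
status: RUNNING'

# Usage: ./verify.sh --check CLUSTER_NAME REGION
if [ "${1:-}" = "--check" ]; then
  if verify_autopilot "${2:?cluster name}" "${3:?region}"; then
    echo "Autopilot mode: confirmed"
  else
    echo "Cluster is not in Autopilot mode" >&2
    exit 1
  fi
fi
```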

Console

To verify that your cluster is created in Autopilot mode:

  1. Go to the Google Kubernetes Engine page on Google Cloud console.


  2. Find your cluster in the cluster list. In the Mode column, the status shows Autopilot.

Verifying the cluster configuration

To see all of your resources across namespaces, run the following command:

kubectl get all --all-namespaces

You'll see the cluster's new resources, such as Pods, Services, Deployments, and DaemonSets.

What's next