REST Resource: projects.locations.clusters

Resource: Cluster

A Google Kubernetes Engine cluster.

JSON representation
{
  "name": string,
  "description": string,
  "initialNodeCount": integer,
  "nodeConfig": {
    object (NodeConfig)
  },
  "masterAuth": {
    object (MasterAuth)
  },
  "loggingService": string,
  "monitoringService": string,
  "network": string,
  "clusterIpv4Cidr": string,
  "addonsConfig": {
    object (AddonsConfig)
  },
  "subnetwork": string,
  "nodePools": [
    {
      object (NodePool)
    }
  ],
  "locations": [
    string
  ],
  "enableKubernetesAlpha": boolean,
  "enableK8sBetaApis": {
    object (K8sBetaAPIConfig)
  },
  "resourceLabels": {
    string: string,
    ...
  },
  "labelFingerprint": string,
  "legacyAbac": {
    object (LegacyAbac)
  },
  "networkPolicy": {
    object (NetworkPolicy)
  },
  "ipAllocationPolicy": {
    object (IPAllocationPolicy)
  },
  "masterAuthorizedNetworksConfig": {
    object (MasterAuthorizedNetworksConfig)
  },
  "maintenancePolicy": {
    object (MaintenancePolicy)
  },
  "binaryAuthorization": {
    object (BinaryAuthorization)
  },
  "podSecurityPolicyConfig": {
    object (PodSecurityPolicyConfig)
  },
  "autoscaling": {
    object (ClusterAutoscaling)
  },
  "networkConfig": {
    object (NetworkConfig)
  },
  "privateCluster": boolean,
  "masterIpv4CidrBlock": string,
  "defaultMaxPodsConstraint": {
    object (MaxPodsConstraint)
  },
  "resourceUsageExportConfig": {
    object (ResourceUsageExportConfig)
  },
  "authenticatorGroupsConfig": {
    object (AuthenticatorGroupsConfig)
  },
  "privateClusterConfig": {
    object (PrivateClusterConfig)
  },
  "verticalPodAutoscaling": {
    object (VerticalPodAutoscaling)
  },
  "shieldedNodes": {
    object (ShieldedNodes)
  },
  "releaseChannel": {
    object (ReleaseChannel)
  },
  "workloadIdentityConfig": {
    object (WorkloadIdentityConfig)
  },
  "workloadCertificates": {
    object (WorkloadCertificates)
  },
  "meshCertificates": {
    object (MeshCertificates)
  },
  "workloadAltsConfig": {
    object (WorkloadALTSConfig)
  },
  "costManagementConfig": {
    object (CostManagementConfig)
  },
  "clusterTelemetry": {
    object (ClusterTelemetry)
  },
  "tpuConfig": {
    object (TpuConfig)
  },
  "notificationConfig": {
    object (NotificationConfig)
  },
  "confidentialNodes": {
    object (ConfidentialNodes)
  },
  "identityServiceConfig": {
    object (IdentityServiceConfig)
  },
  "selfLink": string,
  "zone": string,
  "endpoint": string,
  "initialClusterVersion": string,
  "currentMasterVersion": string,
  "currentNodeVersion": string,
  "createTime": string,
  "status": enum (Status),
  "statusMessage": string,
  "nodeIpv4CidrSize": integer,
  "servicesIpv4Cidr": string,
  "instanceGroupUrls": [
    string
  ],
  "currentNodeCount": integer,
  "expireTime": string,
  "location": string,
  "enableTpu": boolean,
  "tpuIpv4CidrBlock": string,
  "databaseEncryption": {
    object (DatabaseEncryption)
  },
  "conditions": [
    {
      object (StatusCondition)
    }
  ],
  "master": {
    object (Master)
  },
  "autopilot": {
    object (Autopilot)
  },
  "id": string,
  "parentProductConfig": {
    object (ParentProductConfig)
  },
  "loggingConfig": {
    object (LoggingConfig)
  },
  "monitoringConfig": {
    object (MonitoringConfig)
  },
  "nodePoolAutoConfig": {
    object (NodePoolAutoConfig)
  },
  "podAutoscaling": {
    object (PodAutoscaling)
  },
  "etag": string,
  "fleet": {
    object (Fleet)
  },
  "securityPostureConfig": {
    object (SecurityPostureConfig)
  },
  "controlPlaneEndpointsConfig": {
    object (ControlPlaneEndpointsConfig)
  },
  "enterpriseConfig": {
    object (EnterpriseConfig)
  },
  "secretManagerConfig": {
    object (SecretManagerConfig)
  },
  "compliancePostureConfig": {
    object (CompliancePostureConfig)
  },
  "nodePoolDefaults": {
    object (NodePoolDefaults)
  },
  "protectConfig": {
    object (ProtectConfig)
  },
  "satisfiesPzs": boolean,
  "satisfiesPzi": boolean,
  "userManagedKeysConfig": {
    object (UserManagedKeysConfig)
  },
  "rbacBindingConfig": {
    object (RBACBindingConfig)
  }
}
Fields
name

string

The name of this cluster. The name must be unique within this project and location (e.g. zone or region), and can be up to 40 characters with the following restrictions:

  • Lowercase letters, numbers, and hyphens only.
  • Must start with a letter.
  • Must end with a number or a letter.
description

string

An optional description of this cluster.

initialNodeCount
(deprecated)

integer

The number of nodes to create in this cluster. You must ensure that your Compute Engine resource quota is sufficient for this number of instances. You must also have available firewall and routes quota. For requests, this field should only be used in lieu of a "nodePool" object, since this configuration (along with the "nodeConfig") will be used to create a "NodePool" object with an auto-generated name. Do not use this and a nodePool at the same time.

This field is deprecated, use nodePool.initial_node_count instead.

nodeConfig
(deprecated)

object (NodeConfig)

Parameters used in creating the cluster's nodes. For requests, this field should only be used in lieu of a "nodePool" object, since this configuration (along with the "initialNodeCount") will be used to create a "NodePool" object with an auto-generated name. Do not use this and a nodePool at the same time. For responses, this field will be populated with the node configuration of the first node pool. (For configuration of each node pool, see nodePool.config)

If unspecified, the defaults are used. This field is deprecated, use nodePool.config instead.

masterAuth

object (MasterAuth)

The authentication information for accessing the master endpoint. If unspecified, the defaults are used: For clusters before v1.12, if masterAuth is unspecified, username will be set to "admin", a random password will be generated, and a client certificate will be issued.

loggingService

string

The logging service the cluster should use to write logs. Currently available options:

  • logging.googleapis.com/kubernetes - The Cloud Logging service with a Kubernetes-native resource model
  • logging.googleapis.com - The legacy Cloud Logging service (no longer available as of GKE 1.15).
  • none - no logs will be exported from the cluster.

If left as an empty string, logging.googleapis.com/kubernetes will be used for GKE 1.14+ or logging.googleapis.com for earlier versions.

monitoringService

string

The monitoring service the cluster should use to write metrics. Currently available options:

  • monitoring.googleapis.com/kubernetes - The Cloud Monitoring service with a Kubernetes-native resource model
  • monitoring.googleapis.com - The legacy Cloud Monitoring service (no longer available as of GKE 1.15).
  • none - No metrics will be exported from the cluster.

If left as an empty string, monitoring.googleapis.com/kubernetes will be used for GKE 1.14+ or monitoring.googleapis.com for earlier versions.

network

string

The name of the Google Compute Engine network to which the cluster is connected. If left unspecified, the default network will be used. On output this shows the network ID instead of the name.

clusterIpv4Cidr

string

The IP address range of the container pods in this cluster, in CIDR notation (e.g. 10.96.0.0/14). Leave blank to have one automatically chosen or specify a /14 block in 10.0.0.0/8.

addonsConfig

object (AddonsConfig)

Configurations for the various addons available to run in the cluster.

subnetwork

string

The name of the Google Compute Engine subnetwork to which the cluster is connected. On output this shows the subnetwork ID instead of the name.

nodePools[]

object (NodePool)

The node pools associated with this cluster. This field should not be set if "nodeConfig" or "initialNodeCount" are specified.

locations[]

string

The list of Google Compute Engine zones in which the cluster's nodes should be located.

This field provides a default value if NodePool.Locations are not specified during node pool creation.

Warning: changing cluster locations will update the NodePool.Locations of all node pools and will result in nodes being added and/or removed.

enableKubernetesAlpha

boolean

Kubernetes alpha features are enabled on this cluster. This includes alpha API groups (e.g. v1beta1) and features that may not be production ready in the kubernetes version of the master and nodes. The cluster has no SLA for uptime and master/node upgrades are disabled. Alpha enabled clusters are automatically deleted thirty days after creation.

enableK8sBetaApis

object (K8sBetaAPIConfig)

Kubernetes open source beta APIs enabled on the cluster. Only beta APIs can be listed here.

resourceLabels

map (key: string, value: string)

The resource labels for the cluster to use to annotate any related Google Compute Engine resources.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

labelFingerprint

string

The fingerprint of the set of labels for this cluster.

legacyAbac

object (LegacyAbac)

Configuration for the legacy ABAC authorization mode.

networkPolicy

object (NetworkPolicy)

Configuration options for the NetworkPolicy feature.

ipAllocationPolicy

object (IPAllocationPolicy)

Configuration for cluster IP allocation.

masterAuthorizedNetworksConfig
(deprecated)

object (MasterAuthorizedNetworksConfig)

The configuration options for master authorized networks feature.

Deprecated: Use ControlPlaneEndpointsConfig.IPEndpointsConfig.authorized_networks_config instead.

maintenancePolicy

object (MaintenancePolicy)

Configure the maintenance policy for this cluster.

binaryAuthorization

object (BinaryAuthorization)

Configuration for Binary Authorization.

podSecurityPolicyConfig

object (PodSecurityPolicyConfig)

Configuration for the PodSecurityPolicy feature.

autoscaling

object (ClusterAutoscaling)

Cluster-level autoscaling configuration.

networkConfig

object (NetworkConfig)

Configuration for cluster networking.

privateCluster
(deprecated)

boolean

If this is a private cluster setup. Private clusters are clusters that, by default have no external IP addresses on the nodes and where nodes and the master communicate over private IP addresses. This field is deprecated, use privateClusterConfig.enable_private_nodes instead.

masterIpv4CidrBlock
(deprecated)

string

The IP prefix in CIDR notation to use for the hosted master network. This prefix will be used for assigning private IP addresses to the master or set of masters, as well as the ILB VIP. This field is deprecated, use privateClusterConfig.master_ipv4_cidr_block instead.

defaultMaxPodsConstraint

object (MaxPodsConstraint)

The default constraint on the maximum number of pods that can be run simultaneously on a node in the node pool of this cluster. Only honored if cluster created with IP Alias support.

resourceUsageExportConfig

object (ResourceUsageExportConfig)

Configuration for exporting resource usage. Resource usage export is disabled when this config is unspecified.

authenticatorGroupsConfig

object (AuthenticatorGroupsConfig)

Configuration controlling RBAC group membership information.

privateClusterConfig

object (PrivateClusterConfig)

Configuration for private cluster.

verticalPodAutoscaling

object (VerticalPodAutoscaling)

Cluster-level Vertical Pod Autoscaling configuration.

shieldedNodes

object (ShieldedNodes)

Shielded Nodes configuration.

releaseChannel

object (ReleaseChannel)

Release channel configuration. If left unspecified on cluster creation and a version is specified, the cluster is enrolled in the most mature release channel where the version is available (first checking STABLE, then REGULAR, and finally RAPID). Otherwise, if no release channel configuration and no version is specified, the cluster is enrolled in the REGULAR channel with its default version.

workloadIdentityConfig

object (WorkloadIdentityConfig)

Configuration for the use of Kubernetes Service Accounts in GCP IAM policies.

workloadCertificates

object (WorkloadCertificates)

Configuration for issuance of mTLS keys and certificates to Kubernetes pods.

meshCertificates

object (MeshCertificates)

Configuration for issuance of mTLS keys and certificates to Kubernetes pods.

workloadAltsConfig

object (WorkloadALTSConfig)

Configuration for direct-path (via ALTS) with workload identity.

costManagementConfig

object (CostManagementConfig)

Configuration for the fine-grained cost management feature.

clusterTelemetry

object (ClusterTelemetry)

Telemetry integration for the cluster.

tpuConfig

object (TpuConfig)

Configuration for Cloud TPU support.

notificationConfig

object (NotificationConfig)

Notification configuration of the cluster.

confidentialNodes

object (ConfidentialNodes)

Configuration of Confidential Nodes. All the nodes in the cluster will be Confidential VM once enabled.

identityServiceConfig

object (IdentityServiceConfig)

Configuration for Identity Service component.

zone
(deprecated)

string

Output only. The name of the Google Compute Engine zone in which the cluster resides. This field is deprecated, use location instead.

endpoint

string

Output only. The IP address of this cluster's master (control plane) endpoint. Historically the endpoint could be reached from the internet at https://username:password@endpoint/ using the masterAuth username and password; basic authentication is deprecated and removed from GKE control plane versions 1.19 and newer (see the masterAuth property of this resource), and whether the endpoint is reachable from the internet at all depends on privateClusterConfig, masterAuthorizedNetworksConfig and controlPlaneEndpointsConfig.

initialClusterVersion

string

The initial Kubernetes version for this cluster. Valid versions are those found in validMasterVersions returned by getServerConfig. The version can be upgraded over time; such upgrades are reflected in currentMasterVersion and currentNodeVersion.

Users may specify either explicit versions offered by Kubernetes Engine or version aliases, which have the following behavior:

  • "latest": picks the highest valid Kubernetes version
  • "1.X": picks the highest valid patch+gke.N patch in the 1.X version
  • "1.X.Y": picks the highest valid gke.N patch in the 1.X.Y version
  • "1.X.Y-gke.N": picks an explicit Kubernetes version
  • "","-": picks the default Kubernetes version
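
The alias rules above decide which control plane version a create request actually gets, and "latest" or "1.X" resolve to a different release as the server's valid version list moves, so fleet builds that must be reproducible should pin the explicit "1.X.Y-gke.N" form and compare it with currentMasterVersion afterwards. The resolver below is an added example, not code from this page or from Google's API client; it implements the five alias rules against a constructed version list standing in for validMasterVersions from getServerConfig (the version strings and the default are made up).

```python
from __future__ import annotations

import re

# Shape of an explicit GKE version: 1.X.Y-gke.N (the page's "1.X.Y-gke.N" form).
_GKE_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-gke\.(\d+)$")

# Constructed stand-in for validMasterVersions from getServerConfig; these are
# made-up version strings, not real GKE releases.
VALID_VERSIONS = [
    "1.28.15-gke.1000000",
    "1.29.10-gke.1234000",
    "1.29.12-gke.900000",
    "1.30.5-gke.100",
    "1.30.5-gke.2000",
]
DEFAULT_VERSION = "1.29.12-gke.900000"  # constructed server default


def parse_gke_version(version: str) -> tuple[int, int, int, int]:
    """Parse '1.X.Y-gke.N' into (1, X, Y, N) so versions sort numerically, not lexically."""
    m = _GKE_VERSION_RE.match(version)
    if not m:
        raise ValueError(f"not an explicit GKE version: {version!r}")
    major, minor, patch, gke = (int(g) for g in m.groups())
    return major, minor, patch, gke


def resolve_version_alias(alias: str, valid_versions: list[str], default_version: str) -> str:
    """Resolve an initialClusterVersion value using the alias rules on this page.

    "latest"      -> highest valid version
    "1.X"         -> highest valid patch and gke.N within minor 1.X
    "1.X.Y"       -> highest valid gke.N within patch 1.X.Y
    "1.X.Y-gke.N" -> that exact version, which must be offered
    "" or "-"     -> the server default
    """
    parsed = {v: parse_gke_version(v) for v in valid_versions}
    if alias in ("", "-"):
        if default_version not in parsed:
            raise ValueError("default version is not in the valid version list")
        return default_version
    if alias == "latest":
        return max(parsed, key=parsed.__getitem__)
    if _GKE_VERSION_RE.match(alias):
        if alias not in parsed:
            raise ValueError(f"{alias} is not offered by the server")
        return alias
    # Prefix aliases "1.X" and "1.X.Y": compare only the leading components.
    parts = alias.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version alias: {alias!r}")
    prefix = tuple(int(p) for p in parts)
    candidates = {v: t for v, t in parsed.items() if t[: len(prefix)] == prefix}
    if not candidates:
        raise ValueError(f"no valid version matches {alias!r}")
    return max(candidates, key=candidates.__getitem__)


if __name__ == "__main__":
    for alias in ("latest", "1.29", "1.30.5", "1.29.10-gke.1234000", ""):
        resolved = resolve_version_alias(alias, VALID_VERSIONS, DEFAULT_VERSION)
        print(f"{alias or '(default)':>22} -> {resolved}")
```

Note that the gke.N component is compared as an integer: a naive string comparison would rank 1.30.5-gke.2000 below 1.30.5-gke.100 and select an older patch.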
currentMasterVersion

string

Output only. The current software version of the master endpoint.

currentNodeVersion
(deprecated)

string

Output only. Deprecated, use NodePool.version instead. The current version of the node software components. If they are currently at multiple versions because they're in the process of being upgraded, this reflects the minimum version of all nodes.

createTime

string

Output only. The time the cluster was created, in RFC3339 text format.

status

enum (Status)

Output only. The current status of this cluster.

statusMessage
(deprecated)

string

Output only. Deprecated. Use conditions instead. Additional information about the current status of this cluster, if available.

nodeIpv4CidrSize

integer

Output only. The size of the address space on each node for hosting containers. This is provisioned from within the container_ipv4_cidr range. This field will only be set when cluster is in route-based network mode.

servicesIpv4Cidr

string

Output only. The IP address range of the Kubernetes services in this cluster, in CIDR notation (e.g. 1.2.3.4/29). Service addresses are typically put in the last /16 from the container CIDR.

instanceGroupUrls[]
(deprecated)

string

Output only. Deprecated. Use nodePools.instance_group_urls.

currentNodeCount
(deprecated)

integer

Output only. The number of nodes currently in the cluster. Deprecated. Call Kubernetes API directly to retrieve node information.

expireTime

string

Output only. The time the cluster will be automatically deleted in RFC3339 text format.

location

string

Output only. The name of the Google Compute Engine zone or region in which the cluster resides.

enableTpu

boolean

Enable the ability to use Cloud TPUs in this cluster. This field is deprecated, use tpuConfig.enabled instead.

tpuIpv4CidrBlock

string

Output only. The IP address range of the Cloud TPUs in this cluster, in CIDR notation (e.g. 1.2.3.4/29).

databaseEncryption

object (DatabaseEncryption)

Configuration of etcd encryption.

conditions[]

object (StatusCondition)

Which conditions caused the current cluster state.

master

object (Master)

Configuration for master components.

autopilot

object (Autopilot)

Autopilot configuration for the cluster.

id

string

Output only. Unique id for the cluster.

parentProductConfig

object (ParentProductConfig)

The configuration of the parent product of the cluster. This field is used by Google internal products that are built on top of the GKE cluster and take the ownership of the cluster.

loggingConfig

object (LoggingConfig)

Logging configuration for the cluster.

monitoringConfig

object (MonitoringConfig)

Monitoring configuration for the cluster.

nodePoolAutoConfig

object (NodePoolAutoConfig)

Node pool configs that apply to all auto-provisioned node pools in autopilot clusters and node auto-provisioning enabled clusters.

podAutoscaling

object (PodAutoscaling)

The config for pod autoscaling.

etag

string

This checksum is computed by the server based on the value of cluster fields, and may be sent on update requests to ensure the client has an up-to-date value before proceeding.

fleet

object (Fleet)

Fleet information for the cluster.

securityPostureConfig

object (SecurityPostureConfig)

Enable/Disable Security Posture API features for the cluster.

controlPlaneEndpointsConfig

object (ControlPlaneEndpointsConfig)

Configuration for all cluster's control plane endpoints.

enterpriseConfig

object (EnterpriseConfig)

GKE Enterprise Configuration.

secretManagerConfig

object (SecretManagerConfig)

Secret CSI driver configuration.

compliancePostureConfig

object (CompliancePostureConfig)

Enable/Disable Compliance Posture features for the cluster.

nodePoolDefaults

object (NodePoolDefaults)

Default NodePool settings for the entire cluster. These settings are overridden if specified on the specific NodePool object.

protectConfig
(deprecated)

object (ProtectConfig)

Deprecated: Use SecurityPostureConfig instead. Enable/Disable Protect API features for the cluster.

satisfiesPzs

boolean

Output only. Reserved for future use.

satisfiesPzi

boolean

Output only. Reserved for future use.

userManagedKeysConfig

object (UserManagedKeysConfig)

The Custom keys configuration for the cluster.

rbacBindingConfig

object (RBACBindingConfig)

RBACBindingConfig allows the user to restrict the ClusterRoleBindings and RoleBindings that can be created.

MasterAuth

The authentication information for accessing the master endpoint. Authentication can be done using HTTP basic auth or using client certificates. Both are legacy mechanisms: basic authentication is deprecated and removed from GKE control plane versions 1.19 and newer, and a client certificate is only issued when clientCertificateConfig requests one.

JSON representation
{
  "username": string,
  "password": string,
  "clientCertificateConfig": {
    object (ClientCertificateConfig)
  },
  "clusterCaCertificate": string,
  "clientCertificate": string,
  "clientKey": string
}
Fields
username
(deprecated)

string

The username to use for HTTP basic authentication to the master endpoint. For clusters v1.6.0 and later, basic authentication can be disabled by leaving username unspecified (or setting it to the empty string).

Warning: basic authentication is deprecated, and will be removed in GKE control plane versions 1.19 and newer. For a list of recommended authentication methods, see: https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication

password
(deprecated)

string

The password to use for HTTP basic authentication to the master endpoint. Because the master endpoint is open to the Internet, you should create a strong password. If a password is provided for cluster creation, username must be non-empty.

Warning: basic authentication is deprecated, and will be removed in GKE control plane versions 1.19 and newer. For a list of recommended authentication methods, see: https://cloud.google.com/kubernetes-engine/docs/how-to/api-server-authentication

clientCertificateConfig

object (ClientCertificateConfig)

Configuration for client certificate authentication on the cluster. For clusters before v1.12, if no configuration is specified, a client certificate is issued.

clusterCaCertificate

string

Output only. Base64-encoded public certificate that is the root of trust for the cluster.

clientCertificate

string

Output only. Base64-encoded public certificate used by clients to authenticate to the cluster endpoint. Issued only if clientCertificateConfig is set.

clientKey

string

Output only. Base64-encoded private key used by clients to authenticate to the cluster endpoint.

ClientCertificateConfig

Configuration for client certificates on the cluster.

JSON representation
{
  "issueClientCertificate": boolean
}
Fields
issueClientCertificate

boolean

Issue a client certificate.
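
The Cluster fields above (legacyAbac, networkPolicy, enableKubernetesAlpha, masterAuthorizedNetworksConfig, privateClusterConfig, addonsConfig) together with MasterAuth and ClientCertificateConfig are the settings a control-plane review reads first. The audit below is an added example, not code from this page or from Google; it walks a Cluster document as returned by the API and reports each weak setting with the JSON path that needs changing. The enabled sub-field of the authorized-networks objects and the camelCase spelling enablePrivateNodes are assumptions (those sub-objects are not defined on this page), and the two sample cluster documents are constructed.

```python
from __future__ import annotations

from typing import Any

# One finding: (severity, JSON path of the field, why it matters)
Finding = tuple[str, str, str]


def _get(obj: Any, path: str) -> Any:
    """Walk a dotted JSON path through nested dicts; None if any part is missing."""
    cur = obj
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def audit_cluster(cluster: dict[str, Any]) -> list[Finding]:
    """Audit a Cluster resource (as returned by GET) for weak control-plane settings."""
    findings: list[Finding] = []

    def flag(sev: str, path: str, why: str) -> None:
        findings.append((sev, path, why))

    # masterAuth: basic auth is deprecated and removed from control plane 1.19+; a client
    # certificate is a long-lived credential outside IAM and is only issued when requested.
    if _get(cluster, "masterAuth.username"):
        flag("HIGH", "masterAuth.username", "HTTP basic auth is configured on the control plane endpoint")
    if _get(cluster, "masterAuth.clientCertificateConfig.issueClientCertificate") is True:
        flag("HIGH", "masterAuth.clientCertificateConfig.issueClientCertificate", "client certificate is issued")
    if _get(cluster, "masterAuth.clientKey"):
        flag("HIGH", "masterAuth.clientKey", "private key is in the response; handle the document as a secret")

    # legacyAbac grants static permissions beyond RBAC and IAM.
    if _get(cluster, "legacyAbac.enabled") is True:
        flag("HIGH", "legacyAbac.enabled", "legacy ABAC authorizer is enabled")

    # Alpha clusters: no SLA, upgrades disabled, deleted 30 days after creation.
    if cluster.get("enableKubernetesAlpha") is True:
        flag("MEDIUM", "enableKubernetesAlpha", "alpha cluster: upgrades disabled, auto-deleted after 30 days")

    # Enforcement is the cluster-level networkPolicy flag; addonsConfig.networkPolicyConfig
    # only records whether the master-side addon is on.
    if _get(cluster, "networkPolicy.enabled") is not True:
        flag("MEDIUM", "networkPolicy.enabled", "NetworkPolicy is not enabled; every pod can reach every other pod")

    # These addon objects use the inverted 'disabled' flag: False means the addon is on.
    if _get(cluster, "addonsConfig.kubernetesDashboard.disabled") is False:
        flag("MEDIUM", "addonsConfig.kubernetesDashboard.disabled", "deprecated Kubernetes Dashboard is enabled")
    if (_get(cluster, "addonsConfig.istioConfig.disabled") is False
            and _get(cluster, "addonsConfig.istioConfig.auth") != "AUTH_MUTUAL_TLS"):
        flag("MEDIUM", "addonsConfig.istioConfig.auth", "Istio addon is enabled without mutual TLS")

    # Control-plane allowlist: both locations come from the masterAuthorizedNetworksConfig
    # deprecation note; the 'enabled' sub-field is assumed (object not defined on this page).
    allowlisted = (
        _get(cluster, "masterAuthorizedNetworksConfig.enabled") is True
        or _get(cluster, "controlPlaneEndpointsConfig.ipEndpointsConfig.authorizedNetworksConfig.enabled") is True
    )
    if not allowlisted:
        flag("HIGH", "masterAuthorizedNetworksConfig", "no authorized-networks allowlist on the control plane endpoint")

    # Private nodes: the deprecated boolean, or enablePrivateNodes (assumed camelCase of the
    # enable_private_nodes field named in the privateCluster deprecation note).
    if not (cluster.get("privateCluster") is True
            or _get(cluster, "privateClusterConfig.enablePrivateNodes") is True):
        flag("MEDIUM", "privateClusterConfig.enablePrivateNodes", "nodes may receive external IP addresses")

    return findings


# Constructed sample responses for demonstration only; not real clusters.
WEAK_CLUSTER: dict[str, Any] = {
    "name": "legacy-cluster",
    "enableKubernetesAlpha": True,
    "masterAuth": {"username": "admin", "clientKey": "S0VZ", "clusterCaCertificate": "Q0E=",
                   "clientCertificateConfig": {"issueClientCertificate": True}},
    "legacyAbac": {"enabled": True},
    "addonsConfig": {"kubernetesDashboard": {"disabled": False},
                     "istioConfig": {"disabled": False, "auth": "AUTH_NONE"}},
}

HARDENED_CLUSTER: dict[str, Any] = {
    "name": "prod-cluster",
    "masterAuth": {"clusterCaCertificate": "Q0E=",
                   "clientCertificateConfig": {"issueClientCertificate": False}},
    "legacyAbac": {"enabled": False},
    "networkPolicy": {"provider": "CALICO", "enabled": True},
    "addonsConfig": {"kubernetesDashboard": {"disabled": True}, "networkPolicyConfig": {"disabled": False}},
    "masterAuthorizedNetworksConfig": {"enabled": True},
    "privateClusterConfig": {"enablePrivateNodes": True},
}

if __name__ == "__main__":
    for sev, path, why in audit_cluster(WEAK_CLUSTER):
        print(f"{sev:<6} {path}: {why}")
```

An empty document still produces three findings (no NetworkPolicy, no allowlist, no private nodes), which is deliberate: the absence of a hardening object is reported rather than treated as safe.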

AddonsConfig

Configuration for the addons that can be automatically spun up in the cluster, enabling additional functionality.

JSON representation
{
  "httpLoadBalancing": {
    object (HttpLoadBalancing)
  },
  "horizontalPodAutoscaling": {
    object (HorizontalPodAutoscaling)
  },
  "kubernetesDashboard": {
    object (KubernetesDashboard)
  },
  "networkPolicyConfig": {
    object (NetworkPolicyConfig)
  },
  "istioConfig": {
    object (IstioConfig)
  },
  "cloudRunConfig": {
    object (CloudRunConfig)
  },
  "dnsCacheConfig": {
    object (DnsCacheConfig)
  },
  "configConnectorConfig": {
    object (ConfigConnectorConfig)
  },
  "gcePersistentDiskCsiDriverConfig": {
    object (GcePersistentDiskCsiDriverConfig)
  },
  "kalmConfig": {
    object (KalmConfig)
  },
  "gcpFilestoreCsiDriverConfig": {
    object (GcpFilestoreCsiDriverConfig)
  },
  "gkeBackupAgentConfig": {
    object (GkeBackupAgentConfig)
  },
  "gcsFuseCsiDriverConfig": {
    object (GcsFuseCsiDriverConfig)
  },
  "statefulHaConfig": {
    object (StatefulHAConfig)
  },
  "parallelstoreCsiDriverConfig": {
    object (ParallelstoreCsiDriverConfig)
  },
  "rayOperatorConfig": {
    object (RayOperatorConfig)
  }
}
Fields
httpLoadBalancing

object (HttpLoadBalancing)

Configuration for the HTTP (L7) load balancing controller addon, which makes it easy to set up HTTP load balancers for services in a cluster.

horizontalPodAutoscaling

object (HorizontalPodAutoscaling)

Configuration for the horizontal pod autoscaling feature, which increases or decreases the number of replica pods a replication controller has based on the resource usage of the existing pods.

kubernetesDashboard
(deprecated)

object (KubernetesDashboard)

Configuration for the Kubernetes Dashboard. This addon is deprecated, and will be disabled in 1.15. It is recommended to use the Cloud Console to manage and monitor your Kubernetes clusters, workloads and applications. For more information, see: https://cloud.google.com/kubernetes-engine/docs/concepts/dashboards

networkPolicyConfig

object (NetworkPolicyConfig)

Configuration for NetworkPolicy. This only tracks whether the addon is enabled or not on the Master, it does not track whether network policy is enabled for the nodes.

istioConfig
(deprecated)

object (IstioConfig)

Configuration for Istio, an open platform to connect, manage, and secure microservices.

cloudRunConfig

object (CloudRunConfig)

Configuration for the Cloud Run addon. The IstioConfig addon must be enabled in order to enable Cloud Run addon. This option can only be enabled at cluster creation time.

dnsCacheConfig

object (DnsCacheConfig)

Configuration for NodeLocal DNSCache, a DNS cache running on cluster nodes.

configConnectorConfig

object (ConfigConnectorConfig)

Configuration for the Config Connector add-on, a Kubernetes extension to manage hosted GCP services through the Kubernetes API.

gcePersistentDiskCsiDriverConfig

object (GcePersistentDiskCsiDriverConfig)

Configuration for the Compute Engine Persistent Disk CSI driver.

kalmConfig
(deprecated)

object (KalmConfig)

Configuration for the KALM addon, which manages the lifecycle of k8s applications.

gcpFilestoreCsiDriverConfig

object (GcpFilestoreCsiDriverConfig)

Configuration for the GCP Filestore CSI driver.

gkeBackupAgentConfig

object (GkeBackupAgentConfig)

Configuration for the Backup for GKE agent addon.

gcsFuseCsiDriverConfig

object (GcsFuseCsiDriverConfig)

Configuration for the Cloud Storage Fuse CSI driver.

statefulHaConfig

object (StatefulHAConfig)

Optional. Configuration for the StatefulHA add-on.

parallelstoreCsiDriverConfig

object (ParallelstoreCsiDriverConfig)

Configuration for the Cloud Storage Parallelstore CSI driver.

rayOperatorConfig

object (RayOperatorConfig)

Optional. Configuration for Ray Operator addon.

HttpLoadBalancing

Configuration options for the HTTP (L7) load balancing controller addon, which makes it easy to set up HTTP load balancers for services in a cluster.

JSON representation
{
  "disabled": boolean
}
Fields
disabled

boolean

Whether the HTTP Load Balancing controller is disabled in the cluster (true turns it off). When the controller is enabled, it runs a small pod in the cluster that manages the load balancers.

HorizontalPodAutoscaling

Configuration options for the horizontal pod autoscaling feature, which increases or decreases the number of replica pods a replication controller has based on the resource usage of the existing pods.

JSON representation
{
  "disabled": boolean
}
Fields
disabled

boolean

Whether the Horizontal Pod Autoscaling feature is disabled in the cluster (true turns it off). When enabled, it ensures that metrics are collected into Cloud Monitoring (formerly Stackdriver Monitoring).

KubernetesDashboard

Configuration for the Kubernetes Dashboard.

JSON representation
{
  "disabled": boolean
}
Fields
disabled

boolean

Whether the Kubernetes Dashboard is disabled for this cluster (true turns it off).

NetworkPolicyConfig

Configuration for NetworkPolicy. This only tracks whether the addon is enabled or not on the Master, it does not track whether network policy is enabled for the nodes.

JSON representation
{
  "disabled": boolean
}
Fields
disabled

boolean

Whether the NetworkPolicy addon is disabled on the master (true turns it off). This does not by itself enforce network policy on the nodes; enforcement is controlled by the cluster-level networkPolicy field.

IstioConfig

Configuration options for Istio addon.

JSON representation
{
  "disabled": boolean,
  "auth": enum (IstioAuthMode)
}
Fields
disabled
(deprecated)

boolean

Whether Istio is disabled for this cluster (true turns it off).

auth
(deprecated)

enum (IstioAuthMode)

The specified Istio auth mode, either none, or mutual TLS.

IstioAuthMode

Istio auth mode, https://istio.io/docs/concepts/security/mutual-tls.html

Enums
AUTH_NONE: Auth not enabled.
AUTH_MUTUAL_TLS: Mutual TLS auth enabled.

CloudRunConfig

Configuration options for the Cloud Run feature.

JSON representation
{
  "disabled": boolean,
  "loadBalancerType": enum (LoadBalancerType)
}
Fields
disabled

boolean

Whether the Cloud Run addon is disabled for this cluster (true turns it off).

loadBalancerType

enum (LoadBalancerType)

Which load balancer type is installed for Cloud Run.

LoadBalancerType

Load balancer type of ingress service of Cloud Run.

Enums
LOAD_BALANCER_TYPE_UNSPECIFIED: Load balancer type for Cloud Run is unspecified.
LOAD_BALANCER_TYPE_EXTERNAL: Install an external load balancer for Cloud Run.
LOAD_BALANCER_TYPE_INTERNAL: Install an internal load balancer for Cloud Run.

DnsCacheConfig

Configuration for NodeLocal DNSCache.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether NodeLocal DNSCache is enabled for this cluster.

ConfigConnectorConfig

Configuration options for the Config Connector add-on.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether Config Connector is enabled for this cluster.

GcePersistentDiskCsiDriverConfig

Configuration for the Compute Engine PD CSI driver.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether the Compute Engine PD CSI driver is enabled for this cluster.

KalmConfig

Configuration options for the KALM addon.

JSON representation
{
  "enabled": boolean
}
Fields
enabled
(deprecated)

boolean

Whether KALM is enabled for this cluster.

GcpFilestoreCsiDriverConfig

Configuration for the GCP Filestore CSI driver.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether the GCP Filestore CSI driver is enabled for this cluster.

GkeBackupAgentConfig

Configuration for the Backup for GKE Agent.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether the Backup for GKE agent is enabled for this cluster.

GcsFuseCsiDriverConfig

Configuration for the Cloud Storage Fuse CSI driver.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether the Cloud Storage Fuse CSI driver is enabled for this cluster.

StatefulHAConfig

Configuration for the Stateful HA add-on.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether the Stateful HA add-on is enabled for this cluster.

ParallelstoreCsiDriverConfig

Configuration for the Cloud Storage Parallelstore CSI driver.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether the Cloud Storage Parallelstore CSI driver is enabled for this cluster.

RayOperatorConfig

Configuration options for the Ray Operator add-on.

JSON representation
{
  "enabled": boolean,
  "rayClusterLoggingConfig": {
    object (RayClusterLoggingConfig)
  },
  "rayClusterMonitoringConfig": {
    object (RayClusterMonitoringConfig)
  }
}
Fields
enabled

boolean

Whether the Ray addon is enabled for this cluster.

rayClusterLoggingConfig

object (RayClusterLoggingConfig)

Optional. Logging configuration for Ray clusters.

rayClusterMonitoringConfig

object (RayClusterMonitoringConfig)

Optional. Monitoring configuration for Ray clusters.

RayClusterLoggingConfig

RayClusterLoggingConfig specifies logging configuration for Ray clusters.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Enable log collection for Ray clusters.

RayClusterMonitoringConfig

RayClusterMonitoringConfig specifies monitoring configuration for Ray clusters.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Enable metrics collection for Ray clusters.
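
The addon objects above mix two polarities: HttpLoadBalancing, HorizontalPodAutoscaling, KubernetesDashboard, NetworkPolicyConfig, IstioConfig and CloudRunConfig carry a disabled flag (true turns the addon off), while the remaining addons carry an enabled flag. A policy check that reads the raw flags gets the answer backwards for half of them. The helper below is an added example, not code from this page or from Google; it normalises an AddonsConfig document to a plain on/off view, builds a correctly polarised AddonsConfig from a desired-state map, and reports drift between the two. The sample AddonsConfig and the baseline are constructed.

```python
from __future__ import annotations

from typing import Any

# Addon objects on this page that carry a 'disabled' flag (true turns the addon OFF).
DISABLED_POLARITY = frozenset({
    "httpLoadBalancing", "horizontalPodAutoscaling", "kubernetesDashboard",
    "networkPolicyConfig", "istioConfig", "cloudRunConfig",
})
# Addon objects that carry an 'enabled' flag (true turns the addon ON).
ENABLED_POLARITY = frozenset({
    "dnsCacheConfig", "configConnectorConfig", "gcePersistentDiskCsiDriverConfig",
    "kalmConfig", "gcpFilestoreCsiDriverConfig", "gkeBackupAgentConfig",
    "gcsFuseCsiDriverConfig", "statefulHaConfig", "parallelstoreCsiDriverConfig",
    "rayOperatorConfig",
})


def addon_state(addons_config: dict[str, Any], addon: str) -> bool | None:
    """True if the addon is on, False if off, None if its object is absent.

    Unknown addon names raise KeyError and an object missing its polarity flag raises
    ValueError, so a misspelt name or a malformed object never silently reads as 'off'.
    """
    if addon in DISABLED_POLARITY:
        flag, invert = "disabled", True
    elif addon in ENABLED_POLARITY:
        flag, invert = "enabled", False
    else:
        raise KeyError(f"unknown addon: {addon}")
    obj = addons_config.get(addon)
    if obj is None:
        return None
    if flag not in obj:
        raise ValueError(f"{addon}: expected a '{flag}' flag")
    value = bool(obj[flag])
    return (not value) if invert else value


def effective_addons(addons_config: dict[str, Any]) -> dict[str, bool | None]:
    """Normalised on/off view of every addon this page defines, regardless of polarity."""
    return {name: addon_state(addons_config, name)
            for name in sorted(DISABLED_POLARITY | ENABLED_POLARITY)}


def build_addons_config(desired: dict[str, bool]) -> dict[str, dict[str, bool]]:
    """Turn a plain {addon: on?} map into AddonsConfig JSON with the right flag per addon."""
    out: dict[str, dict[str, bool]] = {}
    for name, on in desired.items():
        if name in DISABLED_POLARITY:
            out[name] = {"disabled": not on}
        elif name in ENABLED_POLARITY:
            out[name] = {"enabled": on}
        else:
            raise KeyError(f"unknown addon: {name}")
    return out


def addon_drift(desired: dict[str, bool], addons_config: dict[str, Any]) -> dict[str, tuple[bool, bool | None]]:
    """Addons whose observed state differs from the desired one: {addon: (wanted, observed)}."""
    observed = {name: addon_state(addons_config, name) for name in desired}
    return {name: (want, observed[name]) for name, want in desired.items() if observed[name] is not want}


# Constructed AddonsConfig as it might appear in a GET response; not a real cluster.
SAMPLE_ADDONS: dict[str, Any] = {
    "httpLoadBalancing": {"disabled": False},
    "kubernetesDashboard": {"disabled": True},
    "networkPolicyConfig": {"disabled": False},
    "dnsCacheConfig": {"enabled": True},
    "gkeBackupAgentConfig": {"enabled": False},
}

# Constructed baseline a security team might hold clusters to.
DESIRED: dict[str, bool] = {
    "kubernetesDashboard": False,
    "istioConfig": False,
    "networkPolicyConfig": True,
    "gkeBackupAgentConfig": True,
}

if __name__ == "__main__":
    for name, (want, got) in addon_drift(DESIRED, SAMPLE_ADDONS).items():
        print(f"{name}: wanted {'on' if want else 'off'}, observed {got}")
    print(build_addons_config(DESIRED))
```

An absent addon object is reported as None rather than as off, because this page does not state the default for a missing object; treat None as "confirm on the cluster" rather than as compliant.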

K8sBetaAPIConfig

Kubernetes open source beta apis enabled on the cluster.

JSON representation
{
  "enabledApis": [
    string
  ]
}
Fields
enabledApis[]

string

API name, e.g. storage.k8s.io/v1beta1/csistoragecapacities.

LegacyAbac

Configuration for the legacy Attribute Based Access Control authorization mode.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether the ABAC authorizer is enabled for this cluster. When enabled, identities in the system, including service accounts, nodes, and controllers, will have statically granted permissions beyond those provided by the RBAC configuration or IAM.

NetworkPolicy

Configuration options for the NetworkPolicy feature. https://kubernetes.io/docs/concepts/services-networking/networkpolicies/

JSON representation
{
  "provider": enum (Provider),
  "enabled": boolean
}
Fields
provider

enum (Provider)

The selected network policy provider.

enabled

boolean

Whether network policy is enabled on the cluster.

Provider

Allowed Network Policy providers.

Enums
PROVIDER_UNSPECIFIED: Not set.
CALICO: Tigera (Calico Felix).

IPAllocationPolicy

Configuration for controlling how IPs are allocated in the cluster.

JSON representation
{
  "useIpAliases": boolean,
  "createSubnetwork": boolean,
  "subnetworkName": string,
  "clusterIpv4Cidr": string,
  "nodeIpv4Cidr": string,
  "servicesIpv4Cidr": string,
  "clusterSecondaryRangeName": string,
  "servicesSecondaryRangeName": string,
  "clusterIpv4CidrBlock": string,
  "nodeIpv4CidrBlock": string,
  "servicesIpv4CidrBlock": string,
  "allowRouteOverlap": boolean,
  "tpuIpv4CidrBlock": string,
  "useRoutes": boolean,
  "stackType": enum (StackType),
  "ipv6AccessType": enum (IPv6AccessType),
  "podCidrOverprovisionConfig": {
    object (PodCIDROverprovisionConfig)
  },
  "subnetIpv6CidrBlock": string,
  "servicesIpv6CidrBlock": string,
  "additionalPodRangesConfig": {
    object (AdditionalPodRangesConfig)
  },
  "defaultPodIpv4RangeUtilization": number
}
Fields
useIpAliases

boolean

Whether alias IPs will be used for pod IPs in the cluster. This is used in conjunction with useRoutes. It cannot be true if useRoutes is true. If both useIpAliases and useRoutes are false, then the server picks the default IP allocation mode.

createSubnetwork

boolean

Whether a new subnetwork will be created automatically for the cluster.

This field is only applicable when useIpAliases is true.

subnetworkName

string

A custom subnetwork name to be used if createSubnetwork is true. If this field is empty, then an automatic name will be chosen for the new subnetwork.

clusterIpv4Cidr
(deprecated)

string

This field is deprecated, use clusterIpv4CidrBlock.

nodeIpv4Cidr
(deprecated)

string

This field is deprecated, use nodeIpv4CidrBlock.

servicesIpv4Cidr
(deprecated)

string

This field is deprecated, use servicesIpv4CidrBlock.

clusterSecondaryRangeName

string

The name of the secondary range to be used for the cluster CIDR block. The secondary range will be used for pod IP addresses. This must be an existing secondary range associated with the cluster subnetwork.

This field is only applicable when useIpAliases is true and createSubnetwork is false.

servicesSecondaryRangeName

string

The name of the secondary range to be used for the services CIDR block. The secondary range will be used for service ClusterIPs. This must be an existing secondary range associated with the cluster subnetwork.

This field is only applicable when useIpAliases is true and createSubnetwork is false.

clusterIpv4CidrBlock

string

The IP address range for the cluster pod IPs. If this field is set, then cluster.cluster_ipv4_cidr must be left blank.

This field is only applicable when useIpAliases is true.

Set to blank to have a range chosen with the default size.

Set to /netmask (e.g. /14) to have a range chosen with a specific netmask.

Set to a CIDR notation (e.g. 10.96.0.0/14) from the RFC-1918 private networks (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to pick a specific range to use.

nodeIpv4CidrBlock

string

The IP address range of the instance IPs in this cluster.

This is applicable only if createSubnetwork is true.

Set to blank to have a range chosen with the default size.

Set to /netmask (e.g. /14) to have a range chosen with a specific netmask.

Set to a CIDR notation (e.g. 10.96.0.0/14) from the RFC-1918 private networks (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to pick a specific range to use.

servicesIpv4CidrBlock

string

The IP address range of the services IPs in this cluster. If blank, a range will be automatically chosen with the default size.

This field is only applicable when useIpAliases is true.

Set to blank to have a range chosen with the default size.

Set to /netmask (e.g. /14) to have a range chosen with a specific netmask.

Set to a CIDR notation (e.g. 10.96.0.0/14) from the RFC-1918 private networks (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to pick a specific range to use.

allowRouteOverlap

boolean

If true, allow allocation of cluster CIDR ranges that overlap with certain kinds of network routes. By default we do not allow cluster CIDR ranges to intersect with any user declared routes. With allowRouteOverlap == true, we allow overlapping with CIDR ranges that are larger than the cluster CIDR range.

If this field is set to true, then cluster and services CIDRs must be fully-specified (e.g. 10.96.0.0/14, but not /14), which means: 1) When useIpAliases is true, clusterIpv4CidrBlock and servicesIpv4CidrBlock must be fully-specified. 2) When useIpAliases is false, cluster.cluster_ipv4_cidr must be fully-specified.

tpuIpv4CidrBlock

string

The IP address range of the Cloud TPUs in this cluster. If unspecified, a range will be automatically chosen with the default size.

This field is only applicable when useIpAliases is true.

If unspecified, the range will use the default size.

Set to /netmask (e.g. /14) to have a range chosen with a specific netmask.

Set to a CIDR notation (e.g. 10.96.0.0/14) from the RFC-1918 private networks (e.g. 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) to pick a specific range to use. This field is deprecated, use cluster.tpu_config.ipv4_cidr_block instead.

useRoutes

boolean

Whether routes will be used for pod IPs in the cluster. This is used in conjunction with useIpAliases. It cannot be true if useIpAliases is true. If both useIpAliases and useRoutes are false, then the server picks the default IP allocation mode.

stackType

enum (StackType)

IP stack type.

ipv6AccessType

enum (IPv6AccessType)

The IPv6 access type (internal or external) when createSubnetwork is true.

podCidrOverprovisionConfig

object (PodCIDROverprovisionConfig)

[PRIVATE FIELD] Pod CIDR size overprovisioning config for the cluster.

Pod CIDR size per node depends on maxPodsPerNode. By default, the value of maxPodsPerNode is doubled and then rounded off to next power of 2 to get the size of pod CIDR block per node. Example: maxPodsPerNode of 30 would result in 64 IPs (/26).

This config can disable the doubling of IPs (we still round off to the next power of 2). Example: maxPodsPerNode of 30 will result in 32 IPs (/27) when overprovisioning is disabled.

subnetIpv6CidrBlock

string

Output only. The subnet's IPv6 CIDR block used by nodes and pods.

servicesIpv6CidrBlock

string

Output only. The services IPv6 CIDR block for the cluster.

additionalPodRangesConfig

object (AdditionalPodRangesConfig)

Output only. The additional pod ranges that are added to the cluster. These pod ranges can be used by new node pools to allocate pod IPs automatically. Once the range is removed it will not show up in IPAllocationPolicy.

defaultPodIpv4RangeUtilization

number

Output only. The utilization of the cluster default IPv4 range for pods. The ratio is Usage / [total number of IPs in the secondary range], where Usage = numNodes * numZones * podIPsPerNode.
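Worked example, added for this page and not GKE's own code, of the sizing rules described for podCidrOverprovisionConfig and defaultPodIpv4RangeUtilization: the per-node pod CIDR derived from maxPodsPerNode with and without overprovisioning, the node capacity that follows for a cluster pod range, and the utilization ratio; it also classifies the three accepted forms of clusterIpv4CidrBlock (blank, /netmask, RFC 1918 CIDR). The ranges and node counts used below are constructed.

```python
"""Pod CIDR sizing, pod-range capacity and utilization, plus validation of
the clusterIpv4CidrBlock / nodeIpv4CidrBlock / servicesIpv4CidrBlock value
forms.  Example code written for this page; it reproduces only the rules the
field descriptions state and is not GKE's implementation."""
import ipaddress

# The private networks the field descriptions allow a CIDR to be taken from.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def next_power_of_two(n: int) -> int:
    """Smallest power of two >= n, for n >= 1 (integer arithmetic only)."""
    return 1 << (n - 1).bit_length()


def pod_cidr_prefix(max_pods_per_node: int, overprovision: bool = True) -> int:
    """Prefix length of the per-node pod range.

    Default: maxPodsPerNode is doubled, then rounded up to a power of two
    (30 -> 64 IPs, /26).  With overprovisioning disabled only the rounding
    is applied (30 -> 32 IPs, /27).
    """
    if max_pods_per_node < 1:
        raise ValueError("maxPodsPerNode must be positive")
    ips = next_power_of_two(max_pods_per_node * (2 if overprovision else 1))
    # ips is a power of two, so bit_length() - 1 is its exact log2
    return 32 - (ips.bit_length() - 1)


def parse_cidr_block_setting(value: str):
    """Classify a *Ipv4CidrBlock value.

    Returns ("default", None) for blank, ("netmask", n) for "/n", or
    ("cidr", network) for a CIDR inside an RFC 1918 network; anything else
    (public ranges, host bits set) is rejected with ValueError.
    """
    value = value.strip()
    if not value:
        return ("default", None)
    if value.startswith("/"):
        prefix = int(value[1:])
        if not 0 < prefix <= 32:
            raise ValueError(f"bad netmask {value}")
        return ("netmask", prefix)
    net = ipaddress.IPv4Network(value, strict=True)  # rejects e.g. 10.96.1.0/14
    if not any(net.subnet_of(private) for private in RFC1918):
        raise ValueError(f"{value} is not inside an RFC 1918 private network")
    return ("cidr", net)


def _fully_specified(pod_range_cidr: str) -> ipaddress.IPv4Network:
    kind, net = parse_cidr_block_setting(pod_range_cidr)
    if kind != "cidr":
        raise ValueError("a fully specified CIDR (e.g. 10.96.0.0/14) is required")
    return net


def pod_range_capacity(pod_range_cidr: str, max_pods_per_node: int,
                       overprovision: bool = True) -> int:
    """Number of nodes the cluster pod range can hold at the per-node CIDR size."""
    net = _fully_specified(pod_range_cidr)
    per_node_ips = 1 << (32 - pod_cidr_prefix(max_pods_per_node, overprovision))
    return net.num_addresses // per_node_ips


def pod_range_utilization(pod_range_cidr: str, num_nodes: int, num_zones: int,
                          max_pods_per_node: int, overprovision: bool = True) -> float:
    """defaultPodIpv4RangeUtilization: Usage / total IPs in the secondary
    range, with Usage = numNodes * numZones * podIPsPerNode."""
    net = _fully_specified(pod_range_cidr)
    per_node_ips = 1 << (32 - pod_cidr_prefix(max_pods_per_node, overprovision))
    usage = num_nodes * num_zones * per_node_ips
    return usage / net.num_addresses


if __name__ == "__main__":
    # Constructed scenario: 100 nodes per zone in 3 zones, 30 pods per node.
    print("per-node prefix:", pod_cidr_prefix(30), pod_cidr_prefix(30, False))
    print("capacity of 10.96.0.0/14:", pod_range_capacity("10.96.0.0/14", 30))
    print("utilization:", pod_range_utilization("10.96.0.0/14", 100, 3, 30))
```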

StackType

Possible values for IP stack type

Enums
STACK_TYPE_UNSPECIFIED By default, the cluster will be IPv4 only.
IPV4 The value used if the cluster is IPv4 only.
IPV4_IPV6 The value used if the cluster is a dual-stack cluster.

IPv6AccessType

IPv6 access type

Enums
IPV6_ACCESS_TYPE_UNSPECIFIED Default value, will be defaulted as type external.
INTERNAL Access type internal (all v6 addresses are internal IPs)
EXTERNAL Access type external (all v6 addresses are external IPs)

AdditionalPodRangesConfig

AdditionalPodRangesConfig is the configuration for additional pod secondary ranges supporting the ClusterUpdate message.

JSON representation
{
  "podRangeNames": [
    string
  ],
  "podRangeInfo": [
    {
      object (RangeInfo)
    }
  ]
}
Fields
podRangeNames[]

string

Name of a pod secondary IPv4 range whose actual range has been defined ahead of time.

podRangeInfo[]

object (RangeInfo)

Output only. Information for additional pod range.

RangeInfo

RangeInfo contains the range name and the range utilization by this cluster.

JSON representation
{
  "rangeName": string,
  "utilization": number
}
Fields
rangeName

string

Output only. Name of a range.

utilization

number

Output only. The utilization of the range.

MasterAuthorizedNetworksConfig

Configuration options for the master authorized networks feature. When enabled, master authorized networks disallows all external traffic to the Kubernetes master over HTTPS except traffic from the given CIDR blocks, Google Compute Engine Public IPs and Google Prod IPs.

JSON representation
{
  "enabled": boolean,
  "cidrBlocks": [
    {
      object (CidrBlock)
    }
  ],
  "gcpPublicCidrsAccessEnabled": boolean,
  "privateEndpointEnforcementEnabled": boolean
}
Fields
enabled

boolean

Whether or not master authorized networks is enabled.

cidrBlocks[]

object (CidrBlock)

cidrBlocks define up to 10 external networks that can access the Kubernetes master through HTTPS.

gcpPublicCidrsAccessEnabled

boolean

Whether the master is accessible via Google Compute Engine Public IP addresses.

privateEndpointEnforcementEnabled

boolean

Whether master authorized networks is enforced on private endpoint or not.

CidrBlock

CidrBlock contains an optional name and one CIDR block.

JSON representation
{
  "displayName": string,
  "cidrBlock": string
}
Fields
displayName

string

displayName is an optional field for users to identify CIDR blocks.

cidrBlock

string

cidrBlock must be specified in CIDR notation.

MaintenancePolicy

MaintenancePolicy defines the maintenance policy to be used for the cluster.

JSON representation
{
  "window": {
    object (MaintenanceWindow)
  },
  "resourceVersion": string
}
Fields
window

object (MaintenanceWindow)

Specifies the maintenance window in which maintenance may be performed.

resourceVersion

string

A hash identifying the version of this policy, so that updates to fields of the policy won't accidentally undo intermediate changes (and so that users of the API unaware of some fields won't accidentally remove other fields). Make a get() request to the cluster to get the current resource version and include it with requests to set the policy.

MaintenanceWindow

MaintenanceWindow defines the maintenance window to be used for the cluster.

JSON representation
{
  "maintenanceExclusions": {
    string: {
      object (TimeWindow)
    },
    ...
  },

  // Union field policy can be only one of the following:
  "dailyMaintenanceWindow": {
    object (DailyMaintenanceWindow)
  },
  "recurringWindow": {
    object (RecurringTimeWindow)
  }
  // End of list of possible types for union field policy.
}
Fields
maintenanceExclusions

map (key: string, value: object (TimeWindow))

Exceptions to maintenance window. Non-emergency maintenance should not occur in these windows.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

Union field policy. policy can be only one of the following:
dailyMaintenanceWindow

object (DailyMaintenanceWindow)

DailyMaintenanceWindow specifies a daily maintenance operation window.

recurringWindow

object (RecurringTimeWindow)

RecurringWindow specifies some number of recurring time periods for maintenance to occur. The time windows may be overlapping. If no maintenance windows are set, maintenance can occur at any time.

DailyMaintenanceWindow

Time window specified for daily maintenance operations.

JSON representation
{
  "startTime": string,
  "duration": string
}
Fields
startTime

string

Time within the maintenance window to start the maintenance operations. It must be in format "HH:MM", where HH : [00-23] and MM : [00-59] GMT.

duration

string

Output only. Duration of the time window, automatically chosen to be smallest possible in the given scenario.

RecurringTimeWindow

Represents an arbitrary window of time that recurs.

JSON representation
{
  "window": {
    object (TimeWindow)
  },
  "recurrence": string
}
Fields
window

object (TimeWindow)

The window of the first recurrence.

recurrence

string

An RRULE (https://tools.ietf.org/html/rfc5545#section-3.8.5.3) for how this window recurs. They go on for the span of time between the start and end time.

For example, to have something repeat every weekday, you'd use: FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR

To repeat some window daily (equivalent to the DailyMaintenanceWindow): FREQ=DAILY

For the first weekend of every month: FREQ=MONTHLY;BYSETPOS=1;BYDAY=SA,SU

This specifies how frequently the window starts. E.g., if you wanted to have a 9-5 UTC-4 window every weekday, you'd use something like:

start time = 2019-01-01T09:00:00-0400
end time = 2019-01-01T17:00:00-0400
recurrence = FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR

Windows can span multiple days. E.g., to make the window encompass every weekend from midnight Saturday till the last minute of Sunday UTC:

start time = 2019-01-05T00:00:00Z
end time = 2019-01-07T23:59:00Z
recurrence = FREQ=WEEKLY;BYDAY=SA

Note the start and end time's specific dates are largely arbitrary except to specify duration of the window and when it first starts. The FREQ values of HOURLY, MINUTELY, and SECONDLY are not supported.

TimeWindow

Represents an arbitrary window of time.

JSON representation
{
  "startTime": string,
  "endTime": string,

  // Union field options can be only one of the following:
  "maintenanceExclusionOptions": {
    object (MaintenanceExclusionOptions)
  }
  // End of list of possible types for union field options.
}
Fields
startTime

string (Timestamp format)

The time that the window first starts.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

endTime

string (Timestamp format)

The time that the window ends. The end time should take place after the start time.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Union field options.

options can be only one of the following:

maintenanceExclusionOptions

object (MaintenanceExclusionOptions)

MaintenanceExclusionOptions provides maintenance exclusion related options.

MaintenanceExclusionOptions

Represents the Maintenance exclusion option.

JSON representation
{
  "scope": enum (Scope)
}
Fields
scope

enum (Scope)

Scope specifies the upgrade scope which upgrades are blocked by the exclusion.

Scope

Scope of exclusion.

Enums
NO_UPGRADES NO_UPGRADES excludes all upgrades, including patch upgrades and minor upgrades across control planes and nodes. This is the default exclusion behavior.
NO_MINOR_UPGRADES NO_MINOR_UPGRADES excludes all minor upgrades for the cluster, only patches are allowed.
NO_MINOR_OR_NODE_UPGRADES NO_MINOR_OR_NODE_UPGRADES excludes all minor upgrades for the cluster, and also excludes all node pool upgrades. Only control plane patches are allowed.
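An added example, not part of the GKE API or its client libraries, that evaluates the RecurringTimeWindow RRULE forms shown above together with maintenanceExclusions and their Scope to decide whether a given kind of upgrade may run at a given instant. It assumes only FREQ=DAILY and FREQ=WEEKLY with BYDAY need handling, treats window and exclusion end times as exclusive, and skips dailyMaintenanceWindow because its duration is output only; the sample policies are constructed from the page's own window examples.

```python
"""Maintenance window evaluation: RecurringTimeWindow (RRULE) occurrences
plus maintenanceExclusions with MaintenanceExclusionOptions.scope.
Example code written for this page, not GKE's implementation."""
from datetime import datetime, timedelta

_DAY_CODES = {"MO": 0, "TU": 1, "WE": 2, "TH": 3, "FR": 4, "SA": 5, "SU": 6}


def parse_time(s: str) -> datetime:
    """Parse the RFC 3339 forms used on the page ('...Z' or '...-0400')."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S%z")


def recurrence_weekdays(rrule: str) -> set:
    """Weekdays (Monday=0) on which an occurrence of the window starts."""
    parts = dict(kv.split("=", 1) for kv in rrule.split(";") if kv)
    freq = parts.get("FREQ")
    if freq in ("HOURLY", "MINUTELY", "SECONDLY"):
        raise ValueError(f"FREQ={freq} is not supported by GKE")
    if freq == "DAILY":
        return set(range(7))
    if freq == "WEEKLY" and parts.get("BYDAY"):
        return {_DAY_CODES[d] for d in parts["BYDAY"].split(",")}
    raise ValueError(f"recurrence {rrule!r} is not handled by this example")


def in_recurring_window(t: datetime, recurring: dict) -> bool:
    """True if t falls inside some occurrence of a RecurringTimeWindow."""
    start = parse_time(recurring["window"]["startTime"])
    end = parse_time(recurring["window"]["endTime"])
    duration = end - start
    if duration <= timedelta(0):
        raise ValueError("endTime must be after startTime")
    weekdays = recurrence_weekdays(recurring["recurrence"])
    # Occurrences begin at the first window's wall-clock time on each
    # qualifying weekday and last `duration`; they may span several days and
    # may overlap.  Only occurrences that begin within `duration` before t
    # can contain t, so walk forward from that day.
    k = max(0, (t - duration - start).days)
    while True:
        occurrence = start + timedelta(days=k)
        if occurrence > t:
            return False
        if occurrence.weekday() in weekdays and t < occurrence + duration:
            return True
        k += 1


def scope_blocks(scope: str, component: str, kind: str) -> bool:
    """Apply the Scope enum.  component is 'control_plane' or 'node_pool';
    kind is 'patch' or 'minor'."""
    if scope == "NO_UPGRADES":
        return True
    if scope == "NO_MINOR_UPGRADES":
        return kind == "minor"
    if scope == "NO_MINOR_OR_NODE_UPGRADES":
        return kind == "minor" or component == "node_pool"
    raise ValueError(f"unknown scope {scope}")


def upgrade_permitted(t: datetime, maintenance_window: dict,
                      component: str, kind: str) -> bool:
    """An upgrade may run at t if no active exclusion blocks it and t lies in
    the recurring window; with no window set, maintenance can occur any time."""
    for excl in maintenance_window.get("maintenanceExclusions", {}).values():
        s, e = parse_time(excl["startTime"]), parse_time(excl["endTime"])
        # NO_UPGRADES is the default exclusion behaviour when no scope is given.
        scope = excl.get("maintenanceExclusionOptions", {}).get("scope", "NO_UPGRADES")
        if s <= t < e and scope_blocks(scope, component, kind):
            return False
    recurring = maintenance_window.get("recurringWindow")
    if recurring is None:
        return True
    return in_recurring_window(t, recurring)


# Constructed sample: the page's 9-to-5 UTC-4 weekday window plus a one-week
# freeze that blocks minor upgrades but still lets patches through.
WEEKDAY_POLICY = {
    "recurringWindow": {
        "window": {"startTime": "2019-01-01T09:00:00-0400",
                   "endTime": "2019-01-01T17:00:00-0400"},
        "recurrence": "FREQ=WEEKLY;BYDAY=MO,TU,WE,TH,FR",
    },
    "maintenanceExclusions": {
        "january-freeze": {
            "startTime": "2019-01-07T00:00:00Z",
            "endTime": "2019-01-11T00:00:00Z",
            "maintenanceExclusionOptions": {"scope": "NO_MINOR_UPGRADES"},
        }
    },
}

# Constructed sample: the page's weekend window, no exclusions.
WEEKEND_POLICY = {
    "recurringWindow": {
        "window": {"startTime": "2019-01-05T00:00:00Z",
                   "endTime": "2019-01-07T23:59:00Z"},
        "recurrence": "FREQ=WEEKLY;BYDAY=SA",
    }
}
```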

BinaryAuthorization

Configuration for Binary Authorization.

JSON representation
{
  "enabled": boolean,
  "evaluationMode": enum (EvaluationMode),
  "policyBindings": [
    {
      object (PolicyBinding)
    }
  ]
}
Fields
enabled
(deprecated)

boolean

This field is deprecated. Leave this unset and instead configure BinaryAuthorization using evaluationMode. If evaluationMode is set to anything other than EVALUATION_MODE_UNSPECIFIED, this field is ignored.

evaluationMode

enum (EvaluationMode)

Mode of operation for binauthz policy evaluation. If unspecified, defaults to DISABLED.

policyBindings[]

object (PolicyBinding)

Optional. Binauthz policies that apply to this cluster.

EvaluationMode

Binary Authorization mode of operation.

Enums
EVALUATION_MODE_UNSPECIFIED Default value
DISABLED Disable BinaryAuthorization
PROJECT_SINGLETON_POLICY_ENFORCE Enforce Kubernetes admission requests with BinaryAuthorization using the project's singleton policy. This is equivalent to setting the enabled boolean to true.
POLICY_BINDINGS Use Binary Authorization Continuous Validation with the policies specified in policyBindings.
POLICY_BINDINGS_AND_PROJECT_SINGLETON_POLICY_ENFORCE Use Binary Authorization Continuous Validation with the policies specified in policyBindings and enforce Kubernetes admission requests with Binary Authorization using the project's singleton policy.

PolicyBinding

Binauthz policy that applies to this cluster.

JSON representation
{
  "name": string
}
Fields
name

string

The relative resource name of the binauthz platform policy to evaluate. GKE platform policies have the following format: projects/{projectNumber}/platforms/gke/policies/{policyId}.

PodSecurityPolicyConfig

Configuration for the PodSecurityPolicy feature.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Enable the PodSecurityPolicy controller for this cluster. If enabled, pods must be valid under a PodSecurityPolicy to be created.

ClusterAutoscaling

ClusterAutoscaling contains global, per-cluster information required by Cluster Autoscaler to automatically adjust the size of the cluster and create/delete node pools based on the current needs.

JSON representation
{
  "enableNodeAutoprovisioning": boolean,
  "resourceLimits": [
    {
      object (ResourceLimit)
    }
  ],
  "autoscalingProfile": enum (AutoscalingProfile),
  "autoprovisioningNodePoolDefaults": {
    object (AutoprovisioningNodePoolDefaults)
  },
  "autoprovisioningLocations": [
    string
  ]
}
Fields
enableNodeAutoprovisioning

boolean

Enables automatic node pool creation and deletion.

resourceLimits[]

object (ResourceLimit)

Contains global constraints regarding the minimum and maximum amount of resources in the cluster.

autoscalingProfile

enum (AutoscalingProfile)

Defines autoscaling behaviour.

autoprovisioningNodePoolDefaults

object (AutoprovisioningNodePoolDefaults)

AutoprovisioningNodePoolDefaults contains defaults for a node pool created by NAP.

autoprovisioningLocations[]

string

The list of Google Compute Engine zones in which the NodePool's nodes can be created by NAP.

ResourceLimit

Contains information about the amount of some resource in the cluster. For memory, the value should be in GB.

JSON representation
{
  "resourceType": string,
  "minimum": string,
  "maximum": string
}
Fields
resourceType

string

Resource name "cpu", "memory" or gpu-specific string.

minimum

string (int64 format)

Minimum amount of the resource in the cluster.

maximum

string (int64 format)

Maximum amount of the resource in the cluster.

AutoscalingProfile

Defines possible options for autoscalingProfile field.

Enums
PROFILE_UNSPECIFIED No change to autoscaling configuration.
OPTIMIZE_UTILIZATION Prioritize optimizing utilization of resources.
BALANCED Use default (balanced) autoscaling configuration.

AutoprovisioningNodePoolDefaults

AutoprovisioningNodePoolDefaults contains defaults for a node pool created by NAP.

JSON representation
{
  "oauthScopes": [
    string
  ],
  "serviceAccount": string,
  "upgradeSettings": {
    object (UpgradeSettings)
  },
  "management": {
    object (NodeManagement)
  },
  "minCpuPlatform": string,
  "diskSizeGb": integer,
  "diskType": string,
  "shieldedInstanceConfig": {
    object (ShieldedInstanceConfig)
  },
  "bootDiskKmsKey": string,
  "imageType": string,
  "insecureKubeletReadonlyPortEnabled": boolean
}
Fields
oauthScopes[]

string

The set of Google API scopes to be made available on all of the node VMs under the "default" service account.

The following scopes are recommended, but not required, and by default are not included:

  • https://www.googleapis.com/auth/compute is required for mounting persistent storage on your nodes.
  • https://www.googleapis.com/auth/devstorage.read_only is required for communicating with gcr.io (the Google Container Registry).

If unspecified, no scopes are added, unless Cloud Logging or Cloud Monitoring are enabled, in which case their required scopes will be added.

serviceAccount

string

The Google Cloud Platform Service Account to be used by the node VMs. Specify the email address of the Service Account; otherwise, if no Service Account is specified, the "default" service account is used.

upgradeSettings

object (UpgradeSettings)

Upgrade settings control disruption and speed of the upgrade.

management

object (NodeManagement)

NodeManagement configuration for this NodePool.

minCpuPlatform
(deprecated)

string

Deprecated. Minimum CPU platform to be used for NAP-created node pools. The instance may be scheduled on the specified or newer CPU platform. Applicable values are the friendly names of CPU platforms, such as minCpuPlatform: Intel Haswell or minCpuPlatform: Intel Sandy Bridge. For more information, read how to specify min CPU platform. This field is deprecated; minCpuPlatform should be specified using the cloud.google.com/requested-min-cpu-platform label selector on the pod. To unset the min CPU platform field, pass "automatic" as the field value.

diskSizeGb

integer

Size of the disk attached to each node, specified in GB. The smallest allowed disk size is 10GB.

If unspecified, the default disk size is 100GB.

diskType

string

Type of the disk attached to each node (e.g. 'pd-standard', 'pd-ssd' or 'pd-balanced').

If unspecified, the default disk type is 'pd-standard'.

shieldedInstanceConfig

object (ShieldedInstanceConfig)

Shielded Instance options.

bootDiskKmsKey

string

The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption

imageType

string

The image type to use for NAP-created nodes. Please see https://cloud.google.com/kubernetes-engine/docs/concepts/node-images for available image types.

insecureKubeletReadonlyPortEnabled

boolean

Enable or disable the Kubelet read-only port.

NetworkConfig

NetworkConfig reports the relative names of network & subnetwork.

JSON representation
{
  "network": string,
  "subnetwork": string,
  "enableIntraNodeVisibility": boolean,
  "defaultSnatStatus": {
    object (DefaultSnatStatus)
  },
  "enableL4ilbSubsetting": boolean,
  "datapathProvider": enum (DatapathProvider),
  "privateIpv6GoogleAccess": enum (PrivateIPv6GoogleAccess),
  "dnsConfig": {
    object (DNSConfig)
  },
  "serviceExternalIpsConfig": {
    object (ServiceExternalIPsConfig)
  },
  "gatewayApiConfig": {
    object (GatewayAPIConfig)
  },
  "enableMultiNetworking": boolean,
  "networkPerformanceConfig": {
    object (ClusterNetworkPerformanceConfig)
  },
  "enableFqdnNetworkPolicy": boolean,
  "inTransitEncryptionConfig": enum (InTransitEncryptionConfig),
  "enableCiliumClusterwideNetworkPolicy": boolean,
  "defaultEnablePrivateNodes": boolean
}
Fields
network

string

Output only. The relative name of the Google Compute Engine network (https://cloud.google.com/compute/docs/networks-and-firewalls#networks) to which the cluster is connected. Example: projects/my-project/global/networks/my-network

subnetwork

string

Output only. The relative name of the Google Compute Engine subnetwork to which the cluster is connected. Example: projects/my-project/regions/us-central1/subnetworks/my-subnet

enableIntraNodeVisibility

boolean

Whether intra-node visibility is enabled for this cluster. This makes same-node pod-to-pod traffic visible to the VPC network.

defaultSnatStatus

object (DefaultSnatStatus)

Whether the cluster disables default in-node sNAT rules. In-node sNAT rules will be disabled when defaultSnatStatus is disabled. When disabled is set to false, default IP masquerade rules will be applied to the nodes to prevent sNAT on cluster internal traffic.

enableL4ilbSubsetting

boolean

Whether L4ILB Subsetting is enabled for this cluster.

datapathProvider

enum (DatapathProvider)

The desired datapath provider for this cluster. By default, uses the IPTables-based kube-proxy implementation.

privateIpv6GoogleAccess

enum (PrivateIPv6GoogleAccess)

The desired state of IPv6 connectivity to Google Services. By default, no private IPv6 access to or from Google Services (all access will be via IPv4).

dnsConfig

object (DNSConfig)

DNSConfig contains clusterDNS config for this cluster.

serviceExternalIpsConfig

object (ServiceExternalIPsConfig)

ServiceExternalIPsConfig specifies if services with externalIPs field are blocked or not.

gatewayApiConfig

object (GatewayAPIConfig)

GatewayAPIConfig contains the desired config of Gateway API on this cluster.

enableMultiNetworking

boolean

Whether multi-networking is enabled for this cluster.

networkPerformanceConfig

object (ClusterNetworkPerformanceConfig)

Network bandwidth tier configuration.

enableFqdnNetworkPolicy

boolean

Whether FQDN Network Policy is enabled on this cluster.

inTransitEncryptionConfig

enum (InTransitEncryptionConfig)

Specify the details of in-transit encryption.

enableCiliumClusterwideNetworkPolicy

boolean

Whether CiliumClusterWideNetworkPolicy is enabled on this cluster.

defaultEnablePrivateNodes

boolean

Controls whether by default nodes have private IP addresses only. It is invalid to specify both PrivateClusterConfig.enablePrivateNodes and this field at the same time. To update the default setting, use ClusterUpdate.desired_default_enable_private_nodes.

DefaultSnatStatus

DefaultSnatStatus contains the desired state of whether default sNAT should be disabled on the cluster.

JSON representation
{
  "disabled": boolean
}
Fields
disabled

boolean

Disables cluster default sNAT rules.

DatapathProvider

The datapath provider selects the implementation of the Kubernetes networking model for service resolution and network policy enforcement.

Enums
DATAPATH_PROVIDER_UNSPECIFIED Default value.
LEGACY_DATAPATH Use the IPTables implementation based on kube-proxy.
ADVANCED_DATAPATH Use the eBPF based GKE Dataplane V2 with additional features. See the GKE Dataplane V2 documentation for more.

PrivateIPv6GoogleAccess

PrivateIPv6GoogleAccess controls whether and how the pods can communicate with Google Services through gRPC over IPv6.

Enums
PRIVATE_IPV6_GOOGLE_ACCESS_UNSPECIFIED Default value. Same as DISABLED
PRIVATE_IPV6_GOOGLE_ACCESS_DISABLED No private access to or from Google Services
PRIVATE_IPV6_GOOGLE_ACCESS_TO_GOOGLE Enables private IPv6 access to Google Services from GKE
PRIVATE_IPV6_GOOGLE_ACCESS_BIDIRECTIONAL Enables private IPv6 access to and from Google Services

DNSConfig

DNSConfig contains the desired set of options for configuring clusterDNS.

JSON representation
{
  "clusterDns": enum (Provider),
  "clusterDnsScope": enum (DNSScope),
  "clusterDnsDomain": string,
  "additiveVpcScopeDnsDomain": string
}
Fields
clusterDns

enum (Provider)

clusterDns indicates which in-cluster DNS provider should be used.

clusterDnsScope

enum (DNSScope)

clusterDnsScope indicates the scope of access to cluster DNS records.

clusterDnsDomain

string

clusterDnsDomain is the suffix used for all cluster service records.

additiveVpcScopeDnsDomain

string

Optional. The domain used in Additive VPC scope.

Provider

Provider lists the various in-cluster DNS providers.

Enums
PROVIDER_UNSPECIFIED Default value
PLATFORM_DEFAULT Use the GKE default DNS provider (kube-dns) for DNS resolution.
CLOUD_DNS Use CloudDNS for DNS resolution.
KUBE_DNS Use KubeDNS for DNS resolution.

DNSScope

DNSScope lists the various scopes of access to cluster DNS records.

Enums
DNS_SCOPE_UNSPECIFIED Default value, will be inferred as cluster scope.
CLUSTER_SCOPE DNS records are accessible from within the cluster.
VPC_SCOPE DNS records are accessible from within the VPC.

ServiceExternalIPsConfig

Config to block services with externalIPs field.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether Services with ExternalIPs field are allowed or not.

GatewayAPIConfig

GatewayAPIConfig contains the desired config of Gateway API on this cluster.

JSON representation
{
  "channel": enum (Channel)
}
Fields
channel

enum (Channel)

The Gateway API release channel to use for Gateway API.

Channel

Channel describes if/how Gateway API should be installed and implemented in a cluster.

Enums
CHANNEL_UNSPECIFIED Default value.
CHANNEL_DISABLED Gateway API support is disabled.
CHANNEL_EXPERIMENTAL Deprecated: use CHANNEL_STANDARD instead. Gateway API support is enabled, experimental CRDs are installed.
CHANNEL_STANDARD Gateway API support is enabled, standard CRDs are installed.

ClusterNetworkPerformanceConfig

Configuration of all network bandwidth tiers.

JSON representation
{
  "totalEgressBandwidthTier": enum (Tier)
}
Fields
totalEgressBandwidthTier

enum (Tier)

Specifies the total network bandwidth tier for the NodePool.

Tier

Node network tier.

Enums
TIER_UNSPECIFIED Default value
TIER_1 Higher bandwidth, actual values based on VM size.

InTransitEncryptionConfig

Options for in-transit encryption.

Enums
IN_TRANSIT_ENCRYPTION_CONFIG_UNSPECIFIED Unspecified, will be inferred as default - IN_TRANSIT_ENCRYPTION_UNSPECIFIED.
IN_TRANSIT_ENCRYPTION_DISABLED In-transit encryption is disabled.
IN_TRANSIT_ENCRYPTION_INTER_NODE_TRANSPARENT Data in-transit is encrypted using inter-node transparent encryption.

ResourceUsageExportConfig

Configuration for exporting cluster resource usages.

JSON representation
{
  "bigqueryDestination": {
    object (BigQueryDestination)
  },
  "enableNetworkEgressMetering": boolean,
  "consumptionMeteringConfig": {
    object (ConsumptionMeteringConfig)
  }
}
Fields
bigqueryDestination

object (BigQueryDestination)

Configuration to use BigQuery as usage export destination.

enableNetworkEgressMetering

boolean

Whether to enable network egress metering for this cluster. If enabled, a daemonset will be created in the cluster to meter network egress traffic.

consumptionMeteringConfig

object (ConsumptionMeteringConfig)

Configuration to enable resource consumption metering.

BigQueryDestination

Parameters for using BigQuery as the destination of resource usage export.

JSON representation
{
  "datasetId": string
}
Fields
datasetId

string

The ID of a BigQuery Dataset.

ConsumptionMeteringConfig

Parameters for controlling consumption metering.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether to enable consumption metering for this cluster. If enabled, a second BigQuery table will be created to hold resource consumption records.

AuthenticatorGroupsConfig

Configuration for returning group information from authenticators.

JSON representation
{
  "enabled": boolean,
  "securityGroup": string
}
Fields
enabled

boolean

Whether this cluster should return group membership lookups during authentication using a group of security groups.

securityGroup

string

The name of the security group-of-groups to be used. Only relevant if enabled = true.

PrivateClusterConfig

Configuration options for private clusters.

JSON representation
{
  "enablePrivateNodes": boolean,
  "enablePrivateEndpoint": boolean,
  "masterIpv4CidrBlock": string,
  "privateEndpoint": string,
  "publicEndpoint": string,
  "peeringName": string,
  "masterGlobalAccessConfig": {
    object (PrivateClusterMasterGlobalAccessConfig)
  },
  "privateEndpointSubnetwork": string
}
Fields
enablePrivateNodes
(deprecated)

boolean

Whether nodes have internal IP addresses only. If enabled, all nodes are given only RFC 1918 private addresses and communicate with the master via private networking.

Deprecated: Use NetworkConfig.default_enable_private_nodes instead.

enablePrivateEndpoint
(deprecated)

boolean

Whether the master's internal IP address is used as the cluster endpoint. Use ControlPlaneEndpointsConfig.IPEndpointsConfig.enable_public_endpoint instead. Note that the value of enablePublicEndpoint is reversed: if enablePrivateEndpoint is false, then enablePublicEndpoint will be true.

masterIpv4CidrBlock

string

The IP range in CIDR notation to use for the hosted master network. This range will be used for assigning internal IP addresses to the master or set of masters, as well as the ILB VIP. This range must not overlap with any other ranges in use within the cluster's network.

privateEndpoint
(deprecated)

string

Output only. The internal IP address of this cluster's master endpoint.

Deprecated: Use ControlPlaneEndpointsConfig.IPEndpointsConfig.private_endpoint instead.

publicEndpoint
(deprecated)

string

Output only. The external IP address of this cluster's master endpoint.

Deprecated: Use ControlPlaneEndpointsConfig.IPEndpointsConfig.public_endpoint instead.

peeringName

string

Output only. The peering name in the customer VPC used by this cluster.

masterGlobalAccessConfig
(deprecated)

object (PrivateClusterMasterGlobalAccessConfig)

Controls master global access settings.

Deprecated: Use ControlPlaneEndpointsConfig.IPEndpointsConfig.enable_global_access instead.

privateEndpointSubnetwork
(deprecated)

string

Subnet to provision the master's private endpoint during cluster creation. Specified in projects/*/regions/*/subnetworks/* format.

Deprecated: Use ControlPlaneEndpointsConfig.IPEndpointsConfig.private_endpoint_subnetwork instead.

PrivateClusterMasterGlobalAccessConfig

Configuration for controlling master global access settings.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether the master is accessible globally or not.

VerticalPodAutoscaling

VerticalPodAutoscaling contains global, per-cluster information required by Vertical Pod Autoscaler to automatically adjust the resources of pods controlled by it.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Enables vertical pod autoscaling.

ShieldedNodes

Configuration of Shielded Nodes feature.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether Shielded Nodes features are enabled on all nodes in this cluster.

ReleaseChannel

ReleaseChannel indicates which release channel a cluster is subscribed to. Release channels are arranged in order of risk.

When a cluster is subscribed to a release channel, Google maintains both the master version and the node version. Node auto-upgrade defaults to true and cannot be disabled.

JSON representation
{
  "channel": enum (Channel)
}
Fields
channel

enum (Channel)

channel specifies which release channel the cluster is subscribed to.

Channel

Possible values for 'channel'.

Enums
UNSPECIFIED No channel specified.
RAPID RAPID channel is offered on an early access basis for customers who want to test new releases. WARNING: Versions available in the RAPID Channel may be subject to unresolved issues with no known workaround and are not subject to any SLAs.
REGULAR Clusters subscribed to REGULAR receive versions that are considered GA quality. REGULAR is intended for production users who want to take advantage of new features.
STABLE Clusters subscribed to STABLE receive versions that are known to be stable and reliable in production.
EXTENDED Clusters subscribed to EXTENDED receive extended support and availability for versions which are known to be stable and reliable in production.

WorkloadIdentityConfig

Configuration for the use of Kubernetes Service Accounts in GCP IAM policies.

JSON representation
{
  "identityNamespace": string,
  "workloadPool": string,
  "identityProvider": string
}
Fields
identityNamespace
(deprecated)

string

IAM Identity Namespace to attach all Kubernetes Service Accounts to.

workloadPool

string

The workload pool to attach all Kubernetes service accounts to.

identityProvider

string

identityProvider is the third-party identity provider.

WorkloadCertificates

Configuration for issuance of mTLS keys and certificates to Kubernetes pods.

JSON representation
{
  "enableCertificates": boolean
}
Fields
enableCertificates

boolean

enableCertificates controls issuance of workload mTLS certificates.

If set, the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster, which can then be configured by creating a WorkloadCertificateConfig Custom Resource.

Requires Workload Identity (workloadPool must be non-empty).

MeshCertificates

Configuration for issuance of mTLS keys and certificates to Kubernetes pods.

JSON representation
{
  "enableCertificates": boolean
}
Fields
enableCertificates

boolean

enableCertificates controls issuance of workload mTLS certificates.

If set, the GKE Workload Identity Certificates controller and node agent will be deployed in the cluster, which can then be configured by creating a WorkloadCertificateConfig Custom Resource.

Requires Workload Identity (workloadPool must be non-empty).

WorkloadALTSConfig

Configuration for direct-path (via ALTS) with workload identity.

JSON representation
{
  "enableAlts": boolean
}
Fields
enableAlts

boolean

enableAlts controls whether the ALTS handshaker is enabled for direct-path.

Requires Workload Identity (workloadPool must be non-empty).

CostManagementConfig

Configuration for fine-grained cost management feature.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether the feature is enabled or not.

ClusterTelemetry

Telemetry integration for the cluster.

JSON representation
{
  "type": enum (Type)
}
Fields
type

enum (Type)

Type of the integration.

Type

Type of the integration.

Enums
UNSPECIFIED Not set.
DISABLED Monitoring integration is disabled.
ENABLED Monitoring integration is enabled.
SYSTEM_ONLY Only system components are monitored and logged.

TpuConfig

Configuration for Cloud TPU.

JSON representation
{
  "enabled": boolean,
  "useServiceNetworking": boolean,
  "ipv4CidrBlock": string
}
Fields
enabled

boolean

Whether Cloud TPU integration is enabled or not.

useServiceNetworking

boolean

Whether to use service networking for Cloud TPU or not.

ipv4CidrBlock

string

IPv4 CIDR block reserved for Cloud TPU in the VPC.

NotificationConfig

NotificationConfig is the configuration of notifications.

JSON representation
{
  "pubsub": {
    object (PubSub)
  }
}
Fields
pubsub

object (PubSub)

Notification config for Pub/Sub.

PubSub

Pub/Sub specific notification config.

JSON representation
{
  "enabled": boolean,
  "topic": string,
  "filter": {
    object (Filter)
  }
}
Fields
enabled

boolean

Enable notifications for Pub/Sub.

topic

string

The desired Pub/Sub topic to which notifications will be sent by GKE. Format is projects/{project}/topics/{topic}.

filter

object (Filter)

Allows filtering to one or more specific event types. If no filter is specified, or if a filter is specified with no event types, all event types will be sent.

Filter

Allows filtering to one or more specific event types. If event types are present, those and only those event types will be transmitted to the cluster. Other types will be skipped. If no filter is specified, or no event types are present, all event types will be sent.

JSON representation
{
  "eventType": [
    enum (EventType)
  ]
}
Fields
eventType[]

enum (EventType)

Event types to allowlist.

EventType

Types of notifications currently supported. Can be used to filter what notifications are sent.

Enums
EVENT_TYPE_UNSPECIFIED Not set, will be ignored.
UPGRADE_AVAILABLE_EVENT Corresponds with UpgradeAvailableEvent.
UPGRADE_EVENT Corresponds with UpgradeEvent.
SECURITY_BULLETIN_EVENT Corresponds with SecurityBulletinEvent.

IdentityServiceConfig

IdentityServiceConfig is the configuration for Identity Service, which allows customers to use external identity providers with the Kubernetes API.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Whether to enable the Identity Service component.

Status

The current status of the cluster.

Enums
STATUS_UNSPECIFIED Not set.
PROVISIONING The PROVISIONING state indicates the cluster is being created.
RUNNING The RUNNING state indicates the cluster has been created and is fully usable.
RECONCILING The RECONCILING state indicates that some work is actively being done on the cluster, such as upgrading the master or node software. Details can be found in the statusMessage field.
STOPPING The STOPPING state indicates the cluster is being deleted.
ERROR The ERROR state indicates the cluster may be unusable. Details can be found in the statusMessage field.
DEGRADED The DEGRADED state indicates the cluster requires user action to restore full functionality. Details can be found in the statusMessage field.

DatabaseEncryption

Configuration of etcd encryption.

JSON representation
{
  "keyName": string,
  "state": enum (State),
  "decryptionKeys": [
    string
  ],
  "lastOperationErrors": [
    {
      object (OperationError)
    }
  ],
  "currentState": enum (CurrentState)
}
Fields
keyName

string

Name of CloudKMS key to use for the encryption of secrets in etcd. Ex. projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key

state

enum (State)

The desired state of etcd encryption.

decryptionKeys[]

string

Output only. Keys in use by the cluster for decrypting existing objects, in addition to the key in keyName.

Each item is a CloudKMS key resource.

lastOperationErrors[]

object (OperationError)

Output only. Records errors seen during DatabaseEncryption update operations.

currentState

enum (CurrentState)

Output only. The current state of etcd encryption.

State

State of etcd encryption.

Enums
UNKNOWN Should never be set.
ENCRYPTED Secrets in etcd are encrypted.
DECRYPTED Secrets in etcd are stored in plain text (at etcd level); this is unrelated to Compute Engine level full disk encryption.

CurrentState

Current State of etcd encryption.

Enums
CURRENT_STATE_UNSPECIFIED Should never be set.
CURRENT_STATE_ENCRYPTED Secrets in etcd are encrypted.
CURRENT_STATE_DECRYPTED Secrets in etcd are stored in plain text (at etcd level); this is unrelated to Compute Engine level full disk encryption.
CURRENT_STATE_ENCRYPTION_PENDING Encryption (or re-encryption with a different CloudKMS key) of Secrets is in progress.
CURRENT_STATE_ENCRYPTION_ERROR Encryption (or re-encryption with a different CloudKMS key) of Secrets in etcd encountered an error.
CURRENT_STATE_DECRYPTION_PENDING Decrypting Secrets to plain text in etcd is in progress.
CURRENT_STATE_DECRYPTION_ERROR Decrypting Secrets to plain text in etcd encountered an error.

OperationError

OperationError records errors seen from CloudKMS keys encountered during updates to DatabaseEncryption configuration.

JSON representation
{
  "keyName": string,
  "errorMessage": string,
  "timestamp": string
}
Fields
keyName

string

CloudKMS key resource that had the error.

errorMessage

string

Description of the error seen during the operation.

timestamp

string (Timestamp format)

Time when the CloudKMS error was seen.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

Master

This type has no fields.

Master is the configuration for components on master.

Autopilot

Autopilot is the configuration for Autopilot settings on the cluster.

JSON representation
{
  "enabled": boolean,
  "workloadPolicyConfig": {
    object (WorkloadPolicyConfig)
  },
  "conversionStatus": {
    object (AutopilotConversionStatus)
  }
}
Fields
enabled

boolean

Enable Autopilot.

workloadPolicyConfig

object (WorkloadPolicyConfig)

WorkloadPolicyConfig is the configuration related to GCW workload policy.

conversionStatus

object (AutopilotConversionStatus)

Output only. ConversionStatus shows conversion status.

WorkloadPolicyConfig

WorkloadPolicyConfig is the configuration related to GCW workload policy.

JSON representation
{
  "allowNetAdmin": boolean
}
Fields
allowNetAdmin

boolean

If true, workloads can use NET_ADMIN capability.

AutopilotConversionStatus

AutopilotConversionStatus represents conversion status.

JSON representation
{
  "state": enum (State)
}
Fields
state

enum (State)

Output only. The current state of the conversion.

State

The current state of the conversion.

Enums
STATE_UNSPECIFIED STATE_UNSPECIFIED indicates the state is unspecified.
DONE DONE indicates the conversion has been completed. Old node pools will continue being deleted in the background.

ParentProductConfig

ParentProductConfig is the configuration of the parent product of the cluster. This field is used by Google internal products that are built on top of a GKE cluster and take the ownership of the cluster.

JSON representation
{
  "productName": string,
  "labels": {
    string: string,
    ...
  }
}
Fields
productName

string

Name of the parent product associated with the cluster.

labels

map (key: string, value: string)

Labels contain the configuration of the parent product.

An object containing a list of "key": value pairs. Example: { "name": "wrench", "mass": "1.3kg", "count": "3" }.

NodePoolDefaults

Subset of Nodepool message that has defaults.

JSON representation
{
  "nodeConfigDefaults": {
    object (NodeConfigDefaults)
  }
}
Fields
nodeConfigDefaults

object (NodeConfigDefaults)

Subset of NodeConfig message that has defaults.

NodeConfigDefaults

Subset of NodeConfig message that has defaults.

JSON representation
{
  "gcfsConfig": {
    object (GcfsConfig)
  },
  "loggingConfig": {
    object (NodePoolLoggingConfig)
  },
  "containerdConfig": {
    object (ContainerdConfig)
  },
  "hostMaintenancePolicy": {
    object (HostMaintenancePolicy)
  },
  "nodeKubeletConfig": {
    object (NodeKubeletConfig)
  }
}
Fields
gcfsConfig

object (GcfsConfig)

GCFS (Google Container File System, also known as Riptide) options.

loggingConfig

object (NodePoolLoggingConfig)

Logging configuration for node pools.

containerdConfig

object (ContainerdConfig)

Parameters for containerd customization.

hostMaintenancePolicy

object (HostMaintenancePolicy)

HostMaintenancePolicy contains the desired maintenance policy for the Google Compute Engine hosts.

nodeKubeletConfig

object (NodeKubeletConfig)

NodeKubeletConfig controls the defaults for new node-pools.

Currently only insecureKubeletReadonlyPortEnabled can be set here.

LoggingConfig

LoggingConfig is cluster logging configuration.

JSON representation
{
  "componentConfig": {
    object (LoggingComponentConfig)
  }
}
Fields
componentConfig

object (LoggingComponentConfig)

Logging components configuration.

LoggingComponentConfig

LoggingComponentConfig is cluster logging component configuration.

JSON representation
{
  "enableComponents": [
    enum (Component)
  ]
}
Fields
enableComponents[]

enum (Component)

Select components to collect logs. An empty set would disable all logging.

Component

GKE components exposing logs.

Enums
COMPONENT_UNSPECIFIED Default value. This shouldn't be used.
SYSTEM_COMPONENTS system components
WORKLOADS workloads
APISERVER kube-apiserver
SCHEDULER kube-scheduler
CONTROLLER_MANAGER kube-controller-manager
KCP_SSHD kcp-sshd
KCP_CONNECTION kcp connection logs

MonitoringConfig

MonitoringConfig is cluster monitoring configuration.

JSON representation
{
  "componentConfig": {
    object (MonitoringComponentConfig)
  },
  "managedPrometheusConfig": {
    object (ManagedPrometheusConfig)
  },
  "advancedDatapathObservabilityConfig": {
    object (AdvancedDatapathObservabilityConfig)
  }
}
Fields
componentConfig

object (MonitoringComponentConfig)

Monitoring components configuration.

managedPrometheusConfig

object (ManagedPrometheusConfig)

Enable Google Cloud Managed Service for Prometheus in the cluster.

advancedDatapathObservabilityConfig

object (AdvancedDatapathObservabilityConfig)

Configuration of Advanced Datapath Observability features.

MonitoringComponentConfig

MonitoringComponentConfig is cluster monitoring component configuration.

JSON representation
{
  "enableComponents": [
    enum (Component)
  ]
}
Fields
enableComponents[]

enum (Component)

Select components to collect metrics. An empty set would disable all monitoring.

Component

GKE components exposing metrics.

Enums
COMPONENT_UNSPECIFIED Default value. This shouldn't be used.
SYSTEM_COMPONENTS system components
WORKLOADS Deprecated: Use Google Cloud Managed Service for Prometheus.
APISERVER kube-apiserver
SCHEDULER kube-scheduler
CONTROLLER_MANAGER kube-controller-manager
STORAGE Storage
HPA Horizontal Pod Autoscaling
POD Pod
DAEMONSET DaemonSet
DEPLOYMENT Deployment
STATEFULSET Statefulset
CADVISOR cAdvisor
KUBELET kubelet
DCGM NVIDIA Data Center GPU Manager (DCGM)

ManagedPrometheusConfig

ManagedPrometheusConfig defines the configuration for Google Cloud Managed Service for Prometheus.

JSON representation
{
  "enabled": boolean,
  "autoMonitoringConfig": {
    object (AutoMonitoringConfig)
  }
}
Fields
enabled

boolean

Enable Managed Collection.

autoMonitoringConfig

object (AutoMonitoringConfig)

GKE Workload Auto-Monitoring Configuration.

AutoMonitoringConfig

AutoMonitoringConfig defines the configuration for GKE Workload Auto-Monitoring.

JSON representation
{
  "scope": enum (Scope)
}
Fields
scope

enum (Scope)

Scope for GKE Workload Auto-Monitoring.

Scope

Scope for applications monitored by Auto-Monitoring

Enums
SCOPE_UNSPECIFIED Not set.
ALL Auto-Monitoring is enabled for all supported applications.
NONE Disable Auto-Monitoring.

AdvancedDatapathObservabilityConfig

AdvancedDatapathObservabilityConfig specifies configuration of observability features of advanced datapath.

JSON representation
{
  "enableMetrics": boolean,
  "relayMode": enum (RelayMode),
  "enableRelay": boolean
}
Fields
enableMetrics

boolean

Expose flow metrics on nodes.

relayMode

enum (RelayMode)

Method used to make Relay available.

enableRelay

boolean

Enable the Relay component.

RelayMode

Supported Relay modes.

Enums
RELAY_MODE_UNSPECIFIED Default value. This shouldn't be used.
DISABLED Relay is disabled.
INTERNAL_VPC_LB Exposed via an internal load balancer.
EXTERNAL_LB Exposed via an external load balancer.

NodePoolAutoConfig

Node pool configs that apply to all auto-provisioned node pools in Autopilot clusters and in clusters with node auto-provisioning enabled.

JSON representation
{
  "networkTags": {
    object (NetworkTags)
  },
  "resourceManagerTags": {
    object (ResourceManagerTags)
  },
  "nodeKubeletConfig": {
    object (NodeKubeletConfig)
  },
  "linuxNodeConfig": {
    object (LinuxNodeConfig)
  }
}
Fields
networkTags

object (NetworkTags)

The list of instance tags applied to all nodes. Tags are used to identify valid sources or targets for network firewalls and are specified by the client during cluster creation. Each tag within the list must comply with RFC1035.

resourceManagerTags

object (ResourceManagerTags)

Resource manager tag keys and values to be attached to the nodes for managing Compute Engine firewalls using Network Firewall Policies.

nodeKubeletConfig

object (NodeKubeletConfig)

NodeKubeletConfig controls the defaults for autoprovisioned node-pools.

Currently only insecureKubeletReadonlyPortEnabled can be set here.

linuxNodeConfig

object (LinuxNodeConfig)

Output only. Configuration options for Linux nodes.

NetworkTags

Collection of Compute Engine network tags that can be applied to a node's underlying VM instance. (See tags field in NodeConfig).

JSON representation
{
  "tags": [
    string
  ]
}
Fields
tags[]

string

List of network tags.

ProtectConfig

ProtectConfig defines the flags needed to enable/disable features for the Protect API.

JSON representation
{
  "workloadConfig": {
    object (WorkloadConfig)
  },
  "workloadVulnerabilityMode": enum (WorkloadVulnerabilityMode)
}
Fields
workloadConfig

object (WorkloadConfig)

WorkloadConfig defines which actions are enabled for a cluster's workload configurations.

workloadVulnerabilityMode

enum (WorkloadVulnerabilityMode)

Sets which mode to use for Protect workload vulnerability scanning feature.

WorkloadConfig

WorkloadConfig defines the flags to enable or disable the workload configurations for the cluster.

JSON representation
{
  "auditMode": enum (Mode)
}
Fields
auditMode

enum (Mode)

Sets which mode of auditing should be used for the cluster's workloads.

Mode

Mode defines how to audit the workload configs.

Enums
MODE_UNSPECIFIED Default value meaning that no mode has been specified.
DISABLED This disables Workload Configuration auditing on the cluster, meaning that nothing is surfaced.
BASIC Applies the default set of policy auditing to a cluster's workloads.
BASELINE Surfaces configurations that are not in line with the Pod Security Standard Baseline policy.
RESTRICTED Surfaces configurations that are not in line with the Pod Security Standard Restricted policy.

WorkloadVulnerabilityMode

WorkloadVulnerabilityMode defines mode to perform vulnerability scanning.

Enums
WORKLOAD_VULNERABILITY_MODE_UNSPECIFIED Default value not specified.
DISABLED Disables Workload Vulnerability Scanning feature on the cluster.
BASIC Applies basic vulnerability scanning settings for cluster workloads.

PodAutoscaling

PodAutoscaling is used for configuration of parameters for workload autoscaling.

JSON representation
{
  "hpaProfile": enum (HPAProfile)
}
Fields
hpaProfile

enum (HPAProfile)

Selected Horizontal Pod Autoscaling profile.

HPAProfile

Possible types of Horizontal Pod Autoscaling profile.

Enums
HPA_PROFILE_UNSPECIFIED HPA_PROFILE_UNSPECIFIED is used when no custom HPA profile is set.
NONE Customers explicitly opt-out of HPA profiles.
PERFORMANCE PERFORMANCE is used when customers opt-in to the performance HPA profile. In this profile we support a higher number of HPAs per cluster and faster metrics collection for workload autoscaling.

Fleet

Fleet is the fleet configuration for the cluster.

JSON representation
{
  "project": string,
  "membership": string,
  "preRegistered": boolean
}
Fields
project

string

The Fleet host project (project ID or project number) where this cluster will be registered to. This field cannot be changed after the cluster has been registered.

membership

string

Output only. The full resource name of the registered fleet membership of the cluster, in the format //gkehub.googleapis.com/projects/*/locations/*/memberships/*.

preRegistered

boolean

Output only. Whether the cluster has been registered through the fleet API.

SecurityPostureConfig

SecurityPostureConfig defines the flags needed to enable/disable features for the Security Posture API.

JSON representation
{
  "mode": enum (Mode),
  "vulnerabilityMode": enum (VulnerabilityMode)
}
Fields
mode

enum (Mode)

Sets which mode to use for Security Posture features.

vulnerabilityMode

enum (VulnerabilityMode)

Sets which mode to use for vulnerability scanning.

Mode

Mode defines enablement mode for GKE Security posture features.

Enums
MODE_UNSPECIFIED Default value not specified.
DISABLED Disables Security Posture features on the cluster.
BASIC Applies Security Posture features on the cluster.
ENTERPRISE Applies the Security Posture Enterprise-level features on the cluster.

VulnerabilityMode

VulnerabilityMode defines enablement mode for vulnerability scanning.

Enums
VULNERABILITY_MODE_UNSPECIFIED Default value not specified.
VULNERABILITY_DISABLED Disables vulnerability scanning on the cluster.
VULNERABILITY_BASIC Applies basic vulnerability scanning on the cluster.
VULNERABILITY_ENTERPRISE Applies the Security Posture Enterprise-level vulnerability scanning features on the cluster.

ControlPlaneEndpointsConfig

Configuration for all of the cluster's control plane endpoints.

JSON representation
{
  "dnsEndpointConfig": {
    object (DNSEndpointConfig)
  },
  "ipEndpointsConfig": {
    object (IPEndpointsConfig)
  }
}
Fields
dnsEndpointConfig

object (DNSEndpointConfig)

DNS endpoint configuration.

ipEndpointsConfig

object (IPEndpointsConfig)

IP endpoints configuration.

DNSEndpointConfig

Describes the configuration of a DNS endpoint.

JSON representation
{
  "endpoint": string,
  "allowExternalTraffic": boolean
}
Fields
endpoint

string

Output only. The cluster's DNS endpoint configuration. A DNS format address. This is accessible from the public internet. Ex: uid.us-central1.gke.goog. Always present, but the behavior may change according to the value of DNSEndpointConfig.allow_external_traffic.

allowExternalTraffic

boolean

Controls whether user traffic is allowed over this endpoint. Note that GCP-managed services may still use the endpoint even if this is false.

IPEndpointsConfig

IP endpoints configuration.

JSON representation
{
  "authorizedNetworksConfig": {
    object (MasterAuthorizedNetworksConfig)
  },
  "publicEndpoint": string,
  "privateEndpoint": string,
  "privateEndpointSubnetwork": string,
  "enabled": boolean,
  "enablePublicEndpoint": boolean,
  "globalAccess": boolean
}
Fields
authorizedNetworksConfig

object (MasterAuthorizedNetworksConfig)

Configuration of authorized networks. If enabled, restricts access to the control plane based on source IP. It is invalid to specify both Cluster.masterAuthorizedNetworksConfig and this field at the same time.

publicEndpoint

string

Output only. The external IP address of this cluster's control plane. Only populated if enabled.

privateEndpoint

string

Output only. The internal IP address of this cluster's control plane. Only populated if enabled.

privateEndpointSubnetwork

string

Subnet to provision the master's private endpoint during cluster creation. Specified in projects/*/regions/*/subnetworks/* format. It is invalid to specify both PrivateClusterConfig.privateEndpointSubnetwork and this field at the same time.

enabled

boolean

Controls whether to allow direct IP access.

enablePublicEndpoint

boolean

Controls whether the control plane allows access through a public IP. It is invalid to specify both PrivateClusterConfig.enablePrivateEndpoint and this field at the same time.

globalAccess

boolean

Controls whether the control plane's private endpoint is accessible from sources in other regions. It is invalid to specify both PrivateClusterMasterGlobalAccessConfig.enabled and this field at the same time.
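The mapping from the deprecated PrivateClusterConfig fields to IPEndpointsConfig, with the reversed enablePrivateEndpoint/enablePublicEndpoint value and the "invalid to specify both" rule, as an added example that is not part of this reference or of Google's client libraries. It assumes the top-level Cluster field names controlPlaneEndpointsConfig, privateClusterConfig and masterAuthorizedNetworksConfig, and that MasterAuthorizedNetworksConfig carries an enabled flag; the sample cluster is constructed.

```python
"""Fold the deprecated PrivateClusterConfig endpoint fields of a GKE Cluster
resource into ControlPlaneEndpointsConfig.IPEndpointsConfig.

Added example, not Google's code. It encodes only the rules stated in this
reference: enablePrivateEndpoint maps to enablePublicEndpoint with the value
reversed; privateEndpointSubnetwork, masterGlobalAccessConfig.enabled and
Cluster.masterAuthorizedNetworksConfig each have a one-to-one replacement; and
setting a deprecated field together with its replacement is invalid.
Output-only fields (privateEndpoint, publicEndpoint, peeringName) are left
alone because the API populates them.
"""
from __future__ import annotations

import copy
from typing import Any


class ConflictingEndpointConfig(ValueError):
    """A deprecated field and its replacement were both specified."""


def migrate_endpoints(cluster: dict[str, Any]) -> dict[str, Any]:
    """Return a deep copy of `cluster` with the legacy endpoint fields moved
    into controlPlaneEndpointsConfig.ipEndpointsConfig."""
    out = copy.deepcopy(cluster)
    private = out.get("privateClusterConfig", {})
    ip_cfg = (out.setdefault("controlPlaneEndpointsConfig", {})
                 .setdefault("ipEndpointsConfig", {}))

    def move(src: dict[str, Any], old: str, new: str, transform=lambda v: v) -> None:
        if old not in src:
            return
        if new in ip_cfg:
            raise ConflictingEndpointConfig(f"{old} and {new} both specified")
        ip_cfg[new] = transform(src.pop(old))

    # enablePrivateEndpoint=false means the public endpoint is enabled (reversed value).
    move(private, "enablePrivateEndpoint", "enablePublicEndpoint", lambda v: not v)
    move(private, "privateEndpointSubnetwork", "privateEndpointSubnetwork")
    mga = private.pop("masterGlobalAccessConfig", None)
    if mga is not None:
        move(mga, "enabled", "globalAccess")
    # Authorized networks moved from the Cluster top level into IPEndpointsConfig.
    move(out, "masterAuthorizedNetworksConfig", "authorizedNetworksConfig")

    if not private:
        out.pop("privateClusterConfig", None)
    if not ip_cfg:
        # Nothing was migrated: drop the empty containers created above.
        out["controlPlaneEndpointsConfig"].pop("ipEndpointsConfig")
        if not out["controlPlaneEndpointsConfig"]:
            out.pop("controlPlaneEndpointsConfig")
    return out


def public_ip_access_unrestricted(cluster: dict[str, Any]) -> bool:
    """True when the control plane accepts public IP traffic and authorized
    networks do not restrict it (evaluated on the migrated representation)."""
    ip_cfg = cluster.get("controlPlaneEndpointsConfig", {}).get("ipEndpointsConfig", {})
    if not ip_cfg.get("enablePublicEndpoint", False):
        return False
    # Assumed: MasterAuthorizedNetworksConfig.enabled switches source-IP filtering on.
    return not ip_cfg.get("authorizedNetworksConfig", {}).get("enabled", False)


# Constructed sample: a cluster still described with the deprecated fields.
LEGACY_CLUSTER: dict[str, Any] = {
    "name": "legacy-private",
    "privateClusterConfig": {
        "enablePrivateNodes": True,
        "enablePrivateEndpoint": False,       # => enablePublicEndpoint: True
        "masterIpv4CidrBlock": "172.16.0.0/28",
        "privateEndpointSubnetwork": "projects/p/regions/us-central1/subnetworks/cp",
        "masterGlobalAccessConfig": {"enabled": True},
        "publicEndpoint": "203.0.113.10",     # output only, kept where it is
    },
    "masterAuthorizedNetworksConfig": {"enabled": False},
}

if __name__ == "__main__":
    migrated = migrate_endpoints(LEGACY_CLUSTER)
    print(migrated["controlPlaneEndpointsConfig"])
    print("public IP access unrestricted:", public_ip_access_unrestricted(migrated))
```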

EnterpriseConfig

EnterpriseConfig is the cluster enterprise configuration.

JSON representation
{
  "clusterTier": enum (ClusterTier),
  "desiredTier": enum (ClusterTier)
}
Fields
clusterTier

enum (ClusterTier)

Output only. clusterTier indicates the effective tier of the cluster.

desiredTier

enum (ClusterTier)

desiredTier specifies the desired tier of the cluster.

ClusterTier

Premium tiers for GKE Cluster.

Enums
CLUSTER_TIER_UNSPECIFIED CLUSTER_TIER_UNSPECIFIED is when clusterTier is not set.
STANDARD STANDARD indicates a standard GKE cluster.
ENTERPRISE ENTERPRISE indicates a GKE Enterprise cluster.

SecretManagerConfig

SecretManagerConfig is config for secret manager enablement.

JSON representation
{
  "enabled": boolean
}
Fields
enabled

boolean

Enable/Disable Secret Manager Config.

CompliancePostureConfig

CompliancePostureConfig defines the settings needed to enable/disable features for the Compliance Posture.

JSON representation
{
  "complianceStandards": [
    {
      object (ComplianceStandard)
    }
  ],
  "mode": enum (Mode)
}
Fields
complianceStandards[]

object (ComplianceStandard)

List of enabled compliance standards.

mode

enum (Mode)

Defines the enablement mode for Compliance Posture.

Mode

Mode defines enablement mode for Compliance Posture.

Enums
MODE_UNSPECIFIED Default value not specified.
DISABLED Disables Compliance Posture features on the cluster.
ENABLED Enables Compliance Posture features on the cluster.

ComplianceStandard

Defines the details of a compliance standard.

JSON representation
{
  "standard": string
}
Fields
standard

string

Name of the compliance standard.

UserManagedKeysConfig

UserManagedKeysConfig holds the resource addresses of the keys used for signing the certificates and tokens that are used for communication within the cluster.

JSON representation
{
  "clusterCa": string,
  "etcdApiCa": string,
  "etcdPeerCa": string,
  "serviceAccountSigningKeys": [
    string
  ],
  "serviceAccountVerificationKeys": [
    string
  ],
  "aggregationCa": string,
  "controlPlaneDiskEncryptionKey": string,
  "gkeopsEtcdBackupEncryptionKey": string
}
Fields
clusterCa

string

The Certificate Authority Service caPool to use for the cluster CA in this cluster.

etcdApiCa

string

Resource path of the Certificate Authority Service caPool to use for the etcd API CA in this cluster.

etcdPeerCa

string

Resource path of the Certificate Authority Service caPool to use for the etcd peer CA in this cluster.

serviceAccountSigningKeys[]

string

The Cloud KMS cryptoKeyVersions to use for signing service account JWTs issued by this cluster.

Format: projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{cryptoKey}/cryptoKeyVersions/{cryptoKeyVersion}

serviceAccountVerificationKeys[]

string

The Cloud KMS cryptoKeyVersions to use for verifying service account JWTs issued by this cluster.

Format: projects/{project}/locations/{location}/keyRings/{keyring}/cryptoKeys/{cryptoKey}/cryptoKeyVersions/{cryptoKeyVersion}

aggregationCa

string

The Certificate Authority Service caPool to use for the aggregation CA in this cluster.

controlPlaneDiskEncryptionKey

string

The Cloud KMS cryptoKey to use for Confidential Hyperdisk on the control plane nodes.

gkeopsEtcdBackupEncryptionKey

string

Resource path of the Cloud KMS cryptoKey to use for encryption of internal etcd backups.

RBACBindingConfig

RBACBindingConfig allows the user to restrict which ClusterRoleBindings and RoleBindings can be created.

JSON representation
{
  "enableInsecureBindingSystemUnauthenticated": boolean,
  "enableInsecureBindingSystemAuthenticated": boolean
}
Fields
enableInsecureBindingSystemUnauthenticated

boolean

Setting this to true will allow any ClusterRoleBinding and RoleBinding with subjects system:anonymous or system:unauthenticated.

enableInsecureBindingSystemAuthenticated

boolean

Setting this to true will allow any ClusterRoleBinding and RoleBinding with subjects system:authenticated.
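A posture check that reads a Cluster resource and reports the settings this reference documents as insecure or as error states (RBACBindingConfig, DatabaseEncryption, ShieldedNodes, ReleaseChannel, WorkloadIdentityConfig, ControlPlaneEndpointsConfig, NodeKubeletConfig, LoggingComponentConfig), as an added example that is not part of this reference or of Google's tooling. It assumes the top-level Cluster field names are the lowerCamelCase form of the type names, and that MasterAuthorizedNetworksConfig carries an enabled flag; both sample clusters are constructed.

```python
"""Audit a GKE Cluster resource (as returned by projects.locations.clusters.get)
for the weak settings and error states documented on this page.

Added example, not Google's code. Nested field names are those in the JSON
representations above; the top-level names (rbacBindingConfig, databaseEncryption,
controlPlaneEndpointsConfig, nodePoolDefaults, loggingConfig) are assumed.
"""
from __future__ import annotations

from typing import Any


def _get(obj: dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted path through nested dicts; return default if any part is missing."""
    cur: Any = obj
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def audit_cluster(cluster: dict[str, Any]) -> list[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    findings: list[str] = []
    ip = "controlPlaneEndpointsConfig.ipEndpointsConfig."

    # RBACBindingConfig: bindings to the catch-all system groups.
    if _get(cluster, "rbacBindingConfig.enableInsecureBindingSystemUnauthenticated", False):
        findings.append("rbac: bindings to system:anonymous/system:unauthenticated allowed")
    if _get(cluster, "rbacBindingConfig.enableInsecureBindingSystemAuthenticated", False):
        findings.append("rbac: bindings to system:authenticated allowed")

    # DatabaseEncryption: desired state versus the output-only currentState.
    desired = _get(cluster, "databaseEncryption.state", "UNKNOWN")
    current = _get(cluster, "databaseEncryption.currentState", "CURRENT_STATE_UNSPECIFIED")
    if desired != "ENCRYPTED":
        findings.append(f"etcd: secrets not encrypted with a CloudKMS key (state={desired})")
    if current.endswith("_ERROR"):
        keys = [e.get("keyName", "?")
                for e in _get(cluster, "databaseEncryption.lastOperationErrors", [])]
        findings.append(f"etcd: {current} on key(s) {', '.join(keys) or 'unknown'}")
    elif current.endswith("_PENDING"):
        findings.append(f"etcd: key operation still in progress ({current})")

    # Node integrity, upgrade channel and Workload Identity.
    if not _get(cluster, "shieldedNodes.enabled", False):
        findings.append("nodes: Shielded Nodes not enabled")
    channel = _get(cluster, "releaseChannel.channel", "UNSPECIFIED")
    if channel in ("UNSPECIFIED", "RAPID"):
        findings.append(f"upgrades: release channel is {channel}")
    if not _get(cluster, "workloadIdentityConfig.workloadPool"):
        findings.append("identity: workloadPool unset, Workload Identity not configured")

    # Control plane reachability over the IP and DNS endpoints.
    if _get(cluster, ip + "enablePublicEndpoint", False) and not _get(
            cluster, ip + "authorizedNetworksConfig.enabled", False):  # assumed field
        findings.append("control plane: public IP endpoint without authorized networks")
    if _get(cluster, "controlPlaneEndpointsConfig.dnsEndpointConfig.allowExternalTraffic", False):
        findings.append("control plane: DNS endpoint allows external user traffic")

    # Kubelet read-only port default for new node pools, and logging coverage.
    if _get(cluster, "nodePoolDefaults.nodeConfigDefaults.nodeKubeletConfig."
                     "insecureKubeletReadonlyPortEnabled", False):
        findings.append("nodes: insecure kubelet read-only port enabled by default")
    if not _get(cluster, "loggingConfig.componentConfig.enableComponents"):
        findings.append("logging: no components selected, all logging disabled")
    return findings


# Constructed samples: one cluster with several weak settings, one hardened.
WEAK_CLUSTER: dict[str, Any] = {
    "name": "weak",
    "rbacBindingConfig": {"enableInsecureBindingSystemUnauthenticated": True},
    "databaseEncryption": {
        "state": "ENCRYPTED", "currentState": "CURRENT_STATE_ENCRYPTION_ERROR",
        "lastOperationErrors": [{
            "keyName": "projects/my-project/locations/global/keyRings/my-ring/cryptoKeys/my-key",
            "errorMessage": "constructed sample error", "timestamp": "2014-10-02T15:01:23Z"}],
    },
    "releaseChannel": {"channel": "RAPID"},
    "controlPlaneEndpointsConfig": {
        "ipEndpointsConfig": {"enablePublicEndpoint": True},
        "dnsEndpointConfig": {"endpoint": "uid.us-central1.gke.goog", "allowExternalTraffic": True},
    },
    "loggingConfig": {"componentConfig": {"enableComponents": []}},
}

HARDENED_CLUSTER: dict[str, Any] = {
    "name": "hardened",
    "rbacBindingConfig": {"enableInsecureBindingSystemUnauthenticated": False,
                          "enableInsecureBindingSystemAuthenticated": False},
    "databaseEncryption": {"state": "ENCRYPTED", "currentState": "CURRENT_STATE_ENCRYPTED"},
    "shieldedNodes": {"enabled": True},
    "releaseChannel": {"channel": "STABLE"},
    "workloadIdentityConfig": {"workloadPool": "my-project.svc.id.goog"},
    "controlPlaneEndpointsConfig": {
        "ipEndpointsConfig": {"enablePublicEndpoint": True,
                              "authorizedNetworksConfig": {"enabled": True}},
        "dnsEndpointConfig": {"endpoint": "uid.us-central1.gke.goog", "allowExternalTraffic": False},
    },
    "nodePoolDefaults": {"nodeConfigDefaults": {
        "nodeKubeletConfig": {"insecureKubeletReadonlyPortEnabled": False}}},
    "loggingConfig": {"componentConfig": {"enableComponents": ["SYSTEM_COMPONENTS", "WORKLOADS"]}},
}

if __name__ == "__main__":
    for c in (WEAK_CLUSTER, HARDENED_CLUSTER):
        print(c["name"], audit_cluster(c) or ["no findings"])
```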

Methods

checkAutopilotCompatibility

Checks the cluster compatibility with Autopilot mode, and returns a list of compatibility issues.

completeIpRotation

Completes master IP rotation.

create

Creates a cluster, consisting of the specified number and type of Google Compute Engine instances.

delete

Deletes the cluster, including the Kubernetes endpoint and all worker nodes.

fetchClusterUpgradeInfo

Fetches upgrade information of a specific cluster.

get

Gets the details for a specific cluster.

getJwks

Gets the public component of the cluster signing keys in JSON Web Key format.

list

Lists all clusters owned by a project in either the specified zone or all zones.

setAddons

Sets the addons for a specific cluster.

setLegacyAbac

Enables or disables the ABAC authorization mechanism on a cluster.

setLocations
(deprecated)

Sets the locations for a specific cluster.

setLogging

Sets the logging service for a specific cluster.

setMaintenancePolicy

Sets the maintenance policy for a cluster.

setMasterAuth

Sets master auth materials.

setMonitoring

Sets the monitoring service for a specific cluster.

setNetworkPolicy

Enables or disables Network Policy for a cluster.

setResourceLabels

Sets labels on a cluster.

startIpRotation

Starts master IP rotation.

update

Updates the settings for a specific cluster.

updateMaster

Updates the master for a specific cluster.