Cluster Admin

Cluster administration overview #

Basic cluster administration #

  • Cluster-level configuration

Node Configuration #

  • Automatic upgrades

Lower management overhead

Better Security

gcloud container clusters create [CLUSTER_NAME] --zone [COMPUTE_ZONE] \
    --enable-autoupgrade

gcloud container node-pools create [NODE_POOL] --cluster [CLUSTER_NAME] \
    --zone [COMPUTE_ZONE] --enable-autoupgrade
  • Automatic repairs

Repair criteria

A node reports a NotReady status on consecutive checks over the given time threshold (approximately 10 minutes).

A node does not report any status at all over the given time threshold (approximately 10 minutes).

A node’s boot disk is out of disk space for an extended time period (approximately 30 minutes).

gcloud container clusters create [CLUSTER_NAME] --zone [COMPUTE_ZONE] \
    --enable-autorepair

To create a node pool with auto-repair enabled:

gcloud container node-pools create [POOL_NAME] --cluster [CLUSTER_NAME] \
    --zone [COMPUTE_ZONE] --enable-autorepair
  • Preemptible VMs

Preemptible VMs are Google Compute Engine VM instances that last a maximum of 24 hours and provide no availability guarantees.

  • Local SSDs

Local SSDs provide high-performance, ephemeral storage to every node in the cluster. Local SSDs provide higher throughput and lower latency than standard disks. Local caching and processing are suitable workloads for local SSDs.

  • Minimum CPU platform

Configuring cluster networking #

  • Internal load balancing
  • Alias IPs
  • IP masquerade agent
  • Network policy

Configuring cluster security #

The following security features are specific to Google Cloud Platform: #

  • Cloud Identity and Access Management
  • IP rotation

You can perform an IP rotation to change the IP address that your cluster’s Kubernetes master uses to serve requests from the Kubernetes API.

IP rotation also changes the SSL certificate and cluster certificate authority, so there is no externally-visible connection between the previous address and the new one.

  • Master authorized networks

Authorized networks allow you to whitelist specific CIDR ranges and allow IP addresses in those ranges to access your cluster master endpoint using HTTPS. Authorized networks are compatible with all clusters.

gcloud container clusters create [CLUSTER_NAME] \
    --enable-master-authorized-networks \
    --master-authorized-networks [CIDR],[CIDR]...


gcloud container clusters create example-cluster \
    --enable-master-authorized-networks \
    --master-authorized-networks 8.8.8.8/32,8.8.8.0/24
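The value of the feature depends entirely on what goes into the CIDR list: an entry like 0.0.0.0/0 re-exposes the master endpoint to the whole internet, and a very short prefix is nearly as bad. The script below is an added example, not part of these notes or of the gcloud tooling; it validates a comma-separated list the way it would be passed to --master-authorized-networks, rejects catch-all or over-broad ranges, and prints the create command with the auto-upgrade, auto-repair and authorized-networks flags covered above. The function names, the MIN_PREFIX policy value (/16) and the sample cluster and zone are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: pre-flight check for --master-authorized-networks values.
# Not from the GKE documentation; function names and MIN_PREFIX are assumptions.
set -f   # no globbing, so IFS-splitting user-supplied text cannot expand wildcards

MIN_PREFIX="${MIN_PREFIX:-16}"   # assumed policy: refuse anything broader than /16

# validate_cidr CIDR -> 0 if it is a.b.c.d/n with octets 0-255 and n 0-32
validate_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  ip=${1%/*}
  prefix=${1#*/}
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  n=0
  old_ifs=$IFS; IFS=.
  for octet in $ip; do
    case "$octet" in ''|*[!0-9]*) IFS=$old_ifs; return 1 ;; esac
    [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    n=$((n + 1))
  done
  IFS=$old_ifs
  [ "$n" -eq 4 ]
}

# check_authorized_networks "CIDR,CIDR,..." -> 0 if every entry is acceptable;
# otherwise prints the reason for the first rejected entry and returns 1
check_authorized_networks() {
  old_ifs=$IFS; IFS=,
  set -- $1
  IFS=$old_ifs
  for entry in "$@"; do
    if ! validate_cidr "$entry"; then
      echo "reject: $entry is not a valid IPv4 CIDR"; return 1
    fi
    if [ "${entry%/*}" = "0.0.0.0" ]; then
      echo "reject: $entry would admit every address, defeating authorized networks"; return 1
    fi
    if [ "${entry#*/}" -lt "$MIN_PREFIX" ]; then
      echo "reject: $entry is broader than /$MIN_PREFIX"; return 1
    fi
  done
  return 0
}

# build_create_cmd CLUSTER ZONE CIDRS -> prints the hardened create command,
# or returns 1 without printing anything if the CIDR list fails the check
build_create_cmd() {
  check_authorized_networks "$3" >/dev/null || return 1
  printf 'gcloud container clusters create %s --zone %s --enable-autoupgrade --enable-autorepair --enable-master-authorized-networks --master-authorized-networks %s\n' \
    "$1" "$2" "$3"
}

# Usage (prints the command; run it through sh to actually create the cluster):
build_create_cmd example-cluster us-central1-a 8.8.8.8/32,8.8.8.0/24
```

The check only covers the syntax and breadth of the list; it cannot tell you whether 8.8.8.0/24 is actually your office or VPN egress range, so the list itself still needs to come from an inventory you trust.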

Intra-cluster Kubernetes security features you can use on GKE include: #

  • The role-based access control (RBAC) system lets you exercise fine-grained control over how users access the API resources running on your cluster. You can use RBAC to dynamically configure permissions for your cluster’s users and define the kinds of resources with which they can interact.
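The following is an added example of what "fine-grained" means in practice; it is not from these notes or from the Kubernetes project. It renders a namespace-scoped Role that can only read pods and their logs, binds it to a single user, and adds a small lint that refuses manifests containing wildcard grants or a cluster-admin binding, so manifests can be checked before kubectl apply. The role, binding, namespace and user names are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example: least-privilege Role/RoleBinding plus a wildcard lint.
# Not from the GKE documentation; all names below are placeholders.

# readonly_role_manifest NAMESPACE USER -> prints a Role limited to get/list/watch
# on pods and pod logs in NAMESPACE, and a RoleBinding granting it to USER
readonly_role_manifest() {
cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: $1
rules:
- apiGroups: [""]
  resources: ["pods", "pods/log"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader-binding
  namespace: $1
subjects:
- kind: User
  name: $2
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# rbac_lint FILE -> 0 if the manifest contains no wildcard grant and no
# cluster-admin roleRef; otherwise prints the reason and returns 1.
# Comments are stripped first so an asterisk in a comment is not flagged.
rbac_lint() {
  if sed 's/#.*//' "$1" | grep -q '\*'; then
    echo "reject: wildcard grant (\"*\") in $1"; return 1
  fi
  if grep -Eq '^[[:space:]]*name:[[:space:]]*cluster-admin[[:space:]]*$' "$1"; then
    echo "reject: $1 binds cluster-admin"; return 1
  fi
  return 0
}

# Usage: render, lint, then apply with kubectl once the lint passes
readonly_role_manifest dev alice@example.com > pod-reader.yaml
rbac_lint pod-reader.yaml && echo "ok: kubectl apply -f pod-reader.yaml"
```

The lint is deliberately blunt: any wildcard in verbs, resources or apiGroups is treated as a finding, because a Role that grants "*" on "*" is cluster-admin in all but name within its namespace.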