GCP Kubernetes Engine GKE Cluster Setup Guide
Google Kubernetes Engine (GKE) is the world's most mature managed Kubernetes service and one of GCP's most competitive offerings. As the creator of Kubernetes, Google has unmatched depth in container orchestration. This guide walks you through building a production-grade GKE cluster from scratch.
Choosing Your GKE Mode
GKE offers two operational modes—understanding the differences is critical for cluster planning:
| Feature | Autopilot | Standard |
|---------|-----------|----------|
| Node management | Fully managed by Google | User-managed |
| Billing | Per Pod resource request | Per node |
| Node operations | None to worry about | OS upgrades, security patches required |
| Customizability | Limited (full K8s control) | Full control |
| Use case | No dedicated SRE, app-focused teams | Node-level control, special hardware |
| Cost predictability | High (pay for what you use) | Medium (must estimate node utilization) |
Recommendations:
- Startups, small teams → Autopilot
- Large enterprises, compliance requirements → Standard
- Cost-sensitive workloads → Standard (with committed use discounts)
Cost Comparison (asia-east1 region)
| Scenario | Autopilot Cost | Standard Cost |
|----------|----------------|---------------|
| 10 Pods (1C2G each) | ~$180/month | ~$120/month (incl. node idle) |
| 50 Pods (1C2G each) | ~$900/month | ~$600/month |
| Variable load | Better (exact per-use) | Requires buffer capacity |
Compared to Alibaba Cloud ACK, GKE Autopilot eliminates node operations overhead, making it especially friendly for teams without dedicated SREs.
Cluster Planning
Network Mode
| Mode | Pod IP Source | Max Pods/Node | Recommended |
|------|---------------|---------------|-------------|
| VPC-native (Alias IPs) | VPC subnet alias | 110 | Yes |
| Routes-based | Node routing | 110 | No (legacy) |
Always choose VPC-native mode—required for Network Policy and Private GKE clusters.
Cluster Network Planning
```text
VPC: 10.0.0.0/8
├── Subnet (Nodes): 10.0.0.0/20 (4,091 nodes)
├── Subnet (Pod alias): 10.4.0.0/14 (262,144 Pods)
└── Subnet (Service): 10.8.0.0/20 (4,091 Services)
```
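Before running the create commands it is worth checking an address plan like the one above mechanically. The following script is an added example, not part of the original guide: it takes the guide's four ranges plus the control-plane block used in the create commands below and reports ranges outside the VPC, overlapping ranges, a control-plane block that is not a /28, and the node count the pod range can actually support (GKE assigns each node a /24 pod block at the default 110 pods per node, so the pod range, not the node subnet, is usually the binding limit). The reserved-address count and per-node /24 are stated as assumptions in the code.

```python
"""Sanity-check a GKE VPC-native address plan before creating the cluster.

Added example (not from the original guide). Standard library only.
Assumptions: GCP reserves 4 addresses per subnet; GKE hands each node a
/24 pod block at the default 110 pods/node; a private cluster's control
plane block must be a /28.
"""
import ipaddress

# Constructed from the plan in the guide; master block from the create command.
PLAN = {
    "vpc": "10.0.0.0/8",
    "nodes": "10.0.0.0/20",
    "pods": "10.4.0.0/14",
    "services": "10.8.0.0/20",
    "master": "172.16.0.0/28",
}

GCP_RESERVED_PER_SUBNET = 4   # assumption: network, gateway, second-to-last, broadcast
PODS_PER_NODE = 110           # assumption: GKE default, which maps to a /24 per node
POD_BLOCK_PREFIX = 24


def check_plan(plan):
    """Return a list of findings; an empty list means the plan passes."""
    nets = {k: ipaddress.ip_network(v) for k, v in plan.items()}
    findings = []
    vpc = nets["vpc"]
    # Node, pod and service ranges must sit inside the VPC.
    for name in ("nodes", "pods", "services"):
        if not nets[name].subnet_of(vpc):
            findings.append(f"{name} range {nets[name]} is outside VPC {vpc}")
    # Nothing may overlap; the master block is peered in from a Google VPC,
    # so it must be free of collisions with our ranges as well.
    ranges = ["nodes", "pods", "services", "master"]
    for i, a in enumerate(ranges):
        for b in ranges[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} range {nets[a]} overlaps {b} range {nets[b]}")
    if nets["master"].prefixlen != 28:
        findings.append(f"master range {nets['master']} must be a /28")
    # Pod capacity: each node consumes one /24, so a /14 serves 1024 nodes.
    node_addresses = nets["nodes"].num_addresses - GCP_RESERVED_PER_SUBNET
    pod_blocks = 2 ** (POD_BLOCK_PREFIX - nets["pods"].prefixlen)
    if pod_blocks < node_addresses:
        findings.append(
            f"pod range {nets['pods']} supports only {pod_blocks} nodes at "
            f"{PODS_PER_NODE} pods/node, fewer than the {node_addresses} node addresses"
        )
    return findings


def capacity(plan):
    """Usable node addresses, nodes the pod range allows, and service IPs."""
    nets = {k: ipaddress.ip_network(v) for k, v in plan.items()}
    return {
        "node_addresses": nets["nodes"].num_addresses - GCP_RESERVED_PER_SUBNET,
        "nodes_by_pod_range": 2 ** (POD_BLOCK_PREFIX - nets["pods"].prefixlen),
        "service_addresses": nets["services"].num_addresses,
    }


if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print("WARN:", finding)
    print(capacity(PLAN))
```

Run against the plan above, the only finding is the pod-range one: a /20 node subnet offers far more node addresses than a /14 pod range can back at 110 pods per node, so either the node subnet can be smaller or the pod range needs to grow if you really intend thousands of nodes.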
Cluster Types
| Type | Description | Use Case |
|------|-------------|----------|
| Zonal | Single availability zone | Dev/test |
| Regional | Multi-zone (3-replica control plane) | Production |
| Private | Nodes have no public IPs | High security/compliance |
Creating a GKE Cluster
Autopilot Cluster
```bash
gcloud container clusters create-auto my-autopilot-cluster \
  --region=asia-east1 \
  --network=my-vpc \
  --subnetwork=my-subnet \
  --enable-private-nodes \
  --master-ipv4-cidr=172.16.0.0/28 \
  --release-channel=regular
# --master-ipv4-cidr is the gcloud flag name; the control-plane block must be a /28
```
Standard Cluster
```bash
gcloud container clusters create my-standard-cluster \
  --region=asia-east1 \
  --num-nodes=2 \
  --machine-type=e2-standard-4 \
  --disk-type=pd-ssd \
  --disk-size=100GB \
  --network=my-vpc \
  --subnetwork=my-subnet \
  --enable-private-nodes \
  --enable-ip-alias \
  --master-ipv4-cidr=172.16.0.0/28 \
  --release-channel=regular \
  --enable-network-policy \
  --addons=HorizontalPodAutoscaling,NetworkPolicy
# --master-ipv4-cidr is the gcloud flag name (a /28 for the control plane).
# --enable-network-policy turns enforcement on; the NetworkPolicy addon alone
# only installs the components.
```
Node Pool Management
For Standard clusters, separate system and workload nodes:
```bash
# System components node pool
# The cluster is regional, so the node-pool commands must name the region too.
gcloud container node-pools create system-pool \
  --cluster=my-standard-cluster \
  --region=asia-east1 \
  --machine-type=e2-standard-2 \
  --num-nodes=1 \
  --node-labels=dedicated=system

# Workload node pool
gcloud container node-pools create workload-pool \
  --cluster=my-standard-cluster \
  --region=asia-east1 \
  --machine-type=e2-standard-8 \
  --min-nodes=1 --max-nodes=10 \
  --enable-autoscaling \
  --node-labels=dedicated=workload
```
Connecting to the Cluster
```bash
# Get cluster credentials
gcloud container clusters get-credentials my-standard-cluster \
  --region=asia-east1

# Verify connection
kubectl get nodes
kubectl cluster-info
```
Private Cluster Access
The API server of a private cluster has no public IP. Reach it via:
- Cloud Shell: Automatically in the same VPC
- VPN/Express Connect: From your on-prem network
- Authorized Networks: Temporarily add your IP
```bash
# Temporarily authorize your IP
gcloud container clusters update my-standard-cluster \
  --region=asia-east1 \
  --enable-master-authorized-networks \
  --master-authorized-networks=YOUR_IP/32
```
Deploying Applications
Sample Deployment
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: web-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: web-app
  template:
    metadata:
      labels:
        app: web-app
    spec:
      containers:
        - name: web
          image: nginx:1.25
          resources:
            requests:
              cpu: "500m"
              memory: "512Mi"
            limits:
              cpu: "1000m"
              memory: "1Gi"
          ports:
            - containerPort: 80
```
Exposing Services
| Method | Description | GCP Integration |
|--------|-------------|-----------------|
| ClusterIP | Internal cluster access | None |
| NodePort | Expose via node port | Not recommended for production |
| LoadBalancer | Auto-creates Cloud Load Balancer | GCP native integration |
| Ingress | HTTP(S) routing | GKE Ingress → Cloud LB |
```bash
# Create LoadBalancer Service
kubectl expose deployment web-app --type=LoadBalancer --port=80

# Or use Ingress
kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-app-ingress
spec:
  defaultBackend:
    service:
      name: web-app
      port:
        number: 80
EOF
```
Horizontal Pod Autoscaling
```bash
kubectl autoscale deployment web-app \
  --cpu-percent=60 \
  --min=2 \
  --max=10
```
Security Configuration
| Security Measure | Configuration | Importance |
|------------------|---------------|------------|
| Workload Identity | Link K8s SA to GCP IAM SA | High |
| Network Policy | Restrict inter-Pod communication | High |
| Binary Authorization | Deploy only trusted images | Medium |
| Pod Security Standards | Restrict privileged containers | High |
| Secret Manager | Integrate GCP Secret Manager | Medium |
| Container Scanning | Automatic vulnerability scanning | Medium |
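Two rows of that table, Pod Security Standards and Workload Identity, can be checked on a manifest before it ever reaches the cluster. The script below is an added example, not part of the original guide: it applies the core of the Kubernetes "restricted" Pod Security Standard (no privileged containers, no privilege escalation, run as non-root, drop all capabilities), requires CPU and memory requests and limits (which Autopilot also insists on), rejects unpinned images, and, when a pod names a ServiceAccount, checks that the account carries the `iam.gke.io/gcp-service-account` annotation that Workload Identity relies on. The guide's `web-app` Deployment is embedded as a Python dict so no YAML library is needed; the hardened copy, the `my-k8s-sa` account and its placeholder GSA email are constructed for the example.

```python
"""Pre-deployment policy check for a Deployment manifest.

Added example, not from the original guide. Covers a subset of the
"restricted" Pod Security Standard, resource requests/limits, image
pinning and the Workload Identity ServiceAccount annotation.
"""
import copy

# Constructed: the guide's web-app Deployment, expressed as a dict.
WEB_APP = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web-app"},
    "spec": {
        "replicas": 3,
        "selector": {"matchLabels": {"app": "web-app"}},
        "template": {
            "metadata": {"labels": {"app": "web-app"}},
            "spec": {
                "containers": [{
                    "name": "web",
                    "image": "nginx:1.25",
                    "resources": {
                        "requests": {"cpu": "500m", "memory": "512Mi"},
                        "limits": {"cpu": "1000m", "memory": "1Gi"},
                    },
                    "ports": [{"containerPort": 80}],
                }],
            },
        },
    },
}

WI_ANNOTATION = "iam.gke.io/gcp-service-account"


def check_pod_spec(pod_spec, service_accounts=None):
    """Return policy violations for a pod spec; an empty list means it passes.

    service_accounts maps ServiceAccount name -> its metadata annotations,
    so the Workload Identity check can see whether the binding annotation exists.
    """
    violations = []
    pod_sc = pod_spec.get("securityContext", {})
    for c in pod_spec.get("containers", []) + pod_spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")
        # A tag or digest must follow the last path component; :latest floats.
        if ":" not in image.rsplit("/", 1)[-1] or image.endswith(":latest"):
            violations.append(f"{name}: image {image!r} is not pinned")
        if sc.get("privileged"):
            violations.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            violations.append(f"{name}: allowPrivilegeEscalation must be false")
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            violations.append(f"{name}: runAsNonRoot is not set")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            violations.append(f"{name}: capabilities.drop must include ALL")
        res = c.get("resources", {})
        for kind in ("requests", "limits"):
            for r in ("cpu", "memory"):
                if r not in res.get(kind, {}):
                    violations.append(f"{name}: missing resources.{kind}.{r}")
    sa = pod_spec.get("serviceAccountName")
    if sa and WI_ANNOTATION not in (service_accounts or {}).get(sa, {}):
        violations.append(f"ServiceAccount {sa} lacks {WI_ANNOTATION} annotation")
    return violations


def check_deployment(deployment, service_accounts=None):
    return check_pod_spec(deployment["spec"]["template"]["spec"], service_accounts)


def hardened(deployment):
    """Constructed hardened copy of the Deployment that satisfies the checks."""
    d = copy.deepcopy(deployment)
    pod = d["spec"]["template"]["spec"]
    pod["securityContext"] = {"runAsNonRoot": True,
                              "seccompProfile": {"type": "RuntimeDefault"}}
    pod["serviceAccountName"] = "my-k8s-sa"   # constructed, matches the WI step
    for c in pod["containers"]:
        c["securityContext"] = {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}}
    return d


# Constructed: annotations of the KSA after the Workload Identity binding step.
SERVICE_ACCOUNTS = {"my-k8s-sa": {WI_ANNOTATION: "GSA_EMAIL_PLACEHOLDER"}}

if __name__ == "__main__":
    print("original:", check_deployment(WEB_APP))
    print("hardened:", check_deployment(hardened(WEB_APP), SERVICE_ACCOUNTS))
```

The guide's Deployment fails three of the checks (privilege escalation allowed, no `runAsNonRoot`, capabilities not dropped); the hardened copy passes only once the ServiceAccount annotation is present as well. One practical caveat: `runAsNonRoot` is enforced by the kubelet against the image's configured user, and the stock `nginx` image runs as root, so in practice a rootless image variant (or an explicit non-root `runAsUser` with a listening port above 1024) is required for the hardened manifest to start.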
Workload Identity Setup
```bash
# Enable Workload Identity
gcloud container clusters update my-standard-cluster \
  --region=asia-east1 \
  --workload-pool=my-project.svc.id.goog

# Bind K8s SA to GCP SA
# First argument is the GCP service account email
# (form: NAME@PROJECT_ID.iam.gserviceaccount.com)
gcloud iam service-accounts add-iam-policy-binding \
  [email protected] \
  --role=roles/iam.workloadIdentityUser \
  --member="serviceAccount:my-project.svc.id.goog[my-namespace/my-k8s-sa]"
```
Monitoring and Operations
Cloud Monitoring Integration
GKE automatically sends metrics to Cloud Monitoring:
- Node CPU/memory/disk
- Pod resource usage
- Control plane latency
- Network traffic
Cloud Logging Integration
All container logs are automatically sent to Cloud Logging with support for structured logging and correlated queries.
Key Alert Configuration
| Alert | Condition | Suggested Threshold |
|-------|-----------|---------------------|
| Node NotReady | For 5 minutes | Immediate action |
| Pod restarts | >3 in 15 minutes | Check app health |
| CPU utilization | >80% for 10 minutes | Auto-scale |
| Disk usage | >85% | Clean logs/expand |
| API Server latency | >1 second | Check cluster load |
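To make the first two rows of that table concrete, here is an added example (not part of the original guide) that evaluates the "Node NotReady for 5 minutes" and "Pod restarts >3 in 15 minutes" conditions over constructed sample data: a list of container-restart events and a once-a-minute series of node Ready status samples. Cloud Monitoring evaluates these for you in production; the stand-alone version shows what the thresholds mean and why a sliding window matters. Pod and node names and timestamps are constructed.

```python
"""Evaluate two GKE alert conditions over sample data (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

RESTART_THRESHOLD = 3                  # ">3 in 15 minutes"
RESTART_WINDOW = timedelta(minutes=15)
NOTREADY_DURATION = timedelta(minutes=5)  # "NotReady for 5 minutes"


def pods_restarting_too_often(events, threshold=RESTART_THRESHOLD, window=RESTART_WINDOW):
    """Return pods with more than `threshold` restarts inside any `window`.

    events: iterable of (timestamp, pod_name) container-restart events.
    A sliding window is used so a burst straddling two clock-aligned
    15-minute buckets is still detected.
    """
    by_pod = defaultdict(list)
    for ts, pod in events:
        by_pod[pod].append(ts)
    flagged = []
    for pod, stamps in by_pod.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Move the left edge forward until the window spans at most `window`.
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(pod)
                break
    return sorted(flagged)


def nodes_not_ready(samples, duration=NOTREADY_DURATION):
    """Return nodes whose Ready=False status persisted for at least `duration`.

    samples: iterable of (timestamp, node_name, ready_bool) status samples.
    Any Ready=True sample resets the clock, so brief blips do not alert.
    """
    by_node = defaultdict(list)
    for ts, node, ready in samples:
        by_node[node].append((ts, ready))
    flagged = []
    for node, rows in by_node.items():
        rows.sort()
        since = None
        for ts, ready in rows:
            if ready:
                since = None
            elif since is None:
                since = ts
            elif ts - since >= duration:
                flagged.append(node)
                break
    return sorted(flagged)


def _t(minute):
    """Constructed timestamp helper: 12:MM on a fixed day."""
    return datetime(2024, 1, 1, 12, minute)


# Constructed sample data.
RESTART_EVENTS = [
    # web-app-a: 4 restarts within 14 minutes -> alert
    (_t(0), "web-app-a"), (_t(4), "web-app-a"), (_t(9), "web-app-a"), (_t(14), "web-app-a"),
    # web-app-b: a restart every 10 minutes, never 4 inside 15 -> no alert
    (_t(0), "web-app-b"), (_t(10), "web-app-b"), (_t(20), "web-app-b"), (_t(30), "web-app-b"),
]
NODE_SAMPLES = (
    [(_t(m), "node-1", m < 3 or m > 8) for m in range(12)]    # NotReady 12:03-12:08 -> alert
    + [(_t(m), "node-2", m not in (5, 6)) for m in range(12)]  # two-minute blip -> no alert
)

if __name__ == "__main__":
    print("restart alerts:", pods_restarting_too_often(RESTART_EVENTS))
    print("node alerts:", nodes_not_ready(NODE_SAMPLES))
```

The restart rule keys on count within a window rather than on CrashLoopBackOff state, so it also catches a pod that restarts "successfully" every few minutes; the node rule only fires after the condition has persisted, which is what keeps a single missed heartbeat from paging anyone.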
Compared to AWS EKS, GKE's monitoring integration is more turnkey—no additional Prometheus/Grafana installation needed for full observability.
Cost Optimization
- Committed Use Discounts: 1-year ~-20%, 3-year ~-57%
- Preemptible VM node pools: Batch processing and CI/CD workloads
- HPA scale-down: Auto-release nodes during low-traffic periods
- GKE Cost Analysis: View costs by Namespace/Label
- Right-size requests: Avoid over-provisioning waste
Conclusion
GKE delivers the most hassle-free managed Kubernetes experience, backed by Google's unparalleled expertise. Whether you choose Autopilot for full management or Standard for flexible control, GKE meets containerization needs across all scales.
Duoyun Cloud is a GCP partner offering GKE architecture consulting and resource procurement. Order GCP resources through Duoyun for exclusive channel discounts and professional Chinese-language support, helping you build a production-grade Kubernetes platform at a lower cost. Visit duoyun.io for special offers.