Creating a GKE Cluster

Creating a GKE cluster involves choosing a cluster mode, configuring networking, selecting machine types, and enabling features. This page walks through the prerequisites and step-by-step creation using gcloud and the Google Cloud Console.

Prerequisites

Before creating a cluster, ensure you have:

Requirement	Command / Action
Google Cloud project	`gcloud projects create PROJECT_ID`
Billing enabled	Link a billing account in the Console
Kubernetes Engine API enabled	`gcloud services enable container.googleapis.com`
gcloud CLI installed	Install gcloud CLI
kubectl installed	`gcloud components install kubectl`
Authenticated gcloud	`gcloud auth login`

# Set your project
gcloud config set project PROJECT_ID
 
# Set default compute zone/region
gcloud config set compute/zone ZONE   # e.g., us-central1-a

Quick Create

The fastest way to get a running cluster:

# Autopilot cluster (recommended for most workloads)
gcloud container clusters create-auto my-cluster \
  --region=us-central1
 
# Standard cluster (when you need node-level control)
gcloud container clusters create my-cluster \
  --zone=us-central1-a \
  --num-nodes=3

Tip: create-auto creates an Autopilot cluster. create creates a Standard cluster. The commands are different — do not confuse them.

Cluster Creation Flow

flowchart TD
    A[Choose Cluster Mode] --> B{Autopilot or Standard?}
    B -->|Autopilot| C["gcloud container clusters create-auto"]
    B -->|Standard| D["gcloud container clusters create"]
    C --> E[Configure region & networking]
    D --> F[Configure zone/region, machine type, node count]
    E --> G[Enable features]
    F --> G
    G --> H[Create cluster]
    H --> I[Get credentials]
    I --> J[Deploy workloads]

Autopilot Cluster — Full Example

gcloud container clusters create-auto my-autopilot-cluster \
  --region=us-central1 \
  --network=my-vpc \
  --subnetwork=my-subnet \
  --enable-private-nodes \
  --master-authorized-networks=10.0.0.0/8 \
  --release-channel=regular \
  --workload-pool=PROJECT_ID.svc.id.goog

Key Autopilot Flags

Flag	Purpose	Default
`--region`	Region for the cluster (required)	Prompted
`--network`	VPC network	`default`
`--subnetwork`	Subnet within the VPC	Auto
`--enable-private-nodes`	Nodes have no public IPs	Disabled
`--master-authorized-networks`	CIDR ranges that can access the control plane	Open (0.0.0.0/0)
`--release-channel`	Upgrade cadence: `rapid`, `regular`, `stable`	`regular`
`--workload-pool`	Enable Workload Identity Federation for GKE	Disabled

Note: Autopilot clusters do not accept --machine-type or --num-nodes flags. Google manages nodes automatically based on your pod resource requests.

Standard Cluster — Full Example

gcloud container clusters create my-standard-cluster \
  --zone=us-central1-a \
  --machine-type=e2-medium \
  --num-nodes=3 \
  --disk-size=50GB \
  --disk-type=pd-ssd \
  --enable-autoupgrade \
  --enable-autorepair \
  --max-surge-upgrade=1 \
  --max-unavailable-upgrade=0 \
  --network=my-vpc \
  --subnetwork=my-subnet \
  --enable-ip-alias \
  --cluster-ipv4-cidr=/21 \
  --services-ipv4-cidr=/24 \
  --release-channel=regular \
  --workload-pool=PROJECT_ID.svc.id.goog

Key Standard Flags

Flag	Purpose	Default
`--zone` or `--region`	Cluster location	Prompted
`--machine-type`	VM type for default node pool	`e2-medium`
`--num-nodes`	Initial node count in default pool	`3`
`--disk-size`	Boot disk size per node	`100GB`
`--disk-type`	`pd-standard`, `pd-ssd`, `pd-balanced`	`pd-standard`
`--enable-autoupgrade`	Auto-upgrade nodes to latest K8s version	Enabled
`--enable-autorepair`	Auto-repair unhealthy nodes	Enabled
`--enable-ip-alias`	VPC-native cluster (alias IPs)	Enabled
`--release-channel`	`rapid`, `regular`, `stable`; Standard can opt out	`regular`
`--workload-pool`	Enable Workload Identity Federation for GKE	Disabled
`--cluster-version`	Specific Kubernetes version	Latest in release channel
`--enable-shielded-nodes`	Secure boot and integrity monitoring	Enabled

Networking Configuration

VPC-Native vs Routes-Based

Feature	VPC-Native (Alias IPs)	Routes-Based (Legacy)
Pod IP visibility	Pods get IPs from VPC subnet	Pod IPs hidden behind node NAT
Network Policies	Fully supported	Limited support
Private GKE access	Supported	Not supported
Recommended	Yes	No (deprecated)

Warning: Routes-based clusters are deprecated. Always use VPC-native clusters (--enable-ip-alias, which is now the default).

Private Clusters

# Private cluster — nodes have no public IPs
gcloud container clusters create my-private-cluster \
  --zone=us-central1-a \
  --enable-private-nodes \
  --enable-private-endpoint \
  --master-ipv4-cidr-block=172.16.0.0/28 \
  --master-authorized-networks=10.0.0.0/8

Private Cluster Type	Control Plane Access	Node Access
Private nodes + public endpoint	Public IP (restricted by authorized networks)	No public IP
Private nodes + private endpoint	Private IP only (requires VPN/Interconnect)	No public IP

Tip: For most teams, private nodes with a public endpoint (restricted by --master-authorized-networks) is the right balance of security and convenience.

Release Channels

GKE release channels control how quickly your cluster receives Kubernetes updates:

Channel	Cadence	Risk Level	Best For
Rapid	Latest features first	Higher	Experimentation, dev
Regular	Balanced cadence	Medium	Most production clusters
Stable	Conservative, well-tested	Lowest	Risk-averse production
None (static)	Pinned to specific version	Variable	Strict compliance needs

Key Insight: GKE enrolls Autopilot clusters and new Standard clusters in a release channel by default. Standard clusters can opt out when you need static-version control, but then you must manage upgrades manually.

After Cluster Creation

# Get kubectl credentials
gcloud container clusters get-credentials CLUSTER_NAME \
  --zone ZONE \
  --project PROJECT_ID
 
# Verify the cluster
kubectl get nodes
kubectl cluster-info
 
# Deploy a test workload
kubectl create deployment hello-app --image=us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0
kubectl expose deployment hello-app --port=80 --target-port=8080 --type=LoadBalancer
 
# Check the deployment
kubectl get pods
kubectl get services

Useful Commands

Command	Purpose
`gcloud container clusters list`	List all clusters in the project
`gcloud container clusters describe NAME --zone ZONE`	Detailed cluster information
`gcloud container clusters update NAME --zone ZONE --enable-autoupgrade`	Enable auto-upgrade on existing cluster
`gcloud container clusters resize NAME --zone ZONE --num-nodes=N`	Resize default node pool
`gcloud container clusters delete NAME --zone ZONE`	Delete a cluster (irreversible)
`kubectl get nodes -o wide`	List nodes with details
`kubectl top nodes`	Show node resource usage

Warning: Deleting a cluster is permanent. All workloads, PersistentVolume data, and configurations are lost. Use --async flag to avoid blocking your terminal during deletion.

Common Pitfalls

Pitfall	Consequence	Fix
Creating cluster in wrong zone/region	Higher latency, potential data residency issues	Use `--region` for regional clusters in production
Not enabling IP alias	Cannot use Network Policies, limited VPC integration	Use VPC-native (default for new clusters)
Open master authorized networks	Control plane accessible from any IP	Restrict with `--master-authorized-networks`
Opting out of release channels	Manual upgrades, may fall behind on security patches	Keep the default release channel or explicitly use `--release-channel=regular`
Using default network	No network isolation from other resources	Create a dedicated VPC or subnet
Forgetting to get credentials	`kubectl` commands fail with connection error	Run `get-credentials` after creating the cluster

TL;DR

Use gcloud container clusters create-auto for Autopilot, gcloud container clusters create for Standard
Always use VPC-native clusters (the default)
Enable a release channel (--release-channel=regular) for automatic upgrades
Use private nodes with restricted master authorized networks for production
Run get-credentials after creation to configure kubectl
Set --workload-pool to enable Workload Identity Federation for GKE

Lalit's Cloud & DevOps notes