Google Kubernetes Engine Cheat Sheet
Overview
Google Kubernetes Engine (GKE) is a managed Kubernetes service built on Google Cloud that provides a production-ready environment for deploying containerized applications. As the original creators of Kubernetes, Google brings deep expertise to GKE with features like Autopilot mode (fully managed node infrastructure), multi-cluster management with GKE Enterprise, and integrated security through Binary Authorization and Workload Identity. GKE runs a certified, conformant version of Kubernetes with automatic upgrades and repair.
GKE offers two operation modes: Standard (you manage node pools and configuration) and Autopilot (Google manages infrastructure, you only define workloads). Both modes integrate with Google Cloud services including Cloud Logging, Cloud Monitoring, Artifact Registry, Cloud Load Balancing, and VPC networking. GKE also supports GKE Sandbox (gVisor) for enhanced workload isolation, Managed Prometheus for metrics, and Gateway API for advanced traffic management.
Installation
Install gcloud CLI and kubectl
# Install gcloud SDK
# Piping a remote script into bash runs unreviewed code as your user; on
# production hosts prefer the versioned tarball or OS package and verify the
# published SHA256 checksum before extracting
curl https://sdk.cloud.google.com | bash
exec -l $SHELL
gcloud init
# Install kubectl via gcloud
gcloud components install kubectl
# Install gke-gcloud-auth-plugin (required since kubectl 1.26: kubeconfig no
# longer carries static credentials; the plugin fetches short-lived tokens)
gcloud components install gke-gcloud-auth-plugin
# Verify
kubectl version --client
gcloud version
gke-gcloud-auth-plugin --version
Cluster Management
| Command | Description |
|---|---|
| gcloud container clusters create <name> | Create a new Standard cluster (use create-auto for Autopilot) |
| gcloud container clusters delete <name> | Delete a cluster |
| gcloud container clusters list | List clusters |
| gcloud container clusters describe <name> | Show cluster details |
| gcloud container clusters resize <name> --num-nodes <n> | Resize a node pool (add --node-pool <pool> when the cluster has more than one) |
| gcloud container clusters get-credentials <name> | Configure kubectl access |
| gcloud container clusters upgrade <name> | Upgrade node pool version (add --master to upgrade the control plane) |
Create Clusters
# Autopilot cluster (recommended): Google manages the nodes, and Workload
# Identity, Shielded nodes and a restricted pod security baseline are on by default
gcloud container clusters create-auto my-cluster \
--region us-central1 \
--project my-project
# Standard cluster
# --region with --num-nodes 3 creates 3 nodes per zone (9 nodes in a 3-zone region)
# Create gke-node-sa first with only roles/logging.logWriter, roles/monitoring.metricWriter,
# roles/monitoring.viewer and roles/artifactregistry.reader; the Compute default SA is Editor
gcloud container clusters create my-cluster \
--region us-central1 \
--release-channel regular \
--num-nodes 3 \
--machine-type e2-standard-4 \
--disk-size 100 \
--enable-autoscaling --min-nodes 1 --max-nodes 10 \
--enable-autorepair \
--enable-autoupgrade \
--workload-pool=my-project.svc.id.goog \
--enable-ip-alias \
--enable-shielded-nodes --shielded-secure-boot \
--enable-private-nodes --master-ipv4-cidr 172.16.0.0/28 \
--enable-master-authorized-networks --master-authorized-networks 10.0.0.0/8 \
--service-account gke-node-sa@my-project.iam.gserviceaccount.com
# Private nodes have no public IPs: add Cloud NAT for egress to non-Google endpoints
# Get credentials for kubectl
gcloud container clusters get-credentials my-cluster --region us-central1
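The flags above only help if they are actually set on the cluster you inherit, so a practitioner usually audits the `describe` output rather than trusting the create command. The following is an added example for this cheat sheet, not GKE's own tooling: it walks two constructed, abbreviated stand-ins for the JSON that `gcloud container clusters describe my-cluster --region us-central1 --format=json` returns (field names follow that output; the values, project id and service account names are made up) and reports every hardening setting that is off.

```python
"""Audit a Standard cluster's hardening settings from its describe output.

Added example for this cheat sheet, not code from Google or GKE.  WEAK_CLUSTER
and HARDENED_CLUSTER are constructed, abbreviated stand-ins for the JSON that
`gcloud container clusters describe my-cluster --region us-central1 --format=json`
returns: field names follow that output, values are made up.
"""

# Constructed: a cluster created with defaults only (no hardening flags).
WEAK_CLUSTER = {
    "name": "my-cluster",
    "location": "us-central1",
    "shieldedNodes": {"enabled": False},
    "privateClusterConfig": {"enablePrivateNodes": False},
    "masterAuthorizedNetworksConfig": {},
    "legacyAbac": {"enabled": True},
    "nodePools": [{
        "name": "default-pool",
        "config": {
            "serviceAccount": "default",  # Compute Engine default SA
            "metadata": {},
            "shieldedInstanceConfig": {"enableIntegrityMonitoring": True},
            "workloadMetadataConfig": {"mode": "GCE_METADATA"},
        },
    }],
}

# Constructed: the same cluster created with the hardening flags shown above.
HARDENED_CLUSTER = {
    "name": "my-cluster",
    "location": "us-central1",
    "releaseChannel": {"channel": "REGULAR"},
    "shieldedNodes": {"enabled": True},
    "privateClusterConfig": {"enablePrivateNodes": True,
                             "masterIpv4CidrBlock": "172.16.0.0/28"},
    "masterAuthorizedNetworksConfig": {"enabled": True,
                                       "cidrBlocks": [{"cidrBlock": "10.0.0.0/8"}]},
    "workloadIdentityConfig": {"workloadPool": "my-project.svc.id.goog"},
    "binaryAuthorization": {"evaluationMode": "PROJECT_SINGLETON_POLICY_ENFORCE"},
    "nodePools": [{
        "name": "default-pool",
        "config": {
            "serviceAccount": "gke-node-sa@my-project.iam.gserviceaccount.com",
            "metadata": {"disable-legacy-endpoints": "true"},
            "shieldedInstanceConfig": {"enableSecureBoot": True,
                                       "enableIntegrityMonitoring": True},
            "workloadMetadataConfig": {"mode": "GKE_METADATA"},
        },
    }],
}


def _get(d, *keys, default=None):
    """Walk nested dicts; in describe output an absent key means the feature is off."""
    for k in keys:
        if not isinstance(d, dict) or k not in d:
            return default
        d = d[k]
    return d


def audit_cluster(desc):
    """Return a list of findings for one cluster description; [] means all checks passed."""
    findings = []
    if not _get(desc, "releaseChannel", "channel"):
        findings.append("cluster: no release channel (no automatic control-plane patching)")
    if not _get(desc, "shieldedNodes", "enabled"):
        findings.append("cluster: Shielded GKE Nodes disabled (no vTPM-backed node identity)")
    if not _get(desc, "privateClusterConfig", "enablePrivateNodes"):
        findings.append("cluster: nodes have public IP addresses")
    if not _get(desc, "masterAuthorizedNetworksConfig", "enabled"):
        findings.append("cluster: API server reachable from any IP (no authorized networks)")
    if _get(desc, "legacyAbac", "enabled"):
        findings.append("cluster: legacy ABAC enabled (bypasses RBAC)")
    if not _get(desc, "workloadIdentityConfig", "workloadPool"):
        findings.append("cluster: Workload Identity disabled")
    ba = desc.get("binaryAuthorization", {})
    # Older API versions expose {"enabled": true} instead of evaluationMode.
    if ba.get("evaluationMode", "DISABLED") == "DISABLED" and not ba.get("enabled"):
        findings.append("cluster: Binary Authorization disabled")
    for pool in desc.get("nodePools", []):
        cfg = pool.get("config", {})
        tag = f"node pool {pool.get('name')}:"
        if cfg.get("serviceAccount", "default") == "default":
            findings.append(f"{tag} runs as the Compute Engine default service account")
        if _get(cfg, "metadata", "disable-legacy-endpoints") != "true":
            findings.append(f"{tag} legacy (v1beta1) metadata endpoints enabled")
        if not _get(cfg, "shieldedInstanceConfig", "enableSecureBoot"):
            findings.append(f"{tag} Secure Boot disabled")
        if _get(cfg, "workloadMetadataConfig", "mode") != "GKE_METADATA":
            findings.append(f"{tag} GKE metadata server off; pods can fetch the node SA's tokens")
    return findings


if __name__ == "__main__":
    for label, cluster in (("weak", WEAK_CLUSTER), ("hardened", HARDENED_CLUSTER)):
        found = audit_cluster(cluster)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```

Against a real cluster, replace the dict literals with `json.load` over the saved `describe` output; the node pool checks are the ones most often missed, because a cluster-level `--workload-pool` does not retroactively switch existing pools to the GKE metadata server.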
Node Pool Management
# Add node pool
gcloud container node-pools create gpu-pool \
--cluster my-cluster \
--region us-central1 \
--machine-type n1-standard-4 \
--accelerator type=nvidia-tesla-t4,count=1 \
--num-nodes 2 \
--enable-autoscaling --min-nodes 0 --max-nodes 5
# List node pools
gcloud container node-pools list --cluster my-cluster --region us-central1
# Change autoscaling bounds on an existing node pool
gcloud container node-pools update default-pool \
--cluster my-cluster \
--region us-central1 \
--enable-autoscaling --min-nodes 2 --max-nodes 8
# Resize a node pool to a fixed count (per zone for regional clusters)
gcloud container clusters resize my-cluster \
--node-pool default-pool \
--region us-central1 \
--num-nodes 4
# Delete node pool
gcloud container node-pools delete old-pool --cluster my-cluster --region us-central1
Workload Identity
# Enable Workload Identity on an existing cluster (one pool per project)
gcloud container clusters update my-cluster \
--region us-central1 \
--workload-pool=my-project.svc.id.goog
# Existing Standard node pools must also switch to the GKE metadata server;
# until they do, pods can still read the node service account's tokens from
# the Compute Engine metadata server
gcloud container node-pools update default-pool \
--cluster my-cluster \
--region us-central1 \
--workload-metadata=GKE_METADATA
# Create GCP service account
gcloud iam service-accounts create gke-app-sa
# Grant GCS access (project-wide here; prefer a bucket-level binding via
# gcloud storage buckets add-iam-policy-binding when one bucket is enough)
gcloud projects add-iam-policy-binding my-project \
--member "serviceAccount:gke-app-sa@my-project.iam.gserviceaccount.com" \
--role "roles/storage.objectViewer"
# Bind Kubernetes SA to GCP SA. The member is PROJECT.svc.id.goog[NAMESPACE/KSA];
# this binding is the trust edge, so name one namespace/KSA, never the default SA
gcloud iam service-accounts add-iam-policy-binding gke-app-sa@my-project.iam.gserviceaccount.com \
--role roles/iam.workloadIdentityUser \
--member "serviceAccount:my-project.svc.id.goog[default/app-sa]"
# Create and annotate the Kubernetes service account (namespace must match the binding)
kubectl create serviceaccount app-sa --namespace default
kubectl annotate serviceaccount app-sa --namespace default \
iam.gke.io/gcp-service-account=gke-app-sa@my-project.iam.gserviceaccount.com
# Pods must run as that KSA (spec.serviceAccountName: app-sa); verify from inside one:
# curl -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/email
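Three things must agree for the binding above to work: the KSA annotation, the IAM member string on the GSA, and the namespace the pod runs in. When "Workload Identity not working" comes up, the quickest diagnosis is to compare them side by side, and the same data answers a question the page does not ask but a security engineer will: who else is allowed to impersonate this GSA? The script below is an added example, not part of the cheat sheet or Google's tooling; its inputs are constructed stand-ins for `kubectl get serviceaccount app-sa -n default -o json` and `gcloud iam service-accounts get-iam-policy GSA_EMAIL --format=json`, using the page's placeholder project and account names.

```python
"""Cross-check the pieces that have to agree for Workload Identity.

Added example for this cheat sheet, not GKE's own tooling.  KSA_* and
GSA_POLICY are constructed stand-ins for `kubectl get serviceaccount ... -o json`
and `gcloud iam service-accounts get-iam-policy ... --format=json`; the project
id, emails and namespaces are the page's placeholders, not real ones.
"""
import re

PROJECT = "my-project"
GSA = f"gke-app-sa@{PROJECT}.iam.gserviceaccount.com"
WI_ROLE = "roles/iam.workloadIdentityUser"
ANNOTATION = "iam.gke.io/gcp-service-account"
# serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
MEMBER_RE = re.compile(r"^serviceAccount:(?P<pool>[^\[]+)\[(?P<ns>[^/\]]+)/(?P<ksa>[^\]]+)\]$")

KSA_OK = {  # constructed: the KSA as annotated in the procedure above
    "kind": "ServiceAccount",
    "metadata": {"name": "app-sa", "namespace": "default",
                 "annotations": {ANNOTATION: GSA}},
}
KSA_TYPO = {  # constructed: annotation names a GSA that was never bound
    "kind": "ServiceAccount",
    "metadata": {"name": "app-sa", "namespace": "default",
                 "annotations": {ANNOTATION: f"gke-app@{PROJECT}.iam.gserviceaccount.com"}},
}
KSA_PROD = {  # constructed: same KSA name in another namespace; no binding covers it
    "kind": "ServiceAccount",
    "metadata": {"name": "app-sa", "namespace": "prod",
                 "annotations": {ANNOTATION: GSA}},
}


def expected_member(project, namespace, ksa):
    """The IAM principal GKE presents for pods running as NAMESPACE/KSA."""
    return f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"


GSA_POLICY = {  # constructed: get-iam-policy output for GSA, with one extra grant
    "bindings": [
        {"role": WI_ROLE,
         "members": [expected_member(PROJECT, "default", "app-sa"),
                     expected_member(PROJECT, "staging", "debug-sa"),
                     "serviceAccount:other-project.svc.id.goog[default/app-sa]"]},
        {"role": "roles/iam.serviceAccountTokenCreator",
         "members": ["user:alice@example.com"]},
    ],
    "etag": "BwYabc123",
}


def check_workload_identity(ksa_obj, gsa_policy, gsa, project):
    """Return (ok, problems, other_impersonators).

    other_impersonators lists every other principal with workloadIdentityUser on
    the GSA: each of them can mint the GSA's access tokens, so review the list.
    """
    meta = ksa_obj["metadata"]
    ns, name = meta["namespace"], meta["name"]
    problems = []

    annotated = (meta.get("annotations") or {}).get(ANNOTATION)
    if annotated != gsa:
        problems.append(f"KSA {ns}/{name}: {ANNOTATION} is {annotated!r}, expected {gsa!r}")

    want = expected_member(project, ns, name)
    wi_members = [m for b in gsa_policy.get("bindings", [])
                  if b.get("role") == WI_ROLE for m in b.get("members", [])]
    if want not in wi_members:
        problems.append(f"{gsa}: no {WI_ROLE} binding for {want}")

    others = []
    for member in wi_members:
        if member == want:
            continue
        m = MEMBER_RE.match(member)
        # Same-project KSAs are shown as namespace/name; anything else verbatim.
        if m and m["pool"] == f"{project}.svc.id.goog":
            others.append(f"{m['ns']}/{m['ksa']}")
        else:
            others.append(member)
    return not problems, problems, others


if __name__ == "__main__":
    for label, ksa in (("ok", KSA_OK), ("typo", KSA_TYPO), ("prod", KSA_PROD)):
        ok, problems, others = check_workload_identity(ksa, GSA_POLICY, GSA, PROJECT)
        print(f"{label}: ok={ok} problems={problems} other_impersonators={others}")
```

The `prod` case is the one that bites in practice: the annotation is correct and the GSA is bound, but to `default/app-sa`, so pods in `prod` get the node identity instead. The `other_impersonators` list surfaces a binding from a different project's workload pool, which a project-level review of the GSA would otherwise miss.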
Networking
Ingress with Google Cloud Load Balancer
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    # GKE Ingress is selected by annotation: "gce" = external L7 LB, "gce-internal" = internal
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.global-static-ip-name: "web-ip"
    # names a ManagedCertificate resource (networking.gke.io) in the same namespace
    networking.gke.io/managed-certificates: "web-cert"
    # plain HTTP on port 80 stays open unless a FrontendConfig enables redirectToHttps
spec:
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /*
        pathType: ImplementationSpecific
        backend:
          service:
            name: web-service
            port:
              number: 80
Gateway API
# Requires the Gateway API on the cluster:
#   gcloud container clusters update my-cluster --region us-central1 --gateway-api=standard
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: external-http
spec:
  gatewayClassName: gke-l7-global-external-managed
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      # a kubernetes.io/tls Secret in this namespace, not an Ingress ManagedCertificate
      - name: web-cert
# Nothing is routed until an HTTPRoute with parentRefs to this Gateway exists
Configuration
GKE Config Connector (Manage GCP Resources via K8s)
apiVersion: storage.cnrm.cloud.google.com/v1beta1
kind: StorageBucket
metadata:
  name: my-app-data
  annotations:
    # project the bucket is created in; the Config Connector controller's own
    # service account needs storage.admin there, so scope that account tightly
    cnrm.cloud.google.com/project-id: my-project
spec:
  location: US
  storageClass: STANDARD
  versioning:
    enabled: true
Pod Disruption Budget
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: web-pdb
spec:
  # minAvailable must be below the replica count or node drains, auto-repair
  # and auto-upgrade stall waiting for an eviction that can never be allowed
  minAvailable: 2
  selector:
    matchLabels:
      app: web
Advanced Usage
Binary Authorization
# Enable Binary Authorization (enforce the project's single policy)
gcloud container clusters update my-cluster \
--region us-central1 \
--binauthz-evaluation-mode=PROJECT_SINGLETON_POLICY_ENFORCE
# Create attestor (the Container Analysis note must already exist)
gcloud container binauthz attestors create my-attestor \
--attestation-authority-note=projects/my-project/notes/my-note \
--attestation-authority-note-project=my-project
# Register the attestor's verification key (PKIX key held in Cloud KMS)
gcloud container binauthz attestors public-keys add --attestor my-attestor \
--keyversion-project my-project --keyversion-location us-central1 \
--keyversion-keyring binauthz-ring --keyversion-key attestor-key --keyversion 1
# An attestor blocks nothing until the policy's admission rules require it
gcloud container binauthz policy import policy.yaml
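Enabling enforcement on the cluster and creating an attestor are only half the control; the policy is what decides whether an unsigned image is blocked or merely logged, and a policy can be "enabled" while a dry-run enforcement mode or a catch-all whitelist pattern makes the attestor irrelevant. The linter below is an added example for this cheat sheet, not Google's code: it checks two constructed policies (stand-ins for what `gcloud container binauthz policy export` returns, as plain dicts rather than YAML, with the page's placeholder project, cluster and attestor names) for exactly those weaknesses.

```python
"""Lint a Binary Authorization policy for settings that make the attestor moot.

Added example for this cheat sheet, not Google's code.  WEAK_POLICY and
HARDENED_POLICY are constructed stand-ins for the YAML that
`gcloud container binauthz policy export` prints (plain dicts here); the
project, cluster and attestor names are the page's placeholders.
"""

ENFORCE = "ENFORCED_BLOCK_AND_AUDIT_LOG"
ATTESTOR = "projects/my-project/attestors/my-attestor"

WEAK_POLICY = {  # constructed: Binary Authorization is "on", yet nothing is ever blocked
    "name": "projects/my-project/policy",
    "globalPolicyEvaluationMode": "ENABLE",
    "admissionWhitelistPatterns": [
        {"namePattern": "us-docker.pkg.dev/my-project/base/*"},
        {"namePattern": "**"},  # exempts every image from every registry
    ],
    "defaultAdmissionRule": {
        "evaluationMode": "ALWAYS_ALLOW",
        "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",
    },
    "clusterAdmissionRules": {
        "us-central1.my-cluster": {
            "evaluationMode": "REQUIRE_ATTESTATION",
            "enforcementMode": "DRYRUN_AUDIT_LOG_ONLY",  # logs a violation, still admits
            "requireAttestationsBy": [ATTESTOR],
        }
    },
}

HARDENED_POLICY = {  # constructed: every deploy must carry my-attestor's signature
    "name": "projects/my-project/policy",
    "globalPolicyEvaluationMode": "ENABLE",  # still admits Google-maintained system images
    "defaultAdmissionRule": {
        "evaluationMode": "REQUIRE_ATTESTATION",
        "enforcementMode": ENFORCE,
        "requireAttestationsBy": [ATTESTOR],
    },
}


def is_catch_all(pattern):
    """True for whitelist patterns that exempt images regardless of registry."""
    p = pattern.strip()
    return p in ("*", "**") or p.startswith("*")


def lint_rule(label, rule):
    """Findings for one admission rule (default or per-cluster)."""
    findings = []
    mode = rule.get("evaluationMode")
    if mode == "ALWAYS_ALLOW":
        findings.append(f"{label}: evaluationMode ALWAYS_ALLOW admits any image")
    elif mode == "REQUIRE_ATTESTATION" and not rule.get("requireAttestationsBy"):
        findings.append(f"{label}: REQUIRE_ATTESTATION but no attestors listed")
    if rule.get("enforcementMode") != ENFORCE:
        findings.append(f"{label}: enforcementMode {rule.get('enforcementMode')!r} audits only, never blocks")
    return findings


def lint_policy(policy):
    """Return a list of findings; [] means the policy really enforces attestations."""
    findings = []
    for entry in policy.get("admissionWhitelistPatterns", []):
        pat = entry.get("namePattern", "")
        if is_catch_all(pat):
            findings.append(f"admissionWhitelistPatterns: {pat!r} bypasses the policy for all images")
    if "defaultAdmissionRule" not in policy:
        findings.append("defaultAdmissionRule missing")
    findings += lint_rule("defaultAdmissionRule", policy.get("defaultAdmissionRule", {}))
    for cluster, rule in policy.get("clusterAdmissionRules", {}).items():
        findings += lint_rule(f"clusterAdmissionRules[{cluster}]", rule)
    return findings


if __name__ == "__main__":
    for label, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{label}:")
        for f in lint_policy(pol) or ["no findings"]:
            print("  -", f)
```

Run it against the exported policy before `policy import`; a per-cluster rule in dry-run is the common way a rollout gets stuck half way, since the audit log entries look like enforcement until someone notices the pods were admitted anyway.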
Backup for GKE
# Enable Backup API
gcloud services enable gkebackup.googleapis.com
# Create backup plan (the cluster needs the agent first:
#   gcloud container clusters update my-cluster --region us-central1 --update-addons=BackupRestore=ENABLED)
gcloud beta container backup-restore backup-plans create my-plan \
--location=us-central1 \
--cluster=projects/my-project/locations/us-central1/clusters/my-cluster \
--all-namespaces \
--include-secrets --include-volume-data \
--cron-schedule="0 2 * * *" \
--backup-retain-days=30
# A restore needs a restore plan that points at the backup plan and a target cluster
gcloud beta container backup-restore restore-plans create my-restore-plan \
--location=us-central1 \
--backup-plan=projects/my-project/locations/us-central1/backupPlans/my-plan \
--cluster=projects/my-project/locations/us-central1/clusters/my-cluster \
--all-namespaces \
--namespaced-resource-restore-mode=fail-on-conflict \
--cluster-resource-conflict-policy=use-existing-version
# Restore from a specific backup
gcloud beta container backup-restore restores create my-restore \
--location=us-central1 \
--restore-plan=my-restore-plan \
--backup=projects/my-project/locations/us-central1/backupPlans/my-plan/backups/my-backup
Spot VMs for Cost Savings
# Spot nodes can be reclaimed at any time; taint them so only workloads that
# tolerate the taint (and opt in with nodeSelector cloud.google.com/gke-spot=true) land there
gcloud container node-pools create spot-pool \
--cluster my-cluster \
--region us-central1 \
--spot \
--node-taints=cloud.google.com/gke-spot=true:NoSchedule \
--machine-type e2-standard-4 \
--num-nodes 3 \
--enable-autoscaling --min-nodes 0 --max-nodes 10
Troubleshooting
| Issue | Solution |
|---|---|
| gke-gcloud-auth-plugin not found | Install it: gcloud components install gke-gcloud-auth-plugin, then re-run gcloud container clusters get-credentials so kubeconfig uses the plugin |
| Nodes NotReady | Check kubectl describe node and the node's kubelet logs in Cloud Logging; verify VPC firewall rules allow node-to-node and control-plane-to-node traffic |
| Pods stuck Pending | Check kubectl describe pod events: resource quotas, node capacity, taints and unbound PersistentVolumeClaims (a PodDisruptionBudget blocks evictions, not scheduling) |
| Ingress returns 404 | Verify backend service health checks pass and the Service selector matches pods; check kubectl describe ingress for events (a new GCE load balancer takes several minutes to program) |
| Workload Identity not working | The KSA annotation must name the GSA, the IAM member must be serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA] with that exact namespace, the pod must set serviceAccountName, and the node pool must use --workload-metadata=GKE_METADATA |
| Autopilot rejects workload | Autopilot enforces resource requests and a pod security baseline: set resources.requests on every container and drop privileged, hostPath, hostNetwork and hostPID settings |
| Image pull errors | For Artifact Registry grant the node service account roles/artifactregistry.reader (storage.objectViewer only covers legacy Container Registry buckets); private clusters need Private Google Access on the subnet to reach the registry |