TL;DR

Use gcloud container clusters get-credentials to connect, GKE Workload Identity to bind Kubernetes SAs to Google Service Accounts, and consider GKE Autopilot for fully-managed node lifecycle. Run gcloud config list to confirm active project and account.

Cluster Basics

Daily GKE commands for connecting, inspecting cluster state, and listing node pools. GKE clusters are regional by default in modern configurations, giving you control plane HA across zones.

gke-basics.sh
```bash
PROJECT=my-gcp-project
REGION=us-central1
CLUSTER=my-gke-cluster

# Connect (writes a kubeconfig context for the cluster)
gcloud container clusters get-credentials $CLUSTER \
  --region $REGION --project $PROJECT

# Cluster info
gcloud container clusters describe $CLUSTER \
  --region $REGION --project $PROJECT \
  --format="value(currentMasterVersion,status,endpoint)"

# List available versions
gcloud container get-server-config --region $REGION --project $PROJECT \
  --format="value(validMasterVersions[0])"

# Node pools
gcloud container node-pools list \
  --cluster $CLUSTER --region $REGION --project $PROJECT

# Scale a node pool
gcloud container clusters resize $CLUSTER \
  --node-pool default-pool \
  --num-nodes 5 \
  --region $REGION --project $PROJECT

# Check active project and account
gcloud config list
```

Workload Identity

GKE Workload Identity binds a Kubernetes ServiceAccount to a Google Service Account: pods that run as the annotated KSA obtain GCP credentials from the GKE metadata server, so no service-account key files are mounted or distributed.

workload-identity.sh
```bash
PROJECT=my-gcp-project
CLUSTER=my-gke-cluster
REGION=us-central1
GSA=my-app-gsa         # Google Service Account name
KSA=my-service-account # Kubernetes Service Account name
NAMESPACE=my-namespace

# 1. Enable Workload Identity on cluster
#    (node pools must also run the GKE metadata server, i.e. --workload-metadata=GKE_METADATA,
#    otherwise pods can still reach the node's own service account)
gcloud container clusters update $CLUSTER \
  --region $REGION --project $PROJECT --workload-pool=$PROJECT.svc.id.goog

# 2. Create Google Service Account
gcloud iam service-accounts create $GSA --project $PROJECT

# 3. Grant GCP permissions to the GSA (e.g. Storage Object Viewer)
gcloud projects add-iam-policy-binding $PROJECT \
  --member "serviceAccount:$GSA@$PROJECT.iam.gserviceaccount.com" \
  --role "roles/storage.objectViewer"

# 4. Bind K8s SA to GSA via IAM (only this namespace/KSA may impersonate the GSA)
gcloud iam service-accounts add-iam-policy-binding \
  $GSA@$PROJECT.iam.gserviceaccount.com \
  --project $PROJECT \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:$PROJECT.svc.id.goog[$NAMESPACE/$KSA]"

# 5. Annotate the K8s Service Account
kubectl annotate sa $KSA -n $NAMESPACE \
  iam.gke.io/gcp-service-account=$GSA@$PROJECT.iam.gserviceaccount.com

# 6. Verify: pod must use the annotated KSA (and its image must contain gcloud)
kubectl exec -it <pod> -n $NAMESPACE -- gcloud auth list
```
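After step 4 the GSA's IAM policy is the complete list of who may impersonate it, so it is worth auditing for stale or unexpected bindings. The script below is an added example, not part of the original cheatsheet; it assumes the policy JSON comes from gcloud iam service-accounts get-iam-policy GSA@PROJECT.iam.gserviceaccount.com --format=json and uses a constructed sample policy in place of real output.

```python
"""Audit roles/iam.workloadIdentityUser members on a GSA's IAM policy.

Every member of the form serviceAccount:PROJECT.svc.id.goog[NAMESPACE/KSA]
bound to that role can mint tokens for the GSA, so anything beyond the one
expected KSA is a finding. (roles/iam.serviceAccountTokenCreator and
roles/iam.serviceAccountUser are other impersonation paths worth reviewing.)
"""
import json
import re

WI_ROLE = "roles/iam.workloadIdentityUser"
WI_MEMBER = re.compile(r"^serviceAccount:(?P<pool>[^\[]+)\[(?P<ns>[^/]+)/(?P<ksa>[^\]]+)\]$")


def workload_identity_members(policy):
    """Return the set of (pool, namespace, ksa) tuples bound to WI_ROLE."""
    found = set()
    for binding in policy.get("bindings", []):
        if binding.get("role") != WI_ROLE:
            continue
        for member in binding.get("members", []):
            m = WI_MEMBER.match(member)
            if m:
                found.add((m["pool"], m["ns"], m["ksa"]))
            else:  # user:/group: principals do not belong on this role
                found.add(("<non-workload-member>", member, ""))
    return found


def audit(policy, project, namespace, ksa):
    """Return (expected binding present, sorted list of unexpected members)."""
    expected = (f"{project}.svc.id.goog", namespace, ksa)
    members = workload_identity_members(policy)
    return expected in members, sorted(members - {expected})


# Constructed sample policy (not real gcloud output): the intended binding plus a
# stale binding from a 'default' namespace test and a direct user grant.
SAMPLE_POLICY = json.loads("""{
  "bindings": [
    {"role": "roles/iam.workloadIdentityUser",
     "members": ["serviceAccount:my-gcp-project.svc.id.goog[my-namespace/my-service-account]",
                 "serviceAccount:my-gcp-project.svc.id.goog[default/default]",
                 "user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwXyz", "version": 1
}""")

if __name__ == "__main__":
    ok, extra = audit(SAMPLE_POLICY, "my-gcp-project", "my-namespace", "my-service-account")
    print("expected binding present:", ok)
    for pool, ns, name in extra:
        print("unexpected workloadIdentityUser member:", pool, ns, name)
```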

Autopilot vs Standard

GKE Autopilot removes node management entirely: GCP provisions nodes on demand to fit each Pod spec, and you pay for the resources your Pods request. Prefer Autopilot for teams that don't want to manage node capacity.

autopilot.sh
```bash
# Create an Autopilot cluster
gcloud container clusters create-auto my-autopilot-cluster \
  --region us-central1 \
  --project my-gcp-project

# Autopilot key differences:
# - No node pools to manage or scale manually
# - Each Pod must have resource requests (required, enforced)
# - Certain privileged workloads are restricted (no DaemonSets, no privileged containers)
# - Node auto-provisioning is always on
# - Pricing is per vCPU/memory/storage requested by Pods

# Check if a cluster is Autopilot
gcloud container clusters describe my-cluster \
  --region us-central1 \
  --project my-gcp-project \
  --format="value(autopilot.enabled)"
```

Node Pool Operations

For Standard GKE clusters, node pools let you mix machine types, GPU nodes, and spot instances within the same cluster.

node-pools.sh
```bash
PROJECT=my-gcp-project
REGION=us-central1
CLUSTER=my-gke-cluster

# Add a node pool with autoscaling (taint keeps general workloads off it
# unless they tolerate highmem=true)
gcloud container node-pools create high-mem \
  --cluster $CLUSTER \
  --region $REGION \
  --project $PROJECT \
  --machine-type n2-highmem-8 \
  --num-nodes 1 \
  --enable-autoscaling \
  --min-nodes 0 \
  --max-nodes 10 \
  --node-labels workload=highmem \
  --node-taints highmem=true:NoSchedule

# Add a Spot VM node pool (preemptible replacement, ~70% cheaper)
gcloud container node-pools create spot-pool \
  --cluster $CLUSTER --region $REGION --project $PROJECT \
  --machine-type e2-medium \
  --spot \
  --num-nodes 3 \
  --enable-autoscaling --min-nodes 0 --max-nodes 20

# Upgrade a node pool to a new K8s version
# (without --node-version it upgrades to the cluster's current master version)
gcloud container node-pools upgrade high-mem \
  --cluster $CLUSTER --region $REGION --project $PROJECT

# Delete node pool
gcloud container node-pools delete high-mem \
  --cluster $CLUSTER --region $REGION --project $PROJECT
```