gcp-gke-cluster-setup


GKE Cluster Setup

Purpose

Create production-ready GKE clusters with proper architecture, networking, and security configurations. This skill guides you through cluster creation, mode selection (Autopilot vs Standard), networking setup, and initial resource configuration.

When to Use

Use this skill when you need to:
  • Create a new GKE cluster for production or development
  • Choose between Autopilot and Standard cluster modes
  • Configure VPC-native networking and private clusters
  • Set up node pools with autoscaling
  • Enable security features (Workload Identity, private nodes)
  • Plan cluster architecture for Spring Boot microservices
Trigger phrases: "create GKE cluster", "set up Kubernetes cluster", "Autopilot vs Standard", "configure GKE networking"

Table of Contents

Quick Start

快速开始

Choose your cluster mode and create it:

```bash
# GKE Autopilot (Recommended for most use cases)
gcloud container clusters create-auto CLUSTER_NAME \
  --region=europe-west2 \
  --enable-ip-alias

# GKE Standard (if you need node control)
gcloud container clusters create CLUSTER_NAME \
  --region=europe-west2 \
  --enable-ip-alias \
  --machine-type=n2-standard-4 \
  --num-nodes=3
```

Instructions

Step 1: Decide Between Autopilot and Standard

Choose Autopilot if:
  • You have Spring Boot microservices (stateless, scalable)
  • You want Google to manage nodes and security
  • You benefit from per-pod billing (variable workloads)
  • Team focuses on application development, not infrastructure
  • You need rapid scaling and cost optimization
Choose Standard if:
  • You need full control over node configuration
  • You have specific infrastructure requirements
  • You need custom kernel or privileged containers
  • You have dedicated Kubernetes operations expertise
Recommendation: Use Autopilot for most new GKE deployments. It provides 99.9% SLA, automatic security patching, and cost savings up to 60%.

Step 2: Select Cluster Type (Regional vs Zonal)

**Regional (Production Recommended):**
```bash
# 99.95% SLA for control plane
# Control plane and nodes distributed across multiple zones
gcloud container clusters create-auto CLUSTER_NAME \
  --region=europe-west2  # Distributes across a, b, c zones
```

**Zonal (Development/Test Only):**
```bash
# 99.5% SLA, single point of failure
# Use only for non-critical environments
gcloud container clusters create-auto CLUSTER_NAME \
  --zone=europe-west2-a
```

Step 3: Configure Networking (VPC-Native Required)

All production clusters must be VPC-native with proper IP allocation:

```bash
gcloud container clusters create-auto CLUSTER_NAME \
  --region=europe-west2 \
  --network=wtr-vpc \
  --subnetwork=wtr-cluster-subnet \
  --enable-ip-alias \
  --cluster-secondary-range-name=pods \
  --services-secondary-range-name=services
```

IP Ranges (Example):
  • Primary (Nodes): 10.0.0.0/24
  • Secondary Pods: 10.1.0.0/16
  • Secondary Services: 10.2.0.0/20

Step 4: Enable Security Features

```bash
gcloud container clusters create-auto CLUSTER_NAME \
  --region=europe-west2 \
  --enable-private-nodes \
  --enable-private-endpoint \
  --master-ipv4-cidr=172.16.0.0/28 \
  --enable-master-authorized-networks \
  --master-authorized-networks=203.0.113.0/24
```

Security Features:
  • Private nodes (no public IPs)
  • Private endpoint (kubectl only from VPC)
  • Workload Identity enabled by default
  • Shielded nodes enabled by default
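A posture check for the Step 4 settings, added here as an example and not part of this skill: it reads the JSON that `gcloud container clusters describe CLUSTER_NAME --region=europe-west2 --format=json` prints and reports which of the controls above are missing. Field names follow the GKE Cluster API resource; the two sample documents and the /24 width limit for authorized networks are constructed assumptions.

```python
import ipaddress
import json
import sys

# Constructed samples shaped like `gcloud container clusters describe --format=json`
# output (GKE Cluster resource field names; the values are made up for this example).
WEAK = {
    "name": "dev-cluster",
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": False},
    "masterAuthorizedNetworksConfig": {
        "enabled": True,
        "cidrBlocks": [{"cidrBlock": "0.0.0.0/0", "displayName": "anywhere"}]},
    "workloadIdentityConfig": {},
    "shieldedNodes": {"enabled": True},
}
HARDENED = {
    "name": "supplier-charges-production",
    "privateClusterConfig": {"enablePrivateNodes": True, "enablePrivateEndpoint": True,
                             "masterIpv4CidrBlock": "172.16.0.0/28"},
    "masterAuthorizedNetworksConfig": {
        "enabled": True,
        "cidrBlocks": [{"cidrBlock": "203.0.113.0/24", "displayName": "office"}]},
    "workloadIdentityConfig": {"workloadPool": "PROJECT_ID.svc.id.goog"},
    "shieldedNodes": {"enabled": True},
}

MAX_AUTHORIZED_PREFIX = 24  # policy assumption: an allow-list entry wider than a /24 is flagged


def audit_cluster(cluster: dict) -> list[str]:
    """Check the Step 4 controls on a describe document; an empty list means all are present."""
    findings = []
    private = cluster.get("privateClusterConfig") or {}
    if not private.get("enablePrivateNodes"):
        findings.append("nodes have public IPs (missing --enable-private-nodes)")
    if not private.get("enablePrivateEndpoint"):
        findings.append("control plane has a public endpoint (missing --enable-private-endpoint)")
    man = cluster.get("masterAuthorizedNetworksConfig") or {}
    if not man.get("enabled"):
        findings.append("master authorized networks disabled")
    for block in man.get("cidrBlocks", []):
        net = ipaddress.ip_network(block["cidrBlock"], strict=False)
        if net.prefixlen < MAX_AUTHORIZED_PREFIX:
            findings.append(f"authorized network {net} ({block.get('displayName', '')}) is wider than /{MAX_AUTHORIZED_PREFIX}")
    if not (cluster.get("workloadIdentityConfig") or {}).get("workloadPool"):
        findings.append("Workload Identity not enabled (no workloadPool)")
    if not (cluster.get("shieldedNodes") or {}).get("enabled"):
        findings.append("Shielded nodes not enabled")
    return findings


if __name__ == "__main__":
    # Usage: gcloud container clusters describe CLUSTER_NAME --region=europe-west2 --format=json | python3 audit.py
    problems = audit_cluster(json.load(sys.stdin))
    print("\n".join(problems) if problems else "all Step 4 controls present")
    sys.exit(1 if problems else 0)
```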

Step 5: Configure Node Pools (Standard Only)

For GKE Standard, create specialized node pools:

```bash
# Production workloads
gcloud container node-pools create production-pool \
  --cluster=CLUSTER_NAME \
  --region=europe-west2 \
  --machine-type=n2-standard-4 \
  --num-nodes=3 \
  --enable-autoscaling \
  --min-nodes=2 \
  --max-nodes=10

# Batch/non-critical workloads (optional)
gcloud container node-pools create batch-pool \
  --cluster=CLUSTER_NAME \
  --region=europe-west2 \
  --machine-type=n2-standard-2 \
  --spot  # Up to 91% cheaper
```

Step 6: Enable Monitoring and Logging

```bash
# --logging/--monitoring select which components are collected and
# supersede the older --enable-cloud-logging/--enable-cloud-monitoring flags
gcloud container clusters update CLUSTER_NAME \
  --region=europe-west2 \
  --logging=SYSTEM,WORKLOAD \
  --monitoring=SYSTEM,WORKLOAD \
  --enable-managed-prometheus
```

Step 7: Get Credentials and Verify

```bash
# Get kubectl credentials
gcloud container clusters get-credentials CLUSTER_NAME \
  --region=europe-west2 \
  --project=PROJECT_ID

# Verify cluster access
kubectl cluster-info
kubectl get nodes
```

Examples

Example 1: Production Autopilot Cluster

```bash
#!/bin/bash
# Create production-ready Autopilot cluster for Supplier Charges Hub

CLUSTER_NAME="supplier-charges-production"
REGION="europe-west2"
PROJECT_ID="ecp-wtr-supplier-charges-prod"
NETWORK="wtr-vpc"
SUBNET="wtr-prod-subnet"

gcloud container clusters create-auto "$CLUSTER_NAME" \
  --region="$REGION" \
  --project="$PROJECT_ID" \
  --network="$NETWORK" \
  --subnetwork="$SUBNET" \
  --enable-ip-alias \
  --cluster-secondary-range-name=pods \
  --services-secondary-range-name=services \
  --enable-private-nodes \
  --enable-private-endpoint \
  --master-ipv4-cidr=172.16.0.0/28 \
  --enable-master-authorized-networks \
  --master-authorized-networks=203.0.113.0/24 \
  --logging=SYSTEM,WORKLOAD \
  --monitoring=SYSTEM,WORKLOAD \
  --release-channel=regular \
  --enable-managed-prometheus

# Get credentials
gcloud container clusters get-credentials "$CLUSTER_NAME" \
  --region="$REGION" \
  --project="$PROJECT_ID"

# Verify
kubectl cluster-info
```

Example 2: Development Zonal Cluster

```bash
# Quick dev/test cluster (lower cost, single zone)
gcloud container clusters create-auto dev-cluster \
  --zone=europe-west2-a \
  --project=ecp-wtr-supplier-charges-labs
```

Example 3: GKE Standard with Multiple Node Pools

```bash
# Create Standard cluster
gcloud container clusters create managed-cluster \
  --region=europe-west2 \
  --machine-type=n2-standard-4 \
  --num-nodes=3 \
  --enable-autoscaling \
  --min-nodes=2 \
  --max-nodes=10 \
  --enable-ip-alias \
  --network=wtr-vpc \
  --subnetwork=wtr-cluster-subnet

# Add specialized batch node pool
gcloud container node-pools create batch-pool \
  --cluster=managed-cluster \
  --region=europe-west2 \
  --machine-type=n2-highmem-8 \
  --spot \
  --enable-autoscaling \
  --min-nodes=0 \
  --max-nodes=20
```

Requirements

  • gcloud CLI configured with appropriate project and permissions
  • GCP project with GKE API enabled: `gcloud services enable container.googleapis.com`
  • VPC and subnets already created with secondary IP ranges
  • For private clusters: authorized networks configured (your office IP range)
  • IAM role: `roles/container.admin` or `roles/container.clusterManager`

See Also

  • gcp-gke-workload-identity - Set up secure service-to-service authentication
  • gcp-gke-deployment-strategies - Deploy and update applications
  • gcp-gke-troubleshooting - Diagnose and fix cluster issues