Use node auto-provisioning

Standard

This page explains how to enable and configure node auto-provisioning in Google Kubernetes Engine (GKE) Standard clusters. Using examples, this page shows you how to use YAML configuration files to configure advanced settings such as resource limits, auto-repair, and auto-upgrade, and to set some default values for auto-provisioning.

You also learn how to do the following:

Enhance cluster security by using customer-managed encryption keys (CMEK), and by configuring node integrity.
Optimize resource utilization and minimize disruptions by specifying surge or blue-green upgrade strategies, and by separating GKE-managed Pods from user workloads.
Improve performance by using accelerators, such as GPUs or TPUs, with auto-provisioning.

This page is for Operators, Cloud architects, Developers, and Network engineers who provision and configure cloud resources, and deploy workloads on GKE clusters. To learn more about common roles and example tasks referenced in Google Cloud content, see Common GKE user roles and tasks.

Before reading this page, ensure that you're familiar with the following:

Before you begin

Before you start, make sure that you have performed the following tasks:

Enable the Google Kubernetes Engine API.

Enable Google Kubernetes Engine API

If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.
Note: For existing gcloud CLI installations, make sure to set the compute/region property. If you use primarily zonal clusters, set the compute/zone instead. By setting a default location, you can avoid errors in the gcloud CLI like the following: One of [--zone, --region] must be supplied: Please specify location. You might need to specify the location in certain commands if the location of your cluster differs from the default that you set.

Ensure that you have an existing Standard cluster. To enable auto-provisioning on clusters that run TPU VMs, ensure that the GKE cluster runs one of the following versions:
- Version 1.27.6 and later or 1.28 and later, for Cloud TPU v4 and v5e.
- Version 1.28.7-gke.1020000 or later and 1.29.2-gke.1035000 or later for Cloud TPU v5p.
- Version 1.31.1-gke.1146000 or later for Cloud TPU Trillium.
To create a Standard cluster, see Create a regional cluster.

Limitations

Node auto-provisioning has the following resource limitations:

You must plan the node IP address range carefully. You can expand the node IP address range after you create a cluster. However, we recommend not to expand the node IP address range after you create the cluster as you must update the firewall rules to include the new range as a source. You can expand the Pod IP address range by using discontiguous multi-Pod CIDR with node auto-provisioning.
When you define maximum CPU and memory ranges, limits are calculated for your entire GKE cluster, not per node or per node pool. Node auto-provisioning checks these limits by considering the sum of resources from your existing, manually created node pools, all active auto-provisioned node pools, and any potential new nodes that node auto-provisioning might create. If provisioning a new node would cause the cluster's total resource usage to exceed either of these specified maximums, node auto-provisioning does not create the new node. This scenario can result in Pods remaining unscheduled if they require resources that exceed the defined maximums.

Enable node auto-provisioning

You can enable node auto-provisioning on a cluster with the gcloud CLI or the Google Cloud console.

gcloud

To enable node auto-provisioning, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --min-cpu MINIMUM_CPU \
    --min-memory MINIMUM_MEMORY \
    --max-cpu MAXIMUM_CPU \
    --max-memory MAXIMUM_MEMORY \
    --autoprovisioning-scopes=https://www.googleapis.com/auth/logging.write,https://www.googleapis.com/auth/monitoring,https://www.googleapis.com/auth/devstorage.read_only

Replace the following:

CLUSTER_NAME: the name of the cluster to enable node auto-provisioning.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
MINIMUM_CPU: the minimum number of cores in the cluster.
MINIMUM_MEMORY: the minimum number of gigabytes of memory in the cluster.
MAXIMUM_CPU: the maximum number of cores in the cluster. This limit sums the CPU resources across all existing manually created node pools and all potential node pools created by node auto-provisioning.
MAXIMUM_MEMORY: the maximum number of gigabytes of memory in the cluster. This limit sums the memory resources across all existing manually created node pools and all potential node pools created by node auto-provisioning.

The following example enables node auto-provisioning on the dev-cluster and allows scaling between a total cluster size of 1 CPU and 1 gigabyte of memory to a maximum of 10 CPU and 64 gigabytes of memory:

gcloud container clusters update dev-cluster \
    --location us-central1 \
    --enable-autoprovisioning \
    --min-cpu 1 \
    --min-memory 1 \
    --max-cpu 10 \
    --max-memory 64

Console

To enable node auto-provisioning, perform the following steps:

Go to the Google Kubernetes Engine page in Google Cloud console.

Go to Google Kubernetes Engine
Click the name of the cluster.
In the Automation section, for Node auto-provisioning, click Edit.
Select the Enable node auto-provisioning checkbox.
Set your desired minimum and maximum CPU and memory usage for the cluster.
Click Save changes.

Using an auto-provisioning config file

Node auto-provisioning can be configured by using a YAML configuration file. The configuration file can contain just a single line if it's used to change a single setting. Multiple settings can be specified in a single config file. In this case, all those setting will be changed when the config file is applied.

Some advanced configurations can only be specified by using a configuration file.

Example 1: Applying the following configuration file enables node auto-repair and auto-upgrade for any new node pools created by node auto-provisioning:

management:
  autoRepair: true
  autoUpgrade: true

Example 2: Applying the following configuration file would change the following settings:

Sets resource limits for CPU, memory and GPU. Node auto-provisioning doesn't create a node if the combined CPU, memory, or GPU total of all node pools in the cluster exceeds the specified resource limits.
Enables node auto-repair and auto-upgrade for any new node pools created by node auto-provisioning.
Enables Secure boot and integrity monitoring for any new node pools created by node auto-provisioning.
Sets boot disk size to 100 GB for any new node pools created by node auto-provisioning.

# Set cluster-wide limits for CPU, memory, and hardware accelerators.
resourceLimits:
  - resourceType: 'cpu'
    minimum: 4
    maximum: 10
  - resourceType: 'memory'
    maximum: 64
  - resourceType: 'nvidia-tesla-t4'
    maximum: 4
# Enable automatic node repairs and upgrades for auto-created node pools.
management:
  autoRepair: true
  autoUpgrade: true
# Enable secure boot and integrity monitoring for auto-created node pools.
shieldedInstanceConfig:
  enableSecureBoot: true
  enableIntegrityMonitoring: true
# Set the boot disk size to 100 GB for auto-created node pools.
diskSizeGb: 100

To use an auto-provisioning configuration file:

Create a file with the desired configuration in a location where the gcloud CLI can access it.
Apply the configuration to your cluster by running the following command:
```
gcloud container clusters update CLUSTER_NAME \
   --location CONTROL_PLANE_LOCATION \
   --enable-autoprovisioning \
   --autoprovisioning-config-file FILE_NAME
```
Replace the following:
- CLUSTER_NAME: the name of the cluster.
- CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
- FILE_NAME: the name of the configuration file.
For more information, see the gcloud container clusters update documentation.

Auto-provisioning defaults

Node auto-provisioning looks at Pod requirements in your cluster to determine what type of nodes would best fit those Pods. However, some node pool settings are not directly specified by Pods (for example settings related to node upgrades). You can set default values for those settings, which will be applied to all newly created node pools.

Setting the default node image type

You can specify the node image type to use for all new auto-provisioned node pools using the gcloud CLI or a configuration file. This setting is only available for GKE cluster version 1.20.6-gke.1800 and later.

gcloud

To set the default node image type, run the following command:

gcloud container clusters update CLUSTER_NAME \
  --location CONTROL_PLANE_LOCATION \
  --enable-autoprovisioning \
  --autoprovisioning-image-type IMAGE_TYPE

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
IMAGE_TYPE: the node image type, which can be one of the following:
- cos_containerd: Container-Optimized OS with containerd.
- ubuntu_containerd: Ubuntu with containerd.

YAML

For all new auto-provisioned node pools, you can specify the node image type to use by using a configuration file. The following YAML configuration specifies that for new auto-provisioned node pools, the image type is cos_containerd, and has associated resource limits for CPU and memory. You must specify maximum values for CPU and memory to enable auto-provisioning.

Save the YAML configuration:

resourceLimits:
  - resourceType: 'cpu'
    minimum: 4
    maximum: 10
  - resourceType: 'memory'
    maximum: 64
# Set the default node image type to Container-Optimized OS
# with containerd, which is also the default GKE node
# image.
imageType: 'cos_containerd'

Apply the configuration:
```
gcloud container clusters update CLUSTER_NAME \
  --location CONTROL_PLANE_LOCATION \
  --enable-autoprovisioning \
  --autoprovisioning-config-file FILE_NAME
```
Replace the following:
- CLUSTER_NAME: the name of the cluster.
- CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
- FILE_NAME: the name of the configuration file.

Setting identity defaults for auto-provisioned node pools

Permissions for Google Cloud resources are provided by identities.

You can specify the default identity (either a service account or one or more scopes) for new auto-provisioned node pools using the gcloud CLI or through a configuration file.

gcloud

To specify the default IAM service account used by node auto-provisioning, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --autoprovisioning-service-account=SERVICE_ACCOUNT

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
SERVICE_ACCOUNT: the name of the default service account.

The following example sets test-service-account@google.com as the default service account on the dev-cluster cluster:

gcloud container clusters update dev-cluster \
    --location us-central1 \
    --enable-autoprovisioning \
    --autoprovisioning-service-account=test-service-account@google.com

To specify the default scopes used by node auto-provisioning, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --autoprovisioning-scopes=SCOPE

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
SCOPE: the Google Cloud scopes used by auto-provisioned node pools. To specify multiple scopes, separate the scopes by a comma (for example, SCOPE1, SCOPE2,...).

The following example sets the default scope on the dev-cluster cluster to devstorage.read_only:

gcloud container clusters update dev-cluster \
    --location us-central1 \
    --enable-autoprovisioning \
    --autoprovisioning-scopes=https://www.googleapis.com/auth/pubsub,https://www.googleapis.com/auth/devstorage.read_only

YAML

You can specify identity default used by node auto-provisioning by using a configuration file. The following YAML configuration sets IAM service account:

  serviceAccount: SERVICE_ACCOUNT

Replace SERVICE_ACCOUNT with the name of the default service account.

Alternatively, you can use the following YAML configuration to specify default scopes used by node auto-provisioning:

  scopes: SCOPE

Replace SCOPE with the Google Cloud scope used by auto-provisioned node pools. To specify multiple scopes, separate the scopes by a comma (for example, SCOPE1, SCOPE2,...).

To use an auto-provisioning configuration file:

Create a configuration file specifying identity defaults in a location where the gcloud CLI can access it.

Apply the configuration to your cluster by running the following command:

gcloud container clusters update CLUSTER_NAME \
   --location CONTROL_PLANE_LOCATION \
   --enable-autoprovisioning \
   --autoprovisioning-config-file FILE_NAME

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
FILE_NAME: the name of the configuration file.

Customer-managed encryption keys (CMEK)

You can specify Customer Managed Encryption Keys (CMEK) used by new auto-provisioned node pools.

You can enable customer-managed encryption for boot drives by using a configuration file. The following YAML configuration sets the CMEK key:

  bootDiskKmsKey: projects/KEY_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING/cryptoKeys/KEY_NAME

Replace the following:

KEY_PROJECT_ID: your key project ID.
LOCATION: the location of your key ring.
KEY_RING: the name of your key ring.
KEY_NAME: the name of your key.

To use an auto-provisioning configuration file:

Create a configuration file specifying a CMEK key in a location where the gcloud CLI can access it.
Apply the configuration to your cluster by running the following command:
```
gcloud container clusters update CLUSTER_NAME \
   --location CONTROL_PLANE_LOCATION \
   --enable-autoprovisioning \
   --autoprovisioning-config-file FILE_NAME
```
Replace the following:
- CLUSTER_NAME: the name of the cluster.
- CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
- FILE_NAME: the name of the configuration file.

Node integrity

Node auto-provisioning supports creating node pools with Secure Boot and Integrity Monitoring enabled.

You can enable Secure Boot and Integrity Monitoring by using a configuration file. The following YAML configuration enables Secure Boot and disables Integrity Monitoring:

  shieldedInstanceConfig:
    enableSecureBoot: true
    enableIntegrityMonitoring: false

To use an auto-provisioning configuration file:

Copy the configuration above to a file in a location where the gcloud CLI can access it. Edit the values for enableSecureBoot and enableIntegrityMonitoring. Save the file.
Apply the configuration to your cluster by running the following command:
```
gcloud container clusters update CLUSTER_NAME \
   --location CONTROL_PLANE_LOCATION \
   --enable-autoprovisioning \
   --autoprovisioning-config-file FILE_NAME
```
Replace the following:
- CLUSTER_NAME: the name of the cluster.
- CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
- FILE_NAME: the name of the configuration file.

Node auto-repair and auto-upgrade

Node auto-provisioning supports creating node pools with node auto-repair and node auto-upgrade enabled.

gcloud

To enable auto-repair and auto-upgrade for all new auto-provisioned node pools, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --enable-autoprovisioning-autorepair \
    --enable-autoprovisioning-autoupgrade

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.

To disable auto-repair and auto-upgrade for all new auto-provisioned node pools, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --no-enable-autoprovisioning-autorepair \
    --no-enable-autoprovisioning-autoupgrade

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.

YAML

You can enable or disable node auto-repair and auto-upgrade by using a configuration file. The following YAML configuration enables auto-repair and disables auto-upgrade:

  management:
    autoRepair: true
    autoUpgrade: false

To use an auto-provisioning configuration file:

Copy the configuration above to a file in a location where the gcloud CLI can access it. Edit the values for autoUpgrade and autoRepair. Save the file.
Apply the configuration to your cluster by running the following command:

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --autoprovisioning-config-file FILE_NAME

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
FILE_NAME: the name of the configuration file.

Use surge upgrades for new auto-provisioned node pools

You can specify surge upgrade settings on all new auto-provisioned node pools by using the gcloud CLI or a configuration file. By default, GKE sets the node upgrade strategy to surge upgrades.

gcloud

To specify surge upgrade settings for all new auto-provisioned node pools, run the following command:

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --autoprovisioning-max-surge-upgrade MAX_SURGE \
    --autoprovisioning-max-unavailable-upgrade MAX_UNAVAILABLE

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
MAX_SURGE: the maximum number of nodes that can be added to the node pool during upgrades.
MAX_UNAVAILABLE: the maximum number of nodes in the node pool that can be simultaneously unavailable during upgrades.

YAML

You can specify surge upgrade settings for all new auto-provisioned node pools by using a configuration file like the following:

  upgradeSettings:
    maxSurgeUpgrade: 1
    maxUnavailableUpgrade: 2

To use an auto-provisioning configuration file:

Copy the configuration above to a file in a location where gcloud can access it. Edit the values for maxSurgeUpgrade and maxUnavailableUpgrade. Save the file.
Apply the configuration to your cluster by running the following command:

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --autoprovisioning-config-file FILE_NAME

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
FILE_NAME: the name of the configuration file.

For more information, see the gcloud container clusters update documentation.

To switch back to using surge upgrades for new auto-provisioned node pools, run the following command:

gcloud container clusters update CLUSTER_NAME \
  --location CONTROL_PLANE_LOCATION \
  --enable-autoprovisioning \
  --enable-autoprovisioning-surge-upgrade

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.

You can optionally include the flags for specific settings as in the previous commands. GKE reuses your previous configuration for the upgrade strategy, if it was set.

Use blue-green upgrades for new auto-provisioned node pools

You can use blue-green upgrades for all new auto-provisioned node pools by using the gcloud CLI. With blue-green upgrades, you can use the default settings, or tune it to optimize for your environment. To learn more about blue-green upgrades, see Blue-green upgrades.

To update the node upgrade strategy for any existing auto-provisioned node pool, see Turn on or off surge upgrade for an existing node pool and Updating an existing node pool blue-green upgrade strategy.

The following variables are used in the commands listed below:

CLUSTER_NAME: the name of the cluster for the node pool.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
COMPUTE_ZONE: the zone for the cluster.
NODE_POOL_NAME: the name of the node pool.
NUMBER_NODES: the number of nodes in the node pool in each of the cluster's zones.
BATCH_NODE_COUNT: the number of blue nodes to drain in a batch during the blue pool drain phase. Default is one. If it is set to zero, the blue pool drain phase will be skipped.
BATCH_PERCENT: the percentage of blue nodes to drain in a batch during the blue pool drain phase. Must be in the range of [0.0, 1.0].
BATCH_SOAK_DURATION: the duration in seconds to wait after each batch drain. Default is zero.
NODE_POOL_SOAK_DURATION: the duration in seconds to wait after completing drain of all batches. Default is 3600 seconds.

The default settings for blue-green upgrades are:

BATCH_NODE_COUNT = 1
BATCH_SOAK_DURATION = 0 seconds
NODE_POOL_SOAK_DURATION = 3600 seconds (1 hour)

Update a cluster to use blue-green upgrades for new auto-provisioned node pools

The following commands use gcloud container clusters update to update the node upgrade strategy for new auto-provisioned node pools.

You can also use these flags when:

using the gcloud container clusters create command to create a cluster with node auto-provisioning enabled.
using the gcoud container clusters update command to enable node auto-provisioning.

To update a cluster to use blue-green upgrades with default settings for new auto-provisioned node pools, use this command:

gcloud container clusters update CLUSTER_NAME \
  --location CONTROL_PLANE_LOCATION \
  --enable-autoprovisioning \
  --enable-autoprovisioning-blue-green-upgrade

You can update a cluster to use blue-green upgrades with specific settings for new auto-provisioned node pools. These commands can also be used without the --enable-autoprovisioning-blue-green-upgrade flag to update the settings.

The following command uses BATCH_NODE_COUNT to set an absolute node count batch size:

gcloud container clusters update CLUSTER_NAME \
  --location CONTROL_PLANE_LOCATION \
  --enable-autoprovisioning \
  --enable-autoprovisioning-blue-green-upgrade \
  --autoprovisioning-node-pool-soak-duration=NODE_POOL_SOAK_DURATION \
  --autoprovisioning-standard-rollout-policy=batch-node-count=BATCH_NODE_COUNT,batch-soak-duration=BATCH_SOAK_DURATION

You can also use BATCH_PERCENT to set a percentage-based batch size, replacing batch-node-count in the last command with batch-percent and using a decimal between 0 and 1 (e.g. 25% is 0.25). To see how percentage-based batch sizes are set, see Update a node pool with blue/green upgrade using percentage-based batch sizes.

Custom boot disks

Node auto-provisioning supports creating node pools with Custom boot disks.

You can customize boot disk setting using a configuration file. GKE reserves a portion of the node boot disk for the kubelet functions. For more information, see Ephemeral storage backed by node boot disk.

The following YAML configuration causes node auto-provisioning to create node pools with 100 GB SSD disks:

  diskSizeGb: 100
  diskType: pd-ssd

Specify the following:

diskSizeGb: the size of the disk, specified in GB.
diskType: the type of disk, which can be one of the following values:
- pd-balanced (default)
- pd-standard
- pd-ssd. In GKE version 1.22 and earlier, if you specify pd-ssd, node auto-provisioning only considers N1 machine types when creating node pools.

To use an auto-provisioning configuration file:

Create a file with desired boot disk configuration in a location where the gcloud CLI can access it.
Apply the configuration to your cluster by running the following command:
```
gcloud container clusters update CLUSTER_NAME \
   --location CONTROL_PLANE_LOCATION \
   --enable-autoprovisioning \
   --autoprovisioning-config-file FILE_NAME
```
Replace the following:
- CLUSTER_NAME: the name of the cluster.
- CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
- FILE_NAME: the name of the configuration file.

Separate GKE-managed Pods from your workloads

As a cluster administrator, you might want to separate Pods that GKE manages from your workloads. This separation helps to avoid scale-down issues if there are underutilized nodes in the cluster that have system Pods running.

The following example shows how you can separate managed Pods from your workloads by using a combination of node auto-provisioning and Kubernetes taints and tolerations.

Create a node pool of e2-standard-2 VMs and apply a node taint that only lets GKE system workloads run on those nodes:
```
gcloud container node-pools create NODE_POOL_NAME \
    --cluster=CLUSTER_NAME \
    --location=CONTROL_PLANE_LOCATION \
    --machine-type=e2-standard-2 \
    --node-taints=components.gke.io/gke-managed-components=true:NoSchedule
```
Replace the following:
- NODE_POOL_NAME: the name you choose for your node pool.
- CLUSTER_NAME: the name of the cluster.
- CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.

Enable node auto-provisioning for your cluster:

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --min-cpu 1 \
    --min-memory 1 \
    --max-cpu 10 \
    --max-memory 64

Your cluster is able to scale between a total cluster size of 1 CPU and 1 gigabyte of memory to a maximum of 10 CPU and 64 gigabytes of memory.

Test this configuration by saving the following sample manifest as nginx.yaml:

apiVersion: v1
kind: Pod
metadata:
  name: nginx
  labels:
    env: test
spec:
  containers:
  - name: nginx
    image: nginx
    imagePullPolicy: IfNotPresent
  # Allow this Pod to run on nodes that have a dedicated: ui-team taint.
  tolerations:
  - key: dedicated
    operator: Equal
    value: ui-team
    # The NoSchedule effect prevents Pods that don't have this toleration from
    # running on the nodes.
    effect: NoSchedule
  nodeSelector:
    # Run this Pod only on nodes that have the dedicated: ui-team node label.
    dedicated: ui-team

This manifest deploys a test workload Pod in the cluster with a nodeSelector label and node taint of dedicated: ui-team. Without node auto-provisioning, this workload Pod cannot be scheduled since no node pool has the proper label and taints.

Apply the manifest to the cluster:
```
kubectl apply -f nginx.yaml
```
The output is similar to the following:
```
pod/nginx created
```

See the new node pool that fits the ui-team label:

kubectl get node --selector=dedicated=ui-team

The output is similar to the following:

NAME                                            STATUS   ROLES    AGE   VERSION
gke-test-nap-e2-medium-14b723z1-19f89fa8-jmhr   Ready    <none>   14s   v1.21.11-gke.900

Your cluster separates your workloads from managed GKE Pods.

Limit the run time of auto-provisioned nodes

In GKE version 1.31.2-gke.1518000 and later, you can limit the run time of auto-provisioned nodes using the cloud.google.com/gke-max-run-duration-seconds node selector. Add the following field to your manifest:

spec:
  nodeSelector:
    cloud.google.com/gke-max-run-duration-seconds: "MAX_RUN_DURATION"

Replace MAX_RUN_DURATION with the duration, in seconds, you want the auto-provisioned node to run before being automatically terminated. To learn about restrictions, see MaxRunDuration Restrictions.

Use accelerators for new auto-provisioned node pools

You can enable node auto-provisioning and configure GKE to provision GPU or Cloud TPU accelerators automatically to ensure the capacity required to schedule AI/ML workloads.

Configuring GPU limits

When using node auto-provisioning with GPUs, you must set the maximum limit for each GPU type in the cluster by using the gcloud CLI or the Google Cloud console. The GPU limit count is the maximum number of GPUs. For example, a VM with 16 GPUs counts as 16 not 1 for the purpose of this limit. To configure multiple types of GPU, you must use a configuration file.

To list the available resourceTypes, run gcloud compute accelerator-types list.

gcloud

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --max-cpu MAXIMUM_CPU \
    --max-memory MAXIMUM_MEMORY \
    --min-accelerator type=GPU_TYPE,count=MINIMUM_ACCELERATOR \
    --max-accelerator type=GPU_TYPE,count=MAXIMUM_ACCELERATOR

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
MAXIMUM_CPU: the maximum number of cores in the cluster.
MAXIMUM_MEMORY: the maximum number of gigabytes of memory in the cluster.
GPU_TYPE: the GPU type.
MINIMUM_ACCELERATOR: the minimum number of GPU accelerators in the cluster.
MAXIMUM_ACCELERATOR: the maximum number of GPU accelerators in the cluster.

The following example sets the GPU limits for the nvidia-tesla-t4 GPU accelerator type in the dev-cluster cluster:

gcloud container clusters update dev-cluster \
    --location us-central1 \
    --enable-autoprovisioning \
    --max-cpu 10 \
    --max-memory 64 \
    --min-accelerator type=nvidia-tesla-t4,count=1 \
    --max-accelerator type=nvidia-tesla-t4,count=4

YAML

You can load limits for multiple types of GPU by using a configuration file. The following YAML configuration configures two different types of GPUs:

  resourceLimits:
    - resourceType: 'cpu'
      minimum: 4
      maximum: 10
    - resourceType: 'memory'
      maximum: 64
    # Limit the number of T4 GPUs in the cluster to 4.
    - resourceType: 'nvidia-tesla-t4'
      maximum: 4
    # Limit the number of V100 GPUs in the cluster to 2.
    - resourceType: 'nvidia-tesla-v100'
      maximum: 2

To use an auto-provisioning configuration file:

Copy the configuration above to a file in a location where the gcloud CLI can access it. Edit the values for cpu and memory. Add as many values for resourceType as you need. Save the file.
Apply the configuration to your cluster by running the following command:

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --autoprovisioning-config-file FILE_NAME

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
FILE_NAME: the name of the configuration file.

For more information, see the gcloud container clusters update documentation.

Console

To enable node auto-provisioning with GPU resources, perform the following steps:

Go to the Google Kubernetes Engine page in Google Cloud console.

Go to Google Kubernetes Engine
Click the name of the cluster.
In the Automation section, for Node auto-provisioning, click Edit.
Select the Enable node auto-provisioning checkbox.
Set the minimum and maximum CPU and memory usage for the cluster.
Click Add resource.
Select the type of GPU (for example, NVIDIA T4) you want to add. Set the minimum and maximum number of GPUs to add to the cluster.
Accept the limitations of GPUs in GKE.
Click Save changes.

Choose a driver version to install

In GKE version 1.29.2-gke.1108000 and later, you can select a GPU driver version for GKE to automatically install in auto-provisioned GPU nodes. Add the following field to your manifest:

spec:
  nodeSelector:
    cloud.google.com/gke-gpu-driver-version: "DRIVER_VERSION"

Replace DRIVER_VERSION with one of the following values:

default - the default, stable driver for your node GKE version. If you omit the nodeSelector in your manifest, this is the default option.
latest - the latest available driver version for your node GKE version.

Configuring Cloud TPUs

If you are using node auto-provisioning for one or multiple TPU resources, you must configure the TPU limits. To learn more about how node auto-provisioning works with TPUs, see Supported machine learning accelerators.

Configure your Pods to use TPU resources by using the gcloud CLI. To configure multiple types of TPU, you must use a configuration file.

gcloud

Update your cluster and define the TPU limits:
```
gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    [--min-cpu  MINIMUM_CPU ] \
    --max-cpu MAXIMUM_CPU \
    [--min-memory MINIMUM_MEMORY ] \
    --max-memory MAXIMUM_MEMORY \
    --min-accelerator=type=TPU_TYPE,count= MINIMUM_ACCELERATOR  \
    --max-accelerator=type=TPU_TYPE,count= MAXIMUM_ACCELERATOR
```
Replace the following:
- CLUSTER_NAME: the name of the cluster.
- CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
- MINIMUM_CPU: the minimum number of vCPUs in the cluster.
- MAXIMUM_CPU: the maximum number of vCPUs in the cluster.
- MINIMUM_MEMORY:the minimum number of gigabytes of memory in the cluster.
- MAXIMUM_MEMORY: the maximum number of gigabytes of memory in the cluster.
- TPU_TYPE: the type of TPU you choose:
  - To select TPU v4, use tpu-v4-podslice.
  - To select TPU v5e with a machine type that begins with ct5lp-, use tpu-v5-lite-podslice.
  - To select TPU v5p with a machine type that begins with ct5p-, use tpu-v5p-slice.
  - To select TPU Trillium, use tpu-v6e-slice.
- MINIMUM_ACCELERATOR: the minimum number of TPU chips in the cluster.
  - Note that using MINIMUM_ACCELERATOR might block scale down of multi-host TPU slices even if count is smaller than the number of TPU chips in the slice.
- MAXIMUM_ACCELERATOR: the maximum number of TPU chips in the cluster.
  - If the Pod configuration requests a multi-host TPU slice, GKE creates such slice atomically. Set the count value high enough to allow the provisioning of all TPU chips of the specified topology. The number of chips in each TPU slice equals the product of the topology. For example, if the topology of the multi-host TPU slice is 2x2x2, the number of TPU chips equals 8, therefore the MAXIMUM_ACCELERATOR must be higher than 8.
The following example sets the TPU limits for the ct5lp-hightpu-1t, ct5lp-hightpu-4t, and ct5lp-hightpu-8t machine types in the dev-cluster cluster. For example, up to ten ct5lp-hightpu-4t machines could be provisioned, each with 4 TPU chips, 112 vCPU, and 192 GiB of memory.
```
gcloud container clusters update dev-cluster-inference \
      --location us-central1 \
      --enable-autoprovisioning \
      --min-cpu 0 \
      --max-cpu 1120 \
      --min-memory 0 \
      --max-memory 1920 \
      --min-accelerator=type=tpu-v5-lite-podslice,count=0 \
      --max-accelerator=type=tpu-v5-lite-podslice,count=40
```
Create a Deployment specification that results in a Pod requesting TPU resources. For example, the following manifest will cause GKE to provision four ct5lp-hightpu-4t nodes:
```
apiVersion: apps/v1
kind: Deployment
metadata:
  name: tpu-workload
  labels:
    app: tpu-workload
spec:
  replicas: 4
  selector:
    matchLabels:
      app: nginx-tpu
  template:
    metadata:
      labels:
        app: nginx-tpu
    spec:
      nodeSelector:
        # Request a TPU type and topology.
        cloud.google.com/gke-tpu-accelerator: tpu-v5-lite-podslice
        cloud.google.com/gke-tpu-topology:  2x2
        # Request resources from a specific capacity reservation.
        cloud.google.com/reservation-name: my-reservation
      containers:
      - name: nginx
        image: nginx:1.14.2
        # Request a specific number of TPU chips for each node.
        resources:
          requests:
            google.com/tpu: 4
          limits:
            google.com/tpu: 4
        ports:
        - containerPort: 80
```
In the nodeSelector field, you define the TPU type, TPU topology, and accelerator count, where:
- cloud.google.com/gke-tpu-accelerator: defines the TPU type, for example, tpu-v4-podslice.
- cloud.google.com/gke-tpu-topology: defines the TPU topology, for example, 2x2x1 or 4x4x8.
- limits: google.com/tpu: defines the number of TPU chips per node.
Optionally, you can configure the following fields in the nodeSelector:
- TPU reservation: to consume an existing reservation with your workload, specify the name of the reservation in cloud.google.com/reservation-name.
- Collection schedulling: to create a collection with node auto-provisioning, include the following values based on the type of node pool that you request:
  - Single-host TPU slice node pool: cloud.google.com/gke-workload-type: HIGH_AVAILABILITY.
  - Multi-host TPU slice node pool: cloud.google.com/gke-nodepool-group-name: COLLECTION_NAME, cloud.google.com/gke-workload-type: HIGH_AVAILABILITY. Replace the COLLECTION_NAME value with the name of the collection. This value must adhere to the requirements for cluster labels.

YAML

You can assign limits for multiple types of TPUs by using a configuration file. The following YAML configuration configures two different types of TPUs:

  resourceLimits:
    - resourceType: 'cpu'
      maximum: 10000
    - resourceType: 'memory'
      maximum: 10000
    # Limit the number of TPU v4 chips in the cluster to 32.
    - resourceType: 'tpu-v4-podslice'
      maximum: 32
    # Limit the number of TPU v5 chips in the cluster to 64.
    - resourceType: 'tpu-v5-lite'
      maximum: 64

To use an auto-provisioning configuration file:

Copy the configuration above to a file in a location where the gcloud CLI can access it. Edit the values for resourceType and maximum. Add as many values for resourceType as you need. Save the file.
Apply the configuration to your cluster by running the following command:

gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --autoprovisioning-config-file FILE_NAME

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
FILE_NAME: the name of the configuration file.

For more information, see the gcloud container clusters update documentation.

Node auto-provisioning locations

You set the zones where node auto-provisioning can create new node pools. Regional locations are not supported. Zones must belong to the same region as the cluster but are not limited to node locations defined on the cluster level. Changing node auto-provisioning locations doesn't affect any existing node pools.

To set locations where node auto-provisioning can create new node pools, use the gcloud CLI or a configuration file.

gcloud

Run the following command:

gcloud container clusters update CLUSTER_NAME \
   --location CONTROL_PLANE_LOCATION \
   --enable-autoprovisioning \
   --autoprovisioning-locations=ZONE

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
ZONE: the zone where node auto-provisioning can create new node pools. To specify multiple zones, separate the zones by a comma (for example, ZONE1, ZONE2,...).

YAML

To set locations where node auto-provisioning can create new node pools, you can use a configuration file.

Add the following YAML configuration that sets the new node pools location:

    autoprovisioningLocations:
      - ZONE

Replace ZONE with the zone where node auto-provisioning can create new node pools. To specify multiple zones, add more zones to the list. Save the file.

To use an auto-provisioning configuration file:

Create a configuration file in a location where gcloud CLI can access it.
Apply the configuration to your cluster:
```
gcloud container clusters update CLUSTER_NAME \
    --location CONTROL_PLANE_LOCATION \
    --enable-autoprovisioning \
    --autoprovisioning-config-file FILE_NAME
```
Replace the following:
- CLUSTER_NAME: the name of the cluster.
- CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.
- FILE_NAME: the path to of the configuration file.

Physically closer nodes with compact placement

Starting in GKE version 1.25, node auto-provisioning supports compact placement policy. With compact placement policy, you can instruct GKE to create node pools in closer proximity to each other within a zone.

To define a compact placement policy, add a nodeSelector to the Pod specification with the following keys:

cloud.google.com/gke-placement-group is the identifier you assign for the group of Pods that should run together, in the same compact placement group.
cloud.google.com/machine-family is the name of the machine family name. For more information, see the machine families that support compact placement.

The following example sets a compact placement policy with a placement group identifier of placement-group-1, and a machine family of c2:

apiVersion: v1
kind: Pod
metadata:
  ...
spec:
  ...
  nodeSelector:
    cloud.google.com/gke-placement-group: placement-group-1
    cloud.google.com/machine-family: c2

For more information, see learn how to define compact placement for GKE nodes.

Disabling node auto-provisioning

When you disable node auto-provisioning for a cluster, node pools are no longer auto-provisioned.

gcloud

To disable node auto-provisioning for a cluster, run the following command:

gcloud container clusters update CLUSTER_NAME \
   --location CONTROL_PLANE_LOCATION \
   --no-enable-autoprovisioning

Replace the following:

CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.

YAML

To disable node auto-provisioning using the Google Cloud console:

Go to the Google Kubernetes Engine page in Google Cloud console.

Go to Google Kubernetes Engine
Click the name of the cluster.
In the Automation section, for Node auto-provisioning, click the Edit.
Clear the Enable node auto-provisioning checkbox.
Click Save changes.

Marking a node pool as auto-provisioned

After enabling node auto-provisioning on the cluster, you can specify which node pools are auto-provisioned. An auto-provisioned node pool is automatically deleted when no workloads are using it.

To mark a node pool as auto-provisioned, run the following command:

gcloud container node-pools update NODE_POOL_NAME \
  --cluster=CLUSTER_NAME \
  --location=CONTROL_PLANE_LOCATION \
  --enable-autoprovisioning

Replace the following:

NODE_POOL_NAME: the name of the node pool.
CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.

Marking a node pool as not auto-provisioned

To mark a node pool as not auto-provisioned, run the following command:

gcloud container node-pools update NODE_POOL_NAME \
  --cluster=CLUSTER_NAME \
  --location=CONTROL_PLANE_LOCATION \
  --no-enable-autoprovisioning

Replace the following:

NODE_POOL_NAME: the name of the node pool.
CLUSTER_NAME: the name of the cluster.
CONTROL_PLANE_LOCATION: the Compute Engine location of the control plane of your cluster. Provide a region for regional clusters, or a zone for zonal clusters.

Using a custom machine family

You can choose a specific Compute Engine machine series, like n2 or t2d, for your workloads by setting one of the following fields in your manifest:

Set the node affinity with the key of cloud.google.com/machine-family, operator In, and the value being the desired machine family (for example, n2).
Add a nodeSelector with the key of cloud.google.com/machine-family and the value being the desired machine family.

Here is an example that sets the nodeAffinity to a machine family of n2:

spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          - key: cloud.google.com/machine-family
            operator: In
            values:
            - n2

After applying the changes, node auto-provisioning chooses the best node pool with a machine type within the specified machine series. If you specify multiple entries for matchExpressions, GKE arbitrarily chooses a machine series from the specified entries.

Control node attributes using a custom compute class

For more control over the attributes of your auto-provisioned node pools, create and use custom compute classes. Custom compute classes let you configure scaling behaviors like fallback priorities when choosing machine types for nodes or specific resource utilization thresholds that trigger consolidating workloads on nodes to free up unused resources. Custom compute classes are available to use in GKE version 1.30.3-gke.1451000 and later.

To learn about the capabilities of custom compute classes and how to use custom compute classes with node auto-provisioning, see About custom compute classes.

Minimum CPU platform

Node auto-provisioning supports creating node pools with a minimum CPU platform specified. You can specify the minimum CPU platform at the workload level (recommended) or at the cluster level.

Use node auto-provisioning Stay organized with collections Save and categorize content based on your preferences.

Before you begin

Limitations

Enable node auto-provisioning

gcloud

Console

Using an auto-provisioning config file

Auto-provisioning defaults

Setting the default node image type

gcloud

YAML

Setting identity defaults for auto-provisioned node pools

gcloud

YAML

Customer-managed encryption keys (CMEK)

Node integrity

Node auto-repair and auto-upgrade

gcloud

YAML

Use surge upgrades for new auto-provisioned node pools

gcloud

YAML

Use blue-green upgrades for new auto-provisioned node pools

Update a cluster to use blue-green upgrades for new auto-provisioned node pools

Custom boot disks

Separate GKE-managed Pods from your workloads

Limit the run time of auto-provisioned nodes

Use accelerators for new auto-provisioned node pools

Configuring GPU limits

gcloud

YAML

Console

Choose a driver version to install

Configuring Cloud TPUs

gcloud

YAML

Node auto-provisioning locations

gcloud

YAML

Physically closer nodes with compact placement

Disabling node auto-provisioning

gcloud

YAML

Marking a node pool as auto-provisioned

Marking a node pool as not auto-provisioned

Using a custom machine family

Control node attributes using a custom compute class

Minimum CPU platform

What's next

Use node auto-provisioning