This page explains how to create a GKE Standard cluster or node pool with Arm nodes, so that you can run Arm workloads on Google Kubernetes Engine (GKE). To learn how to deploy Arm workloads on Autopilot clusters, see Deploy Autopilot workloads on Arm architecture.
You can create clusters with Arm nodes using the C4A machine series or Tau T2A machine series. To learn more about the benefits of Arm and choose the best machine series for your workloads, see Arm VMs on Compute.
With GKE, you can create a cluster that has node pools with one architecture type (for example, Arm), or multiple architecture types (for example, Arm and x86). When you run nodes with multiple architecture types, you can deploy workloads across architectures to the same cluster.
To learn more about using Arm nodes with your GKE clusters, see Arm workloads on GKE.
Before you begin
Before you start, make sure you have performed the following tasks:
- Enable the Google Kubernetes Engine API.
- If you want to use the Google Cloud CLI for this task, install and then initialize the gcloud CLI. If you previously installed the gcloud CLI, get the latest version by running gcloud components update.
- Review the requirements and limitations for C4A and T2A nodes.
- Ensure that you have the correct permissions to create clusters. At minimum, you should be a Kubernetes Engine Cluster Admin.
Set up IAM service accounts for GKE
GKE uses IAM service accounts that are attached to your nodes to run system tasks like logging and monitoring. At a minimum, these node service accounts must have the Kubernetes Engine Default Node Service Account (roles/container.defaultNodeServiceAccount) role on your project. By default, GKE uses the Compute Engine default service account, which is automatically created in your project, as the node service account.
To grant the roles/container.defaultNodeServiceAccount role to the Compute Engine default service account, complete the following steps:
console
- Go to the Welcome page:
- In the Project number field, click Copy to clipboard.
- Go to the IAM page:
- Click Grant access.
- In the New principals field, specify the following value:
PROJECT_NUMBER-compute@developer.gserviceaccount.com
Replace PROJECT_NUMBER with the project number that you copied.
- In the Select a role menu, select the Kubernetes Engine Default Node Service Account role.
- Click Save.
gcloud
- Find your Google Cloud project number:
gcloud projects describe PROJECT_ID \
--format="value(projectNumber)"
Replace PROJECT_ID with your project ID.
The output is similar to the following:
12345678901
- Grant the roles/container.defaultNodeServiceAccount role to the Compute Engine default service account:
gcloud projects add-iam-policy-binding PROJECT_ID \
--member="serviceAccount:PROJECT_NUMBER-compute@developer.gserviceaccount.com" \
--role="roles/container.defaultNodeServiceAccount"
Replace PROJECT_NUMBER with the project number from the previous step.
Create a cluster with an Arm node pool
The following instructions explain how to create a new cluster with a node pool running Arm nodes from the C4A machine series or Tau T2A machine series.
You can use the gcloud CLI, the Google Cloud console, or Terraform to create the cluster.
gcloud
Create a new zonal cluster with the default node pool using Arm nodes:
gcloud container clusters create CLUSTER_NAME \
--zone ZONE \
--node-locations NODE_LOCATIONS \
--machine-type ARM_MACHINE_TYPE \
--num-nodes NUM_NODES
Replace the following:
- CLUSTER_NAME: the name of your new cluster with an Arm node pool.
- ZONE: the zone for your cluster, such as us-central1-a. The zone must be one of the available zones for the Arm machine series that you choose. To create a regional cluster, use the --region=REGION flag. The region must be one of the available regions for the Arm machine series that you choose.
- NODE_LOCATIONS: the zone(s) for your node pool, such as us-central1-a. You must choose from the available zones for the Arm machine series or node pool creation might fail.
- ARM_MACHINE_TYPE: one of the available C4A machine shapes or T2A machine shapes, such as c4a-standard-8 or t2a-standard-16.
- NUM_NODES: the number of nodes for your Arm node pool.
We strongly recommend that you specify a minimally-privileged IAM service account that your nodes can use instead of the Compute Engine default service account. To learn how to create a minimally-privileged service account, see Use a least privilege service account.
To specify a custom service account in the gcloud CLI, add the following flag to your command:
--service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
Replace SERVICE_ACCOUNT_NAME with the name of your minimally-privileged service account.
If you want to set additional settings for your cluster, see the gcloud container clusters create reference for a complete list of available settings on cluster creation.
Console
Go to the Google Kubernetes Engine page in the Google Cloud console.
Click Create.
Configure your cluster. For more information, see the instructions for Creating a zonal cluster, or Creating a regional cluster.
Choose a location where Arm nodes are available.
- In the Cluster basics section, under Location type, choose Zonal or Regional:
- In the drop-down menu, choose a zone or region where Arm nodes are available.
- Check the box to Specify default node locations. Select zone(s) where Arm nodes are available.
To select an Arm machine type, in the Nodes subsection, under Configure node settings > Machine configuration > Machine family, select GENERAL-PURPOSE. In the Series drop-down menu, select C4A or T2A. In the Machine type drop-down menu, choose from the available options.
- Optionally, specify a custom IAM service account for your nodes:
- In the Advanced settings page, expand the Security section.
- In the Service account menu, select your preferred service account.
We strongly recommend that you specify a minimally-privileged IAM service account that your nodes can use instead of the Compute Engine default service account. To learn how to create a minimally-privileged service account, see Use a least privilege service account.
Click Create.
Terraform
To create a zonal cluster with the default node pool using Arm nodes using Terraform, refer to the following example:
To learn more about using Terraform, see Terraform support for GKE.
Add an Arm node pool to a GKE cluster
You can add a new node pool to a GKE Standard cluster using gcloud CLI, the Google Cloud console, or Terraform.
As a best practice when creating a GKE cluster with any type of node, we recommend that you create a minimally-privileged Identity and Access Management (IAM) service account for your node pools to use instead of the Compute Engine default service account. For instructions on creating a minimally-privileged service account, refer to Hardening your cluster's security.
gcloud
Add an Arm node pool to an existing cluster:
gcloud container node-pools create NODE_POOL_NAME \
--cluster CLUSTER_NAME \
--zone ZONE \
--node-locations NODE_LOCATIONS \
--machine-type ARM_MACHINE_TYPE \
--num-nodes NUM_NODES \
--service-account SERVICE_ACCOUNT
Replace the following:
- NODE_POOL_NAME: the name of the new Arm node pool for your existing cluster.
- ZONE: the zone of the existing cluster. For a regional cluster, use the --region=REGION flag with the region of the cluster.
- CLUSTER_NAME: the name of the cluster where you want to add an Arm node pool.
- NODE_LOCATIONS: the zone(s) for your node pool, such as us-central1-a. You must choose from the available zones for the Arm machine series or node pool creation might fail.
- ARM_MACHINE_TYPE: one of the available C4A machine shapes or T2A machine shapes, such as c4a-standard-8 or t2a-standard-16.
- NUM_NODES: the number of nodes for your Arm node pool.
We strongly recommend that you specify a minimally-privileged IAM service account that your nodes can use instead of the Compute Engine default service account. To learn how to create a minimally-privileged service account, see Use a least privilege service account.
To specify a custom service account in the gcloud CLI, add the following flag to your command:
--service-account=SERVICE_ACCOUNT_NAME@PROJECT_ID.iam.gserviceaccount.com
Replace SERVICE_ACCOUNT_NAME with the name of your minimally-privileged service account.
If you want to set additional settings for your node pool, see the gcloud container node-pools create reference for a complete list of available settings on node pool creation.
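One way to check the service account recommendation above across an existing cluster, as an added example that is not part of the original page: the function reads one row per node pool and flags any pool that still runs as the Compute Engine default service account. The function name, the sample rows, and treating only the c4a- and t2a- prefixes as Arm are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: audit node pools against the node service account recommendation.
# Input on stdin is one line per node pool, "name,machineType,serviceAccount",
# as produced by:
#   gcloud container node-pools list --cluster CLUSTER_NAME --zone ZONE \
#     --format="csv[no-heading](name,config.machineType,config.serviceAccount)"

# Prints "<pool> <arch> <finding>" per pool. Returns 1 if any pool uses the
# Compute Engine default service account (or reports none), 0 otherwise.
audit_node_pools() {
  local name machine sa arch finding status=0
  while IFS=, read -r name machine sa; do
    [ -z "$name" ] && continue
    # Assumption: only the two Arm series named on this page are recognised.
    case "$machine" in
      c4a-*|t2a-*) arch="arm" ;;
      *)           arch="other" ;;
    esac
    # GKE reports "default" when no --service-account was given; the explicit
    # e-mail of the Compute Engine default account is treated the same way.
    case "$sa" in
      default|*-compute@developer.gserviceaccount.com)
        finding="DEFAULT_SA"; status=1 ;;
      "")
        finding="UNKNOWN_SA"; status=1 ;;
      *)
        finding="CUSTOM_SA" ;;
    esac
    printf '%s %s %s\n' "$name" "$arch" "$finding"
  done
  return "$status"
}

# Constructed sample rows (not real cluster output).
SAMPLE_POOLS='default-pool,e2-standard-4,default
arm-pool-a,c4a-standard-8,gke-arm-nodes@example-project.iam.gserviceaccount.com
arm-pool-b,t2a-standard-16,123456789012-compute@developer.gserviceaccount.com'

audit_node_pools <<EOF || echo "one or more node pools use the default service account"
$SAMPLE_POOLS
EOF
```

Because the function returns non-zero on any DEFAULT_SA or UNKNOWN_SA finding, it can gate a deployment pipeline when fed the live gcloud output instead of the sample rows.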
Console
To add an Arm node pool to an existing cluster, perform the following steps:
Go to the Google Kubernetes Engine page in the Google Cloud console.
In the cluster list, click the name of the cluster you want to modify.
Click Add node pool.
Configure your node pool.
Choose node locations where Arm nodes are available.
- In the Node pool details section, check the Specify node locations box.
- Select zone(s) where Arm nodes are available.
To select an Arm machine type, in the Nodes subsection, under Configure node settings > Machine configuration > Machine family, select GENERAL-PURPOSE. In the Series drop-down menu, select C4A or T2A. In the Machine type drop-down menu, choose from the available options.
In the navigation menu, click Security.
- Optionally, specify a custom IAM service account for your nodes:
- In the Advanced settings page, expand the Security section.
- In the Service account menu, select your preferred service account.
We strongly recommend that you specify a minimally-privileged IAM service account that your nodes can use instead of the Compute Engine default service account. To learn how to create a minimally-privileged service account, see Use a least privilege service account.
Click Create to add the node pool.
Terraform
To add a node pool that uses Arm nodes to an existing cluster using Terraform, refer to the following example:
Replace google_container_cluster.default.id with the name of your cluster.
To learn more about using Terraform, see Terraform support for GKE.
What's next
- Build multi-architecture images for Arm workloads
- Prepare an Arm workload for deployment
- Migrate x86 application on GKE to multi-arch with Arm