Admin cluster configuration file 1.30 and higher
This document describes the fields in the admin cluster configuration file for
Google Distributed Cloud versions 1.30 and higher.
Generating a template for your configuration file
If you used gkeadm to create your admin workstation, then gkeadm generated
a template for your admin cluster configuration file and filled in some of the
fields for you.
If you did not use gkeadm to create your admin workstation, you can use gkectl
to generate a template for your admin cluster configuration file.
To generate a template for your admin cluster configuration file, run:
gkectl create-config admin --config=OUTPUT_FILENAME --gke-on-prem-version=VERSION
Replace the following:
OUTPUT_FILENAME: a path of your choice for the generated template. If you omit
this flag, gkectl names the file admin-cluster.yaml and puts it in the current
directory.
VERSION: the Google Distributed Cloud version number. For example:
gkectl create-config admin --gke-on-prem-version=1.34.0-gke.566.
This version must be equal to or less than your gkectl version. If you omit
this flag, the generated config template is populated with values based on the
latest 1.34 patch.
Template
The generated template for version 1.34:
apiVersion: v1
kind: AdminCluster
# (Optional) A unique name for this admin cluster. This will default to a random name
# prefixed with 'gke-admin-'
name: ""
# (Required) Absolute path to a GKE bundle on disk
bundlePath: ""
# (Optional) Enable advanced cluster options
enableAdvancedCluster: true
# # (Optional/Preview) The absolute or relative path to the yaml file to use for topology
# # domains. Requires advanced cluster to be enabled
# infraConfigFilePath: ""
# # (Optional/Preview) Specify the prepared secret configuration which can be added
# # or edited only during cluster creation
# preparedSecrets:
#   # enable prepared credentials for the admin cluster; it is immutable
#   enabled: false
# (Required) vCenter configuration
vCenter:
  address: ""
  datacenter: ""
  cluster: ""
  # Resource pool to use. Specify [VSPHERE_CLUSTER_NAME]/Resources to use the default
  # resource pool
  resourcePool: ""
  # Storage policy to use for cluster VM storage and default StorageClass. Do not
  # specify it together with datastore
  storagePolicyName: ""
  # # Datastore to use for cluster VM storage and default StorageClass. Do not specify
  # # it together with storagePolicyName
  # datastore: ""
  # Provide the path to vCenter CA certificate pub key for SSL verification
  caCertPath: ""
  # The credentials to connect to vCenter
  credentials:
    # reference to external credentials file
    fileRef:
      # read credentials from this file
      path: ""
      # entry in the credential file
      entry: ""
  # (Optional) vSphere folder where cluster VMs will be located. Defaults to the
  # datacenter wide folder if unspecified.
  folder: ""
  # # (Only used in 1.16 and older versions for non-HA admin cluster) Provide the name
  # # for the persistent disk to be used by the deployment (ending in .vmdk). Any directory
  # # in the supplied path must be created before deployment. Required for non-HA admin
  # # cluster. Invalid for HA admin cluster as the path is generated automatically under
  # # the root directory "anthos" in the specified datastore.
  # dataDisk: ""
# (Required) Network configuration
network:
  # (Required when using "static" ipMode.type; or "Seesaw" loadBalancer.kind; or using
  # admin cluster HA mode) This section overrides ipMode.ipBlockFilePath values when
  # ipMode.type=static. It's also used for seesaw nodes
  hostConfig:
    # List of DNS servers
    dnsServers:
    - ""
    # List of NTP servers
    ntpServers:
    - ""
    # # List of DNS search domains
    # searchDomainsForDNS:
    # - ""
  ipMode:
    # (Required) Define what IP mode to use ("dhcp" or "static")
    type: static
    # (Required when using "static" mode) The absolute or relative path to the yaml
    # file to use for static IP allocation. Hostconfig part will be overwritten by
    # network.hostconfig if specified
    ipBlockFilePath: ""
  # (Required) The Kubernetes service CIDR range for the cluster. Must not overlap
  # with the pod CIDR range
  serviceCIDR: 10.96.232.0/24
  # (Required) The Kubernetes pod CIDR range for the cluster. Must not overlap with
  # the service CIDR range
  podCIDR: 192.168.0.0/16
  vCenter:
    # vSphere network name
    networkName: ""
  # (Required for HA admin cluster) Specify the IPs to use for control plane machines
  # for HA admin cluster.
  controlPlaneIPBlock:
    netmask: ""
    gateway: ""
    ips:
    - ip: ""
      hostname: ""
    - ip: ""
      hostname: ""
    - ip: ""
      hostname: ""
# (Required) Load balancer configuration
loadBalancer:
  # (Required) The VIPs to use for load balancing
  vips:
    # Used to connect to the Kubernetes API
    controlPlaneVIP: ""
  # (Required) Which load balancer to use "ManualLB" or "MetalLB".
  kind: MetalLB
  # # (Required when using "ManualLB" kind) Specify pre-defined nodeports
  # manualLB:
  #   # NodePort for ingress service's http (only needed for user cluster)
  #   ingressHTTPNodePort: 0
  #   # NodePort for ingress service's https (only needed for user cluster)
  #   ingressHTTPSNodePort: 0
  #   # NodePort for konnectivity server service (only needed for controlplane v1 user
  #   # cluster)
  #   konnectivityServerNodePort: 0
  #   # NodePort for control plane service (not needed for HA admin cluster or controlplane
  #   # V2 user cluster)
  #   controlPlaneNodePort: 30968
# Spread admin addon nodes and user masters across different physical hosts (requires
# at least three hosts)
antiAffinityGroups:
  # Set to false to disable DRS rule creation
  enabled: true
# Specify the admin master node configuration (default: 4 CPUs; 16384 MB memory; 3
# replicas). The replicas field has to be 3 for new admin cluster creation
adminMaster:
  cpus: 4
  memoryMB: 16384
  # How many machines of this type to deploy
  replicas: 3
  # # (Optional/Preview) Topology domains that admin cluster master nodes will be deployed
  # # to. Only 1 element is allowed. Advanced cluster must be enabled and infraConfigFilePath
  # # must be filled in admin cluster
  # topologyDomains:
  # - ""
  # # (Optional) Control plane load balancer configuration. Only supported when advanced
  # # cluster is enabled
  # controlPlaneLoadBalancer:
  #   # # (Optional) The control plane load balancer mode for advanced cluster. Possible values
  #   # # are bundled or manual. Default value is bundled for advanced cluster without topology
  #   # # domains; and is manual for advanced cluster with topology domains.
  #   # mode: ""
# # (Only used in 1.16 and older versions) Specify the addon node configuration which
# # can be added or edited only during cluster creation
# addonNode:
#   # Enable auto resize for addon node
#   autoResize:
#     # Whether to enable auto resize for master. Defaults to false.
#     enabled: false
# (Optional) Specify the proxy configuration
proxy:
  # The URL of the proxy
  url: ""
  # The domains and IP addresses excluded from proxying
  noProxy: ""
# # (Optional) Use a private registry to host GKE images
# privateRegistry:
#   # Do not include the scheme with your registry address
#   address: ""
#   credentials:
#     # reference to external credentials file
#     fileRef:
#       # read credentials from this file
#       path: ""
#       # entry in the credential file
#       entry: ""
#   # The absolute or relative path to the CA certificate for this registry
#   caCertPath: ""
# (Required): The absolute or relative path to the GCP service account key for pulling
# GKE images
componentAccessServiceAccountKeyPath: ""
# (Required) Specify which GCP project to register your GKE OnPrem cluster to
gkeConnect:
  projectID: ""
  # # (Optional) The location of the GKE Hub and Connect service where the cluster is
  # # registered to. It can be any GCP region or "global". Default to "global" when unspecified.
  # location: us-central1
  # The absolute or relative path to the key file for a GCP service account used to
  # register the cluster
  registerServiceAccountKeyPath: ""
# # (Optional) Specify if you wish to explicitly enable/disable the cloud hosted gkeonprem
# # API to enable/disable cluster lifecycle management from gcloud UI and Terraform.
# gkeOnPremAPI:
#   enabled: false
# (Required) Specify which GCP project to connect your logs and metrics to
stackdriver:
  # The project ID for logs and metrics. It should be the same with gkeconnect.projectID.
  projectID: ""
  # A GCP region where you would like to store logs and metrics for this cluster.
  clusterLocation: us-central1
  # The absolute or relative path to the key file for a GCP service account used to
  # send logs and metrics from the cluster
  serviceAccountKeyPath: ""
  # (Optional) Disable vsphere resource metrics collection from vcenter. False by
  # default
  disableVsphereResourceMetrics: false
# (Optional) Configure kubernetes apiserver audit logging
cloudAuditLogging:
  # The project ID for logs and metrics. It should be the same with gkeconnect.projectID.
  projectID: ""
  # A GCP region where you would like to store audit logs for this cluster.
  clusterLocation: us-central1
  # The absolute or relative path to the key file for a GCP service account used to
  # send audit logs from the cluster
  serviceAccountKeyPath: ""
# # (Optional/Preview) Configure backups for admin cluster. Backups will be stored under
# #/anthos-backups/.
# clusterBackup:
#   # # datastore where admin cluster backups are desired
#   # datastore: ""
# Enable auto repair for the cluster
autoRepair:
  # Whether to enable auto repair feature. Set false to disable.
  enabled: true
# # Encrypt Kubernetes secrets at rest
# secretsEncryption:
#   # Secrets Encryption Mode. Possible values are: GeneratedKey
#   mode: GeneratedKey
#   # GeneratedKey Secrets Encryption config
#   generatedKey:
#     # # key version
#     # keyVersion: 1
#     # # disable secrets encryption
#     # disabled: false
# (Optional) Specify the type of OS image; available options can be set to "ubuntu_containerd"
# "cos" "ubuntu_cgv2" or "cos_cgv2". Default is "ubuntu_containerd".
osImageType: ubuntu_cgv2
Required fields and default values
If a field is marked as Required, then the completed configuration file must
have a value filled in for the field.
If a Default value is given for a field, then the cluster will use that value
if you don't enter anything for the field. You can override a default value by
entering a value.
If a field is not marked as Required, then the field is optional. You can fill
it in if it is relevant for you, but you don't have to fill it in.
Filling in your configuration file
In your configuration file, enter field values as described in the following
sections.
enableAdvancedCluster
1.33 and higher
All new clusters are created as advanced clusters. If you include this field
in your configuration file when creating a new cluster, it must be set to true.
If you set this field to false, cluster creation is blocked.
1.31 and 1.32
Available only for new clusters Preview Optional Immutable Boolean Prepopulated: false Default: false
Set enableAdvancedCluster to true to enable advanced cluster when creating a
new cluster, or leave it false if you don't want to enable advanced cluster.
When this flag is set to true, the underlying Google Distributed Cloud software
deploys controllers that allow for a more extensible architecture. Enabling
advanced cluster gives you access to new features and capabilities, such as
topology domains.
This field is required if infraConfigFilePath is configured.
1.30 and lower
Not available.
name
Optional String Default: A random name starting with prefix "gke-admin-"
A name of your choice for the cluster.
Example:
name: "my-admin-cluster"
bundlePath
Required Mutable String
The path of your Google Distributed Cloud bundle file.
The Google Distributed Cloud full bundle file contains all of the components
in a particular release of Google Distributed Cloud. When you create an admin
workstation, it comes with a full bundle at:
vCenter.datacenter
The value you specify is relative to the root folder named /.
If your data center is in the root folder, the value is the name of the
data center.
Example:
vCenter:
  datacenter: "my-data-center"
Otherwise, the value is a relative path that includes one or more folders along
with the name of the data center.
Example:
vCenter:
  datacenter: "data-centers/data-center-1"
vCenter.cluster
Required Immutable String
The relative path of a vSphere cluster that represents the ESXi hosts where
your admin cluster VMs will run. This vSphere cluster represents a subset of
the physical ESXi hosts in your vCenter data center.
The value you specify is relative to /.../DATA_CENTER/host/ (the inventory
folder that holds compute clusters).
If your vSphere cluster is directly in the /.../DATA_CENTER/host/ folder, the
value is the name of the vSphere cluster.
Example:
vCenter:
  cluster: "my-vsphere-cluster"
Otherwise, the value is a relative path that includes one or more folders along
with the name of the vSphere cluster.
vCenter.datastore
Immutable String
The name of the vSphere datastore for cluster VM storage and the default
StorageClass.
The value you specify must be a name, not a path. Don't include any folders
in the value.
Example:
vCenter:
  datastore: "my-datastore"
You must specify a value for either vCenter.datastore or
vCenter.storagePolicyName, but not both. If you specify a value for this
field, don't specify a value for vCenter.storagePolicyName. The
vCenter.datastore field is immutable except when you set the field to an empty
string when you migrate a datastore to Storage Policy Based Management (SPBM).
vCenter.storagePolicyName
The name of the VM storage policy to use for cluster VM storage and the
default StorageClass.
You must specify a value for either vCenter.datastore or
vCenter.storagePolicyName, but not both. If you specify a value for this
field, don't specify a value for vCenter.datastore.
vCenter.caCertPath
Required Mutable String
The path of the CA certificate for your vCenter server.
vCenter.credentials.fileRef.path
Required Mutable String
The path of a credentials configuration file that holds the username and
password of your vCenter user account. The user account should have the
Administrator role or equivalent privileges. See vSphere requirements.
You can use gkectl update to update this field in an existing cluster.
network.ipMode.type
Required String
If you want your cluster nodes to get their IP address from a DHCP server,
set this to "dhcp". If you want your cluster nodes to have static IP
addresses chosen from a list that you provide, set this to "static".
In most cases you should specify "static", because you always have to provide
IP addresses for the admin cluster's control-plane nodes. DHCP is used only to
provide IP addresses in the following cases:
If enableControlplaneV2 isn't enabled in a user cluster, that user cluster's
control-plane nodes run in the admin cluster and can get their IP addresses
from DHCP.
In version 1.16 and lower, add-on nodes for non-HA admin clusters can get
their IP addresses from DHCP. In version 1.28 and higher, admin clusters
are required to be HA, and they don't have add-on nodes.
Example:
network:
  ipMode:
    type: "static"
network.ipMode.ipBlockFilePath
Required if network.ipMode.type is "static" String
The absolute or relative path of the IP block file for your cluster.
network.serviceCIDR
Required Immutable String Smallest possible range: /24 Largest possible range: /12 Prepopulated: "10.96.232.0/24"
A range of IP addresses, in CIDR format, to be used for Services in your
cluster.
Example:
network:
  serviceCIDR: "10.96.232.0/24"
network.podCIDR
Required Immutable String Smallest possible range: /18 Largest possible range: /8 Prepopulated: "192.168.0.0/16"
A range of IP addresses, in CIDR format, to be used for Pods in your
cluster.
Example:
network:
  podCIDR: "192.168.0.0/16"
The Service range must not overlap with the Pod range.
The Service and Pod ranges must not overlap with any address outside the cluster
that you want to reach from inside the cluster.
For example, suppose your Service range is 10.96.232.0/24, and your Pod range is
192.168.0.0/16. Any traffic sent from a Pod to an address in either of those
ranges will be treated as in-cluster and will not reach any destination outside
the cluster.
In particular, the Service and Pod ranges must not overlap with:
IP addresses of nodes in any cluster
IP addresses used by load balancer machines
VIPs used by control-plane nodes and load balancers
IP addresses of vCenter servers, DNS servers, and NTP servers
We recommend that your Service and Pod ranges be in the RFC 1918 address space.
Here is one reason for the recommendation to use RFC 1918 addresses. Suppose
your Pod or Service range contains external IP addresses. Any traffic sent from
a Pod to one of those external addresses will be treated as in-cluster traffic
and will not reach the external destination.
network.vCenter.networkName
The name of the vSphere network for your cluster nodes.
If infraConfigFilePath is configured, remove this field. Otherwise, this field
is required and immutable.
Example:
network:
  vCenter:
    networkName: "my-network"
If the name contains a special character, you must use an escape sequence for it:
Slash (/): %2f
Backslash (\): %5c
Percent sign (%): %25
If the network name is not unique in your data center, you can specify a full
path.
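The range rules for network.serviceCIDR and network.podCIDR, and the escape table for network.vCenter.networkName, can be checked before you run gkectl. The following Python is an added example written for this page; it is not gkectl's own validation code, and the function names, the RANGE_LIMITS table and the SAMPLE_CONFIG dict are this example's own. It takes the configuration as the dict that loading the YAML file produces (for example with yaml.safe_load), collects the control-plane node IPs, the control-plane VIP, the vCenter address and the DNS/NTP servers from that same configuration, and reports any Service or Pod range that is out of bounds, overlapping, or covering one of those addresses. The sample configuration is constructed for illustration and deliberately places a DNS server inside the Service range.

```python
"""Checks for the Service and Pod ranges in an admin cluster configuration.

Added example for this page; it is not gkectl's own validation. It applies the
rules stated above: serviceCIDR between /24 and /12, podCIDR between /18 and /8,
no overlap between the two, and neither range may contain the node IPs, the
control-plane VIP, the vCenter address or the DNS/NTP servers the cluster must
reach. Ranges outside RFC 1918 space only produce a warning. The config is the
dict that loading the YAML file produces (for example with yaml.safe_load).
"""
import ipaddress

RFC1918 = tuple(ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"))

# Field name -> (smallest allowed range, largest allowed range) as prefix lengths.
RANGE_LIMITS = {"serviceCIDR": (24, 12), "podCIDR": (18, 8)}


def _parse_range(field, cidr, problems, warnings):
    """Parse network.<field>, check its size, and return the network (None if invalid)."""
    smallest, largest = RANGE_LIMITS[field]
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        problems.append(f"network.{field}: {cidr!r} is not a valid CIDR range ({exc})")
        return None
    if net.prefixlen > smallest:
        problems.append(f"network.{field}: {net} is smaller than the smallest allowed range /{smallest}")
    if net.prefixlen < largest:
        problems.append(f"network.{field}: {net} is larger than the largest allowed range /{largest}")
    if not any(p.version == net.version and net.subnet_of(p) for p in RFC1918):
        warnings.append(f"network.{field}: {net} is outside RFC 1918 space; Pods could not reach "
                        "public addresses inside it")
    return net


def external_addresses(config):
    """Collect the addresses outside the cluster that the ranges must not cover."""
    network = config.get("network", {})
    host_config = network.get("hostConfig", {})
    candidates = [entry.get("ip") for entry in network.get("controlPlaneIPBlock", {}).get("ips", [])]
    candidates += host_config.get("dnsServers", []) + host_config.get("ntpServers", [])
    candidates.append(config.get("loadBalancer", {}).get("vips", {}).get("controlPlaneVIP"))
    candidates.append(config.get("vCenter", {}).get("address"))
    addresses = []
    for value in candidates:
        try:
            addresses.append(ipaddress.ip_address(value))
        except (ValueError, TypeError):
            pass  # empty, or a host name such as a vCenter FQDN: nothing to compare numerically
    return addresses


def validate_ranges(config):
    """Return (problems, warnings); an empty problems list means the ranges are acceptable."""
    problems, warnings = [], []
    network = config.get("network", {})
    ranges = {f: _parse_range(f, network.get(f, ""), problems, warnings) for f in RANGE_LIMITS}
    svc, pod = ranges["serviceCIDR"], ranges["podCIDR"]
    if svc is not None and pod is not None and svc.overlaps(pod):
        problems.append(f"network.serviceCIDR {svc} overlaps network.podCIDR {pod}")
    for addr in external_addresses(config):
        for field, net in ranges.items():
            if net is not None and addr in net:
                problems.append(f"network.{field} {net} contains external address {addr}; "
                                "Pods would treat it as in-cluster and never reach it")
    return problems, warnings


def escape_network_name(name):
    """Apply the escape table for network.vCenter.networkName: slash -> %2f, backslash -> %5c,
    percent sign -> %25. The percent sign is escaped first so the '%' that the other two
    replacements introduce is not escaped a second time."""
    return name.replace("%", "%25").replace("/", "%2f").replace("\\", "%5c")


# Constructed sample: the template defaults plus a DNS server placed inside the Service range.
SAMPLE_CONFIG = {
    "vCenter": {"address": "vcenter.example.local"},
    "network": {
        "hostConfig": {"dnsServers": ["10.96.232.53"], "ntpServers": ["192.0.2.123"]},
        "serviceCIDR": "10.96.232.0/24",
        "podCIDR": "192.168.0.0/16",
        "controlPlaneIPBlock": {"ips": [{"ip": "192.0.2.11"}, {"ip": "192.0.2.12"}, {"ip": "192.0.2.13"}]},
    },
    "loadBalancer": {"vips": {"controlPlaneVIP": "192.0.2.10"}},
}

if __name__ == "__main__":
    found_problems, found_warnings = validate_ranges(SAMPLE_CONFIG)
    for line in found_problems + found_warnings:
        print(line)
    print(escape_network_name("Prod/VM Network 50%"))
```

The order of the replacements in escape_network_name matters: escaping the slash first and the percent sign afterwards would turn %2f into %252f.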
infraConfigFilePath
If you add a path to infraConfigFilePath, you need to make the following
changes to your admin cluster and user cluster configuration files.
Admin cluster configuration file changes
Remove the following from your admin cluster configuration file. You
configure this information in the vSphere infrastructure configuration file
per topology domain.
vCenter: remove the entire vCenter section.
network.hostConfig: remove the entire network.hostConfig section.
network.vCenter.networkName: remove this field.
Make the following changes in your admin cluster configuration file:
network.controlPlaneIPBlock: remove the entire section. Instead,
specify the IP addresses for the admin cluster control-plane nodes in an
IP block file.
preparedSecrets: remove this field. Prepared credentials aren't supported
when topology domains is enabled.
loadBalancer.kind: set to "ManualLB". "ManualLB" is the only multi-subnet
(layer 3) load balancing option that Google Distributed Cloud offers.
User cluster configuration file changes
Remove the following from your user cluster configuration file. You
configure this information in the vSphere infrastructure configuration file
per topology domain.
vCenter: remove the entire vCenter section.
network.hostConfig: remove the entire network.hostConfig section.
network.vCenter.networkName: remove this field.
masterNode.vsphere: remove the entire section.
nodePools[i].vsphere.datastore and nodePools[i].vsphere.storagePolicyName: remove these fields.
Make the following changes in your user cluster configuration file:
network.controlPlaneIPBlock: remove the entire section. Instead,
specify the IP addresses for the user cluster control-plane nodes in an
IP block file.
preparedSecrets: remove this field. Prepared credentials aren't supported
when topology domains is enabled.
nodePools[i].vsphere.hostgroups: remove this field. VM-Host affinity isn't
supported when topology domains is enabled.
multipleNetworkInterfaces: set this field to false. Multiple network
interfaces for Pods aren't supported when topology domains is enabled.
storage.vSphereCSIDisabled: set this field to true to disable the
deployment of vSphere CSI components.
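The admin cluster changes listed above are mechanical, so they can be applied and checked by a script. The following Python is an added example for this page and not a gkectl feature; topology_domain_findings, apply_topology_domain_changes and the sample configuration are this example's own names. It works on the configuration loaded into a dict (for example with yaml.safe_load) so that it needs only the standard library: it removes vCenter, network.hostConfig, network.vCenter.networkName, network.controlPlaneIPBlock and preparedSecrets, sets loadBalancer.kind to "ManualLB", and sets enableAdvancedCluster to true because infraConfigFilePath requires it. The sample configuration is constructed and still carries the fields that have to go.

```python
"""Apply and check the admin cluster configuration changes required when
infraConfigFilePath is set (topology domains).

Added example for this page; not part of gkectl. The rules are the ones listed
above for the admin cluster configuration file. Works on a dict as produced by
loading the YAML file (for example with yaml.safe_load).
"""
import copy

# Dotted field -> why it must be removed when infraConfigFilePath is set.
REMOVE_WITH_TOPOLOGY_DOMAINS = {
    "vCenter": "configured per topology domain in the vSphere infrastructure configuration file",
    "network.hostConfig": "configured per topology domain in the vSphere infrastructure configuration file",
    "network.vCenter.networkName": "configured per topology domain in the vSphere infrastructure configuration file",
    "network.controlPlaneIPBlock": "control-plane node addresses go in an IP block file instead",
    "preparedSecrets": "prepared credentials are not supported with topology domains",
}


def _lookup(config, dotted):
    """Return the value at a dotted path, or None if any segment is missing."""
    node = config
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def _remove(config, dotted):
    """Delete the key at a dotted path if present; parents are left in place."""
    *parents, last = dotted.split(".")
    node = _lookup(config, ".".join(parents)) if parents else config
    if isinstance(node, dict):
        node.pop(last, None)


def topology_domain_findings(config):
    """List what still has to change; an empty list means the config complies."""
    if not config.get("infraConfigFilePath"):
        return []  # topology domains are not in use, so none of these rules apply
    findings = []
    if config.get("enableAdvancedCluster") is not True:
        findings.append("enableAdvancedCluster: must be true because infraConfigFilePath is set")
    for field, why in REMOVE_WITH_TOPOLOGY_DOMAINS.items():
        if _lookup(config, field) is not None:
            findings.append(f"{field}: remove; {why}")
    kind = _lookup(config, "loadBalancer.kind")
    if kind != "ManualLB":
        findings.append(f'loadBalancer.kind: must be "ManualLB" with topology domains (found {kind!r})')
    return findings


def apply_topology_domain_changes(config):
    """Return a copy of config with the required changes applied; the input is untouched."""
    updated = copy.deepcopy(config)
    if not updated.get("infraConfigFilePath"):
        return updated
    updated["enableAdvancedCluster"] = True
    for field in REMOVE_WITH_TOPOLOGY_DOMAINS:
        _remove(updated, field)
    updated.setdefault("loadBalancer", {})["kind"] = "ManualLB"
    return updated


# Constructed sample: an admin cluster config that has just had infraConfigFilePath added.
SAMPLE_CONFIG = {
    "enableAdvancedCluster": True,
    "infraConfigFilePath": "vsphere-infra-config.yaml",
    "vCenter": {"address": "vcenter.example.local", "datacenter": "dc1"},
    "network": {
        "hostConfig": {"dnsServers": ["192.0.2.53"], "ntpServers": ["192.0.2.123"]},
        "ipMode": {"type": "static", "ipBlockFilePath": "admin-ipblock.yaml"},
        "serviceCIDR": "10.96.232.0/24",
        "podCIDR": "192.168.0.0/16",
        "vCenter": {"networkName": "VM Network"},
        "controlPlaneIPBlock": {"netmask": "255.255.255.0", "gateway": "192.0.2.1", "ips": []},
    },
    "loadBalancer": {"vips": {"controlPlaneVIP": "192.0.2.10"}, "kind": "MetalLB"},
}

if __name__ == "__main__":
    for finding in topology_domain_findings(SAMPLE_CONFIG):
        print(finding)
    print(topology_domain_findings(apply_topology_domain_changes(SAMPLE_CONFIG)))
```

Run the findings function again after applying the changes and before writing the file back; the user cluster changes listed above are a separate list and are not covered here.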
loadBalancer.kind
1.31 and higher
The kind of load balancer that you can use depends on whether you will
set up the cluster to use topology domains. The cluster is assumed to use
topology domains if the infraConfigFilePath field is configured.
With topology domains: set this to "ManualLB". You must configure a
third-party load balancer (such as F5 BIG-IP or Citrix) if you want to use
topology domains.
Without topology domains: set this to "ManualLB" or "MetalLB". Use "ManualLB"
if you have a third-party load balancer or "MetalLB" for our bundled solution.
Example:
loadBalancer:
  kind: "MetalLB"
1.30
Required Immutable String Prepopulated: "MetalLB"
Set this to "ManualLB" or "MetalLB". Use "ManualLB" if you have a
third-party load balancer (such as F5 BIG-IP or Citrix) or "MetalLB" for our
bundled solution.
Note the following differences from previous versions:
In 1.30 and higher, the value "F5BigIP" isn't allowed for new admin
clusters.
In 1.28 and higher, the value "Seesaw" isn't allowed for new admin
clusters.
To enable new and advanced features, we recommend that you use "ManualLB" if
you have a third-party load balancer (such as F5 BIG-IP or Citrix) or
"MetalLB" for our bundled solution.
In versions before 1.28, this field also accepted "F5BigIP" and "Seesaw". If
you set adminMaster.replicas to 3, then you can't use the Seesaw load
balancer.
Example:
loadBalancer:
  kind: "MetalLB"
When you create user clusters using the Google Cloud console, the
gcloud CLI, or Terraform, the kind of load balancer for the admin
cluster and its user clusters must be the same. The only exception is if the
admin cluster uses Seesaw, then the user clusters can use MetalLB. If you want
your admin and user clusters to use different kinds of load balancers, you must
create user clusters using the gkectl command-line tool.
loadBalancer.manualLB
If you set loadBalancer.kind to "ManualLB", fill in this section. Otherwise,
remove this section. Immutable
loadBalancer.manualLB.ingressHTTPNodePort
Remove this field from your configuration file. It is not used in an admin
cluster.
loadBalancer.manualLB.ingressHTTPSNodePort
Remove this field from your configuration file. It is not used in an admin
cluster.
loadBalancer.manualLB.konnectivityServerNodePort
Remove this field from your configuration file. It is not used in an admin
cluster.
loadBalancer.f5BigIP
1.30 and higher
In version 1.30 and higher, the value "F5BigIP" isn't allowed for
loadBalancer.kind for new admin clusters. If the loadBalancer.f5BigIP section
is in your configuration file, remove it or comment it out.
You can still use your F5 BIG-IP load balancer with new admin clusters,
but the configuration is different. For configuration details, see Enabling
manual load balancing mode.
1.29
If you set loadBalancer.kind to "F5BigIP", fill in this section.
Otherwise, remove this section.
To enable new and advanced features, we recommend that you configure manual
load balancing for your F5 BIG-IP load balancer. To enable manual load
balancing, set loadBalancer.kind to "ManualLB" and fill in the
loadBalancer.manualLB section. For more information, see Enabling manual load
balancing mode.
If you have an existing F5 BIG-IP load balancer and the cluster configuration
uses this section, after you have upgraded to 1.29 or higher, we recommend
that you migrate to manual load balancing.
1.28 and lower
If you set loadBalancer.kind to "F5BigIP", fill in this section.
Otherwise, remove this section.
To enable new and advanced features, we recommend that you configure manual
load balancing for your F5 BIG-IP load balancer. To enable manual load
balancing, set loadBalancer.kind to "ManualLB" and fill in the
loadBalancer.manualLB section. For more information, see Enabling manual load
balancing mode.
loadBalancer.f5BigIP.address
1.30 and higher
Not allowed for new clusters Required if loadBalancer.kind = "F5BigIP" Immutable String
The address of your F5 BIG-IP load balancer. For example:
loadBalancer:
  f5BigIP:
    address: "203.0.113.2"
loadBalancer.f5BigIP.credentials.fileRef.path
1.30 and higher
Not allowed for new clusters Required if loadBalancer.kind = "F5BigIP" Mutable String
The path of a credentials configuration file that holds the username and
password of an account that Google Distributed Cloud can use to connect to
your F5 BIG-IP load balancer.
The user account must have a user role that has sufficient permissions to set
up and manage the load balancer. Either the Administrator role or the Resource
Administrator role is sufficient.
You can use gkectl update to update this field in an existing cluster.
loadBalancer.f5BigIP.snatPoolName
If you are using SNAT, the name of your SNAT pool. If you are not using
SNAT, remove this field.
Example:
loadBalancer:
  f5BigIP:
    snatPoolName: "my-snat-pool"
loadBalancer.seesaw
Don't use this section. The Seesaw load balancer is not supported for new
admin clusters in version 1.28 and higher. Instead, we recommend that you
configure the MetalLB load balancer for new admin clusters. For more
information on configuring MetalLB, see Bundled load balancing with MetalLB.
Although we still support Seesaw for non-HA admin clusters that have been
upgraded, we recommend that you migrate to MetalLB.
antiAffinityGroups.enabled
Optional Mutable Boolean Prepopulated: true
Set this to true to enable DRS rule creation. Otherwise, set this to false.
If this field is true, Google Distributed Cloud creates VMware Distributed
Resource Scheduler (DRS) anti-affinity rules for your admin cluster nodes,
causing them to be spread across at least three physical ESXi hosts in your
datacenter.
This feature requires that VMware DRS is enabled in your vSphere environment.
VMware DRS requires the vSphere Enterprise Plus license edition.
Even though the rule requires that the cluster nodes are spread across three
ESXi hosts, we strongly recommend that you have at least four ESXi hosts
available. This protects you from losing your admin cluster control plane. For
example, suppose you have only three ESXi hosts, and one of your admin cluster
control-plane nodes is on an ESXi host that fails. The DRS rule will prevent
that control-plane node from being placed on one of the remaining two ESXi
hosts, because each of them already runs one of the other control-plane nodes.
If you don't have DRS enabled, or if you don't have at least four hosts where
vSphere VMs can be scheduled, set antiAffinityGroups.enabled to false.
Note the following limitation with advanced clusters:
Version 1.31: if the enableAdvancedCluster field is true, anti-affinity rules
aren't supported on advanced clusters, and you must set
antiAffinityGroups.enabled to false.
Version 1.32 and higher: anti-affinity rules are supported on advanced
clusters.
Example:
antiAffinityGroups:
  enabled: true
adminMaster
Immutable
Configuration settings for the control-plane nodes in the admin cluster.
adminMaster.controlPlaneLoadBalancer
1.32 and higher
Optionally, include this section to specify the kind of load balancer to use
for control-plane traffic in the admin cluster. Include
adminMaster.controlPlaneLoadBalancer.mode in your configuration file if you
want to explicitly set the kind of load balancer to use rather than relying on
the default value. Additionally, you must still set loadBalancer.kind in your
configuration file even though that field is a no-op in 1.32 and higher.
adminMaster.controlPlaneLoadBalancer.mode
Optional Immutable String Default: Depends on whether the cluster uses topology domains
The kind of load balancer that you can use depends on whether you will
set up the cluster to use topology domains. The cluster is assumed to use
topology domains if the infraConfigFilePath field is configured.
With topology domains: specify "manual", which is the default value. You must
configure a third-party load balancer (such as F5 BIG-IP or Citrix) if you
want to use topology domains.
Without topology domains: specify either "manual" or "bundled". Use "manual"
if you have a third-party load balancer or "bundled" for our bundled solution,
which uses keepalived + haproxy running on the three admin cluster
control-plane nodes. The default value is "bundled".
adminMaster.memoryMB
Immutable Integer Default: 16384
The number of mebibytes of memory for each control-plane node in the admin
cluster.
Example:
adminMaster:
  memoryMB: 16384
adminMaster.replicas
1.28 and higher
Required for new clusters Immutable Integer Possible values: 3
The number of control-plane nodes in the admin cluster. In 1.28 and higher,
new admin clusters must be highly available (HA). Set this field to 3 to
create an HA admin cluster with 3 control plane nodes.
Example:
adminMaster:
  replicas: 3
1.16 and lower
Optional Immutable Integer Possible values: 1 or 3 Prepopulated: 1 Default: 1
The number of control-plane nodes in the admin cluster. Set this to 3 if you
want to create a high-availability admin cluster. Otherwise, set it to 1.
If you set this to 3, then you cannot use the Seesaw load balancer.
Example:
adminMaster:
  replicas: 3
adminMaster.topologyDomains
1.32 and higher
Preview Optional Array of strings | Allows one element or three different elements Immutable Default: vSphereInfraConfig.defaultTopologyDomain if specified in the vSphere infrastructure configuration file
An array of topology domains. If infraConfigFilePath is configured
(which indicates the cluster will use topology domains), optionally
include this field. The number of topology domains in the array determines
how the admin cluster control-plane nodes are deployed, as follows:
One element: all three admin cluster control-plane nodes will be
deployed in the specified topology domain.
Three elements: each admin cluster control-plane node will be deployed
in a different topology domain (that is, one node per topology domain).
1.31
Available for new clusters only Preview Array of strings | Allows only one element Optional Immutable Default: vSphereInfraConfig.defaultTopologyDomain if specified in the vSphere infrastructure configuration file
An array of topology domains. If infraConfigFilePath is configured
(which indicates the cluster will use topology domains), optionally
include this field. The admin cluster control-plane nodes will be deployed in
the specified topology domain.
1.30 and lower
Not available.
addonNode.autoResize.enabled
1.28 and higher
Don't include this setting in your configuration file when creating a new
cluster. Admin clusters created in version 1.28 and higher must be highly
available (HA) with three control plane nodes. In version 1.28 and higher,
HA admin clusters don't have add-on nodes.
For admin clusters created in earlier versions that still have add-on nodes,
set this to true to enable automatic resizing of the add-on nodes in the
admin cluster. Otherwise, set it to false.
To update the value of this field, use gkectl update admin.
Example:
addonNode:
  autoResize:
    enabled: true
proxy
If your network is behind a proxy server, fill in this section. Otherwise,
remove this section or leave it commented out. The proxy server you specify
here is used by the user clusters that this admin cluster manages. Immutable
proxy.url
Required if the proxy section is filled in. Immutable String
The HTTP address of your proxy server. Include the port number even if it's the
same as the scheme's default port.
Example:
proxy:
  url: "http://my-proxy.example.local:80"
The proxy server you specify here is used by your Google Distributed Cloud
clusters. Also, your admin workstation is automatically configured to use this
same proxy server unless you set the HTTPS_PROXY environment variable on your
admin workstation.
If you specify proxy.url, you must also specify proxy.noProxy.
After the proxy configuration for the admin cluster has been set, it cannot be
modified or deleted unless the cluster is rebuilt.
proxy.noProxy
Required if proxy.url is set. Immutable String
A comma-separated list of IP addresses, IP address ranges, host names,
and domain names that should not go through the proxy server. When
Google Distributed Cloud sends a request to one of these addresses, hosts, or
domains, the request is sent directly.
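Because the proxy configuration is immutable once the admin cluster exists, it is worth checking before creation which destinations would bypass the proxy under the noProxy list, and whether proxy.url carries the port the page requires. The following Python is an added example for this page, not gkectl's own logic; bypasses_proxy, proxied_destinations, proxy_findings and the sample values are this example's own. The page says what kinds of entries noProxy accepts but not how each one matches, so the matching rules are an assumption that follows the usual no_proxy convention: an IP entry matches that address, a CIDR entry matches any address inside it, a host name matches exactly, and a domain name matches the domain itself and every subdomain (a leading "." is accepted). The noProxy value and destinations are constructed.

```python
"""Decide which destinations bypass proxy.noProxy, and check the proxy section.

Added example for this page, not gkectl's own logic. The page describes
proxy.noProxy as a comma-separated list of IP addresses, IP address ranges,
host names and domain names that are reached directly. How an entry matches is
an assumption here, following the usual no_proxy convention (see the module's
functions). proxy_findings applies the two rules stated above: proxy.url must
carry an explicit port, and proxy.noProxy must be set whenever proxy.url is.
"""
import ipaddress
from urllib.parse import urlsplit


def parse_no_proxy(no_proxy):
    """Split the comma-separated value into normalized entries (lower-case, no leading dot)."""
    return [e.strip().lower().lstrip(".") for e in no_proxy.split(",") if e.strip()]


def bypasses_proxy(destination, no_proxy):
    """True if a request to destination (host name or IP literal) is sent directly."""
    dest = destination.strip().lower()
    try:
        dest_ip = ipaddress.ip_address(dest)
    except ValueError:
        dest_ip = None  # a host name rather than an IP literal
    for entry in parse_no_proxy(no_proxy):
        if dest_ip is not None:
            try:
                if dest_ip in ipaddress.ip_network(entry, strict=False):
                    return True  # assumption: IP and CIDR entries match IP literals
            except ValueError:
                pass  # a host or domain entry cannot match an IP literal
        elif dest == entry or dest.endswith("." + entry):
            return True  # assumption: a domain entry covers itself and its subdomains
    return False


def proxied_destinations(destinations, no_proxy):
    """Return the destinations that would be sent through the proxy."""
    return [d for d in destinations if not bypasses_proxy(d, no_proxy)]


def proxy_findings(config):
    """Check the proxy section of a loaded config dict; an empty list means it is consistent."""
    proxy = config.get("proxy") or {}
    url, no_proxy = proxy.get("url") or "", proxy.get("noProxy") or ""
    if not url:
        return []  # proxy section not filled in; nothing to check
    findings = []
    parsed = urlsplit(url)
    try:
        port = parsed.port
    except ValueError:
        port = None  # a non-numeric port is treated like a missing one
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        findings.append(f"proxy.url: {url!r} is not an http(s) proxy address")
    elif port is None:
        findings.append(f"proxy.url: {url!r} must include the port number, even the scheme default")
    if not no_proxy.strip():
        findings.append("proxy.noProxy: must be set when proxy.url is set")
    return findings


# Constructed sample: a noProxy value and destinations the cluster must reach directly.
SAMPLE_NO_PROXY = "10.0.0.0/8,192.0.2.7,vcenter.example.local,.corp.example.com"
SAMPLE_DIRECT = ["vcenter.example.local", "10.20.30.40", "registry.corp.example.com", "192.0.2.8"]

if __name__ == "__main__":
    print("still proxied:", proxied_destinations(SAMPLE_DIRECT, SAMPLE_NO_PROXY))
    print(proxy_findings({"proxy": {"url": "http://my-proxy.example.local", "noProxy": ""}}))
```

With the sample values, 192.0.2.8 is the one destination that would still go through the proxy, because the list names 192.0.2.7 as a single address rather than a range.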
Aprivate container
registryis a registry where access to container images is restricted to
authenticated users. Fill in this section if your user clusters need to
access workload images. When you configure the privateRegistry section, all
user clusters managed by this admin cluster will pull workload images from the
private registry that you configure here.
If you configure the privateRegistry section, when you run gkectl prepare before
cluster creation or upgrade, gkectl pushes the Google Distributed Cloud system
images to the private registry. During the cluster creation or upgrade,
system images are pulled from the private registry. If you don't configure the
privateRegistry section, system images are pulled from gcr.io/gke-on-prem-release
using the component access service account.
You might want to configure the privateRegistry section so that clusters pull
system images from the private registry instead of gcr.io/gke-on-prem-release
in the following cases:
You need to minimize connections to Google Cloud because of security concerns
or regulatory requirements.
Your organization requires outbound traffic to pass through a proxy server,
and the network speed to connect to Google Cloud is slow.
privateRegistry.address
The IP address or FQDN (Fully Qualified Domain Name) of the machine that runs
your private registry.
Examples:
privateRegistry:
  address: "203.0.113.10"
privateRegistry:
  address: "fqdn.example.com"
privateRegistry.credentials.fileRef.path
Required for private registry Mutable String
The path of a credentials configuration file that holds the username and password of an account that Google Distributed Cloud
can use to access your private registry.
privateRegistry.caCertPath
When the container runtime pulls an image from your private registry, the
registry must prove its identity by presenting a certificate. The registry's
certificate is signed by a certificate authority (CA). The container runtime
uses the CA's certificate to validate the registry's certificate.
Set this field to the path of the CA's certificate.
gkeConnect
When you fill in the gkeConnect section, the admin cluster is automatically
registered to a fleet after it is
created. This section holds information about the Google Cloud project and service
account needed to register the cluster.
During cluster creation or update, several RBAC policies are
configured on the admin cluster. These RBAC policies are needed so that you can
create user clusters in the Google Cloud console.
gkeConnect.projectID
Required Immutable String
The ID of your fleet host project.
For new clusters, this project ID must be the same as the ID set in stackdriver.projectID and cloudAuditLogging.projectID. If the project IDs
aren't the same, cluster creation fails. This requirement isn't applied to
existing clusters.
Example:
gkeConnect:
  projectID: "my-fleet-host-project"
gkeConnect.location
Optional Immutable String Default: global
Each cluster's fleet membership is managed by the Fleet service
(gkehub.googleapis.com) and the Connect service
(gkeconnect.googleapis.com). The location of the services can be global
or regional. In 1.28 and later, you can optionally specify the Google Cloud
region in which the Fleet and the Connect services run. If not specified,
the global instances of the services are used. Note the following:
Admin clusters created prior to 1.28 are managed by the global Fleet and
Connect services.
For new clusters, if you include this field, the region that you specify must
be the same as the region configured in cloudAuditLogging.clusterLocation, stackdriver.clusterLocation, and gkeOnPremAPI.location. If the regions
aren't the same, cluster creation fails.
gkeOnPremAPI
In 1.16 and later, if the GKE On-Prem API is enabled in your
Google Cloud project, all clusters in the project are enrolled in the GKE On-Prem API automatically in the region configured in stackdriver.clusterLocation.
If you want to enroll all clusters in the project in the GKE On-Prem API,
be sure to do the steps in Before you begin to
activate and use the GKE On-Prem API in the project.
If you don't want to enroll the cluster in the GKE On-Prem API, include
this section and set gkeOnPremAPI.enabled to false. If you don't
want to enroll any clusters in the project, disable gkeonprem.googleapis.com (the service name for the GKE On-Prem API)
in the project. For instructions, see Disabling services.
Enrolling your admin cluster in the GKE On-Prem API lets you use standard
tools—the Google Cloud console, the Google Cloud CLI, or Terraform—to upgrade
user clusters that the admin cluster manages. Enrolling your cluster also lets
you run gcloud commands to get information about your clusters.
After you add this section and create or update the admin cluster, if
subsequently you remove the section and update the cluster, the update will
fail.
gkeOnPremAPI.enabled
Required if the gkeOnPremAPI section is included. Mutable Boolean Default: true
By default, the cluster is enrolled in the GKE On-Prem API if the
GKE On-Prem API is enabled in your project. Set to false if you
don't want to enroll the cluster.
After the cluster is enrolled in the GKE On-Prem API, if you need to
unenroll the cluster, make the following change and then update the cluster:
gkeOnPremAPI:
  enabled: false
gkeOnPremAPI.location
The Google Cloud region where the GKE On-Prem API runs and stores
cluster metadata. Choose one of the supported regions.
You must use the same region that is configured in cloudAuditLogging.clusterLocation, gkeConnect.location,
and stackdriver.clusterLocation. If gkeOnPremAPI.enabled is false,
don't include this field.
stackdriver
This section is required by default. That is, if you don't include this section,
you must include the --skip-validation-stackdriver flag when you run gkectl create admin.
stackdriver.projectID
Required for Logging and Monitoring Immutable String
The ID of your fleet host project.
For new clusters, this project ID must be the same as the ID set in gkeConnect.projectID and cloudAuditLogging.projectID. If the project IDs
aren't the same, cluster creation fails. This requirement isn't applied to
existing clusters.
If needed, you can configure a log router in this project to route logs into
log buckets in another project. For information on how to configure the log
router, see Supported destinations.
Example:
stackdriver:
  projectID: "my-fleet-host-project"
stackdriver.clusterLocation
Required for Logging and Monitoring Immutable String Prepopulated: "us-central1"
The Google Cloud region where you want to route and store
Cloud Monitoring metrics. We recommend that you choose a region that's near
your on-premises data center.
You specify the Cloud Logging logs routing and storage location in the
Log Router configuration. For more information about logs routing, see Routing and storage overview.
The Stackdriver Operator (stackdriver-operator) attaches the value from this
field to each log entry and metric before they're routed to Google Cloud. These
attached labels can be useful for filtering your logs and metrics in the
Logs Explorer and Metrics Explorer respectively.
For new clusters, if you include the gkeOnPremAPI and cloudAuditLogging sections in the configuration file, the region that you set here must be
the same region that you set in cloudAuditLogging.clusterLocation, gkeConnect.location, and gkeOnPremAPI.location. If the regions aren't
the same, cluster creation fails.
Example:
stackdriver:
  clusterLocation: "us-central1"
stackdriver.enableVPC
Optional Immutable Boolean Prepopulated: false
If your cluster's network is controlled by a VPC, set this to true.
This ensures that all telemetry flows through Google's restricted IP addresses.
Otherwise, set this to false.
Example:
stackdriver:
  enableVPC: false
stackdriver.serviceAccountKeyPath
Required for Logging and Monitoring Mutable String
The path of the JSON key file for your logging-monitoring service account.
If you will be creating the cluster with enableAdvancedCluster set to true (which is required for setting up topology domains),
then stackdriver.serviceAccountKeyPath must be the same as cloudAuditLogging.serviceAccountKeyPath.
cloudAuditLogging
If you want to integrate the audit logs from your cluster's Kubernetes API
server with Cloud Audit Logs, fill in this section. Otherwise, remove this
section or leave it commented out. Mutable
cloudAuditLogging.projectID
The ID of your fleet host project.
For new clusters, this project ID must be the same as the ID set in gkeConnect.projectID and stackdriver.projectID. If the project IDs
aren't the same, cluster creation fails. This requirement isn't applied to
existing clusters.
If needed, you can configure a log router in this project to route logs into
log buckets in another project. For information on how to configure the log
router, see Supported destinations.
cloudAuditLogging.clusterLocation
The Google Cloud region where you want to store audit logs. It is
a good idea to choose a region that is near your on-premises data center.
For new clusters, if you include the gkeOnPremAPI and stackdriver sections in the configuration file, the region that you set here must be
the same region that you set in gkeConnect.location, gkeOnPremAPI.location,
and stackdriver.clusterLocation. If the regions aren't the same, cluster
creation fails.
Example:
cloudAuditLogging:
  clusterLocation: "us-central1"
cloudAuditLogging.serviceAccountKeyPath
Required for Cloud Audit Logs Mutable String
The path of the JSON key file for your audit-logging service account.
If you will be creating the cluster with enableAdvancedCluster set to true (which is required for setting up topology domains),
then cloudAuditLogging.serviceAccountKeyPath must be the same as stackdriver.serviceAccountKeyPath.
clusterBackup.datastore
By default, cluster backup tar files are saved to the directory gkectl-workspace/backups on your admin workstation. If you want to store
cluster backup files in vSphere, set this field to the vSphere datastore where
you want to save the backups.
Example:
clusterBackup:
  datastore: "my-datastore"
Note the following support differences for this field:
For advanced clusters:
Version 1.31: remove clusterBackup.datastore from your configuration file.
Backing up clusters to a vSphere datastore isn't supported.
Version 1.32: clusterBackup.datastore is in Preview.
Version 1.33 and higher: clusterBackup.datastore is GA.
For non-advanced clusters, clusterBackup.datastore remains in Preview.
autoRepair.enabled
Set this to true to enable node auto repair.
Otherwise, set this to false.
To update the value of this field, use gkectl update admin.
Example:
autoRepair:
  enabled: true
secretsEncryption
If you want to encrypt Secrets without the need for an external KMS
(Key Management Service), or any other dependencies, fill in this section.
Otherwise, remove this section or leave it commented out. Immutable
If you will be creating the cluster with enableAdvancedCluster set to true (which is required for setting up topology domains),
then remove this section. This feature isn't supported with advanced clusters.
secretsEncryption.mode
Required for Secrets encryption Immutable String Possible value: "GeneratedKey" Prepopulated: "GeneratedKey"
The Secret encryption mode.
secretsEncryption:
  mode: "GeneratedKey"
secretsEncryption.generatedKey.keyVersion
Required for Secrets encryption Mutable Integer Prepopulated: 1
An integer of your choice to use for the key version number. We recommend that
you start with 1.
Example:
secretsEncryption:
  generatedKey:
    keyVersion: 1
secretsEncryption.generatedKey.disabled
Optional for Secrets encryption Mutable Boolean Prepopulated: false
Set this to true to disable Secrets encryption. Otherwise set it to false.
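The cross-field rules this page states (gkeConnect, stackdriver and cloudAuditLogging project IDs must match; gkeConnect.location, gkeOnPremAPI.location, stackdriver.clusterLocation and cloudAuditLogging.clusterLocation must match; proxy.url requires proxy.noProxy; addonNode is not set on new clusters; and the enableAdvancedCluster restrictions on key paths and secretsEncryption) are easy to get wrong by hand, so the following pre-flight checker is an added example, not part of gkectl or this page, that applies them to a config loaded as a dict before you run gkectl create admin. SAMPLE_CONFIG is a constructed config assembled from the page's snippets; for a real file, load it with yaml.safe_load.

```python
# Field groups that the page says must agree for new clusters.
PROJECT_FIELDS = ("gkeConnect.projectID", "stackdriver.projectID", "cloudAuditLogging.projectID")
REGION_FIELDS = ("gkeConnect.location", "gkeOnPremAPI.location",
                 "stackdriver.clusterLocation", "cloudAuditLogging.clusterLocation")

def get_path(cfg, dotted):
    """Value at a dotted path such as 'stackdriver.projectID', or None if absent."""
    cur = cfg
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def check_admin_config(cfg):
    """Return the list of rule violations; an empty list means the config is consistent."""
    problems = []
    def present(fields):  # only fields that are actually set take part in a match check
        return {f: get_path(cfg, f) for f in fields if get_path(cfg, f) is not None}
    projects = present(PROJECT_FIELDS)
    if len(set(projects.values())) > 1:
        problems.append(f"project IDs must match: {projects}")
    if get_path(cfg, "gkeOnPremAPI.enabled") is False and get_path(cfg, "gkeOnPremAPI.location"):
        problems.append("omit gkeOnPremAPI.location when gkeOnPremAPI.enabled is false")
    regions = present(REGION_FIELDS)
    if len(set(regions.values())) > 1:
        problems.append(f"regions must match: {regions}")
    if get_path(cfg, "proxy.url") and not get_path(cfg, "proxy.noProxy"):
        problems.append("proxy.url is set, so proxy.noProxy is required")
    if get_path(cfg, "addonNode") is not None:
        problems.append("addonNode must not be set for new 1.28+ (HA) admin clusters")
    if get_path(cfg, "enableAdvancedCluster") is True:
        sd_key = get_path(cfg, "stackdriver.serviceAccountKeyPath")
        al_key = get_path(cfg, "cloudAuditLogging.serviceAccountKeyPath")
        if sd_key and al_key and sd_key != al_key:
            problems.append("advanced cluster: stackdriver and cloudAuditLogging key paths must match")
        if get_path(cfg, "secretsEncryption") is not None:
            problems.append("advanced cluster: secretsEncryption is not supported")
    return problems

# Constructed sample built from the page's snippets (key paths are placeholders).
SAMPLE_CONFIG = {
    "enableAdvancedCluster": True,
    "proxy": {"url": "http://my-proxy.example.local:80", "noProxy": "10.0.0.0/8,.example.local"},
    "gkeConnect": {"projectID": "my-fleet-host-project", "location": "us-central1"},
    "gkeOnPremAPI": {"enabled": True, "location": "us-central1"},
    "stackdriver": {"projectID": "my-fleet-host-project", "clusterLocation": "us-central1",
                    "serviceAccountKeyPath": "/keys/logging-monitoring.json"},
    "cloudAuditLogging": {"projectID": "my-fleet-host-project", "clusterLocation": "us-central1",
                          "serviceAccountKeyPath": "/keys/logging-monitoring.json"},
}
```

Running check_admin_config on the sample returns an empty list; each rule the page states produces one entry when violated, so the output can be fixed field by field before the create command is attempted.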
Last updated 2025-12-17 UTC.