Configure a zonal GKE cluster-scoped zone
This page describes how to use Cloud DNS to configure a zonal Google Kubernetes Engine (GKE) cluster-scoped zone.
To configure a zonal GKE cluster-scoped DNS zone using Cloud DNS, first choose an existing private DNS zone or create a new private DNS zone to which to attach a specific GKE cluster. Next, configure the DNS zone to reference the GKE cluster's name.
For an overview of zonal Cloud DNS zones, see Zonal Cloud DNS zones. To learn more about scopes, see Scopes and hierarchies.
Create a zonal private zone for the zonal GKE cluster
To create a new managed zonal private zone using Cloud DNS for the zonal GKE cluster, follow this step.
gcloud
Run the gcloud dns managed-zones create command:
    gcloud dns managed-zones create NAME \
        --description=DESCRIPTION \
        --visibility=private \
        --gkeclusters=GKE_CLUSTER \
        --location=LOCATION
Replace the following:
- NAME: a name for your zone
- DESCRIPTION: a description for your zone
- GKE_CLUSTER: the fully qualified resource path of a GKE cluster, such as projects/my-project/locations/us-east1-b/clusters/my-cluster
- LOCATION: the location of the GKE cluster, specifically the Google Cloud zone where the cluster is located, such as us-east1-b
API
Send a POST request by using the managedZones.create method:
    POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones
    {
      "name": "NAME",
      "description": "DESCRIPTION",
      "dnsName": "DNS_NAME",
      "visibility": "private",
      "privateVisibilityConfig": {
        "kind": "dns#managedZonePrivateVisibilityConfig",
        "gkeClusters": [
          {
            "kind": "dns#managedZonePrivateVisibilityConfigGKEClusters",
            "gkeClusterName": "GKE_CLUSTER_NAME_1"
          },
          {
            "kind": "dns#managedZonePrivateVisibilityConfigGKEClusters",
            "gkeClusterName": "GKE_CLUSTER_NAME_2"
          },
          ....
        ]
      }
    }
Replace the following:
- PROJECT_ID: the ID of the project where you have created the managed zone
- NAME: a name for your zone
- DESCRIPTION: a description for your zone
- DNS_NAME: the DNS suffix for your zone, such as example.private
- GKE_CLUSTER_NAME_1 and GKE_CLUSTER_NAME_2: the fully qualified resource path of a GKE cluster, such as projects/my-project/locations/us-east1-b/clusters/my-cluster
Authorize the zonal GKE cluster to query a Cloud DNS private zone
To authorize the zonal GKE cluster to query an existing Cloud DNS private zone, follow this step.
gcloud
Run the gcloud dns managed-zones update command:
    gcloud dns managed-zones update NAME \
        --gkeclusters=GKE_CLUSTER \
        --location=LOCATION
Replace the following:
- NAME: the name of your zone, such as my-zone
- GKE_CLUSTER: the fully qualified resource path of a GKE cluster, such as projects/my-project/locations/us-east1-b/clusters/my-cluster
- LOCATION: the location of the GKE cluster, specifically the Google Cloud zone where the cluster is located, such as us-east1-b. The managed zone is only visible in this Google Cloud zone.
API
Send a PATCH request by using the managedZones.patch method:
    PATCH https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/managedZones/NAME
    {
      "privateVisibilityConfig": {
        "gkeClusters": [
          {
            "kind": "dns#managedZonePrivateVisibilityConfigGKEClusters",
            "gkeClusterName": "GKE_CLUSTER_NAME_1"
          },
          {
            "kind": "dns#managedZonePrivateVisibilityConfigGKEClusters",
            "gkeClusterName": "GKE_CLUSTER_NAME_2"
          },
          ....
        ]
      }
    }
Replace the following:
- PROJECT_ID: the ID of the project where you have created the managed zone
- NAME: the name of your zone, such as my-zone
- GKE_CLUSTER_NAME_1 and GKE_CLUSTER_NAME_2: the fully qualified resource path of a GKE cluster, such as projects/my-project/locations/us-east1-b/clusters/my-cluster
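Added example (not part of the original page or of Google's samples): a pre-flight check that validates each GKE cluster path against the format shown above, confirms that the zone in the path matches the LOCATION you pass, and only then builds the managedZones.patch body. The function names and the project allowlist are assumptions made for this illustration.

```python
import json
import re

# Format shown on this page: projects/PROJECT/locations/LOCATION/clusters/CLUSTER
CLUSTER_PATH = re.compile(
    r"^projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)/clusters/(?P<cluster>[^/]+)$"
)
KIND = "dns#managedZonePrivateVisibilityConfigGKEClusters"


def check_cluster(path, location, allowed_projects):
    """Return a list of problems for one GKE cluster path (empty list = OK)."""
    m = CLUSTER_PATH.match(path)
    if not m:
        return [f"{path}: not a fully qualified cluster path"]
    problems = []
    # LOCATION is the Google Cloud zone where the cluster is located.
    if m["location"] != location:
        problems.append(f"{path}: cluster location {m['location']} != zone location {location}")
    # Assumption for this example: only clusters in reviewed projects may be
    # authorized to query the private zone.
    if m["project"] not in allowed_projects:
        problems.append(f"{path}: project {m['project']} is not on the allowlist")
    return problems


def build_patch_body(cluster_paths, location, allowed_projects):
    """Validate every path, then build the managedZones.patch request body."""
    problems = [p for path in cluster_paths
                for p in check_cluster(path, location, allowed_projects)]
    if problems:
        raise ValueError("; ".join(problems))
    return {"privateVisibilityConfig": {"gkeClusters": [
        {"kind": KIND, "gkeClusterName": path} for path in cluster_paths]}}


if __name__ == "__main__":
    # Constructed sample values, modelled on the examples on this page.
    good = "projects/my-project/locations/us-east1-b/clusters/my-cluster"
    print(json.dumps(build_patch_body([good], "us-east1-b", {"my-project"}), indent=2))
    for bad in ("my-cluster",
                "projects/my-project/locations/us-east1-c/clusters/my-cluster",
                "projects/other-project/locations/us-east1-b/clusters/my-cluster"):
        print(check_cluster(bad, "us-east1-b", {"my-project"}))
```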
Configure the zonal GKE cluster to query a zonal response policy
To configure the zonal GKE cluster to query a zonal response policy, follow this step.
gcloud
Run the gcloud dns response-policies create command:
    gcloud dns response-policies create NAME \
        --description=DESCRIPTION \
        --gkeclusters=GKE_CLUSTER \
        --location=LOCATION
Replace the following:
- NAME: a name for your response policy, such as my-response-policy
- DESCRIPTION: a description for your response policy, such as my-response-policy-for-gke-5
- GKE_CLUSTER: the fully qualified resource path of a GKE cluster, such as projects/my-project/locations/us-east1-b/clusters/my-cluster
- LOCATION: the location of the GKE cluster, specifically the Google Cloud zone where the cluster is located, such as us-east1-b. The managed zone is only visible in this Google Cloud zone.
API
Send a POST request by using the responsePolicies.create method:
    POST https://dns.googleapis.com/dns/v1/projects/PROJECT_ID/responsePolicies
    {
      "responsePolicyName": "NAME",
      "description": "DESCRIPTION",
      "gkeClusters": [
        {
          "kind": "dns#responsePolicyGKECluster",
          "gkeClusterName": "GKE_CLUSTER"
        }
      ]
    }
Replace the following:
- NAME: a name for your response policy, such as my-response-policy
- DESCRIPTION: a description for your response policy, such as my-response-policy-for-gke-5
- GKE_CLUSTER: the fully qualified resource path of a GKE cluster, such as projects/my-project/locations/us-east1-b/clusters/my-cluster
What's next
- To find solutions for common issues that you might encounter when using Cloud DNS, see Troubleshooting.
- To learn more about Cloud DNS response policies and rules, see Manage response policies and rules.
- To display an audit log of operations, see View operations on managed zones.
Last updated 2026-02-19 UTC.