Update clusters

After you create a cluster, you can change some aspects of the cluster'sconfiguration. For example you can:

  • Add, remove, or replace nodes.
  • Add or remove annotations to the cluster.
  • Modify the values of mutable fields in the cluster and node pool resources.
  • Modify other custom resources.

You can usebmctl or the Google Cloud CLI to make updates to a cluster. If youcreated an admin or user cluster using Terraform, then you can use Terraform toupdate the cluster. Note the following:

This page is for Admins and architects and Operators who manage thelifecycle of the underlying tech infrastructure. To learn more about commonroles and example tasks that we reference in Google Cloud content, seeCommonGKE Enterprise user roles andtasks.

How to update clusters

Generally, you do the following sequence of actions to update a cluster:

bmctl

  1. Change the values of the applicable fields in the cluster's configurationfile, which by default is located here:
    bmctl-workspace/CLUSTER-NAME/CLUSTER-NAME.yaml

  2. Update the cluster by running thebmctl update command:

    bmctlupdatecluster-cCLUSTER_NAME--kubeconfig=KUBECONFIG

    Replace the following:

    • CLUSTER_NAME: the name of the cluster you want toupdate.
    • KUBECONFIG: for admin, hybrid, or standaloneclusters, enter the path to the cluster's kubeconfig file. For a usercluster, enter the path to theadmin cluster's kubeconfig file.
Don't usebmctl update andkubectl apply -finterchangeably when editing the cluster configuration file. When thesecommands are used interchangeably, contents populated by the header of thecluster spec might be unintentionally removed. For example, you might usebmctl update to update the cluster configuration file toconfigure a registry mirror.The cluster then hasspec.nodeConfig.registryMirrors populatedafter reconciliation.

If you then attempt to make changes to the cluster using the clusterconfiguration with thekubectl apply -f command, thespec.nodeConfig.registryMirrors populated by the reconcileron the cluster is removed. This behavior happens because the configurationdoesn't exist in the cluster configuration spec, but it does in the cluster.

gcloud CLI

  1. Specify only the flags for the configuration that you want to modify.

  2. Run the applicable update command:

Terraform

  1. Change the values of the applicable fields in the Terraformconfiguration file that you used to create the cluster or node pool. Seethe Terraform reference documentation for detailed field descriptions:

  2. Update the configuration by running theterraform apply command.

The following sections outline some common examples for updating an existingcluster.

Add or remove nodes in a cluster

Anode pool is a group ofnodes within a cluster that have the same configuration. Keep in mind that anode always belongs to a node pool. To add a new node to a cluster, you needto add it to a particular node pool. Removing a node from a node pool amountsto removing the node from the cluster altogether.

There are three kinds of node pools in Google Distributed Cloud: control plane, loadbalancer, and worker node pools. The following sections describe how toadd or remove nodes from each kind of node pool.

bmctl

You add or remove a node from a node pool by adding or removing the IP addressof the node in a specific section of the cluster configuration file. Thefollowing list shows which section to edit for a given node pool:

  • Worker node pool: add or remove the IP address of the node in thespec.nodes section of theNodePool spec.
  • Control plane node pool: add or remove the IP address of the node in thespec.controlPlane.nodePoolSpec.nodes section of theCluster spec.
  • Load balancer node pool: add or remove the IP address of the node in thespec.loadBalancer.nodePoolSpec.nodes section of theCluster spec.

Example: remove a worker node

Here's a sample cluster configuration file that shows the specifications oftwo worker nodes:

---apiVersion:baremetal.cluster.gke.io/v1kind:NodePoolmetadata:name:nodepool1namespace:cluster-cluster1spec:clusterName:cluster1nodes:-address:192.0.2.1-address:192.0.2.2

To remove a node:

  1. (Optional) If the node that you're removing is running critical Pods,first put the node intomaintenance mode.

    You can monitor the node draining process for worker nodes by viewing thestatus.nodesDrained andstatus.nodesDraining fields on theNodePool resource.

  2. Edit the cluster configuration file todelete the IP address entry for thenode.

  3. Update the cluster:

    bmctlupdatecluster1\--kubeconfig=ADMIN_KUBECONFIG

gcloud CLI

You use anupdate command to add or remove nodes. Theupdate command thatyou use and the flag in which you specify the IP address depends on the typeof node pool that you want to update:

  • Worker node pool: Rungcloud container bare-metal node-pools update andspecify the IP address in the flag--node-configs 'node-ip=IP_ADDRESS'.

  • Control plane node pool on an admin cluster: Rungcloud container bare-metal admin-clusters update and specify the IPaddress in the flag--control-plane-node-configs 'node-ip=IP_ADDRESS'.

  • Control plane node pool on a user cluster: Rungcloud container bare-metal clusters update and specify the IPaddress in the flag--control-plane-node-configs 'node-ip=IP_ADDRESS'.

  • Load balancer node pool: Rungcloud container bare-metal clusters update and specify the IPaddress in the flag--metal-lb-load-balancer-node-configs 'node-ip=IP_ADDRESS'or
    --bgp-load-balancer-node-configs 'node-ip=IP_ADDRESS'

The flag in which you specify the IP address only accepts onenode-ip. Youinclude the flag for each IP address in the node pool.

Theupdate commands replace all IP addresses with the IP addresses thatyou specify. To add a node, include the IP addresses of the existingnodes and the IP address of the new node in theupdate command. Similarly,you remove nodes by only including the IP addresses of the nodes that youwant to keep.

Example: remove a worker node

This section shows how to remove a worker node from a node pool usingexample data. Additional gcloud CLI commands that you mightfind useful are also included in the following steps.

  1. (Optional) If the node that you're removing is running critical Pods,first put the node intomaintenance mode.

    You can monitor the node draining process for worker nodes by viewing thestatus.nodesDrained andstatus.nodesDraining fields on theNodePool resource.

  2. Run thelist command to list all the node pools in the cluster:

    gcloud container bare-metal node-pools list \    --cluster=abm-user-cluster1 \    --project=example-project-12345 \    --location=us-central1

    The output is similar to the following:

    NAME         LOCATION     STATEnode-pool-1  us-central1  RUNNINGnode-pool-2  asia-east1   RUNNING

  3. Run thedescribe command to list all the IP addresses in the node pool:

    gcloud container bare-metal node-pools describe node-pool-1 \    --cluster=abm-user-cluster1 \    --project=example-project-12345 \    --location=us-central1

    The following example output is truncated for readability:

    annotations:  ...  baremetal.cluster.gke.io/version: 1.33...name: projects/example-project-12345/locations/us-central1/bareMetalClusters/abm-user-cluster1/bareMetalNodePools/node-pool-1nodePoolConfig:  nodeConfigs:  - nodeIp: 192.0.2.1  - nodeIp: 192.0.2.2  operatingSystem: LINUXstate: RUNNING...

    Note the following in the example output:

    • Thename field contains the fully-qualified name of the node pool.When specifying the node pool name in a command, you can either specifythe fully-qualified name, or the node pool name, for example,node-pool-1, along with the--cluster,--project, and the--location flags.

    • ThenodeConfigs section contains twonodeIp fields with the IPaddresses of the nodes.

  4. Run the following command to remove the node with the IP address192.0.2.1:

    gcloud container bare-metal node-pools update node-pool-1 \    --cluster=abm-user-cluster1 \    --project=example-project-12345 \    --location=us-central1 \    --node-configs='node-ip=192.0.2.2'

    Theupdate command replaces all IP addresses with the IP addresses thatyou specify. Because 192.0.2.1 isn't included, the node is removed.

    The output of the command is similar to the following:

    Waiting for operation [projects/example-project-12345/locations/us-central1/operations/operation-1697154681749-6078d9def4030-76686d6e-9fcb1de9] to complete

    In the example output, the stringoperation-1697154681749-6078d9def4030-76686d6e-9fcb1de9is theOPERATION_ID of the long-running operation.You can find out the status of the operation by running the followingcommand in another terminal window:

    gcloud container bare-metal operations describe operation-1697154681749-6078d9def4030-76686d6e-9fcb1de9 \    --project= example-project-12345 \    --location=us-central1

    You can rerun the command every so often to check the status.

If the node removal fails, you can force its removal from the cluster.For details, seeReset a failed node in Google Distributed Cloud.

Replace HA control plane nodes

bmctl

You can usebmctl to replace high availability (HA) control plane nodes inall cluster types.

You replace a node in a cluster by performing the following steps:

  1. Remove the node's IP address from the cluster configuration file.
  2. Update the cluster.
  3. Check the status of nodes in the cluster.
  4. Add a new node's IP address to the same cluster configuration file.
  5. Update the cluster.

Example: replace a HA control plane node

Here's a sample cluster configuration file that shows three control planenodes in a user cluster:

---apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:user-clusternamespace:cluster-user-clusterspec:controlPlane:nodePoolSpec:nodes:-address:192.0.2.11-address:192.0.2.12-address:192.0.2.13

To replace the last node listed in thespec.controlPlane.nodePoolSpec.nodessection, perform the following steps:

  1. Remove the node by deleting its IP address entry in the clusterconfiguration file. After making this change, the cluster configuration fileshould look something like this:

    ---apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:user-clusternamespace:cluster-user-clusterspec:controlPlane:nodePoolSpec:nodes:-address:192.0.2.11-address:192.0.2.12

  2. Update the cluster by running the following command:

    bmctl update cluster -cCLUSTER_NAME \  --kubeconfig=KUBECONFIG

    Make the following changes:

    • ReplaceCLUSTER_NAME with the name of the cluster you want toupdate.
    • If the cluster is a self-managing cluster (such as admin or standalonecluster), replaceKUBECONFIG with the path to the cluster'skubeconfig file. If the cluster is a user cluster, as it is in thisexample, replaceKUBECONFIG with the path to theadmincluster's kubeconfig file.

  3. After thebmctl update command has executed successfully, it takes sometime to complete themachine-preflight andmachine-init jobs. You canview the status of nodes and their respective node pools by running thecommands described in theVerify your updates sectionof this document. After the node pool and nodes are in a ready state, youcan proceed to the next step.

  4. Add a new control plane node to the node pool by adding the IP address ofthe new control plane node to thespec.controlPlane.nodePoolSpec.nodessection of the cluster configuration file. After making this change, thecluster configuration file should look something like this:

    ---apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:user-clusternamespace:cluster-user-clusterspec:controlPlane:nodePoolSpec:nodes:-address:192.0.2.11-address:192.0.2.12-address:192.0.2.14

  5. Update the cluster by running the following command:

    bmctl update cluster -cCLUSTER_NAME \  --kubeconfig=KUBECONFIG

gcloud CLI

You can use the gcloud CLI to replace high availability (HA)control plane nodes in admin and user clusters.

You replace a node in a cluster by performing the following steps:

  1. Remove the node's IP address by running the applicableupdate command:

    • User cluster:gcloud container bare-metal clusters update
    • Admin cluster:gcloud container bare-metal admin-clusters update

  2. Check the status of the node removal in the cluster by runninggcloud container bare-metal operations describeOPERATION_ID.

  3. Add the new node's IP address by running the applicableupdate command.

Example: replace a HA control plane node

This section shows how to replace a control plane from a cluster usingexample data. Additional gcloud CLI commands that you mightfind useful are also included in the following steps.

  1. Run thelist command to list all the user clusters in aGoogle Cloud project:

    gcloud container bare-metal clusters list \    --project=example-project-12345 \    --location=-

    When you set--location=-, that means to list all clusters in allregions. If you need to scope down the list, set--location to aspecific region.

    The output is similar to the following:

    NAME                 LOCATION      VERSION   ADMIN_CLUSTER        STATEabm-user-cluster1a   us-central1   1.33      abm-admin-cluster1   RUNNINGabm-user-cluster1b   europe-west1  1.33      abm-admin-cluster1   RUNNING

  2. Run thedescribe command on the cluster:

    gcloud container bare-metal clusters describe abm-user-cluster1  \    --project=example-project-12345 \    --location=us-central1

    The example output is truncated for readability:

    ...controlPlane:  controlPlaneNodePoolConfig:    nodePoolConfig:      nodeConfigs:      - nodeIp: 192.0.2.11      - nodeIp: 192.0.2.12      - nodeIp: 192.0.2.13      operatingSystem: LINUX...name: projects/example-project-1234567/locations/us-central1/bareMetalClusters/abm-user-cluster1a...

    Note the following in the example output:

    • Thename field contains the fully-qualified name of the cluster.When specifying the cluster name in a command, you can either specifythe fully-qualified name, or the cluster name, for example,abm-user-cluster1a, along with the--project and the--location flags.

    • ThenodeConfigs section contains threenodeIp fields with the IPaddresses of the control plane nodes.

  3. Remove the node with the IP address192.0.2.13:

    gcloud container bare-metal cluster update abm-user-cluster1a \    --project=example-project-12345 \    --location=us-central1 \    --control-plane-node-configs 'node-ip=192.0.2.11'    --control-plane-node-configs 'node-ip=192.0.2.12'

    The output of the command is similar to the following:

    Waiting for operation [projects/example-project-12345/locations/us-central1/operations/operation-1956154681749-6078d9def4030-76686d6e-9fcb1d7] to complete

    In the example output, the stringoperation-1956154681749-6078d9def4030-76686d6e-9fcb1de7is theOPERATION_ID of the long-running operation.You can find out the status of the operation by running the followingcommand in another terminal window:

    gcloud container bare-metal operations describe operation-1956154681749-6078d9def4030-76686d6e-9fcb1de7 \    --project= example-project-12345 \    --location=us-central1

    You can rerun the command every so often to check the status.

  4. Add the new node with the IP address192.0.2.14:

    gcloud container bare-metal cluster update abm-user-cluster1a \    --project=example-project-12345 \    --location=us-central1 \    --control-plane-node-configs 'node-ip=192.0.2.11'    --control-plane-node-configs 'node-ip=192.0.2.12'    --control-plane-node-configs 'node-ip=192.0.2.14'

Verify your updates

kubectl

You can view the status of nodes and their respective node pools with thekubectl get command.

For example, the following command shows the status of the node pools in thecluster namespacecluster-my-cluster:

kubectl-ncluster-my-clustergetnodepools.baremetal.cluster.gke.io

The system returns results similar to the following:

NAME                    READY   RECONCILING   STALLED   UNDERMAINTENANCE   UNKNOWNcluster-my-cluster      3       0             0         0                  0cluster-my-cluster-lb   2       0             0         0                  0np1                     3       0             0         0                  0

Reconciling=1 means that the reconciliation step is still in progress. Youshould wait until the status changes toReconciling=0.

You can also check status of nodes in the a cluster by running followingcommand:

kubectlgetnodes--kubeconfig=KUBECONFIG

gcloud CLI

As described previously, after running anupdate command, you cancheck the status of the operation usinggcloud container bare-metaloperations describeOPERATIONS_ID. The output ofthe command gives the status of the nodes, for example:

  ...  metrics:  - intValue: '1'    metric: NODES_RECONCILING  - intValue: '2'    metric: NODES_HEALTHY  - intValue: '0'    metric: NODES_FAILED  - intValue: '0'    metric: NODES_IN_MAINTENANCE  - intValue: '3'    metric: NODES_TOTAL  stage: HEALTH_CHECK...

No matter which tool you use to update a node pool, you can get the currentstatus of a node pool by running the applicabledescribe command as shownpreviously.

If you need more information about how to diagnose your clusters, seeCreate snapshots for diagnosing clusters.

Load balancer address pools

bmctl

TheaddressPoolssection contains fields for specifying load-balancing pools for the MetalLBand Border Gateway Protocol (BGP) bundled load balancers. You can add moreload-balancing address pools at any time, but you can't remove any existingaddress pools. Starting with Google Distributed Cloud version 1.16.0, you canmodify the values foraddressPools.avoidBuggyIPs andaddressPools.manualAssign at any time.

addressPools:-name:pool1addresses:-198.51.100.0-198.51.100.4-198.51.100.240/28-name:pool2addresses:-198.51.100.224/28

gcloud CLI

You can add more load-balancing address pools at any time for the bundledload balancers, but you can't remove any existing address pools. The flag thatyou specify ingcloud container bare-metal clusters update to add an addresspool depends on the type of bundled load balancer:

  • MetalLB (layer 2): Use the--metal-lb-address-pools flag.
  • Border Gateway Protocol (BGP): Use the--bgp-address-pools flag.

The value for the flags have the following format:

'pool=NAME,avoid-buggy-ips=True|False,manual-assign=True|False,addresses=IP_ADDRESS_RANGE_1;IP_ADDRESS_RANGE_2;...' \

The value has segments that start with the keywordspool,avoid-buggy-ip,manual-assign, andaddresses. Separate each segmentwith a comma.

  • pool: A name of your choice for the pool.

  • avoid-buggy-ips: If you set this toTrue, the IP address management(IPAM) controller won't assign IP addresses ending in.0 or.255 toServices. This avoids the problem of buggy consumer devices mistakenlydropping traffic sent to those special IP addresses. If not specified,defaults toFalse. Starting with Google Distributed Cloud version 1.16.0,you can modify this value in an existing address pool.

  • manual-assign: If you don't want the IPAM controller toautomatically assign IP addresses from this pool to Services, setthis toTrue. Then a developer can create a Service of typeLoadBalancer and manually specify one of the addresses from thepool. If not specified,manual-assign is set toFalse.Starting with Google Distributed Cloud version 1.16.0, you can modifythis value in an existing address pool.

  • In the list ofaddresses: Each address must be a range either inCIDR orhyphenated-range format. To specify a single IP address in a pool(such as for the ingress VIP), use/32 in CIDR notation(for example, 192.0.2.1/32).

Note the following syntax rules:

  • Surround the entire value in single quotes.
  • Whitespace isn't allowed.
  • Separate each IP address range with a semicolon.

You can specify more than one instance of the flag, as shown in thefollowing example:

--metal-lb-address-pools='pool=pool2,avoid-buggy-ips=False,manual-assign=True,addresses=198.51.100.0/30;198.51.100.64-198.51.100.72'--metal-lb-address-pools='pool=pool3,avoid-buggy-ips=True,manual-assign=True,addresses=203.0.113.0/28'

For more information about load balancer address pools, seeloadBalancer.addressPoolsin Configure bundled load balancing.

Prevent inadvertent cluster deletion

bmctl

If you add thebaremetal.cluster.gke.io/prevent-deletion: "true" annotationto your cluster configuration file, you are prevented from deleting thecluster. For example, runningkubectl delete cluster orbmctl resetcluster produces an error.

apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:ci-10c3c6f4d9c698enamespace:cluster-ci-10c3c6f4d9c698eannotations:baremetal.cluster.gke.io/prevent-deletion:"true"spec:clusterNetwork:

gcloud CLI

If you specify the--add-annotations flag with the valuebaremetal.cluster.gke.io/prevent-deletion="true", you are prevented fromdeleting the cluster. For example:

  1. Add the annotation to prevent accidental cluster deletion:

    gcloud container bare-metal clusters update abm-user-cluster1a \    --project=example-project-12345 \    --location=us-central1 \    --add-annotations=baremetal.cluster.gke.io/prevent-deletion="true"

  2. Attempt to delete the user cluster:

    gcloud container bare-metal clusters delete abm-user-cluster1a \    --project=example-project-12345 \    --location=us-central1 \    --force \    --allow-missing

    The response from the command is similar to the following:

    ERROR: (gcloud.container.bare-metal.clusters.delete) INVALID_ARGUMENT:invalid request: admission webhook "vcluster.kb.io" denied the request:annotations[baremetal.cluster.gke.io/prevent-deletion]: Invalid value:"true": Annotation "baremetal.cluster.gke.io/prevent-deletion" should beremoved in order to delete this cluster

    To remove the annotation, specify--remove-annotations=baremetal.cluster.gke.io/prevent-deletion="true"in theupdate command.

Bypass preflight checks

This feature is available only withbmctl update.

The default value of thebypassPreflightCheckfield isfalse. If you set this field totrue in the cluster configurationfile, the internal preflight checks are ignored when you apply resources toexisting clusters.

apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:cluster1namespace:cluster-cluster1annotations:baremetal.cluster.gke.io/private-mode:"true"spec:bypassPreflightCheck:true

Add or remove cluster administrators

bmctl

You can add or remove a user or service account as a cluster administratorfor a user cluster by specifying email addresses in theclusterSecurity.authorization.clusterAdmin.gcpAccountssection of the cluster configuration file. The accounts are granted thecluster-admin role on the cluster, providing full access to the cluster.

apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:cluster1namespace:cluster-cluster1spec:clusterSecurity:authorization:clusterAdmin:gcpAccounts:-alex@example.com-hao@example.com-my-sa@example-project-12345.iam.gserviceaccount.com

When updating a user cluster to add an account, be sure to include allaccounts in the list (both existing and new accounts) becausebmctl updateoverwrites the list with what you specify in the configuration file. Toremove an account, remove it from the cluster configuration file and runbmctl update.

gcloud CLI

You can add or remove a user or service account as a cluster administratorby specifying an email addresses in the--admin-users flag. The flagaccepts only one email address. To add multiple users, specify one accountin each flag, for example:

gcloudcontainerbare-metalclustersupdateabm-user-cluster1a\--project=example-project-12345\--location=us-central1\--admin-users=alex@example.com\--admin-users=hao@example.com--admin-users=my-sa@example-project-12345.iam.gserviceaccount.com

Theupdate command overwrites the whole grant list. Specify all existing andnew users who you want to be cluster administrators.

Set a login user

You can specify a non-root username that you want to use for passwordlesssudocapability access to the node machines in your cluster. Your SSH key,sshPrivateKeyPath,must work for the specified user. The cluster create and update operations checkthat node machines can be accessed with the specified user and SSH key.

bmctl

apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:cluster1namespace:cluster-cluster1annotations:baremetal.cluster.gke.io/private-mode:"true"spec:nodeAccess:loginUser:abm

gcloud CLI

You specify the user that you want to use to access node machines in the--login-user flag, for example:

gcloudcontainerbare-metalclustersupdateabm-user-cluster1a\--project=example-project-12345\--location=us-central1\--login-user=abm

To enable passwordlesssudo access for a user, follow these steps on eachcluster node machine:

  1. Usesudo visudo to open the sudoers file for editing:

    sudovisudo-f/etc/sudoers

    Thevisudo command locks the sudoers file to prevent simultaneous editsand validates the syntax of the file upon saving.

  2. For your login user, add an entry to the sudoers file like the following:

    USERNAME ALL=(ALL) NOPASSWD: ALL

  3. Close and save the file.

  4. To run commands with the privileges of your login user, run the followingcommand:

    su-USERNAME

  5. To verify that a password isn't required for your login user to runsudocommands, run the followingsudo command:

    sudoipa

Advanced networking

You configure advanced networking features in various custom resources afterthe cluster is created. To use the custom resources and related networkingfeatures, you must enable advanced networking when youcreate your cluster.

bmctl

SetclusterNetwork.advancedNetworkingtotruein the cluster configuration when you create your cluster:

apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:cluster1namespace:cluster-cluster1spec:clusterNetwork:...advancedNetworking:true...

gcloud CLI

Include the--enable-advanced-networking flag inthegcloud container bare-metal clusters create command when you create your cluster.

After the cluster is created with advanced networking enabled, you canconfigure the custom resources described in this section usingkubectl apply.

Note: Thegcloud container bare-metal clusters update command doesn't supportconfiguring these custom resources.

NetworkGatewayGroup

TheNetworkGatewayGroup custom resource is used to provide floating IPaddresses for advanced networking features, such as theegress NAT gateway or thebundled load-balancing feature with BGP.

apiVersion:networking.gke.io/v1kind:NetworkGatewayGroupname:defaultnamespace:cluster-bmspec:floatingIPs:-10.0.1.100-10.0.2.100

BGP load balancing

You configure Border Gateway Protocol (BGP) load balancing in the clusterresource and other custom resources. Thegcloud container bare-metal clusterscreate and theupdate commands support configuring BGP in the clusterresource, but not the custom resources.

When you configure bundled load balancers with BGP, the data plane loadbalancing uses, by default, the same external peers that were specified forcontrol plane peering. Alternatively, you can configure the data plane loadbalancing separately, using theBGPLoadBalancer custom resource and theBGPPeer custom resource. For more information, seeConfigure bundled load balancers with BGP.

BGPLoadBalancer

apiVersion:networking.gke.io/v1kind:BGPLoadBalancermetadata:name:defaultnamespace:cluster-bmspec:peerSelector:cluster.baremetal.gke.io/default-peer:"true"

BGPPeer

apiVersion:networking.gke.io/v1kind:BGPPeermetadata:name:bgppeer1namespace:cluster-bmlabels:cluster.baremetal.gke.io/default-peer:"true"spec:localASN:65001peerASN:65002peerIP:10.0.3.254sessions:2

Increase service network range

To create more services than the initial limit, you can reduce the IPv4 serviceCIDR mask to increase the service network of your cluster. Reducing the mask(the value after "/") results in a bigger network range. You can onlyincrease the range of the IPv4 service CIDR. The network rangecan't be reduced, which means the mask (the value after "/") can't be increased.

bmctl

apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:cluster1namespace:cluster-cluster1spec:...clusterNetwork:services:cidrBlocks:-192.0.2.0/14...

gcloud CLI

To increase the range of the IPv4 service CIDR on a user cluster, specifythe new range in the--island-mode-service-address-cidr-blocks flag.

gcloudcontainerbare-metalclustersupdatecluster1\--project=example-project-12345\--location=us-central1\--island-mode-service-address-cidr-blocks=192.0.2.0/14

Configure kubelet image pull settings

The kubelet runs on each node of your cluster. The kubelet is responsible formonitoring containers on a node and making sure they are healthy. When needed,the kubelet queries and pulls images from the Artifact Registry.

Updating your kubelet configurations manually and keeping them synchronizedacross all of your cluster nodes can be challenging. To make matters worse,manual kubelet configuration changes on your nodes are lost when you upgradeyour cluster.

To help make synchronized updates easier and persistent, Google Distributed Cloudlets you specify some kubelet settings for each of your cluster node pools:control plane nodes, load balancer nodes, and worker nodes. The settings applyfor all nodes in a given pool and persist through cluster upgrades. The fieldsfor these settings are mutable, so you can update them at any time, not justduring cluster creation.

bmctl

The following supported fields control Artifact Registry pull operations forkubelet:

Warning: SettingregistryBurst orregistryPullQPS to a negative valueresults in update job failures for the kubelet configuration. To fix the issue,either update these fields to positive values or remove them from the spec. Ifthe update job is left to fail for a long time, it can fill up the machine diskspace with kubelet configuration backup files. You can find these backup filesin/var/lib/kubelet/config.yaml.bkup.*. If these backup files are taking uptoo much disk space, you can remove them.
  • registryBurst (default: 10)
  • registryPullQPS (default: 5)
  • serializeImagePulls (default: true)

For more information about each of the kubelet configuration fields, see theCluster configuration field reference.

You can specify these fields inkubeletConfig sections of the Cluster spec andthe NodePool spec for the following pools of nodes:

The following example shows the added fields with theirdefault values inthe cluster configuration file. Note that the annotationpreview.baremetal.cluster.gke.io/custom-kubelet: "enable" is required.

apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:cluster1namespace:cluster-cluster1annotations:preview.baremetal.cluster.gke.io/custom-kubelet:"enable"spec:...controlPlane:nodePoolSpec:kubeletConfig:registryBurst:10registryPullQPS:5serializeImagePulls:true...loadBalancer:nodePoolSpec:kubeletConfig:registryBurst:10registryPullQPS:5serializeImagePulls:true...apiVersion:baremetal.cluster.gke.io/v1kind:NodePoolmetadata:name:node-pool-newnamespace:cluster-cluster1spec:clusterName:cluster1...kubeletConfig:registryBurst:10registryPullQPS:5serializeImagePulls:true

In each case, the setting applies to all nodes in the pool.

gcloud CLI

The following flags control Artifact Registry pull operations forkubelet:

Warning: Setting the*-registryburst or*-registry-pull-qps flags to anegative value results in update job failures for the kubelet configuration.To fix the issue, update these fields to positive values. If the update job isleft to fail for a long time, it can fill up the machine disk space withkubelet configuration backup files. You can find these backup filesin/var/lib/kubelet/config.yaml.bkup.*. If these backup files are taking uptoo much disk space, you can remove them.

How to use

Here are some considerations for tuning image pulls:

Keepalived customization

Starting in version 1.32, Google Distributed Cloud provides some customization ofthe Keepalived configuration. With bundled load balancing, the control planeload balancer serves the control plane virtual IP (VIP) address.Google Distributed Cloud runs Keepalived and HAProxy as Kubernetes static Pods onthe load balancer nodes to announce the control plane VIP. Keepalived uses theVirtual Router Redundancy Protocol (VRRP) on the load balancer nodes for highavailability.

Version 1.32 and later clusters have the following Keepalived customizations:

Install or uninstall the bundled NVIDIA GPU Operator

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

TheNVIDIA GPU Operatorlets you run GPU-related workloads in your clusters. Starting withGoogle Distributed Cloud version 1.33.0, clusters are bundled with a completeNVIDIA GPU Operator stack to provide a managed solution for handling the NVIDIAsoftware components needed to provision GPUs on your cluster worker nodes.

Important: Don't install the bundled NVIDIA GPU Operator if you intend to manuallyinstall and maintain the NVIDIA GPU Operator yourself. If you prefer to install andmanage the NVIDIA GPU Operator manually, seeSet up and use NVIDIAGPUs for instructions.

Prerequisites

Before installing the the bundled NVIDIA GPU Operator, make sure your environment meetsthe following requirements:

  • Operational cluster: You have a functional bare metal cluster createdwith Google Distributed Cloud.

  • NVIDIA GPUs: The NVIDIA GPUs are installed on your cluster worker nodes.The following section for installing the NVIDIA GPU Operator includes steps toverify that the GPUs are installed properly and recognized by your operatingsystem.

  • Compatible NVIDIA driver version: The NVIDIA driver version you use mustbe compatible with your GPU, your operating system, and the CUDA versionyour applications use. For more information, seeVersioninformation.

    You have the following NVIDIA driver installation options:

    The NVIDIA GPU driver must be installed and ready before you enable thebundled NVIDIA GPU Operator.

Version information

This section contains software version information for the bundled NVIDIA GPU Operator.

Software component versions

Google Distributed Cloud release version 1.33 bundles version 25.3.1 of theNVIDIA GPU Operator. In Google Distributed Cloud, the bundle contains the followingimages:

  • NVIDIA Container Toolkit version v1.17.8
  • NVIDIA DCGM Exporter v3.3.9-3.6.1
  • NVIDIA Kubernetes Device Plugin v0.17.1
  • Node Feature Discovery v0.17.2

The image versions bundled with Google Distributed Cloud release 1.33 might notmatch exactly with the software component versions listed in the25.3.1 releasenotes.

Driver compatibility

SeePlatform Support for version25.3.1on the NVIDIA Docs Hub for drivers compatibility information.

Updating the bundled NVIDIA GPU Operator

If you have installed NVIDIA GPU Operator on your cluster, when you upgrade to a newminor version, the latest bundled version of the NVIDIA GPU Operator is installed.

Install the bundled operator

While the bundled NVIDIA GPU Operator is in Preview, you install it by usingbmctl update to add the following annotation to the cluster that has GPUnodes:

apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:cluster1namespace:cluster-cluster1annotations:preview.baremetal.cluster.gke.io/nvidia-gpu-operator:"enable"spec:...

The NVIDIA GPU Operator stack is installed to the cluster when the annotation applied.

Uninstall the bundled operator

While the bundled NVIDIA GPU Operator is in Preview, you uninstall it by usingbmctl update to remove the following annotation from the cluster that has GPUnodes:

preview.baremetal.cluster.gke.io/nvidia-gpu-operator:"enable"

All components of the NVIDIA GPU Operator stack are removed from the cluster when theannotation is removed.

Enable dynamic resource allocation

Preview

This product or feature is subject to the "Pre-GA Offerings Terms" in the General Service Terms section of theService Specific Terms. Pre-GA products and features are available "as is" and might have limited support. For more information, see thelaunch stage descriptions.

Dynamic resource allocation is a Kubernetes API that lets you request and share genericresources, such as GPUs, among Pods and containers. Third-party drivers managethese resources. This capability helps you run AI workloads by dynamically andprecisely allocating the GPU resources within your bare metal clusters,improving resource utilization and performance for demanding workloads.

Dynamic resource allocation is available for preview for version 1.33 and later clusters. Thefollowing instructions describe how to configure your cluster to use dynamic resource allocation.After it's enabled, you can configure your GPU workloads to use dynamic resource allocation.

Configure your cluster to enable dynamic resource allocation:

  1. Edit your cluster configuration file to include thepreview.baremetal.cluster.gke.io/dynamic-resource-allocation: "enable"preview annotation and addDynamicResourceAllocation: true underfeatureGates in thekubeletConfig section:

    apiVersion:baremetal.cluster.gke.io/v1kind:Clustermetadata:name:dranamespace:cluster-draannotations:preview.baremetal.cluster.gke.io/dynamic-resource-allocation:"enable"spec:controlPlane:nodePoolSpec:kubeletConfig:featureGates:DynamicResourceAllocation:true# ... other cluster configuration

  2. Update the cluster by running thebmctl update command:

    bmctlupdatecluster-cCLUSTER_NAME\--kubeconfig=ADMIN_KUBECONFIG

    Replace the following:

    • CLUSTER_NAME: the ame of the user cluster you areupdating.

    • ADMIN_KUBECONFIG: the path of the admin clusterkubeconfig file.

    After you apply this configuration, theREADY field for your bare metalmachines might switch betweenTrue andFalse multiple times. Wait fortheREADY field to stabilize onTrue before proceeding.

  3. To enable theDynamicResourceAllocation feature gate in node pools that havenodes with GPUs, setDynamicResourceAllocation totrue in thefeatureGates section of thekubeletConfig section of the NodePool spec:

    For instructions to add and update a node pool, seeManage node pools in acluster.

    apiVersion:baremetal.cluster.gke.io/v1kind:NodePoolmetadata:name:npnamespace:cluster-draspec:clusterName:drakubeletConfig:featureGates:DynamicResourceAllocation:truenodes:# ... other node pool configuration

    After you have added or updated the node pool, wait for all bare metalmachines in the node pool to reach aReady status.

  4. To check the status of your cluster bare metal machines, use the following command:

    kubectlgetbaremetalmachines--kubeconfigADMIN_KUBECONFIG-A

    When the bare metal machines are ready, the response should look similar tothe following sample response:

    NAMESPACE          NAME         CLUSTER    READY   INSTANCEID               MACHINE      ABM VERSION        DESIRED ABM VERSIONcluster-admin      10.200.0.2   dra        true    baremetal://10.200.0.2   10.200.0.2    1.33.0-gke.793   1.33.0-gke.793cluster-user-dra   10.200.0.6   user-dra   true    baremetal://10.200.0.6   10.200.0.6    1.33.0-gke.793   1.33.0-gke.793cluster-user-dra   10.200.0.7   user-dra   true    baremetal://10.200.0.7   10.200.0.7    1.33.0-gke.793   1.33.0-gke.793cluster-user-dra   10.200.0.8   user-dra   true    baremetal://10.200.0.8   10.200.0.8    1.33.0-gke.793   1.33.0-gke.793

Limitations

The bundled NVIDIA GPU Operator has the following limitations:

  • The bundled NVIDIA GPU Operator supports the following NVIDIA software componentsonly:

    • NVIDIA Container Toolkit
    • NVIDIA DCGM Exporter
    • NVIDIA Kubernetes Device Plugin
    • NVIDIA MIG Manager for Kubernetes.

  • DuringPreview,the NVIDIA GPU Operator configuration is fixed. If you attempt to customize anysettings, they are reconciled back to the original installation settings.

  • The bundled NVIDIA GPU Operator can't be used to install NVIDIA GPU drivers.

  • During Preview, this feature uses theresource.k8s.io/v1beta1 API group,which differs from the open source Kubernetes API group for this feature,resource.k8s.io/v1. Thev1 open source API group provides more featuresand better stability than thev1beta1 API group.

What's next

Reference documentation

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-24 UTC.