Configuring a custom boot disk
This page shows you how to customize a node boot disk in your Google Kubernetes Engine (GKE) clusters and node pools.
Overview
When you create a GKE cluster or node pool, you can choose the type of Persistent Disk onto which the Kubernetes node file system is installed for each node. By default, GKE uses balanced Persistent Disks in version 1.24 or later. You can also specify other Persistent Disk types, such as standard or SSD. For more information, see Storage options.
Note: This feature differs from Local SSD, which can't be used as a boot disk. Balanced and SSD Persistent Disks have disk quotas which are different from standard Persistent Disk quotas. If you are switching from standard to balanced Persistent Disks, you may need to request quota increases. For more information, see Resource quotas.
Benefits of using an SSD boot disk
Using an SSD Persistent Disk as a boot disk for your nodes offers some performance benefits:
- Nodes have faster boot times.
- Binaries and files served from containers are available to the node faster. This can increase performance for I/O-intensive workloads, such as web-serving applications that host static files or short-running, I/O-intensive batch jobs.
- Files stored on the node's local media (exposed through hostPath or emptyDir volumes) can see improved I/O performance.
Specifying a node boot disk type
You can specify the boot disk type when you create a cluster or node pool.
gcloud
To create a cluster with a custom boot disk, run the following command.
[DISK_TYPE] can be one of the following values:
- pd-balanced (the default in version 1.24 or later)
- pd-standard (the default in version 1.23 or earlier)
- pd-ssd
- hyperdisk-balanced
For more information, see Persistent Disk types.
gcloud container clusters create [CLUSTER_NAME] --disk-type [DISK_TYPE]
To create a node pool in an existing cluster:
gcloud container node-pools create [POOL_NAME] --disk-type [DISK_TYPE]
For example, the following command creates a cluster, example-cluster, with the SSD Persistent Disk type, pd-ssd:
gcloud container clusters create example-cluster --disk-type pd-ssd
Console
To select the boot disk when creating your cluster with the Google Cloud console:
In the Google Cloud console, go to the Create a Kubernetes cluster page.
Configure your cluster as needed.
From the navigation menu, expand default-pool and click Nodes.
In the Boot disk type drop-down list, select a Persistent Disk type.
Click Create.
To create a node pool with a custom boot disk for an existing cluster:
Go to the Google Kubernetes Engine page in the Google Cloud console.
In the cluster list, click the name of the cluster you want to modify.
Click Add Node Pool.
Configure your node pool as needed.
From the navigation menu, click Nodes.
In the Boot disk type drop-down list, select a Persistent Disk type.
Click Create.
Protecting node boot disks
A node boot disk stores your container image, some system process logs, Pod logs, and the writable container layer by default.
If your workloads use configMap, emptyDir, or hostPath volumes, your Pods could write additional data to node boot disks. You can configure emptyDir to be backed by tmpfs to stop this. To learn how, see the Kubernetes documentation. Since secret, downwardAPI, and projected volumes are backed by tmpfs, Pods using them don't write data to the node boot disk.
By default, Google Cloud encrypts customer content at rest, including your node boot disks, and GKE manages encryption for you without any action on your part.
However, when using volumes that write to the node boot disk, you may want to further control how your workload data is protected in GKE. You can do this by either preventing Pods from writing to node boot disks, or using Customer Managed Encryption Keys (CMEK) for node boot disks.
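The volume rules above (configMap, emptyDir and hostPath land on the boot disk; an emptyDir with medium: Memory and the secret, downwardAPI and projected types are tmpfs-backed) can be checked mechanically before a manifest is admitted. The following audit is an added example, not code from the GKE documentation or from Kubernetes: it classifies each volume of a Pod manifest, lists the ones that can write to the node boot disk, and applies the tmpfs mitigation to emptyDir volumes. Volume types this page does not mention are reported as "other"; the sample Pod manifest is constructed for the example.

```python
"""Classify Pod volumes by whether they can write to the node boot disk.

Added example (not GKE or Kubernetes code). Rules come from the GKE page on
protecting node boot disks; the sample manifest below is constructed.
"""
from __future__ import annotations

import copy
from typing import Any

# Volume types that are written to the node boot disk (emptyDir unless tmpfs-backed).
BOOT_DISK_BACKED = {"configMap", "emptyDir", "hostPath"}
# Volume types that Kubernetes always backs with tmpfs on the node.
TMPFS_BACKED = {"secret", "downwardAPI", "projected"}


def classify_volume(volume: dict[str, Any]) -> str:
    """Return "boot-disk", "tmpfs" or "other" for one entry of spec.volumes."""
    for key, value in volume.items():
        if key == "name":
            continue
        if key == "emptyDir":
            # medium: Memory turns the emptyDir into a tmpfs mount on the node.
            medium = (value or {}).get("medium")
            return "tmpfs" if medium == "Memory" else "boot-disk"
        if key in BOOT_DISK_BACKED:
            return "boot-disk"
        if key in TMPFS_BACKED:
            return "tmpfs"
        # persistentVolumeClaim, csi, ...: not covered by the page's rules.
        return "other"
    return "other"


def audit_pod(pod: dict[str, Any]) -> list[str]:
    """Names of the volumes in a Pod manifest that can write to the node boot disk."""
    volumes = pod.get("spec", {}).get("volumes") or []
    return [v["name"] for v in volumes if classify_volume(v) == "boot-disk"]


def harden_empty_dirs(pod: dict[str, Any]) -> dict[str, Any]:
    """Return a copy of the Pod with every emptyDir backed by tmpfs (medium: Memory).

    This is the emptyDir mitigation the page describes; configMap and hostPath
    volumes cannot be fixed this way and still show up in audit_pod().
    """
    hardened = copy.deepcopy(pod)
    for volume in hardened.get("spec", {}).get("volumes") or []:
        if "emptyDir" in volume:
            spec = volume["emptyDir"] or {}
            spec["medium"] = "Memory"
            volume["emptyDir"] = spec
    return hardened


# Constructed sample Pod manifest (as parsed YAML/JSON), mixing all volume kinds.
SAMPLE_POD: dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "sample"},
    "spec": {
        "containers": [{"name": "app", "image": "example/app"}],
        "volumes": [
            {"name": "scratch", "emptyDir": {}},
            {"name": "cache", "emptyDir": {"medium": "Memory", "sizeLimit": "64Mi"}},
            {"name": "cfg", "configMap": {"name": "app-config"}},
            {"name": "creds", "secret": {"secretName": "app-creds"}},
            {"name": "host", "hostPath": {"path": "/var/log"}},
            {"name": "sa-token", "projected": {"sources": []}},
            {"name": "data", "persistentVolumeClaim": {"claimName": "data"}},
        ],
    },
}

if __name__ == "__main__":
    print("writes to boot disk:", audit_pod(SAMPLE_POD))
    print("after tmpfs emptyDir:", audit_pod(harden_empty_dirs(SAMPLE_POD)))
```

Running the script on the sample shows scratch, cfg and host as boot-disk writers; after hardening, only the configMap and hostPath volumes remain, which is exactly the set a policy such as the K8sPSPVolumeTypes constraint later on this page has to deny outright.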
Prevent Pods from writing to boot disks
To prevent Pods from writing data directly to the node boot disk, use one of the following methods.
Policy Controller
Policy Controller is a feature of GKE Enterprise that lets you declare and enforce custom policies at scale across your GKE clusters in fleets.
- Install Policy Controller.
- Define a constraint that restricts the following volume types by using the k8sPspVolumeTypes constraint template:
  - configMap
  - emptyDir (if not backed by tmpfs)
  - hostPath
  For instructions, see Use the constraint template library in the Policy Controller documentation.
The following example constraint restricts these volume types in all Pods in the cluster:
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPVolumeTypes
metadata:
  name: deny-boot-disk-writes
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
  parameters:
    volumes:
      - configMap
      - emptyDir
      - hostPath
PodSecurity admission controller
The built-in Kubernetes PodSecurity admission controller lets you enforce different levels of the Pod Security Standards in specific namespaces or in the cluster. The Restricted policy prevents Pods from writing to the node boot disk.
To use the PodSecurity admission controller, see Apply predefined Pod-level security policies using PodSecurity.
Customer-managed encryption
If you want to control and manage encryption key rotation yourself, you can use Customer Managed Encryption Keys (CMEK). These keys are used to encrypt the data encryption keys that encrypt your data. To learn how to use CMEK for node boot disks, see Using customer-managed encryption keys.
A limitation of CMEK for node boot disks is that it cannot be changed after node pool creation. This means:
- If the node pool was created with customer-managed encryption, you cannot subsequently disable encryption on the boot disks.
- If the node pool was created without customer-managed encryption, you cannot subsequently enable encryption on the boot disks. However, you can create a new node pool with customer-managed encryption enabled and delete the previous node pool.
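Because the CMEK setting is fixed at node pool creation, a compliance check has to find existing pools without a key and plan a replace-then-delete migration rather than an in-place change. The script below is an added example, not GKE tooling: it takes node pool objects in the shape returned by gcloud container node-pools list --format=json, reports pools whose boot disks have no customer-managed key, and emits the gcloud commands for a replacement pool. The field names config.diskType, config.bootDiskKmsKey and initialNodeCount are assumed from the GKE API NodePool and NodeConfig resources (they are not shown on this page); the --boot-disk-kms-key, --cluster, --location, --disk-type and --num-nodes flags are existing gcloud flags; the sample pools, cluster, location and key name are constructed placeholders.

```python
"""Report node pools whose boot disks lack CMEK and plan their replacement.

Added example (not GKE tooling). Encodes the page's limitation: a node pool's
boot-disk CMEK setting cannot be changed after creation, so the only path is
a new pool plus deletion of the old one. Field names are assumed from the GKE
API; sample data and key names are constructed placeholders.
"""
from __future__ import annotations

import re
from typing import Any

# Cloud KMS key resource name format expected by --boot-disk-kms-key.
KMS_KEY_RE = re.compile(
    r"^projects/[^/]+/locations/[^/]+/keyRings/[^/]+/cryptoKeys/[^/]+$"
)


def pools_without_cmek(pools: list[dict[str, Any]]) -> list[str]:
    """Names of node pools whose boot disks have no customer-managed key."""
    return [p["name"] for p in pools if not p.get("config", {}).get("bootDiskKmsKey")]


def replacement_plan(
    pools: list[dict[str, Any]], cluster: str, location: str, kms_key: str
) -> list[str]:
    """gcloud commands that move each non-compliant pool to a CMEK-backed replacement.

    For every pool without bootDiskKmsKey: create `<name>-cmek` with the same
    disk type and node count plus --boot-disk-kms-key, then delete the original.
    Cordon and drain the old pool's nodes between the two steps.
    """
    if not KMS_KEY_RE.match(kms_key):
        raise ValueError(f"not a Cloud KMS key resource name: {kms_key}")
    commands: list[str] = []
    for pool in pools:
        config = pool.get("config", {})
        if config.get("bootDiskKmsKey"):
            continue  # already CMEK-backed (and CMEK cannot be removed anyway)
        # pd-balanced is the GKE default boot disk type when none is recorded.
        disk_type = config.get("diskType", "pd-balanced")
        commands.append(
            " ".join([
                "gcloud container node-pools create", f"{pool['name']}-cmek",
                f"--cluster={cluster}", f"--location={location}",
                f"--disk-type={disk_type}",
                f"--num-nodes={pool.get('initialNodeCount', 1)}",
                f"--boot-disk-kms-key={kms_key}",
            ])
        )
        commands.append(
            f"gcloud container node-pools delete {pool['name']} "
            f"--cluster={cluster} --location={location} --quiet"
        )
    return commands


# Constructed placeholder key name (not a real key).
EXAMPLE_KEY = (
    "projects/example-project/locations/us-central1/"
    "keyRings/example-ring/cryptoKeys/example-key"
)

# Constructed sample in the shape of `gcloud container node-pools list --format=json`.
SAMPLE_POOLS: list[dict[str, Any]] = [
    {"name": "default-pool", "initialNodeCount": 3,
     "config": {"diskType": "pd-balanced", "machineType": "e2-medium"}},
    {"name": "secure-pool", "initialNodeCount": 2,
     "config": {"diskType": "pd-ssd", "bootDiskKmsKey": EXAMPLE_KEY}},
]

if __name__ == "__main__":
    print("pools without CMEK:", pools_without_cmek(SAMPLE_POOLS))
    for cmd in replacement_plan(SAMPLE_POOLS, "example-cluster", "us-central1", EXAMPLE_KEY):
        print(cmd)
```

The plan is printed rather than executed so that it can be reviewed first: the create command must succeed and workloads must be moved off the old pool before the delete command is run, since a node pool created without CMEK cannot be converted in place.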
Limitations
Before configuring a custom boot disk, consider the following limitations:
What's next
- Learn how to specify a minimum CPU platform.
- Learn more about customer managed encryption.
- Learn about using Customer Managed Encryption keys in GKE.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-24 UTC.