Configure a cluster and workload for staging
Objectives
Learn some basic tasks for configuring a staging and testing cluster:
Limit access to the cluster's administrative service, which is called the control plane. This prevents unauthorized users from viewing or changing cluster and workload settings.
Specify that your app needs computing resources that efficiently scale up and down to meet demand.
Test autoscaling, which automatically replicates Pods when demand increases beyond a threshold you specify.
Adjust log retention so you only keep the logs you need.
Enable the GKE security posture dashboard.
These are just some of the tasks for promoting a cluster from development to staging. Read the GKE documentation for the full list of tasks to consider.
Costs
In this document, you use the following billable components of Google Cloud:
To generate a cost estimate based on your projected usage, use the pricing calculator.
When you finish the tasks that are described in this document, you can avoid continued billing by deleting the resources that you created. For more information, see Clean up.
Before you begin
Create a Kubernetes cluster and deploy a workload. Create a cluster and deploy a workload shows you how.
Limit access to the control plane
To improve your security posture, allow only an authorized network and Google Cloud console and Cloud Shell to access your cluster's control plane.
Configure an authorized network
In the Google Cloud console, go to the GKE Clusters page.
In the Name column, click the name of your cluster, hello-world-cluster.
In the Control plane authorized networks row of the Networking table, click Edit.
In the Edit control plane authorized networks dialog, select Enable control plane authorized networks.
Select Allow access through Google Cloud public IP addresses.
This lets you manage the cluster from Google Cloud console and Cloud Shell.
Click Add authorized network.
Enter a name, such as My example on-prem network.
In Network, enter the range of IP addresses that you want to grant access to your cluster's control plane. Use CIDR notation.
For example, enter the following range:
198.51.100.0/24
Click Done.
Click Save changes.
This operation takes a few minutes to complete.
Click the Notifications button and wait until you see a green check mark next to Update control plane authorized networks setting in Kubernetes Engine cluster "hello-world-cluster".
You have configured a cluster control plane that is accessible only from your authorized network and from Google Cloud public IP addresses (which lets you manage the cluster from Google Cloud console and Cloud Shell).
To see the IP address of your cluster's control plane and confirm the addresses of the authorized network, click Next.
View IP addresses
Go to the GKE Clusters page.
In the Name column, click the name of your cluster, hello-world-cluster.
In the Cluster basics table, the External endpoint row shows the IP address of the cluster's control plane.
In the Networking table, the Control plane authorized networks row shows the IP addresses of your authorized network.
Your cluster's control plane can now only be accessed from an authorized network, Google Cloud console, and Cloud Shell.
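A check for the settings configured above, as an added example that is not part of the original page: it audits the authorized-network block of a cluster description, such as the JSON output of `gcloud container clusters describe`. The sample JSON is constructed, and the /16 width threshold and the function names are assumptions.

```python
import ipaddress
import json

# Constructed sample in the shape of the GKE API's masterAuthorizedNetworksConfig
# field (assumed here); the values mirror the settings chosen in this tutorial.
SAMPLE_CLUSTER = json.loads("""
{
  "name": "hello-world-cluster",
  "masterAuthorizedNetworksConfig": {
    "enabled": true,
    "gcpPublicCidrsAccessEnabled": true,
    "cidrBlocks": [
      {"displayName": "My example on-prem network", "cidrBlock": "198.51.100.0/24"}
    ]
  }
}
""")

MAX_ADDRESSES = 2 ** 16  # hypothetical policy: flag blocks wider than a /16


def _config(cluster):
    return cluster.get("masterAuthorizedNetworksConfig") or {}


def audit_authorized_networks(cluster):
    """Return a list of findings for the cluster's authorized-network settings."""
    cfg = _config(cluster)
    if not cfg.get("enabled"):
        return ["authorized networks disabled: control plane not restricted by source IP"]
    findings = []
    for block in cfg.get("cidrBlocks", []):
        net = ipaddress.ip_network(block["cidrBlock"], strict=False)
        label = block.get("displayName", "<unnamed>")
        if net.prefixlen == 0:
            findings.append(f"{label}: {net} allows every address")
        elif net.num_addresses > MAX_ADDRESSES:
            findings.append(f"{label}: {net} is wider than policy allows")
    return findings


def source_in_listed_networks(cluster, source_ip):
    """True if source_ip is inside a listed CIDR block (Google public IPs not modelled)."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(b["cidrBlock"], strict=False)
               for b in _config(cluster).get("cidrBlocks", []))
```

An empty findings list for the sample means the tutorial's single /24 passes the assumed policy; a 0.0.0.0/0 entry or a disabled setting is reported.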
Specify a compute class
By default, GKE Autopilot Pods use compute resources that are optimized for general-purpose workloads. For workloads that need to scale optimally or that have other unique requirements, you can specify a different compute class.
Update the Deployment specification
In the Google Cloud console, go to the GKE Workloads page.
In the Name column, click the name of the app you deployed, hello-world-app.
Click Edit to edit the deployment specification.
In the YAML tab, find the line that starts with containers:
Just above this line, add the following lines:

nodeSelector:
  cloud.google.com/compute-class: "Scale-Out"

Make sure your file matches the indentation in the following example:

apiVersion: apps/v1
kind: Deployment
...
spec:
  ...
  template:
    ...
    spec:
      nodeSelector:
        cloud.google.com/compute-class: "Scale-Out"
      containers:
      - name: hello-app
        image: us-docker.pkg.dev/google-samples/containers/gke/hello-app:1.0

To download this file and use it as the basis for other workload configurations, click Download.
Click Save.
Any Pod replicas that are created to run your workload will use the compute class you specified.
Test autoscaling
Now that you have a workload that can scale efficiently, update autoscaling settings to more easily cause your workload to scale up. Then generate load to trigger autoscaling.
Update Pod autoscaling settings
Go to the GKE Workloads page.
In the Name column, click the name of your deployment, hello-world-app.
Click Actions.
Select Autoscale and click Horizontal pod autoscaling.
In the Configure Horizontal Pod Autoscaler dialog, under Autoscaling metrics, click CPU.
Change the value of Target to 2, which automatically scales up your Pods when they use at least 2% of their configured CPU resources. This low target value ensures that you can easily trigger autoscaling in the next step.
Click Save.
To trigger autoscaling, click Next.
Generate load to trigger autoscaling
Open Cloud Shell by clicking Cloud Shell.
Paste the following command into Cloud Shell:

for i in $(seq -s' ' 1 10000); do wget -q -O- external-IP-address; done

Replace external-IP-address with the IP address that appears in the Endpoints column.
Press Enter to run the command and send 10,000 requests to hello-world-app.
Wait for the wget command to finish running and the command-line prompt to reappear.
You can close Cloud Shell when the wget command finishes.
To watch your workload scale to accommodate the increased traffic, click Next.
Watch your workload scale
On the Deployment details page for your workload, look in the CPU chart for a spike in CPU usage.
You might need to wait up to 5 minutes to see the spike.
Click Refresh to make sure the Deployment details page shows the latest data.
Look in the Managed Pods table to see that three replicas of your workload are now running.
You might initially see errors about unschedulable Pods, but these messages are transient as the replicas start up.
You can wait for about 10 minutes, click Refresh, and see that CPU usage has dropped and so the number of Pods in Managed Pods returns to one.
You have tested autoscaling and watched your workload scale.
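Why a target of 2 scales up so readily, and why the replica count takes several minutes to fall back, shown as an added example that is not part of the original page: it applies the Kubernetes Horizontal Pod Autoscaler replica formula with its default 10% tolerance and scale-down stabilization. The maximum of 3 replicas, the one-minute sample spacing, and the CPU samples are constructed assumptions.

```python
import math

TARGET_CPU_PERCENT = 2      # the Target value set in the tutorial
MIN_REPLICAS = 1            # the workload returns to one Pod when idle
MAX_REPLICAS = 3            # assumption: matches the three replicas observed
TOLERANCE = 0.1             # Kubernetes default: no change if ratio is within 10% of 1.0
STABILIZATION_SAMPLES = 5   # assumption: five one-minute samples ~ default 300 s window


def desired_replicas(current, cpu_percent):
    """HPA rule: ceil(current * metric / target), clamped to the min/max bounds."""
    ratio = cpu_percent / TARGET_CPU_PERCENT
    if abs(ratio - 1.0) <= TOLERANCE:
        return current
    return max(MIN_REPLICAS, min(MAX_REPLICAS, math.ceil(current * ratio)))


def simulate(cpu_samples):
    """Replay per-Pod average CPU samples; return the replica count after each one."""
    replicas, history, recent = MIN_REPLICAS, [], []
    for cpu in cpu_samples:
        want = desired_replicas(replicas, cpu)
        recent = (recent + [want])[-STABILIZATION_SAMPLES:]
        # Scale up at once; scale down only to the highest
        # recommendation still inside the stabilization window.
        replicas = want if want > replicas else max(recent)
        history.append(replicas)
    return history


# Constructed samples (percent of requested CPU): idle, load burst, then idle again.
SAMPLES = [1, 5, 2, 0.5, 0.5, 0.5, 0.5, 0.5, 0.5]
```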
Adjust logs retention
By default, Cloud Logging ingests all logs from your GKE clusters. Ingesting large amounts of logs data could result in a fee. To ensure that you're only ingesting the logs data that you need for the staging environment, adjust logs retention.
Create a logs filter
In the Google Cloud console, go to the Logs Explorer page:
If you use the search bar to find this page, then select the result whose subheading is Logging.
Notice that the Query results pane shows logs from all resources in your project.
Above the query results:
Click Resource.
Search for Kubernetes cluster, then click it.
Click us-central-1.
Click hello-world-cluster.
Click Apply.
Click Severity and select Info (which changes to Info and higher on hover).
Click Run query.
Note that Query results now only contains INFO messages from your staging cluster.
Copy the query from the query editor. You'll paste this query when you create a filter for your log sink.
To create a log sink and storage bucket, click Next.
Create a log sink and storage bucket
Go to the Logging Log router page.
Click Create sink.
In Name, enter the following name:
hello-world-cluster-sink
Click Next.
In Select sink service, select Logging bucket.
In Select a log bucket, select Create new log bucket.
In Bucket details, enter a unique name, such as:
hello-world-bucket-user-id
Click Create bucket.
Under Sink destination, click Next.
In Build inclusion filter, paste the query you created in the Logs Explorer.
Click Create sink.
To view your cluster's logs, which are stored in the log bucket you created, click Next.
View your cluster's logs
In the Google Cloud console, go to the Logs Explorer page:
If you use the search bar to find this page, then select the result whose subheading is Logging.
Click Refine scope.
Select Log View.
Select the _AllLogs view for your log bucket.
Click Apply.
Query results shows only the logs that are stored in your log bucket.
You have adjusted the logs retention so your staging cluster doesn't store DEBUG messages. You can set permissions so that only certain users can view the logs in your cluster's bucket.
Enable the security posture dashboard
The security posture dashboard scans your GKE clusters and workloads to provide you with opinionated, actionable recommendations to improve your security posture.
Explore any concerns
Go to the GKE Security posture page.
If you are asked to enable the Container Security API, click Enable.
The Dashboards tab summarizes concerns for your project's clusters and workloads.
Click the Concerns tab.
If any concerns appear on the tab, click the concern for more information.
You have completed some of the basic tasks for configuring a cluster for staging and testing your app.
What's next
Clean up to avoid billing charges. If you plan to take additional tutorials, wait until you finish those tutorials before you clean up. You can use the sample Kubernetes cluster in most GKE tutorials.
Last updated 2025-10-27 UTC.