GKE Cluster Component

The GKE component provisions a Google Kubernetes Engine Autopilot cluster with private nodes, Workload Identity, and security features.

Architecture

Why Autopilot?

GKE Autopilot provides:

Automatic Node Management: No node pool configuration needed
Cost Optimization: Pay per pod, not per node
Security Hardening: Pre-configured security policies
Automatic Upgrades: Managed control plane and nodes
SLA Guaranteed: 99.9% uptime SLA

Resources Created

Resource	Purpose
GKE Cluster	Autopilot Kubernetes cluster
Workload Identity Pool	GCP-Kubernetes identity federation

Configuration

# Pulumi.dev.yaml (Development/Test)
config:
  serko-northsky:gkeReleaseChannel: "REGULAR"

# Pulumi.prod.yaml (Production)
config:
  serko-northsky:gkeReleaseChannel: "STABLE"

Release Channels

Channel	Description	Use Case
`RAPID`	Latest features	Experimentation
`REGULAR`	Balanced stability	Dev/Test
`STABLE`	Most stable	Production

Cluster Features

Security Configuration

Private Nodes: Nodes have no public IPs
Binary Authorization: Enforce signed container images
Shielded Nodes: Hardware-backed security
Workload Identity: Secure GCP service access

Networking

VPC-Native: Uses alias IPs for pods
Network Policy: Calico-based pod network policies
Private Endpoint: Optional private control plane access

Monitoring

Managed Prometheus: Built-in metrics collection
Cloud Logging: Centralized log management
Cloud Monitoring: Infrastructure and application metrics

Outputs

interface GkeOutputs {
  clusterName: string;
  clusterEndpoint: string;
  clusterCaCertificate: string;
  workloadIdentityPool: string;
}

Workload Identity

Workload Identity allows Kubernetes service accounts to act as GCP service accounts:

# Kubernetes ServiceAccount
apiVersion: v1
kind: ServiceAccount
metadata:
  name: backend
  annotations:
    iam.gke.io/gcp-service-account: app@PROJECT_ID.iam.gserviceaccount.com

The binding is created in the IAM component:

// IAM binding for Workload Identity
new gcp.serviceaccount.IAMMember('workload-identity-binding', {
  serviceAccountId: appServiceAccount.name,
  role: 'roles/iam.workloadIdentityUser',
  member: pulumi.interpolate`serviceAccount:${projectId}.svc.id.goog[default/backend]`,
});

Connecting to the Cluster

After deployment, configure kubectl:

# Get credentials
gcloud container clusters get-credentials serko-northsky-cluster \
  --region us-central1 \
  --project PROJECT_ID

# Verify connection
kubectl get nodes

Environment Differences

Feature	Dev/Test	Production
Release Channel	REGULAR	STABLE
Deletion Protection	Disabled	Enabled
Node Locations	Single zone	Multi-zone

Architecture​

Why Autopilot?​

Resources Created​

Configuration​

Release Channels​

Cluster Features​

Security Configuration​

Networking​

Monitoring​

Outputs​

Workload Identity​

Connecting to the Cluster​

Environment Differences​