Provisioning a GKE Cluster
This tutorial provisions a GKE cluster on Google Cloud using OpenTofu through the kb CLI. By the end you will have a running cluster and a kubectl context pointing at it.
Prerequisites
GCP project. You need an existing Google Cloud project. Find your project ID at console.cloud.google.com or run:

    gcloud config get-value project

Authenticated gcloud. Run the following if you haven’t already:

    gcloud auth login
    gcloud auth application-default login

Tools installed. The CLI requires tofu (OpenTofu) and gcloud on your PATH.
Set your project ID
The Google Cloud provider needs a project ID. The CLI checks for it before running any tofu command and exits with a clear error if it’s missing. Set it with an environment variable:

    export GOOGLE_PROJECT=my-gcp-project-id

Alternatively, set TF_VAR_project_id, or uncomment the project_id line in tofu/remote/google/terraform.tfvars:

    # project_id = "my-gcp-project-id"

Review the defaults
Open tofu/remote/google/terraform.tfvars to see what will be built. The defaults are:
| Variable | Default | Notes |
|---|---|---|
| region | australia-southeast1 | Change for your location |
| zone | australia-southeast1-a | Zonal cluster — free control plane tier |
| machine_type | e2-medium | Worker node size |
| node_count | 3 | Used only when autoscaling is off |
| spot | true | Spot VMs reduce cost |
| disk_size_gb | 30 | Per-node boot disk |
| auto_scale | true | Autoscaling enabled by default |
| min_nodes | 1 | Autoscaler lower bound |
| max_nodes | 4 | Autoscaler upper bound |
The cluster name comes from tofu/remote/shared.tfvars, which is shared across all provider configurations.
The module provisions three resources: a VPC with a dedicated subnet (secondary ranges for pods and services), the GKE cluster itself, and an Artifact Registry repository for container images.
Initialize OpenTofu
Download the Google Cloud provider plugins:

    kb infra gke init

You only need to run this once, or after upgrading provider versions.
Preview the plan
Before applying, inspect what OpenTofu will create:

    kb infra gke plan

Review the output carefully. Expect resources for the VPC network, subnet, GKE cluster, node pool, and Artifact Registry repository.
Provision the cluster:

    kb infra gke apply

OpenTofu will prompt for confirmation before making changes. To skip the prompt:

    kb infra gke apply --auto-approve

GKE cluster creation takes several minutes. The node pool comes up after the control plane is ready.
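
The page asks you to review the plan before applying and shows `--auto-approve` skipping the prompt. The following is an added example (not part of the kb CLI or this project) that checks a plan's JSON for destructive actions and for resource types outside the five the tutorial lists. It assumes the JSON comes from OpenTofu's `tofu show -json` on a saved plan file and that the module uses the Google provider types in `EXPECTED_TYPES`; `review_plan`, `_rc` and the sample addresses are hypothetical.

```python
import json
import sys

# Assumption: provider resource types for the five resources the tutorial
# lists; the module's real types are not shown on the page, so adjust these.
EXPECTED_TYPES = {
    "google_compute_network",
    "google_compute_subnetwork",
    "google_container_cluster",
    "google_container_node_pool",
    "google_artifact_registry_repository",
}

def review_plan(plan, expected_types=EXPECTED_TYPES):
    """Return findings that should stop an unattended (--auto-approve) apply."""
    findings = []
    for rc in plan.get("resource_changes", []):
        actions = rc.get("change", {}).get("actions", [])
        # Skip data sources and resources the plan leaves untouched.
        if rc.get("mode") == "data" or actions in (["no-op"], ["read"]):
            continue
        if "delete" in actions:  # plain destroy, or replace (delete + create)
            findings.append(f"{rc['address']}: destructive actions {actions}")
        if rc.get("type") not in expected_types:
            findings.append(f"{rc['address']}: unexpected type {rc.get('type')}")
    return findings

def _rc(address, actions):
    rtype = address.split(".")[0]
    return {"address": address, "mode": "managed", "type": rtype,
            "change": {"actions": actions}}

# Constructed sample in the shape of plan JSON; addresses are made up.
SAMPLE_PLAN = {"resource_changes": [
    _rc("google_compute_network.vpc", ["create"]),
    _rc("google_container_cluster.primary", ["no-op"]),
    _rc("google_container_node_pool.workers", ["delete", "create"]),
    _rc("google_project_iam_member.extra", ["create"]),
]}

if __name__ == "__main__":
    plan = SAMPLE_PLAN
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            plan = json.load(fh)
    problems = review_plan(plan)
    for p in problems:
        print("BLOCK:", p)
    sys.exit(1 if problems else 0)
```

Run it with the path to a plan JSON file as the only argument; a non-zero exit means the plan needs a human review before any unattended apply.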
Fetch credentials
Once apply completes, write the kubectl context to your local kubeconfig:

    kb infra gke kubeconfig

The CLI reads cluster_name and cluster_location from the OpenTofu outputs, then calls gcloud container clusters get-credentials with those values. On success it prints:

    kubectl context set to GKE cluster "<name>" in <zone>

Verify access:

    kubectl get nodes

List clusters
Confirm the cluster appears in your project:

    kb infra gke clusters

For machine-readable output:

    kb infra gke clusters --json
    kb infra gke clusters --yaml

The listing shows each cluster’s zone, Kubernetes version, status, and node pool details including machine type, disk size, spot flag, and autoscaling bounds.
Next steps
- Configure GOOGLE_PROJECT in .env.json (SOPS-encrypted) so the project ID is always available: kb secrets edit .env.json
- Adjust terraform.tfvars and re-run kb infra gke apply to change node count, machine type, or autoscaling limits
- To tear down the cluster: kb infra gke destroy --i-am-sure