GKE Add-ons

GKE add-ons are Kubernetes software components that extend cluster functionality. GKE provides managed add-ons for essential components like CoreDNS, kube-proxy, and HTTP(S) Load Balancing Ingress controller, plus support for installing popular third-party add-ons for monitoring, networking, security, and more.

GKE Add-ons Overview

GKE add-ons extend cluster functionality:

graph TB
    subgraph gke_addons[GKE Managed Add-ons]
        COREDNS[CoreDNS]
        KUBE_PROXY[kube-proxy]
        INGRESS[HTTP(S) Load Balancing<br/>Ingress Controller]
        NP[Network Policy]
    end
    subgraph third_party[Third-Party Add-ons]
        PROMETHEUS[Prometheus]
        GRAFANA[Grafana]
        CALICO[Calico]
        EXTERNAL_SECRETS[External Secrets]
    end
    GKE_CLUSTER[GKE Cluster] --> COREDNS
    GKE_CLUSTER --> KUBE_PROXY
    GKE_CLUSTER --> INGRESS
    GKE_CLUSTER --> PROMETHEUS
    GKE_CLUSTER --> GRAFANA
    style GKE_CLUSTER fill:#e1f5ff
    style COREDNS fill:#fff4e1
    style PROMETHEUS fill:#e8f5e9

GKE Managed Add-ons

CoreDNS

CoreDNS provides DNS resolution for pods and services within the cluster.

Features:

  • Service discovery
  • Pod DNS resolution
  • Custom DNS entries
  • Health checks

Configuration:

apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns
  namespace: kube-system
data:
  Corefile: |
    .:53 {
        errors
        health {
           lameduck 5s
        }
        ready
        kubernetes cluster.local in-addr.arpa ip6.arpa {
           # insecure: answers pod-IP-style names without checking that such a
           # pod exists (kube-dns compatibility); "pods verified" requires a
           # matching pod in the namespace
           pods insecure
           fallthrough in-addr.arpa ip6.arpa
           ttl 30
        }
        prometheus :9153
        # send everything outside the cluster zones to the node's resolver
        forward . /etc/resolv.conf
        cache 30
        # loop: halt on detected forwarding loops; reload: pick up Corefile
        # changes without a restart
        loop
        reload
        loadbalance
    }

kube-proxy

kube-proxy maintains network rules for service networking and load balancing.

Features:

  • Service IP management
  • Load balancing
  • Network rules
  • iptables/ipvs mode

HTTP(S) Load Balancing Ingress Controller

GKE provides built-in HTTP(S) Load Balancing through the Ingress resource: the GKE Ingress controller provisions a Google Cloud HTTP(S) load balancer from each Ingress it manages.

Features:

  • HTTP(S) Load Balancing
  • SSL/TLS termination
  • Path-based routing
  • Host-based routing
  • Custom static IPs
  • Managed SSL certificates

Usage:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: my-static-ip
    networking.gke.io/managed-certificates: my-ssl-cert
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: web-service
            port:
              number: 80

Network Policy

Network Policy provides pod-to-pod network isolation.

Enabling:

# Enable network policy when creating cluster
gcloud container clusters create my-cluster \
  --zone us-central1-a \
  --enable-network-policy

Features:

  • Pod-to-pod isolation
  • Namespace isolation
  • Ingress and egress rules
  • Policy enforcement
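Once the add-on is enabled, no policies exist, so every pod can still talk to every other pod. As an added example that is not part of the original page, here is a baseline for one namespace: a default-deny policy for both directions, plus the egress rule that restores DNS to the cluster DNS pods in kube-system, which default-deny egress otherwise silently breaks. The namespace name app is a placeholder.

```yaml
# Added example, not from the original page.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: app
spec:
  podSelector: {}          # empty selector: every pod in the namespace
  policyTypes:             # both types listed with no rules = deny all
    - Ingress
    - Egress
---
# Default-deny egress also blocks DNS; allow it back explicitly.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns-egress
  namespace: app
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns   # label on the cluster DNS pods
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

Application traffic is then allowed in the same way, with a podSelector on the workload and an ingress or egress rule naming the peer pods and ports.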

Node Local DNS

Node Local DNS (NodeLocal DNSCache) runs a DNS cache on each node, so pod lookups are answered locally instead of crossing the network to the cluster DNS service.

Features:

  • Local DNS caching
  • Reduced DNS latency
  • Reduced API server load
  • Better performance

Enabling:

# Enable NodeLocal DNSCache; it is a cluster add-on, so it is switched on
# with --update-addons (enabling it on an existing cluster recreates nodes)
gcloud container clusters update my-cluster \
  --zone us-central1-a \
  --update-addons=NodeLocalDNS=ENABLED

Prometheus and Grafana

Monitoring and alerting stack:

# Add Helm repository
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update

# Install Prometheus and Grafana
helm install prometheus prometheus-community/kube-prometheus-stack \
  --namespace monitoring \
  --create-namespace

Calico

Advanced networking and network policy enforcement. Note that GKE's managed Network Policy add-on (above) already uses Calico for enforcement:

# Install Calico
kubectl apply -f https://docs.projectcalico.org/manifests/calico.yaml

External Secrets Operator

Sync secrets from Google Secret Manager:

# Add Helm repository
helm repo add external-secrets https://charts.external-secrets.io
helm repo update

# Install External Secrets Operator
helm install external-secrets external-secrets/external-secrets \
  -n external-secrets-system \
  --create-namespace
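Installing the operator only provides the controller; the sync itself is declared per namespace. As an added example that is not part of the original page, here is a SecretStore that authenticates to Secret Manager through Workload Identity (no JSON key in the cluster) and an ExternalSecret that materialises one secret as a Kubernetes Secret. Placeholders: project my-project, cluster my-cluster in us-central1-a, namespace app, and a Google service account eso-reader that is assumed to hold roles/secretmanager.secretAccessor and to be bound to the Kubernetes service account with roles/iam.workloadIdentityUser.

```yaml
# Added example, not from the original page.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-secrets-sa
  namespace: app
  annotations:                 # Workload Identity: KSA -> GSA mapping
    iam.gke.io/gcp-service-account: eso-reader@my-project.iam.gserviceaccount.com
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: gcp-secret-manager
  namespace: app
spec:
  provider:
    gcpsm:
      projectID: my-project
      auth:
        workloadIdentity:      # token exchange, no stored credentials
          clusterLocation: us-central1-a
          clusterName: my-cluster
          serviceAccountRef:
            name: external-secrets-sa
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: db-credentials
  namespace: app
spec:
  refreshInterval: 1h          # re-read Secret Manager hourly
  secretStoreRef:
    kind: SecretStore
    name: gcp-secret-manager
  target:
    name: db-credentials       # Kubernetes Secret that gets created
    creationPolicy: Owner
  data:
    - secretKey: password      # key inside the Kubernetes Secret
      remoteRef:
        key: prod-db-password  # Secret Manager secret name
        version: latest
```

kubectl get externalsecret -n app shows a SecretSynced condition once the read succeeds; an IAM or binding error appears there rather than in the target Secret.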

Cert-Manager

Automatic TLS certificate management:

# Add Helm repository
helm repo add jetstack https://charts.jetstack.io
helm repo update

# Install cert-manager
helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true

Add-on Management

Installing Add-ons

Using Helm:

# Add Helm repository
helm repo add <repo-name> <repo-url>
helm repo update

# Install add-on
helm install <release-name> <repo-name>/<chart-name> \
  --namespace <namespace> \
  --create-namespace

Using kubectl:

# Apply manifest
kubectl apply -f https://example.com/addon.yaml

Updating Add-ons

Using Helm:

# Update add-on
helm upgrade <release-name> <repo-name>/<chart-name> \
  --namespace <namespace>

Using kubectl:

# Update manifest
kubectl apply -f updated-addon.yaml

Removing Add-ons

Using Helm:

# Uninstall add-on
helm uninstall <release-name> \
  --namespace <namespace>

Using kubectl:

# Delete add-on
kubectl delete -f addon.yaml

Best Practices

  1. Use GKE Managed Add-ons - For core components when possible

  2. Keep Add-ons Updated - Regularly update to latest versions

  3. Test Updates - Test add-on updates in non-production first

  4. Document Customizations - Keep track of configuration changes

  5. Use Workload Identity - For Google Cloud integrations

  6. Monitor Add-on Health - Set up monitoring for add-on components

  7. Version Control - Store add-on configurations in Git

  8. Namespace Isolation - Install add-ons in appropriate namespaces

  9. Resource Limits - Set resource limits for add-on pods

  10. Backup Configurations - Backup add-on configurations before updates

Common Issues

Add-on Installation Fails

Problem: Add-on fails to install

Solutions:

  • Check service account permissions
  • Verify namespace exists
  • Check resource quotas
  • Review Cloud Logging for errors

Add-on Not Working

Problem: Add-on installed but not functioning

Solutions:

  • Check pod status
  • Review add-on logs
  • Verify configuration
  • Check service account permissions
  • Verify network policies

See Also