google/gke-golden-path

Provides GKE golden path configuration defaults, production readiness checklists, and cluster default patterns. Use when designing GKE clusters, verifying GKE production readiness, or checking configurations against GKE defaults. Don't use for setting up node autoscaling specifically (use gke-scaling instead).

v1.0 · Saved Jun 24, 2026

GKE Golden Path Configuration

The golden path is the recommended Autopilot configuration for production clusters. It defines sensible defaults — when the user requests different settings, apply them and note relevant trade-offs.

MCP Tools: get_cluster, create_cluster, update_cluster

Rules

  1. Default to the golden path. Use golden path values unless the user requests otherwise. When deviating, note trade-offs but respect the user's choice.
  2. Day-0 vs Day-1. Flag Day-0 decisions (networking, private nodes, subnets, IP allocation) prominently — they are hard/impossible to change after creation.
  3. Tool preference: MCP > gcloud > kubectl. See the gke-basics skill's CLI reference for full coverage matrix and override options. If the user says "use gcloud" or "use kubectl", respect that for the session.
  4. Document decisions and rationale, especially for Day-0 choices and golden path deviations.

Required Inputs

If the user is unsure, use golden path defaults.

  • Project ID (required)
  • Region (required, e.g., us-central1)
  • Cluster name (required)
  • Environment type: dev/test or production (defaults to production)
  • Networking: bring-your-own VPC/subnet or auto-create (default: auto-create)
  • Scale expectations: expected node/pod count, workload types
  • Cost constraints: Spot VM tolerance, budget considerations

Always-Apply Defaults

Recommended best practices applied by default. If the user requests a different setting, apply it and briefly note the security or operational trade-off.

Setting                                                          | Golden Path Value
autopilot.enabled                                                | true
privateClusterConfig.enablePrivateNodes                          | true
masterAuthorizedNetworksConfig.privateEndpointEnforcementEnabled | true
secretManagerConfig.enabled (rotationInterval: 120s)             | true
rbacBindingConfig.enableInsecureBindingSystemAuthenticated       | false
rbacBindingConfig.enableInsecureBindingSystemUnauthenticated     | false
workloadIdentityConfig.workloadPool                              | enabled (PROJECT_ID.svc.id.goog)
networkConfig.datapathProvider                                   | ADVANCED_DATAPATH
networkConfig.dnsConfig.clusterDns                               | CLOUD_DNS
autoscaling.autoscalingProfile                                   | OPTIMIZE_UTILIZATION
verticalPodAutoscaling.enabled                                   | true
monitoringConfig components                                      | SYSTEM_COMPONENTS, STORAGE, POD, DEPLOYMENT, STATEFULSET, DAEMONSET, HPA, JOBSET, CADVISOR, KUBELET, DCGM, APISERVER, SCHEDULER, CONTROLLER_MANAGER
advancedDatapathObservabilityConfig.enableMetrics                | true
nodeConfig.shieldedInstanceConfig.enableSecureBoot               | true
nodeConfig.workloadMetadataConfig.mode                           | GKE_METADATA
nodeConfig.gcfsConfig.enabled / nodeConfig.gvnic.enabled         | true / true
addonsConfig.statefulHaConfig.enabled                            | true
Storage CSI drivers (Filestore, GCS FUSE, Parallelstore)         | enabled
Pod Security Standards                                           | restricted on production namespaces

Customer-Configurable Settings

These have golden path defaults but customers may deviate with valid justification. Ask before changing.

Setting                                | Default                              | Why Deviate
dnsEndpointConfig.allowExternalTraffic | true                                 | Restrict if the cluster is only accessed from within the VPC
autoIpamConfig / createSubnetwork      | true / true                          | Customer has pre-existing VPC/subnets
maxPodsPerNode                         | 48                                   | 110 for high pod density (costs more CIDR space)
subnetwork                             | auto-created                         | Customer brings existing subnets
Maintenance exclusion windows          | configured (NO_MINOR_UPGRADES, 1yr)  | Customer-specific scheduling
nodeConfig.bootDisk.diskType           | pd-balanced                          | pd-ssd for I/O-intensive workloads, pd-standard for cost
nodeConfig.machineType                 | ek-standard-8 (Autopilot)            | Varies by workload; use ComputeClasses
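The "costs more CIDR space" note on maxPodsPerNode is a Day-0 IP-allocation question, so it is worth putting numbers on it. The following is an added example (not part of the skill or of Google's tooling): it applies GKE's rule of reserving, per node, a pod range twice the node's maximum pod count rounded up to a power of two, and shows how many nodes a cluster-wide pod range can then hold. The /17 range and the 8-256 bounds are assumptions for illustration.

```python
"""Pod CIDR cost of maxPodsPerNode (added example, not from the skill).

GKE reserves for each node a pod range twice the size of maxPodsPerNode,
rounded up to a power of two: 110 pods -> /24, 48 pods -> /25, 32 -> /26.
The cluster pod range is fixed at creation, so size it with this in mind.
"""
import math


def node_pod_prefix(max_pods: int) -> int:
    """Prefix length GKE assigns per node for max_pods pods (2x, rounded up)."""
    # 8-256 is the configurable range assumed here for GKE Standard.
    if not 8 <= max_pods <= 256:
        raise ValueError("maxPodsPerNode must be between 8 and 256")
    return 32 - math.ceil(math.log2(2 * max_pods))


def max_nodes(cluster_pod_prefix: int, max_pods: int) -> int:
    """Nodes a cluster-wide pod range of the given prefix length can hold."""
    per_node = node_pod_prefix(max_pods)
    if cluster_pod_prefix > per_node:
        raise ValueError(f"/{cluster_pod_prefix} is smaller than one node's /{per_node}")
    return 2 ** (per_node - cluster_pod_prefix)


def compare_pod_density(cluster_pod_prefix: int, options=(32, 48, 110)) -> dict:
    """Map each maxPodsPerNode option to (per-node prefix, max node count)."""
    return {p: (node_pod_prefix(p), max_nodes(cluster_pod_prefix, p)) for p in options}


if __name__ == "__main__":
    # Assumed /17 cluster pod range (32768 addresses) for the comparison.
    for pods, (prefix, nodes) in compare_pod_density(17).items():
        print(f"maxPodsPerNode={pods:>3}: /{prefix} per node -> up to {nodes} nodes")
```

Read the output the way the table reads it: moving from the golden path 48 to 110 halves the node count the same pod range can support, which is the cost the "Why Deviate" column alludes to.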

Guardrails

  • Do not request or output secrets (tokens, keys, service account JSON).
  • Discover project/cluster context via MCP tools or gcloud config get-value project — don't ask users to paste project IDs.
  • For Day-0 decisions, always ask clarifying questions before proceeding.
  • For Day-1 features, propose golden path defaults with trade-offs and let the customer confirm.
  • Do not promise zero downtime; advise PDBs, health probes, replicas, and staged upgrades.
  • When auditing existing clusters, compare against golden path and report deviations with severity and remediation.
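The last guardrail (compare an existing cluster against the golden path and report deviations with severity and remediation) and the Always-Apply Defaults table above can be turned into a mechanical check. The script below is an added example, not part of the skill or of Google's tooling: it walks the dotted field paths from the defaults table over a cluster description as returned by the get_cluster MCP tool or gcloud container clusters describe --format=json. The sample cluster is constructed, and the severity ranks and remediation strings (including the gcloud flags named in them) are this example's suggestions to verify against the gcloud reference, not values the skill prescribes. One caveat it encodes: the GKE API omits false and empty fields from describe output, so a missing field where false is the golden path value cannot be distinguished from a permissive default and is reported as UNKNOWN rather than silently passed.

```python
"""Golden path audit of a GKE cluster description (added example, not from
the skill). Input: the Cluster resource as JSON, e.g. from `gcloud container
clusters describe NAME --region REGION --format=json` or the get_cluster MCP
tool. SAMPLE_CLUSTER is constructed; severities and remediation text are this
example's own suggestions, not the skill's."""
import json
import sys
from dataclasses import dataclass
from typing import Any


def has_workload_pool(value: Any) -> bool:
    """True when workloadPool is set to a PROJECT_ID.svc.id.goog pool."""
    return isinstance(value, str) and value.endswith(".svc.id.goog")


# (dotted path, expected value or predicate, severity, remediation);
# paths mirror the Always-Apply Defaults table. Flags are suggestions to verify.
GOLDEN_PATH = [
    ("autopilot.enabled", True, "HIGH", "Golden path is Autopilot (Day-0 decision)."),
    ("privateClusterConfig.enablePrivateNodes", True, "HIGH", "Enable private nodes (Day-0, Rule 2)."),
    ("masterAuthorizedNetworksConfig.privateEndpointEnforcementEnabled", True, "HIGH",
     "Enforce the private control-plane endpoint in masterAuthorizedNetworksConfig."),
    ("secretManagerConfig.enabled", True, "MEDIUM", "Enable the Secret Manager add-on (--enable-secret-manager)."),
    ("rbacBindingConfig.enableInsecureBindingSystemAuthenticated", False, "HIGH",
     "Block bindings to system:authenticated (--no-enable-insecure-binding-system-authenticated)."),
    ("rbacBindingConfig.enableInsecureBindingSystemUnauthenticated", False, "HIGH",
     "Block bindings to system:unauthenticated (--no-enable-insecure-binding-system-unauthenticated)."),
    ("workloadIdentityConfig.workloadPool", has_workload_pool, "HIGH",
     "Enable Workload Identity (--workload-pool=PROJECT_ID.svc.id.goog)."),
    ("networkConfig.datapathProvider", "ADVANCED_DATAPATH", "MEDIUM", "Use Dataplane V2 (creation-time, Day-0)."),
    ("networkConfig.dnsConfig.clusterDns", "CLOUD_DNS", "LOW", "Use Cloud DNS (--cluster-dns=clouddns)."),
    ("autoscaling.autoscalingProfile", "OPTIMIZE_UTILIZATION", "LOW", "--autoscaling-profile=optimize-utilization"),
    ("verticalPodAutoscaling.enabled", True, "LOW", "Enable VPA (--enable-vertical-pod-autoscaling)."),
    ("nodeConfig.shieldedInstanceConfig.enableSecureBoot", True, "MEDIUM", "Node pools: --shielded-secure-boot."),
    ("nodeConfig.workloadMetadataConfig.mode", "GKE_METADATA", "HIGH",
     "Node pools: --workload-metadata=GKE_METADATA so pods cannot read the node SA token."),
]
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


@dataclass
class Finding:
    path: str
    status: str        # "DEVIATION" or "UNKNOWN"
    severity: str
    actual: Any
    expected: Any
    remediation: str


def lookup(resource: dict, path: str) -> Any:
    """Follow a dotted path into the resource; None if any component is absent."""
    cur: Any = resource
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def evaluate(actual: Any, expected: Any) -> str:
    """'ok', 'deviation' or 'unknown'. The API omits false/empty fields, so a
    missing field where True is expected is a deviation, while a missing field
    where False is expected may be an explicit false or a permissive default
    and is reported as unknown for explicit verification."""
    if callable(expected):
        return "ok" if expected(actual) else "deviation"
    if actual is None:
        return "unknown" if expected is False else "deviation"
    return "ok" if actual == expected else "deviation"


def audit(cluster: dict) -> list[Finding]:
    findings = []
    for path, expected, severity, remediation in GOLDEN_PATH:
        actual = lookup(cluster, path)
        status = evaluate(actual, expected)
        if status != "ok":
            shown = "<set>" if callable(expected) else expected
            findings.append(Finding(path, status.upper(), severity, actual, shown, remediation))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.path))   # highest severity first
    return findings


def format_report(findings: list[Finding]) -> str:
    if not findings:
        return "No golden path deviations found."
    return "\n".join(f"{f.severity:<6} {f.status:<9} {f.path}: actual={f.actual!r} "
                     f"expected={f.expected!r}\n       -> {f.remediation}" for f in findings)


# Constructed sample: enforcement flag absent, one insecure binding allowed,
# non-default autoscaling profile; everything else on the golden path.
SAMPLE_CLUSTER = {
    "name": "payments-prod", "autopilot": {"enabled": True},
    "privateClusterConfig": {"enablePrivateNodes": True},
    "masterAuthorizedNetworksConfig": {"enabled": True},
    "secretManagerConfig": {"enabled": True},
    "rbacBindingConfig": {"enableInsecureBindingSystemUnauthenticated": True},
    "workloadIdentityConfig": {"workloadPool": "my-project.svc.id.goog"},
    "networkConfig": {"datapathProvider": "ADVANCED_DATAPATH", "dnsConfig": {"clusterDns": "CLOUD_DNS"}},
    "autoscaling": {"autoscalingProfile": "BALANCED"},
    "verticalPodAutoscaling": {"enabled": True},
    "nodeConfig": {"shieldedInstanceConfig": {"enableSecureBoot": True},
                   "workloadMetadataConfig": {"mode": "GKE_METADATA"}},
}

if __name__ == "__main__":
    target = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_CLUSTER
    print(format_report(audit(target)))
```

Run it with no argument to audit the constructed sample, or pass the path of a saved describe output. On the sample it reports three deviations (missing private-endpoint enforcement, an allowed system:unauthenticated binding, and the BALANCED profile) plus one UNKNOWN for the system:authenticated binding, which is the case a reviewer should confirm by hand rather than assume.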

Golden Path Config

See golden-path-autopilot.yaml for the full cluster-level policy settings.

Files: 2 files · 14.7 KB

Overall Score: 82/100 (Grade B, Good)
Safety: 88 · Quality: 82 · Clarity: 88 · Completeness: 71

Summary

This skill provides GKE golden path configuration defaults and production readiness guidance for Google Kubernetes Engine Autopilot clusters. It prescribes recommended security, networking, and operational settings (e.g., private nodes, workload identity, secret rotation), documents customer-configurable deviations, and guides agents through cluster design decisions with an emphasis on Day-0 irreversible choices.

Detected Capabilities

  • cluster configuration discovery via MCP tools
  • cluster creation and update guidance
  • documentation of architecture decisions
  • security policy defaults and recommendations
  • configuration comparison and deviation auditing

Trigger Keywords

Phrases that MCP clients use to match this skill to user intent.

  • gke cluster design
  • production readiness
  • golden path defaults
  • gke configuration audit
  • kubernetes security defaults
  • autopilot cluster setup
  • gke day-0 decisions

Risk Signals

  • INFO (overall): No security-critical patterns detected. The skill references MCP tools and gcloud but provides guidance only; it does not execute code or shell commands directly.
  • INFO (Guardrails section): Explicitly disclaims requesting or outputting secrets: 'Do not request or output secrets (tokens, keys, service account JSON)'.
  • INFO (MCP Tools and golden-path-autopilot.yaml): References external documentation (gke-basics skill) and a supporting YAML config file but does not execute scripts or download arbitrary code.

Referenced Domains

External domains referenced in skill content, detected by static analysis.

www.apache.org

Use Cases

  • Designing production GKE clusters with secure, operable defaults
  • Verifying existing GKE cluster configurations against golden path recommendations
  • Understanding trade-offs when deviating from GKE best practices
  • Planning cluster networking, security posture, and scalability settings before creation
  • Auditing GKE clusters for production readiness and compliance alignment

Quality Notes

  • Strong clarity and structure: headings clearly delineate rules, required inputs, always-apply defaults, customer-configurable settings, and guardrails
  • Comprehensive golden path defaults table with explicit rationale for each setting, aiding decision-making
  • Thoughtful Day-0 vs Day-1 framing helps users understand which decisions are irreversible and require careful planning
  • Supports multiple tool modalities (MCP > gcloud > kubectl) and explicitly defers to user preferences, enhancing flexibility
  • Well-scoped guardrails explicitly forbid secrets handling and guide interaction patterns
  • Supporting YAML asset is concrete and reference-able, though some fields are marked as 'customer-configurable' without inline guidance for when to deviate
  • Links to external skill (gke-basics) but does not embed that content, potentially requiring users to context-switch
  • Maintenance and upgrade sections are brief; could benefit from more detailed guidance on zero-downtime strategies and staged rollout patterns
Model: claude-haiku-4-5-20251001 · Analyzed: Jun 24, 2026
