---
title: "Set up Anyscale on GKE"
description: "Set up an Anyscale cloud on an existing GKE cluster using the anyscale cloud setup command."
---

# Set up Anyscale on GKE

This page describes how to set up an Anyscale cloud on Google Kubernetes Engine (GKE) using the `anyscale cloud setup` command. This flow creates a working baseline so you can run jobs and services. You can customize networking, node pools, and security after setup.

:::important
The `anyscale cloud setup` CLI flow for Kubernetes is in beta. Anyscale recommends this flow for self-service onboarding. Clouds deployed with this flow are production-ready and eligible for support. All features available for Anyscale on GKE are available whether you use `anyscale cloud setup` or `anyscale cloud register`.

By default, this flow prompts you to install `ingress-nginx`. You can skip this and configure your own ingress or gateway controller. To fully customize the ingress setup, use [`anyscale cloud register`](/admin/cloud/create-gke-cloud.md) and configure your Helm chart manually. See [Anyscale on Kubernetes](/k8s.md).

Contact [Anyscale support](mailto:support@anyscale.com) for configuration and customization help.
:::

## Prerequisites

Before you start, ensure the following:

-   You are an Anyscale organization owner.
-   You have an existing GKE cluster with Workload Identity enabled. The cloud setup command uses this to bind a Google Cloud service account to the Anyscale operator's Kubernetes service account. To create a cluster, see [Create a zonal GKE cluster](https://cloud.google.com/kubernetes-engine/docs/how-to/creating-a-zonal-cluster) in the Google Cloud docs or use the [Anyscale Terraform module for GKE](https://github.com/anyscale/terraform-kubernetes-anyscale-foundation-modules/tree/main/examples/gcp/gke-new_cluster). To enable Workload Identity on an existing cluster, see [Use Workload Identity Federation for GKE](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) in the Google Cloud docs.
-   You have sufficient Google Cloud permissions to create GCS buckets, service accounts, and IAM bindings in your project.
-   The Anyscale CLI is installed with Google Cloud support: `pip install -U "anyscale[gcp]"`. Run `anyscale login` to authenticate.
-   The following CLI tools are installed: `gcloud`, `gsutil`, `kubectl`, `helm`. Run `gcloud auth login` and `gcloud auth application-default login` to authenticate.

## Cluster and cloud details

Enter the following values. You'll use them when connecting with `kubectl` and running cloud setup.

-   Google Cloud project ID: `my-project`
-   Google Cloud region: `us-central1`
-   GKE cluster name: `my-gke-cluster`
-   Anyscale cloud name: `my-gke-cloud`

## Connect to your GKE cluster

Configure `kubectl` to use your cluster:

```bash
gcloud container clusters get-credentials <cluster-name> --region <region> --project <project-id>
```

Verify the connection:

```bash
kubectl get nodes
```

## Run cloud setup

Run the cloud setup command:

```bash
anyscale cloud setup \
  --stack k8s \
  --cluster-name <cluster-name> \
  --project-id <project-id> \
  --functional-verify
```

The CLI prompts you for additional values to complete your cloud setup.

-   The `--functional-verify` flag runs a post-setup check to confirm the cloud can run a workload.

When prompted for a namespace, press Enter to use the default `anyscale-operator` or type a different namespace. Anyscale recommends a dedicated namespace per Anyscale cloud. See [Anyscale on Kubernetes](/k8s.md).

## What the CLI does

The CLI runs the following steps:

1.  **Discovery**: Validates the GKE cluster, retrieves cluster details and availability zones, and configures your kubeconfig.
2.  **Google Cloud resource creation**: Creates a GCS bucket for workload storage and a service account for the Anyscale operator. The CLI sets up a Workload Identity binding so the operator's Kubernetes service account can impersonate the Google Cloud service account, and grants the service account storage access to the bucket.
3.  **Cloud registration**: Registers the Anyscale cloud with the control plane using the new bucket and service account.
4.  **Operator install**: Generates a Helm values file and installs the Anyscale operator in your chosen namespace. The CLI prompts you to install `ingress-nginx` as the ingress controller for dashboards and Anyscale services. You can skip this step and configure your own ingress controller.
5.  **Verification**: If you used `--functional-verify`, runs a check to confirm the cloud is usable.

:::warning
If setup fails, the CLI doesn't automatically remove resources created in earlier steps. For troubleshooting and cleanup steps, contact [Anyscale support](mailto:support@anyscale.com) and provide the CLI output. You need sufficient Google Cloud permissions to clean up or retry.
:::
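
After setup, you can review who is able to act as the service account created in step 2. The following is an added example, not Anyscale's code: it audits the JSON printed by `gcloud iam service-accounts get-iam-policy <service-account-email> --format=json` and reports any principal other than the operator's Kubernetes service account that holds an impersonation role. The Kubernetes service account name `example-operator-sa` and the sample policy are constructed placeholders; substitute the values from your cluster.

```python
import json

# Roles that let a principal act as the Google Cloud service account.
IMPERSONATION_ROLES = {
    "roles/iam.workloadIdentityUser",
    "roles/iam.serviceAccountTokenCreator",
    "roles/iam.serviceAccountUser",
}

def expected_member(project_id, namespace, ksa_name):
    """Workload Identity principal for one Kubernetes service account."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"

def audit_policy(policy, project_id, namespace, ksa_name):
    """Return findings for a service-account IAM policy (parsed JSON dict)."""
    want = expected_member(project_id, namespace, ksa_name)
    findings, bound = [], False
    for binding in policy.get("bindings", []):
        role = binding.get("role")
        if role not in IMPERSONATION_ROLES:
            continue
        for member in binding.get("members", []):
            if member == want and role == "roles/iam.workloadIdentityUser":
                bound = True  # the one binding the setup flow is expected to create
            elif member in ("allUsers", "allAuthenticatedUsers"):
                findings.append(f"PUBLIC: {member} holds {role}")
            else:
                findings.append(f"UNEXPECTED: {member} holds {role}")
    if not bound:
        findings.append(f"MISSING: {want} lacks roles/iam.workloadIdentityUser")
    return findings

# Constructed sample policy: one expected binding plus two that need review.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/iam.workloadIdentityUser",
   "members": [
     "serviceAccount:my-project.svc.id.goog[anyscale-operator/example-operator-sa]",
     "serviceAccount:my-project.svc.id.goog[default/default]"]},
  {"role": "roles/iam.serviceAccountTokenCreator",
   "members": ["user:dev@example.com"]}
], "version": 1}
""")

if __name__ == "__main__":
    for line in audit_policy(SAMPLE_POLICY, "my-project",
                             "anyscale-operator", "example-operator-sa"):
        print(line)
```

An empty result means the only principal that can impersonate the service account is the operator's Kubernetes service account in the namespace you chose.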

## Verify your cloud

If you didn't use `--functional-verify`, verify the cloud manually:

```bash
anyscale cloud verify --name <cloud-name>
```

You can also submit a small job to confirm the cloud works:

```bash
anyscale job submit --cloud <cloud-name> --working-dir https://github.com/anyscale/docs_examples/archive/refs/heads/main.zip -- python hello_world.py
```

## Next steps

-   **Customize the operator**: See [Configure the Helm chart for the Anyscale operator](/k8s/configure-helm.md).
-   **Manage IAM permissions**: See [Configure service accounts for clusters on Anyscale on GKE](/iam/gke.md).
-   **Access GCS buckets from workloads**: See [Access Google Cloud Storage buckets](/storage/gcs.md).
-   **Use Google Secret Manager**: See [Configure access to Google Secret Manager](/secrets/google-cloud.md).
