Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

googlecloudplatform/gke-networking-edge

Name: gke-networking-edge
Author: googlecloudplatform

skills/gke-networking-edge/SKILL.md

npx skillsauth add googlecloudplatform/gke-mcp gke-networking-edge

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

GKE Networking Edge Skill

This skill provides workflows for exposing applications running on GKE securely to the internet or internal networks.

Workflows

1. Configure Gateway API (Recommended)

The Gateway API is the modern way to manage routing in Kubernetes.

Prerequisites: Gateway API must be enabled on the cluster (enabled by default in GKE 1.24+).

Example Gateway Manifest:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: my-namespace
spec:
  gatewayClassName: gke-l7-global-external-managed # GKE managed external L7 load balancer
  listeners:
    - name: http
      protocol: HTTP
      port: 80

Example HTTPRoute Manifest:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: my-route
  namespace: my-namespace
spec:
  parentRefs:
    - name: my-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: my-service
          port: 80

2. Configure Standard GKE Ingress

Use standard Ingress for simpler use cases or legacy setups.

Example Ingress Manifest:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  namespace: my-namespace
  annotations:
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80

3. Secure with Cloud Armor

Cloud Armor provides WAF and DDoS protection.

Enable Cloud Armor via BackendConfig:

Create a Security Policy in Cloud Armor (usually via gcloud or Terraform).
Reference it in a BackendConfig in GKE.

Example BackendConfig:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backend-config
  namespace: my-namespace
spec:
  securityPolicy:
    name: my-cloud-armor-policy

Associate BackendConfig with your Service via annotations.

4. Configure Google-Managed SSL Certificates

Automatically provision and renew SSL certificates.

Example ManagedCertificate (Legacy Ingress):

apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: my-certificate
spec:
  domains:
    - example.com

Reference it in Ingress annotations: networking.gke.io/managed-certificates: my-certificate.

Gateway API Approach: Use the gateway.networking.k8s.io API with certificate management integration.

5. Enable Container-Native Load Balancing (Recommended)

Container-native load balancing allows load balancers to target Kubernetes Pods directly, rather than targeting nodes. This improves latency and distribution.

Prerequisites: Cluster must be VPC-native.

How it works:

For GKE Ingress and Gateway API, container-native load balancing is enabled by default via Network Endpoint Groups (NEGs).
To verify or explicitly enable it for a Service, use the cloud.google.com/neg annotation.

Example Service Manifest:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  annotations:
    cloud.google.com/neg: '{"ingress": true}' # Enabled for Ingress
spec:
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
  selector:
    app: my-app
  type: ClusterIP

6. Configure Private Service Connect (PSC)

Private Service Connect allows you to expose services in one VPC to consumers in another VPC securely, without VPC peering.

Steps:

Create an internal load balancer for your service.
Create a ServiceAttachment referencing the load balancer.

Example ServiceAttachment Manifest:

apiVersion: networking.gke.io/v1
kind: ServiceAttachment
metadata:
  name: my-psc-attachment
  namespace: my-namespace
spec:
  connectionPreference: ACCEPT_AUTOMATIC
  natSubnets:
    - my-psc-nat-subnet # Subnet dedicated for PSC NAT
  targetService:
    name: my-service
    namespace: my-namespace

Share the ServiceAttachment URI with consumers to create a PSC endpoint in their VPC.

Best Practices

Prefer Gateway API: It offers more flexibility and role separation than Ingress.
Enable Cloud Armor: Always protect public-facing endpoints with Cloud Armor.
Use Managed Certificates: Avoid managing certificate renewals manually.
Use Container-Native Load Balancing: Always use NEGs for HTTP(S) load balancing to reduce latency and improve traffic distribution.

googlecloudplatform/gke-networking-edge

skills/gke-networking-edge/SKILL.md

Workflows for configuring edge networking, ingress, and security on GKE.

141 stars

testing

Updated Apr 18, 2026

$ install --global

skillsauth

npx skillsauth add googlecloudplatform/gke-mcp gke-networking-edge

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 18, 2026, 7:36 AM34.7s1 file scanned

SKILL.md

name:: gke-networking-edge
description:: Workflows for configuring edge networking, ingress, and security on GKE.

GKE Networking Edge Skill

This skill provides workflows for exposing applications running on GKE securely to the internet or internal networks.

Workflows

1. Configure Gateway API (Recommended)

The Gateway API is the modern way to manage routing in Kubernetes.

Prerequisites: Gateway API must be enabled on the cluster (enabled by default in GKE 1.24+).

Example Gateway Manifest:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
  namespace: my-namespace
spec:
  gatewayClassName: gke-l7-global-external-managed # GKE managed external L7 load balancer
  listeners:
    - name: http
      protocol: HTTP
      port: 80

Example HTTPRoute Manifest:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: my-route
  namespace: my-namespace
spec:
  parentRefs:
    - name: my-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: my-service
          port: 80

2. Configure Standard GKE Ingress

Use standard Ingress for simpler use cases or legacy setups.

Example Ingress Manifest:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  namespace: my-namespace
  annotations:
    kubernetes.io/ingress.class: "gce"
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80

3. Secure with Cloud Armor

Cloud Armor provides WAF and DDoS protection.

Enable Cloud Armor via BackendConfig:

Create a Security Policy in Cloud Armor (usually via gcloud or Terraform).
Reference it in a BackendConfig in GKE.

Example BackendConfig:

apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: my-backend-config
  namespace: my-namespace
spec:
  securityPolicy:
    name: my-cloud-armor-policy

Associate BackendConfig with your Service via annotations.

4. Configure Google-Managed SSL Certificates

Automatically provision and renew SSL certificates.

Example ManagedCertificate (Legacy Ingress):

apiVersion: networking.gke.io/v1
kind: ManagedCertificate
metadata:
  name: my-certificate
spec:
  domains:
    - example.com

Reference it in Ingress annotations: networking.gke.io/managed-certificates: my-certificate.

Gateway API Approach: Use the gateway.networking.k8s.io API with certificate management integration.

5. Enable Container-Native Load Balancing (Recommended)

Container-native load balancing allows load balancers to target Kubernetes Pods directly, rather than targeting nodes. This improves latency and distribution.

Prerequisites: Cluster must be VPC-native.

How it works:

For GKE Ingress and Gateway API, container-native load balancing is enabled by default via Network Endpoint Groups (NEGs).
To verify or explicitly enable it for a Service, use the cloud.google.com/neg annotation.

Example Service Manifest:

apiVersion: v1
kind: Service
metadata:
  name: my-service
  annotations:
    cloud.google.com/neg: '{"ingress": true}' # Enabled for Ingress
spec:
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
  selector:
    app: my-app
  type: ClusterIP

6. Configure Private Service Connect (PSC)

Private Service Connect allows you to expose services in one VPC to consumers in another VPC securely, without VPC peering.

Steps:

Create an internal load balancer for your service.
Create a ServiceAttachment referencing the load balancer.

Example ServiceAttachment Manifest:

apiVersion: networking.gke.io/v1
kind: ServiceAttachment
metadata:
  name: my-psc-attachment
  namespace: my-namespace
spec:
  connectionPreference: ACCEPT_AUTOMATIC
  natSubnets:
    - my-psc-nat-subnet # Subnet dedicated for PSC NAT
  targetService:
    name: my-service
    namespace: my-namespace

Share the ServiceAttachment URI with consumers to create a PSC endpoint in their VPC.

Best Practices

Prefer Gateway API: It offers more flexibility and role separation than Ingress.
Enable Cloud Armor: Always protect public-facing endpoints with Cloud Armor.
Use Managed Certificates: Avoid managing certificate renewals manually.
Use Container-Native Load Balancing: Always use NEGs for HTTP(S) load balancing to reduce latency and improve traffic distribution.

Related Skills

googlecloudplatform/gke-ai-troubleshooting-jobset-interruption

data-ai

VerifiedTrustedCommunity

Systematically diagnose GKE JobSet interruptions, restarts, and preemptions for AI/ML training workloads. Identifies preemption events, maintenance interruptions, bad host VMs, unhealthy pods, and coordinator worker failures.

158SKILL.mdUpdated Jun 4, 2026

googlecloudplatform/gke-ai-troubleshooting-jobset-interruption

googlecloudplatform/gke-ai-troubleshooting-tpu-connection-failure-vbar-oom

development

VerifiedTrustedCommunity

Diagnose and prevent `vbar_control_agent` segfaults and OOMs caused by race conditions during TPU device resets and frequent metrics collection (e.g. every 3s). Use when TPU slice initialization fails or `vbar_control_agent` crashes on TPU v6e nodes.

148SKILL.mdUpdated May 5, 2026

googlecloudplatform/gke-ai-troubleshooting-tpu-connection-failure-vbar-oom

googlecloudplatform/gke-ai-troubleshooting-skill-creation-guide

development

VerifiedTrustedCommunity

Expert instructions for building high-quality GKE troubleshooting skills. Codifies Step 0 context rules, zero-hallucination signatures, and explicit LQL/PromQL query requirements.

148SKILL.mdUpdated May 2, 2026

googlecloudplatform/gke-ai-troubleshooting-skill-creation-guide

googlecloudplatform/gke-productionize

tools

VerifiedTrustedCommunity

Assists in preparing applications and clusters on GKE for production.

148SKILL.mdUpdated Apr 18, 2026

googlecloudplatform/gke-productionize

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/googlecloudplatform/gke-mcp.git

# Copy into Claude Code skills folder (global)
cp -r gke-mcp/skills/gke-networking-edge ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

googlecloudplatform/gke-mcp

141 stars

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT