fix: Default to ClusterIP so GKE deployment isn't publicly exposed by default

sasha-gitg · copybara-github · commit f7359e3fd40e · 2026-03-26T13:43:21.000-07:00
Co-authored-by: Sasha Sobran &lt;asobran@google.com&gt;
PiperOrigin-RevId: 890025323
diff --git a/src/google/adk/cli/cli_deploy.py b/src/google/adk/cli/cli_deploy.py
@@ -22,6 +22,7 @@
 import sys
 import traceback
 from typing import Final
+from typing import Literal
 from typing import Optional
 import warnings
 
@@ -1170,6 +1171,9 @@ def to_gke(
     memory_service_uri: Optional[str] = None,
     use_local_storage: bool = False,
     a2a: bool = False,
+    service_type: Literal[
+        'ClusterIP', 'NodePort', 'LoadBalancer'
+    ] = 'ClusterIP',
 ):
   """Deploys an agent to Google Kubernetes Engine(GKE).
 
@@ -1197,6 +1201,7 @@ def to_gke(
     artifact_service_uri: The URI of the artifact service.
     memory_service_uri: The URI of the memory service.
     use_local_storage: Whether to use local .adk storage in the container.
+    service_type: The Kubernetes Service type (default: ClusterIP).
   """
   click.secho(
       '\n🚀 Starting ADK Agent Deployment to GKE...', fg='cyan', bold=True
@@ -1334,7 +1339,7 @@ def to_gke(
 metadata:
   name: {service_name}
 spec:
-  type: LoadBalancer
+  type: {service_type}
   selector:
     app: {service_name}
   ports:
@@ -1388,3 +1393,11 @@ def to_gke(
   click.secho(
       '\n🎉 Deployment to GKE finished successfully!', fg='cyan', bold=True
   )
+  if service_type == 'ClusterIP':
+    click.echo(
+        '\nThe service is only reachable from within the cluster.'
+        ' To access it locally, run:'
+        f'\n  kubectl port-forward svc/{service_name} {port}:{port}'
+        '\n\nTo expose the service externally, add a Gateway or'
+        ' re-deploy with --service_type=LoadBalancer.'
+    )
diff --git a/src/google/adk/cli/cli_tools_click.py b/src/google/adk/cli/cli_tools_click.py
@@ -2238,6 +2238,17 @@ def cli_deploy_agent_engine(
     default="INFO",
     help="Optional. Set the logging level",
 )
+@click.option(
+    "--service_type",
+    type=click.Choice(["ClusterIP", "LoadBalancer"], case_sensitive=True),
+    default="ClusterIP",
+    show_default=True,
+    help=(
+        "Optional. The Kubernetes Service type for the deployed agent."
+        " ClusterIP (default) keeps the service cluster-internal;"
+        " use LoadBalancer to expose a public IP."
+    ),
+)
 @click.option(
     "--temp_folder",
     type=str,
@@ -2281,6 +2292,7 @@ def cli_deploy_gke(
     otel_to_cloud: bool,
     with_ui: bool,
     adk_version: str,
+    service_type: str,
     log_level: Optional[str] = None,
     session_service_uri: Optional[str] = None,
     artifact_service_uri: Optional[str] = None,
@@ -2312,6 +2324,7 @@ def cli_deploy_gke(
         with_ui=with_ui,
         log_level=log_level,
         adk_version=adk_version,
+        service_type=service_type,
         session_service_uri=session_service_uri,
         artifact_service_uri=artifact_service_uri,
         memory_service_uri=memory_service_uri,
diff --git a/tests/unittests/cli/utils/test_cli_deploy.py b/tests/unittests/cli/utils/test_cli_deploy.py
@@ -508,7 +508,7 @@ def mock_subprocess_run(*args, **kwargs):
   assert "image: gcr.io/gke-proj/gke-svc" in yaml_content
   assert f"containerPort: 9090" in yaml_content
   assert f"targetPort: 9090" in yaml_content
-  assert "type: LoadBalancer" in yaml_content
+  assert "type: ClusterIP" in yaml_content
 
   # 4. Verify cleanup
   assert str(rmtree_recorder.get_last_call_args()[0]) == str(tmp_path)
