diff --git a/modules/bastion/startup.sh b/modules/bastion/startup.sh
index b741919..dc2bf36 100644
--- a/modules/bastion/startup.sh
+++ b/modules/bastion/startup.sh
@@ -15,5 +15,15 @@ chmod 700 get_helm.sh
 ./get_helm.sh
 helm version
 
+sudo apt-get update -y
+sudo apt-get install apt-transport-https ca-certificates gnupg curl sudo -y
+curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo gpg --dearmor -o /usr/share/keyrings/cloud.google.gpg
+echo \
+  "deb [signed-by=/usr/share/keyrings/cloud.google.gpg] https://packages.cloud.google.com/apt cloud-sdk main" |
+  sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
+sudo apt-get update
+sudo apt-get install google-cloud-cli -y
+sudo apt-get install google-cloud-sdk-gke-gcloud-auth-plugin -y
+
 sudo apt-get update -y
 sudo apt-get install tinyproxy -y
diff --git a/modules/k8s/main.tf b/modules/k8s/main.tf
index 2b763f2..73be394 100644
--- a/modules/k8s/main.tf
+++ b/modules/k8s/main.tf
@@ -16,6 +16,7 @@ resource "google_project_iam_binding" "gke_sa_admin" {
 resource "google_container_cluster" "pwncorp_cluster" {
   name                = "pwncorp-cluster"
   location            = var.region
+  node_locations      = var.node_zones
   deletion_protection = false
   # We can't create a cluster with no node pool defined, but we want to only use
   # separately managed node pools. So we create the smallest possible default