diff --git a/main.tf b/main.tf
index fca170d..cd6b3dc 100644
--- a/main.tf
+++ b/main.tf
@@ -121,12 +121,29 @@ resource "google_project_service" "container" {
 disable_dependent_services = true
 }
 
+resource "google_project_service" "containerregistry" {
+ project = var.project
+ service = "containerregistry.googleapis.com"
+ disable_dependent_services = true
+}
+
 resource "google_service_account" "gke" {
 project = var.project
 account_id = "gke-service-account"
 display_name = "GKE Service Account"
 }
 
+# Allow GKE to access custom docker images in GCR
+resource "google_storage_bucket_iam_member" "gke_gcr" {
+ bucket = "artifacts.${google_service_account.gke.project}.appspot.com"
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${google_service_account.gke.email}"
+
+ depends_on = [
+ google_project_service.containerregistry
+ ]
+}
+
 resource "google_container_cluster" "primary" {
 project = var.project
 name = "gke-cluster"
@@ -135,6 +152,7 @@ resource "google_container_cluster" "primary" {
 remove_default_node_pool = true
 initial_node_count = 1
 enable_shielded_nodes = true
+ min_master_version = "1.19.10-gke.1000"
 
 database_encryption {
 state = "ENCRYPTED"
@@ -160,6 +178,15 @@ resource "google_container_cluster" "primary" {
 password = ""
 }
 
+ ip_allocation_policy {
+ cluster_ipv4_cidr_block = "10.1.0.0/16"
+ services_ipv4_cidr_block = "10.2.0.0/20"
+ }
+
+ lifecycle {
+ prevent_destroy = true
+ }
+
 depends_on = [
 google_project_service.container,
 google_kms_key_ring_iam_policy.gke_db
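Review bot: The `google_storage_bucket_iam_member.gke_gcr` binding in the first hunk targets `artifacts.${project}.appspot.com`, but Container Registry only creates that bucket on the first image push to gcr.io, so on a fresh project the apply fails on a missing bucket, and the `depends_on` on `google_project_service.containerregistry` does not cover that ordering; regional hosts (eu.gcr.io, us.gcr.io) also back onto differently named buckets, so the binding is gcr.io-only. The grant itself is the right shape — `roles/storage.objectViewer` on the registry bucket to the GKE node service account is pull-only — but the comment should state the precondition rather than just the intent, e.g. `# Read-only image pull for the GKE node SA on the gcr.io backing bucket. The bucket only exists after the first push to gcr.io; apply after that push or create it explicitly.`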
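Review bot: `min_master_version = "1.19.10-gke.1000"` in the second hunk pins one patch release as a bare literal with no comment on why that build; the attribute is only a floor, so GKE may start the control plane on a newer patch, and if a `release_channel` is set elsewhere in this resource the channel keeps upgrading the cluster regardless of the pin (the resource body begins and ends outside the hunk, so I cannot see whether one is set). A fixed patch string also ages out of the supported version window and is then rejected at create time, and until someone bumps it the floor documents nothing about patch currency. Suggest lifting it to a variable with a short why-comment, e.g. `min_master_version = var.gke_min_master_version # floor only; keep inside the currently supported GKE window` (variable name is a suggestion).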
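Review bot: In the third hunk, adding `ip_allocation_policy` to an existing cluster is, as far as I know, a replace-on-change attribute in the google provider, and the `lifecycle { prevent_destroy = true }` added in the same hunk will make `terraform apply` refuse exactly that replacement; if `google_container_cluster.primary` already exists, either land `prevent_destroy` in a follow-up after the VPC-native migration or expect a manual cut-over. The pod and service ranges `10.1.0.0/16` and `10.2.0.0/20` are hard-coded and carry an invisible constraint — they must not overlap the node subnet or any peered or VPN-reachable range — so they belong in variables, or at minimum behind a comment such as `# Secondary ranges for pods/services; must not overlap the node subnet or peered networks.` The enclosing resource block starts outside the hunk.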