gcloud container clusters create

NAME
gcloud container clusters create - create a cluster for running containers
SYNOPSIS
gcloud container clusters createNAME[--accelerator=[type=TYPE,[count=COUNT,gpu-driver-version=GPU_DRIVER_VERSION,gpu-partition-size=GPU_PARTITION_SIZE,gpu-sharing-strategy=GPU_SHARING_STRATEGY,max-shared-clients-per-gpu=MAX_SHARED_CLIENTS_PER_GPU],…]][--additional-zones=ZONE,[ZONE,…]][--addons=[ADDON[=ENABLED|DISABLED],…]][--alpha-cluster-feature-gates=[FEATURE=true|false,…]][--anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG][--async][--auto-monitoring-scope=AUTO_MONITORING_SCOPE][--autopilot-workload-policies=WORKLOAD_POLICIES][--autoprovisioning-enable-insecure-kubelet-readonly-port][--autoprovisioning-network-tags=TAGS,[TAGS,…]][--autoprovisioning-resource-manager-tags=[KEY=VALUE,…]][--autoscaling-profile=AUTOSCALING_PROFILE][--boot-disk-kms-key=BOOT_DISK_KMS_KEY][--cloud-run-config=[load-balancer-type=EXTERNAL,…]][--cluster-ipv4-cidr=CLUSTER_IPV4_CIDR][--cluster-secondary-range-name=NAME][--cluster-version=CLUSTER_VERSION][--confidential-node-type=CONFIDENTIAL_NODE_TYPE][--containerd-config-from-file=PATH_TO_FILE][--create-subnetwork=[KEY=VALUE,…]][--data-cache-count=DATA_CACHE_COUNT][--database-encryption-key=DATABASE_ENCRYPTION_KEY][--default-max-pods-per-node=DEFAULT_MAX_PODS_PER_NODE][--disable-default-snat][--disable-l4-lb-firewall-reconciliation][--disk-size=DISK_SIZE][--disk-type=DISK_TYPE][--enable-authorized-networks-on-private-endpoint][--enable-auto-ipam][--enable-autorepair][--no-enable-autoupgrade][--enable-cilium-clusterwide-network-policy][--enable-cloud-logging][--enable-cloud-monitoring][--enable-cloud-run-alpha][--enable-confidential-nodes][--enable-confidential-storage][--enable-cost-allocation][--enable-dataplane-v2][--enable-default-compute-class][--enable-dns-access][--enable-fleet][--enable-fqdn-network-policy][--enable-google-cloud-access][--enable-gvnic][--enable-identity-service][--enable-image-streaming][--enable-insecure-kubelet-readonly-port][--enable-intra-node-visibility][--enable-ip-access][--enable-ip-alias][--ena
ble-k8s-certs-via-dns][--enable-k8s-tokens-via-dns][--enable-kernel-module-signature-enforcement][--enable-kubernetes-alpha][--enable-kubernetes-unstable-apis=API,[API,…]][--enable-l4-ilb-subsetting][--enable-legacy-authorization][--enable-legacy-lustre-port][--enable-managed-prometheus][--enable-master-global-access][--enable-multi-networking][--enable-nested-virtualization][--enable-network-policy][--enable-ray-cluster-logging][--enable-ray-cluster-monitoring][--enable-service-externalips][--enable-shielded-nodes][--enable-stackdriver-kubernetes][--enable-vertical-pod-autoscaling][--fleet-project=PROJECT_ID_OR_NUMBER][--gateway-api=GATEWAY_API][--hpa-profile=HPA_PROFILE][--image-type=IMAGE_TYPE][--in-transit-encryption=IN_TRANSIT_ENCRYPTION][--ipv6-access-type=IPV6_ACCESS_TYPE][--issue-client-certificate][--labels=[KEY=VALUE,…]][--logging=[COMPONENT,…]][--logging-variant=LOGGING_VARIANT][--machine-type=MACHINE_TYPE,-mMACHINE_TYPE][--max-nodes-per-pool=MAX_NODES_PER_POOL][--max-pods-per-node=MAX_PODS_PER_NODE][--max-surge-upgrade=MAX_SURGE_UPGRADE; default=1][--max-unavailable-upgrade=MAX_UNAVAILABLE_UPGRADE][--membership-type=MEMBERSHIP_TYPE][--metadata=KEY=VALUE,[KEY=VALUE,…]][--metadata-from-file=KEY=LOCAL_FILE_PATH,[…]][--min-cpu-platform=PLATFORM][--monitoring=[COMPONENT,…]][--network=NETWORK][--network-performance-configs=[PROPERTY1=VALUE1,…]][--node-labels=[NODE_LABEL,…]][--node-locations=ZONE,[ZONE,…]][--node-taints=[NODE_TAINT,…]][--node-version=NODE_VERSION][--notification-config=[pubsub=ENABLED|DISABLED,pubsub-topic=TOPIC,…]][--num-nodes=NUM_NODES; 
default=3][--patch-update=[PATCH_UPDATE]][--performance-monitoring-unit=PERFORMANCE_MONITORING_UNIT][--placement-policy=PLACEMENT_POLICY][--placement-type=PLACEMENT_TYPE][--preemptible][--private-endpoint-subnetwork=NAME][--private-ipv6-google-access-type=PRIVATE_IPV6_GOOGLE_ACCESS_TYPE][--release-channel=CHANNEL][--resource-manager-tags=[KEY=VALUE,…]][--security-group=SECURITY_GROUP][--security-posture=SECURITY_POSTURE][--services-ipv4-cidr=CIDR][--services-secondary-range-name=NAME][--shielded-integrity-monitoring][--shielded-secure-boot][--spot][--stack-type=STACK_TYPE][--storage-pools=STORAGE_POOL,[…]][--subnetwork=SUBNETWORK][--system-config-from-file=PATH_TO_FILE][--tags=TAG,[TAG,…]][--threads-per-core=THREADS_PER_CORE][--tier=TIER][--workload-metadata=WORKLOAD_METADATA][--workload-pool=WORKLOAD_POOL][--workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING][--aggregation-ca=CA_POOL_PATH--cluster-ca=CA_POOL_PATH--control-plane-disk-encryption-key=KEY--etcd-api-ca=CA_POOL_PATH--etcd-peer-ca=CA_POOL_PATH--gkeops-etcd-backup-encryption-key=KEY--service-account-signing-keys=KEY_VERSION,[KEY_VERSION,…]--service-account-verification-keys=KEY_VERSION,[KEY_VERSION,…]][--binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE    |--enable-binauthz][--boot-disk-provisioned-iops=BOOT_DISK_PROVISIONED_IOPS--boot-disk-provisioned-throughput=BOOT_DISK_PROVISIONED_THROUGHPUT][--cluster-dns=CLUSTER_DNS--cluster-dns-domain=CLUSTER_DNS_DOMAIN--cluster-dns-scope=CLUSTER_DNS_SCOPE--additive-vpc-scope-dns-domain=ADDITIVE_VPC_SCOPE_DNS_DOMAIN    |--disable-additive-vpc-scope][--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE    |--disable-dataplane-v2-flow-observability    |--enable-dataplane-v2-flow-observability][--disable-dataplane-v2-metrics    |--enable-dataplane-v2-metrics][[--enable-autoprovisioning :--autoprovisioning-config-file=PATH_TO_FILE | [--max-cpu=MAX_CPU--max-memory=MAX_MEMORY 
:--autoprovisioning-image-type=AUTOPROVISIONING_IMAGE_TYPE--autoprovisioning-locations=ZONE,[ZONE,…]--autoprovisioning-min-cpu-platform=PLATFORM--min-cpu=MIN_CPU--min-memory=MIN_MEMORY--autoprovisioning-max-surge-upgrade=AUTOPROVISIONING_MAX_SURGE_UPGRADE--autoprovisioning-max-unavailable-upgrade=AUTOPROVISIONING_MAX_UNAVAILABLE_UPGRADE--autoprovisioning-node-pool-soak-duration=AUTOPROVISIONING_NODE_POOL_SOAK_DURATION--autoprovisioning-standard-rollout-policy=[batch-node-count=BATCH_NODE_COUNT,batch-percent=BATCH_NODE_PERCENTAGE,batch-soak-duration=BATCH_SOAK_DURATION,…]--enable-autoprovisioning-blue-green-upgrade |--enable-autoprovisioning-surge-upgrade--autoprovisioning-scopes=[SCOPE,…]--autoprovisioning-service-account=AUTOPROVISIONING_SERVICE_ACCOUNT--enable-autoprovisioning-autorepair--enable-autoprovisioning-autoupgrade [--max-accelerator=[type=TYPE,count=COUNT,…] :--min-accelerator=[type=TYPE,count=COUNT,…]]]]][--enable-autoscaling--location-policy=LOCATION_POLICY--max-nodes=MAX_NODES--min-nodes=MIN_NODES--total-max-nodes=TOTAL_MAX_NODES--total-min-nodes=TOTAL_MIN_NODES][--enable-insecure-binding-system-authenticated--enable-insecure-binding-system-unauthenticated][--enable-master-authorized-networks--master-authorized-networks=NETWORK,[NETWORK,…]][--enable-network-egress-metering--enable-resource-consumption-metering--resource-usage-bigquery-dataset=RESOURCE_USAGE_BIGQUERY_DATASET][--enable-private-endpoint--enable-private-nodes--master-ipv4-cidr=MASTER_IPV4_CIDR][--enable-secret-manager--enable-secret-manager-rotation--secret-manager-rotation-interval=SECRET_MANAGER_ROTATION_INTERVAL][--ephemeral-storage-local-ssd[=[count=COUNT]]    |--local-nvme-ssd-block[=[count=COUNT]]    |--local-ssd-count=LOCAL_SSD_COUNT][--location=LOCATION    |--region=REGION    |--zone=ZONE,-zZONE][--maintenance-window=START_TIME    |--maintenance-window-end=TIME_STAMP--maintenance-window-recurrence=RRULE--maintenance-window-start=TIME_STAMP][--password=PASSWORD--enable-basic-auth  
  |--username=USERNAME,-uUSERNAME][--reservation=RESERVATION--reservation-affinity=RESERVATION_AFFINITY][--scopes=[SCOPE,…]; default="gke-default"--service-account=SERVICE_ACCOUNT][GCLOUD_WIDE_FLAG]
DESCRIPTION
Create a cluster for running containers.
EXAMPLES
To create a cluster with the default configuration, run:
gcloud container clusters create sample-cluster
POSITIONAL ARGUMENTS
NAME
The name of the cluster to create.

The name may contain only lowercase alphanumerics and '-', must start with a letter and end with an alphanumeric, and must be no longer than 40 characters.

FLAGS
--accelerator=[type=TYPE,[count=COUNT,gpu-driver-version=GPU_DRIVER_VERSION,gpu-partition-size=GPU_PARTITION_SIZE,gpu-sharing-strategy=GPU_SHARING_STRATEGY,max-shared-clients-per-gpu=MAX_SHARED_CLIENTS_PER_GPU],…]
Attaches accelerators (e.g. GPUs) to all nodes.
type
(Required) The specific type (e.g. nvidia-tesla-t4 for NVIDIA T4) of accelerator to attach to the instances. Use gcloud compute accelerator-types list to learn about all available accelerator types.
count
(Optional) The number of accelerators to attach to the instances. The default value is 1.
gpu-driver-version
(Optional) The NVIDIA driver version to install. GPU_DRIVER_VERSION must be one of:
`default`: Install the default driver version for this GKE version. For GKE version 1.30.1-gke.1156000 and later, this is the default option.
`latest`: Install the latest driver version available for this GKE version. Can only be used for nodes that use Container-Optimized OS.
`disabled`: Skip automatic driver installation. You must manually install a driver after you create the cluster. For GKE version 1.30.1-gke.1156000 and earlier, this is the default option. To manually install the GPU driver, refer to https://cloud.google.com/kubernetes-engine/docs/how-to/gpus#installing_drivers.
gpu-partition-size
(Optional) The GPU partition size used when running multi-instance GPUs. For information about multi-instance GPUs, refer to: https://cloud.google.com/kubernetes-engine/docs/how-to/gpus-multi
gpu-sharing-strategy
(Optional) The GPU sharing strategy (e.g. time-sharing) to use. For information about GPU sharing, refer to: https://cloud.google.com/kubernetes-engine/docs/concepts/timesharing-gpus
max-shared-clients-per-gpu
(Optional) The max number of containers allowed to share each GPU on the node. This field is used together with gpu-sharing-strategy.
--additional-zones=ZONE,[ZONE,…]
(DEPRECATED) The set of additional zones in which the specified node footprint should be replicated. All zones must be in the same region as the cluster's primary zone. If additional-zones is not specified, all nodes will be in the cluster's primary zone.

Note that NUM_NODES nodes will be created in each zone, such that if you specify --num-nodes=4 and choose one additional zone, 8 nodes will be created.

Multiple locations can be specified, separated by commas. For example:

gcloud container clusters create example-cluster --zone us-central1-a --additional-zones us-central1-b,us-central1-c

This flag is deprecated. Use --node-locations=PRIMARY_ZONE,[ZONE,…] instead.

--addons=[ADDON[=ENABLED|DISABLED],…]
Addons (https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#Cluster.AddonsConfig) are additional Kubernetes cluster components. Addons specified by this flag will be enabled. The others will be disabled. Default addons: HttpLoadBalancing, HorizontalPodAutoscaling. The Istio addon is deprecated and removed. For more information and migration, see https://cloud.google.com/istio/docs/istio-on-gke/migrate-to-anthos-service-mesh. ADDON must be one of: HttpLoadBalancing, HorizontalPodAutoscaling, KubernetesDashboard, NetworkPolicy, NodeLocalDNS, ConfigConnector, GcePersistentDiskCsiDriver, GcpFilestoreCsiDriver, BackupRestore, GcsFuseCsiDriver, ParallelstoreCsiDriver, HighScaleCheckpointing, LustreCsiDriver, RayOperator, CloudRun.
--alpha-cluster-feature-gates=[FEATURE=true|false,…]
Selectively enable or disable Kubernetes alpha and beta feature gates on an alpha GKE cluster. Alpha clusters are not covered by the Kubernetes Engine SLA and should not be used for production workloads.
--anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG
Enable or restrict anonymous access to the cluster. When enabled, anonymous users will be authenticated as system:anonymous with the group system:unauthenticated. Limiting access restricts anonymous access to only the health check endpoints /readyz, /livez, and /healthz.

ANONYMOUS_AUTHENTICATION_CONFIG must be one of:

ENABLED
'ENABLED' enables anonymous calls.
LIMITED
'LIMITED' restricts anonymous access to the cluster. Only calls to the health check endpoints are allowed anonymously; all other calls will be rejected.
--async
Return immediately, without waiting for the operation in progress to complete.
--auto-monitoring-scope=AUTO_MONITORING_SCOPE
Enables Auto-Monitoring for a specific scope within the cluster. ALL: Enables Auto-Monitoring for all supported workloads within the cluster. NONE: Disables Auto-Monitoring. AUTO_MONITORING_SCOPE must be one of: ALL, NONE.
--autopilot-workload-policies=WORKLOAD_POLICIES
Add Autopilot workload policies to the cluster.

Examples:

gcloud container clusters create example-cluster --autopilot-workload-policies=allow-net-admin

The only supported workload policy is 'allow-net-admin'.

--autoprovisioning-enable-insecure-kubelet-readonly-port
Enables the Kubelet's insecure read only port for Autoprovisioned Node Pools.

If not set, the value from nodePoolDefaults.nodeConfigDefaults will be used.

To disable the readonly port, use --no-autoprovisioning-enable-insecure-kubelet-readonly-port.

--autoprovisioning-network-tags=TAGS,[TAGS,…]
Applies the given Compute Engine tags (comma separated) on all nodes in the auto-provisioned node pools of the new Standard cluster or the new Autopilot cluster.

Examples:

gcloud container clusters create example-cluster --autoprovisioning-network-tags=tag1,tag2

New nodes in auto-provisioned node pools, including ones created by resize or recreate, will have these tags on the Compute Engine API instance object and can be used in firewall rules. See https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create for examples.

--autoprovisioning-resource-manager-tags=[KEY=VALUE,…]
Applies the specified comma-separated resource manager tags that have the GCE_FIREWALL purpose to all nodes in the new Autopilot cluster or all auto-provisioned nodes in the new Standard cluster.

Examples:

gcloud container clusters create example-cluster --autoprovisioning-resource-manager-tags=tagKeys/1234=tagValues/2345
gcloud container clusters create example-cluster --autoprovisioning-resource-manager-tags=my-project/key1=value1
gcloud container clusters create example-cluster --autoprovisioning-resource-manager-tags=12345/key1=value1,23456/key2=value2
gcloud container clusters create example-cluster --autoprovisioning-resource-manager-tags=

All nodes in an Autopilot cluster or all auto-provisioned nodes in a Standard cluster, including nodes that are resized or re-created, will have the specified tags on the corresponding Instance object in the Compute Engine API. You can reference these tags in network firewall policy rules. For instructions, see https://cloud.google.com/firewall/docs/use-tags-for-firewalls.

--autoscaling-profile=AUTOSCALING_PROFILE
Set autoscaling behaviour; choices are 'optimize-utilization' and 'balanced'. Default is 'balanced'.
--boot-disk-kms-key=BOOT_DISK_KMS_KEY
The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption
--cloud-run-config=[load-balancer-type=EXTERNAL,…]
Configurations for the Cloud Run addon; requires --addons=CloudRun for create and --update-addons=CloudRun=ENABLED for update.
load-balancer-type
(Optional) Type of load balancer: EXTERNAL or INTERNAL.

Examples:

gcloud container clusters create example-cluster --cloud-run-config=load-balancer-type=INTERNAL
--cluster-ipv4-cidr=CLUSTER_IPV4_CIDR
The IP address range for the pods in this cluster in CIDR notation (e.g. 10.0.0.0/14). Prior to Kubernetes version 1.7.0 this must be a subset of 10.0.0.0/8; however, starting with version 1.7.0 it can be any RFC 1918 IP range.

If you omit this option, a range is chosen automatically. The automatically chosen range is randomly selected from 10.0.0.0/8 and will not include IP address ranges allocated to VMs, existing routes, or ranges allocated to other clusters. The automatically chosen range might conflict with reserved IP addresses, dynamic routes, or routes within VPCs that peer with this cluster. You should specify --cluster-ipv4-cidr to prevent conflicts.

This field is not applicable in a Shared VPC setup, where the IP address range for the pods must be specified with --cluster-secondary-range-name.

--cluster-secondary-range-name=NAME
Set the secondary range to be used as the source for pod IPs. Alias ranges will be allocated from this secondary range. NAME must be the name of an existing secondary range in the cluster subnetwork. Cannot be specified unless the '--enable-ip-alias' option is also specified. Cannot be used with the '--create-subnetwork' option.
--cluster-version=CLUSTER_VERSION
The Kubernetes version to use for the master and nodes. Defaults to server-specified.

The default Kubernetes version is available using the following command.

gcloud container get-server-config
--confidential-node-type=CONFIDENTIAL_NODE_TYPE
Enable confidential nodes for the cluster. Enabling Confidential Nodes will create nodes using Confidential VM (https://cloud.google.com/compute/confidential-vm/docs/about-cvm). CONFIDENTIAL_NODE_TYPE must be one of: sev, sev_snp, tdx.
--containerd-config-from-file=PATH_TO_FILE
Path of the YAML file that contains containerd configuration entries, like configuring access to private image registries.

For detailed information on the configuration usage, please refer to https://cloud.google.com/kubernetes-engine/docs/how-to/customize-containerd-configuration.

Note: Updating the containerd configuration of an existing cluster or node pool requires recreation of the existing nodes, which might cause disruptions in running workloads.

Use a full or relative path to a local file containing the value of containerd_config.

--create-subnetwork=[KEY=VALUE,…]
Create a new subnetwork for the cluster. The name and range of the subnetwork can be customized via the optional 'name' and 'range' key-value pairs.

'name' specifies the name of the subnetwork to be created.

'range' specifies the IP range for the new subnetwork. This can either be a netmask size (e.g. '/20') or a CIDR range (e.g. '10.0.0.0/20'). If a netmask size is specified, the IP is automatically taken from the free space in the cluster's network.

Examples:

Create a new subnetwork with a default name and size.

gcloud container clusters create --create-subnetwork ""

Create a new subnetwork named "my-subnet" with netmask of size 21.

gcloud container clusters create --create-subnetwork name=my-subnet,range=/21

Create a new subnetwork with a default name and the primary range of 10.100.0.0/16.

gcloud container clusters create --create-subnetwork range=10.100.0.0/16

Create a new subnetwork with the name "my-subnet" with a default range.

gcloud container clusters create --create-subnetwork name=my-subnet
Cannot be specified unless the '--enable-ip-alias' option is also specified. Cannot be used in conjunction with the '--subnetwork' option.
--data-cache-count=DATA_CACHE_COUNT
Specifies the number of local SSDs to be utilized for GKE Data Cache in the cluster.
--database-encryption-key=DATABASE_ENCRYPTION_KEY
Enable Database Encryption.

Enable database encryption that will be used to encrypt Kubernetes Secrets at the application layer. The key provided should be the resource ID in the format of projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.

--default-max-pods-per-node=DEFAULT_MAX_PODS_PER_NODE
The default max number of pods per node for node pools in the cluster.

This flag sets the default max-pods-per-node for node pools in the cluster. If --max-pods-per-node is not specified explicitly for a node pool, this flag value will be used.

Must be used in conjunction with '--enable-ip-alias'.

--disable-default-snat
Disable default source NAT rules applied in cluster nodes.

By default, cluster nodes perform source network address translation (SNAT) for packets sent from Pod IP address sources to destination IP addresses that are not in the non-masquerade CIDRs list. For more details about SNAT and IP masquerading, see: https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent#how_ipmasq_works. SNAT changes the packet's source IP address to the node's internal IP address.

When this flag is set, GKE does not perform SNAT for packets sent to any destination. You must set this flag if the cluster uses privately reused public IPs.

The --disable-default-snat flag is only applicable to private GKE clusters, which are inherently VPC-native. Thus, --disable-default-snat requires that you also set --enable-ip-alias and --enable-private-nodes.

--disable-l4-lb-firewall-reconciliation
Disable reconciliation on the cluster for L4 Load Balancer VPC firewalls targeting ingress traffic.
--disk-size=DISK_SIZE
Size for node VM boot disks in GB. Defaults to 100GB.
--disk-type=DISK_TYPE
Type of the node VM boot disk. For version 1.24 and later, defaults to pd-balanced. For versions earlier than 1.24, defaults to pd-standard. DISK_TYPE must be one of: pd-standard, pd-ssd, pd-balanced, hyperdisk-balanced, hyperdisk-extreme, hyperdisk-throughput.
--enable-authorized-networks-on-private-endpoint
Enable enforcement of --master-authorized-networks CIDR ranges for traffic reaching the cluster's control plane via private IP.
--enable-auto-ipam
Enable the Auto IP Address Management (Auto IPAM) feature for the cluster.
--enable-autorepair
Enable node autorepair feature for a cluster's default node pool(s).
gcloud container clusters create example-cluster --enable-autorepair

Node autorepair is enabled by default for clusters using COS, COS_CONTAINERD, UBUNTU or UBUNTU_CONTAINERD as a base image; use --no-enable-autorepair to disable.

See https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair for more info.

--enable-autoupgrade
Sets autoupgrade feature for a cluster's default node pool(s).
gcloud container clusters create example-cluster --enable-autoupgrade

See https://cloud.google.com/kubernetes-engine/docs/node-auto-upgrades for more info.

Enabled by default; use --no-enable-autoupgrade to disable.

--enable-cilium-clusterwide-network-policy
Enable Cilium Clusterwide Network Policies on the cluster. Disabled by default.
--enable-cloud-logging
(DEPRECATED) Automatically send logs from the cluster to the Google Cloud Logging API.

Legacy Logging and Monitoring is deprecated. Thus, the flag --enable-cloud-logging is also deprecated and will be removed in an upcoming release. Please use --logging (optionally with --monitoring). For more details, please read: https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs and https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics.

--enable-cloud-monitoring
(DEPRECATED) Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting.

Legacy Logging and Monitoring is deprecated. Thus, the flag --enable-cloud-monitoring is also deprecated. Please use --monitoring (optionally with --logging). For more details, please read: https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics and https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs.

--enable-cloud-run-alpha
Enable Cloud Run alpha features on this cluster. Selecting this option will result in the cluster having all Cloud Run alpha API groups and features turned on.

Cloud Run alpha clusters are not covered by the Cloud Run SLA and should not be used for production workloads.

--enable-confidential-nodes
Enable confidential nodes for the cluster. Enabling Confidential Nodes will create nodes using Confidential VM (https://cloud.google.com/compute/confidential-vm/docs/about-cvm).
--enable-confidential-storage
Enable confidential storage for the cluster. Enabling Confidential Storage will create boot disks in confidential mode.
--enable-cost-allocation
Enable the cost management feature.

When enabled, you can get informational GKE cost breakdowns by cluster, namespace and label in your billing data exported to BigQuery (https://cloud.google.com/billing/docs/how-to/export-data-bigquery).

--enable-dataplane-v2
Enables the new eBPF dataplane for GKE clusters, which is required for network security, scalability and visibility features.
--enable-default-compute-class
Enable the default compute class to use for the cluster.

To disable Default Compute Class in an existing cluster, explicitly set the flag --no-enable-default-compute-class.

--enable-dns-access
Enable access to the cluster's control plane over DNS-based endpoint.

DNS-based control plane access is recommended.

--enable-fleet
Set the cluster project as the fleet host project. This will register the cluster to the same project. To register the cluster to a fleet in a different project, please use --fleet-project=FLEET_HOST_PROJECT. Example: $ gcloud container clusters create --enable-fleet
--enable-fqdn-network-policy
Enable FQDN Network Policies on the cluster. FQDN Network Policies are disabled by default.
--enable-google-cloud-access
When you enable Google Cloud Access, any public IP addresses owned by Google Cloud can reach the public control plane endpoint of your cluster.
--enable-gvnic
Enable the use of GVNIC for this cluster. Requires re-creation of nodes using either a node-pool upgrade or node-pool creation.
--enable-identity-service
Enable Identity Service component on the cluster.

When enabled, users can authenticate to the Kubernetes cluster with external identity providers.

Identity Service is disabled by default when creating a new cluster. To disable Identity Service in an existing cluster, explicitly set the flag --no-enable-identity-service.

--enable-image-streaming
Specifies whether to enable image streaming on cluster.
--enable-insecure-kubelet-readonly-port
Enables the Kubelet's insecure read only port.

To disable the readonly port on a cluster or node-pool, set the flag to --no-enable-insecure-kubelet-readonly-port.

--enable-intra-node-visibility
Enable Intra-node visibility for this cluster.

Enabling intra-node visibility makes your intra-node pod-to-pod traffic visible to the networking fabric. With this feature, you can use VPC flow logging or other VPC features for intra-node traffic.

Enabling it on an existing cluster causes the cluster master and the cluster nodes to restart, which might cause a disruption.

--enable-ip-access
Enable access to the cluster's control plane over private IP, and over public IP if --enable-private-endpoint is not enabled.
--enable-ip-alias
--enable-ip-alias creates a VPC-native cluster. If you set this option, you can optionally specify the IP address ranges to use for Pods and Services. For instructions, see https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips.

--no-enable-ip-alias creates a routes-based cluster. This type of cluster routes traffic between Pods using Google Cloud Routes. This option is not recommended; use the default VPC-native cluster type instead. For instructions, see https://cloud.google.com/kubernetes-engine/docs/how-to/routes-based-cluster

Note: For IPv6-only clusters, these flags are a no-op as IP Aliases do not apply, and any specified IP address ranges for Pods and Services will be ignored.

You can't specify both --enable-ip-alias and --no-enable-ip-alias. If you omit both --enable-ip-alias and --no-enable-ip-alias, the default is a VPC-native cluster.

--enable-k8s-certs-via-dns
Enable K8s client certificate authentication to the cluster's control plane over the DNS-based endpoint.
--enable-k8s-tokens-via-dns
Enable K8s Service Account token authentication to the cluster's control plane over the DNS-based endpoint.
--enable-kernel-module-signature-enforcement
Enforces that kernel modules are signed on all new nodes in the cluster unless explicitly overridden with --no-enable-kernel-module-signature-enforcement when creating the node pool. Use --no-enable-kernel-module-signature-enforcement to disable.

Examples:

gcloud container clusters create example-cluster --enable-kernel-module-signature-enforcement
--enable-kubernetes-alpha
Enable Kubernetes alpha features on this cluster. Selecting this option will result in the cluster having all Kubernetes alpha API groups and features turned on. Cluster upgrades (both manual and automatic) will be disabled and the cluster will be automatically deleted after 30 days.

Alpha clusters are not covered by the Kubernetes Engine SLA and should not be used for production workloads.

--enable-kubernetes-unstable-apis=API,[API,…]
Enable Kubernetes beta API features on this cluster. Beta APIs are not expected to be production ready and should be avoided in production-grade environments.
--enable-l4-ilb-subsetting
Enable Subsetting for L4 ILB services created on this cluster.
--enable-legacy-authorization
Enables the legacy ABAC authorization mode for the cluster. User rights are granted through the use of policies which combine attributes together. For a detailed look at these properties and related formats, see https://kubernetes.io/docs/admin/authorization/abac/. To use RBAC permissions instead, create or update your cluster with the option --no-enable-legacy-authorization.
--enable-legacy-lustre-port
Allow the Lustre CSI driver to initialize LNet (the virtual network layer for the Lustre kernel module) using port 6988. This flag is required to work around a port conflict with the gke-metadata-server on GKE nodes.
--enable-managed-prometheus
Enables managed collection for Managed Service for Prometheus in the cluster.

See https://cloud.google.com/stackdriver/docs/managed-prometheus/setup-managed#enable-mgdcoll-gke for more info.

Enabled by default for cluster versions 1.27 or greater; use --no-enable-managed-prometheus to disable.

--enable-master-global-access
Use with private clusters to allow access to the master's private endpoint from any Google Cloud region or on-premises environment regardless of the private cluster's region.
--enable-multi-networking
Enables multi-networking on the cluster. Multi-networking is disabled by default.
--enable-nested-virtualization
Enables the use of nested virtualization on the default initial node pool. Defaults to false. Can only be enabled on the UBUNTU_CONTAINERD base image or the COS_CONTAINERD base image with version 1.28.4-gke.1083000 and above.
--enable-network-policy
Enable network policy enforcement for this cluster. If you are enabling network policy on an existing cluster, the network policy addon must first be enabled on the master by using the --update-addons=NetworkPolicy=ENABLED flag.
--enable-ray-cluster-logging
Enable automatic log processing sidecar for Ray clusters.
--enable-ray-cluster-monitoring
Enable automatic metrics collection for Ray clusters.
--enable-service-externalips
Enables use of services with externalIPs field.
--enable-shielded-nodes
Enable Shielded Nodes for this cluster. Enabling Shielded Nodes will enable a more secure Node credential bootstrapping implementation. Starting with version 1.18, clusters will have Shielded GKE nodes by default.
--enable-stackdriver-kubernetes
(DEPRECATED) Enable Cloud Operations for GKE.

The --enable-stackdriver-kubernetes flag is deprecated and will be removed in an upcoming release. Please use --logging and --monitoring instead. For more information, please read: https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs and https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics.

Flags for vertical pod autoscaling:
--enable-vertical-pod-autoscaling
Enable vertical pod autoscaling for a cluster.
--fleet-project=PROJECT_ID_OR_NUMBER
Sets the fleet host project for the cluster. If specified, the current cluster will be registered as a fleet membership under the fleet host project.

Example: $ gcloud container clusters create --fleet-project=my-project

--gateway-api=GATEWAY_API
Enables the GKE Gateway controller in this cluster. The value of the flag specifies which Open Source Gateway API release channel will be used to define Gateway resources. GATEWAY_API must be one of:
disabled
Gateway controller will be disabled in the cluster.
standard
Gateway controller will be enabled in the cluster. Resource definitions from the standard OSS Gateway API release channel will be installed.
--hpa-profile=HPA_PROFILE
Set Horizontal Pod Autoscaler behavior. Accepted values are: none, performance. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/horizontal-pod-autoscaling#hpa-profile.
--image-type=IMAGE_TYPE
The image type to use for the cluster. Defaults to server-specified.

Image Type specifies the base OS that the nodes in the cluster will run on. If an image type is specified, it will be assigned to the cluster and all future upgrades will use the specified image type. If it is not specified, the server will pick the default image type.

The default image type and the list of valid image types are available using the following command.

gcloud container get-server-config
--in-transit-encryption=IN_TRANSIT_ENCRYPTION
Enable Dataplane V2 in-transit encryption. Dataplane V2 in-transit encryption is disabled by default. IN_TRANSIT_ENCRYPTION must be one of: inter-node-transparent, none.
--ipv6-access-type=IPV6_ACCESS_TYPE
IPv6 access type of the subnetwork. Defaults to 'external'. IPV6_ACCESS_TYPE must be one of: external, internal.
--issue-client-certificate
Issue a TLS client certificate with admin permissions.

When enabled, the certificate and private key pair will be present in the MasterAuth field of the Cluster object. For cluster versions before 1.12, a client certificate will be issued by default. As of 1.12, client certificates are disabled by default.

--labels=[KEY=VALUE,…]
Labels to apply to the Google Cloud resources in use by the Kubernetes Engine cluster. These are unrelated to Kubernetes labels.

Examples:

gcloud container clusters create example-cluster --labels=label_a=value1,label_b=,label_c=value3
--logging=[COMPONENT,…]
Set the components that have logging enabled. Valid component values are: SYSTEM, WORKLOAD, API_SERVER, CONTROLLER_MANAGER, SCHEDULER, NONE

For more information, see https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs#available-logs

Examples:

gcloud container clusters create --logging=SYSTEM
gcloud container clusters create --logging=SYSTEM,API_SERVER,WORKLOAD
gcloud container clusters create --logging=NONE
--logging-variant=LOGGING_VARIANT
Specifies the logging variant that will be deployed on all the nodes in the cluster. Valid logging variants are MAX_THROUGHPUT, DEFAULT. If no value is specified, DEFAULT is used. LOGGING_VARIANT must be one of:
DEFAULT
'DEFAULT' variant requests minimal resources but may not guarantee high throughput.
MAX_THROUGHPUT
'MAX_THROUGHPUT' variant requests more node resources and is able to achieve logging throughput up to 10MB per sec.
--machine-type=MACHINE_TYPE, -m MACHINE_TYPE
The type of machine to use for nodes. Defaults to e2-medium. The list of predefined machine types is available using the following command:
gcloud compute machine-types list

You can also specify custom machine types by providing a string with the format "custom-CPUS-RAM" where "CPUS" is the number of virtual CPUs and "RAM" is the amount of RAM in MiB.

For example, to create a node pool using custom machines with 2 vCPUs and 12 GB of RAM:

gcloud container clusters create high-mem-pool --machine-type=custom-2-12288
--max-nodes-per-pool=MAX_NODES_PER_POOL
The maximum number of nodes to allocate per default initial node pool. Kubernetes Engine will automatically create enough node pools such that each node pool contains fewer than --max-nodes-per-pool nodes. Defaults to 1000 nodes, but can be set as low as 100 nodes per pool on initial create.
--max-pods-per-node=MAX_PODS_PER_NODE
The max number of pods per node for this node pool.

This flag sets the maximum number of pods that can be run at the same time on a node. This will override the value given with the --default-max-pods-per-node flag set at the cluster level.

Must be used in conjunction with '--enable-ip-alias'.

--max-surge-upgrade=MAX_SURGE_UPGRADE; default=1
Number of extra (surge) nodes to be created on each upgrade of a node pool.

Specifies the number of extra (surge) nodes to be created during this node pool's upgrades. For example, running the following command will result in creating an extra node each time the node pool is upgraded:

gcloud container clusters create example-cluster --max-surge-upgrade=1 --max-unavailable-upgrade=0

Must be used in conjunction with '--max-unavailable-upgrade'.

--max-unavailable-upgrade=MAX_UNAVAILABLE_UPGRADE
Number of nodes that can be unavailable at the same time on each upgrade of a node pool.

Specifies the number of nodes that can be unavailable at the same time while this node pool is being upgraded. For example, running the following command will result in having 3 nodes being upgraded in parallel (1 + 2), but keeping always at least 3 (5 - 2) available each time the node pool is upgraded:

gcloud container clusters create example-cluster --num-nodes=5 --max-surge-upgrade=1 --max-unavailable-upgrade=2

Must be used in conjunction with '--max-surge-upgrade'.

--membership-type=MEMBERSHIP_TYPE
Specify a membership type for the cluster's fleet membership. Example: $ gcloud container clusters create --membership-type=LIGHTWEIGHT. MEMBERSHIP_TYPE must be (only one value is supported):
LIGHTWEIGHT
Fleet membership representing this cluster will be lightweight.
--metadata=KEY=VALUE,[KEY=VALUE,…]
Compute Engine metadata to be made available to the guest operating system running on nodes within the node pool.

Each metadata entry is a key/value pair separated by an equals sign. Metadata keys must be unique and less than 128 bytes in length. Values must be less than or equal to 32,768 bytes in length. The total size of all keys and values must be less than 512 KB. Multiple arguments can be passed to this flag. For example:

--metadata key-1=value-1,key-2=value-2,key-3=value-3

Additionally, the following keys are reserved for use by Kubernetes Engine:

  • cluster-location
  • cluster-name
  • cluster-uid
  • configure-sh
  • enable-os-login
  • gci-update-strategy
  • gci-ensure-gke-docker
  • instance-template
  • kube-env
  • startup-script
  • user-data

Google Kubernetes Engine sets the following keys by default:

  • serial-port-logging-enable

See also Compute Engine's documentation on storing and retrieving instance metadata.

--metadata-from-file=KEY=LOCAL_FILE_PATH,[…]
Same as --metadata except that the value for the entry will be read from a local file.
--min-cpu-platform=PLATFORM
When specified, the nodes for the new cluster's default node pool will be scheduled on hosts with the specified CPU architecture or a newer one.

Examples:

gcloud container clusters create example-cluster --min-cpu-platform=PLATFORM

To list available CPU platforms in given zone, run:

gcloud beta compute zones describe ZONE --format="value(availableCpuPlatforms)"

CPU platform selection is available only in selected zones.

--monitoring=[COMPONENT,…]
Set the components that have monitoring enabled. Valid component values are: SYSTEM, WORKLOAD (Deprecated), NONE, API_SERVER, CONTROLLER_MANAGER, SCHEDULER, DAEMONSET, DEPLOYMENT, HPA, POD, STATEFULSET, STORAGE, CADVISOR, KUBELET, DCGM, JOBSET

For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics#available-metrics

Examples:

gcloud container clusters create --monitoring=SYSTEM,API_SERVER,POD
gcloud container clusters create --monitoring=NONE
--network=NETWORK
The Compute Engine Network that the cluster will connect to. Google Kubernetes Engine will use this network when creating routes and firewalls for the clusters. Defaults to the 'default' network.
--network-performance-configs=[PROPERTY1=VALUE1,…]
Configures network performance settings for the cluster. Node pools can override with their own settings.
total-egress-bandwidth-tier
Total egress bandwidth is the available outbound bandwidth from a VM, regardless of whether the traffic is going to internal IP or external IP destinations. The following tier values are allowed: [TIER_UNSPECIFIED, TIER_1].

See https://cloud.google.com/compute/docs/networking/configure-vm-with-high-bandwidth-configuration for more information.

--node-labels=[NODE_LABEL,…]
Applies the given Kubernetes labels on all nodes in the new node pool.

Examples:

gcloud container clusters create example-cluster --node-labels=label-a=value1,label-2=value2

Updating the node pool's --node-labels flag applies the labels to the Kubernetes Node objects for existing nodes in-place; it does not re-create or replace nodes. New nodes, including ones created by resizing or re-creating nodes, will have these labels on the Kubernetes API Node object. The labels can be used in the nodeSelector field. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ for examples.

Note that Kubernetes labels, intended to associate cluster components and resources with one another and manage resource lifecycles, are different from Google Kubernetes Engine labels that are used for the purpose of tracking billing and usage information.

--node-locations=ZONE,[ZONE,…]
The set of zones in which the specified node footprint should be replicated. All zones must be in the same region as the cluster's master(s), specified by the --location, --zone, or --region flag. Additionally, for zonal clusters, --node-locations must contain the cluster's primary zone. If not specified, all nodes will be in the cluster's primary zone (for zonal clusters) or spread across three randomly chosen zones within the cluster's region (for regional clusters).

Note that NUM_NODES nodes will be created in each zone, such that if you specify --num-nodes=4 and choose two locations, 8 nodes will be created.

Multiple locations can be specified, separated by commas. For example:

gcloud container clusters create example-cluster --location us-central1-a --node-locations us-central1-a,us-central1-b
--node-taints=[NODE_TAINT,…]
Applies the given Kubernetes taints on all nodes in the default node pool(s) in the new cluster, which can be used with tolerations for pod scheduling.

Examples:

gcloud container clusters create example-cluster --node-taints=key1=val1:NoSchedule,key2=val2:PreferNoSchedule

To read more about node taints, see https://cloud.google.com/kubernetes-engine/docs/node-taints.

--node-version=NODE_VERSION
The Kubernetes version to use for nodes. Defaults to server-specified.

The default Kubernetes version is available using the following command.

gcloud container get-server-config
--notification-config=[pubsub=ENABLED|DISABLED,pubsub-topic=TOPIC,…]
The notification configuration of the cluster. GKE supports publishing cluster upgrade notifications to any Pub/Sub topic you created in the same project. Create a subscription for the specified topic to receive notification messages. See https://cloud.google.com/pubsub/docs/admin on how to manage Pub/Sub topics and subscriptions. You can also use the filter option to specify which event types you'd like to receive from the following options: SecurityBulletinEvent, UpgradeEvent, UpgradeInfoEvent, UpgradeAvailableEvent.

Examples:

gcloud container clusters create example-cluster --notification-config=pubsub=ENABLED,pubsub-topic=projects/{project}/topics/{topic-name}
gcloud container clusters create example-cluster --notification-config=pubsub=ENABLED,pubsub-topic=projects/{project}/topics/{topic-name},filter="SecurityBulletinEvent|UpgradeEvent"

The project of the Pub/Sub topic must be the same one as the cluster. It can be either the project ID or the project number.

--num-nodes=NUM_NODES; default=3
The number of nodes to be created in each of the cluster's zones.
--patch-update=[PATCH_UPDATE]
The patch update to use for the cluster.

Setting to 'accelerated' automatically upgrades the cluster to the latest patch available within the cluster's current minor version and release channel. Setting to 'default' automatically upgrades the cluster to the default patch upgrade target version available within the cluster's current minor version and release channel.

PATCH_UPDATE must be one of: accelerated, default.

--performance-monitoring-unit=PERFORMANCE_MONITORING_UNIT
Sets the Performance Monitoring Unit level. Valid values are architectural, standard and enhanced. PERFORMANCE_MONITORING_UNIT must be one of:
architectural
Enables architectural PMU events tied to non last level cache (LLC) events.
enhanced
Enables most documented core/L2 and LLC PMU events.
standard
Enables most documented core/L2 PMU events.
--placement-policy=PLACEMENT_POLICY
Indicates the desired resource policy to use.
gcloud container clusters create node-pool-1 --cluster=example-cluster --placement-policy my-placement
--placement-type=PLACEMENT_TYPE
Placement type allows you to define the type of node placement within the default node pool of this cluster.

UNSPECIFIED - No requirements on the placement of nodes. This is the default option.

COMPACT - GKE will attempt to place the nodes in close proximity to each other. This helps to reduce the communication latency between the nodes, but imposes additional limitations on the node pool size.

gcloud container clusters create example-cluster --placement-type=COMPACT

PLACEMENT_TYPE must be one of: UNSPECIFIED, COMPACT.

--preemptible
Create nodes using preemptible VM instances in the new cluster.
gcloud container clusters create example-cluster --preemptible

New nodes, including ones created by resize or recreate, will use preemptible VM instances. See https://cloud.google.com/kubernetes-engine/docs/preemptible-vm for more information on how to use Preemptible VMs with Kubernetes Engine.

--private-endpoint-subnetwork=NAME
Sets the subnetwork GKE uses to provision the control plane's private endpoint.
--private-ipv6-google-access-type=PRIVATE_IPV6_GOOGLE_ACCESS_TYPE
Sets the type of private access to Google services over IPv6.

PRIVATE_IPV6_GOOGLE_ACCESS_TYPE must be one of:

bidirectional
Allows Google services to initiate connections to GKE pods in this cluster. This is not intended for common use, and requires previous integration with Google services.
disabled
Default value. Disables private access to Google services over IPv6.
outbound-only
Allows GKE pods to make fast, secure requests to Google services over IPv6. This is the most common use of private IPv6 access.
gcloud alpha container clusters create --private-ipv6-google-access-type=disabled
gcloud alpha container clusters create --private-ipv6-google-access-type=outbound-only
gcloud alpha container clusters create --private-ipv6-google-access-type=bidirectional

PRIVATE_IPV6_GOOGLE_ACCESS_TYPE must be one of: bidirectional, disabled, outbound-only.

--release-channel=CHANNEL
Release channel a cluster is subscribed to.

If left unspecified and a version is specified, the cluster is enrolled in the most mature release channel where the version is available (first checking STABLE, then REGULAR, and finally RAPID). Otherwise, if no release channel and no version is specified, the cluster is enrolled in the REGULAR channel with its default version. When a cluster is subscribed to a release channel, Google maintains both the master version and the node version. Node auto-upgrade is enabled by default for release channel clusters and can be controlled via upgrade-scope exclusions.

CHANNEL must be one of:

None
Use 'None' to opt-out of any release channel.
extended
Clusters subscribed to 'extended' can remain on a minor version for 24 months from when the minor version is made available in the Regular channel.
rapid
'rapid' channel is offered on an early access basis for customers who want to test new releases.

WARNING: Versions available in the 'rapid' channel may be subject to unresolved issues with no known workaround and are not subject to any SLAs.

regular
Clusters subscribed to 'regular' receive versions that are considered GA quality. 'regular' is intended for production users who want to take advantage of new features.
stable
Clusters subscribed to 'stable' receive versions that are known to be stable and reliable in production.
--resource-manager-tags=[KEY=VALUE,…]
Applies the specified comma-separated resource manager tags that have the GCE_FIREWALL purpose to all nodes in the new default node pool(s) of a new cluster.

Examples:

gcloud container clusters create example-cluster --resource-manager-tags=tagKeys/1234=tagValues/2345
gcloud container clusters create example-cluster --resource-manager-tags=my-project/key1=value1
gcloud container clusters create example-cluster --resource-manager-tags=12345/key1=value1,23456/key2=value2
gcloud container clusters create example-cluster --resource-manager-tags=

All nodes, including nodes that are resized or re-created, will have the specified tags on the corresponding Instance object in the Compute Engine API. You can reference these tags in network firewall policy rules. For instructions, see https://cloud.google.com/firewall/docs/use-tags-for-firewalls.

--security-group=SECURITY_GROUP
The name of the RBAC security group for use with Google security groups in Kubernetes RBAC (https://kubernetes.io/docs/reference/access-authn-authz/rbac/).

To include group membership as part of the claims issued by Google during authentication, a group must be designated as a security group by including it as a direct member of this group.

If unspecified, no groups will be returned for use with RBAC.

--security-posture=SECURITY_POSTURE
Sets the mode of the Kubernetes security posture API's off-cluster features.

To enable advanced mode, explicitly set the flag to --security-posture=enterprise.

To enable in standard mode, explicitly set the flag to --security-posture=standard.

To disable in an existing cluster, explicitly set the flag to --security-posture=disabled.

For more information on enablement, see https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard#feature-enablement.

SECURITY_POSTURE must be one of: disabled, standard, enterprise.

--services-ipv4-cidr=CIDR
Set the IP range for the services IPs.

Can be specified as a netmask size (e.g. '/20') or in CIDR notation (e.g. '10.100.0.0/20'). If given as a netmask size, the IP range will be chosen automatically from the available space in the network.

If unspecified, the services CIDR range will be chosen with a default mask size.

Cannot be specified unless '--enable-ip-alias' option is also specified.

--services-secondary-range-name=NAME
Set the secondary range to be used for services (e.g. ClusterIPs). NAME must be the name of an existing secondary range in the cluster subnetwork. Cannot be specified unless the '--enable-ip-alias' option is also specified. Cannot be used with the '--create-subnetwork' option.
--shielded-integrity-monitoring
Enables monitoring and attestation of the boot integrity of the instance. The attestation is performed against the integrity policy baseline. This baseline is initially derived from the implicitly trusted boot image when the instance is created.
--shielded-secure-boot
The instance will boot with secure boot enabled.
--spot
Create nodes using spot VM instances in the new cluster.
gcloud container clusters create example-cluster --spot

New nodes, including ones created by resize or recreate, will use spot VM instances.

--stack-type=STACK_TYPE
IP stack type of the cluster nodes. STACK_TYPE must be one of: ipv4, ipv4-ipv6.
--storage-pools=STORAGE_POOL,[…]
A list of storage pools where the cluster's boot disks will be provisioned.

STORAGE_POOL must be in the format projects/project/zones/zone/storagePools/storagePool

--subnetwork=SUBNETWORK
The Google Compute Engine subnetwork (https://cloud.google.com/compute/docs/subnetworks) to which the cluster is connected. The subnetwork must belong to the network specified by --network.

Cannot be used with the "--create-subnetwork" option.

--system-config-from-file=PATH_TO_FILE
Path of the YAML/JSON file that contains the node configuration, including Linux kernel parameters (sysctls) and kubelet configs.

Examples:

kubeletConfig:
  cpuManagerPolicy: static
  memoryManager:
    policy: Static
  topologyManager:
    policy: BestEffort
    scope: pod
linuxConfig:
  sysctl:
    net.core.somaxconn: '2048'
    net.ipv4.tcp_rmem: '4096 87380 6291456'
  hugepageConfig:
    hugepage_size2m: '1024'
    hugepage_size1g: '2'
  swapConfig:
    enabled: true
    bootDiskProfile:
      swapSizeGib: 8
  cgroupMode: 'CGROUP_MODE_V2'

List of supported kubelet configs in 'kubeletConfig'.

KEY — VALUE
cpuManagerPolicy — either 'static' or 'none'
cpuCFSQuota — true or false (enabled by default)
cpuCFSQuotaPeriod — interval (e.g., '100ms'. The value must be between 1ms and 1 second, inclusive.)
memoryManager — specify memory manager policy
topologyManager — specify topology manager policy and scope
podPidsLimit — integer (The value must be greater than or equal to 1024 and less than 4194304.)
containerLogMaxSize — positive number plus unit suffix (e.g., '100Mi', '0.2Gi'. The value must be between 10Mi and 500Mi, inclusive.)
containerLogMaxFiles — integer (The value must be between [2, 10].)
imageGcLowThresholdPercent — integer (The value must be between [10, 85], and lower than imageGcHighThresholdPercent.)
imageGcHighThresholdPercent — integer (The value must be between [10, 85], and greater than imageGcLowThresholdPercent.)
imageMinimumGcAge — interval (e.g., '100s', '1m'. The value must be less than '2m'.)
imageMaximumGcAge — interval (e.g., '100s', '1m'. The value must be greater than imageMinimumGcAge.)
evictionSoft — specify eviction soft thresholds
evictionSoftGracePeriod — specify eviction soft grace period
evictionMinimumReclaim — specify eviction minimum reclaim thresholds
evictionMaxPodGracePeriodSeconds — integer (Max grace period for pod termination during eviction, in seconds. The value must be between [0, 300].)
allowedUnsafeSysctls — list of sysctls (Allowlisted groups: 'kernel.shm*', 'kernel.msg*', 'kernel.sem', 'fs.mqueue.*', and 'net.*', and sysctls under the groups.)
singleProcessOomKill — true or false
maxParallelImagePulls — integer (The value must be between [2, 5].)
List of supported keys in memoryManager in 'kubeletConfig'.
KEY — VALUE
policy — either 'Static' or 'None'
List of supported keys in topologyManager in 'kubeletConfig'.
KEY — VALUE
policy — either 'none' or 'best-effort' or 'single-numa-node' or 'restricted'
scope — either 'pod' or 'container'
List of supported keys in evictionSoft in 'kubeletConfig'.
KEY — VALUE
memoryAvailable — quantity (e.g., '100Mi', '1Gi'. Represents the amount of memory available before soft eviction. The value must be at least 100Mi and less than 50% of the node's memory.)
nodefsAvailable — percentage (e.g., '20%'. Represents the nodefs available before soft eviction. The value must be between 10% and 50%, inclusive.)
nodefsInodesFree — percentage (e.g., '20%'. Represents the nodefs inodes free before soft eviction. The value must be between 5% and 50%, inclusive.)
imagefsAvailable — percentage (e.g., '20%'. Represents the imagefs available before soft eviction. The value must be between 15% and 50%, inclusive.)
imagefsInodesFree — percentage (e.g., '20%'. Represents the imagefs inodes free before soft eviction. The value must be between 5% and 50%, inclusive.)
pidAvailable — percentage (e.g., '20%'. Represents the pid available before soft eviction. The value must be between 10% and 50%, inclusive.)
List of supported keys in evictionSoftGracePeriod in 'kubeletConfig'.
KEY — VALUE
memoryAvailable — duration (e.g., '30s', '1m'. The grace period for soft eviction for this resource. The value must be positive and no more than '5m'.)
nodefsAvailable — duration (e.g., '30s', '1m'. The grace period for soft eviction for this resource. The value must be positive and no more than '5m'.)
nodefsInodesFree — duration (e.g., '30s', '1m'. The grace period for soft eviction for this resource. The value must be positive and no more than '5m'.)
imagefsAvailable — duration (e.g., '30s', '1m'. The grace period for soft eviction for this resource. The value must be positive and no more than '5m'.)
imagefsInodesFree — duration (e.g., '30s', '1m'. The grace period for soft eviction for this resource. The value must be positive and no more than '5m'.)
pidAvailable — duration (e.g., '30s', '1m'. The grace period for soft eviction for this resource. The value must be positive and no more than '5m'.)
List of supported keys in evictionMinimumReclaim in 'kubeletConfig'.
KEY — VALUE
memoryAvailable — percentage (e.g., '5%'. Represents the minimum reclaim threshold for memory available. The value must be positive and no more than 10%.)
nodefsAvailable — percentage (e.g., '5%'. Represents the minimum reclaim threshold for nodefs available. The value must be positive and no more than 10%.)
nodefsInodesFree — percentage (e.g., '5%'. Represents the minimum reclaim threshold for nodefs inodes free. The value must be positive and no more than 10%.)
imagefsAvailable — percentage (e.g., '5%'. Represents the minimum reclaim threshold for imagefs available. The value must be positive and no more than 10%.)
imagefsInodesFree — percentage (e.g., '5%'. Represents the minimum reclaim threshold for imagefs inodes free. The value must be positive and no more than 10%.)
pidAvailable — percentage (e.g., '5%'. Represents the minimum reclaim threshold for pid available. The value must be positive and no more than 10%.)
List of supported sysctls in 'linuxConfig'.
KEY — VALUE
net.core.netdev_max_backlog — Any positive integer, less than 2147483647
net.core.rmem_default — Must be between [2304, 2147483647]
net.core.rmem_max — Must be between [2304, 2147483647]
net.core.wmem_default — Must be between [4608, 2147483647]
net.core.wmem_max — Must be between [4608, 2147483647]
net.core.optmem_max — Any positive integer, less than 2147483647
net.core.somaxconn — Must be between [128, 2147483647]
net.ipv4.tcp_rmem — Any positive integer tuple
net.ipv4.tcp_wmem — Any positive integer tuple
net.ipv4.tcp_tw_reuse — Must be {0, 1, 2}
net.ipv4.tcp_mtu_probing — Must be {0, 1, 2}
net.ipv4.tcp_max_orphans — Must be between [16384, 262144]
net.ipv4.tcp_max_tw_buckets — Must be between [4096, 2147483647]
net.ipv4.tcp_syn_retries — Must be between [1, 127]
net.ipv4.tcp_ecn — Must be {0, 1, 2}
net.ipv4.tcp_congestion_control — Supported values for COS: 'reno', 'cubic', 'bbr', 'lp', 'htcp'. Supported values for Ubuntu: 'reno', 'cubic', 'bbr', 'lp', 'htcp', 'vegas', 'dctcp', 'bic', 'cdg', 'highspeed', 'hybla', 'illinois', 'nv', 'scalable', 'veno', 'westwood', 'yeah'.
net.netfilter.nf_conntrack_max — Must be between [65536, 4194304]
net.netfilter.nf_conntrack_buckets — Must be between [65536, 524288]. Recommended setting: nf_conntrack_max = nf_conntrack_buckets * 4
net.netfilter.nf_conntrack_tcp_timeout_close_wait — Must be between [60, 3600]
net.netfilter.nf_conntrack_tcp_timeout_time_wait — Must be between [1, 600]
net.netfilter.nf_conntrack_tcp_timeout_established — Must be between [600, 86400]
net.netfilter.nf_conntrack_acct — Must be {0, 1}
kernel.shmmni — Must be between [4096, 32768]
kernel.shmmax — Must be between [0, 18446744073692774399]
kernel.shmall — Must be between [0, 18446744073692774399]
kernel.perf_event_paranoid — Must be {-1, 0, 1, 2, 3}
kernel.sched_rt_runtime_us — Must be [-1, 1000000]
kernel.softlockup_panic — Must be {0, 1}
kernel.yama.ptrace_scope — Must be {0, 1, 2, 3}
kernel.kptr_restrict — Must be {0, 1, 2}
kernel.dmesg_restrict — Must be {0, 1}
kernel.sysrq — Must be [0, 511]
fs.aio-max-nr — Must be between [65536, 4194304]
fs.file-max — Must be between [104857, 67108864]
fs.inotify.max_user_instances — Must be between [8192, 1048576]
fs.inotify.max_user_watches — Must be between [8192, 1048576]
fs.nr_open — Must be between [1048576, 2147483584]
vm.dirty_background_ratio — Must be between [1, 100]
vm.dirty_background_bytes — Must be between [0, 68719476736]
vm.dirty_expire_centisecs — Must be between [0, 6000]
vm.dirty_ratio — Must be between [1, 100]
vm.dirty_bytes — Must be between [0, 68719476736]
vm.dirty_writeback_centisecs — Must be between [0, 1000]
vm.max_map_count — Must be between [65536, 2147483647]
vm.overcommit_memory — Must be one of {0, 1, 2}
vm.overcommit_ratio — Must be between [0, 100]
vm.vfs_cache_pressure — Must be between [0, 100]
vm.swappiness — Must be between [0, 200]
vm.watermark_scale_factor — Must be between [10, 3000]
vm.min_free_kbytes — Must be between [67584, 1048576]
List of supported hugepage sizes in 'hugepageConfig'.
KEY — VALUE
hugepage_size2m — Number of 2M huge pages, any positive integer
hugepage_size1g — Number of 1G huge pages, any positive integer
List of supported keys in 'swapConfig' under 'linuxConfig'.
KEY — VALUE
enabled — boolean
encryptionConfig — specify encryption settings for the swap space
bootDiskProfile — specify swap on the node's boot disk
ephemeralLocalSsdProfile — specify swap on the local SSD shared with pod ephemeral storage
dedicatedLocalSsdProfile — specify swap on a new, separate local NVMe SSD exclusively for swap
List of supported keys in 'encryptionConfig' under 'swapConfig'.
KEY — VALUE
disabled — boolean
List of supported keys in 'bootDiskProfile' under 'swapConfig'.
KEY — VALUE
swapSizeGib — integer
swapSizePercent — integer
List of supported keys in 'ephemeralLocalSsdProfile' under 'swapConfig'.
KEY — VALUE
swapSizeGib — integer
swapSizePercent — integer
List of supported keys in 'dedicatedLocalSsdProfile' under 'swapConfig'.
KEY — VALUE
diskCount — integer
Allocated hugepage size should not exceed 60% of available memory on the node. For example, c2d-highcpu-4 has 8GB memory, so the total allocated hugepages of 2m and 1g should not exceed 8GB * 0.6 = 4.8GB.

1G hugepages are only available in the following machine families: c3, m2, c2d, c3d, h3, m3, a2, a3, g2.

Supported values for 'cgroupMode' under 'linuxConfig'.

  • CGROUP_MODE_V1: Use cgroupv1 on the node pool.
  • CGROUP_MODE_V2: Use cgroupv2 on the node pool.
  • CGROUP_MODE_UNSPECIFIED: Use the default GKE cgroup configuration.

Supported values for 'transparentHugepageEnabled' under 'linuxConfig', which controls transparent hugepage support for anonymous memory.

  • TRANSPARENT_HUGEPAGE_ENABLED_ALWAYS: Transparent hugepage is enabled system wide.
  • TRANSPARENT_HUGEPAGE_ENABLED_MADVISE: Transparent hugepage is enabled inside MADV_HUGEPAGE regions. This is the default kernel configuration.
  • TRANSPARENT_HUGEPAGE_ENABLED_NEVER: Transparent hugepage is disabled.
  • TRANSPARENT_HUGEPAGE_ENABLED_UNSPECIFIED: Default value. GKE will not modify the kernel configuration.

Supported values for 'transparentHugepageDefrag' under 'linuxConfig', which defines the transparent hugepage defrag configuration on the node.

  • TRANSPARENT_HUGEPAGE_DEFRAG_ALWAYS: It means that an application requesting THP will stall on allocation failure and directly reclaim pages and compact memory in an effort to allocate a THP immediately.
  • TRANSPARENT_HUGEPAGE_DEFRAG_DEFER: It means that an application will wake kswapd in the background to reclaim pages and wake kcompactd to compact memory so that THP is available in the near future. It is the responsibility of khugepaged to then install the THP pages later.
  • TRANSPARENT_HUGEPAGE_DEFRAG_DEFER_WITH_MADVISE: It means that an application will enter direct reclaim and compaction like always, but only for regions that have used madvise(MADV_HUGEPAGE); all other regions will wake kswapd in the background to reclaim pages and wake kcompactd to compact memory so that THP is available in the near future.
  • TRANSPARENT_HUGEPAGE_DEFRAG_MADVISE: It means that an application will enter direct reclaim and compaction like always, but only for regions that have used madvise(MADV_HUGEPAGE); all other regions will wake kswapd in the background to reclaim pages and wake kcompactd to compact memory so that THP is available in the near future.
  • TRANSPARENT_HUGEPAGE_DEFRAG_NEVER: It means that an application will never enter direct reclaim or compaction.
  • TRANSPARENT_HUGEPAGE_DEFRAG_UNSPECIFIED: Default value. GKE will not modify the kernel configuration.

Note, updating the system configuration of an existing node pool requires recreation of the nodes, which might cause a disruption.

Use a full or relative path to a local file containing the value of system_config.

--tags=TAG,[TAG,…]
Applies the given Compute Engine tags (comma separated) on all nodes in the new node pool.

Examples:

gcloud container clusters create example-cluster --tags=tag1,tag2

New nodes, including ones created by resize or recreate, will have these tags on the Compute Engine API instance object and can be used in firewall rules. See https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create for examples.

--threads-per-core=THREADS_PER_CORE
The number of visible threads per physical core for each node. To disable simultaneous multithreading (SMT), set this to 1.
--tier=TIER
(DEPRECATED) Set the desired tier for the cluster.

The --tier flag is deprecated. More info: https://cloud.google.com/kubernetes-engine/docs/release-notes#September_02_2025. TIER must be one of: standard, enterprise.

--workload-metadata=WORKLOAD_METADATA
Type of metadata server available to pods running in the node pool. WORKLOAD_METADATA must be one of:
GCE_METADATA
Pods running in this node pool have access to the node's underlying Compute Engine Metadata Server.
GKE_METADATA
Run the Kubernetes Engine Metadata Server on this node. The Kubernetes Engine Metadata Server exposes a metadata API to workloads that is compatible with the V1 Compute Metadata APIs exposed by the Compute Engine and App Engine Metadata Servers. This feature can only be enabled if Workload Identity is enabled at the cluster level.
--workload-pool=WORKLOAD_POOL
Enable Workload Identity on the cluster.

When enabled, Kubernetes service accounts will be able to act as Cloud IAM Service Accounts, through the provided workload pool.

Currently, the only accepted workload pool is the workload pool of the Cloud project containing the cluster, PROJECT_ID.svc.id.goog.

For more information on Workload Identity, see

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
--workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING
Sets the mode of the Kubernetes security posture API's workload vulnerability scanning.

To enable Advanced vulnerability insights mode, explicitly set the flag to --workload-vulnerability-scanning=enterprise.

To enable standard mode, explicitly set the flag to --workload-vulnerability-scanning=standard.

To disable it in an existing cluster, explicitly set the flag to --workload-vulnerability-scanning=disabled.

For more information on enablement, see https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard#feature-enablement.

WORKLOAD_VULNERABILITY_SCANNING must be one of: disabled, standard, enterprise.

Control Plane Keys
--aggregation-ca=CA_POOL_PATH
The Certificate Authority Service caPool that will back the aggregation CA
--cluster-ca=CA_POOL_PATH
The Certificate Authority Service caPool that will back the cluster CA
--control-plane-disk-encryption-key=KEY
The Cloud KMS symmetric encryption cryptoKey that will be used to encrypt the control plane disks.
--etcd-api-ca=CA_POOL_PATH
The Certificate Authority Service caPool that will back the etcd API CA
--etcd-peer-ca=CA_POOL_PATH
The Certificate Authority Service caPool that will back the etcd peer CA
--gkeops-etcd-backup-encryption-key=KEY
The Cloud KMS symmetric encryption cryptoKey that will be used to encrypt the disaster recovery etcd backups for the cluster.
--service-account-signing-keys=KEY_VERSION,[KEY_VERSION,…]
A Cloud KMS asymmetric signing cryptoKeyVersion that will be used to sign service account tokens.
--service-account-verification-keys=KEY_VERSION,[KEY_VERSION,…]
A Cloud KMS asymmetric signing cryptoKeyVersion that will be used to verify service account tokens. May be specified multiple times.
Flags for Binary Authorization:
At most one of these can be specified:
--binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE
Enable Binary Authorization for this cluster. BINAUTHZ_EVALUATION_MODE must be one of: disabled, project-singleton-policy-enforce.
--enable-binauthz
(DEPRECATED) Enable Binary Authorization for this cluster.

The --enable-binauthz flag is deprecated. Please use --binauthz-evaluation-mode instead.

Configure boot disk options.
--boot-disk-provisioned-iops=BOOT_DISK_PROVISIONED_IOPS
Configure the Provisioned IOPS for the node pool boot disks. Only valid for hyperdisk-balanced boot disks.
--boot-disk-provisioned-throughput=BOOT_DISK_PROVISIONED_THROUGHPUT
Configure the Provisioned Throughput for the node pool boot disks. Only valid for hyperdisk-balanced boot disks.
ClusterDNS
--cluster-dns=CLUSTER_DNS
DNS provider to use for this cluster. CLUSTER_DNS must be one of:
clouddns
Selects Cloud DNS as the DNS provider for the cluster.
default
Selects the default DNS provider (kube-dns) for the cluster.
kubedns
Selects Kube DNS as the DNS provider for the cluster.
--cluster-dns-domain=CLUSTER_DNS_DOMAIN
DNS domain for this cluster. The default value is cluster.local. This is configurable when --cluster-dns=clouddns and --cluster-dns-scope=vpc are set. The value must be a valid DNS subdomain as defined in RFC 1123.
--cluster-dns-scope=CLUSTER_DNS_SCOPE
DNS scope for the Cloud DNS zone created - valid only with --cluster-dns=clouddns. Defaults to cluster.

CLUSTER_DNS_SCOPE must be one of:

cluster
Configures the Cloud DNS zone to be private to the cluster.
vpc
Configures the Cloud DNS zone to be private to the VPC Network.
At most one of these can be specified:
--additive-vpc-scope-dns-domain=ADDITIVE_VPC_SCOPE_DNS_DOMAIN
The domain used in Additive VPC scope. Only works with Cluster Scope.
--disable-additive-vpc-scope
Disables Additive VPC Scope.
At most one of these can be specified:
--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
(REMOVED) Select Advanced Datapath Observability mode for the cluster. Defaults to DISABLED.

Advanced Datapath Observability allows for a real-time view into pod-to-pod traffic within your cluster.

Examples:

gcloud container clusters create --dataplane-v2-observability-mode=DISABLED
gcloud container clusters create --dataplane-v2-observability-mode=INTERNAL_VPC_LB
gcloud container clusters create --dataplane-v2-observability-mode=EXTERNAL_LB

Flag --dataplane-v2-observability-mode has been removed.

DATAPLANE_V2_OBSERVABILITY_MODE must be one of:

DISABLED
Disables Advanced Datapath Observability.
EXTERNAL_LB
Makes Advanced Datapath Observability available to the external network.
INTERNAL_VPC_LB
Makes Advanced Datapath Observability available from the VPC network.
--disable-dataplane-v2-flow-observability
Disables Advanced Datapath Observability.
--enable-dataplane-v2-flow-observability
Enables Advanced Datapath Observability, which allows for a real-time view into pod-to-pod traffic within your cluster.
At most one of these can be specified:
--disable-dataplane-v2-metrics
Stops exposing advanced datapath flow metrics on node port.
--enable-dataplane-v2-metrics
Exposes advanced datapath flow metrics on node port.
Node autoprovisioning
--enable-autoprovisioning
Enables node autoprovisioning for a cluster.

Cluster Autoscaler will be able to create new node pools. Requires maximum CPU and memory limits to be specified.

This flag argument must be specified if any of the other arguments in this group are specified.

At most one of these can be specified:
--autoprovisioning-config-file=PATH_TO_FILE
Path of the JSON/YAML file which contains information about the cluster's node autoprovisioning configuration. Currently it contains a list of resource limits, identity defaults for autoprovisioning, node upgrade settings, node management settings, minimum cpu platform, image type, node locations for autoprovisioning, disk type and size configuration, Shielded instance settings, and customer-managed encryption keys settings.

Resource limits are specified in the field 'resourceLimits'. Each resource limits definition contains three fields: resourceType, maximum and minimum. Resource type can be "cpu", "memory" or an accelerator (e.g. "nvidia-tesla-t4" for NVIDIA T4). Use gcloud compute accelerator-types list to learn about available accelerator types. Maximum is the maximum allowed amount with the unit of the resource. Minimum is the minimum allowed amount with the unit of the resource.

Identity default contains at most one of the below fields: serviceAccount: The Google Cloud Platform Service Account to be used by node VMs in autoprovisioned node pools. If not specified, the project's default service account is used. scopes: A list of scopes to be used by node instances in autoprovisioned node pools. Multiple scopes can be specified, separated by commas. For information on defaults, look at: https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes

Node Upgrade settings are specified under the field 'upgradeSettings', which has the following fields: maxSurgeUpgrade: Number of extra (surge) nodes to be created on each upgrade of an autoprovisioned node pool. maxUnavailableUpgrade: Number of nodes that can be unavailable at the same time on each upgrade of an autoprovisioned node pool.

Node Management settings are specified under the field 'management', which has the following fields: autoUpgrade: A boolean field that indicates if node autoupgrade is enabled for autoprovisioned node pools. autoRepair: A boolean field that indicates if node autorepair is enabled for autoprovisioned node pools.

minCpuPlatform (deprecated): If specified, new autoprovisioned nodes will be scheduled on a host with the specified CPU architecture or a newer one. Note: Min CPU platform can only be specified in Beta and Alpha.

Autoprovisioned node image is specified under the 'imageType' field. If not specified, the default value will be applied.

Autoprovisioning locations is a set of zones where new node pools can be created by Autoprovisioning. Autoprovisioning locations are specified in the field 'autoprovisioningLocations'. All zones must be in the same region as the cluster's master(s).

Disk type and size are specified under the 'diskType' and 'diskSizeGb' fields, respectively. If specified, new autoprovisioned nodes will be created with custom boot disks configured by these settings.

Shielded instance settings are specified under the 'shieldedInstanceConfig' field, which has the following fields: enableSecureBoot: A boolean field that indicates if secure boot is enabled for autoprovisioned nodes. enableIntegrityMonitoring: A boolean field that indicates if integrity monitoring is enabled for autoprovisioned nodes.

Customer Managed Encryption Keys (CMEK) used by new auto-provisioned node pools can be specified in the 'bootDiskKmsKey' field.

Use a full or relative path to a local file containing the value of autoprovisioning_config_file.

Flags to configure autoprovisioned nodes
--max-cpu=MAX_CPU
Maximum number of cores in the cluster.

Maximum number of cores to which the cluster can scale.

This flag argument must be specified if any of the other arguments in this group are specified.

--max-memory=MAX_MEMORY
Maximum memory in the cluster.

Maximum number of gigabytes of memory to which the cluster can scale.

This flag argument must be specified if any of the other arguments in this group are specified.

--autoprovisioning-image-type=AUTOPROVISIONING_IMAGE_TYPE
Node Autoprovisioning will create new nodes with the specified image type
--autoprovisioning-locations=ZONE,[ZONE,…]
Set of zones where new node pools can be created by autoprovisioning. All zones must be in the same region as the cluster's master(s). Multiple locations can be specified, separated by commas.
--autoprovisioning-min-cpu-platform=PLATFORM
(DEPRECATED) If specified, new autoprovisioned nodes will be scheduled on a host with the specified CPU architecture or a newer one.

The --autoprovisioning-min-cpu-platform flag is deprecated and will be removed in an upcoming release. More info: https://cloud.google.com/kubernetes-engine/docs/release-notes#March_08_2022

--min-cpu=MIN_CPU
Minimum number of cores in the cluster.

Minimum number of cores to which the cluster can scale.

--min-memory=MIN_MEMORY
Minimum memory in the cluster.

Minimum number of gigabytes of memory to which the cluster can scale.

Flags to specify upgrade settings for autoprovisioned nodes:
--autoprovisioning-max-surge-upgrade=AUTOPROVISIONING_MAX_SURGE_UPGRADE
Number of extra (surge) nodes to be created on each upgrade of an autoprovisioned node pool.
--autoprovisioning-max-unavailable-upgrade=AUTOPROVISIONING_MAX_UNAVAILABLE_UPGRADE
Number of nodes that can be unavailable at the same time on each upgrade of an autoprovisioned node pool.
--autoprovisioning-node-pool-soak-duration=AUTOPROVISIONING_NODE_POOL_SOAK_DURATION
Time in seconds to be spent waiting during blue-green upgrade before deleting the blue pool and completing the update. This argument should be used in conjunction with --enable-autoprovisioning-blue-green-upgrade to take effect.
--autoprovisioning-standard-rollout-policy=[batch-node-count=BATCH_NODE_COUNT,batch-percent=BATCH_NODE_PERCENTAGE,batch-soak-duration=BATCH_SOAK_DURATION,…]
Standard rollout policy options for blue-green upgrade. This argument should be used in conjunction with --enable-autoprovisioning-blue-green-upgrade to take effect.

Batch sizes are specified by one of batch-node-count or batch-percent. The duration between batches is specified by batch-soak-duration.

Example: --standard-rollout-policy=batch-node-count=3,batch-soak-duration=60s --standard-rollout-policy=batch-percent=0.05,batch-soak-duration=180s

Flag group to choose the top level upgrade option:

At most one of these can be specified:

--enable-autoprovisioning-blue-green-upgrade
Whether to use blue-green upgrade for the autoprovisioned node pool.
--enable-autoprovisioning-surge-upgrade
Whether to use surge upgrade for the autoprovisioned node pool.
Flags to specify identity for autoprovisioned nodes:
--autoprovisioning-scopes=[SCOPE,…]
The scopes to be used by node instances in autoprovisioned node pools. Multiple scopes can be specified, separated by commas. For information on defaults, look at: https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes
--autoprovisioning-service-account=AUTOPROVISIONING_SERVICE_ACCOUNT
The Google Cloud Platform Service Account to be used by node VMs in autoprovisioned node pools. If not specified, the project default service account is used.
Flags to specify node management settings for autoprovisioned nodes:
--enable-autoprovisioning-autorepair
Enable node autorepair for autoprovisioned node pools. Use --no-enable-autoprovisioning-autorepair to disable.

This flag argument must be specified if any of the other arguments in this group are specified.

--enable-autoprovisioning-autoupgrade
Enable node autoupgrade for autoprovisioned node pools. Use --no-enable-autoprovisioning-autoupgrade to disable.

This flag argument must be specified if any of the other arguments in this group are specified.

Arguments to set limits on accelerators:
--max-accelerator=[type=TYPE,count=COUNT,…]
Sets maximum limit for a single type of accelerators (e.g. GPUs) in cluster.
type
(Required) The specific type (e.g. nvidia-tesla-t4 for NVIDIA T4) of accelerator for which the limit is set. Use gcloud compute accelerator-types list to learn about all available accelerator types.
count
(Required) The maximum number of accelerators to which the cluster can be scaled.

This flag argument must be specified if any of the other arguments in this group are specified.

--min-accelerator=[type=TYPE,count=COUNT,…]
Sets minimum limit for a single type of accelerators (e.g. GPUs) in cluster. Defaults to 0 for all accelerator types if it isn't set.
type
(Required) The specific type (e.g. nvidia-tesla-t4 for NVIDIA T4) of accelerator for which the limit is set. Use gcloud compute accelerator-types list to learn about all available accelerator types.
count
(Required) The minimum number of accelerators to which the cluster can be scaled.
Cluster autoscaling
--enable-autoscaling
Enables autoscaling for a node pool.

Enables autoscaling in the node pool specified by --node-pool, or the default node pool if --node-pool is not provided. If not already set, --max-nodes or --total-max-nodes must also be set.

--location-policy=LOCATION_POLICY
Location policy specifies the algorithm used when scaling-up the node pool.
  • BALANCED - A best-effort policy that aims to balance the sizes of available zones.
  • ANY - Instructs the cluster autoscaler to prioritize utilization of unused reservations, and reduces preemption risk for Spot VMs.

LOCATION_POLICY must be one of: BALANCED, ANY.

--max-nodes=MAX_NODES
Maximum number of nodes per zone in the node pool.

Maximum number of nodes per zone to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.

--min-nodes=MIN_NODES
Minimum number of nodes per zone in the node pool.

Minimum number of nodes per zone to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.

--total-max-nodes=TOTAL_MAX_NODES
Maximum number of all nodes in the node pool.

Maximum number of all nodes to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.

--total-min-nodes=TOTAL_MIN_NODES
Minimum number of all nodes in the node pool.

Minimum number of all nodes to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.

--enable-insecure-binding-system-authenticated
Allow using system:authenticated as a subject in ClusterRoleBindings and RoleBindings. Allowing bindings that reference system:authenticated is a security risk and is not recommended.

To disallow binding system:authenticated in a cluster, explicitly set the --no-enable-insecure-binding-system-authenticated flag instead.

--enable-insecure-binding-system-unauthenticated
Allow using system:unauthenticated and system:anonymous as subjects in ClusterRoleBindings and RoleBindings. Allowing bindings that reference system:unauthenticated or system:anonymous is a security risk and is not recommended.

To disallow binding system:unauthenticated and system:anonymous in a cluster, explicitly set the --no-enable-insecure-binding-system-unauthenticated flag instead.

Master Authorized Networks
--enable-master-authorized-networks
Allow only the specified set of CIDR blocks (specified by the --master-authorized-networks flag) to connect to the Kubernetes master through HTTPS. Besides these blocks, the following have access as well:
1) The private network the cluster connects to, if `--enable-private-nodes` is specified. 2) Google Compute Engine public IPs, if `--enable-private-nodes` is not specified.

Use --no-enable-master-authorized-networks to disable. When disabled, the public internet (0.0.0.0/0) is allowed to connect to the Kubernetes master through HTTPS.

--master-authorized-networks=NETWORK,[NETWORK,…]
The list of CIDR blocks (up to 100 for a private cluster, 50 for a public cluster) that are allowed to connect to the Kubernetes master through HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot be specified unless --enable-master-authorized-networks is also specified.
Exports cluster's usage of cloud resources
--enable-network-egress-metering
Enable network egress metering on this cluster.

When enabled, a DaemonSet is deployed into the cluster. Each DaemonSet pod meters network egress traffic by collecting data from the conntrack table, and exports the metered metrics to the specified destination.

Network egress metering is disabled if this flag is omitted, or when --no-enable-network-egress-metering is set.

--enable-resource-consumption-metering
Enable resource consumption metering on this cluster.

When enabled, a table will be created in the specified BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export.

Resource consumption metering is enabled unless --no-enable-resource-consumption-metering is set.

--resource-usage-bigquery-dataset=RESOURCE_USAGE_BIGQUERY_DATASET
The name of the BigQuery dataset to which the cluster's usage of cloud resources is exported. A table will be created in the specified dataset to store cluster resource usage. The resulting table can be joined with BigQuery Billing Export to produce a fine-grained cost breakdown.

Examples:

gcloud container clusters create example-cluster --resource-usage-bigquery-dataset=example_bigquery_dataset_name
Private Clusters
--enable-private-endpoint
Cluster is managed using the private IP address of the master API endpoint.
--enable-private-nodes
Cluster is created with no public IP addresses on the cluster nodes.
--master-ipv4-cidr=MASTER_IPV4_CIDR
IPv4 CIDR range to use for the master network. This should have a netmask of size /28 and should be used in conjunction with the --enable-private-nodes flag.
Flags for Secret Manager configuration:
--enable-secret-manager
Enables the Secret Manager CSI driver provider component. See https://secrets-store-csi-driver.sigs.k8s.io/introduction and https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp
--enable-secret-manager-rotation
Enables the rotation of secrets in the Secret Manager CSI driver provider component.
--secret-manager-rotation-interval=SECRET_MANAGER_ROTATION_INTERVAL
Set the rotation period for secrets in the Secret Manager CSI driver provider component. If you don't specify a time interval for the rotation, it will default to a rotation period of two minutes.
At most one of these can be specified:
--ephemeral-storage-local-ssd[=[count=COUNT]]
Parameters for the ephemeral storage filesystem. If unspecified, ephemeral storage is backed by the boot disk.

Examples:

gcloud container clusters create example_cluster --ephemeral-storage-local-ssd count=2

'count' specifies the number of local SSDs to use to back ephemeral storage. Local SSDs use NVMe interfaces. For first- and second-generation machine types, a nonzero count field is required for local SSD to be configured. For third-generation machine types, the count field is optional because the count is inferred from the machine type.

See https://cloud.google.com/compute/docs/disks/local-ssd for more information.

--local-nvme-ssd-block[=[count=COUNT]]
Adds the requested local SSDs on all nodes in default node pool(s) in the new cluster.

Examples:

gcloud container clusters create example_cluster --local-nvme-ssd-block count=2

'count' must be between 1-8. New nodes, including ones created by resize or recreate, will have these local SSDs.

For first- and second-generation machine types, a nonzero count field is required for local SSD to be configured. For third-generation machine types, the count field is optional because the count is inferred from the machine type.

See https://cloud.google.com/compute/docs/disks/local-ssd for more information.

--local-ssd-count=LOCAL_SSD_COUNT
The number of local SSD disks to provision on each node, formatted and mounted in the filesystem.

Local SSDs have a fixed 375 GB capacity per device. The number of disks that can be attached to an instance is limited by the maximum number of disks available on a machine, which differs by compute zone. See https://cloud.google.com/compute/docs/disks/local-ssd for more information.

At most one of these can be specified:
--location=LOCATION
Compute zone or region (e.g. us-central1-a or us-central1) for the cluster. Overrides the default compute/region or compute/zone value for this command invocation. Prefer using this flag over the --region or --zone flags.
--region=REGION
Compute region (e.g. us-central1) for a regional cluster. Overrides the default compute/region property value for this command invocation.
--zone=ZONE, -z ZONE
Compute zone (e.g. us-central1-a) for a zonal cluster. Overrides the default compute/zone property value for this command invocation.
One of either maintenance-window or the group of maintenance-window flags can be set. At most one of these can be specified:
--maintenance-window=START_TIME
Set a time of day when you prefer maintenance to start on this cluster. For example:
gcloud container clusters create example-cluster --maintenance-window=12:43

The time corresponds to the UTC time zone, and must be in HH:MM format.

Non-emergency maintenance will occur in the 4 hour block starting at the specified time.

This is mutually exclusive with the recurring maintenance windows and will overwrite any existing window. Compatible with maintenance exclusions.

Set a flexible maintenance window by specifying a window that recurs per an RFC 5545 RRULE. Non-emergency maintenance will occur in the recurring windows.

Examples:

For a 9-5 Mon-Wed UTC-4 maintenance window:

gcloud container clusters create example-cluster --maintenance-window-start=2000-01-01T09:00:00-04:00 --maintenance-window-end=2000-01-01T17:00:00-04:00 --maintenance-window-recurrence='FREQ=WEEKLY;BYDAY=MO,TU,WE'

For a daily window from 22:00 - 04:00 UTC:

gcloud container clusters create example-cluster --maintenance-window-start=2000-01-01T22:00:00Z --maintenance-window-end=2000-01-02T04:00:00Z --maintenance-window-recurrence=FREQ=DAILY
--maintenance-window-end=TIME_STAMP
The end time for calculating the duration of the maintenance window, as expressed by the amount of time after the START_TIME, in the same format. The value for END_TIME must be in the future, relative to START_TIME. This only calculates the duration of the window, and doesn't set when the maintenance window stops recurring. Maintenance windows only stop recurring when they're removed. See $ gcloud topic datetimes for information on time formats.

This flag argument must be specified if any of the other arguments in this group are specified.

This flag argument must be specified if any of the other arguments in this group are specified.

--maintenance-window-recurrence=RRULE
An RFC 5545 RRULE, specifying how the window will recur. Note that minimum requirements for maintenance periods will be enforced. Note that FREQ=SECONDLY, MINUTELY, and HOURLY are not supported.

This flag argument must be specified if any of the other arguments in this group are specified.

--maintenance-window-start=TIME_STAMP
Start time of the first window (can occur in the past). The start time influences when the window will start for recurrences. See $ gcloud topic datetimes for information on time formats.

This flag argument must be specified if any of the other arguments in this group are specified.

Basic auth
--password=PASSWORD
The password to use for cluster auth. Defaults to a server-specified randomly-generated string.
Options to specify the username.

At most one of these can be specified:

--enable-basic-auth
Enable basic (username/password) auth for the cluster. --enable-basic-auth is an alias for --username=admin; --no-enable-basic-auth is an alias for --username="". Use --password to specify a password; if not, the server will randomly generate one. For cluster versions before 1.12, if neither --enable-basic-auth nor --username is specified, --enable-basic-auth will default to true. After 1.12, --enable-basic-auth will default to false.
--username=USERNAME, -u USERNAME
The user name to use for basic auth for the cluster. Use --password to specify a password; if not, the server will randomly generate one.
Specifies the reservation for the default initial node pool.
--reservation=RESERVATION
The name of the reservation, required when --reservation-affinity=specific.
--reservation-affinity=RESERVATION_AFFINITY
The type of the reservation for the default initial node pool. RESERVATION_AFFINITY must be one of: any, none, specific.
Options to specify the node identity.
Scopes options.
--scopes=[SCOPE,…]; default="gke-default"
Specifies scopes for the node instances.

Examples:

gcloud container clusters create example-cluster --scopes=https://www.googleapis.com/auth/devstorage.read_only
gcloud container clusters create example-cluster --scopes=bigquery,storage-rw,compute-ro

Multiple scopes can be specified, separated by commas. Various scopes are automatically added based on feature usage. Such scopes are not added if an equivalent scope already exists.

  • monitoring-write: always added to ensure metrics can be written
  • logging-write: added if Cloud Logging is enabled (--enable-cloud-logging/--logging)
  • monitoring: added if Cloud Monitoring is enabled (--enable-cloud-monitoring/--monitoring)
  • gke-default: added for Autopilot clusters that use the default service account
  • cloud-platform: added for Autopilot clusters that use any other service account

SCOPE can be either the full URI of the scope or an alias. Default scopes are assigned to all instances. Available aliases are:

Alias                  URI
bigquery               https://www.googleapis.com/auth/bigquery
cloud-platform         https://www.googleapis.com/auth/cloud-platform
cloud-source-repos     https://www.googleapis.com/auth/source.full_control
cloud-source-repos-ro  https://www.googleapis.com/auth/source.read_only
compute-ro             https://www.googleapis.com/auth/compute.readonly
compute-rw             https://www.googleapis.com/auth/compute
datastore              https://www.googleapis.com/auth/datastore
default                https://www.googleapis.com/auth/devstorage.read_only
                       https://www.googleapis.com/auth/logging.write
                       https://www.googleapis.com/auth/monitoring.write
                       https://www.googleapis.com/auth/pubsub
                       https://www.googleapis.com/auth/service.management.readonly
                       https://www.googleapis.com/auth/servicecontrol
                       https://www.googleapis.com/auth/trace.append
gke-default            https://www.googleapis.com/auth/devstorage.read_only
                       https://www.googleapis.com/auth/logging.write
                       https://www.googleapis.com/auth/monitoring
                       https://www.googleapis.com/auth/service.management.readonly
                       https://www.googleapis.com/auth/servicecontrol
                       https://www.googleapis.com/auth/trace.append
logging-write          https://www.googleapis.com/auth/logging.write
monitoring             https://www.googleapis.com/auth/monitoring
monitoring-read        https://www.googleapis.com/auth/monitoring.read
monitoring-write       https://www.googleapis.com/auth/monitoring.write
pubsub                 https://www.googleapis.com/auth/pubsub
service-control        https://www.googleapis.com/auth/servicecontrol
service-management     https://www.googleapis.com/auth/service.management.readonly
sql (deprecated)       https://www.googleapis.com/auth/sqlservice
sql-admin              https://www.googleapis.com/auth/sqlservice.admin
storage-full           https://www.googleapis.com/auth/devstorage.full_control
storage-ro             https://www.googleapis.com/auth/devstorage.read_only
storage-rw             https://www.googleapis.com/auth/devstorage.read_write
taskqueue              https://www.googleapis.com/auth/taskqueue
trace                  https://www.googleapis.com/auth/trace.append
userinfo-email         https://www.googleapis.com/auth/userinfo.email
DEPRECATION WARNING: the https://www.googleapis.com/auth/sqlservice account scope and the sql alias do not provide SQL instance management capabilities and have been deprecated. Please use https://www.googleapis.com/auth/sqlservice.admin or sql-admin to manage your Google SQL Service instances.
--service-account=SERVICE_ACCOUNT
The Google Cloud Platform Service Account to be used by the node VMs. If a service account is specified, the cloud-platform and userinfo.email scopes are used. If no Service Account is specified, the project default service account is used.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
These variants are also available:
gcloud alpha container clusters create
gcloud beta container clusters create
