gcloud container clusters create-auto

NAME
gcloud container clusters create-auto - create an Autopilot cluster for running containers
SYNOPSIS
gcloud container clusters create-auto NAME
    [--anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG] [--async]
    [--auto-monitoring-scope=AUTO_MONITORING_SCOPE]
    [--autoprovisioning-enable-insecure-kubelet-readonly-port]
    [--autoprovisioning-network-tags=TAGS,[TAGS,…]]
    [--autoprovisioning-resource-manager-tags=[KEY=VALUE,…]]
    [--binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE]
    [--boot-disk-kms-key=BOOT_DISK_KMS_KEY] [--cluster-ipv4-cidr=CLUSTER_IPV4_CIDR]
    [--cluster-secondary-range-name=NAME] [--cluster-version=CLUSTER_VERSION]
    [--containerd-config-from-file=PATH_TO_FILE] [--create-subnetwork=[KEY=VALUE,…]]
    [--database-encryption-key=DATABASE_ENCRYPTION_KEY]
    [--disable-l4-lb-firewall-reconciliation]
    [--enable-authorized-networks-on-private-endpoint] [--enable-auto-ipam]
    [--enable-backup-restore] [--enable-cilium-clusterwide-network-policy]
    [--enable-confidential-nodes] [--enable-default-compute-class]
    [--enable-dns-access] [--enable-fleet] [--enable-google-cloud-access]
    [--enable-ip-access] [--enable-k8s-certs-via-dns] [--enable-k8s-tokens-via-dns]
    [--enable-kernel-module-signature-enforcement]
    [--enable-kubernetes-unstable-apis=API,[API,…]] [--enable-legacy-lustre-port]
    [--enable-lustre-csi-driver] [--enable-master-global-access]
    [--enable-multi-networking] [--enable-ray-cluster-logging]
    [--enable-ray-cluster-monitoring] [--enable-ray-operator]
    [--fleet-project=PROJECT_ID_OR_NUMBER] [--hpa-profile=HPA_PROFILE]
    [--labels=[KEY=VALUE,…]] [--logging=[COMPONENT,…]]
    [--membership-type=MEMBERSHIP_TYPE] [--monitoring=[COMPONENT,…]]
    [--network=NETWORK] [--private-endpoint-subnetwork=NAME]
    [--release-channel=CHANNEL] [--security-group=SECURITY_GROUP]
    [--security-posture=SECURITY_POSTURE] [--services-ipv4-cidr=CIDR]
    [--services-secondary-range-name=NAME] [--subnetwork=SUBNETWORK] [--tier=TIER]
    [--workload-policies=WORKLOAD_POLICIES]
    [--workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING]
    [--additive-vpc-scope-dns-domain=ADDITIVE_VPC_SCOPE_DNS_DOMAIN
      | --disable-additive-vpc-scope]
    [--aggregation-ca=CA_POOL_PATH --cluster-ca=CA_POOL_PATH
      --control-plane-disk-encryption-key=KEY --etcd-api-ca=CA_POOL_PATH
      --etcd-peer-ca=CA_POOL_PATH --gkeops-etcd-backup-encryption-key=KEY
      --service-account-signing-keys=KEY_VERSION,[KEY_VERSION,…]
      --service-account-verification-keys=KEY_VERSION,[KEY_VERSION,…]]
    [--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
      | --disable-dataplane-v2-flow-observability
      | --enable-dataplane-v2-flow-observability]
    [--enable-insecure-binding-system-authenticated
      --enable-insecure-binding-system-unauthenticated]
    [--enable-master-authorized-networks
      --master-authorized-networks=NETWORK,[NETWORK,…]]
    [--enable-private-endpoint --enable-private-nodes
      --master-ipv4-cidr=MASTER_IPV4_CIDR]
    [--enable-secret-manager --enable-secret-manager-rotation
      --secret-manager-rotation-interval=SECRET_MANAGER_ROTATION_INTERVAL]
    [--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
    [--scopes=[SCOPE,…]; default="gke-default" --service-account=SERVICE_ACCOUNT]
    [GCLOUD_WIDE_FLAG]
DESCRIPTION
Create an Autopilot cluster for running containers.
EXAMPLES
To create a cluster with the default configuration, run:
gcloud container clusters create-auto sample-cluster
POSITIONAL ARGUMENTS
NAME
The name of the cluster to create.

The name may contain only lowercase alphanumerics and '-', must start with a letter and end with an alphanumeric, and must be no longer than 40 characters.

FLAGS
--anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG
Enable or restrict anonymous access to the cluster. When enabled, anonymous users will be authenticated as system:anonymous with the group system:unauthenticated. Limiting access restricts anonymous access to only the health check endpoints /readyz, /livez, and /healthz.

ANONYMOUS_AUTHENTICATION_CONFIG must be one of:

ENABLED
'ENABLED' enables anonymous calls.
LIMITED
'LIMITED' restricts anonymous access to the cluster. Only calls to the health check endpoints are allowed anonymously; all other calls will be rejected.
--async
Return immediately, without waiting for the operation in progress to complete.
--auto-monitoring-scope=AUTO_MONITORING_SCOPE
Enables Auto-Monitoring for a specific scope within the cluster. ALL: Enables Auto-Monitoring for all supported workloads within the cluster. NONE: Disables Auto-Monitoring. AUTO_MONITORING_SCOPE must be one of: ALL, NONE.
--autoprovisioning-enable-insecure-kubelet-readonly-port
Enables the Kubelet's insecure read only port for Autoprovisioned Node Pools.

If not set, the value from nodePoolDefaults.nodeConfigDefaults will be used.

To disable the readonly port, use --no-autoprovisioning-enable-insecure-kubelet-readonly-port.

--autoprovisioning-network-tags=TAGS,[TAGS,…]
Applies the given Compute Engine tags (comma separated) on all nodes in the auto-provisioned node pools of the new Standard cluster or the new Autopilot cluster.

Examples:

gcloud container clusters create-auto example-cluster --autoprovisioning-network-tags=tag1,tag2

New nodes in auto-provisioned node pools, including ones created by resize or recreate, will have these tags on the Compute Engine API instance object and can be used in firewall rules. See https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create for examples.

--autoprovisioning-resource-manager-tags=[KEY=VALUE,…]
Applies the specified comma-separated resource manager tags that have the GCE_FIREWALL purpose to all nodes in the new Autopilot cluster or all auto-provisioned nodes in the new Standard cluster.

Examples:

gcloud container clusters create-auto example-cluster --autoprovisioning-resource-manager-tags=tagKeys/1234=tagValues/2345
gcloud container clusters create-auto example-cluster --autoprovisioning-resource-manager-tags=my-project/key1=value1
gcloud container clusters create-auto example-cluster --autoprovisioning-resource-manager-tags=12345/key1=value1,23456/key2=value2
gcloud container clusters create-auto example-cluster --autoprovisioning-resource-manager-tags=

All nodes in an Autopilot cluster or all auto-provisioned nodes in a Standard cluster, including nodes that are resized or re-created, will have the specified tags on the corresponding Instance object in the Compute Engine API. You can reference these tags in network firewall policy rules. For instructions, see https://cloud.google.com/firewall/docs/use-tags-for-firewalls.

Flags for Binary Authorization:
--binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE
Enable Binary Authorization for this cluster. BINAUTHZ_EVALUATION_MODE must be one of: disabled, project-singleton-policy-enforce.
--boot-disk-kms-key=BOOT_DISK_KMS_KEY
The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption
--cluster-ipv4-cidr=CLUSTER_IPV4_CIDR
The IP address range for the pods in this cluster in CIDR notation (e.g. 10.0.0.0/14). Prior to Kubernetes version 1.7.0 this must be a subset of 10.0.0.0/8; however, starting with version 1.7.0 it can be any RFC 1918 IP range.

If you omit this option, a range is chosen automatically. The automatically chosen range is randomly selected from 10.0.0.0/8 and will not include IP address ranges allocated to VMs, existing routes, or ranges allocated to other clusters. The automatically chosen range might conflict with reserved IP addresses, dynamic routes, or routes within VPCs that peer with this cluster. You should specify --cluster-ipv4-cidr to prevent conflicts.

This field is not applicable in a Shared VPC setup where the IP address range for the pods must be specified with --cluster-secondary-range-name.

--cluster-secondary-range-name=NAME
Set the secondary range to be used as the source for pod IPs. Alias ranges will be allocated from this secondary range. NAME must be the name of an existing secondary range in the cluster subnetwork.

Cannot be used with '--create-subnetwork' option.

--cluster-version=CLUSTER_VERSION
The Kubernetes version to use for the master and nodes. Defaults to server-specified.

The default Kubernetes version is available using the following command.

gcloud container get-server-config
--containerd-config-from-file=PATH_TO_FILE
Path of the YAML file that contains containerd configuration entries like configuring access to private image registries.

For detailed information on the configuration usage, please refer to https://cloud.google.com/kubernetes-engine/docs/how-to/customize-containerd-configuration.

Note: Updating the containerd configuration of an existing cluster or node pool requires recreation of the existing nodes, which might cause disruptions in running workloads.

Use a full or relative path to a local file containing the value of containerd_config.

--create-subnetwork=[KEY=VALUE,…]
Create a new subnetwork for the cluster. The name and range of the subnetwork can be customized via optional 'name' and 'range' key-value pairs.

'name' specifies the name of the subnetwork to be created.

'range' specifies the IP range for the new subnetwork. This can either be a netmask size (e.g. '/20') or a CIDR range (e.g. '10.0.0.0/20'). If a netmask size is specified, the IP is automatically taken from the free space in the cluster's network.

Examples:

Create a new subnetwork with a default name and size.

gcloud container clusters create-auto --create-subnetwork ""

Create a new subnetwork named "my-subnet" with netmask of size 21.

gcloud container clusters create-auto --create-subnetwork name=my-subnet,range=/21

Create a new subnetwork with a default name with the primary range of 10.100.0.0/16.

gcloud container clusters create-auto --create-subnetwork range=10.100.0.0/16

Create a new subnetwork with the name "my-subnet" with a default range.

gcloud container clusters create-auto --create-subnetwork name=my-subnet

Cannot be used in conjunction with '--subnetwork' option.

--database-encryption-key=DATABASE_ENCRYPTION_KEY
Enable Database Encryption.

Enable database encryption that will be used to encrypt Kubernetes Secrets at the application layer. The key provided should be the resource ID in the format of projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.

--disable-l4-lb-firewall-reconciliation
Disable reconciliation on the cluster for L4 Load Balancer VPC firewalls targeting ingress traffic.
--enable-authorized-networks-on-private-endpoint
Enable enforcement of --master-authorized-networks CIDR ranges for traffic reaching the cluster's control plane via private IP.
--enable-auto-ipam
Enable the Auto IP Address Management (Auto IPAM) feature for the cluster.
--enable-backup-restore
Enable the Backup for GKE add-on. This add-on is disabled by default. To learn more, see the Backup for GKE overview: https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/concepts/backup-for-gke.
--enable-cilium-clusterwide-network-policy
Enable Cilium Clusterwide Network Policies on the cluster. Disabled by default.
--enable-confidential-nodes
Enable confidential nodes for the cluster. Enabling Confidential Nodes will create nodes using Confidential VM: https://cloud.google.com/compute/confidential-vm/docs/about-cvm.
--enable-default-compute-class
Enable the default compute class to use for the cluster.

To disable Default Compute Class in an existing cluster, explicitly set flag --no-enable-default-compute-class.

--enable-dns-access
Enable access to the cluster's control plane over DNS-based endpoint.

DNS-based control plane access is recommended.

--enable-fleet
Set cluster project as the fleet host project. This will register the cluster to the same project. To register the cluster to a fleet in a different project, please use --fleet-project=FLEET_HOST_PROJECT. Example: $ gcloud container clusters create-auto --enable-fleet
--enable-google-cloud-access
When you enable Google Cloud Access, any public IP addresses owned by Google Cloud can reach the public control plane endpoint of your cluster.
--enable-ip-access
Enable access to the cluster's control plane over private IP and public IP if --enable-private-endpoint is not enabled.
--enable-k8s-certs-via-dns
Enable K8s client certificates Authentication to the cluster's control plane over DNS-based endpoint.
--enable-k8s-tokens-via-dns
Enable K8s Service Account tokens Authentication to the cluster's control plane over DNS-based endpoint.
--enable-kernel-module-signature-enforcement
Enforces that kernel modules are signed on all new nodes in the cluster unless explicitly overridden with --no-enable-kernel-module-signature-enforcement when creating the nodepool. Use --no-enable-kernel-module-signature-enforcement to disable.

Examples:

gcloud container clusters create-auto example-cluster --enable-kernel-module-signature-enforcement
--enable-kubernetes-unstable-apis=API,[API,…]
Enable Kubernetes beta API features on this cluster. Beta APIs are not expected to be production ready and should be avoided in production-grade environments.
--enable-legacy-lustre-port
Allow the Lustre CSI driver to initialize LNet (the virtual network layer for the Lustre kernel module) using port 6988. This flag is required to work around a port conflict with the gke-metadata-server on GKE nodes.
--enable-lustre-csi-driver
Enable the Lustre CSI Driver GKE add-on. This add-on is disabled by default.
--enable-master-global-access
Use with private clusters to allow access to the master's private endpoint from any Google Cloud region or on-premises environment regardless of the private cluster's region.
--enable-multi-networking
Enables multi-networking on the cluster. Multi-networking is disabled by default.
--enable-ray-cluster-logging
Enable automatic log processing sidecar for Ray clusters.
--enable-ray-cluster-monitoring
Enable automatic metrics collection for Ray clusters.
--enable-ray-operator
Enable the Ray Operator GKE add-on. This add-on is disabled by default.
--fleet-project=PROJECT_ID_OR_NUMBER
Sets fleet host project for the cluster. If specified, the current cluster will be registered as a fleet membership under the fleet host project.

Example: $ gcloud container clusters create-auto --fleet-project=my-project

--hpa-profile=HPA_PROFILE
Set Horizontal Pod Autoscaler behavior. Accepted values are: none, performance. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/horizontal-pod-autoscaling#hpa-profile.
--labels=[KEY=VALUE,…]
Labels to apply to the Google Cloud resources in use by the Kubernetes Engine cluster. These are unrelated to Kubernetes labels.

Examples:

gcloud container clusters create-auto example-cluster --labels=label_a=value1,label_b=,label_c=value3
--logging=[COMPONENT,…]
Set the components that have logging enabled. Valid component values are: SYSTEM, WORKLOAD, API_SERVER, CONTROLLER_MANAGER, SCHEDULER

The default is SYSTEM,WORKLOAD. If this flag is set, then SYSTEM must be included.

For more information, see https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs#available-logs

Examples:

gcloud container clusters create-auto --logging=SYSTEM
gcloud container clusters create-auto --logging=SYSTEM,WORKLOAD
gcloud container clusters create-auto --logging=SYSTEM,WORKLOAD,API_SERVER,CONTROLLER_MANAGER,SCHEDULER
--membership-type=MEMBERSHIP_TYPE
Specify a membership type for the cluster's fleet membership. Example: $ gcloud container clusters create-auto --membership-type=LIGHTWEIGHT. MEMBERSHIP_TYPE must be (only one value is supported):
LIGHTWEIGHT
Fleet membership representing this cluster will be lightweight.
--monitoring=[COMPONENT,…]
Set the components that have monitoring enabled. Valid component values are: SYSTEM, WORKLOAD (Deprecated), NONE, API_SERVER, CONTROLLER_MANAGER, SCHEDULER, DAEMONSET, DEPLOYMENT, HPA, POD, STATEFULSET, STORAGE, CADVISOR, KUBELET, DCGM, JOBSET

For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics#available-metrics

Examples:

gcloud container clusters create-auto --monitoring=SYSTEM,API_SERVER,POD,DCGM
gcloud container clusters create-auto --monitoring=SYSTEM
--network=NETWORK
The Compute Engine Network that the cluster will connect to. Google Kubernetes Engine will use this network when creating routes and firewalls for the clusters. Defaults to the 'default' network.
--private-endpoint-subnetwork=NAME
Sets the subnetwork GKE uses to provision the control plane's private endpoint.
--release-channel=CHANNEL
Release channel a cluster is subscribed to.

If left unspecified and a version is specified, the cluster is enrolled in the most mature release channel where the version is available (first checking STABLE, then REGULAR, and finally RAPID). Otherwise, if no release channel and no version is specified, the cluster is enrolled in the REGULAR channel with its default version. When a cluster is subscribed to a release channel, Google maintains both the master version and the node version. Node auto-upgrade is enabled by default for release channel clusters and can be controlled via upgrade-scope exclusions.

CHANNEL must be one of:

extended
Clusters subscribed to 'extended' can remain on a minor version for 24 months from when the minor version is made available in the Regular channel.
rapid
'rapid' channel is offered on an early access basis for customers who want to test new releases.

WARNING: Versions available in the 'rapid' channel may be subject to unresolved issues with no known workaround and are not subject to any SLAs.

regular
Clusters subscribed to 'regular' receive versions that are considered GA quality. 'regular' is intended for production users who want to take advantage of new features.
stable
Clusters subscribed to 'stable' receive versions that are known to be stable and reliable in production.
--security-group=SECURITY_GROUP
The name of the RBAC security group for use with Google security groups in Kubernetes RBAC (https://kubernetes.io/docs/reference/access-authn-authz/rbac/).

To include group membership as part of the claims issued by Google during authentication, a group must be designated as a security group by including it as a direct member of this group.

If unspecified, no groups will be returned for use with RBAC.

--security-posture=SECURITY_POSTURE
Sets the mode of the Kubernetes security posture API's off-cluster features.

To enable advanced mode explicitly set the flag to --security-posture=enterprise.

To enable in standard mode explicitly set the flag to --security-posture=standard.

To disable in an existing cluster, explicitly set the flag to --security-posture=disabled.

For more information on enablement, see https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard#feature-enablement.

SECURITY_POSTURE must be one of: disabled, standard, enterprise.

--services-ipv4-cidr=CIDR
Set the IP range for the services IPs.

Can be specified as a netmask size (e.g. '/20') or in CIDR notation (e.g. '10.100.0.0/20'). If given as a netmask size, the IP range will be chosen automatically from the available space in the network.

If unspecified, the services CIDR range will be chosen with a default mask size.

--services-secondary-range-name=NAME
Set the secondary range to be used for services (e.g. ClusterIPs). NAME must be the name of an existing secondary range in the cluster subnetwork.

Cannot be used with '--create-subnetwork' option.

--subnetwork=SUBNETWORK
The Google Compute Engine subnetwork (https://cloud.google.com/compute/docs/subnetworks) to which the cluster is connected. The subnetwork must belong to the network specified by --network.

Cannot be used with the "--create-subnetwork" option.

--tier=TIER
(DEPRECATED) Set the desired tier for the cluster.

The --tier flag is deprecated. More info: https://cloud.google.com/kubernetes-engine/docs/release-notes#September_02_2025. TIER must be one of: standard, enterprise.

--workload-policies=WORKLOAD_POLICIES
Add Autopilot workload policies to the cluster.

Examples:

gcloud container clusters create-auto example-cluster --workload-policies=allow-net-admin

The only supported workload policy is 'allow-net-admin'.

--workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING
Sets the mode of the Kubernetes security posture API's workload vulnerability scanning.

To enable Advanced vulnerability insights mode explicitly set the flag to --workload-vulnerability-scanning=enterprise.

To enable in standard mode explicitly set the flag to --workload-vulnerability-scanning=standard.

To disable in an existing cluster, explicitly set the flag to --workload-vulnerability-scanning=disabled.

For more information on enablement, see https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard#feature-enablement.

WORKLOAD_VULNERABILITY_SCANNING must be one of: disabled, standard, enterprise.

At most one of these can be specified:
--additive-vpc-scope-dns-domain=ADDITIVE_VPC_SCOPE_DNS_DOMAIN
The domain used in Additive VPC scope. Only works with Cluster Scope.
--disable-additive-vpc-scope
Disables Additive VPC Scope.
Control Plane Keys
--aggregation-ca=CA_POOL_PATH
The Certificate Authority Service caPool that will back the aggregation CA
--cluster-ca=CA_POOL_PATH
The Certificate Authority Service caPool that will back the cluster CA
--control-plane-disk-encryption-key=KEY
The Cloud KMS symmetric encryption cryptoKey that will be used to encrypt the control plane disks
--etcd-api-ca=CA_POOL_PATH
The Certificate Authority Service caPool that will back the etcd API CA
--etcd-peer-ca=CA_POOL_PATH
The Certificate Authority Service caPool that will back the etcd peer CA
--gkeops-etcd-backup-encryption-key=KEY
The Cloud KMS symmetric encryption cryptoKey that will be used to encrypt the disaster recovery etcd backups for the cluster
--service-account-signing-keys=KEY_VERSION,[KEY_VERSION,…]
A Cloud KMS asymmetric signing cryptoKeyVersion that will be used to sign service account tokens
--service-account-verification-keys=KEY_VERSION,[KEY_VERSION,…]
A Cloud KMS asymmetric signing cryptoKeyVersion that will be used to verify service account tokens. May be specified multiple times.
At most one of these can be specified:
--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
(REMOVED) Select Advanced Datapath Observability mode for the cluster. Defaults to DISABLED.

Advanced Datapath Observability allows for a real-time view into pod-to-pod traffic within your cluster.

Examples:

gcloud container clusters create-auto --dataplane-v2-observability-mode=DISABLED
gcloud container clusters create-auto --dataplane-v2-observability-mode=INTERNAL_VPC_LB
gcloud container clusters create-auto --dataplane-v2-observability-mode=EXTERNAL_LB

Flag --dataplane-v2-observability-mode has been removed.

DATAPLANE_V2_OBSERVABILITY_MODE must be one of:

DISABLED
Disables Advanced Datapath Observability.
EXTERNAL_LB
Makes Advanced Datapath Observability available to the external network.
INTERNAL_VPC_LB
Makes Advanced Datapath Observability available from the VPC network.
--disable-dataplane-v2-flow-observability
Disables Advanced Datapath Observability.
--enable-dataplane-v2-flow-observability
Enables Advanced Datapath Observability which allows for a real-time view into pod-to-pod traffic within your cluster.
--enable-insecure-binding-system-authenticated
Allow using system:authenticated as a subject in ClusterRoleBindings and RoleBindings. Allowing bindings that reference system:authenticated is a security risk and is not recommended.

To disallow binding system:authenticated in a cluster, explicitly set the --no-enable-insecure-binding-system-authenticated flag instead.

--enable-insecure-binding-system-unauthenticated
Allow using system:unauthenticated and system:anonymous as subjects in ClusterRoleBindings and RoleBindings. Allowing bindings that reference system:unauthenticated and system:anonymous is a security risk and is not recommended.

To disallow binding system:authenticated in a cluster, explicitly set the --no-enable-insecure-binding-system-unauthenticated flag instead.

Master Authorized Networks
--enable-master-authorized-networks
Allow only specified set of CIDR blocks (specified by the --master-authorized-networks flag) to connect to Kubernetes master through HTTPS. Besides these blocks, the following have access as well:
1) The private network the cluster connects to if `--enable-private-nodes` is specified.
2) Google Compute Engine Public IPs if `--enable-private-nodes` is not specified.

Use --no-enable-master-authorized-networks to disable. When disabled, public internet (0.0.0.0/0) is allowed to connect to Kubernetes master through HTTPS.

--master-authorized-networks=NETWORK,[NETWORK,…]
The list of CIDR blocks (up to 100 for private cluster, 50 for public cluster) that are allowed to connect to Kubernetes master through HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot be specified unless --enable-master-authorized-networks is also specified.
Private Clusters
--enable-private-endpoint
Cluster is managed using the private IP address of the master API endpoint.
--enable-private-nodes
Cluster is created with no public IP addresses on the cluster nodes.
--master-ipv4-cidr=MASTER_IPV4_CIDR
IPv4 CIDR range to use for the master network. This should have a netmask of size /28 and should be used in conjunction with the --enable-private-nodes flag.
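The following is an added example and is not part of the gcloud reference: a POSIX shell preflight script that checks, locally and before gcloud is ever called, the inputs constrained by the flag descriptions on this page (the cluster NAME rules, the /28 netmask required for --master-ipv4-cidr, the CIDR notation and count limit for --master-authorized-networks and its dependency on --enable-master-authorized-networks), and then composes a create-auto invocation from the restrictive settings the page documents (LIMITED anonymous authentication, the --no-enable-insecure-binding-system-* flags, private nodes and endpoint, authorized networks, a customer-managed key for Secrets encryption). The function names are this example's own, and the project, location, KMS key path and CIDR values are constructed placeholders; the script prints the command instead of running it.

```shell
# Added example (not gcloud's own code): local preflight checks for a
# hardened `gcloud container clusters create-auto` invocation.

# NAME: lowercase alphanumerics and '-', starts with a letter,
# ends with an alphanumeric, at most 40 characters.
valid_cluster_name() {
  name="$1"
  [ "${#name}" -le 40 ] || return 1
  printf '%s\n' "$name" | grep -Eq '^[a-z]([a-z0-9-]*[a-z0-9])?$'
}

# --master-ipv4-cidr: the page requires a netmask of size /28.
valid_master_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/28$'
}

# Number of comma-separated entries in a --master-authorized-networks value.
count_cidrs() {
  [ -z "$1" ] && { echo 0; return; }
  printf '%s\n' "$1" | tr ',' '\n' | grep -c .
}

# --master-authorized-networks: up to 100 CIDRs for a private cluster,
# 50 for a public one; every entry in CIDR notation; an all-zero range
# would reopen the endpoint the flag is meant to restrict, so reject it.
valid_authorized_networks() {
  nets="$1"; private="$2"
  limit=50
  [ "$private" = "yes" ] && limit=100
  n=$(count_cidrs "$nets")
  [ "$n" -ge 1 ] && [ "$n" -le "$limit" ] || return 1
  printf '%s\n' "$nets" | tr ',' '\n' \
    | grep -Evq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$' && return 1
  printf '%s\n' "$nets" | tr ',' '\n' | grep -q '^0\.0\.0\.0/0$' && return 1
  return 0
}

# Validate the inputs, then print the composed command. Because
# --master-authorized-networks requires --enable-master-authorized-networks,
# the two are always emitted together.
build_create_auto_cmd() {
  name="$1"; location="$2"; nets="$3"; master_cidr="$4"; kms_key="$5"
  valid_cluster_name "$name" \
    || { echo "invalid cluster name: $name" >&2; return 1; }
  valid_master_cidr "$master_cidr" \
    || { echo "--master-ipv4-cidr must be a /28 range" >&2; return 1; }
  valid_authorized_networks "$nets" yes \
    || { echo "bad --master-authorized-networks list: $nets" >&2; return 1; }
  printf 'gcloud container clusters create-auto %s' "$name"
  printf ' --location=%s' "$location"
  printf ' --enable-private-nodes --enable-private-endpoint'
  printf ' --master-ipv4-cidr=%s' "$master_cidr"
  printf ' --enable-master-authorized-networks'
  printf ' --master-authorized-networks=%s' "$nets"
  printf ' --anonymous-authentication-config=LIMITED'
  printf ' --no-enable-insecure-binding-system-authenticated'
  printf ' --no-enable-insecure-binding-system-unauthenticated'
  printf ' --enable-kernel-module-signature-enforcement'
  printf ' --database-encryption-key=%s' "$kms_key"
  printf ' --security-posture=standard'
  printf ' --workload-vulnerability-scanning=standard'
  printf ' --logging=SYSTEM,WORKLOAD,API_SERVER --release-channel=regular\n'
}

# Stand-alone demonstration with constructed placeholder values
# (KEY_PROJECT_ID, RING_NAME and KEY_NAME are not real resources).
build_create_auto_cmd sample-cluster us-central1 \
  '203.0.113.0/24,198.51.100.0/24' 172.16.0.0/28 \
  'projects/KEY_PROJECT_ID/locations/us-central1/keyRings/RING_NAME/cryptoKeys/KEY_NAME'
```

Run the script as-is to see the composed command; change the name to `Bad-Name` or the master CIDR to a /24 and it exits non-zero with a message instead of printing anything, which is the point of checking locally rather than waiting for the API to reject the request.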
Flags for Secret Manager configuration:
--enable-secret-manager
Enables the Secret Manager CSI driver provider component. See https://secrets-store-csi-driver.sigs.k8s.io/introduction and https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp
--enable-secret-manager-rotation
Enables the rotation of secrets in the Secret Manager CSI driver provider component.
--secret-manager-rotation-interval=SECRET_MANAGER_ROTATION_INTERVAL
Set the rotation period for secrets in the Secret Manager CSI driver provider component. If you don't specify a time interval for the rotation, it will default to a rotation period of two minutes.
At most one of these can be specified:
--location=LOCATION
Compute zone or region (e.g. us-central1-a or us-central1) for the cluster. Overrides the default compute/region or compute/zone value for this command invocation. Prefer using this flag over the --region or --zone flags.
--region=REGION
Compute region (e.g. us-central1) for a regional cluster. Overrides the default compute/region property value for this command invocation.
--zone=ZONE, -z ZONE
Compute zone (e.g. us-central1-a) for a zonal cluster. Overrides the default compute/zone property value for this command invocation.
Options to specify the node identity.
Scopes options.
--scopes=[SCOPE,…]; default="gke-default"
Specifies scopes for the node instances.

Examples:

gcloud container clusters create-auto example-cluster --scopes=https://www.googleapis.com/auth/devstorage.read_only
gcloud container clusters create-auto example-cluster --scopes=bigquery,storage-rw,compute-ro

Multiple scopes can be specified, separated by commas. Various scopes are automatically added based on feature usage. Such scopes are not added if an equivalent scope already exists.

  • monitoring-write: always added to ensure metrics can be written
  • logging-write: added if Cloud Logging is enabled (--enable-cloud-logging/--logging)
  • monitoring: added if Cloud Monitoring is enabled (--enable-cloud-monitoring/--monitoring)
  • gke-default: added for Autopilot clusters that use the default service account
  • cloud-platform: added for Autopilot clusters that use any other service account

SCOPE can be either the full URI of the scope or an alias. Default scopes are assigned to all instances. Available aliases are:

Alias                  URI
bigquery               https://www.googleapis.com/auth/bigquery
cloud-platform         https://www.googleapis.com/auth/cloud-platform
cloud-source-repos     https://www.googleapis.com/auth/source.full_control
cloud-source-repos-ro  https://www.googleapis.com/auth/source.read_only
compute-ro             https://www.googleapis.com/auth/compute.readonly
compute-rw             https://www.googleapis.com/auth/compute
datastore              https://www.googleapis.com/auth/datastore
default                https://www.googleapis.com/auth/devstorage.read_only
                       https://www.googleapis.com/auth/logging.write
                       https://www.googleapis.com/auth/monitoring.write
                       https://www.googleapis.com/auth/pubsub
                       https://www.googleapis.com/auth/service.management.readonly
                       https://www.googleapis.com/auth/servicecontrol
                       https://www.googleapis.com/auth/trace.append
gke-default            https://www.googleapis.com/auth/devstorage.read_only
                       https://www.googleapis.com/auth/logging.write
                       https://www.googleapis.com/auth/monitoring
                       https://www.googleapis.com/auth/service.management.readonly
                       https://www.googleapis.com/auth/servicecontrol
                       https://www.googleapis.com/auth/trace.append
logging-write          https://www.googleapis.com/auth/logging.write
monitoring             https://www.googleapis.com/auth/monitoring
monitoring-read        https://www.googleapis.com/auth/monitoring.read
monitoring-write       https://www.googleapis.com/auth/monitoring.write
pubsub                 https://www.googleapis.com/auth/pubsub
service-control        https://www.googleapis.com/auth/servicecontrol
service-management     https://www.googleapis.com/auth/service.management.readonly
sql (deprecated)       https://www.googleapis.com/auth/sqlservice
sql-admin              https://www.googleapis.com/auth/sqlservice.admin
storage-full           https://www.googleapis.com/auth/devstorage.full_control
storage-ro             https://www.googleapis.com/auth/devstorage.read_only
storage-rw             https://www.googleapis.com/auth/devstorage.read_write
taskqueue              https://www.googleapis.com/auth/taskqueue
trace                  https://www.googleapis.com/auth/trace.append
userinfo-email         https://www.googleapis.com/auth/userinfo.email

DEPRECATION WARNING: The https://www.googleapis.com/auth/sqlservice account scope and the sql alias do not provide SQL instance management capabilities and have been deprecated. Please use https://www.googleapis.com/auth/sqlservice.admin or sql-admin to manage your Google SQL Service instances.
--service-account=SERVICE_ACCOUNT
The Google Cloud Platform Service Account to be used by the node VMs. If a service account is specified, the cloud-platform and userinfo.email scopes are used. If no Service Account is specified, the project default service account is used.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
These variants are also available:
gcloud alpha container clusters create-auto
gcloud beta container clusters create-auto

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-18 UTC.