gcloud beta container clusters update

NAME
gcloud beta container clusters update - update cluster settings for an existing container cluster
SYNOPSIS
gcloud beta container clusters update NAME
    (--anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG
     | --autopilot-workload-policies=WORKLOAD_POLICIES
     | --autoprovisioning-cgroup-mode=AUTOPROVISIONING_CGROUP_MODE
     | --autoprovisioning-enable-insecure-kubelet-readonly-port
     | --autoprovisioning-network-tags=[TAGS,…]
     | --autoprovisioning-resource-manager-tags=[KEY=VALUE,…]
     | --autoscaling-profile=AUTOSCALING_PROFILE
     | --complete-credential-rotation
     | --complete-ip-rotation
     | --containerd-config-from-file=PATH_TO_FILE
     | --database-encryption-key=DATABASE_ENCRYPTION_KEY
     | --disable-database-encryption
     | --disable-default-snat
     | --disable-workload-identity
     | --[no-]enable-autopilot-compatibility-auditing
     | --enable-autoscaling
     | --[no-]enable-cilium-clusterwide-network-policy
     | --enable-cost-allocation
     | --enable-default-compute-class
     | --enable-fqdn-network-policy
     | --enable-gke-oidc
     | --enable-identity-service
     | --enable-image-streaming
     | --enable-insecure-kubelet-readonly-port
     | --enable-intra-node-visibility
     | --enable-kernel-module-signature-enforcement
     | --enable-kubernetes-unstable-apis=API,[API,…]
     | --enable-l4-ilb-subsetting
     | --enable-legacy-authorization
     | --enable-legacy-lustre-port
     | --enable-logging-monitoring-system-only
     | --enable-multi-networking
     | --enable-network-policy
     | --enable-pod-security-policy
     | --enable-private-nodes
     | --[no-]enable-ray-cluster-logging
     | --[no-]enable-ray-cluster-monitoring
     | --enable-service-externalips
     | --enable-shielded-nodes
     | --enable-stackdriver-kubernetes
     | --enable-vertical-pod-autoscaling
     | --gateway-api=GATEWAY_API
     | --generate-password
     | --hpa-profile=HPA_PROFILE
     | --identity-provider=IDENTITY_PROVIDER
     | --in-transit-encryption=IN_TRANSIT_ENCRYPTION
     | --logging-variant=LOGGING_VARIANT
     | --maintenance-window=START_TIME
     | --network-performance-configs=[PROPERTY1=VALUE1,…]
     | --notification-config=[pubsub=ENABLED|DISABLED,pubsub-topic=TOPIC,…]
     | --patch-update=[PATCH_UPDATE]
     | --private-ipv6-google-access-type=PRIVATE_IPV6_GOOGLE_ACCESS_TYPE
     | --release-channel=CHANNEL
     | --remove-autopilot-workload-policies=REMOVE_WORKLOAD_POLICIES
     | --remove-labels=[KEY,…]
     | --remove-workload-policies=REMOVE_WORKLOAD_POLICIES
     | --security-group=SECURITY_GROUP
     | --security-posture=SECURITY_POSTURE
     | --set-password
     | --stack-type=STACK_TYPE
     | --start-credential-rotation
     | --start-ip-rotation
     | --tier=TIER
     | --update-addons=[ADDON=ENABLED|DISABLED,…]
     | --update-labels=[KEY=VALUE,…]
     | --workload-policies=WORKLOAD_POLICIES
     | --workload-pool=WORKLOAD_POOL
     | --workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING
     | --additional-ip-ranges=[subnetwork=NAME,pod-ipv4-range=NAME,…] --remove-additional-ip-ranges=[subnetwork=NAME,pod-ipv4-range=NAME,…]
     | --additional-pod-ipv4-ranges=NAME,[NAME,…] --remove-additional-pod-ipv4-ranges=NAME,[NAME,…]
     | --additional-zones=[ZONE,…]
     | --node-locations=ZONE,[ZONE,…]
     | --auto-monitoring-scope=AUTO_MONITORING_SCOPE --logging=[COMPONENT,…] --monitoring=[COMPONENT,…] --disable-managed-prometheus
     | --enable-managed-prometheus
     | --binauthz-policy-bindings=[name=BINAUTHZ_POLICY] --binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE
     | --enable-binauthz
     | --clear-fleet-project --enable-fleet --fleet-project=PROJECT_ID_OR_NUMBER --membership-type=MEMBERSHIP_TYPE --unset-membership-type
     | --clear-maintenance-window
     | --remove-maintenance-exclusion=NAME
     | [(--add-maintenance-exclusion-end=TIME_STAMP | --add-maintenance-exclusion-until-end-of-support) : --add-maintenance-exclusion-name=NAME --add-maintenance-exclusion-scope=SCOPE --add-maintenance-exclusion-start=TIME_STAMP]
     | --maintenance-window-end=TIME_STAMP --maintenance-window-recurrence=RRULE --maintenance-window-start=TIME_STAMP
     | --clear-resource-usage-bigquery-dataset
     | --enable-network-egress-metering --enable-resource-consumption-metering --resource-usage-bigquery-dataset=RESOURCE_USAGE_BIGQUERY_DATASET
     | --cluster-dns=CLUSTER_DNS --cluster-dns-domain=CLUSTER_DNS_DOMAIN --cluster-dns-scope=CLUSTER_DNS_SCOPE --additive-vpc-scope-dns-domain=ADDITIVE_VPC_SCOPE_DNS_DOMAIN
     | --disable-additive-vpc-scope
     | --dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
     | --disable-dataplane-v2-flow-observability
     | --enable-dataplane-v2-flow-observability --disable-dataplane-v2-metrics
     | --enable-dataplane-v2-metrics
     | --disable-auto-ipam
     | --enable-auto-ipam
     | --disable-l4-lb-firewall-reconciliation
     | --enable-l4-lb-firewall-reconciliation
     | --disable-pod-snapshots
     | --enable-pod-snapshots
     | --enable-authorized-networks-on-private-endpoint --enable-dns-access --enable-google-cloud-access --enable-ip-access --enable-k8s-certs-via-dns --enable-k8s-tokens-via-dns --enable-master-global-access --enable-private-endpoint --enable-master-authorized-networks --master-authorized-networks=NETWORK,[NETWORK,…]
     | --enable-autoprovisioning --autoprovisioning-config-file=PATH_TO_FILE
     | --autoprovisioning-image-type=AUTOPROVISIONING_IMAGE_TYPE --autoprovisioning-locations=ZONE,[ZONE,…] --autoprovisioning-min-cpu-platform=PLATFORM --max-cpu=MAX_CPU --max-memory=MAX_MEMORY --min-cpu=MIN_CPU --min-memory=MIN_MEMORY --autoprovisioning-max-surge-upgrade=AUTOPROVISIONING_MAX_SURGE_UPGRADE --autoprovisioning-max-unavailable-upgrade=AUTOPROVISIONING_MAX_UNAVAILABLE_UPGRADE --autoprovisioning-node-pool-soak-duration=AUTOPROVISIONING_NODE_POOL_SOAK_DURATION --autoprovisioning-standard-rollout-policy=[batch-node-count=BATCH_NODE_COUNT,batch-percent=BATCH_NODE_PERCENTAGE,batch-soak-duration=BATCH_SOAK_DURATION,…] --enable-autoprovisioning-blue-green-upgrade
     | --enable-autoprovisioning-surge-upgrade --autoprovisioning-scopes=[SCOPE,…] --autoprovisioning-service-account=AUTOPROVISIONING_SERVICE_ACCOUNT --enable-autoprovisioning-autorepair --enable-autoprovisioning-autoupgrade [--max-accelerator=[type=TYPE,count=COUNT,…] : --min-accelerator=[type=TYPE,count=COUNT,…]]
     | --enable-insecure-binding-system-authenticated --enable-insecure-binding-system-unauthenticated
     | --logging-service=LOGGING_SERVICE --monitoring-service=MONITORING_SERVICE
     | --[no-]enable-secret-manager --[no-]enable-secret-manager-rotation --secret-manager-rotation-interval=SECRET_MANAGER_ROTATION_INTERVAL
     | --[no-]enable-secret-sync --[no-]enable-secret-sync-rotation --secret-sync-rotation-interval=SECRET_SYNC_ROTATION_INTERVAL
     | --password=PASSWORD --enable-basic-auth
     | --username=USERNAME, -u USERNAME)
    [--async]
    [--cloud-run-config=[load-balancer-type=EXTERNAL,…]]
    [--istio-config=[auth=MTLS_PERMISSIVE,…]]
    [--node-pool=NODE_POOL]
    [--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
    [--location-policy=LOCATION_POLICY --max-nodes=MAX_NODES --min-nodes=MIN_NODES --total-max-nodes=TOTAL_MAX_NODES --total-min-nodes=TOTAL_MIN_NODES]
    [GCLOUD_WIDE_FLAG]
DESCRIPTION
(BETA) Update cluster settings for an existing container cluster.
EXAMPLES
To enable autoscaling for an existing cluster, run:
gcloud beta container clusters update sample-cluster --enable-autoscaling
POSITIONAL ARGUMENTS
NAME
The name of the cluster to update.
REQUIRED FLAGS
Exactly one of these must be specified:
--anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG
Enable or restrict anonymous access to the cluster. When enabled, anonymous users will be authenticated as system:anonymous with the group system:unauthenticated. Limiting access restricts anonymous access to only the health check endpoints /readyz, /livez, and /healthz.

ANONYMOUS_AUTHENTICATION_CONFIG must be one of:

ENABLED
'ENABLED' enables anonymous calls.
LIMITED
'LIMITED' restricts anonymous access to the cluster. Only calls to the health check endpoints are allowed anonymously; all other calls will be rejected.
--autopilot-workload-policies=WORKLOAD_POLICIES
Add Autopilot workload policies to the cluster.

Examples:

gcloud beta container clusters update example-cluster --autopilot-workload-policies=allow-net-admin

The only supported workload policy is 'allow-net-admin'.

--autoprovisioning-cgroup-mode=AUTOPROVISIONING_CGROUP_MODE
Sets the cgroup mode for auto-provisioned nodes.

Updating this flag triggers an update using surge upgrades of all existing auto-provisioned nodes to apply the new value of cgroup mode.

For an Autopilot cluster, the specified cgroup mode will be set on all existing and new nodes in the cluster. For a Standard cluster, the specified cgroup mode will be set on all existing and new auto-provisioned node pools in the cluster.

If not set, GKE uses cgroupv2 for new nodes when the cluster was created running 1.26 or later, and cgroupv1 for clusters created running 1.25 or earlier. To check your initial cluster version, run gcloud container clusters describe [NAME] --format="value(initialClusterVersion)".

For clusters created running version 1.26 or later, you can't set the cgroup mode to v1.

To learn more, see: https://cloud.google.com/kubernetes-engine/docs/how-to/migrate-cgroupv2.

AUTOPROVISIONING_CGROUP_MODE must be one of: default, v1, v2.

--autoprovisioning-enable-insecure-kubelet-readonly-port
Enables the Kubelet's insecure read-only port for auto-provisioned node pools.

If not set, the value from nodePoolDefaults.nodeConfigDefaults will be used.

To disable the read-only port, use --no-autoprovisioning-enable-insecure-kubelet-readonly-port.

--autoprovisioning-network-tags=[TAGS,…]
Replaces the user-specified Compute Engine tags on all nodes in all the existing auto-provisioned node pools in the Standard cluster, or on all nodes in the Autopilot cluster, with the given tags (comma separated).

Examples:

gcloud beta container clusters update example-cluster --autoprovisioning-network-tags=tag1,tag2

New nodes in auto-provisioned node pools, including ones created by resize or recreate, will have these tags on the Compute Engine API instance object, and these tags can be used in firewall rules. See https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create for examples.

--autoprovisioning-resource-manager-tags=[KEY=VALUE,…]
For an Autopilot cluster, the specified comma-separated resource manager tags that have the GCP_FIREWALL purpose replace the existing tags on all nodes in the cluster.

For a Standard cluster, the specified comma-separated resource manager tags that have the GCE_FIREWALL purpose are applied to all nodes in newly created auto-provisioned node pools. Existing auto-provisioned node pools retain the tags that they had before the update. To update tags on an existing auto-provisioned node pool, use the node pool level flag '--resource-manager-tags'.

Examples:

gcloud beta container clusters update example-cluster --autoprovisioning-resource-manager-tags=tagKeys/1234=tagValues/2345
gcloud beta container clusters update example-cluster --autoprovisioning-resource-manager-tags=my-project/key1=value1
gcloud beta container clusters update example-cluster --autoprovisioning-resource-manager-tags=12345/key1=value1,23456/key2=value2
gcloud beta container clusters update example-cluster --autoprovisioning-resource-manager-tags=

All nodes in an Autopilot cluster, or all newly created auto-provisioned nodes in a Standard cluster, including nodes that are resized or re-created, will have the specified tags on the corresponding Instance object in the Compute Engine API. You can reference these tags in network firewall policy rules. For instructions, see https://cloud.google.com/firewall/docs/use-tags-for-firewalls.

--autoscaling-profile=AUTOSCALING_PROFILE
Set autoscaling behaviour. Choices are 'optimize-utilization' and 'balanced'. Default is 'balanced'.
--complete-credential-rotation
Complete the IP and credential rotation for this cluster. For example:
gcloud beta container clusters update example-cluster --complete-credential-rotation

This causes the cluster to stop serving its old IP, return to a single IP, and invalidate old credentials. See documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation.

--complete-ip-rotation
Complete the IP rotation for this cluster. For example:
gcloud beta container clusters update example-cluster --complete-ip-rotation

This causes the cluster to stop serving its old IP, and return to a single IP state. See documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/ip-rotation.

--containerd-config-from-file=PATH_TO_FILE
Path of the YAML file that contains containerd configuration entries, such as configuring access to private image registries.

For detailed information on the configuration usage, please refer to https://cloud.google.com/kubernetes-engine/docs/how-to/customize-containerd-configuration.

Note: Updating the containerd configuration of an existing cluster or node pool requires recreation of the existing nodes, which might cause disruptions in running workloads.

Use a full or relative path to a local file containing the value of containerd_config.

--database-encryption-key=DATABASE_ENCRYPTION_KEY
Enable Database Encryption.

Enable database encryption that will be used to encrypt Kubernetes Secrets at the application layer. The key provided should be the resource ID in the format of projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.

--disable-database-encryption
Disable database encryption.

Disable Database Encryption, which encrypts Kubernetes Secrets at the application layer. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.

--disable-default-snat
Disable default source NAT rules applied in cluster nodes.

By default, cluster nodes perform source network address translation (SNAT) for packets sent from Pod IP address sources to destination IP addresses that are not in the non-masquerade CIDRs list. SNAT changes the packet's source IP address to the node's internal IP address. For more details about SNAT and IP masquerading, see: https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent#how_ipmasq_works

When this flag is set, GKE does not perform SNAT for packets sent to any destination. You must set this flag if the cluster uses privately reused public IPs.

The --disable-default-snat flag is only applicable to private GKE clusters, which are inherently VPC-native. Thus, --disable-default-snat requires that the cluster was created with both --enable-ip-alias and --enable-private-nodes.

--disable-workload-identity
Disable Workload Identity on the cluster.

For more information on Workload Identity, see

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
--[no-]enable-autopilot-compatibility-auditing
Lets you run the gcloud container clusters check-autopilot-compatibility command to check whether your workloads are compatible with Autopilot mode. This flag is only applicable to clusters that run version 1.31.6-gke.1027000 or later.

Note: This flag causes a control plane restart.

Use --enable-autopilot-compatibility-auditing to enable and --no-enable-autopilot-compatibility-auditing to disable.

--enable-autoscaling
Enables autoscaling for a node pool.

Enables autoscaling in the node pool specified by --node-pool, or the default node pool if --node-pool is not provided. If not already set, --max-nodes or --total-max-nodes must also be set.

--[no-]enable-cilium-clusterwide-network-policy
Enable Cilium Clusterwide Network Policies on the cluster. Use --enable-cilium-clusterwide-network-policy to enable and --no-enable-cilium-clusterwide-network-policy to disable.
--enable-cost-allocation
Enable the cost management feature.

When enabled, you can get informational GKE cost breakdowns by cluster,namespace and label in your billing data exported to BigQuery(https://cloud.google.com/billing/docs/how-to/export-data-bigquery).

Use --no-enable-cost-allocation to disable this feature.

--enable-default-compute-class
Enable the default compute class to use for the cluster.

To disable Default Compute Class in an existing cluster, explicitly set the flag --no-enable-default-compute-class.

--enable-fqdn-network-policy
Enable FQDN Network Policies on the cluster. FQDN Network Policies are disabled by default.
--enable-gke-oidc
(DEPRECATED) Enable GKE OIDC authentication on the cluster.

When enabled, users can authenticate to the Kubernetes cluster after properly setting the OIDC config.

GKE OIDC is disabled by default when creating a new cluster. To disable GKE OIDC in an existing cluster, explicitly set the flag --no-enable-gke-oidc.

GKE OIDC is being replaced by Identity Service across Anthos and GKE. Thus, the flag --enable-gke-oidc is also deprecated. Please use --enable-identity-service to enable the Identity Service component.

--enable-identity-service
Enable the Identity Service component on the cluster.

When enabled, users can authenticate to the Kubernetes cluster with external identity providers.

Identity Service is disabled by default when creating a new cluster. To disable Identity Service in an existing cluster, explicitly set the flag --no-enable-identity-service.

--enable-image-streaming
Specifies whether to enable image streaming on the cluster.
--enable-insecure-kubelet-readonly-port
Enables the Kubelet's insecure read-only port.

To disable the read-only port on a cluster or node pool, set the flag to --no-enable-insecure-kubelet-readonly-port.

--enable-intra-node-visibility
Enable Intra-node visibility for this cluster.

Enabling intra-node visibility makes your intra-node pod-to-pod traffic visible to the networking fabric. With this feature, you can use VPC flow logging or other VPC features for intra-node traffic.

Enabling it on an existing cluster causes the cluster master and the cluster nodes to restart, which might cause a disruption.

--enable-kernel-module-signature-enforcement
Enforces that kernel modules are signed on all new nodes in the cluster unless explicitly overridden with --no-enable-kernel-module-signature-enforcement when creating the node pool. Use --no-enable-kernel-module-signature-enforcement to disable.

Examples:

gcloud beta container clusters update example-cluster --enable-kernel-module-signature-enforcement
--enable-kubernetes-unstable-apis=API,[API,…]
Enable Kubernetes beta API features on this cluster. Beta APIs are not expected to be production ready and should be avoided in production-grade environments.
--enable-l4-ilb-subsetting
Enable Subsetting for L4 ILB services created on this cluster.
--enable-legacy-authorization
Enables the legacy ABAC authentication for the cluster. User rights are granted through the use of policies which combine attributes together. For a detailed look at these properties and related formats, see https://kubernetes.io/docs/admin/authorization/abac/. To use RBAC permissions instead, create or update your cluster with the option --no-enable-legacy-authorization.
--enable-legacy-lustre-port
Allow the Lustre CSI driver to initialize LNet (the virtual network layer for the Lustre kernel module) using port 6988. This flag is required to work around a port conflict with the gke-metadata-server on GKE nodes.
--enable-logging-monitoring-system-only
(DEPRECATED) Enable Cloud Operations system-only monitoring and logging.

The --enable-logging-monitoring-system-only flag is deprecated and will be removed in an upcoming release. Please use --logging and --monitoring instead. For more information, please read: https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs and https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics.

--enable-multi-networking
Enables multi-networking on the cluster. Multi-networking is disabled by default.
--enable-network-policy
Enable network policy enforcement for this cluster. If you are enabling network policy on an existing cluster, the network policy addon must first be enabled on the master by using the --update-addons=NetworkPolicy=ENABLED flag.
--enable-pod-security-policy
Enables the pod security policy admission controller for the cluster. The pod security policy admission controller adds fine-grained pod create and update authorization controls through the PodSecurityPolicy API objects. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies.
--enable-private-nodes
Standard cluster: Enable private nodes as a default behavior for all newly created node pools, if --enable-private-nodes is not provided at node pool creation time.
Modifications to this flag do not affect the `--enable-private-nodes` state of the existing node pools.

Autopilot cluster: Force new and existing workloads, without an explicit cloud.google.com/private-node=true node selector, to run on nodes with no public IP address.

Modifications to this flag trigger a re-schedule operation on all existing workloads to run on different node VMs.
--[no-]enable-ray-cluster-logging
Enable automatic log processing sidecar for Ray clusters. Use --enable-ray-cluster-logging to enable and --no-enable-ray-cluster-logging to disable.
--[no-]enable-ray-cluster-monitoring
Enable automatic metrics collection for Ray clusters. Use --enable-ray-cluster-monitoring to enable and --no-enable-ray-cluster-monitoring to disable.
--enable-service-externalips
Enables use of services with the externalIPs field.
--enable-shielded-nodes
Enable Shielded Nodes for this cluster. Enabling Shielded Nodes will enable a more secure Node credential bootstrapping implementation. Starting with version 1.18, clusters will have Shielded GKE nodes by default.
--enable-stackdriver-kubernetes
(DEPRECATED) Enable Cloud Operations for GKE.

The --enable-stackdriver-kubernetes flag is deprecated and will be removed in an upcoming release. Please use --logging and --monitoring instead. For more information, please read: https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs and https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics.

Flags for vertical pod autoscaling:

At most one of these can be specified:

--enable-vertical-pod-autoscaling
Enable vertical pod autoscaling for a cluster.
--gateway-api=GATEWAY_API
Enables the GKE Gateway controller in this cluster. The value of the flag specifies which Open Source Gateway API release channel will be used to define Gateway resources. GATEWAY_API must be one of:
disabled
Gateway controller will be disabled in the cluster.
standard
Gateway controller will be enabled in the cluster. Resource definitions from the standard OSS Gateway API release channel will be installed.
--generate-password
Ask the server to generate a secure password and use that as the basic auth password, keeping the existing username.
--hpa-profile=HPA_PROFILE
Set Horizontal Pod Autoscaler behavior. Accepted values are: none, performance. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/horizontal-pod-autoscaling#hpa-profile.
--identity-provider=IDENTITY_PROVIDER
Enable 3P identity provider on the cluster.
--in-transit-encryption=IN_TRANSIT_ENCRYPTION
Enable Dataplane V2 in-transit encryption. Dataplane V2 in-transit encryption is disabled by default. IN_TRANSIT_ENCRYPTION must be one of: inter-node-transparent, none.
--logging-variant=LOGGING_VARIANT
Specifies the logging variant that will be deployed on all the nodes in the cluster. Valid logging variants are MAX_THROUGHPUT and DEFAULT. If no value is specified, DEFAULT is used. LOGGING_VARIANT must be one of:
DEFAULT
'DEFAULT' variant requests minimal resources but may not guarantee high throughput.
MAX_THROUGHPUT
'MAX_THROUGHPUT' variant requests more node resources and is able to achieve logging throughput up to 10MB per sec.
--maintenance-window=START_TIME
Set a time of day when you prefer maintenance to start on this cluster. For example:
gcloud beta container clusters update example-cluster --maintenance-window=12:43

The time corresponds to the UTC time zone, and must be in HH:MM format.

Non-emergency maintenance will occur in the 4 hour block starting at the specified time.

This is mutually exclusive with the recurring maintenance windows and will overwrite any existing window. Compatible with maintenance exclusions.

To remove an existing maintenance window from the cluster, use '--clear-maintenance-window'.

--network-performance-configs=[PROPERTY1=VALUE1,…]
Configures network performance settings for the cluster. Node pools can override with their own settings.
total-egress-bandwidth-tier
Total egress bandwidth is the available outbound bandwidth from a VM, regardless of whether the traffic is going to internal IP or external IP destinations. The following tier values are allowed: [TIER_UNSPECIFIED,TIER_1].

See https://cloud.google.com/compute/docs/networking/configure-vm-with-high-bandwidth-configuration for more information.

--notification-config=[pubsub=ENABLED|DISABLED,pubsub-topic=TOPIC,…]
The notification configuration of the cluster. GKE supports publishing cluster upgrade notifications to any Pub/Sub topic you created in the same project. Create a subscription for the topic specified to receive notification messages. See https://cloud.google.com/pubsub/docs/admin on how to manage Pub/Sub topics and subscriptions. You can also use the filter option to specify which event types you'd like to receive from the following options: SecurityBulletinEvent, UpgradeEvent, UpgradeInfoEvent, UpgradeAvailableEvent.

Examples:

gcloud beta container clusters update example-cluster --notification-config=pubsub=ENABLED,pubsub-topic=projects/{project}/topics/{topic-name}
gcloud beta container clusters update example-cluster --notification-config=pubsub=ENABLED,pubsub-topic=projects/{project}/topics/{topic-name},filter="SecurityBulletinEvent|UpgradeEvent"

The project of the Pub/Sub topic must be the same one as the cluster. It can be either the project ID or the project number.

--patch-update=[PATCH_UPDATE]
The patch update to use for the cluster.

Setting to 'accelerated' automatically upgrades the cluster to the latest patch available within the cluster's current minor version and release channel. Setting to 'default' automatically upgrades the cluster to the default patch upgrade target version available within the cluster's current minor version and release channel.

PATCH_UPDATE must be one of: accelerated, default.

--private-ipv6-google-access-type=PRIVATE_IPV6_GOOGLE_ACCESS_TYPE
Sets the type of private access to Google services over IPv6.

PRIVATE_IPV6_GOOGLE_ACCESS_TYPE must be one of:

bidirectional
Allows Google services to initiate connections to GKE pods in this cluster. This is not intended for common use, and requires previous integration with Google services.
disabled
Default value. Disables private access to Google services over IPv6.
outbound-only
Allows GKE pods to make fast, secure requests to Google services over IPv6. This is the most common use of private IPv6 access.

gcloud alpha container clusters create --private-ipv6-google-access-type=disabled
gcloud alpha container clusters create --private-ipv6-google-access-type=outbound-only
gcloud alpha container clusters create --private-ipv6-google-access-type=bidirectional

PRIVATE_IPV6_GOOGLE_ACCESS_TYPE must be one of: bidirectional, disabled, outbound-only.

--release-channel=CHANNEL
Subscribe or unsubscribe this cluster to a release channel.

When a cluster is subscribed to a release channel, Google maintains both the master version and the node version. Node auto-upgrade is enabled by default for release channel clusters and can be controlled via upgrade-scope exclusions.

CHANNEL must be one of:

None
Use 'None' to opt out of any release channel.
extended
Clusters subscribed to 'extended' can remain on a minor version for 24 months from when the minor version is made available in the Regular channel.
rapid
The 'rapid' channel is offered on an early access basis for customers who want to test new releases.

WARNING: Versions available in the 'rapid' channel may be subject to unresolved issues with no known workaround and are not subject to any SLAs.

regular
Clusters subscribed to 'regular' receive versions that are considered GA quality. 'regular' is intended for production users who want to take advantage of new features.
stable
Clusters subscribed to 'stable' receive versions that are known to be stable and reliable in production.
--remove-autopilot-workload-policies=REMOVE_WORKLOAD_POLICIES
Remove Autopilot workload policies from the cluster.

Examples:

gcloud beta container clusters update example-cluster --remove-autopilot-workload-policies=allow-net-admin

The only supported workload policy is 'allow-net-admin'.

--remove-labels=[KEY,…]
Labels to remove from the Google Cloud resources in use by the Kubernetes Engine cluster. These are unrelated to Kubernetes labels.

Examples:

gcloud beta container clusters update example-cluster --remove-labels=label_a,label_b
--remove-workload-policies=REMOVE_WORKLOAD_POLICIES
Remove Autopilot workload policies from the cluster.

Examples:

gcloud beta container clusters update example-cluster --remove-workload-policies=allow-net-admin

The only supported workload policy is 'allow-net-admin'.

--security-group=SECURITY_GROUP
The name of the RBAC security group for use with Google security groups in Kubernetes RBAC (https://kubernetes.io/docs/reference/access-authn-authz/rbac/).

To include group membership as part of the claims issued by Google during authentication, a group must be designated as a security group by including it as a direct member of this group.

If unspecified, no groups will be returned for use with RBAC.

--security-posture=SECURITY_POSTURE
Sets the mode of the Kubernetes security posture API's off-cluster features.

To enable advanced mode, explicitly set the flag to --security-posture=enterprise.

To enable standard mode, explicitly set the flag to --security-posture=standard.

To disable in an existing cluster, explicitly set the flag to --security-posture=disabled.

For more information on enablement, see https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard#feature-enablement.

SECURITY_POSTURE must be one of: disabled, standard, enterprise.

--set-password
Set the basic auth password to the specified value, keeping the existing username.
--stack-type=STACK_TYPE
IP stack type of the cluster nodes. STACK_TYPE must be one of: ipv4, ipv4-ipv6.
--start-credential-rotation
Start the rotation of IP and credentials for this cluster. For example:
gcloud beta container clusters update example-cluster --start-credential-rotation

This causes the cluster to serve on two IPs, and will initiate a node upgrade to point to the new IP. See documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation.
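An added runbook for the two-phase rotation described under --start-credential-rotation and --complete-credential-rotation (example script, not from the gcloud reference): it starts the rotation, waits for the cluster to settle after the node upgrade, refreshes the local kubeconfig, and only then completes, because completion invalidates the old credentials for every client that has not re-fetched them. The status polling, the get-credentials refresh step, the demo_gcloud stub and the cluster name and location are assumptions constructed here.

```shell
#!/usr/bin/env bash
# Added example, not part of the gcloud reference: a two-phase GKE credential
# rotation runbook. Completing the rotation invalidates the old credentials,
# so every client must re-fetch cluster credentials before that step.
# GCLOUD and POLL_SECONDS can be overridden to run offline against the stub.
set -eu

GCLOUD="${GCLOUD:-gcloud}"
POLL_SECONDS="${POLL_SECONDS:-30}"
MAX_POLLS="${MAX_POLLS:-120}"

# Current lifecycle status of the cluster (assumed: RUNNING once settled).
cluster_status() {
  "$GCLOUD" container clusters describe "$1" --location="$2" --format="value(status)"
}

# Block until the node upgrade started by the rotation has finished.
wait_until_running() {
  n=0
  while [ "$(cluster_status "$1" "$2")" != "RUNNING" ]; do
    n=$((n + 1))
    if [ "$n" -ge "$MAX_POLLS" ]; then
      echo "timed out waiting for $1 to return to RUNNING" >&2
      return 1
    fi
    sleep "$POLL_SECONDS"
  done
}

rotate_credentials() {
  cluster="$1"; location="$2"
  # Phase 1: the control plane serves on two IPs with new credentials and
  # node pools are upgraded to use them (--quiet skips the confirmation prompt).
  "$GCLOUD" beta container clusters update "$cluster" --location="$location" \
    --start-credential-rotation --quiet
  wait_until_running "$cluster" "$location"
  # Refresh this machine's kubeconfig. Every other client (CI runners, other
  # operators) must do the same before phase 2 or it loses access.
  "$GCLOUD" container clusters get-credentials "$cluster" --location="$location"
  # Phase 2: drop the old IP and invalidate the old credentials.
  "$GCLOUD" beta container clusters update "$cluster" --location="$location" \
    --complete-credential-rotation --quiet
}

# Constructed stub standing in for gcloud: logs every call to DEMO_LOG and
# reports RECONCILING for the first two status polls, then RUNNING.
DEMO_LOG="${DEMO_LOG:-${TMPDIR:-/tmp}/rotation-demo.$$.log}"
demo_gcloud() {
  echo "gcloud $*" >> "$DEMO_LOG"
  case "$*" in
    *"value(status)"*)
      polls=$(grep -c 'value(status)' "$DEMO_LOG")
      if [ "$polls" -le 2 ]; then echo RECONCILING; else echo RUNNING; fi ;;
  esac
}

# Entry point: `./rotate.sh CLUSTER LOCATION`. With GCLOUD=demo_gcloud and
# POLL_SECONDS=0 it runs offline against the stub and prints the call log.
if [ "$#" -eq 2 ]; then
  rotate_credentials "$1" "$2"
  if [ "$GCLOUD" = "demo_gcloud" ]; then cat "$DEMO_LOG"; fi
fi
```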

--start-ip-rotation
Start the rotation of this cluster to a new IP. For example:
gcloud beta container clusters update example-cluster --start-ip-rotation

This causes the cluster to serve on two IPs, and will initiate a node upgrade to point to the new IP. See documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/ip-rotation.

--tier=TIER
(DEPRECATED) Set the desired tier for the cluster.

The --tier flag is deprecated. More info: https://cloud.google.com/kubernetes-engine/docs/release-notes#September_02_2025. TIER must be one of: standard, enterprise.

--update-addons=[ADDON=ENABLED|DISABLED,…]
Cluster addons to enable or disable. Options are:
HorizontalPodAutoscaling=ENABLED|DISABLED
HttpLoadBalancing=ENABLED|DISABLED
KubernetesDashboard=ENABLED|DISABLED
Istio=ENABLED|DISABLED
BackupRestore=ENABLED|DISABLED
NetworkPolicy=ENABLED|DISABLED
CloudRun=ENABLED|DISABLED
ConfigConnector=ENABLED|DISABLED
NodeLocalDNS=ENABLED|DISABLED
GcePersistentDiskCsiDriver=ENABLED|DISABLED
GcpFilestoreCsiDriver=ENABLED|DISABLED
GcsFuseCsiDriver=ENABLED|DISABLED
--update-labels=[KEY=VALUE,…]
Labels to apply to the Google Cloud resources in use by the Kubernetes Engine cluster. These are unrelated to Kubernetes labels.

Examples:

gcloud beta container clusters update example-cluster --update-labels=label_a=value1,label_b=value2
--workload-policies=WORKLOAD_POLICIES
Add Autopilot workload policies to the cluster.

Examples:

gcloudbetacontainerclustersupdateexample-cluster--workload-policies=allow-net-admin

The only supported workload policy is 'allow-net-admin'.

--workload-pool=WORKLOAD_POOL
Enable Workload Identity on the cluster.

When enabled, Kubernetes service accounts will be able to act as Cloud IAMService Accounts, through the provided workload pool.

Currently, the only accepted workload pool is the workload pool of the Cloudproject containing the cluster,PROJECT_ID.svc.id.goog.

For more information on Workload Identity, see

https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
--workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING
Sets the mode of the Kubernetes security posture API's workload vulnerabilityscanning.

To enable Advanced vulnerability insights mode explicitly set the flag to--workload-vulnerability-scanning=enterprise.

To enable in standard mode explicitly set the flag to--workload-vulnerability-scanning=standard.

To disable in an existing cluster, explicitly set the flag to--workload-vulnerability-scanning=disabled.

For more information on enablement, seehttps://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard#feature-enablement.

WORKLOAD_VULNERABILITY_SCANNING must be one of:disabled,standard,enterprise.

--additional-ip-ranges=[subnetwork=NAME,pod-ipv4-range=NAME,…]
Add additional subnetworks named "my-subnet" with pod ipv4 range named"my-range" to the cluster.

Examples:

gcloudbetacontainerclustersupdateexample-cluster--additional-ip-ranges=subnetwork=my-subnet,pod-ipv4-range=my-range
--remove-additional-ip-ranges=[subnetwork=NAME,pod-ipv4-range=NAME,…]
Additional subnetworks to be removed from the cluster.

Examples:

Remove pod range named "my-range" under additional subnetwork named "my-subnet"from the cluster.

gcloudbetacontainerclustersupdateexample-cluster--remove-additional-ip-ranges=subnetwork=my-subnet,pod-ipv4-range=my-range

Remove additional subnetwork named "my-subnet", including all the pod ipv4ranges under the subnetwork.

gcloudbetacontainerclustersupdateexample-cluster--remove-additional-ip-ranges=subnetwork=my-subnet
--additional-pod-ipv4-ranges=NAME,[NAME,…]
Additional IP address ranges(by name) for pods that need to be added to thecluster.

Examples:

gcloudbetacontainerclustersupdateexample-cluster--additional-pod-ipv4-ranges=range1,range2
--remove-additional-pod-ipv4-ranges=NAME,[NAME,…]
Previously added additional pod ranges(by name) for pods that are to be removedfrom the cluster.

Examples:

gcloudbetacontainerclustersupdateexample-cluster--remove-additional-pod-ipv4-ranges=range1,range2
At most one of these can be specified:
--additional-zones=[ZONE,…]
(DEPRECATED) The set of additional zones in which the cluster's node footprint should be replicated. All zones must be in the same region as the cluster's primary zone.

Note that the exact same footprint will be replicated in all zones, such that if you created a cluster with 4 nodes in a single zone and then use this option to spread across 2 more zones, 8 additional nodes will be created.

Multiple locations can be specified, separated by commas. For example:

gcloud beta container clusters update example-cluster --zone us-central1-a --additional-zones us-central1-b,us-central1-c

To remove all zones other than the cluster's primary zone, pass the empty string to the flag. For example:

gcloud beta container clusters update example-cluster --zone us-central1-a --additional-zones ""

This flag is deprecated. Use --node-locations=PRIMARY_ZONE,[ZONE,…] instead.

--node-locations=ZONE,[ZONE,…]
The set of zones in which the specified node footprint should be replicated. All zones must be in the same region as the cluster's master(s), specified by the --location, --zone, or --region flag. Additionally, for zonal clusters, --node-locations must contain the cluster's primary zone. If not specified, all nodes will be in the cluster's primary zone (for zonal clusters) or spread across three randomly chosen zones within the cluster's region (for regional clusters).

Note that NUM_NODES nodes will be created in each zone, such that if you specify --num-nodes=4 and choose two locations, 8 nodes will be created.

Multiple locations can be specified, separated by commas. For example:

gcloud beta container clusters update example-cluster --location us-central1-a --node-locations us-central1-a,us-central1-b
--auto-monitoring-scope=AUTO_MONITORING_SCOPE
Enables Auto-Monitoring for a specific scope within the cluster. ALL: Enables Auto-Monitoring for all supported workloads within the cluster. NONE: Disables Auto-Monitoring. AUTO_MONITORING_SCOPE must be one of: ALL, NONE.
--logging=[COMPONENT,…]
Set the components that have logging enabled. Valid component values are: SYSTEM, WORKLOAD, API_SERVER, CONTROLLER_MANAGER, SCHEDULER, NONE

For more information, see https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs#available-logs

Examples:

gcloud beta container clusters update --logging=SYSTEM
gcloud beta container clusters update --logging=SYSTEM,API_SERVER,WORKLOAD
gcloud beta container clusters update --logging=NONE
--monitoring=[COMPONENT,…]
Set the components that have monitoring enabled. Valid component values are: SYSTEM, WORKLOAD (Deprecated), NONE, API_SERVER, CONTROLLER_MANAGER, SCHEDULER, DAEMONSET, DEPLOYMENT, HPA, POD, STATEFULSET, STORAGE, CADVISOR, KUBELET, DCGM, JOBSET

For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics#available-metrics

Examples:

gcloud beta container clusters update --monitoring=SYSTEM,API_SERVER,POD
gcloud beta container clusters update --monitoring=NONE
At most one of these can be specified:
--disable-managed-prometheus
Disable managed collection for Managed Service for Prometheus.
--enable-managed-prometheus
Enables managed collection for Managed Service for Prometheus in the cluster.

See https://cloud.google.com/stackdriver/docs/managed-prometheus/setup-managed#enable-mgdcoll-gke for more info.

Enabled by default for cluster versions 1.27 or greater; use --no-enable-managed-prometheus to disable.

Flags for Binary Authorization:
--binauthz-policy-bindings=[name=BINAUTHZ_POLICY]
The relative resource name of the Binary Authorization policy to audit and/or enforce. GKE policies have the following format: projects/{project_number}/platforms/gke/policies/{policy_id}.
At most one of these can be specified:
--binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE
Enable Binary Authorization for this cluster. BINAUTHZ_EVALUATION_MODE must be one of: disabled, policy-bindings, policy-bindings-and-project-singleton-policy-enforce, project-singleton-policy-enforce.
--enable-binauthz
(DEPRECATED) Enable Binary Authorization for this cluster.

The --enable-binauthz flag is deprecated. Please use --binauthz-evaluation-mode instead.

--clear-fleet-project
Remove the cluster from the current fleet host project. Example: $ gcloud beta container clusters update --clear-fleet-project
--enable-fleet
Set the cluster project as the fleet host project. This will register the cluster to the same project. To register the cluster to a fleet in a different project, please use --fleet-project=FLEET_HOST_PROJECT. Example: $ gcloud beta container clusters update --enable-fleet
--fleet-project=PROJECT_ID_OR_NUMBER
Sets the fleet host project for the cluster. If specified, the current cluster will be registered as a fleet membership under the fleet host project.

Example: $ gcloud beta container clusters update --fleet-project=my-project

--membership-type=MEMBERSHIP_TYPE
Specify a membership type for the cluster's fleet membership. Example: $ gcloud beta container clusters update --membership-type=LIGHTWEIGHT. MEMBERSHIP_TYPE must be (only one value is supported):
LIGHTWEIGHT
Fleet membership representing this cluster will be lightweight.
--unset-membership-type
Set the membership type for the cluster's fleet membership to empty. Example: $ gcloud beta container clusters update --unset-membership-type
At most one of these can be specified:
--clear-maintenance-window
If set, remove the maintenance window that was set with the --maintenance-window family of flags.
--remove-maintenance-exclusion=NAME
Name of a maintenance exclusion to remove. If you hadn't specified a name, one was auto-generated. Get it with $ gcloud container clusters describe.
Sets a period of time in which maintenance should not occur. This is compatible with both daily and recurring maintenance windows. If --add-maintenance-exclusion-scope is not specified, the exclusion will exclude all upgrades.

Examples:

gcloud beta container clusters update example-cluster --add-maintenance-exclusion-name=holidays-2000 --add-maintenance-exclusion-start=2000-11-20T00:00:00 --add-maintenance-exclusion-end=2000-12-31T23:59:59 --add-maintenance-exclusion-scope=no_upgrades
--add-maintenance-exclusion-name=NAME
A descriptor for the exclusion that can be used to remove it. If not specified, it will be autogenerated.
--add-maintenance-exclusion-scope=SCOPE
Scope of the exclusion window, specifying the type of upgrades that the exclusion will apply to. Must be one of no_upgrades, no_minor_upgrades or no_minor_or_node_upgrades. If not specified in an exclusion, defaults to no_upgrades.
--add-maintenance-exclusion-start=TIME_STAMP
Start time of the exclusion window (can occur in the past). If not specified, the current time will be used. See $ gcloud topic datetimes for information on time formats.
Exactly one of these must be specified:
--add-maintenance-exclusion-end=TIME_STAMP
End time of the exclusion window. Must take place after the start time. See $ gcloud topic datetimes for information on time formats.
--add-maintenance-exclusion-until-end-of-support
End time of the exclusion window is the end of the cluster's support.
Set a flexible maintenance window by specifying a window that recurs per an RFC 5545 RRULE. Non-emergency maintenance will occur in the recurring windows.

Examples:

For a 9-5 Mon-Wed UTC-4 maintenance window:

gcloud beta container clusters update example-cluster --maintenance-window-start=2000-01-01T09:00:00-04:00 --maintenance-window-end=2000-01-01T17:00:00-04:00 --maintenance-window-recurrence='FREQ=WEEKLY;BYDAY=MO,TU,WE'

For a daily window from 22:00 - 04:00 UTC:

gcloud beta container clusters update example-cluster --maintenance-window-start=2000-01-01T22:00:00Z --maintenance-window-end=2000-01-02T04:00:00Z --maintenance-window-recurrence=FREQ=DAILY
--maintenance-window-end=TIME_STAMP
The end time for calculating the duration of the maintenance window, as expressed by the amount of time after the START_TIME, in the same format. The value for END_TIME must be in the future, relative to START_TIME. This only calculates the duration of the window, and doesn't set when the maintenance window stops recurring. Maintenance windows only stop recurring when they're removed. See $ gcloud topic datetimes for information on time formats.

This flag argument must be specified if any of the other arguments in this group are specified.

--maintenance-window-recurrence=RRULE
An RFC 5545 RRULE, specifying how the window will recur. Note that minimum requirements for maintenance periods will be enforced. Note that FREQ=SECONDLY, MINUTELY, and HOURLY are not supported.

This flag argument must be specified if any of the other arguments in this group are specified.

--maintenance-window-start=TIME_STAMP
Start time of the first window (can occur in the past). The start time influences when the window will start for recurrences. See $ gcloud topic datetimes for information on time formats.

This flag argument must be specified if any of the other arguments in this group are specified.

Exports cluster's usage of cloud resources

At most one of these can be specified:

--clear-resource-usage-bigquery-dataset
Disables exporting cluster resource usage to BigQuery.
--enable-network-egress-metering
Enable network egress metering on this cluster.

When enabled, a DaemonSet is deployed into the cluster. Each DaemonSet pod meters network egress traffic by collecting data from the conntrack table, and exports the metered metrics to the specified destination.

Network egress metering is disabled if this flag is omitted, or when --no-enable-network-egress-metering is set.

--enable-resource-consumption-metering
Enable resource consumption metering on this cluster.

When enabled, a table will be created in the specified BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export.

To disable resource consumption metering, set --no-enable-resource-consumption-metering. If this flag is omitted, then resource consumption metering will remain enabled or disabled depending on what is already configured for this cluster.

--resource-usage-bigquery-dataset=RESOURCE_USAGE_BIGQUERY_DATASET
The name of the BigQuery dataset to which the cluster's usage of cloud resources is exported. A table will be created in the specified dataset to store cluster resource usage. The resulting table can be joined with BigQuery Billing Export to produce a fine-grained cost breakdown.

Examples:

gcloud beta container clusters update example-cluster --resource-usage-bigquery-dataset=example_bigquery_dataset_name
ClusterDNS
--cluster-dns=CLUSTER_DNS
DNS provider to use for this cluster. CLUSTER_DNS must be one of:
clouddns
Selects Cloud DNS as the DNS provider for the cluster.
default
Selects the default DNS provider (kube-dns) for the cluster.
kubedns
Selects Kube DNS as the DNS provider for the cluster.
--cluster-dns-domain=CLUSTER_DNS_DOMAIN
DNS domain for this cluster. The default value is cluster.local. This is configurable when --cluster-dns=clouddns and --cluster-dns-scope=vpc are set. The value must be a valid DNS subdomain as defined in RFC 1123.
--cluster-dns-scope=CLUSTER_DNS_SCOPE
DNS scope for the Cloud DNS zone created; valid only with --cluster-dns=clouddns. Defaults to cluster.

CLUSTER_DNS_SCOPE must be one of:

cluster
Configures the Cloud DNS zone to be private to the cluster.
vpc
Configures the Cloud DNS zone to be private to the VPC Network.
At most one of these can be specified:
--additive-vpc-scope-dns-domain=ADDITIVE_VPC_SCOPE_DNS_DOMAIN
The domain used in Additive VPC scope. Only works with Cluster Scope.
--disable-additive-vpc-scope
Disables Additive VPC Scope.
At most one of these can be specified:
--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
(REMOVED) Select Advanced Datapath Observability mode for the cluster. Defaults to DISABLED.

Advanced Datapath Observability allows for a real-time view into pod-to-pod traffic within your cluster.

Examples:

gcloud beta container clusters update --dataplane-v2-observability-mode=DISABLED
gcloud beta container clusters update --dataplane-v2-observability-mode=INTERNAL_VPC_LB
gcloud beta container clusters update --dataplane-v2-observability-mode=EXTERNAL_LB

Flag --dataplane-v2-observability-mode has been removed.

DATAPLANE_V2_OBSERVABILITY_MODE must be one of:

DISABLED
Disables Advanced Datapath Observability.
EXTERNAL_LB
Makes Advanced Datapath Observability available to the external network.
INTERNAL_VPC_LB
Makes Advanced Datapath Observability available from the VPC network.
--disable-dataplane-v2-flow-observability
Disables Advanced Datapath Observability.
--enable-dataplane-v2-flow-observability
Enables Advanced Datapath Observability, which allows for a real-time view into pod-to-pod traffic within your cluster.
At most one of these can be specified:
--disable-dataplane-v2-metrics
Stops exposing advanced datapath flow metrics on node port.
--enable-dataplane-v2-metrics
Exposes advanced datapath flow metrics on node port.
At most one of these can be specified:
--disable-auto-ipam
Disable the Auto IP Address Management (Auto IPAM) feature for the cluster.
--enable-auto-ipam
Enable the Auto IP Address Management (Auto IPAM) feature for the cluster.
At most one of these can be specified:
--disable-l4-lb-firewall-reconciliation
Disable reconciliation on the cluster for L4 Load Balancer VPC firewalls targeting ingress traffic.
--enable-l4-lb-firewall-reconciliation
Enable reconciliation on the cluster for L4 Load Balancer VPC firewalls targeting ingress traffic. L4 LB VPC firewall reconciliation is enabled by default.
At most one of these can be specified:
--disable-pod-snapshots
Disable the Pod Snapshot feature on the cluster.
--enable-pod-snapshots
Enable the Pod Snapshot feature on the cluster.
--enable-authorized-networks-on-private-endpoint
Enable enforcement of --master-authorized-networks CIDR ranges for traffic reaching the cluster's control plane via private IP.
--enable-dns-access
Enable access to the cluster's control plane over the DNS-based endpoint.

DNS-based control plane access is recommended.

--enable-google-cloud-access
When you enable Google Cloud Access, any public IP addresses owned by Google Cloud can reach the public control plane endpoint of your cluster.
--enable-ip-access
Enable access to the cluster's control plane over private IP, and over public IP if --enable-private-endpoint is not enabled.
--enable-k8s-certs-via-dns
Enable K8s client certificate authentication to the cluster's control plane over the DNS-based endpoint.
--enable-k8s-tokens-via-dns
Enable K8s Service Account token authentication to the cluster's control plane over the DNS-based endpoint.
--enable-master-global-access
Use with private clusters to allow access to the master's private endpoint from any Google Cloud region or on-premises environment regardless of the private cluster's region.
--enable-private-endpoint
Enables the cluster's control plane to be accessible using a private IP address only.
Master Authorized Networks
--enable-master-authorized-networks
Allow only a specified set of CIDR blocks (specified by the --master-authorized-networks flag) to connect to the Kubernetes master through HTTPS. Besides these blocks, the following have access as well:
1) The private network the cluster connects to, if `--enable-private-nodes` is specified.
2) Google Compute Engine public IPs, if `--enable-private-nodes` is not specified.

Use --no-enable-master-authorized-networks to disable. When disabled, the public internet (0.0.0.0/0) is allowed to connect to the Kubernetes master through HTTPS.

--master-authorized-networks=NETWORK,[NETWORK,…]
The list of CIDR blocks (up to 100 for a private cluster, 50 for a public cluster) that are allowed to connect to the Kubernetes master through HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot be specified unless --enable-master-authorized-networks is also specified.
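A pre-flight check for the list handed to --master-authorized-networks, as an added example that is not part of the gcloud reference: it enforces the limits stated above (100 blocks for a private cluster, 50 for a public one), rejects 0.0.0.0/0 (which would re-open the control plane to the whole internet while the flag appears to be enabled), and requires CIDR notation with a valid IPv4 prefix. The function names and the "private|public" argument are assumptions of this example; gcloud itself is never called, the last function only prints the update command for a list that passed.

```shell
# Added example, not part of the gcloud reference: validate an authorized-networks
# list before applying it with the update command.

# Return 0 if "$1" is a syntactically valid IPv4 CIDR such as 203.0.113.0/28.
is_ipv4_cidr() {
  case "$1" in
    */*) ;;
    *) return 1 ;;           # no prefix length at all
  esac
  ip="${1%/*}"; prefix="${1#*/}"
  case "$prefix" in
    ''|*[!0-9]*) return 1 ;; # prefix must be a decimal integer
  esac
  [ "$prefix" -le 32 ] || return 1
  n=0
  cidr_ifs="$IFS"; IFS=.
  for octet in $ip; do
    case "$octet" in
      ''|*[!0-9]*) IFS="$cidr_ifs"; return 1 ;;
    esac
    [ "$octet" -le 255 ] || { IFS="$cidr_ifs"; return 1; }
    n=$((n + 1))
  done
  IFS="$cidr_ifs"
  [ "$n" -eq 4 ]
}

# Validate a comma-separated list for a "private" or "public" cluster.
# Prints one diagnostic per problem on stderr; returns 0 only when the list is clean.
check_authorized_networks() {
  list="$1"; kind="$2"
  case "$kind" in
    private) limit=100 ;;
    public)  limit=50 ;;
    *) echo "kind must be private or public" >&2; return 2 ;;
  esac
  rc=0; count=0
  saved_ifs="$IFS"; IFS=,
  for cidr in $list; do
    count=$((count + 1))
    if ! is_ipv4_cidr "$cidr"; then
      echo "not a CIDR block: $cidr" >&2; rc=1
    elif [ "$cidr" = "0.0.0.0/0" ]; then
      echo "0.0.0.0/0 admits the whole internet; drop it" >&2; rc=1
    fi
  done
  IFS="$saved_ifs"
  if [ "$count" -gt "$limit" ]; then
    echo "$count blocks exceeds the $kind-cluster limit of $limit" >&2; rc=1
  fi
  return "$rc"
}

# Print the update command for cluster "$1" once list "$2" validates for kind "$3".
authorized_networks_cmd() {
  check_authorized_networks "$2" "$3" || return 1
  printf 'gcloud beta container clusters update %s --enable-master-authorized-networks --master-authorized-networks=%s\n' "$1" "$2"
}
```

The check is deliberately strict about 0.0.0.0/0: a list containing it validates syntactically and the API accepts it, but the resulting posture is the same as --no-enable-master-authorized-networks, so it should be caught in review rather than discovered later.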
Node autoprovisioning
--enable-autoprovisioning
Enables node autoprovisioning for a cluster.

Cluster Autoscaler will be able to create new node pools. Requires maximum CPU and memory limits to be specified.

At most one of these can be specified:
--autoprovisioning-config-file=PATH_TO_FILE
Path of the JSON/YAML file which contains information about the cluster's node autoprovisioning configuration. Currently it contains a list of resource limits, identity defaults for autoprovisioning, node upgrade settings, node management settings, minimum cpu platform, image type, node locations for autoprovisioning, disk type and size configuration, Shielded instance settings, and customer-managed encryption keys settings.

Resource limits are specified in the field 'resourceLimits'. Each resource limits definition contains three fields: resourceType, maximum and minimum. Resource type can be "cpu", "memory" or an accelerator (e.g. "nvidia-tesla-t4" for NVIDIA T4). Use gcloud compute accelerator-types list to learn about available accelerator types. Maximum is the maximum allowed amount with the unit of the resource. Minimum is the minimum allowed amount with the unit of the resource.

Identity default contains at most one of the below fields:
serviceAccount: The Google Cloud Platform Service Account to be used by node VMs in autoprovisioned node pools. If not specified, the project's default service account is used.
scopes: A list of scopes to be used by node instances in autoprovisioned node pools. Multiple scopes can be specified, separated by commas. For information on defaults, look at: https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes

Node Upgrade settings are specified under the field 'upgradeSettings', which has the following fields:
maxSurgeUpgrade: Number of extra (surge) nodes to be created on each upgrade of an autoprovisioned node pool.
maxUnavailableUpgrade: Number of nodes that can be unavailable at the same time on each upgrade of an autoprovisioned node pool.

Node Management settings are specified under the field 'management', which has the following fields:
autoUpgrade: A boolean field that indicates if node autoupgrade is enabled for autoprovisioned node pools.
autoRepair: A boolean field that indicates if node autorepair is enabled for autoprovisioned node pools.

minCpuPlatform (deprecated): If specified, new autoprovisioned nodes will be scheduled on a host with the specified CPU architecture or a newer one. Note: Min CPU platform can only be specified in Beta and Alpha.

Autoprovisioned node image is specified under the 'imageType' field. If not specified, the default value will be applied.

Autoprovisioning locations is a set of zones where new node pools can be created by Autoprovisioning. Autoprovisioning locations are specified in the field 'autoprovisioningLocations'. All zones must be in the same region as the cluster's master(s).

Disk type and size are specified under the 'diskType' and 'diskSizeGb' fields, respectively. If specified, new autoprovisioned nodes will be created with custom boot disks configured by these settings.

Shielded instance settings are specified under the 'shieldedInstanceConfig' field, which has the following fields:
enableSecureBoot: A boolean field that indicates if secure boot is enabled for autoprovisioned nodes.
enableIntegrityMonitoring: A boolean field that indicates if integrity monitoring is enabled for autoprovisioned nodes.

Customer Managed Encryption Keys (CMEK) used by new auto-provisioned node pools can be specified in the 'bootDiskKmsKey' field.

Use a full or relative path to a local file containing the value of autoprovisioning_config_file.
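The field list above is easier to get right when seen as one file. The following is an added example, not part of the gcloud reference: it writes an autoprovisioning config carrying every field described (resourceLimits, serviceAccount, scopes, upgradeSettings, management, imageType, autoprovisioningLocations, diskType, diskSizeGb, shieldedInstanceConfig, bootDiskKmsKey) with the settings a hardened cluster wants, then gates the update on a check that Secure Boot and integrity monitoring are still on and a CMEK key is named, because a config that flips those off silently downgrades every node pool autoprovisioning creates afterwards. The project, service-account address, key name, zones and file path are constructed placeholders; the function names are assumptions of this example.

```shell
# Added example, not part of the gcloud reference: write and vet a node
# autoprovisioning config file before passing it to --autoprovisioning-config-file.

# Write the config to file "$1". Values are constructed placeholders.
write_nap_config() {
  cat > "$1" <<'EOF'
resourceLimits:
  - resourceType: cpu
    minimum: 4
    maximum: 64
  - resourceType: memory
    minimum: 16
    maximum: 256
  - resourceType: nvidia-tesla-t4
    minimum: 0
    maximum: 4
serviceAccount: nap-nodes@example-project.iam.gserviceaccount.com   # placeholder, a dedicated least-privilege SA
scopes:
  - https://www.googleapis.com/auth/logging.write
  - https://www.googleapis.com/auth/monitoring
upgradeSettings:
  maxSurgeUpgrade: 1
  maxUnavailableUpgrade: 0
management:
  autoUpgrade: true
  autoRepair: true
imageType: COS_CONTAINERD
autoprovisioningLocations:
  - us-central1-a
  - us-central1-b
diskType: pd-balanced
diskSizeGb: 100
shieldedInstanceConfig:
  enableSecureBoot: true
  enableIntegrityMonitoring: true
bootDiskKmsKey: projects/example-project/locations/us-central1/keyRings/nap/cryptoKeys/boot-disk   # placeholder
EOF
}

# Print the scalar value of "key:" from file "$1" (first match, at any indent),
# with any trailing "# comment" and whitespace removed; prints nothing if absent.
nap_value() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*\([^#]*\).*/\1/p" "$1" | sed 's/[[:space:]]*$//' | head -n 1
}

# Return 0 only if the file keeps both Shielded settings on and names a CMEK key.
nap_config_is_hardened() {
  f="$1"; bad=0
  [ "$(nap_value "$f" enableSecureBoot)" = "true" ] || { echo "enableSecureBoot is not true" >&2; bad=1; }
  [ "$(nap_value "$f" enableIntegrityMonitoring)" = "true" ] || { echo "enableIntegrityMonitoring is not true" >&2; bad=1; }
  [ -n "$(nap_value "$f" bootDiskKmsKey)" ] || { echo "bootDiskKmsKey is missing" >&2; bad=1; }
  return "$bad"
}

# Print the update command for cluster "$1" that applies a vetted file "$2".
nap_update_cmd() {
  nap_config_is_hardened "$2" || return 1
  printf 'gcloud beta container clusters update %s --enable-autoprovisioning --autoprovisioning-config-file=%s\n' "$1" "$2"
}
```

The scopes list stays narrow on purpose: node VMs only need to write logs and metrics, and anything broader lands on every autoprovisioned node's metadata server, reachable by any pod on it unless Workload Identity and metadata concealment are in place.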

Flags to configure autoprovisioned nodes
--autoprovisioning-image-type=AUTOPROVISIONING_IMAGE_TYPE
Node Autoprovisioning will create new nodes with the specified image type.
--autoprovisioning-locations=ZONE,[ZONE,…]
Set of zones where new node pools can be created by autoprovisioning. All zones must be in the same region as the cluster's master(s). Multiple locations can be specified, separated by commas.
--autoprovisioning-min-cpu-platform=PLATFORM
(DEPRECATED) If specified, new autoprovisioned nodes will be scheduled on a host with the specified CPU architecture or a newer one.

The --autoprovisioning-min-cpu-platform flag is deprecated and will be removed in an upcoming release. More info: https://cloud.google.com/kubernetes-engine/docs/release-notes#March_08_2022

--max-cpu=MAX_CPU
Maximum number of cores in the cluster.

Maximum number of cores to which the cluster can scale.

--max-memory=MAX_MEMORY
Maximum memory in the cluster.

Maximum number of gigabytes of memory to which the cluster can scale.

--min-cpu=MIN_CPU
Minimum number of cores in the cluster.

Minimum number of cores to which the cluster can scale.

--min-memory=MIN_MEMORY
Minimum memory in the cluster.

Minimum number of gigabytes of memory to which the cluster can scale.

Flags to specify upgrade settings for autoprovisioned nodes:
--autoprovisioning-max-surge-upgrade=AUTOPROVISIONING_MAX_SURGE_UPGRADE
Number of extra (surge) nodes to be created on each upgrade of an autoprovisioned node pool.
--autoprovisioning-max-unavailable-upgrade=AUTOPROVISIONING_MAX_UNAVAILABLE_UPGRADE
Number of nodes that can be unavailable at the same time on each upgrade of an autoprovisioned node pool.
--autoprovisioning-node-pool-soak-duration=AUTOPROVISIONING_NODE_POOL_SOAK_DURATION
Time in seconds to be spent waiting during blue-green upgrade before deleting the blue pool and completing the update. This argument should be used in conjunction with --enable-autoprovisioning-blue-green-upgrade to take effect.
--autoprovisioning-standard-rollout-policy=[batch-node-count=BATCH_NODE_COUNT,batch-percent=BATCH_NODE_PERCENTAGE,batch-soak-duration=BATCH_SOAK_DURATION,…]
Standard rollout policy options for blue-green upgrade. This argument should be used in conjunction with --enable-autoprovisioning-blue-green-upgrade to take effect.

Batch sizes are specified by one of batch-node-count or batch-percent. The duration between batches is specified by batch-soak-duration.

Example:
--standard-rollout-policy=batch-node-count=3,batch-soak-duration=60s
--standard-rollout-policy=batch-percent=0.05,batch-soak-duration=180s

Flag group to choose the top level upgrade option:

At most one of these can be specified:

--enable-autoprovisioning-blue-green-upgrade
Whether to use blue-green upgrade for the autoprovisioned node pool.
--enable-autoprovisioning-surge-upgrade
Whether to use surge upgrade for the autoprovisioned node pool.
Flags to specify identity for autoprovisioned nodes:
--autoprovisioning-scopes=[SCOPE,…]
The scopes to be used by node instances in autoprovisioned node pools. Multiple scopes can be specified, separated by commas. For information on defaults, look at: https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes
--autoprovisioning-service-account=AUTOPROVISIONING_SERVICE_ACCOUNT
The Google Cloud Platform Service Account to be used by node VMs in autoprovisioned node pools. If not specified, the project default service account is used.
Flags to specify node management settings for autoprovisioned nodes:
--enable-autoprovisioning-autorepair
Enable node autorepair for autoprovisioned node pools. Use --no-enable-autoprovisioning-autorepair to disable.

This flag argument must be specified if any of the other arguments in this group are specified.

--enable-autoprovisioning-autoupgrade
Enable node autoupgrade for autoprovisioned node pools. Use --no-enable-autoprovisioning-autoupgrade to disable.

This flag argument must be specified if any of the other arguments in this group are specified.

Arguments to set limits on accelerators:
--max-accelerator=[type=TYPE,count=COUNT,…]
Sets the maximum limit for a single type of accelerator (e.g. GPUs) in the cluster.
type
(Required) The specific type (e.g. nvidia-tesla-t4 for NVIDIA T4) of accelerator for which the limit is set. Use gcloud compute accelerator-types list to learn about all available accelerator types.
count
(Required) The maximum number of accelerators to which the cluster can be scaled.

This flag argument must be specified if any of the other arguments in this group are specified.

--min-accelerator=[type=TYPE,count=COUNT,…]
Sets the minimum limit for a single type of accelerator (e.g. GPUs) in the cluster. Defaults to 0 for all accelerator types if it isn't set.
type
(Required) The specific type (e.g. nvidia-tesla-t4 for NVIDIA T4) of accelerator for which the limit is set. Use gcloud compute accelerator-types list to learn about all available accelerator types.
count
(Required) The minimum number of accelerators to which the cluster can be scaled.
--enable-insecure-binding-system-authenticated
Allow using system:authenticated as a subject in ClusterRoleBindings and RoleBindings. Allowing bindings that reference system:authenticated is a security risk and is not recommended.

To disallow binding system:authenticated in a cluster, explicitly set the --no-enable-insecure-binding-system-authenticated flag instead.

--enable-insecure-binding-system-unauthenticated
Allow using system:unauthenticated and system:anonymous as subjects in ClusterRoleBindings and RoleBindings. Allowing bindings that reference system:unauthenticated and system:anonymous is a security risk and is not recommended.

To disallow binding system:unauthenticated and system:anonymous in a cluster, explicitly set the --no-enable-insecure-binding-system-unauthenticated flag instead.
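Before switching a cluster to the --no-enable-insecure-binding-system-authenticated and --no-enable-insecure-binding-system-unauthenticated settings above, it helps to know which existing bindings already grant to those groups, because every identity the API server accepts (system:authenticated includes every service account token in the cluster) inherits whatever they grant. The following audit is an added example, not part of the gcloud reference: it reads the table printed by `kubectl get clusterrolebindings -o custom-columns='NAME:.metadata.name,SUBJECTS:.subjects[*].name'` and reports the bindings whose subjects include system:authenticated, system:unauthenticated or system:anonymous, skipping the three bindings upstream Kubernetes itself creates with those subjects. The sample table is constructed, and that allowlist of upstream defaults is an assumption to adjust for your cluster.

```shell
# Added example, not part of the gcloud reference: find RBAC bindings that grant
# to the broad groups system:authenticated, system:unauthenticated and
# system:anonymous, reading the custom-columns table described in the lead-in.

# Upstream Kubernetes ships these three ClusterRoleBindings to system:authenticated /
# system:unauthenticated itself (assumption: adjust if your cluster differs).
DEFAULT_WIDE_BINDINGS="system:basic-user system:discovery system:public-info-viewer"

# Constructed sample of what the kubectl command prints (NAME, comma-joined SUBJECTS).
SAMPLE_BINDINGS='NAME                        SUBJECTS
cluster-admin               system:masters
system:basic-user           system:authenticated
system:discovery            system:authenticated
system:public-info-viewer   system:authenticated,system:unauthenticated
legacy-dashboard-anon       system:anonymous
all-users-can-read          system:authenticated
team-a-viewers              alice@example.com,bob@example.com'

# Read the table on stdin; print "NAME SUBJECT" for each non-default binding whose
# subject list contains one of the broad groups.
audit_broad_bindings() {
  awk -v defaults="$DEFAULT_WIDE_BINDINGS" '
    BEGIN { n = split(defaults, d, " "); for (i = 1; i <= n; i++) skip[d[i]] = 1 }
    NR == 1 { next }                       # column header line
    skip[$1] { next }                      # upstream default binding, expected
    {
      m = split($2, subs, ",")
      for (i = 1; i <= m; i++)
        if (subs[i] == "system:authenticated" || subs[i] == "system:unauthenticated" || subs[i] == "system:anonymous")
          print $1, subs[i]
    }'
}

# Count the findings in table "$1" (a string); "0" means nothing to review.
count_broad_bindings() {
  printf '%s\n' "$1" | audit_broad_bindings | wc -l | tr -d ' '
}
```

Run the same audit over `kubectl get rolebindings -A` with a NAMESPACE column added to the custom-columns spec to cover namespaced bindings; on the sample above the two findings are the anonymous dashboard binding and the cluster-wide read grant, both of which should be replaced by bindings to specific groups or service accounts before the flags are tightened.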

--logging-service=LOGGING_SERVICE
(DEPRECATED) Logging service to use for the cluster. Options are:"logging.googleapis.com/kubernetes" (the Google Cloud Logging service withKubernetes-native resource model enabled), "logging.googleapis.com" (the GoogleCloud Logging service), "none" (logs will not be exported from the cluster)

The--logging-service flag is deprecated and will be removed in anupcoming release. Please use--logging instead. For moreinformation, please read:https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs.

--monitoring-service=MONITORING_SERVICE
(DEPRECATED) Monitoring service to use for the cluster. Options are:"monitoring.googleapis.com/kubernetes" (the Google Cloud Monitoring service withKubernetes-native resource model enabled), "monitoring.googleapis.com" (theGoogle Cloud Monitoring service), "none" (no metrics will be exported from thecluster)

The--monitoring-service flag is deprecated and will be removed inan upcoming release. Please use--monitoring instead. For moreinformation, please read:https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics.

Flags for Secret Manager configuration:
--[no-]enable-secret-manager
Enables the Secret Manager CSI driver provider component. Seehttps://secrets-store-csi-driver.sigs.k8s.io/introductionhttps://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp.Use--enable-secret-manager to enable and--no-enable-secret-manager to disable.
--[no-]enable-secret-manager-rotation
Enables the rotation of secrets in the Secret Manager CSI driver providercomponent. Use--enable-secret-manager-rotation to enable and--no-enable-secret-manager-rotation to disable.
--secret-manager-rotation-interval=SECRET_MANAGER_ROTATION_INTERVAL
Set the rotation period for secrets in the Secret Manager CSI driver providercomponent. If you don't specify a time interval for the rotation, it willdefault to a rotation period of two minutes.
Flags for Secret Sync configuration:
--[no-]enable-secret-sync
Enables the Secret Sync component. Seehttps://cloud.google.com/secret-manager/docs/sync-k8-secrets.Use--enable-secret-sync to enable and--no-enable-secret-sync to disable.
--[no-]enable-secret-sync-rotation
Enables the rotation of secrets in the Secret Sync component. providercomponent. Use--enable-secret-sync-rotation to enable and--no-enable-secret-sync-rotation to disable.
--secret-sync-rotation-interval=SECRET_SYNC_ROTATION_INTERVAL
Set the rotation period for secrets in the Secret Sync component.
Basic auth
--password=PASSWORD
The password to use for cluster auth. Defaults to a server-specifiedrandomly-generated string.
Options to specify the username.

At most one of these can be specified:

--enable-basic-auth
Enable basic (username/password) auth for the cluster.--enable-basic-auth is an alias for--username=admin;--no-enable-basic-auth is an alias for--username="".Use--password to specify a password; if not, the server willrandomly generate one. For cluster versions before 1.12, if neither--enable-basic-auth nor--username is specified,--enable-basic-auth will default totrue. After 1.12,--enable-basic-auth will default tofalse.
--username=USERNAME,-uUSERNAME
The user name to use for basic auth for the cluster. Use--passwordto specify a password; if not, the server will randomly generate one.
OPTIONAL FLAGS
--async
Return immediately, without waiting for the operation in progress to complete.
--cloud-run-config=[load-balancer-type=EXTERNAL,…]
Configurations for Cloud Run addon, requires--addons=CloudRun forcreate and--update-addons=CloudRun=ENABLED for update.
load-balancer-type
(Optional) Type of load-balancer-type EXTERNAL or INTERNAL.

Examples:

gcloud beta container clusters update example-cluster --cloud-run-config=load-balancer-type=INTERNAL
--istio-config=[auth=MTLS_PERMISSIVE,…]
(REMOVED) Configurations for Istio addon, requires --addons contains Istio for create, or --update-addons Istio=ENABLED for update.
auth
(Optional) Type of auth MTLS_PERMISSIVE or MTLS_STRICT.

Examples:

gcloud beta container clusters update example-cluster --istio-config=auth=MTLS_PERMISSIVE

The --istio-config flag is no longer supported. For more information and migration, see https://cloud.google.com/istio/docs/istio-on-gke/migrate-to-anthos-service-mesh.

--node-pool=NODE_POOL
Node pool to be updated.
At most one of these can be specified:
--location=LOCATION
Compute zone or region (e.g. us-central1-a or us-central1) for the cluster. Overrides the default compute/region or compute/zone value for this command invocation. Prefer using this flag over the --region or --zone flags.
--region=REGION
Compute region (e.g. us-central1) for a regional cluster. Overrides the default compute/region property value for this command invocation.
--zone=ZONE, -z ZONE
Compute zone (e.g. us-central1-a) for a zonal cluster. Overrides the default compute/zone property value for this command invocation.
Cluster autoscaling
--location-policy=LOCATION_POLICY
Location policy specifies the algorithm used when scaling-up the node pool.
  • BALANCED - Is a best effort policy that aims to balance the sizes of available zones.
  • ANY - Instructs the cluster autoscaler to prioritize utilization of unused reservations, and reduces preemption risk for Spot VMs.

LOCATION_POLICY must be one of: BALANCED, ANY.

--max-nodes=MAX_NODES
Maximum number of nodes per zone in the node pool.

Maximum number of nodes per zone to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.

--min-nodes=MIN_NODES
Minimum number of nodes per zone in the node pool.

Minimum number of nodes per zone to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.

--total-max-nodes=TOTAL_MAX_NODES
Maximum number of all nodes in the node pool.

Maximum number of all nodes to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.

--total-min-nodes=TOTAL_MIN_NODES
Minimum number of all nodes in the node pool.

Minimum number of all nodes to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.

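The per-zone and total limits above are silently ignored when --enable-autoscaling is not passed in the same invocation. The following shell helper, an added example that is not part of the gcloud reference, assembles the autoscaling arguments for this command so that --enable-autoscaling is always included and a minimum never exceeds its maximum; the cluster name example-cluster and node pool default-pool are assumed values. It only prints the argument list and never calls gcloud.

```shell
# Added example (not gcloud's own code). Builds the autoscaling flag set for
# `gcloud beta container clusters update`, enforcing two rules from the flag
# descriptions: the min/max flags are ignored unless --enable-autoscaling is
# also given, and a minimum must not exceed its maximum.
#
# usage: autoscaling_args CLUSTER NODE_POOL MIN MAX [TOTAL_MIN TOTAL_MAX]

# True when $1 is a non-empty string of decimal digits.
is_uint() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

autoscaling_args() {
  cluster=$1; pool=$2; min=$3; max=$4; tmin=${5:-}; tmax=${6:-}

  is_uint "$min" && is_uint "$max" || { echo "min/max must be integers" >&2; return 1; }
  if [ "$min" -gt "$max" ]; then
    echo "--min-nodes ($min) exceeds --max-nodes ($max)" >&2
    return 1
  fi

  # --enable-autoscaling is emitted unconditionally: without it the limits below
  # are accepted by the API but have no effect.
  args="$cluster --node-pool=$pool --enable-autoscaling --min-nodes=$min --max-nodes=$max"

  # Optional pool-wide limits, validated the same way.
  if [ -n "$tmin" ] || [ -n "$tmax" ]; then
    is_uint "$tmin" && is_uint "$tmax" || { echo "total min/max must both be integers" >&2; return 1; }
    if [ "$tmin" -gt "$tmax" ]; then
      echo "--total-min-nodes ($tmin) exceeds --total-max-nodes ($tmax)" >&2
      return 1
    fi
    args="$args --total-min-nodes=$tmin --total-max-nodes=$tmax"
  fi

  printf '%s\n' "$args"
}

# Dry run for the assumed cluster and pool: prints the command without executing it.
echo "gcloud beta container clusters update $(autoscaling_args example-cluster default-pool 1 3 2 9) --location=us-central1"
```

The --location flag is appended outside the helper because it belongs to the cluster, not the node pool; pipe the printed line into a shell only after reviewing it.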
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.

Run $ gcloud help for details.

NOTES
This command is currently in beta and might change without notice. These variants are also available:
gcloud container clusters update
gcloud alpha container clusters update

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-11-18 UTC.