gcloud beta run deploy - create or update a Cloud Run service

gcloud beta run deploy[[SERVICE]--namespace=NAMESPACE][--[no-]allow-unauthenticated][--async][--breakglass=JUSTIFICATION][--clear-vpc-connector][--concurrency=CONCURRENCY][--container=CONTAINER][--[no-]cpu-boost][--[no-]cpu-throttling][--[no-]default-url][--[no-]deploy-health-check][--description=DESCRIPTION][--execution-environment=EXECUTION_ENVIRONMENT][--gpu-type=GPU_TYPE][--[no-]gpu-zonal-redundancy][--[no-]iap][--ingress=INGRESS; default="all"][--[no-]invoker-iam-check][--max=MAX][--max-instances=MAX_INSTANCES][--mesh=MESH][--min=MIN][--min-instances=MIN_INSTANCES][--region=REGION][--regions=REGIONS][--remove-containers=[CONTAINER,…]][--revision-suffix=REVISION_SUFFIX][--scaling=SCALING][--service-account=SERVICE_ACCOUNT][--[no-]session-affinity][--tag=TAG][--timeout=TIMEOUT][--no-traffic][--vpc-connector=VPC_CONNECTOR][--vpc-egress=VPC_EGRESS][--add-cloudsql-instances=[CLOUDSQL-INSTANCES,…]    |--clear-cloudsql-instances    |--remove-cloudsql-instances=[CLOUDSQL-INSTANCES,…]    |--set-cloudsql-instances=[CLOUDSQL-INSTANCES,…]][--add-custom-audiences=[CUSTOM-AUDIENCES,…]    |--clear-custom-audiences    |--remove-custom-audiences=[CUSTOM-AUDIENCES,…]    |--set-custom-audiences=[CUSTOM-AUDIENCES,…]][--add-volume=[KEY=VALUE,…]--clear-volumes--remove-volume=[VOLUME,…]][--add-volume-mount=[volume=NAME,mount-path=MOUNT_PATH,…]--args=[ARG,…]--[no-]automatic-updates--clear-volume-mounts--cpu=CPU--depends-on=[CONTAINER,…]--gpu=GPU--liveness-probe=[KEY=VALUE,…]--memory=MEMORY--port=PORT--readiness-probe=[KEY=VALUE,…]--remove-volume-mount=[MOUNT_PATH,…]--startup-probe=[KEY=VALUE,…]--[no-]use-http2--base-image=BASE_IMAGE    |--clear-base-image--build-env-vars-file=FILE_PATH    |--clear-build-env-vars    |--set-build-env-vars=[KEY=VALUE,…]    |--remove-build-env-vars=[KEY,…]--update-build-env-vars=[KEY=VALUE,…]--build-service-account=BUILD_SERVICE_ACCOUNT    |--clear-build-service-account--build-worker-pool=BUILD_WORKER_POOL    |--clear-build-worker-pool--clear-env-vars    |--env-vars-file=FILE_PATH    |--set-env-vars=[KEY=VALUE,…]    |--remove-env-vars=[KEY,…]--update-env-vars=[KEY=VALUE,…]--clear-secrets    |--set-secrets=[KEY=VALUE,…]    |--remove-secrets=[KEY,…]--update-secrets=[KEY=VALUE,…]--command=[COMMAND,…]    |--function=FUNCTION--no-build--image=IMAGE--source=SOURCE][--binary-authorization=POLICY    |--clear-binary-authorization][--clear-encryption-key-shutdown-hours    |--encryption-key-shutdown-hours=ENCRYPTION_KEY_SHUTDOWN_HOURS][--clear-key    |--key=KEY][--clear-labels    |--remove-labels=[KEY,…]--labels=[KEY=VALUE,…]    |--update-labels=[KEY=VALUE,…]][--clear-network    |--network=NETWORK--subnet=SUBNET--clear-network-tags    |--network-tags=[TAG,…]][--clear-post-key-revocation-action-type    |--post-key-revocation-action-type=POST_KEY_REVOCATION_ACTION_TYPE][GCLOUD_WIDE_FLAG …]

gcloudbetarundeploymy-backend--image=us-docker.pkg.dev/project/image

You may also omit the service name. Then a prompt will be displayed with asuggested default value:

gcloudbetarundeploy--image=us-docker.pkg.dev/project/image

To deploy to Cloud Run on Kubernetes Engine, you need to specify a cluster:

gcloudbetarundeploy--image=us-docker.pkg.dev/project/image--cluster=my-cluster

Service resource - Service to deploy to. The arguments in this group can be usedto specify the attributes of this resource.

[SERVICE]

ID of the service or fully qualified identifier for the service.

To set theservice attribute:

• provide the argumentSERVICE on the command line;
• specify the service name from an interactive prompt.

--namespace=NAMESPACE

Specific to Cloud Run for Anthos: Kubernetes namespace for the service.

To set thenamespace attribute:

• provide the argumentSERVICE on the command line with a fullyspecified name;
• specify the service name from an interactive prompt with a fully specified name;
• provide the argument--namespace on the command line;
• set the propertyrun/namespace;
• For Cloud Run on Kubernetes Engine, defaults to "default". Otherwise, defaultsto project ID.;
• provide the argumentproject on the command line;
• set the propertycore/project.

--[no-]allow-unauthenticated

Whether to enable allowing unauthenticated access to the service. This may takea few moments to take effect. Use--allow-unauthenticated to enableand--no-allow-unauthenticated to disable.

--async

Return immediately, without waiting for the operation in progress to complete.

--breakglass=JUSTIFICATION

Justification to bypass Binary Authorization policy constraints and allow theoperation. Seehttps://cloud.google.com/binary-authorization/docs/using-breakglassfor more information. Next update or deploy command will automatically clearexisting breakglass justification.

--clear-vpc-connector

Remove the VPC connector for this resource.

--concurrency=CONCURRENCY

Set the maximum number of concurrent requests allowed per container instance.Leave concurrency unspecified or provide the special value 'default' to receivethe server default value.

--container=CONTAINER

Specifies a container by name. Flags following --container will apply to thespecified container.

Flags that are not container-specific must be specified before --container.

--[no-]cpu-boost

Whether to allocate extra CPU to containers on startup to reduce the perceivedlatency of a cold start request. Enabled by default when unspecified on newservices. Use--cpu-boost to enable and--no-cpu-boostto disable.

--[no-]cpu-throttling

Whether to throttle the CPU when the container is not actively serving requests.Use--cpu-throttling to enable and--no-cpu-throttlingto disable.

--[no-]default-url

Toggles the default url for a run service. This is enabled by default if notspecified. Use--default-url to enable and--no-default-url to disable.

--[no-]deploy-health-check

Schedules a single instance of the Revision and waits for it to pass its startupprobe for the deployment to succeed. If disabled, the startup probe runs onlywhen the revision is first started via invocation or by setting min-instances.This check is enabled by default when unspecified. Use--deploy-health-check to enable and--no-deploy-health-check to disable.

--description=DESCRIPTION

Provides an optional, human-readable description of the service.

--execution-environment=EXECUTION_ENVIRONMENT

Selects the execution environment where the application will run.EXECUTION_ENVIRONMENT must be one of:

gen1

Run the application in a first generation execution environment.

gen2

Run the application in a second generation execution environment.

--gpu-type=GPU_TYPE

The GPU type to use.

--[no-]gpu-zonal-redundancy

Set GPU zonal redundancy. Use--gpu-zonal-redundancy to enable and--no-gpu-zonal-redundancy to disable.

--[no-]iap

Whether to enable IAP for the Service. Use--iap to enable and--no-iap to disable.

--ingress=INGRESS; default="all"

Set the ingress traffic sources allowed to call the service. For Cloud Run the--[no-]allow-unauthenticated flag separately controls theidentities allowed to call the service.INGRESS must beone of:

all

Inbound requests from all sources are allowed.

internal

For Cloud Run, only inbound requests from VPC networks in the same project orVPC Service Controls perimeter, as well as Pub/Sub subscriptions and Eventarcevents in the same project or VPC Service Controls perimeter are allowed. Allother requests are rejected. Seehttps://cloud.google.com/run/docs/securing/ingressfor full details on the definition of internal traffic for Cloud Run.

internal-and-cloud-load-balancing

Only inbound requests from Google Cloud Load Balancing or a traffic sourceallowed by the internal option are allowed.

--[no-]invoker-iam-check

Optionally disable invoker IAM checks. This feature is available by invitationonly. More info athttps://cloud.google.com/run/docs/securing/managing-access#invoker_check.Use--invoker-iam-check to enable and--no-invoker-iam-check to disable.

--max=MAX

The maximum number of container instances to run for this Service. This instancelimit will be divided among all Revisions receiving a percentage of traffic andcan be modified without deploying a new Revision.

--max-instances=MAX_INSTANCES

The maximum number of container instances for this Revision to run or 'default'to remove. This setting is immutably set on each new Revision and modifying itsvalue will deploy another Revision.

--mesh=MESH

Enables Cloud Service Mesh using the specified mesh resource name. Mesh resourcename must be in the format of projects/PROJECT/locations/global/meshes/MESH_NAMEor MESH_NAME. Will default to the current project if only MESH_NAME is provided.

--min=MIN

The minimum number of container instances to run for this Service or 'default'to remove. These instances will be divided among all Revisions receiving apercentage of traffic and can be modified without deploying a new Revision.

--min-instances=MIN_INSTANCES

The minimum number of container instances to run for this Revision or 'default'to remove. This setting is immutably set on each new Revision and modifying itsvalue will deploy a another Revision. Consider using --min to set the minimumnumber of instances across all revisions of the Service which may be modifieddynamically.

--region=REGION

Region in which the resource can be found. Alternatively, set the property[run/region].

--regions=REGIONS

Comma-separated list of regions in which the multi-region Service can be found.

--remove-containers=[CONTAINER,…]

List of containers to remove.

--revision-suffix=REVISION_SUFFIX

Specify the suffix of the revision name. Revision names always start with theservice name automatically. For example, specifying [--revision-suffix=v1] for aservice named 'helloworld', would lead to a revision named 'helloworld-v1'. Setempty string to clear the suffix and resume server-assigned naming.

--scaling=SCALING

The scaling mode to use for this resource. Flag value could be either "auto" forautomatic scaling, or a positive integer to configure manual scaling with thegiven integer as a fixed instance count.

--service-account=SERVICE_ACCOUNT

the email address of an IAM service account associated with the revision of theservice. The service account represents the identity of the running revision,and determines what permissions the revision has.

--[no-]session-affinity

Whether to enable session affinity for connections to the service. Use--session-affinity to enable and--no-session-affinityto disable.

--tag=TAG

Traffic tag to assign to the newly created revision.

--timeout=TIMEOUT

Set the maximum request execution time (timeout). It is specified as a duration;for example, "10m5s" is ten minutes, and five seconds. If you don't specify aunit, seconds is assumed. For example, "10" is 10 seconds.

--no-traffic

True to avoid sending traffic to the revision being deployed. Setting this flagassigns any traffic assigned to the LATEST revision to the specific revisionbound to LATEST before the deployment. The effect is that the revision beingdeployed will not receive traffic.

After a deployment with this flag the LATEST revision will not receive trafficon future deployments. To restore sending traffic to the LATEST revision bydefault, run thegcloud run servicesupdate-traffic command with--to-latest.

--vpc-connector=VPC_CONNECTOR

Set a VPC connector for this resource.

--vpc-egress=VPC_EGRESS

Specify which of the outbound traffic to send through Direct VPC egress or theVPC connector for this resource. This resource must have Direct VPC egressenabled or a VPC connector to set this flag.VPC_EGRESSmust be one of:

all

(DEPRECATED) Sends all outbound traffic through Direct VPC egress or the VPCconnector. Provides the same functionality as 'all-traffic'. Prefer to use'all-traffic' instead.

all-traffic

Sends all outbound traffic through Direct VPC egress or the VPC connector.

private-ranges-only

Default option. Sends outbound traffic to private IP addresses (RFC 1918 andPrivate Google Access IPs) through Direct VPC egress or the VPC connector.

Traffic to other Cloud Run services might require additional configuration. Seehttps://cloud.google.com/run/docs/securing/private-networking#send_requests_to_other_services_and_servicesfor more information.

These flags modify the Cloud SQL instances this Service connects to. You canspecify a name of a Cloud SQL instance if it's in the same project and region asyour Cloud Run service; otherwise specify<project>:<region>:<instance> for the instance.

At most one of these can be specified:

--add-cloudsql-instances=[CLOUDSQL-INSTANCES,…]

Append the given values to the current Cloud SQL instances.

--clear-cloudsql-instances

Empty the current Cloud SQL instances.

--remove-cloudsql-instances=[CLOUDSQL-INSTANCES,…]

Remove the given values from the current Cloud SQL instances.

--set-cloudsql-instances=[CLOUDSQL-INSTANCES,…]

Completely replace the current Cloud SQL instances with the given values.

These flags modify the custom audiences that can be used in the audience fieldof ID token for authenticated requests.

At most one of these can be specified:

--add-custom-audiences=[CUSTOM-AUDIENCES,…]

Append the given values to the current custom audiences.

--clear-custom-audiences

Empty the current custom audiences.

--remove-custom-audiences=[CUSTOM-AUDIENCES,…]

Remove the given values from the current custom audiences.

--set-custom-audiences=[CUSTOM-AUDIENCES,…]

Completely replace the current custom audiences with the given values.

--add-volume=[KEY=VALUE,…]

Adds a volume to the Cloud Run resource. To add more than one volume, specifythis flag multiple times. Volumes must have atype key. Volumesmust have aname key ifmount-path is not specified. Aname key is optional ifmount-path is specified.Onlycertain values are supported fortype. Depending on the providedtype, other keys will be required. The following types are supported with thespecified additional keys:

cloud-storage: A volume representing a Cloud Storage bucket. Thisvolume type is mounted using Cloud Storage FUSE. Seehttps://cloud.google.com/storage/docs/gcs-fusefor the details and limitations of this filesystem. Additional keys:

• bucket: (required) the name of the bucket to use as the source of this volume
• readonly: (optional) A boolean. If true, this volume will be read-only from allmounts.
• mount-options: (optional) A list of flags to pass to GCSFuse. Flags should bespecified without leading dashes and separated by semicolons.
• mount-path: (optional) The path at which the volume should be mounted. Themount-path parameter is only supported for single containerservices which do not make use of the --container flag. For multi-containerservices, specify themount-path parameter under the--add-volume-mount flag.

in-memory: An ephemeral volume that stores data in the instance'smemory. With this type of volume, data is not shared between instances and alldata will be lost when the instance it is on is terminated. Additional keys:

• mount-path: (optional) The path at which the volume should be mounted. Themount-path parameter is only supported for single containerservices which do not make use of the --container flag. For multi-containerservices, specify themount-path parameter under the--add-volume-mount flag.
• size-limit: (optional) A quantity representing the maximum amount of memoryallocated to this volume, such as "512Mi" or "3G". Data stored in an in-memoryvolume consumes the memory allocation of the container that wrote the data. Ifsize-limit is not specified, the maximum size will be half the total memorylimit of all containers.

nfs: Represents a volume backed by an NFS server. Additional keys:

• location: (required) The location of the NFS Server, in the form SERVER:/PATH
• mount-path: (optional) The path at which the volume should be mounted. Themount-path parameter is only supported for single containerservices which do not make use of the --container flag. For multi-containerservices, specify themount-path parameter under the--add-volume-mount flag.
• readonly: (optional) A boolean. If true, this volume will be read-only from allmounts.

--clear-volumes

Remove all existing volumes from the Cloud Run resource, including volumesmounted as secrets

--remove-volume=[VOLUME,…]

Removes volumes from the Cloud Run resource.

The following flags apply to a single container. If the --container flag isspecified these flags may only be specified after a --container flag. Otherwisethey will apply to the primary ingress container.

--add-volume-mount=[volume=NAME,mount-path=MOUNT_PATH,…]

Adds a mount to the current container. Must contain the keysvolume=NAME andmount-path=/PATH where NAME is thename of a volume on this resource and PATH is the path within the container'sfilesystem to mount this volume.

--args=[ARG,…]

Comma-separated arguments passed to the command run by the container image. Ifnot specified and no '--command' is provided, the container image's default Cmdis used. Otherwise, if not specified, no arguments are passed. To reset thisfield to its default, pass an empty string.

--[no-]automatic-updates

Indicates whether automatic base image updates should be enabled for an imagebuilt from source. Use--automatic-updates to enable and--no-automatic-updates to disable.

--clear-volume-mounts

Remove all existing mounts from the current container.

--cpu=CPU

Set a CPU limit in Kubernetes cpu units.

Cloud Run supports values fractional values below 1, 1, 2, 4, and 8. Some CPUvalues requires a minimum Memory--memory value.

--depends-on=[CONTAINER,…]

List of container dependencies to add to the current container.

--gpu=GPU

Cloud Run supports values 0 or 1. 1 gpu also requires a minimum 4--cpu value and a minimum 16Gi--memory value.

--liveness-probe=[KEY=VALUE,…]

Comma separated settings for liveness probe in the form KEY=VALUE. Each keystands for a field of the probe described inhttps://cloud.google.com/run/docs/reference/rest/v1/Container#Probe.Currently supported keys are: initialDelaySeconds, timeoutSeconds,periodSeconds, failureThreshold, httpGet.port, httpGet.path, grpc.port,grpc.service.

For example, to set a probe with 10s timeout and HTTP probe requests sent to8080 port of the container:

--liveness-probe=timeoutSeconds=10,httpGet.port=8080

To remove existing probe:

--liveness-probe=""

--memory=MEMORY

Set a memory limit. Ex: 1024Mi, 4Gi.

--port=PORT

Container port to receive requests at. Also sets the $PORT environment variable.Must be a number between 1 and 65535, inclusive. To unset this field, pass thespecial value "default". If updating an existing service with a TCP startupprobe pointing to the previous container port, this will also update the probeport.

--readiness-probe=[KEY=VALUE,…]

Comma separated settings for readiness probe in the form KEY=VALUE. Each keystands for a field of the probe described inhttps://cloud.google.com/run/docs/reference/rest/v1/Container#Probe.Currently supported keys are: timeoutSeconds, periodSeconds, failureThreshold,successThreshold, httpGet.port, httpGet.path, grpc.port, grpc.service.

For example, to set a probe with 10s timeout and HTTP probe requests sent to8080 port of the container:

--readiness-probe=timeoutSeconds=10,httpGet.port=8080

To remove existing probe:

--readiness-probe=""

--remove-volume-mount=[MOUNT_PATH,…]

Removes the volume mounted at the specified path from the current container.

--startup-probe=[KEY=VALUE,…]

Comma separated settings for startup probe in the form KEY=VALUE. Each keystands for a field of the probe described inhttps://cloud.google.com/run/docs/reference/rest/v1/Container#Probe.Currently supported keys are: initialDelaySeconds, timeoutSeconds,periodSeconds, failureThreshold, httpGet.port, httpGet.path, grpc.port,grpc.service, tcpSocket.port.

For example, to set a probe with 10s timeout and HTTP probe requests sent to8080 port of the container:

--startup-probe=timeoutSeconds=10,httpGet.port=8080

To remove existing probe:

--startup-probe=""

--[no-]use-http2

Whether to use HTTP/2 for connections to the service. Use--use-http2 to enable and--no-use-http2 to disable.

At most one of these can be specified:

--base-image=BASE_IMAGE

Specifies the base image to be used for automatic base image updates. Whendeploying from source using the Google Cloud buildpacks, this flag will alsooverride the base image used for the application image. Seehttps://cloud.google.com/run/docs/configuring/services/automatic-base-image-updatesfor more details.

--clear-base-image

Opts out of automatic base image updates.

At most one of these can be specified:

--build-env-vars-file=FILE_PATH

Path to a local YAML file with definitions for all build environment variables.All existing build environment variables will be removed before the new buildenvironment variables are added. Example YAML content:

KEY_1:"value1"KEY_2:"value 2"

--clear-build-env-vars

Remove all build environment variables.

--set-build-env-vars=[KEY=VALUE,…]

List of key-value pairs to set as build environment variables. All existingbuild environment variables will be removed first.

Only --update-build-env-vars and --remove-build-env-vars can be used together.If both are specified, --remove-build-env-vars will be applied first.

--remove-build-env-vars=[KEY,…]

List of build environment variables to be removed.

--update-build-env-vars=[KEY=VALUE,…]

List of key-value pairs to set as build environment variables.

At most one of these can be specified:

--build-service-account=BUILD_SERVICE_ACCOUNT

Specifies the service account to use to execute the build. Applies only tosource deploy builds using the Build API.

--clear-build-service-account

Clears the Cloud Build service account field.

At most one of these can be specified:

--build-worker-pool=BUILD_WORKER_POOL

Name of the Cloud Build Custom Worker Pool that should be used to build thefunction. The format of this field isprojects/${PROJECT}/locations/${LOCATION}/workerPools/${WORKERPOOL}where ${PROJECT} is the project id and ${LOCATION} is the location where theworker pool is defined and ${WORKERPOOL} is the short name of the worker pool.

--clear-build-worker-pool

Clears the Cloud Build Custom Worker Pool field.

At most one of these can be specified:

--clear-env-vars

Remove all environment variables.

--env-vars-file=FILE_PATH

Path to a local YAML or ENV file with definitions for all environment variables.All existing environment variables will be removed before the new environmentvariables are added. Example YAML content:

KEY_1:"value1"KEY_2:"value 2"ExampleENVcontent:

KEY_1="value1"KEY_2="value 2"

--set-env-vars=[KEY=VALUE,…]

List of key-value pairs to set as environment variables. All existingenvironment variables will be removed first.

Only --update-env-vars and --remove-env-vars can be used together. If both arespecified, --remove-env-vars will be applied first.

--remove-env-vars=[KEY,…]

List of environment variables to be removed.

--update-env-vars=[KEY=VALUE,…]

List of key-value pairs to set as environment variables.

Specify secrets to mount or provide as environment variables. Keys starting witha forward slash '/' are mount paths. All other keys correspond to environmentvariables. Values should be in the form SECRET_NAME:SECRET_VERSION. For example:'--update-secrets=/secrets/api/key=mysecret:latest,ENV=othersecret:1' will mounta volume at '/secrets/api' containing a file 'key' with the latest version ofsecret 'mysecret'. An environment variable named ENV will also be created whosevalue is version 1 of secret 'othersecret'.

At most one of these can be specified:

--clear-secrets

Remove all secrets.

--set-secrets=[KEY=VALUE,…]

List of key-value pairs to set as secrets. All existing secrets will be removedfirst.

Only --update-secrets and --remove-secrets can be used together. If both arespecified, --remove-secrets will be applied first.

--remove-secrets=[KEY,…]

List of secrets to be removed.

--update-secrets=[KEY=VALUE,…]

List of key-value pairs to set as secrets.

At most one of these can be specified:

--command=[COMMAND,…]

Entrypoint for the container image. If not specified, the container image'sdefault Entrypoint is run. To reset this field to its default, pass an emptystring.

--function=FUNCTION

Specifies that the deployed object is a function. If a value is provided, thatvalue is used as the entrypoint.

--no-build

When set, the cloud build step will be skipped and the provided source code willbe extracted directly on the base image. Your source code must contain all thedependencies for your application. Seehttps://cloud.google.com/run/docs/deploying-source-codefor more details.

--image=IMAGE

Name of the container image to deploy (e.g.us-docker.pkg.dev/cloudrun/container/hello:latest). When used with--source, the image must be the URI of an Artifact Registry Docker repository inthe Docker format ($REGION-docker.pkg.dev/$PROJECT/$REPOSITORY") or($REGION-docker.pkg.dev/$PROJECT/$REPOSITORY/$IMAGE_NAME"). The image name mustbe the same as the name of the service.

--source=SOURCE

The location of the source to build. If a Dockerfile is present in the sourcecode directory, it will be built using that Dockerfile, otherwise it will useGoogle Cloud buildpacks. Seehttps://cloud.google.com/run/docs/deploying-source-codefor more details. The location can be a directory on a local disk or a gzippedarchive file (.tar.gz) in Google Cloud Storage. If the source is a localdirectory, this command skips the files specified in the--ignore-file. If--ignore-file is not specified, use.gcloudignore file. If a.gcloudignore file is absentand a.gitignore file is present in the local source directory,gcloud will use a generated Git-compatible.gcloudignore file thatrespects your .gitignored files. The global.gitignore is notrespected. For more information on.gcloudignore, seegcloud topicgcloudignore.

At most one of these can be specified:

--binary-authorization=POLICY

Binary Authorization policy to check against. This must be set to "default".

--clear-binary-authorization

Remove any previously set Binary Authorization policy.

At most one of these can be specified:

--clear-encryption-key-shutdown-hours

Remove any previously set CMEK key shutdown hours setting.

--encryption-key-shutdown-hours=ENCRYPTION_KEY_SHUTDOWN_HOURS

The number of hours to wait before an automatic shutdown server after CMEK keyrevocation is detected.

At most one of these can be specified:

--clear-key

Remove any previously set CMEK key reference.

--key=KEY

CMEK key reference to encrypt the container with.

At most one of these can be specified:

--clear-labels

Remove all labels. If--update-labels is also specified then--clear-labels is applied first.

For example, to remove all labels:

gcloudbetarundeploy--clear-labels

To remove all existing labels and create two new labels,foo andbaz:

gcloudbetarundeploy--clear-labels--update-labelsfoo=bar,baz=qux

--remove-labels=[KEY,…]

List of label keys to remove. If a label does not exist it is silently ignored.If--update-labels is also specified then--update-labels is applied first.

At most one of these can be specified:

--labels=[KEY=VALUE,…]

List of label KEY=VALUE pairs to add.

An alias to --update-labels.

--update-labels=[KEY=VALUE,…]

List of label KEY=VALUE pairs to update. If a label exists, its value ismodified. Otherwise, a new label is created.

At most one of these can be specified:

--clear-network

Disconnect this Cloud Run service from the VPC network it is connected to.

Direct VPC egress setting flags group.

--network=NETWORK

The VPC network that the Cloud Run service will be able to send traffic to. If--subnet is also specified, subnet must be a subnetwork of the network specifiedby this --network flag. To clear existing VPC network settings, use--clear-network.

--subnet=SUBNET

The VPC subnetwork that the Cloud Run service will get IPs from. The subnetworkmust be/26 or larger. If --network is also specified, subnet mustbe a subnetwork of the network specified by the --network flag. If --network isnot specified, network will be looked up from this subnetwork. To clear existingVPC network settings, use --clear-network.

At most one of these can be specified:

--clear-network-tags

Clears all existing network tags from the Cloud Run service.

--network-tags=[TAG,…]

Applies the given network tags (comma separated) to the Cloud Run service. Toclear existing tags, use --clear-network-tags.

At most one of these can be specified:

--clear-post-key-revocation-action-type

Remove any previously set post CMEK key revocation action type.

--post-key-revocation-action-type=POST_KEY_REVOCATION_ACTION_TYPE

Action type after CMEK key revocation.POST_KEY_REVOCATION_ACTION_TYPE must be one of:

prevent-new

No new instances will be started after CMEK key revocation.

shut-down

No new instances will be started and the existing instances will be shut downafter CMEK key revocation.

Run$gcloud help for details.