File: //snap/google-cloud-cli/current/help/man/man1/gcloud_beta_container_clusters_create-auto.1
.TH "GCLOUD_BETA_CONTAINER_CLUSTERS_CREATE\-AUTO" 1
.SH "NAME"
.HP
gcloud beta container clusters create\-auto \- create an Autopilot cluster for running containers
.SH "SYNOPSIS"
.HP
\f5gcloud beta container clusters create\-auto\fR \fINAME\fR [\fB\-\-anonymous\-authentication\-config\fR=\fIANONYMOUS_AUTHENTICATION_CONFIG\fR] [\fB\-\-async\fR] [\fB\-\-auto\-monitoring\-scope\fR=\fIAUTO_MONITORING_SCOPE\fR] [\fB\-\-autoprovisioning\-enable\-insecure\-kubelet\-readonly\-port\fR] [\fB\-\-autoprovisioning\-network\-tags\fR=\fITAGS\fR,[\fITAGS\fR,...]] [\fB\-\-autoprovisioning\-resource\-manager\-tags\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-boot\-disk\-kms\-key\fR=\fIBOOT_DISK_KMS_KEY\fR] [\fB\-\-cluster\-ipv4\-cidr\fR=\fICLUSTER_IPV4_CIDR\fR] [\fB\-\-cluster\-secondary\-range\-name\fR=\fINAME\fR] [\fB\-\-cluster\-version\fR=\fICLUSTER_VERSION\fR] [\fB\-\-containerd\-config\-from\-file\fR=\fIPATH_TO_FILE\fR] [\fB\-\-create\-subnetwork\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-database\-encryption\-key\fR=\fIDATABASE_ENCRYPTION_KEY\fR] [\fB\-\-disable\-l4\-lb\-firewall\-reconciliation\fR] [\fB\-\-enable\-authorized\-networks\-on\-private\-endpoint\fR] [\fB\-\-enable\-auto\-ipam\fR] [\fB\-\-enable\-backup\-restore\fR] [\fB\-\-enable\-cilium\-clusterwide\-network\-policy\fR] [\fB\-\-enable\-confidential\-nodes\fR] [\fB\-\-enable\-default\-compute\-class\fR] [\fB\-\-enable\-dns\-access\fR] [\fB\-\-enable\-fleet\fR] [\fB\-\-enable\-google\-cloud\-access\fR] [\fB\-\-enable\-ip\-access\fR] [\fB\-\-enable\-k8s\-certs\-via\-dns\fR] [\fB\-\-enable\-k8s\-tokens\-via\-dns\fR] [\fB\-\-enable\-kubernetes\-unstable\-apis\fR=\fIAPI\fR,[\fIAPI\fR,...]] [\fB\-\-enable\-legacy\-lustre\-port\fR] [\fB\-\-enable\-lustre\-csi\-driver\fR] [\fB\-\-enable\-master\-global\-access\fR] [\fB\-\-enable\-multi\-networking\fR] [\fB\-\-enable\-ray\-cluster\-logging\fR] [\fB\-\-enable\-ray\-cluster\-monitoring\fR] [\fB\-\-enable\-ray\-operator\fR] [\fB\-\-fleet\-project\fR=\fIPROJECT_ID_OR_NUMBER\fR] [\fB\-\-hpa\-profile\fR=\fIHPA_PROFILE\fR] [\fB\-\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]] [\fB\-\-logging\fR=[\fICOMPONENT\fR,...]] [\fB\-\-membership\-type\fR=\fIMEMBERSHIP_TYPE\fR] 
[\fB\-\-monitoring\fR=[\fICOMPONENT\fR,...]] [\fB\-\-network\fR=\fINETWORK\fR] [\fB\-\-private\-endpoint\-subnetwork\fR=\fINAME\fR] [\fB\-\-release\-channel\fR=\fICHANNEL\fR] [\fB\-\-security\-group\fR=\fISECURITY_GROUP\fR] [\fB\-\-security\-posture\fR=\fISECURITY_POSTURE\fR] [\fB\-\-services\-ipv4\-cidr\fR=\fICIDR\fR] [\fB\-\-services\-secondary\-range\-name\fR=\fINAME\fR] [\fB\-\-subnetwork\fR=\fISUBNETWORK\fR] [\fB\-\-tier\fR=\fITIER\fR] [\fB\-\-workload\-policies\fR=\fIWORKLOAD_POLICIES\fR] [\fB\-\-workload\-vulnerability\-scanning\fR=\fIWORKLOAD_VULNERABILITY_SCANNING\fR] [\fB\-\-additive\-vpc\-scope\-dns\-domain\fR=\fIADDITIVE_VPC_SCOPE_DNS_DOMAIN\fR\ |\ \fB\-\-disable\-additive\-vpc\-scope\fR] [\fB\-\-aggregation\-ca\fR=\fICA_POOL_PATH\fR\ \fB\-\-cluster\-ca\fR=\fICA_POOL_PATH\fR\ \fB\-\-control\-plane\-disk\-encryption\-key\fR=\fIKEY\fR\ \fB\-\-etcd\-api\-ca\fR=\fICA_POOL_PATH\fR\ \fB\-\-etcd\-peer\-ca\fR=\fICA_POOL_PATH\fR\ \fB\-\-gkeops\-etcd\-backup\-encryption\-key\fR=\fIKEY\fR\ \fB\-\-service\-account\-signing\-keys\fR=\fIKEY_VERSION\fR,[\fIKEY_VERSION\fR,...]\ \fB\-\-service\-account\-verification\-keys\fR=\fIKEY_VERSION\fR,[\fIKEY_VERSION\fR,...]] [\fB\-\-binauthz\-evaluation\-mode\fR=\fIBINAUTHZ_EVALUATION_MODE\fR\ \fB\-\-binauthz\-policy\-bindings\fR=[\fIname\fR=\fIBINAUTHZ_POLICY\fR]] [\fB\-\-dataplane\-v2\-observability\-mode\fR=\fIDATAPLANE_V2_OBSERVABILITY_MODE\fR\ |\ \fB\-\-disable\-dataplane\-v2\-flow\-observability\fR\ |\ \fB\-\-enable\-dataplane\-v2\-flow\-observability\fR] [\fB\-\-enable\-insecure\-binding\-system\-authenticated\fR\ \fB\-\-enable\-insecure\-binding\-system\-unauthenticated\fR] [\fB\-\-enable\-master\-authorized\-networks\fR\ \fB\-\-master\-authorized\-networks\fR=\fINETWORK\fR,[\fINETWORK\fR,...]] [\fB\-\-enable\-private\-endpoint\fR\ \fB\-\-enable\-private\-nodes\fR\ \fB\-\-master\-ipv4\-cidr\fR=\fIMASTER_IPV4_CIDR\fR] [\fB\-\-enable\-secret\-manager\fR\ \fB\-\-enable\-secret\-manager\-rotation\fR\ 
\fB\-\-secret\-manager\-rotation\-interval\fR=\fISECRET_MANAGER_ROTATION_INTERVAL\fR] [\fB\-\-enable\-secret\-sync\fR\ \fB\-\-enable\-secret\-sync\-rotation\fR\ \fB\-\-secret\-sync\-rotation\-interval\fR=\fISECRET_SYNC_ROTATION_INTERVAL\fR] [\fB\-\-location\fR=\fILOCATION\fR\ |\ \fB\-\-region\fR=\fIREGION\fR\ |\ \fB\-\-zone\fR=\fIZONE\fR,\ \fB\-z\fR\ \fIZONE\fR] [\fB\-\-scopes\fR=[\fISCOPE\fR,...];\ default="gke\-default"\ \fB\-\-service\-account\fR=\fISERVICE_ACCOUNT\fR] [\fIGCLOUD_WIDE_FLAG\ ...\fR]
.SH "DESCRIPTION"
\fB(BETA)\fR Create an Autopilot cluster for running containers.
.SH "EXAMPLES"
To create a cluster with the default configuration, run:
.RS 2m
$ gcloud beta container clusters create\-auto sample\-cluster
.RE
.SH "POSITIONAL ARGUMENTS"
.RS 2m
.TP 2m
\fINAME\fR
The name of the cluster to create.
The name may contain only lowercase alphanumerics and '\-', must start with a
letter and end with an alphanumeric, and must be no longer than 40 characters.
.RE
.sp
.SH "FLAGS"
.RS 2m
.TP 2m
\fB\-\-anonymous\-authentication\-config\fR=\fIANONYMOUS_AUTHENTICATION_CONFIG\fR
Enable or restrict anonymous access to the cluster. When enabled, anonymous
users will be authenticated as system:anonymous with the group
system:unauthenticated. Limiting access restricts anonymous access to only the
health check endpoints /readyz, /livez, and /healthz.
\fIANONYMOUS_AUTHENTICATION_CONFIG\fR must be one of:
.RS 2m
.TP 2m
\fBENABLED\fR
\'ENABLED' enables anonymous calls.
.TP 2m
\fBLIMITED\fR
\'LIMITED' restricts anonymous access to the cluster. Only calls to the health
check endpoints are allowed anonymously; all other calls are rejected.
.RE
.sp
.TP 2m
\fB\-\-async\fR
Return immediately, without waiting for the operation in progress to complete.
.TP 2m
\fB\-\-auto\-monitoring\-scope\fR=\fIAUTO_MONITORING_SCOPE\fR
Enables Auto\-Monitoring for a specific scope within the cluster. ALL: Enables
Auto\-Monitoring for all supported workloads within the cluster. NONE: Disables
Auto\-Monitoring. \fIAUTO_MONITORING_SCOPE\fR must be one of: \fBALL\fR,
\fBNONE\fR.
.TP 2m
\fB\-\-autoprovisioning\-enable\-insecure\-kubelet\-readonly\-port\fR
Enables the Kubelet's insecure read\-only port for auto\-provisioned node pools.
If not set, the value from nodePoolDefaults.nodeConfigDefaults is used. The
read\-only port serves node and pod metadata without authentication, so leave it
disabled unless a workload depends on it.
To disable the read\-only port, use
\f5\-\-no\-autoprovisioning\-enable\-insecure\-kubelet\-readonly\-port\fR.
.TP 2m
\fB\-\-autoprovisioning\-network\-tags\fR=\fITAGS\fR,[\fITAGS\fR,...]
Applies the given Compute Engine tags (comma separated) on all nodes in the
auto\-provisioned node pools of the new Standard cluster or the new Autopilot
cluster.
Examples:
.RS 2m
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-autoprovisioning\-network\-tags=tag1,tag2
.RE
New nodes in auto\-provisioned node pools, including ones created by resize or
recreate, will have these tags on the Compute Engine API instance object and can
be used in firewall rules. See
https://cloud.google.com/sdk/gcloud/reference/compute/firewall\-rules/create for
examples.
.TP 2m
\fB\-\-autoprovisioning\-resource\-manager\-tags\fR=[\fIKEY\fR=\fIVALUE\fR,...]
Applies the specified comma\-separated resource manager tags that have the
GCE_FIREWALL purpose to all nodes in the new Autopilot cluster or to all
auto\-provisioned nodes in the new Standard cluster.
Examples:
.RS 2m
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-autoprovisioning\-resource\-manager\-tags=tagKeys/\e
1234=tagValues/2345
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-autoprovisioning\-resource\-manager\-tags=my\-project/key1=value1
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-autoprovisioning\-resource\-manager\-tags=12345/key1=value1,\e
23456/key2=value2
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-autoprovisioning\-resource\-manager\-tags=
.RE
All nodes in an Autopilot cluster or all auto\-provisioned nodes in a Standard
cluster, including nodes that are resized or re\-created, will have the
specified tags on the corresponding Instance object in the Compute Engine API.
You can reference these tags in network firewall policy rules. For instructions,
see https://cloud.google.com/firewall/docs/use\-tags\-for\-firewalls.
.TP 2m
\fB\-\-boot\-disk\-kms\-key\fR=\fIBOOT_DISK_KMS_KEY\fR
The Customer Managed Encryption Key used to encrypt the boot disk attached to
each node in the node pool. This should be of the form
projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME].
For more information about protecting resources with Cloud KMS Keys please see:
https://cloud.google.com/compute/docs/disks/customer\-managed\-encryption
.TP 2m
\fB\-\-cluster\-ipv4\-cidr\fR=\fICLUSTER_IPV4_CIDR\fR
The IP address range for the pods in this cluster in CIDR notation (e.g.
10.0.0.0/14). Prior to Kubernetes version 1.7.0 this must be a subset of
10.0.0.0/8; starting with version 1.7.0 it can be any RFC 1918 IP range.
If you omit this option, a range is chosen automatically. The automatically
chosen range is randomly selected from 10.0.0.0/8 and will not include IP
address ranges allocated to VMs, existing routes, or ranges allocated to other
clusters. The automatically chosen range might conflict with reserved IP
addresses, dynamic routes, or routes within VPCs that peer with this cluster.
You should specify \f5\-\-cluster\-ipv4\-cidr\fR to prevent conflicts.
This field is not applicable in a Shared VPC setup, where the IP address range
for the pods must be specified with \f5\-\-cluster\-secondary\-range\-name\fR.
.TP 2m
\fB\-\-cluster\-secondary\-range\-name\fR=\fINAME\fR
Set the secondary range to be used as the source for pod IPs. Alias ranges will
be allocated from this secondary range. NAME must be the name of an existing
secondary range in the cluster subnetwork.
Cannot be used with '\-\-create\-subnetwork' option.
.TP 2m
\fB\-\-cluster\-version\fR=\fICLUSTER_VERSION\fR
The Kubernetes version to use for the master and nodes. Defaults to
server\-specified.
The default Kubernetes version is available using the following command.
.RS 2m
$ gcloud container get\-server\-config
.RE
.TP 2m
\fB\-\-containerd\-config\-from\-file\fR=\fIPATH_TO_FILE\fR
Path of the YAML file that contains containerd configuration entries like
configuring access to private image registries.
For detailed information on the configuration usage, please refer to
https://cloud.google.com/kubernetes\-engine/docs/how\-to/customize\-containerd\-configuration.
Note: Updating the containerd configuration of an existing cluster or node pool
requires recreation of the existing nodes, which might cause disruptions in
running workloads.
Use a full or relative path to a local file containing the value of
containerd_config.
.TP 2m
\fB\-\-create\-subnetwork\fR=[\fIKEY\fR=\fIVALUE\fR,...]
Create a new subnetwork for the cluster. The name and range of the subnetwork
can be customized via optional 'name' and 'range' key\-value pairs.
\'name' specifies the name of the subnetwork to be created.
\'range' specifies the IP range for the new subnetwork. This can either be a
netmask size (e.g. '/20') or a CIDR range (e.g. '10.0.0.0/20'). If a netmask
size is specified, the IP is automatically taken from the free space in the
cluster's network.
Examples:
Create a new subnetwork with a default name and size.
.RS 2m
$ gcloud beta container clusters create\-auto \-\-create\-subnetwork ""
.RE
Create a new subnetwork named "my\-subnet" with netmask of size 21.
.RS 2m
$ gcloud beta container clusters create\-auto \e
\-\-create\-subnetwork name=my\-subnet,range=/21
.RE
Create a new subnetwork with a default name with the primary range of
10.100.0.0/16.
.RS 2m
$ gcloud beta container clusters create\-auto \e
\-\-create\-subnetwork range=10.100.0.0/16
.RE
Create a new subnetwork with the name "my\-subnet" with a default range.
.RS 2m
$ gcloud beta container clusters create\-auto \e
\-\-create\-subnetwork name=my\-subnet
.RE
Cannot be used in conjunction with '\-\-subnetwork' option.
.TP 2m
\fB\-\-database\-encryption\-key\fR=\fIDATABASE_ENCRYPTION_KEY\fR
Enable database encryption.
Kubernetes Secrets stored in etcd are encrypted at the application layer with
the Cloud KMS key provided. The key should be the resource ID in the format
\f5projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]\fR.
For more information, see
https://cloud.google.com/kubernetes\-engine/docs/how\-to/encrypting\-secrets.
.TP 2m
\fB\-\-disable\-l4\-lb\-firewall\-reconciliation\fR
Disable reconciliation on the cluster for L4 Load Balancer VPC firewalls
targeting ingress traffic.
.TP 2m
\fB\-\-enable\-authorized\-networks\-on\-private\-endpoint\fR
Enable enforcement of \-\-master\-authorized\-networks CIDR ranges for traffic
reaching the cluster's control plane via its private IP address.
.TP 2m
\fB\-\-enable\-auto\-ipam\fR
Enable the Auto IP Address Management (Auto IPAM) feature for the cluster.
.TP 2m
\fB\-\-enable\-backup\-restore\fR
Enable the Backup for GKE add\-on. This add\-on is disabled by default. To learn
more, see the Backup for GKE overview:
https://cloud.google.com/kubernetes\-engine/docs/add\-on/backup\-for\-gke/concepts/backup\-for\-gke.
.TP 2m
\fB\-\-enable\-cilium\-clusterwide\-network\-policy\fR
Enable Cilium Clusterwide Network Policies on the cluster. Disabled by default.
.TP 2m
\fB\-\-enable\-confidential\-nodes\fR
Enable confidential nodes for the cluster. Enabling Confidential Nodes will
create nodes using Confidential VM
https://cloud.google.com/compute/confidential\-vm/docs/about\-cvm.
.TP 2m
\fB\-\-enable\-default\-compute\-class\fR
Enable the default compute class to use for the cluster.
To disable Default Compute Class in an existing cluster, explicitly set flag
\f5\-\-no\-enable\-default\-compute\-class\fR.
.TP 2m
\fB\-\-enable\-dns\-access\fR
Enable access to the cluster's control plane over DNS\-based endpoint.
DNS\-based control plane access is recommended.
.TP 2m
\fB\-\-enable\-fleet\fR
Set the cluster project as the fleet host project. This registers the cluster
to a fleet in the same project. To register the cluster to a fleet in a
different project, use \f5\-\-fleet\-project=FLEET_HOST_PROJECT\fR.
Example:
.RS 2m
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-enable\-fleet
.RE
.TP 2m
\fB\-\-enable\-google\-cloud\-access\fR
When you enable Google Cloud Access, any public IP addresses owned by Google
Cloud can reach the public control plane endpoint of your cluster.
.TP 2m
\fB\-\-enable\-ip\-access\fR
Enable access to the cluster's control plane over its private IP address, and
over its public IP address as well unless \-\-enable\-private\-endpoint is set.
.TP 2m
\fB\-\-enable\-k8s\-certs\-via\-dns\fR
Enable Kubernetes client certificate authentication to the cluster's control
plane over the DNS\-based endpoint.
.TP 2m
\fB\-\-enable\-k8s\-tokens\-via\-dns\fR
Enable Kubernetes service account token authentication to the cluster's control
plane over the DNS\-based endpoint.
.TP 2m
\fB\-\-enable\-kubernetes\-unstable\-apis\fR=\fIAPI\fR,[\fIAPI\fR,...]
Enable Kubernetes beta API features on this cluster. Beta APIs are not expected
to be production ready and should be avoided in production\-grade environments.
.TP 2m
\fB\-\-enable\-legacy\-lustre\-port\fR
Allow the Lustre CSI driver to initialize LNet (the virtual network layer for
the Lustre kernel module) using port 6988. This flag is required to work around
a port conflict with the gke\-metadata\-server on GKE nodes.
.TP 2m
\fB\-\-enable\-lustre\-csi\-driver\fR
Enable the Lustre CSI Driver GKE add\-on. This add\-on is disabled by default.
.TP 2m
\fB\-\-enable\-master\-global\-access\fR
Use with private clusters to allow access to the master's private endpoint from
any Google Cloud region or on\-premises environment regardless of the private
cluster's region.
.TP 2m
\fB\-\-enable\-multi\-networking\fR
Enables multi\-networking on the cluster. Multi\-networking is disabled by
default.
.TP 2m
\fB\-\-enable\-ray\-cluster\-logging\fR
Enable automatic log processing sidecar for Ray clusters.
.TP 2m
\fB\-\-enable\-ray\-cluster\-monitoring\fR
Enable automatic metrics collection for Ray clusters.
.TP 2m
\fB\-\-enable\-ray\-operator\fR
Enable the Ray Operator GKE add\-on. This add\-on is disabled by default.
.TP 2m
\fB\-\-fleet\-project\fR=\fIPROJECT_ID_OR_NUMBER\fR
Sets the fleet host project for the cluster. If specified, the cluster is
registered as a fleet membership under that fleet host project.
Example:
.RS 2m
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-fleet\-project=my\-project
.RE
.TP 2m
\fB\-\-hpa\-profile\fR=\fIHPA_PROFILE\fR
Set Horizontal Pod Autoscaler behavior. Accepted values are: none, performance.
For more information, see
https://cloud.google.com/kubernetes\-engine/docs/how\-to/horizontal\-pod\-autoscaling#hpa\-profile.
.TP 2m
\fB\-\-labels\fR=[\fIKEY\fR=\fIVALUE\fR,...]
Labels to apply to the Google Cloud resources in use by the Kubernetes Engine
cluster. These are unrelated to Kubernetes labels.
Examples:
.RS 2m
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-labels=label_a=value1,label_b=,label_c=value3
.RE
.TP 2m
\fB\-\-logging\fR=[\fICOMPONENT\fR,...]
Set the components that have logging enabled. Valid component values are:
\f5SYSTEM\fR, \f5WORKLOAD\fR, \f5API_SERVER\fR, \f5CONTROLLER_MANAGER\fR,
\f5SCHEDULER\fR
The default is \f5SYSTEM,WORKLOAD\fR. If this flag is set, then \f5SYSTEM\fR
must be included.
For more information, see
https://cloud.google.com/kubernetes\-engine/docs/concepts/about\-logs#available\-logs
Examples:
.RS 2m
$ gcloud beta container clusters create\-auto \-\-logging=SYSTEM
$ gcloud beta container clusters create\-auto \e
\-\-logging=SYSTEM,WORKLOAD
$ gcloud beta container clusters create\-auto \e
\-\-logging=SYSTEM,WORKLOAD,API_SERVER,CONTROLLER_MANAGER,\e
SCHEDULER
.RE
.TP 2m
\fB\-\-membership\-type\fR=\fIMEMBERSHIP_TYPE\fR
Specify a membership type for the cluster's fleet membership.
Example:
.RS 2m
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-membership\-type=LIGHTWEIGHT
.RE
\fIMEMBERSHIP_TYPE\fR must be one of (only one value is currently supported):
.RS 2m
.TP 2m
\fBLIGHTWEIGHT\fR
Fleet membership representing this cluster will be lightweight.
.RE
.sp
.TP 2m
\fB\-\-monitoring\fR=[\fICOMPONENT\fR,...]
Set the components that have monitoring enabled. Valid component values are:
\f5SYSTEM\fR, \f5WORKLOAD\fR (Deprecated), \f5NONE\fR, \f5API_SERVER\fR,
\f5CONTROLLER_MANAGER\fR, \f5SCHEDULER\fR, \f5DAEMONSET\fR, \f5DEPLOYMENT\fR,
\f5HPA\fR, \f5POD\fR, \f5STATEFULSET\fR, \f5STORAGE\fR, \f5CADVISOR\fR,
\f5KUBELET\fR, \f5DCGM\fR, \f5JOBSET\fR
For more information, see
https://cloud.google.com/kubernetes\-engine/docs/how\-to/configure\-metrics#available\-metrics
Examples:
.RS 2m
$ gcloud beta container clusters create\-auto \e
\-\-monitoring=SYSTEM,API_SERVER,POD,DCGM
$ gcloud beta container clusters create\-auto \-\-monitoring=SYSTEM
.RE
.TP 2m
\fB\-\-network\fR=\fINETWORK\fR
The Compute Engine Network that the cluster will connect to. Google Kubernetes
Engine will use this network when creating routes and firewalls for the
clusters. Defaults to the 'default' network.
.TP 2m
\fB\-\-private\-endpoint\-subnetwork\fR=\fINAME\fR
Sets the subnetwork GKE uses to provision the control plane's private endpoint.
.TP 2m
\fB\-\-release\-channel\fR=\fICHANNEL\fR
Release channel a cluster is subscribed to.
If left unspecified and a version is specified, the cluster is enrolled in the
most mature release channel where the version is available (first checking
STABLE, then REGULAR, and finally RAPID). Otherwise, if no release channel and
no version is specified, the cluster is enrolled in the REGULAR channel with its
default version. When a cluster is subscribed to a release channel, Google
maintains both the master version and the node version. Node auto\-upgrade is
enabled by default for release channel clusters and can be controlled via
upgrade\-scope exclusions
(https://cloud.google.com/kubernetes\-engine/docs/concepts/maintenance\-windows\-and\-exclusions#scope_of_maintenance_to_exclude).
\fICHANNEL\fR must be one of:
.RS 2m
.TP 2m
\fBextended\fR
Clusters subscribed to 'extended' can remain on a minor version for 24 months
from when the minor version is made available in the Regular channel.
.TP 2m
\fBrapid\fR
\'rapid' channel is offered on an early access basis for customers who want to
test new releases.
WARNING: Versions available in the 'rapid' channel may be subject to unresolved
issues with no known workaround and are not subject to any SLAs.
.TP 2m
\fBregular\fR
Clusters subscribed to 'regular' receive versions that are considered GA
quality. 'regular' is intended for production users who want to take advantage
of new features.
.TP 2m
\fBstable\fR
Clusters subscribed to 'stable' receive versions that are known to be stable and
reliable in production.
.RE
.sp
.TP 2m
\fB\-\-security\-group\fR=\fISECURITY_GROUP\fR
The name of the RBAC security group for use with Google security groups in
Kubernetes RBAC
(https://kubernetes.io/docs/reference/access\-authn\-authz/rbac/).
To include group membership as part of the claims issued by Google during
authentication, a group must be designated as a security group by including it
as a direct member of this group.
If unspecified, no groups will be returned for use with RBAC.
.TP 2m
\fB\-\-security\-posture\fR=\fISECURITY_POSTURE\fR
Sets the mode of the Kubernetes security posture API's off\-cluster features.
To enable advanced mode explicitly set the flag to
\f5\-\-security\-posture=enterprise\fR.
To enable in standard mode explicitly set the flag to
\f5\-\-security\-posture=standard\fR.
To disable in an existing cluster, explicitly set the flag to
\f5\-\-security\-posture=disabled\fR.
For more information on enablement, see
https://cloud.google.com/kubernetes\-engine/docs/concepts/about\-security\-posture\-dashboard#feature\-enablement.
\fISECURITY_POSTURE\fR must be one of: \fBdisabled\fR, \fBstandard\fR,
\fBenterprise\fR.
.TP 2m
\fB\-\-services\-ipv4\-cidr\fR=\fICIDR\fR
Set the IP range for the services IPs.
Can be specified as a netmask size (e.g. '/20') or in CIDR notation (e.g.
\'10.100.0.0/20'). If given as a netmask size, the IP range will be chosen
automatically from the available space in the network.
If unspecified, the services CIDR range will be chosen with a default mask size.
.TP 2m
\fB\-\-services\-secondary\-range\-name\fR=\fINAME\fR
Set the secondary range to be used for services (e.g. ClusterIPs). NAME must be
the name of an existing secondary range in the cluster subnetwork.
Cannot be used with '\-\-create\-subnetwork' option.
.TP 2m
\fB\-\-subnetwork\fR=\fISUBNETWORK\fR
The Google Compute Engine subnetwork
(https://cloud.google.com/compute/docs/subnetworks) to which the cluster is
connected. The subnetwork must belong to the network specified by \-\-network.
Cannot be used with the "\-\-create\-subnetwork" option.
.TP 2m
\fB\-\-tier\fR=\fITIER\fR
(DEPRECATED) Set the desired tier for the cluster.
The \f5\-\-tier\fR flag is deprecated. More info:
https://cloud.google.com/kubernetes\-engine/docs/release\-notes#September_02_2025.
\fITIER\fR must be one of: \fBstandard\fR, \fBenterprise\fR.
.TP 2m
\fB\-\-workload\-policies\fR=\fIWORKLOAD_POLICIES\fR
Add Autopilot workload policies to the cluster.
Examples:
.RS 2m
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-workload\-policies=allow\-net\-admin
.RE
The only supported workload policy is 'allow\-net\-admin'.
.TP 2m
\fB\-\-workload\-vulnerability\-scanning\fR=\fIWORKLOAD_VULNERABILITY_SCANNING\fR
Sets the mode of the Kubernetes security posture API's workload vulnerability
scanning.
To enable Advanced vulnerability insights mode explicitly set the flag to
\f5\-\-workload\-vulnerability\-scanning=enterprise\fR.
To enable in standard mode explicitly set the flag to
\f5\-\-workload\-vulnerability\-scanning=standard\fR.
To disable in an existing cluster, explicitly set the flag to
\f5\-\-workload\-vulnerability\-scanning=disabled\fR.
For more information on enablement, see
https://cloud.google.com/kubernetes\-engine/docs/concepts/about\-security\-posture\-dashboard#feature\-enablement.
\fIWORKLOAD_VULNERABILITY_SCANNING\fR must be one of: \fBdisabled\fR,
\fBstandard\fR, \fBenterprise\fR.
.TP 2m
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-additive\-vpc\-scope\-dns\-domain\fR=\fIADDITIVE_VPC_SCOPE_DNS_DOMAIN\fR
The domain used in Additive VPC scope. Only works with Cluster Scope.
.TP 2m
\fB\-\-disable\-additive\-vpc\-scope\fR
Disables Additive VPC Scope.
.RE
.sp
.TP 2m
Control Plane Keys
.RS 2m
.TP 2m
\fB\-\-aggregation\-ca\fR=\fICA_POOL_PATH\fR
The Certificate Authority Service caPool that will back the aggregation CA.
.TP 2m
\fB\-\-cluster\-ca\fR=\fICA_POOL_PATH\fR
The Certificate Authority Service caPool that will back the cluster CA.
.TP 2m
\fB\-\-control\-plane\-disk\-encryption\-key\fR=\fIKEY\fR
The Cloud KMS symmetric encryption cryptoKey that will be used to encrypt the
control plane disks.
.TP 2m
\fB\-\-etcd\-api\-ca\fR=\fICA_POOL_PATH\fR
The Certificate Authority Service caPool that will back the etcd API CA.
.TP 2m
\fB\-\-etcd\-peer\-ca\fR=\fICA_POOL_PATH\fR
The Certificate Authority Service caPool that will back the etcd peer CA.
.TP 2m
\fB\-\-gkeops\-etcd\-backup\-encryption\-key\fR=\fIKEY\fR
The Cloud KMS symmetric encryption cryptoKey that will be used to encrypt the
disaster recovery etcd backups for the cluster.
.TP 2m
\fB\-\-service\-account\-signing\-keys\fR=\fIKEY_VERSION\fR,[\fIKEY_VERSION\fR,...]
A Cloud KMS asymmetric signing cryptoKeyVersion that will be used to sign
service account tokens.
.TP 2m
\fB\-\-service\-account\-verification\-keys\fR=\fIKEY_VERSION\fR,[\fIKEY_VERSION\fR,...]
A Cloud KMS asymmetric signing cryptoKeyVersion that will be used to verify
service account tokens. May be specified multiple times.
.RE
.sp
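The Control Plane Keys flags take three different kinds of resource name: Certificate Authority Service caPools for the four CAs, Cloud KMS cryptoKeys for the disk and backup encryption keys, and Cloud KMS cryptoKeyVersions for the token signing and verification keys. Passing a cryptoKey where a cryptoKeyVersion is expected (or the reverse) is only reported by the API after the call. The shell script below is an added example and is not part of the gcloud reference or the Google Cloud SDK: it checks each value for the expected resource\-name shape before the create\-auto call, and also confirms that every signing key version is listed among the verification keys, since tokens signed with a version the API server does not verify against are rejected. The cryptoKey format is the one this page documents; the cryptoKeyVersion and caPool formats follow the Cloud KMS and CA Service naming conventions and are assumptions to confirm against your own resources. All project, pool, ring and key names in the demo call are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the gcloud reference): resource-name shape checks
# for the Control Plane Keys flags. The cryptoKey pattern is documented on the
# reference page; the cryptoKeyVersion and caPool patterns are assumptions
# taken from the Cloud KMS and CA Service naming conventions.

# nsegs NAME -> number of '/'-separated segments in NAME.
nsegs() { ns_ifs=$IFS; IFS=/; set -- $1; IFS=$ns_ifs; echo $#; }

# projects/P/locations/L/keyRings/R/cryptoKeys/K  (8 segments)
is_crypto_key() {
  case "$1" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*) [ "$(nsegs "$1")" -eq 8 ] ;;
    *) return 1 ;;
  esac
}

# projects/P/locations/L/keyRings/R/cryptoKeys/K/cryptoKeyVersions/V  (10 segments)
is_crypto_key_version() {
  case "$1" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*/cryptoKeyVersions/*) [ "$(nsegs "$1")" -eq 10 ] ;;
    *) return 1 ;;
  esac
}

# projects/P/locations/L/caPools/NAME  (6 segments)
is_ca_pool() {
  case "$1" in
    projects/*/locations/*/caPools/*) [ "$(nsegs "$1")" -eq 6 ] ;;
    *) return 1 ;;
  esac
}

# check_control_plane_keys CLUSTER_CA AGGREGATION_CA ETCD_API_CA ETCD_PEER_CA \
#                          DISK_KEY BACKUP_KEY SIGNING_KEYS VERIFICATION_KEYS
# SIGNING_KEYS and VERIFICATION_KEYS are comma-separated cryptoKeyVersion names.
# Returns 0 when every value has the expected shape and every signing version
# is also a verification version; otherwise returns the number of problems
# found and names each one on stderr.
check_control_plane_keys() {
  ck_bad=0
  ck_sign=$7; ck_verify=$8
  for ck_v in "$1" "$2" "$3" "$4"; do
    is_ca_pool "$ck_v" || { echo "not a caPool: $ck_v" >&2; ck_bad=$((ck_bad + 1)); }
  done
  for ck_v in "$5" "$6"; do
    is_crypto_key "$ck_v" || { echo "not a cryptoKey: $ck_v" >&2; ck_bad=$((ck_bad + 1)); }
  done
  ck_ifs=$IFS; IFS=,; set -- $ck_sign $ck_verify; IFS=$ck_ifs
  for ck_v in "$@"; do
    is_crypto_key_version "$ck_v" ||
      { echo "not a cryptoKeyVersion: $ck_v" >&2; ck_bad=$((ck_bad + 1)); }
  done
  # A token signed with a version the API server does not verify against is
  # rejected, so each signing version must appear in the verification list.
  ck_ifs=$IFS; IFS=,; set -- $ck_sign; IFS=$ck_ifs
  for ck_v in "$@"; do
    case ",$ck_verify," in
      *",$ck_v,"*) ;;
      *) echo "signing key $ck_v is not among the verification keys" >&2
         ck_bad=$((ck_bad + 1)) ;;
    esac
  done
  return $ck_bad
}

# Demo with constructed names.
CAS=projects/my-project/locations/us-central1/caPools
KMS=projects/my-project/locations/us-central1/keyRings/gke-control-plane
check_control_plane_keys \
  "$CAS/cluster-ca" "$CAS/aggregation-ca" "$CAS/etcd-api-ca" "$CAS/etcd-peer-ca" \
  "$KMS/cryptoKeys/cp-disk" "$KMS/cryptoKeys/etcd-backup" \
  "$KMS/cryptoKeys/sa-signing/cryptoKeyVersions/2" \
  "$KMS/cryptoKeys/sa-signing/cryptoKeyVersions/1,$KMS/cryptoKeys/sa-signing/cryptoKeyVersions/2" \
  && echo "control plane key flags are consistent"
```

Run the check with the same eight values you intend to pass to \-\-cluster\-ca, \-\-aggregation\-ca, \-\-etcd\-api\-ca, \-\-etcd\-peer\-ca, \-\-control\-plane\-disk\-encryption\-key, \-\-gkeops\-etcd\-backup\-encryption\-key, \-\-service\-account\-signing\-keys and \-\-service\-account\-verification\-keys; a non\-zero exit means at least one flag would be rejected or would leave tokens unverifiable.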
.TP 2m
Flags for Binary Authorization:
.RS 2m
.TP 2m
\fB\-\-binauthz\-evaluation\-mode\fR=\fIBINAUTHZ_EVALUATION_MODE\fR
Enable Binary Authorization for this cluster. \fIBINAUTHZ_EVALUATION_MODE\fR
must be one of: \fBdisabled\fR, \fBpolicy\-bindings\fR,
\fBpolicy\-bindings\-and\-project\-singleton\-policy\-enforce\fR,
\fBproject\-singleton\-policy\-enforce\fR.
.TP 2m
\fB\-\-binauthz\-policy\-bindings\fR=[\fIname\fR=\fIBINAUTHZ_POLICY\fR]
The relative resource name of the Binary Authorization policy to audit and/or
enforce. GKE policies have the following format:
\f5projects/{project_number}/platforms/gke/policies/{policy_id}\fR.
.RE
.sp
.TP 2m
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-dataplane\-v2\-observability\-mode\fR=\fIDATAPLANE_V2_OBSERVABILITY_MODE\fR
(REMOVED) Select Advanced Datapath Observability mode for the cluster. Defaults
to \f5DISABLED\fR.
Advanced Datapath Observability allows for a real\-time view into pod\-to\-pod
traffic within your cluster.
Examples:
.RS 2m
$ gcloud beta container clusters create\-auto \e
\-\-dataplane\-v2\-observability\-mode=DISABLED
.RE
.RS 2m
$ gcloud beta container clusters create\-auto \e
\-\-dataplane\-v2\-observability\-mode=INTERNAL_VPC_LB
.RE
.RS 2m
$ gcloud beta container clusters create\-auto \e
\-\-dataplane\-v2\-observability\-mode=EXTERNAL_LB
.RE
Flag \-\-dataplane\-v2\-observability\-mode has been removed.
\fIDATAPLANE_V2_OBSERVABILITY_MODE\fR must be one of:
.RS 2m
.TP 2m
\fBDISABLED\fR
Disables Advanced Datapath Observability.
.TP 2m
\fBEXTERNAL_LB\fR
Makes Advanced Datapath Observability available to the external network.
.TP 2m
\fBINTERNAL_VPC_LB\fR
Makes Advanced Datapath Observability available from the VPC network.
.RE
.sp
.TP 2m
\fB\-\-disable\-dataplane\-v2\-flow\-observability\fR
Disables Advanced Datapath Observability.
.TP 2m
\fB\-\-enable\-dataplane\-v2\-flow\-observability\fR
Enables Advanced Datapath Observability which allows for a real\-time view into
pod\-to\-pod traffic within your cluster.
.RE
.sp
.TP 2m
\fB\-\-enable\-insecure\-binding\-system\-authenticated\fR
Allow using \f5system:authenticated\fR as a subject in ClusterRoleBindings and
RoleBindings. Allowing bindings that reference \f5system:authenticated\fR is a
security risk and is not recommended.
To disallow binding \f5system:authenticated\fR in a cluster, explicitly set the
\f5\-\-no\-enable\-insecure\-binding\-system\-authenticated\fR flag instead.
.TP 2m
\fB\-\-enable\-insecure\-binding\-system\-unauthenticated\fR
Allow using \f5system:unauthenticated\fR and \f5system:anonymous\fR as subjects
in ClusterRoleBindings and RoleBindings. Allowing bindings that reference
\f5system:unauthenticated\fR or \f5system:anonymous\fR is a security risk and
is not recommended: such a binding grants the bound permissions to every
unauthenticated caller that can reach the API server.
To disallow binding \f5system:unauthenticated\fR and \f5system:anonymous\fR in
a cluster, explicitly set the
\f5\-\-no\-enable\-insecure\-binding\-system\-unauthenticated\fR flag instead.
.TP 2m
Master Authorized Networks
.RS 2m
.TP 2m
\fB\-\-enable\-master\-authorized\-networks\fR
Allow only the specified set of CIDR blocks (given by the
\f5\-\-master\-authorized\-networks\fR flag) to connect to the Kubernetes master
through HTTPS. Besides these blocks, the following have access as well:
.RS 2m
1) The private network the cluster connects to if
`\-\-enable\-private\-nodes` is specified.
2) Google Compute Engine Public IPs if `\-\-enable\-private\-nodes` is not
specified.
.RE
Use \f5\-\-no\-enable\-master\-authorized\-networks\fR to disable. When
disabled, public internet (0.0.0.0/0) is allowed to connect to Kubernetes master
through HTTPS.
.TP 2m
\fB\-\-master\-authorized\-networks\fR=\fINETWORK\fR,[\fINETWORK\fR,...]
The list of CIDR blocks (up to 100 for private cluster, 50 for public cluster)
that are allowed to connect to Kubernetes master through HTTPS. Specified in
CIDR notation (e.g. 1.2.3.4/30). Cannot be specified unless
\f5\-\-enable\-master\-authorized\-networks\fR is also specified.
.RE
.sp
.TP 2m
Private Clusters
.RS 2m
.TP 2m
\fB\-\-enable\-private\-endpoint\fR
Cluster is managed using the private IP address of the master API endpoint.
.TP 2m
\fB\-\-enable\-private\-nodes\fR
Cluster is created with no public IP addresses on the cluster nodes.
.TP 2m
\fB\-\-master\-ipv4\-cidr\fR=\fIMASTER_IPV4_CIDR\fR
IPv4 CIDR range to use for the master network. This should have a netmask of
size /28 and should be used in conjunction with the \-\-enable\-private\-nodes
flag.
.RE
.sp
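The Master Authorized Networks and Private Clusters flags above are easy to combine into a configuration that looks locked down but is not: a /0 block in \-\-master\-authorized\-networks admits the whole internet, a \-\-master\-ipv4\-cidr that is not a /28 is rejected, and a malformed key resource name fails only at the API. The shell script below is an added example and is not part of the gcloud reference or the Google Cloud SDK: it validates those values against the limits this page states and then prints, without running it, a create\-auto command line that also sets the anonymous\-authentication, insecure\-binding, database\-encryption, security\-posture and Binary Authorization flags to their restrictive values. The cluster name, location, CIDR blocks and key name in the demo call are constructed placeholders.

```shell
#!/bin/sh
# Added example (not part of the gcloud reference): preflight checks for a
# hardened `gcloud beta container clusters create-auto` invocation.
# All names and ranges used below are constructed placeholders.

# valid_cidr CIDR -> 0 if CIDR is a syntactically valid IPv4 block, else 1.
valid_cidr() {
  case "$1" in */*) ;; *) return 1 ;; esac
  vc_ip=${1%/*}
  vc_len=${1#*/}
  case "$vc_len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$vc_len" -le 32 ] || return 1
  vc_ifs=$IFS; IFS=.; set -- $vc_ip; IFS=$vc_ifs
  [ $# -eq 4 ] || return 1
  for vc_o in "$@"; do
    case "$vc_o" in ''|*[!0-9]*) return 1 ;; esac
    [ "$vc_o" -le 255 ] || return 1
  done
  return 0
}

# check_authorized_networks private|public CIDR[,CIDR...]
# Applies the limits the reference states (100 blocks for a private cluster,
# 50 for a public one), requires well-formed blocks, and refuses a /0 block,
# which would turn the allowlist into "allow everyone".
check_authorized_networks() {
  can_mode=$1; can_list=$2
  case "$can_mode" in
    private) can_max=100 ;;
    public)  can_max=50 ;;
    *) echo "mode must be private or public" >&2; return 2 ;;
  esac
  can_n=0
  can_ifs=$IFS; IFS=,; set -- $can_list; IFS=$can_ifs
  for can_c in "$@"; do
    can_n=$((can_n + 1))
    valid_cidr "$can_c" || { echo "invalid CIDR block: $can_c" >&2; return 1; }
    if [ "${can_c#*/}" -eq 0 ]; then
      echo "refusing $can_c: a /0 block admits the whole internet" >&2
      return 1
    fi
  done
  [ "$can_n" -ge 1 ] || { echo "at least one CIDR block is required" >&2; return 1; }
  [ "$can_n" -le "$can_max" ] ||
    { echo "$can_n blocks exceeds the $can_max allowed for a $can_mode cluster" >&2; return 1; }
  return 0
}

# hardened_create_cmd NAME LOCATION MASTER_CIDR AUTHORIZED_CIDRS KMS_KEY
# Prints the create-auto command line on stdout; never executes it.
hardened_create_cmd() {
  hc_name=$1; hc_loc=$2; hc_master=$3; hc_nets=$4; hc_kms=$5
  valid_cidr "$hc_master" || { echo "bad --master-ipv4-cidr: $hc_master" >&2; return 1; }
  # The reference requires a /28 for the control plane range.
  [ "${hc_master#*/}" -eq 28 ] || { echo "--master-ipv4-cidr must be a /28" >&2; return 1; }
  # Private endpoint plus authorized networks: the private-cluster limit applies.
  check_authorized_networks private "$hc_nets" || return 1
  # Shape check only: projects/P/locations/L/keyRings/R/cryptoKeys/K
  case "$hc_kms" in
    projects/*/locations/*/keyRings/*/cryptoKeys/*) ;;
    *) echo "bad --database-encryption-key: $hc_kms" >&2; return 1 ;;
  esac
  printf '%s' "gcloud beta container clusters create-auto $hc_name --location=$hc_loc"
  printf ' %s' \
    "--enable-private-nodes" "--enable-private-endpoint" \
    "--master-ipv4-cidr=$hc_master" \
    "--enable-master-authorized-networks" "--master-authorized-networks=$hc_nets" \
    "--enable-authorized-networks-on-private-endpoint" \
    "--anonymous-authentication-config=LIMITED" \
    "--no-enable-insecure-binding-system-authenticated" \
    "--no-enable-insecure-binding-system-unauthenticated" \
    "--database-encryption-key=$hc_kms" \
    "--security-posture=standard" \
    "--workload-vulnerability-scanning=standard" \
    "--binauthz-evaluation-mode=project-singleton-policy-enforce"
  printf '\n'
}

# Demo with constructed values; prints the command for review.
hardened_create_cmd prod-cluster us-central1 172.16.0.0/28 \
  "203.0.113.0/24,198.51.100.8/29" \
  projects/my-project/locations/us-central1/keyRings/gke/cryptoKeys/secrets
```

The printed command only reaches the control plane from the listed blocks over the private endpoint; if operators also need the public endpoint, drop \-\-enable\-private\-endpoint and call check_authorized_networks with the public limit of 50 blocks instead.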
.TP 2m
Flags for Secret Manager configuration:
.RS 2m
.TP 2m
\fB\-\-enable\-secret\-manager\fR
Enables the Secret Manager CSI driver provider component. See
https://secrets\-store\-csi\-driver.sigs.k8s.io/introduction
https://github.com/GoogleCloudPlatform/secrets\-store\-csi\-driver\-provider\-gcp
.TP 2m
\fB\-\-enable\-secret\-manager\-rotation\fR
Enables the rotation of secrets in the Secret Manager CSI driver provider
component.
.TP 2m
\fB\-\-secret\-manager\-rotation\-interval\fR=\fISECRET_MANAGER_ROTATION_INTERVAL\fR
Set the rotation period for secrets in the Secret Manager CSI driver provider
component. If you don't specify a time interval for the rotation, it will
default to a rotation period of two minutes.
.RE
.sp
.TP 2m
Flags for Secret Sync configuration:
.RS 2m
.TP 2m
\fB\-\-enable\-secret\-sync\fR
Enables the Secret Sync component. See
https://cloud.google.com/secret\-manager/docs/sync\-k8\-secrets
.TP 2m
\fB\-\-enable\-secret\-sync\-rotation\fR
Enables the rotation of secrets in the Secret Sync component.
.TP 2m
\fB\-\-secret\-sync\-rotation\-interval\fR=\fISECRET_SYNC_ROTATION_INTERVAL\fR
Set the rotation period for secrets in the Secret Sync component.
.RE
.sp
.TP 2m
At most one of these can be specified:
.RS 2m
.TP 2m
\fB\-\-location\fR=\fILOCATION\fR
Compute zone or region (e.g. us\-central1\-a or us\-central1) for the cluster.
Overrides the default compute/region or compute/zone value for this command
invocation. Prefer using this flag over the \-\-region or \-\-zone flags.
.TP 2m
\fB\-\-region\fR=\fIREGION\fR
Compute region (e.g. us\-central1) for a regional cluster. Overrides the default
compute/region property value for this command invocation.
.TP 2m
\fB\-\-zone\fR=\fIZONE\fR, \fB\-z\fR \fIZONE\fR
Compute zone (e.g. us\-central1\-a) for a zonal cluster. Overrides the default
compute/zone property value for this command invocation.
.RE
.sp
.TP 2m
Options to specify the node identity.
.RS 2m
.TP 2m
Scopes options.
.RS 2m
.TP 2m
\fB\-\-scopes\fR=[\fISCOPE\fR,...]; default="gke\-default"
Specifies scopes for the node instances.
Examples:
.RS 2m
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-scopes=https://www.googleapis.com/auth/devstorage.read_only
.RE
.RS 2m
$ gcloud beta container clusters create\-auto example\-cluster \e
\-\-scopes=bigquery,storage\-rw,compute\-ro
.RE
Multiple scopes can be specified, separated by commas. Various scopes are
automatically added based on feature usage. Such scopes are not added if an
equivalent scope already exists.
.RS 2m
.IP "\(em" 2m
\f5monitoring\-write\fR: always added to ensure metrics can be written
.IP "\(em" 2m
\f5logging\-write\fR: added if Cloud Logging is enabled
(\f5\-\-enable\-cloud\-logging\fR/\f5\-\-logging\fR)
.IP "\(em" 2m
\f5monitoring\fR: added if Cloud Monitoring is enabled
(\f5\-\-enable\-cloud\-monitoring\fR/\f5\-\-monitoring\fR)
.IP "\(em" 2m
\f5gke\-default\fR: added for Autopilot clusters that use the default service
account
.IP "\(em" 2m
\f5cloud\-platform\fR: added for Autopilot clusters that use any other service
account
.RE
.sp
SCOPE can be either the full URI of the scope or an alias. \fBDefault\fR scopes
are assigned to all instances. Available aliases are:
.TS
tab( );
lB lB
l l.
Alias URI
bigquery https://www.googleapis.com/auth/bigquery
cloud-platform https://www.googleapis.com/auth/cloud-platform
cloud-source-repos https://www.googleapis.com/auth/source.full_control
cloud-source-repos-ro https://www.googleapis.com/auth/source.read_only
compute-ro https://www.googleapis.com/auth/compute.readonly
compute-rw https://www.googleapis.com/auth/compute
datastore https://www.googleapis.com/auth/datastore
default https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/pubsub
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/trace.append
gke-default https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/trace.append
logging-write https://www.googleapis.com/auth/logging.write
monitoring https://www.googleapis.com/auth/monitoring
monitoring-read https://www.googleapis.com/auth/monitoring.read
monitoring-write https://www.googleapis.com/auth/monitoring.write
pubsub https://www.googleapis.com/auth/pubsub
service-control https://www.googleapis.com/auth/servicecontrol
service-management https://www.googleapis.com/auth/service.management.readonly
sql (deprecated) https://www.googleapis.com/auth/sqlservice
sql-admin https://www.googleapis.com/auth/sqlservice.admin
storage-full https://www.googleapis.com/auth/devstorage.full_control
storage-ro https://www.googleapis.com/auth/devstorage.read_only
storage-rw https://www.googleapis.com/auth/devstorage.read_write
taskqueue https://www.googleapis.com/auth/taskqueue
trace https://www.googleapis.com/auth/trace.append
userinfo-email https://www.googleapis.com/auth/userinfo.email
.TE
DEPRECATION WARNING: the https://www.googleapis.com/auth/sqlservice account scope
and the \f5sql\fR alias do not provide SQL instance management capabilities and
have been deprecated. Use https://www.googleapis.com/auth/sqlservice.admin or
\f5sql\-admin\fR to manage your Google SQL Service instances.
.RE
.sp
.TP 2m
\fB\-\-service\-account\fR=\fISERVICE_ACCOUNT\fR
The Google Cloud Platform service account to be used by the node VMs. If a
service account is specified, the cloud\-platform and userinfo.email scopes are
used. If no service account is specified, the project default service account is
used.
.RE
.RE
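.sp
Added example (not part of gcloud or of this man page): a small offline
pre\-flight in Python that resolves the alias table above, applies the
auto\-added scope rules from the \-\-scopes description and the
\-\-service\-account text, flags deprecated or overly broad effective scopes
(the "overbroad" set is the example's own judgement, not a gcloud rule), and
checks \-\-master\-ipv4\-cidr against the /28 and \-\-enable\-private\-nodes
requirement stated under Private Clusters. The service account name and CIDRs
used in the usage lines are made up.

```python
"""Offline pre-flight for create-auto node identity and private-cluster flags.

Added example, not gcloud's own code. It models the scope alias table and the
auto-added scope rules from the man page; the BROAD set is this example's own
least-privilege judgement and is not something gcloud enforces.
"""
import ipaddress

G = "https://www.googleapis.com/auth/"

# Alias table from the man page, abbreviated to the part after G.
ALIASES = {
    "bigquery": ["bigquery"], "cloud-platform": ["cloud-platform"],
    "cloud-source-repos": ["source.full_control"],
    "cloud-source-repos-ro": ["source.read_only"],
    "compute-ro": ["compute.readonly"], "compute-rw": ["compute"],
    "datastore": ["datastore"],
    "default": ["devstorage.read_only", "logging.write", "monitoring.write",
                "pubsub", "service.management.readonly", "servicecontrol",
                "trace.append"],
    "gke-default": ["devstorage.read_only", "logging.write", "monitoring",
                    "service.management.readonly", "servicecontrol",
                    "trace.append"],
    "logging-write": ["logging.write"], "monitoring": ["monitoring"],
    "monitoring-read": ["monitoring.read"],
    "monitoring-write": ["monitoring.write"], "pubsub": ["pubsub"],
    "service-control": ["servicecontrol"],
    "service-management": ["service.management.readonly"],
    "sql": ["sqlservice"], "sql-admin": ["sqlservice.admin"],
    "storage-full": ["devstorage.full_control"],
    "storage-ro": ["devstorage.read_only"],
    "storage-rw": ["devstorage.read_write"], "taskqueue": ["taskqueue"],
    "trace": ["trace.append"], "userinfo-email": ["userinfo.email"],
}
DEPRECATED = {"sql"}

# Example's own view of scopes that let a node VM write to or administer
# resources well beyond its own workload.
BROAD = {G + s for s in ("cloud-platform", "compute", "devstorage.full_control",
                         "devstorage.read_write", "source.full_control",
                         "sqlservice.admin")}


def resolve(scope):
    """Map one --scopes entry (alias or full URI) to the URIs it expands to."""
    if scope.startswith("https://"):
        return [scope]
    if scope not in ALIASES:
        raise ValueError("unknown scope alias: " + scope)
    return [G + s for s in ALIASES[scope]]


def effective_scopes(requested=("gke-default",), logging=True, monitoring=True,
                     service_account=None):
    """Return the sorted URIs the nodes end up with.

    Auto-added scopes follow the man page: monitoring-write always,
    logging-write / monitoring when those features are on, gke-default with
    the project default service account, otherwise cloud-platform plus
    userinfo.email (per --service-account). "Equivalent" is modelled as an
    identical URI; a wider scope subsuming a narrower one is not modelled.
    """
    scopes = set()
    for s in requested:
        scopes.update(resolve(s))
    auto = ["monitoring-write"]
    if logging:
        auto.append("logging-write")
    if monitoring:
        auto.append("monitoring")
    if service_account is None:
        auto.append("gke-default")
    else:
        auto += ["cloud-platform", "userinfo-email"]
    for alias in auto:
        scopes.update(resolve(alias))  # set semantics: no duplicate URIs
    return sorted(scopes)


def scope_findings(requested, **kw):
    """List deprecated aliases and overbroad effective scopes, in that order."""
    findings = [f"deprecated alias: {s}" for s in requested if s in DEPRECATED]
    findings += [f"overbroad scope: {u}"
                 for u in effective_scopes(requested, **kw) if u in BROAD]
    return findings


def private_cluster_findings(master_ipv4_cidr, enable_private_nodes):
    """Check --master-ipv4-cidr against the constraints stated on the page."""
    try:
        net = ipaddress.ip_network(master_ipv4_cidr, strict=True)
    except ValueError as e:
        return [f"invalid --master-ipv4-cidr: {e}"]
    findings = []
    if net.version != 4 or net.prefixlen != 28:
        findings.append(f"--master-ipv4-cidr must be an IPv4 /28, got /{net.prefixlen}")
    if not enable_private_nodes:
        findings.append("--master-ipv4-cidr should be used with --enable-private-nodes")
    return findings


if __name__ == "__main__":
    # Constructed inputs; the service account does not exist.
    print(effective_scopes(["storage-ro"]))
    print(scope_findings(["sql", "storage-full"],
                         service_account="nodes@example.iam.gserviceaccount.com"))
    print(private_cluster_findings("172.16.0.0/24", enable_private_nodes=True))
```

Run it with the flag values you intend to pass to create\-auto; anything it
reports as overbroad is worth confirming against what the workload actually
needs before the cluster exists, since scopes are fixed per node pool.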
.sp
.SH "GCLOUD WIDE FLAGS"
These flags are available to all commands: \-\-access\-token\-file, \-\-account,
\-\-billing\-project, \-\-configuration, \-\-flags\-file, \-\-flatten,
\-\-format, \-\-help, \-\-impersonate\-service\-account, \-\-log\-http,
\-\-project, \-\-quiet, \-\-trace\-token, \-\-user\-output\-enabled,
\-\-verbosity.
Run \fB$ gcloud help\fR for details.
.SH "NOTES"
This command is currently in beta and might change without notice. These
variants are also available:
.RS 2m
$ gcloud container clusters create\-auto
.RE
.RS 2m
$ gcloud alpha container clusters create\-auto
.RE