--accelerator <type=TYPE,[count=COUNT]> | Attaches accelerators (e.g. GPUs) to all nodes.
+
*type*::: (Required) The specific type (e.g. nvidia-tesla-k80 for nVidia Tesla K80)
of accelerator to attach to the instances. Use `gcloud compute
accelerator-types list` to learn about all available accelerator types.
+
*count*::: (Optional) The number of accelerators to attach to the
instances. The default value is 1 |
--account <ACCOUNT> | Google Cloud Platform user account to use for invocation. Overrides the default *core/account* property value for this command invocation |
--additional-zones <ZONE> | (DEPRECATED) The set of additional zones in which the specified node footprint should be
replicated. All zones must be in the same region as the cluster's primary zone.
If additional-zones is not specified, all nodes will be in the cluster's primary
zone.
+
Note that `NUM_NODES` nodes will be created in each zone, such that if you
specify `--num-nodes=4` and choose one additional zone, 8 nodes will be created.
+
Multiple locations can be specified, separated by commas. For example:
+
$ {command} example-cluster --zone us-central1-a --additional-zones us-central1-b,us-central1-c
+
This flag is deprecated. Use --node-locations=PRIMARY_ZONE,[ZONE,...] instead |
--addons <ADDON> | Addons
(https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#Cluster.AddonsConfig)
are additional Kubernetes cluster components. Addons specified by this flag will
be enabled. The others will be disabled. Default addons: HttpLoadBalancing, HorizontalPodAutoscaling. _ADDON_ must be one of: *HttpLoadBalancing*, *HorizontalPodAutoscaling*, *KubernetesDashboard*, *NetworkPolicy*, *CloudRun*, *NodeLocalDNS*, *ConfigConnector* |
--async | Return immediately, without waiting for the operation in progress to
complete |
--autoprovisioning-config-file <AUTOPROVISIONING_CONFIG_FILE> | Path of the JSON/YAML file which contains information about the
cluster's node autoprovisioning configuration. Currently it contains
a list of resource limits, identity defaults for autoprovisioning, node upgrade
settings, node management settings, minimum cpu platform, node locations for
autoprovisioning, disk type and size configuration, shielded instance settings,
and customer-managed encryption keys settings.
+
Resource limits are specified in the field 'resourceLimits'.
Each resource limits definition contains three fields:
resourceType, maximum and minimum.
Resource type can be "cpu", "memory" or an accelerator (e.g.
"nvidia-tesla-k80" for nVidia Tesla K80). Use gcloud compute accelerator-types
list to learn about available accelerator types.
Maximum is the maximum allowed amount with the unit of the resource.
Minimum is the minimum allowed amount with the unit of the resource.
+
Identity default contains at most one of the below fields:
serviceAccount: The Google Cloud Platform Service Account to be used by node VMs in
autoprovisioned node pools. If not specified, the project's default service account
is used.
scopes: A list of scopes to be used by node instances in autoprovisioned node pools.
Multiple scopes can be specified, separated by commas. For information on defaults,
look at:
https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes
+
Node Upgrade settings are specified under the field
'upgradeSettings', which has the following fields:
maxSurgeUpgrade: Number of extra (surge) nodes to be created on
each upgrade of an autoprovisioned node pool.
maxUnavailableUpgrade: Number of nodes that can be unavailable at the
same time on each upgrade of an autoprovisioned node pool.
+
Node Management settings are specified under the field
'nodeManagement', which has the following fields:
enableAutoUpgrade: A boolean field that indicates if node
autoupgrade is enabled for autoprovisioned node pools.
enableAutoRepair: A boolean field that indicates if node
autorepair is enabled for autoprovisioned node pools.
+
minCpuPlatform: If specified, new autoprovisioned nodes will be
scheduled on a host with the specified CPU platform or a newer one.
Note: Min CPU platform can only be specified in Beta and Alpha.
+
Autoprovisioning locations is a set of zones where new node pools
can be created by Autoprovisioning. Autoprovisioning locations are
specified in the field 'autoprovisioningLocations'. All zones must
be in the same region as the cluster's master(s).
+
Disk type and size are specified under the 'diskType' and 'diskSizeGb' fields,
respectively. If specified, new autoprovisioned nodes will be created with
custom boot disks configured by these settings.
+
Shielded instance settings are specified under the 'shieldedInstanceConfig'
field, which has the following fields:
enableSecureBoot: A boolean field that indicates if secure boot is enabled for
autoprovisioned nodes.
enableIntegrityMonitoring: A boolean field that indicates if integrity
monitoring is enabled for autoprovisioned nodes.
+
Customer Managed Encryption Keys (CMEK) used by new auto-provisioned node pools
can be specified in the 'bootDiskKmsKey' field |
--autoprovisioning-locations <ZONE> | Set of zones where new node pools can be created by autoprovisioning.
All zones must be in the same region as the cluster's master(s).
Multiple locations can be specified, separated by commas |
--autoprovisioning-max-surge-upgrade <AUTOPROVISIONING_MAX_SURGE_UPGRADE> | Number of extra (surge) nodes to be created on each upgrade of an
autoprovisioned node pool |
--autoprovisioning-max-unavailable-upgrade <AUTOPROVISIONING_MAX_UNAVAILABLE_UPGRADE> | Number of nodes that can be unavailable at the same time on each
upgrade of an autoprovisioned node pool |
--autoprovisioning-min-cpu-platform <PLATFORM> | If specified, new autoprovisioned nodes will be scheduled on a host with
the specified CPU platform or a newer one |
--autoprovisioning-scopes <SCOPE> | The scopes to be used by node instances in autoprovisioned node pools.
Multiple scopes can be specified, separated by commas. For information
on defaults, look at:
https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes |
--autoprovisioning-service-account <AUTOPROVISIONING_SERVICE_ACCOUNT> | The Google Cloud Platform Service Account to be used by node VMs in
autoprovisioned node pools. If not specified, the project default
service account is used |
--billing-project <BILLING_PROJECT> | The Google Cloud Platform project that will be charged quota for operations performed in gcloud. If you need to operate on one project, but need quota against a different project, you can use this flag to specify the billing project. If both `billing/quota_project` and `--billing-project` are specified, `--billing-project` takes precedence. Run `$ gcloud config set --help` to see more information about `billing/quota_project` |
--boot-disk-kms-key <BOOT_DISK_KMS_KEY> | The Customer Managed Encryption Key used to encrypt the boot disk attached
to each node in the node pool. This should be of the form
projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME].
For more information about protecting resources with Cloud KMS Keys please
see:
https://cloud.google.com/compute/docs/disks/customer-managed-encryption |
--cloud-run-config <load-balancer-type=EXTERNAL> | Configurations for Cloud Run addon, requires `--addons=CloudRun` for create
and `--update-addons=CloudRun=ENABLED` for update.
+
*load-balancer-type*::: (Optional) Type of load balancer: EXTERNAL or INTERNAL.
Example:
+
$ {command} example-cluster --cloud-run-config=load-balancer-type=INTERNAL |
--cluster-ipv4-cidr <CLUSTER_IPV4_CIDR> | The IP address range for the pods in this cluster in CIDR notation (e.g.
10.0.0.0/14). Prior to Kubernetes version 1.7.0 this must be a subset of
10.0.0.0/8; starting with version 1.7.0, it can be any RFC 1918 IP range.
+
If you omit this option, a range is chosen automatically. The automatically
chosen range is randomly selected from 1.0.0.0/8 and will not include IP
address ranges allocated to VMs, existing routes, or ranges allocated to other
clusters. The automatically chosen range might conflict with reserved IP
addresses, dynamic routes, or routes within VPCs that peer with this cluster.
You should specify `--cluster-ipv4-cidr` to prevent conflicts |
--cluster-secondary-range-name <NAME> | Set the secondary range to be used as the source for pod IPs. Alias
ranges will be allocated from this secondary range. NAME must be the
name of an existing secondary range in the cluster subnetwork.
+
Must be used in conjunction with '--enable-ip-alias'. Cannot be used
with --create-subnetwork |
--cluster-version <CLUSTER_VERSION> | The Kubernetes version to use for the master and nodes. Defaults to
server-specified.
+
The default Kubernetes version is available using the following command.
+
$ gcloud container get-server-config |
--configuration <CONFIGURATION> | The configuration to use for this command invocation. For more
information on how to use configurations, run:
`gcloud topic configurations`. You can also use the CLOUDSDK_ACTIVE_CONFIG_NAME environment
variable to set the equivalent of this flag for a terminal
session |
--create-subnetwork <KEY=VALUE> | Create a new subnetwork for the cluster. The name and range of the
subnetwork can be customized via optional 'name' and 'range' key-value
pairs.
+
'name' specifies the name of the subnetwork to be created.
+
'range' specifies the IP range for the new subnetwork. This can either
be a netmask size (e.g. '/20') or a CIDR range (e.g. '10.0.0.0/20').
If a netmask size is specified, the IP is automatically taken from the
free space in the cluster's network.
+
Examples:
+
Create a new subnetwork with a default name and size.
+
$ {command} --create-subnetwork ""
+
Create a new subnetwork named "my-subnet" with netmask of size 21.
+
$ {command} --create-subnetwork name=my-subnet,range=/21
+
Create a new subnetwork with a default name with the primary range of
10.100.0.0/16.
+
$ {command} --create-subnetwork range=10.100.0.0/16
+
Create a new subnetwork with the name "my-subnet" with a default range.
+
$ {command} --create-subnetwork name=my-subnet
+
Can not be specified unless '--enable-ip-alias' is also specified. Can
not be used in conjunction with the '--subnetwork' option |
--database-encryption-key <DATABASE_ENCRYPTION_KEY> | Enable Database Encryption.
+
Enable database encryption that will be used to encrypt Kubernetes Secrets at
the application layer. The key provided should be the resource ID in the format of
`projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]`.
For more information, see
https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets |
--default-max-pods-per-node <DEFAULT_MAX_PODS_PER_NODE> | The default max number of pods per node for node pools in the cluster.
+
This flag sets the default max-pods-per-node for node pools in the cluster. If
--max-pods-per-node is not specified explicitly for a node pool, this flag
value will be used.
+
Must be used in conjunction with '--enable-ip-alias' |
--disable-default-snat | Disable default source NAT rules applied in cluster nodes.
+
By default, cluster nodes perform source network address translation (SNAT)
for packets sent from Pod IP address sources to destination IP addresses
that are not in the non-masquerade CIDRs list.
For more details about SNAT and IP masquerading, see:
https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent#how_ipmasq_works
SNAT changes the packet's source IP address to the node's internal IP address.
+
When this flag is set, GKE does not perform SNAT for packets sent to any destination.
You must set this flag if the cluster uses privately reused public IPs.
+
The --disable-default-snat flag is only applicable to private GKE clusters, which are
inherently VPC-native. Thus, --disable-default-snat requires that you also set
--enable-ip-alias and --enable-private-nodes |
--disk-size <DISK_SIZE> | Size for node VM boot disks. Defaults to 100GB |
--disk-type <DISK_TYPE> | Type of the node VM boot disk. Defaults to pd-standard. _DISK_TYPE_ must be one of: *pd-standard*, *pd-ssd*, *pd-balanced* |
--enable-autoprovisioning | Enables node autoprovisioning for a cluster.
+
Cluster Autoscaler will be able to create new node pools. Requires maximum CPU
and memory limits to be specified |
--enable-autoprovisioning-autorepair | Enable node autorepair for autoprovisioned node pools.
Use --no-enable-autoprovisioning-autorepair to disable |
--enable-autoprovisioning-autoupgrade | Enable node autoupgrade for autoprovisioned node pools.
Use --no-enable-autoprovisioning-autoupgrade to disable |
--enable-autorepair | Enable node autorepair feature for a cluster's default node pool(s).
+
$ {command} example-cluster --enable-autorepair
+
Node autorepair is enabled by default for clusters using COS, COS_CONTAINERD, UBUNTU or UBUNTU_CONTAINERD
as a base image. Use --no-enable-autorepair to disable it.
+
See https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair for more info |
--enable-autoscaling | Enables autoscaling for a node pool.
+
Enables autoscaling in the node pool specified by --node-pool or
the default node pool if --node-pool is not provided |
--enable-autoupgrade | Sets autoupgrade feature for a cluster's default node pool(s).
+
$ {command} example-cluster --enable-autoupgrade
+
See https://cloud.google.com/kubernetes-engine/docs/node-auto-upgrades for more info.
+
Enabled by default, use *--no-enable-autoupgrade* to disable |
--enable-basic-auth | Enable basic (username/password) auth for the cluster. `--enable-basic-auth` is
an alias for `--username=admin`; `--no-enable-basic-auth` is an alias for
`--username=""`. Use `--password` to specify a password; if not, the server will
randomly generate one. For cluster versions before 1.12, if neither
`--enable-basic-auth` nor `--username` is specified, `--enable-basic-auth` will
default to `true`. After 1.12, `--enable-basic-auth` will default to `false` |
--enable-binauthz | Enable Binary Authorization for this cluster |
--enable-cloud-logging | (DEPRECATED) Automatically send logs from the cluster to the Google Cloud Logging API. This flag is deprecated, use `--enable-stackdriver-kubernetes` instead.
+
From 1.14, legacy Stackdriver GKE logging is deprecated. Thus, flag `--enable-cloud-logging` is also deprecated. Please use `--enable-stackdriver-kubernetes` instead, to migrate to new Stackdriver Kubernetes Engine monitoring and logging. For more details, please read: https://cloud.google.com/monitoring/kubernetes-engine/migration |
--enable-cloud-monitoring | (DEPRECATED) Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting. This flag is deprecated, use `--enable-stackdriver-kubernetes` instead.
+
From 1.14, legacy Stackdriver GKE monitoring is deprecated. Thus, flag `--enable-cloud-monitoring` is also deprecated. Please use `--enable-stackdriver-kubernetes` instead, to migrate to new Stackdriver Kubernetes Engine monitoring and logging. For more details, please read: https://cloud.google.com/monitoring/kubernetes-engine/migration |
--enable-cloud-run-alpha | Enable Cloud Run alpha features on this cluster. Selecting this
option will result in the cluster having all Cloud Run alpha API groups and
features turned on.
+
Cloud Run alpha clusters are not covered by the Cloud Run SLA and should not be
used for production workloads |
--enable-intra-node-visibility | Enable Intra-node visibility for this cluster.
+
Enabling intra-node visibility makes your intra-node pod-to-pod traffic
visible to the networking fabric. With this feature, you can use VPC flow
logging or other VPC features for intra-node traffic.
+
Enabling it on an existing cluster causes the cluster
master and the cluster nodes to restart, which might cause a disruption |
--enable-ip-alias | Enable use of alias IPs (https://cloud.google.com/compute/docs/alias-ip/)
for Pod IPs. This will require at least two secondary ranges in the
subnetwork, one for the pod IPs and another to reserve space for the
services range |
--enable-kubernetes-alpha | Enable Kubernetes alpha features on this cluster. Selecting this
option will result in the cluster having all Kubernetes alpha API groups and
features turned on. Cluster upgrades (both manual and automatic) will be
disabled and the cluster will be automatically deleted after 30 days.
+
Alpha clusters are not covered by the Kubernetes Engine SLA and should not be
used for production workloads |
--enable-legacy-authorization | Enables legacy ABAC authorization for the cluster.
User rights are granted through the use of policies which combine attributes
together. For a detailed look at these properties and related formats, see
https://kubernetes.io/docs/admin/authorization/abac/. To use RBAC permissions
instead, create or update your cluster with the option
`--no-enable-legacy-authorization` |
--enable-master-authorized-networks | Allow only specified set of CIDR blocks (specified by the
`--master-authorized-networks` flag) to connect to Kubernetes master through
HTTPS. Besides these blocks, the following have access as well:
+
1) The private network the cluster connects to if
`--enable-private-nodes` is specified.
2) Google Compute Engine Public IPs if `--enable-private-nodes` is not
specified.
+
Use `--no-enable-master-authorized-networks` to disable. When disabled, public
internet (0.0.0.0/0) is allowed to connect to Kubernetes master through HTTPS |
--enable-master-global-access | Use with private clusters to allow access to the master's private endpoint from any Google Cloud region or on-premises environment regardless of the
private cluster's region.
+
Must be used in conjunction with '--enable-ip-alias' and '--enable-private-nodes' |
--enable-network-egress-metering | Enable network egress metering on this cluster.
+
When enabled, a DaemonSet is deployed into the cluster. Each DaemonSet pod
meters network egress traffic by collecting data from the conntrack table, and
exports the metered metrics to the specified destination.
+
Network egress metering is disabled if this flag is omitted, or when
`--no-enable-network-egress-metering` is set |
--enable-network-policy | Enable network policy enforcement for this cluster. If you are enabling network policy on an existing cluster the network policy addon must first be enabled on the master by using --update-addons=NetworkPolicy=ENABLED flag |
--enable-private-endpoint | Cluster is managed using the private IP address of the master API endpoint |
--enable-private-nodes | Cluster is created with no public IP addresses on the cluster nodes |
--enable-resource-consumption-metering | Enable resource consumption metering on this cluster.
+
When enabled, a table will be created in the specified BigQuery dataset to store
resource consumption data. The resulting table can be joined with the resource
usage table or with BigQuery billing export.
+
Resource consumption metering is enabled unless `--no-enable-resource-consumption-metering` is set |
--enable-shielded-nodes | Enable Shielded Nodes for this cluster. Enabling Shielded Nodes will enable a
more secure Node credential bootstrapping implementation. Starting with version
1.18, clusters will have shielded GKE nodes by default |
--enable-stackdriver-kubernetes | Enable Stackdriver Kubernetes monitoring and logging |
--enable-tpu | Enable Cloud TPUs for this cluster.
+
Can not be specified unless `--enable-ip-alias` is also specified |
--enable-vertical-pod-autoscaling | Enable vertical pod autoscaling for a cluster |
--flags-file <YAML_FILE> | A YAML or JSON file that specifies a *--flag*:*value* dictionary.
Useful for specifying complex flag values with special characters
that work with any command interpreter. Additionally, each
*--flags-file* arg is replaced by its constituent flags. See
$ gcloud topic flags-file for more information |
--flatten <KEY> | Flatten _name_[] output resource slices in _KEY_ into separate records
for each item in each slice. Multiple keys and slices may be specified.
This also flattens keys for *--format* and *--filter*. For example,
*--flatten=abc.def* flattens *abc.def[].ghi* references to
*abc.def.ghi*. A resource record containing *abc.def[]* with N elements
will expand to N records in the flattened output. This flag interacts
with other flags that are applied in this order: *--flatten*,
*--sort-by*, *--filter*, *--limit* |
--format <FORMAT> | Set the format for printing command output resources. The default is a
command-specific human-friendly output format. The supported formats
are: `config`, `csv`, `default`, `diff`, `disable`, `flattened`, `get`, `json`, `list`, `multi`, `none`, `object`, `table`, `text`, `value`, `yaml`. For more details run $ gcloud topic formats |
--help | Display detailed help |
--image-type <IMAGE_TYPE> | The image type to use for the cluster. Defaults to server-specified.
+
Image Type specifies the base OS that the nodes in the cluster will run on.
If an image type is specified, that will be assigned to the cluster and all
future upgrades will use the specified image type. If it is not specified the
server will pick the default image type.
+
The default image type and the list of valid image types are available
using the following command.
+
$ gcloud container get-server-config |
--impersonate-service-account <SERVICE_ACCOUNT_EMAIL> | For this gcloud invocation, all API requests will be made as the given service account instead of the currently selected account. This is done without needing to create, download, and activate a key for the account. In order to perform operations as the service account, your currently selected account must have an IAM role that includes the iam.serviceAccounts.getAccessToken permission for the service account. The roles/iam.serviceAccountTokenCreator role has this permission or you may create a custom role. Overrides the default *auth/impersonate_service_account* property value for this command invocation |
--issue-client-certificate | Issue a TLS client certificate with admin permissions.
+
When enabled, the certificate and private key pair will be present in
MasterAuth field of the Cluster object. For cluster versions before 1.12, a
client certificate will be issued by default. As of 1.12, client certificates
are disabled by default |
--labels <KEY=VALUE> | Labels to apply to the Google Cloud resources in use by the Kubernetes Engine
cluster. These are unrelated to Kubernetes labels.
Example:
+
$ {command} example-cluster --labels=label_a=value1,label_b=,label_c=value3 |
--local-ssd-count <LOCAL_SSD_COUNT> | The number of local SSD disks to provision on each node, formatted and mounted
in the filesystem.
+
Local SSDs have a fixed 375 GB capacity per device. The number of disks that
can be attached to an instance is limited by the maximum number of disks
available on a machine, which differs by compute zone. See
https://cloud.google.com/compute/docs/disks/local-ssd for more information |
--log-http | Log all HTTP server requests and responses to stderr. Overrides the default *core/log_http* property value for this command invocation |
--machine-type <MACHINE_TYPE> | The type of machine to use for nodes. Defaults to e2-medium.
The list of predefined machine types is available using the following command:
+
$ gcloud compute machine-types list
+
You can also specify custom machine types with the string "custom-CPUS-RAM"
where `CPUS` is the number of virtual CPUs and `RAM` is the amount of
RAM in MiB.
+
For example, to create a node pool using custom machines with 2 vCPUs and 12 GB
of RAM:
+
$ {command} high-mem-pool --machine-type=custom-2-12288 |
--maintenance-window <START_TIME> | Set a time of day when you prefer maintenance to start on this cluster. For example:
+
$ {command} example-cluster --maintenance-window=12:43
+
The time corresponds to the UTC time zone, and must be in HH:MM format.
+
Non-emergency maintenance will occur in the 4 hour block starting at the
specified time.
+
This is mutually exclusive with the recurring maintenance windows
and will overwrite any existing window. Compatible with maintenance
exclusions |
--maintenance-window-end <TIME_STAMP> | End time of the first window (can occur in the past). Must take place after the
start time. The difference in start and end time specifies the length of each
recurrence. See $ gcloud topic datetimes for information on time formats |
--maintenance-window-recurrence <RRULE> | An RFC 5545 RRULE, specifying how the window will recur. Minimum
requirements for maintenance periods will be enforced. FREQ=SECONDLY,
MINUTELY, and HOURLY are not supported |
--maintenance-window-start <TIME_STAMP> | Start time of the first window (can occur in the past). The start time
influences when the window will start for recurrences. See $ gcloud topic
datetimes for information on time formats |
--master-authorized-networks <NETWORK> | The list of CIDR blocks (up to 100 for private cluster, 50 for public cluster) that are allowed to connect to Kubernetes master through HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot be specified unless `--enable-master-authorized-networks` is also specified |
--master-ipv4-cidr <MASTER_IPV4_CIDR> | IPv4 CIDR range to use for the master network. This should have a netmask of size /28 and should be used in conjunction with the --enable-private-nodes flag |
--max-accelerator <type=TYPE,count=COUNT> | Sets the maximum limit for a single type of accelerator (e.g. GPUs) in the cluster.
+
*type*::: (Required) The specific type (e.g. nvidia-tesla-k80 for nVidia Tesla K80)
of accelerator for which the limit is set. Use `gcloud compute
accelerator-types list` to learn about all available accelerator types.
+
*count*::: (Required) The maximum number of accelerators
to which the cluster can be scaled |
--max-cpu <MAX_CPU> | Maximum number of cores in the cluster.
+
Maximum number of cores to which the cluster can scale |
--max-memory <MAX_MEMORY> | Maximum memory in the cluster.
+
Maximum number of gigabytes of memory to which the cluster can scale |
--max-nodes <MAX_NODES> | Maximum number of nodes in the node pool.
+
Maximum number of nodes to which the node pool specified by --node-pool
(or default node pool if unspecified) can scale. Ignored unless
--enable-autoscaling is also specified |
--max-nodes-per-pool <MAX_NODES_PER_POOL> | The maximum number of nodes to allocate per default initial node pool. Kubernetes Engine will automatically create enough node pools such that each node pool contains fewer than `--max-nodes-per-pool` nodes. Defaults to 1000 nodes, but can be set as low as 100 nodes per pool on initial create |
--max-pods-per-node <MAX_PODS_PER_NODE> | The max number of pods per node for this node pool.
+
This flag sets the maximum number of pods that can be run at the same time on a
node. This will override the value given with --default-max-pods-per-node flag
set at the cluster level.
+
Must be used in conjunction with '--enable-ip-alias' |
--max-surge-upgrade <MAX_SURGE_UPGRADE> | Number of extra (surge) nodes to be created on each upgrade of a node pool.
+
Specifies the number of extra (surge) nodes to be created during this node
pool's upgrades. For example, running the following command will result in
creating an extra node each time the node pool is upgraded:
+
$ {command} example-cluster --max-surge-upgrade=1 --max-unavailable-upgrade=0
+
Must be used in conjunction with '--max-unavailable-upgrade' |
--max-unavailable-upgrade <MAX_UNAVAILABLE_UPGRADE> | Number of nodes that can be unavailable at the same time on each upgrade of a
node pool.
+
Specifies the number of nodes that can be unavailable at the same time while
this node pool is being upgraded. For example, running the following command
will result in having 3 nodes being upgraded in parallel (1 + 2), but keeping
always at least 3 (5 - 2) available each time the node pool is upgraded:
+
$ {command} example-cluster --num-nodes=5 --max-surge-upgrade=1 --max-unavailable-upgrade=2
+
Must be used in conjunction with '--max-surge-upgrade' |
--metadata <KEY=VALUE> | Compute Engine metadata to be made available to the guest operating system
running on nodes within the node pool.
+
Each metadata entry is a key/value pair separated by an equals sign.
Metadata keys must be unique and less than 128 bytes in length. Values
must be less than or equal to 32,768 bytes in length. The total size of
all keys and values must be less than 512 KB. Multiple arguments can be
passed to this flag. For example:
+
``--metadata key-1=value-1,key-2=value-2,key-3=value-3''
+
Additionally, the following keys are reserved for use by Kubernetes
Engine:
+
* ``cluster-location''
* ``cluster-name''
* ``cluster-uid''
* ``configure-sh''
* ``enable-os-login''
* ``gci-update-strategy''
* ``gci-ensure-gke-docker''
* ``instance-template''
* ``kube-env''
* ``startup-script''
* ``user-data''
+
Google Kubernetes Engine sets the following keys by default:
+
* ``serial-port-logging-enable''
+
See also Compute Engine's
link:https://cloud.google.com/compute/docs/storing-retrieving-metadata[documentation]
on storing and retrieving instance metadata |
--metadata-from-file <KEY=LOCAL_FILE_PATH> | Same as ``--metadata'' except that the value for the entry will
be read from a local file |
--min-accelerator <type=TYPE,count=COUNT> | Sets the minimum limit for a single type of accelerator (e.g. GPUs) in the cluster. Defaults
to 0 for all accelerator types if it isn't set.
+
*type*::: (Required) The specific type (e.g. nvidia-tesla-k80 for nVidia Tesla K80)
of accelerator for which the limit is set. Use `gcloud compute
accelerator-types list` to learn about all available accelerator types.
+
*count*::: (Required) The minimum number of accelerators
to which the cluster can be scaled |
--min-cpu <MIN_CPU> | Minimum number of cores in the cluster.
+
Minimum number of cores to which the cluster can scale |
--min-cpu-platform <PLATFORM> | When specified, the nodes for the new cluster's default node pool will be
scheduled on a host with the specified CPU platform or a newer one.
+
Examples:
+
$ {command} example-cluster --min-cpu-platform=PLATFORM
+
To list available CPU platforms in given zone, run:
+
$ gcloud beta compute zones describe ZONE --format="value(availableCpuPlatforms)"
+
CPU platform selection is available only in selected zones |
--min-memory <MIN_MEMORY> | Minimum memory in the cluster.
+
Minimum number of gigabytes of memory to which the cluster can scale |
--min-nodes <MIN_NODES> | Minimum number of nodes in the node pool.
+
Minimum number of nodes to which the node pool specified by --node-pool
(or default node pool if unspecified) can scale. Ignored unless
--enable-autoscaling is also specified |
--network <NETWORK> | The Compute Engine Network that the cluster will connect to. Google Kubernetes Engine will use this network when creating routes and firewalls for the clusters. Defaults to the 'default' network |
--node-labels <NODE_LABEL> | Applies the given Kubernetes labels on all nodes in the new node pool. Example:
+
$ {command} example-cluster --node-labels=label-a=value1,label-2=value2
+
New nodes, including ones created by resize or recreate, will have these labels
on the Kubernetes API node object and can be used in nodeSelectors.
See http://kubernetes.io/docs/user-guide/node-selection/ for examples.
+
Note that Kubernetes labels, intended to associate cluster components
and resources with one another and manage resource lifecycles, are different
from Kubernetes Engine labels, which are used for tracking billing
and usage information |
--node-locations <ZONE> | The set of zones in which the specified node footprint should be replicated.
All zones must be in the same region as the cluster's master(s), specified by
the `--zone` or `--region` flag. Additionally, for zonal clusters,
`--node-locations` must contain the cluster's primary zone. If not specified,
all nodes will be in the cluster's primary zone (for zonal clusters) or spread
across three randomly chosen zones within the cluster's region (for regional
clusters).
+
Note that `NUM_NODES` nodes will be created in each zone, such that if you
specify `--num-nodes=4` and choose two locations, 8 nodes will be created.
+
Multiple locations can be specified, separated by commas. For example:
+
$ {command} example-cluster --zone us-central1-a --node-locations us-central1-a,us-central1-b |
--node-taints <NODE_TAINT> | Applies the given Kubernetes taints to all nodes in the new cluster's default node pool(s); taints can be used with tolerations for pod scheduling. Example:
+
$ {command} example-cluster --node-taints=key1=val1:NoSchedule,key2=val2:PreferNoSchedule
+
Note, this feature uses `gcloud beta` commands. To use gcloud beta commands,
you must configure `gcloud` to use the v1beta1 API as described here: https://cloud.google.com/kubernetes-engine/docs/reference/api-organization#beta.
To read more about node-taints, see https://cloud.google.com/kubernetes-engine/docs/node-taints |
--node-version <NODE_VERSION> | The Kubernetes version to use for nodes. Defaults to server-specified.
+
The default Kubernetes version is available using the following command.
+
$ gcloud container get-server-config |
--num-nodes <NUM_NODES> | The number of nodes to be created in each of the cluster's zones |
--password <PASSWORD> | The password to use for cluster auth. Defaults to a server-specified randomly-generated string |
--preemptible | Create nodes using preemptible VM instances in the new cluster.
+
$ {command} example-cluster --preemptible
+
New nodes, including ones created by resize or recreate, will use preemptible
VM instances. See https://cloud.google.com/kubernetes-engine/docs/preemptible-vm
for more information on how to use Preemptible VMs with Kubernetes Engine |
--project <PROJECT_ID> | The Google Cloud Platform project ID to use for this invocation. If
omitted, then the current project is assumed; the current project can
be listed using `gcloud config list --format='text(core.project)'`
and can be set using `gcloud config set project PROJECTID`.
+
`--project` and its fallback `core/project` property play two roles
in the invocation. It specifies the project of the resource to
operate on. It also specifies the project for API enablement check,
quota, and billing. To specify a different project for quota and
billing, use `--billing-project` or `billing/quota_project` property |
--quiet | Disable all interactive prompts when running gcloud commands. If input
is required, defaults will be used, or an error will be raised.
Overrides the default core/disable_prompts property value for this
command invocation. This is equivalent to setting the environment
variable `CLOUDSDK_CORE_DISABLE_PROMPTS` to 1 |
--region <REGION> | Compute region (e.g. us-central1) for the cluster |
--release-channel <CHANNEL> | Release channel a cluster is subscribed to.
+
When a cluster is subscribed to a release channel, Google maintains
both the master version and the node version. Node auto-upgrade
defaults to true and cannot be disabled.
+
_CHANNEL_ must be one of:
+
*None*::: Use 'None' to opt out of any release channel.
+
*rapid*::: 'rapid' channel is offered on an early access basis for customers who want
to test new releases.
+
WARNING: Versions available in the 'rapid' channel may be subject to
unresolved issues with no known workaround and are not subject to any
SLAs.
+
*regular*::: Clusters subscribed to 'regular' receive versions that are considered GA
quality. 'regular' is intended for production users who want to take
advantage of new features.
+
*stable*::: Clusters subscribed to 'stable' receive versions that are known to be
stable and reliable in production |
--reservation <RESERVATION> | The name of the reservation, required when `--reservation-affinity=specific` |
--reservation-affinity <RESERVATION_AFFINITY> | The type of the reservation for the default initial node pool. _RESERVATION_AFFINITY_ must be one of: *any*, *none*, *specific* |
--resource-usage-bigquery-dataset <RESOURCE_USAGE_BIGQUERY_DATASET> | The name of the BigQuery dataset to which the cluster's usage of cloud
resources is exported. A table will be created in the specified dataset to
store cluster resource usage. The resulting table can be joined with BigQuery
Billing Export to produce a fine-grained cost breakdown.
+
Example:
+
$ {command} example-cluster --resource-usage-bigquery-dataset=example_bigquery_dataset_name |
--scopes <SCOPE> | Specifies scopes for the node instances. Examples:
+
$ {command} example-cluster --scopes=https://www.googleapis.com/auth/devstorage.read_only
+
$ {command} example-cluster --scopes=bigquery,storage-rw,compute-ro
+
Multiple SCOPEs can be specified, separated by commas. `logging-write`
and/or `monitoring` are added unless Cloud Logging and/or Cloud Monitoring
are disabled (see `--enable-cloud-logging` and `--enable-cloud-monitoring`
for more information).
SCOPE can be either the full URI of the scope or an alias. *default* scopes are
assigned to all instances. Available aliases are:
+
Alias | URI
--- | ---
bigquery | https://www.googleapis.com/auth/bigquery
cloud-platform | https://www.googleapis.com/auth/cloud-platform
cloud-source-repos | https://www.googleapis.com/auth/source.full_control
cloud-source-repos-ro | https://www.googleapis.com/auth/source.read_only
compute-ro | https://www.googleapis.com/auth/compute.readonly
compute-rw | https://www.googleapis.com/auth/compute
datastore | https://www.googleapis.com/auth/datastore
default | https://www.googleapis.com/auth/devstorage.read_only
| https://www.googleapis.com/auth/logging.write
| https://www.googleapis.com/auth/monitoring.write
| https://www.googleapis.com/auth/pubsub
| https://www.googleapis.com/auth/service.management.readonly
| https://www.googleapis.com/auth/servicecontrol
| https://www.googleapis.com/auth/trace.append
gke-default | https://www.googleapis.com/auth/devstorage.read_only
| https://www.googleapis.com/auth/logging.write
| https://www.googleapis.com/auth/monitoring
| https://www.googleapis.com/auth/service.management.readonly
| https://www.googleapis.com/auth/servicecontrol
| https://www.googleapis.com/auth/trace.append
logging-write | https://www.googleapis.com/auth/logging.write
monitoring | https://www.googleapis.com/auth/monitoring
monitoring-read | https://www.googleapis.com/auth/monitoring.read
monitoring-write | https://www.googleapis.com/auth/monitoring.write
pubsub | https://www.googleapis.com/auth/pubsub
service-control | https://www.googleapis.com/auth/servicecontrol
service-management | https://www.googleapis.com/auth/service.management.readonly
sql (deprecated) | https://www.googleapis.com/auth/sqlservice
sql-admin | https://www.googleapis.com/auth/sqlservice.admin
storage-full | https://www.googleapis.com/auth/devstorage.full_control
storage-ro | https://www.googleapis.com/auth/devstorage.read_only
storage-rw | https://www.googleapis.com/auth/devstorage.read_write
taskqueue | https://www.googleapis.com/auth/taskqueue
trace | https://www.googleapis.com/auth/trace.append
userinfo-email | https://www.googleapis.com/auth/userinfo.email
+
DEPRECATION WARNING: the https://www.googleapis.com/auth/sqlservice account scope
and the `sql` alias do not provide SQL instance management capabilities and have
been deprecated. Use https://www.googleapis.com/auth/sqlservice.admin
or `sql-admin` to manage your Google SQL Service instances |
--service-account <SERVICE_ACCOUNT> | The Google Cloud Platform Service Account to be used by the node VMs. If a service account is specified, the cloud-platform and userinfo.email scopes are used. If no Service Account is specified, the project default service account is used |
--services-ipv4-cidr <CIDR> | Set the IP range for service IPs.
+
Can be specified as a netmask size (e.g. '/20') or in CIDR notation
(e.g. '10.100.0.0/20'). If given as a netmask size, the IP range will
be chosen automatically from the available space in the network.
+
If unspecified, the services CIDR range will be chosen with a default
mask size.
+
Cannot be specified unless '--enable-ip-alias' is also specified |
--services-secondary-range-name <NAME> | Set the secondary range to be used for services (e.g. ClusterIPs).
NAME must be the name of an existing secondary range in the cluster
subnetwork.
+
Must be used in conjunction with '--enable-ip-alias'. Cannot be used
with --create-subnetwork |
--shielded-integrity-monitoring | Enables monitoring and attestation of the boot integrity of the
instance. The attestation is performed against the integrity policy
baseline. This baseline is initially derived from the implicitly
trusted boot image when the instance is created |
--shielded-secure-boot | The node instances boot with Secure Boot enabled |
--subnetwork <SUBNETWORK> | The Google Compute Engine subnetwork
(https://cloud.google.com/compute/docs/subnetworks) to which the cluster is
connected. The subnetwork must belong to the network specified by --network.
+
Cannot be used with the "--create-subnetwork" option |
--tags <TAG> | Applies the given Compute Engine tags (comma separated) on all nodes in the new
node-pool. Example:
+
$ {command} example-cluster --tags=tag1,tag2
+
New nodes, including ones created by resize or recreate, will have these tags
on the Compute Engine API instance object and can be used in firewall rules.
See https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create
for examples |
--tpu-ipv4-cidr <CIDR> | Set the IP range for the Cloud TPUs.
+
Can be specified as a netmask size (e.g. '/20') or in CIDR notation
(e.g. '10.100.0.0/20'). If given as a netmask size, the IP range will be chosen
automatically from the available space in the network.
+
If unspecified, the TPU CIDR range will use automatic default '/20'.
+
Cannot be specified unless '--enable-tpu' and '--enable-ip-alias' are also
specified |
--trace-token <TRACE_TOKEN> | Token used to route traces of service requests for investigation of issues. Overrides the default *core/trace_token* property value for this command invocation |
--user-output-enabled | Print user intended output to the console. Overrides the default *core/user_output_enabled* property value for this command invocation. Use *--no-user-output-enabled* to disable |
--username <USERNAME> | The user name to use for basic auth for the cluster. Use `--password` to specify
a password; if not, the server will randomly generate one |
--verbosity <VERBOSITY> | Override the default verbosity for this command. Overrides the default *core/verbosity* property value for this command invocation. _VERBOSITY_ must be one of: *debug*, *info*, *warning*, *error*, *critical*, *none* |
--workload-metadata <WORKLOAD_METADATA> | Type of metadata server available to pods running in the node pool. _WORKLOAD_METADATA_ must be one of:
+
*GCE_METADATA*::: Pods running in this node pool have access to the node's underlying Compute Engine Metadata Server.
*GKE_METADATA*::: Run the Kubernetes Engine Metadata Server on this node. The Kubernetes Engine Metadata Server exposes a metadata API to workloads that is compatible with the V1 Compute Metadata APIs exposed by the Compute Engine and App Engine Metadata Servers. This feature can only be enabled if Workload Identity is enabled at the cluster level |
--workload-pool <WORKLOAD_POOL> | Enable Workload Identity on the cluster.
+
When enabled, Kubernetes service accounts will be able to act as Cloud IAM
Service Accounts, through the provided workload pool.
+
Currently, the only accepted workload pool is the workload pool of
the Cloud project containing the cluster, `PROJECT_ID.svc.id.goog`.
+
For more information on Workload Identity, see
+
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity |
--zone <ZONE> | Compute zone (e.g. us-central1-a) for the cluster. Overrides the default *compute/zone* property value for this command invocation |
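The `--scopes` description above lists the aliases and says which scopes are added implicitly, but the flag itself does no review of how much access the resulting node VMs get. The following is an added example, written in Python for this page rather than part of gcloud, that expands a `--scopes` value exactly as the alias table describes (aliases or full URIs, the multi-URI `default` and `gke-default` aliases, and the implicit `logging-write`/`monitoring` additions) and reports the deprecated `sql` alias plus any scope from an assumed review list of write or project-wide scopes. `SCOPE_ALIASES` is transcribed from the table; `BROAD_SCOPES` is the example's own policy, not anything gcloud enforces.

```python
"""Expand a --scopes value into the OAuth scope URIs the node VMs receive and
flag scopes that are broader than a node usually needs.

Added example for this reference page, not gcloud's own code. SCOPE_ALIASES
is transcribed from the alias table in the --scopes description; BROAD_SCOPES
is an assumed review policy for this example, not something gcloud enforces.
"""
from __future__ import annotations

# Alias -> URI(s), transcribed from the --scopes alias table on this page.
SCOPE_ALIASES: dict[str, tuple[str, ...]] = {
    "bigquery": ("https://www.googleapis.com/auth/bigquery",),
    "cloud-platform": ("https://www.googleapis.com/auth/cloud-platform",),
    "cloud-source-repos": ("https://www.googleapis.com/auth/source.full_control",),
    "cloud-source-repos-ro": ("https://www.googleapis.com/auth/source.read_only",),
    "compute-ro": ("https://www.googleapis.com/auth/compute.readonly",),
    "compute-rw": ("https://www.googleapis.com/auth/compute",),
    "datastore": ("https://www.googleapis.com/auth/datastore",),
    "default": (
        "https://www.googleapis.com/auth/devstorage.read_only",
        "https://www.googleapis.com/auth/logging.write",
        "https://www.googleapis.com/auth/monitoring.write",
        "https://www.googleapis.com/auth/pubsub",
        "https://www.googleapis.com/auth/service.management.readonly",
        "https://www.googleapis.com/auth/servicecontrol",
        "https://www.googleapis.com/auth/trace.append",
    ),
    "gke-default": (
        "https://www.googleapis.com/auth/devstorage.read_only",
        "https://www.googleapis.com/auth/logging.write",
        "https://www.googleapis.com/auth/monitoring",
        "https://www.googleapis.com/auth/service.management.readonly",
        "https://www.googleapis.com/auth/servicecontrol",
        "https://www.googleapis.com/auth/trace.append",
    ),
    "logging-write": ("https://www.googleapis.com/auth/logging.write",),
    "monitoring": ("https://www.googleapis.com/auth/monitoring",),
    "monitoring-read": ("https://www.googleapis.com/auth/monitoring.read",),
    "monitoring-write": ("https://www.googleapis.com/auth/monitoring.write",),
    "pubsub": ("https://www.googleapis.com/auth/pubsub",),
    "service-control": ("https://www.googleapis.com/auth/servicecontrol",),
    "service-management": ("https://www.googleapis.com/auth/service.management.readonly",),
    "sql": ("https://www.googleapis.com/auth/sqlservice",),  # deprecated on the page
    "sql-admin": ("https://www.googleapis.com/auth/sqlservice.admin",),
    "storage-full": ("https://www.googleapis.com/auth/devstorage.full_control",),
    "storage-ro": ("https://www.googleapis.com/auth/devstorage.read_only",),
    "storage-rw": ("https://www.googleapis.com/auth/devstorage.read_write",),
    "taskqueue": ("https://www.googleapis.com/auth/taskqueue",),
    "trace": ("https://www.googleapis.com/auth/trace.append",),
    "userinfo-email": ("https://www.googleapis.com/auth/userinfo.email",),
}

# Assumed review policy (not gcloud's): scopes that grant write or project-wide access.
BROAD_SCOPES: dict[str, str] = {
    "https://www.googleapis.com/auth/cloud-platform": "every Google Cloud API the node service account can reach",
    "https://www.googleapis.com/auth/compute": "read/write access to Compute Engine",
    "https://www.googleapis.com/auth/devstorage.full_control": "full control of Cloud Storage",
    "https://www.googleapis.com/auth/sqlservice.admin": "Cloud SQL administration",
    "https://www.googleapis.com/auth/source.full_control": "full control of source repositories",
}


def expand_scopes(spec: str, *, logging_enabled: bool = True,
                  monitoring_enabled: bool = True) -> list[str]:
    """Return the ordered, de-duplicated scope URIs for a --scopes value.

    Items may be aliases or full URIs. logging-write and monitoring are appended
    unless the matching service is disabled, as the flag description states.
    """
    uris: list[str] = []

    def add(uri: str) -> None:
        if uri not in uris:
            uris.append(uri)

    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("https://"):
            add(item)
        elif item in SCOPE_ALIASES:
            for uri in SCOPE_ALIASES[item]:
                add(uri)
        else:
            raise ValueError(f"unknown scope alias: {item!r}")
    if logging_enabled:
        add("https://www.googleapis.com/auth/logging.write")
    if monitoring_enabled:
        add("https://www.googleapis.com/auth/monitoring")
    return uris


def review_scopes(spec: str, **kwargs: bool) -> list[str]:
    """Findings for a --scopes value: the deprecated alias and any BROAD_SCOPES entry."""
    findings: list[str] = []
    aliases = [s.strip() for s in spec.split(",") if s.strip()]
    if "sql" in aliases:
        findings.append("alias 'sql' is deprecated and grants no instance management; "
                        "use 'sql-admin' only where administration is really required")
    for uri in expand_scopes(spec, **kwargs):
        if uri in BROAD_SCOPES:
            findings.append(f"{uri}: {BROAD_SCOPES[uri]}")
    return findings


if __name__ == "__main__":
    for spec in ("gke-default", "bigquery,storage-rw,compute-ro", "cloud-platform,sql"):
        print(spec, "->", expand_scopes(spec))
        for finding in review_scopes(spec):
            print("  !", finding)
```

Run it as `python3 review_scopes.py` (name assumed) before issuing the create command; `review_scopes` returning an empty list for `gke-default` and a finding for `cloud-platform` is the intended contrast, since the page notes that specifying `--service-account` switches the nodes to `cloud-platform` anyway, in which case the real boundary is the IAM roles granted to that service account rather than the scope list.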
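Several of the flags above (`--workload-pool`, `--workload-metadata`, `--service-account`, `--shielded-secure-boot`, `--shielded-integrity-monitoring`, `--username`/`--password`) decide what identity and boot guarantees the node VMs, and therefore the pods on them, end up with. The following is an added example, not gcloud's own code, showing how to check a cluster against those settings after creation: it reads the JSON that `gcloud container clusters describe CLUSTER --format=json` prints and reports each gap. Field names are those of the GKE v1 Cluster resource (`workloadIdentityConfig.workloadPool`, `nodePools[].config.workloadMetadataConfig.mode`, `shieldedInstanceConfig`, `serviceAccount`, `masterAuth.username`); the sample document is constructed for the example, and the rules are an assumed policy rather than anything gcloud enforces.

```python
"""Audit `gcloud container clusters describe CLUSTER --format=json` output for
the node-identity hardening covered by --workload-pool, --workload-metadata,
--service-account, --shielded-secure-boot, --shielded-integrity-monitoring and
basic auth (--username/--password).

Added example for this reference page, not gcloud's own code. Field names are
those of the GKE v1 Cluster resource; SAMPLE_DESCRIBE is a constructed document
and the checks are an assumed example policy.
"""
from __future__ import annotations

import json

# Constructed sample: one pool with GKE_METADATA and Shielded options but the
# project default service account, and one pool still on GCE_METADATA without
# Secure Boot. Project id and service account name are placeholders.
SAMPLE_DESCRIBE = json.dumps({
    "name": "example-cluster",
    "workloadIdentityConfig": {"workloadPool": "example-project.svc.id.goog"},
    "masterAuth": {},
    "nodePools": [
        {"name": "default-pool", "config": {
            "serviceAccount": "default",
            "workloadMetadataConfig": {"mode": "GKE_METADATA"},
            "shieldedInstanceConfig": {"enableSecureBoot": True,
                                       "enableIntegrityMonitoring": True}}},
        {"name": "legacy-pool", "config": {
            "serviceAccount": "gke-nodes@example-project.iam.gserviceaccount.com",
            "workloadMetadataConfig": {"mode": "GCE_METADATA"},
            "shieldedInstanceConfig": {"enableIntegrityMonitoring": True}}},
    ],
})


def audit_cluster(describe_json: str, project_id: str) -> list[str]:
    """Return one finding per hardening gap; an empty list means every check passed."""
    cluster = json.loads(describe_json)
    findings: list[str] = []

    # The page states PROJECT_ID.svc.id.goog is the only accepted workload pool.
    expected_pool = f"{project_id}.svc.id.goog"
    pool = cluster.get("workloadIdentityConfig", {}).get("workloadPool")
    if pool != expected_pool:
        findings.append(f"cluster: Workload Identity pool is {pool!r}, "
                        f"expected {expected_pool!r} (--workload-pool)")
    if cluster.get("masterAuth", {}).get("username"):
        findings.append("cluster: basic auth is enabled (--username/--password)")

    for node_pool in cluster.get("nodePools", []):
        name = node_pool.get("name", "?")
        cfg = node_pool.get("config", {})
        # Assumption: a pool without workloadMetadataConfig behaves as GCE_METADATA,
        # i.e. pods can reach the node's Compute Engine metadata server.
        mode = cfg.get("workloadMetadataConfig", {}).get("mode", "GCE_METADATA")
        if mode != "GKE_METADATA":
            findings.append(f"{name}: workload metadata mode {mode}; pods can reach the "
                            f"node's metadata server (--workload-metadata=GKE_METADATA)")
        # Assumption: the API reports the project default service account as "default".
        if cfg.get("serviceAccount", "default") == "default":
            findings.append(f"{name}: nodes run as the project default service account "
                            f"(--service-account)")
        shielded = cfg.get("shieldedInstanceConfig", {})
        if not shielded.get("enableSecureBoot"):
            findings.append(f"{name}: Secure Boot off (--shielded-secure-boot)")
        if not shielded.get("enableIntegrityMonitoring"):
            findings.append(f"{name}: integrity monitoring off "
                            f"(--shielded-integrity-monitoring)")
    return findings


if __name__ == "__main__":
    for finding in audit_cluster(SAMPLE_DESCRIBE, "example-project"):
        print(finding)
```

For a real cluster pipe the describe output in: `gcloud container clusters describe example-cluster --format=json | python3 -c 'import sys, audit; print("\n".join(audit.audit_cluster(sys.stdin.read(), "example-project")))'` (module name assumed). Absence of `workloadMetadataConfig` is deliberately reported as a gap rather than skipped, because a pool created without `--workload-metadata=GKE_METADATA` is exactly the case the check exists for.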