NAME
    gcloud container clusters create-auto - create an Autopilot cluster for
        running containers

SYNOPSIS
    gcloud container clusters create-auto NAME [--async]
        [--autoprovisioning-enable-insecure-kubelet-readonly-port]
        [--autoprovisioning-network-tags=TAGS,[TAGS,...]]
        [--autoprovisioning-resource-manager-tags=[KEY=VALUE,...]]
        [--binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE]
        [--boot-disk-kms-key=BOOT_DISK_KMS_KEY]
        [--cluster-ipv4-cidr=CLUSTER_IPV4_CIDR]
        [--cluster-secondary-range-name=NAME]
        [--cluster-version=CLUSTER_VERSION]
        [--containerd-config-from-file=CONTAINERD_CONFIG_FROM_FILE]
        [--create-subnetwork=[KEY=VALUE,...]]
        [--database-encryption-key=DATABASE_ENCRYPTION_KEY]
        [--enable-backup-restore] [--enable-cilium-clusterwide-network-policy]
        [--enable-fleet] [--enable-google-cloud-access]
        [--enable-kubernetes-unstable-apis=API,[API,...]]
        [--enable-master-global-access] [--fleet-project=PROJECT_ID_OR_NUMBER]
        [--labels=[KEY=VALUE,...]] [--logging=[COMPONENT,...]]
        [--monitoring=[COMPONENT,...]] [--network=NETWORK]
        [--private-endpoint-subnetwork=NAME] [--release-channel=CHANNEL]
        [--security-group=SECURITY_GROUP] [--security-posture=SECURITY_POSTURE]
        [--services-ipv4-cidr=CIDR] [--services-secondary-range-name=NAME]
        [--subnetwork=SUBNETWORK] [--workload-policies=WORKLOAD_POLICIES]
        [--workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING]
        [--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
          | --disable-dataplane-v2-flow-observability
          | --enable-dataplane-v2-flow-observability]
        [--enable-master-authorized-networks
          --master-authorized-networks=NETWORK,[NETWORK,...]]
        [--enable-private-endpoint
          --enable-private-nodes --master-ipv4-cidr=MASTER_IPV4_CIDR]
        [--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
        [--scopes=[SCOPE,...];
          default="gke-default" --service-account=SERVICE_ACCOUNT]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    Create an Autopilot cluster for running containers.

EXAMPLES
    To create a cluster with the default configuration, run:

        $ gcloud container clusters create-auto sample-cluster

POSITIONAL ARGUMENTS
     NAME
        The name of the cluster to create.

        The name may contain only lowercase alphanumerics and '-', must start
        with a letter and end with an alphanumeric, and must be no longer than
        40 characters.

FLAGS
     --async
        Return immediately, without waiting for the operation in progress to
        complete.

     --autoprovisioning-enable-insecure-kubelet-readonly-port
        Enables the Kubelet's insecure read only port for Autoprovisioned Node
        Pools.

        If not set, the value from nodePoolDefaults.nodeConfigDefaults will be
        used.

        To disable the readonly port
        --no-autoprovisioning-enable-insecure-kubelet-readonly-port.

     --autoprovisioning-network-tags=TAGS,[TAGS,...]
        Applies the given Compute Engine tags (comma separated) on all nodes in
        the auto-provisioned node pools of the new Standard cluster or the new
        Autopilot cluster.

        Examples:

            $ gcloud container clusters create-auto example-cluster \
                --autoprovisioning-network-tags=tag1,tag2

        New nodes in auto-provisioned node pools, including ones created by
        resize or recreate, will have these tags on the Compute Engine API
        instance object and can be used in firewall rules. See
        https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create
        for examples.

     --autoprovisioning-resource-manager-tags=[KEY=VALUE,...]
        Applies the specified comma-separated resource manager tags that has
        the GCE_FIREWALL purpose to all nodes in the new Autopilot cluster or
        all auto-provisioned nodes in the new Standard cluster.

        Examples:

            $ gcloud container clusters create-auto example-cluster \
                --autoprovisioning-resource-manager-tags=tagKeys/\
            1234=tagValues/2345
            $ gcloud container clusters create-auto example-cluster \
                --autoprovisioning-resource-manager-tags=my-project/key1=value1
            $ gcloud container clusters create-auto example-cluster \
                --autoprovisioning-resource-manager-tags=12345/key1=value1,\
            23456/key2=value2
            $ gcloud container clusters create-auto example-cluster \
                --autoprovisioning-resource-manager-tags=

        All nodes in an Autopilot cluster or all auto-provisioned nodes in a
        Standard cluster, including nodes that are resized or re-created, will
        have the specified tags on the corresponding Instance object in the
        Compute Engine API. You can reference these tags in network firewall
        policy rules. For instructions, see
        https://cloud.google.com/firewall/docs/use-tags-for-firewalls.

     Flags for Binary Authorization:

       --binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE
          Enable Binary Authorization for this cluster.
          BINAUTHZ_EVALUATION_MODE must be one of: disabled,
          project-singleton-policy-enforce.

     --boot-disk-kms-key=BOOT_DISK_KMS_KEY
        The Customer Managed Encryption Key used to encrypt the boot disk
        attached to each node in the node pool. This should be of the form
        projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME].
        For more information about protecting resources with Cloud KMS Keys
        please see:
        https://cloud.google.com/compute/docs/disks/customer-managed-encryption

     --cluster-ipv4-cidr=CLUSTER_IPV4_CIDR
        The IP address range for the pods in this cluster in CIDR notation
        (e.g. 10.0.0.0/14). Prior to Kubernetes version 1.7.0 this must be a
        subset of 10.0.0.0/8; however, starting with version 1.7.0 can be any
        RFC 1918 IP range.

        If you omit this option, a range is chosen automatically. The
        automatically chosen range is randomly selected from 10.0.0.0/8 and
        will not include IP address ranges allocated to VMs, existing routes,
        or ranges allocated to other clusters. The automatically chosen range
        might conflict with reserved IP addresses, dynamic routes, or routes
        within VPCs that peer with this cluster. You should specify
        --cluster-ipv4-cidr to prevent conflicts.

        This field is not applicable in a Shared VPC setup where the IP address
        range for the pods must be specified with
        --cluster-secondary-range-name

     --cluster-secondary-range-name=NAME
        Set the secondary range to be used as the source for pod IPs. Alias
        ranges will be allocated from this secondary range. NAME must be the
        name of an existing secondary range in the cluster subnetwork.

        Cannot be used with '--create-subnetwork' option.

     --cluster-version=CLUSTER_VERSION
        The Kubernetes version to use for the master and nodes. Defaults to
        server-specified.

        The default Kubernetes version is available using the following
        command.

            $ gcloud container get-server-config

     --containerd-config-from-file=CONTAINERD_CONFIG_FROM_FILE
        Path of the YAML file that contains containerd configuration entries
        like configuring access to private image registries.

        For detailed information on the configuration usage, please refer to
        https://cloud.google.com/kubernetes-engine/docs/how-to/customize-containerd-configuration.

        Note: Updating the containerd configuration of an existing cluster or
        node pool requires recreation of the existing nodes, which might cause
        disruptions in running workloads.

     --create-subnetwork=[KEY=VALUE,...]
        Create a new subnetwork for the cluster. The name and range of the
        subnetwork can be customized via optional 'name' and 'range' key-value
        pairs.

        'name' specifies the name of the subnetwork to be created.

        'range' specifies the IP range for the new subnetwork. This can either
        be a netmask size (e.g. '/20') or a CIDR range (e.g. '10.0.0.0/20'). If
        a netmask size is specified, the IP is automatically taken from the
        free space in the cluster's network.

        Examples:

        Create a new subnetwork with a default name and size.

            $ gcloud container clusters create-auto --create-subnetwork ""

        Create a new subnetwork named "my-subnet" with netmask of size 21.

            $ gcloud container clusters create-auto \
                --create-subnetwork name=my-subnet,range=/21

        Create a new subnetwork with a default name with the primary range of
        10.100.0.0/16.

            $ gcloud container clusters create-auto \
                --create-subnetwork range=10.100.0.0/16

        Create a new subnetwork with the name "my-subnet" with a default range.

            $ gcloud container clusters create-auto \
                --create-subnetwork name=my-subnet

        Cannot be used in conjunction with '--subnetwork' option.

     --database-encryption-key=DATABASE_ENCRYPTION_KEY
        Enable Database Encryption.

        Enable database encryption that will be used to encrypt Kubernetes
        Secrets at the application layer. The key provided should be the
        resource ID in the format of
        projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME].
        For more information, see
        https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.

     --enable-backup-restore
        Enable the Backup for GKE add-on. This add-on is disabled by default.
        To learn more, see the Backup for GKE overview:
        https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/concepts/backup-for-gke.

     --enable-cilium-clusterwide-network-policy
        Enable Cilium Clusterwide Network Policies on the cluster. Disabled by
        default.

     --enable-fleet
        Set cluster project as the fleet host project. This will register the
        cluster to the same project. To register the cluster to a fleet in a
        different project, please use --fleet-project=FLEET_HOST_PROJECT.
        Example: $ gcloud container clusters create-auto --enable-fleet

     --enable-google-cloud-access
        When you enable Google Cloud Access, any public IP addresses owned by
        Google Cloud can reach the public control plane endpoint of your
        cluster.

     --enable-kubernetes-unstable-apis=API,[API,...]
        Enable Kubernetes beta API features on this cluster. Beta APIs are not
        expected to be production ready and should be avoided in
        production-grade environments.

     --enable-master-global-access
        Use with private clusters to allow access to the master's private
        endpoint from any Google Cloud region or on-premises environment
        regardless of the private cluster's region.

     --fleet-project=PROJECT_ID_OR_NUMBER
        Sets fleet host project for the cluster. If specified, the current
        cluster will be registered as a fleet membership under the fleet host
        project.

        Example: $ gcloud container clusters create-auto
        --fleet-project=my-project

     --labels=[KEY=VALUE,...]
        Labels to apply to the Google Cloud resources in use by the Kubernetes
        Engine cluster. These are unrelated to Kubernetes labels.

        Examples:

            $ gcloud container clusters create-auto example-cluster \
                --labels=label_a=value1,label_b=,label_c=value3

     --logging=[COMPONENT,...]
        Set the components that have logging enabled. Valid component values
        are: SYSTEM, WORKLOAD, API_SERVER, CONTROLLER_MANAGER, SCHEDULER

        The default is SYSTEM,WORKLOAD. If this flag is set, then SYSTEM must
        be included.

        For more information, see
        https://cloud.google.com/stackdriver/docs/solutions/gke/installing#available-logs

        Examples:

            $ gcloud container clusters create-auto --logging=SYSTEM
            $ gcloud container clusters create-auto --logging=SYSTEM,WORKLOAD
            $ gcloud container clusters create-auto \
                --logging=SYSTEM,WORKLOAD,API_SERVER,CONTROLLER_MANAGER,\
            SCHEDULER

     --monitoring=[COMPONENT,...]
        Set the components that have monitoring enabled. Valid component values
        are: SYSTEM, WORKLOAD (Deprecated), NONE, API_SERVER,
        CONTROLLER_MANAGER, SCHEDULER, DAEMONSET, DEPLOYMENT, HPA, POD,
        STATEFULSET, STORAGE

        For more information, see
        https://cloud.google.com/stackdriver/docs/solutions/gke/installing#available-metrics

        Examples:

            $ gcloud container clusters create-auto \
                --monitoring=SYSTEM,API_SERVER,POD
            $ gcloud container clusters create-auto --monitoring=SYSTEM

     --network=NETWORK
        The Compute Engine Network that the cluster will connect to. Google
        Kubernetes Engine will use this network when creating routes and
        firewalls for the clusters. Defaults to the 'default' network.

     --private-endpoint-subnetwork=NAME
        Sets the subnetwork GKE uses to provision the control plane's private
        endpoint.

     --release-channel=CHANNEL
        Release channel a cluster is subscribed to.

        If left unspecified and a version is specified, the cluster is enrolled
        in the most mature release channel where the version is available
        (first checking STABLE, then REGULAR, and finally RAPID). Otherwise, if
        no release channel and no version is specified, the cluster is enrolled
        in the REGULAR channel with its default version. When a cluster is
        subscribed to a release channel, Google maintains both the master
        version and the node version. Node auto-upgrade is enabled by default
        for release channel clusters and can be controlled via upgrade-scope
        exclusions
        (https://cloud.google.com/kubernetes-engine/docs/concepts/maintenance-windows-and-exclusions#scope_of_maintenance_to_exclude).

        CHANNEL must be one of:

         rapid
            'rapid' channel is offered on an early access basis for customers
            who want to test new releases.

            WARNING: Versions available in the 'rapid' channel may be subject
            to unresolved issues with no known workaround and are not subject
            to any SLAs.

         regular
            Clusters subscribed to 'regular' receive versions that are
            considered GA quality. 'regular' is intended for production users
            who want to take advantage of new features.
         stable
            Clusters subscribed to 'stable' receive versions that are known to
            be stable and reliable in production.

     --security-group=SECURITY_GROUP
        The name of the RBAC security group for use with Google security groups
        in Kubernetes RBAC
        (https://kubernetes.io/docs/reference/access-authn-authz/rbac/).

        To include group membership as part of the claims issued by Google
        during authentication, a group must be designated as a security group
        by including it as a direct member of this group.

        If unspecified, no groups will be returned for use with RBAC.

     --security-posture=SECURITY_POSTURE
        Sets the mode of the Kubernetes security posture API's off-cluster
        features.

        To enable advanced mode explicitly set the flag to
        --security-posture=enterprise.

        To enable in standard mode explicitly set the flag to
        --security-posture=standard

        To disable in an existing cluster, explicitly set the flag to
        --security-posture=disabled.

        SECURITY_POSTURE must be one of: disabled, standard, enterprise.

     --services-ipv4-cidr=CIDR
        Set the IP range for the services IPs.

        Can be specified as a netmask size (e.g. '/20') or as in CIDR notion
        (e.g. '10.100.0.0/20'). If given as a netmask size, the IP range will
        be chosen automatically from the available space in the network.

        If unspecified, the services CIDR range will be chosen with a default
        mask size.

     --services-secondary-range-name=NAME
        Set the secondary range to be used for services (e.g. ClusterIPs). NAME
        must be the name of an existing secondary range in the cluster
        subnetwork.

        Cannot be used with '--create-subnetwork' option.

     --subnetwork=SUBNETWORK
        The Google Compute Engine subnetwork
        (https://cloud.google.com/compute/docs/subnetworks) to which the
        cluster is connected. The subnetwork must belong to the network
        specified by --network.

        Cannot be used with the "--create-subnetwork" option.

     --workload-policies=WORKLOAD_POLICIES
        Add Autopilot workload policies to the cluster.

        Examples:

            $ gcloud container clusters create-auto example-cluster \
                --workload-policies=allow-net-admin

        The only supported workload policy is 'allow-net-admin'.

     --workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING
        Sets the mode of the Kubernetes security posture API's workload
        vulnerability scanning.

        To enable Advanced vulnerability insights mode explicitly set the flag
        to --workload-vulnerability-scanning=enterprise.

        To enable in standard mode explicitly set the flag to
        --workload-vulnerability-scanning=standard.

        To disable in an existing cluster, explicitly set the flag to
        --workload-vulnerability-scanning=disabled.

        WORKLOAD_VULNERABILITY_SCANNING must be one of: disabled, standard,
        enterprise.

     At most one of these can be specified:

       --dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
          (REMOVED) Select Advanced Datapath Observability mode for the
          cluster. Defaults to DISABLED.

          Advanced Datapath Observability allows for a real-time view into
          pod-to-pod traffic within your cluster.

          Examples:

              $ gcloud container clusters create-auto \
                  --dataplane-v2-observability-mode=DISABLED

              $ gcloud container clusters create-auto \
                  --dataplane-v2-observability-mode=INTERNAL_VPC_LB

              $ gcloud container clusters create-auto \
                  --dataplane-v2-observability-mode=EXTERNAL_LB

          Flag --dataplane-v2-observability-mode has been removed.

          DATAPLANE_V2_OBSERVABILITY_MODE must be one of:

           DISABLED
              Disables Advanced Datapath Observability.
           EXTERNAL_LB
              Makes Advanced Datapath Observability available to the external
              network.
           INTERNAL_VPC_LB
              Makes Advanced Datapath Observability available from the VPC
              network.

       --disable-dataplane-v2-flow-observability
          Disables Advanced Datapath Observability.

       --enable-dataplane-v2-flow-observability
          Enables Advanced Datapath Observability which allows for a real-time
          view into pod-to-pod traffic within your cluster.

     Master Authorized Networks

       --enable-master-authorized-networks
          Allow only specified set of CIDR blocks (specified by the
          --master-authorized-networks flag) to connect to Kubernetes master
          through HTTPS. Besides these blocks, the following have access as
          well:

              1) The private network the cluster connects to if
              `--enable-private-nodes` is specified.
              2) Google Compute Engine Public IPs if `--enable-private-nodes` is not
              specified.

          Use --no-enable-master-authorized-networks to disable. When disabled,
          public internet (0.0.0.0/0) is allowed to connect to Kubernetes
          master through HTTPS.

       --master-authorized-networks=NETWORK,[NETWORK,...]
          The list of CIDR blocks (up to 100 for private cluster, 50 for public
          cluster) that are allowed to connect to Kubernetes master through
          HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot be
          specified unless --enable-master-authorized-networks is also
          specified.

     Private Clusters

       --enable-private-endpoint
          Cluster is managed using the private IP address of the master API
          endpoint.

       --enable-private-nodes
          Cluster is created with no public IP addresses on the cluster nodes.

       --master-ipv4-cidr=MASTER_IPV4_CIDR
          IPv4 CIDR range to use for the master network. This should have a
          netmask of size /28 and should be used in conjunction with the
          --enable-private-nodes flag.

     At most one of these can be specified:

       --location=LOCATION
          Compute zone or region (e.g. us-central1-a or us-central1) for the
          cluster. Prefer using this flag over the --region or --zone flags.

       --region=REGION
          Compute region (e.g. us-central1) for a regional cluster.

       --zone=ZONE, -z ZONE
          Compute zone (e.g. us-central1-a) for a zonal cluster. Overrides the
          default compute/zone property value for this command invocation.

     Options to specify the node identity.

       Scopes options.

         --scopes=[SCOPE,...]; default="gke-default"
            Specifies scopes for the node instances.

            Examples:

                $ gcloud container clusters create-auto example-cluster \
                    --scopes=https://www.googleapis.com/auth/devstorage.read_only

                $ gcloud container clusters create-auto example-cluster \
                    --scopes=bigquery,storage-rw,compute-ro

            Multiple scopes can be specified, separated by commas. Various
            scopes are automatically added based on feature usage. Such scopes
            are not added if an equivalent scope already exists.

            ▫ monitoring-write: always added to ensure metrics can be written
            ▫ logging-write: added if Cloud Logging is enabled
              (--enable-cloud-logging/--logging)
            ▫ monitoring: added if Cloud Monitoring is enabled
              (--enable-cloud-monitoring/--monitoring)
            ▫ gke-default: added for Autopilot clusters that use the default
              service account
            ▫ cloud-platform: added for Autopilot clusters that use any other
              service account

            SCOPE can be either the full URI of the scope or an alias. Default
            scopes are assigned to all instances. Available aliases are:

              Alias                  URI
              bigquery               https://www.googleapis.com/auth/bigquery
              cloud-platform         https://www.googleapis.com/auth/cloud-platform
              cloud-source-repos     https://www.googleapis.com/auth/source.full_control
              cloud-source-repos-ro  https://www.googleapis.com/auth/source.read_only
              compute-ro             https://www.googleapis.com/auth/compute.readonly
              compute-rw             https://www.googleapis.com/auth/compute
              datastore              https://www.googleapis.com/auth/datastore
              default                https://www.googleapis.com/auth/devstorage.read_only
                                     https://www.googleapis.com/auth/logging.write
                                     https://www.googleapis.com/auth/monitoring.write
                                     https://www.googleapis.com/auth/pubsub
                                     https://www.googleapis.com/auth/service.management.readonly
                                     https://www.googleapis.com/auth/servicecontrol
                                     https://www.googleapis.com/auth/trace.append
              gke-default            https://www.googleapis.com/auth/devstorage.read_only
                                     https://www.googleapis.com/auth/logging.write
                                     https://www.googleapis.com/auth/monitoring
                                     https://www.googleapis.com/auth/service.management.readonly
                                     https://www.googleapis.com/auth/servicecontrol
                                     https://www.googleapis.com/auth/trace.append
              logging-write          https://www.googleapis.com/auth/logging.write
              monitoring             https://www.googleapis.com/auth/monitoring
              monitoring-read        https://www.googleapis.com/auth/monitoring.read
              monitoring-write       https://www.googleapis.com/auth/monitoring.write
              pubsub                 https://www.googleapis.com/auth/pubsub
              service-control        https://www.googleapis.com/auth/servicecontrol
              service-management     https://www.googleapis.com/auth/service.management.readonly
              sql (deprecated)       https://www.googleapis.com/auth/sqlservice
              sql-admin              https://www.googleapis.com/auth/sqlservice.admin
              storage-full           https://www.googleapis.com/auth/devstorage.full_control
              storage-ro             https://www.googleapis.com/auth/devstorage.read_only
              storage-rw             https://www.googleapis.com/auth/devstorage.read_write
              taskqueue              https://www.googleapis.com/auth/taskqueue
              trace                  https://www.googleapis.com/auth/trace.append
              userinfo-email         https://www.googleapis.com/auth/userinfo.email

            DEPRECATION WARNING: https://www.googleapis.com/auth/sqlservice
            account scope and sql alias do not provide SQL instance management
            capabilities and have been deprecated. Please, use
            https://www.googleapis.com/auth/sqlservice.admin or sql-admin to
            manage your Google SQL Service instances.

       --service-account=SERVICE_ACCOUNT
          The Google Cloud Platform Service Account to be used by the node VMs.
          If a service account is specified, the cloud-platform and
          userinfo.email scopes are used. If no Service Account is specified,
          the project default service account is used.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    These variants are also available:

        $ gcloud alpha container clusters create-auto

        $ gcloud beta container clusters create-auto

