NAME
    gcloud container clusters update - update cluster settings for an existing
        container cluster

SYNOPSIS
    gcloud container clusters update NAME
        (--anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG
          | --autopilot-general-profile=AUTOPILOT_GENERAL_PROFILE
          | --autopilot-privileged-admission=[ALLOWLIST_PATHS,...]
          | --autopilot-workload-policies=WORKLOAD_POLICIES
          | --autoprovisioning-cgroup-mode=AUTOPROVISIONING_CGROUP_MODE
          | --autoprovisioning-enable-insecure-kubelet-readonly-port
          | --autoprovisioning-network-tags=[TAGS,...]
          | --autoprovisioning-resource-manager-tags=[KEY=VALUE,...]
          | --autoscaling-profile=AUTOSCALING_PROFILE
          | --complete-credential-rotation | --complete-ip-rotation
          | --containerd-config-from-file=PATH_TO_FILE
          | --control-plane-egress=CONTROL_PLANE_EGRESS
          | --database-encryption-key=DATABASE_ENCRYPTION_KEY
          | --disable-database-encryption | --disable-default-snat
          | --disable-multi-nic-lustre | --disable-workload-identity
          | --[no-]enable-autopilot-compatibility-auditing
          | --enable-autoscaling
          | --[no-]enable-cilium-clusterwide-network-policy
          | --enable-cost-allocation | --enable-default-compute-class
          | --enable-fqdn-network-policy | --enable-identity-service
          | --enable-image-streaming | --enable-insecure-kubelet-readonly-port
          | --enable-intra-node-visibility
          | --enable-kernel-module-signature-enforcement
          | --enable-kubernetes-unstable-apis=API,[API,...]
          | --enable-l4-ilb-subsetting | --enable-legacy-authorization
          | --enable-legacy-lustre-port | --enable-multi-networking
          | --enable-network-policy | --enable-private-nodes
          | --[no-]enable-ray-cluster-logging
          | --[no-]enable-ray-cluster-monitoring | --enable-service-externalips
          | --enable-shielded-nodes | --enable-stackdriver-kubernetes
          | --enable-vertical-pod-autoscaling | --gateway-api=GATEWAY_API
          | --generate-password | --hpa-profile=HPA_PROFILE
          | --in-transit-encryption=IN_TRANSIT_ENCRYPTION
          | --logging-variant=LOGGING_VARIANT | --maintenance-window=START_TIME
          | --network-performance-configs=[PROPERTY1=VALUE1,...]
          | --node-locations=ZONE,[ZONE,...]
          | --notification-config=[pubsub=ENABLED|DISABLED,
          pubsub-topic=TOPIC,...] | --patch-update=[PATCH_UPDATE]
          | --private-ipv6-google-access-type=PRIVATE_IPV6_GOOGLE_ACCESS_TYPE
          | --release-channel=CHANNEL
          | --remove-autopilot-workload-policies=REMOVE_WORKLOAD_POLICIES
          | --remove-labels=[KEY,...]
          | --remove-workload-policies=REMOVE_WORKLOAD_POLICIES
          | --security-group=SECURITY_GROUP
          | --security-posture=SECURITY_POSTURE | --set-password
          | --stack-type=STACK_TYPE | --start-credential-rotation
          | --start-ip-rotation | --tier=TIER
          | --update-addons=[ADDON=ENABLED|DISABLED,...]
          | --update-labels=[KEY=VALUE,...]
          | --workload-policies=WORKLOAD_POLICIES
          | --workload-pool=WORKLOAD_POOL
          | --workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING
          | --additional-ip-ranges=[subnetwork=NAME,pod-ipv4-range=NAME,...]
          --remove-additional-ip-ranges=[subnetwork=NAME,
          pod-ipv4-range=NAME,...]
          | --additional-pod-ipv4-ranges=NAME,[NAME,...]
          --remove-additional-pod-ipv4-ranges=NAME,[NAME,...]
          | --auto-monitoring-scope=AUTO_MONITORING_SCOPE
          --logging=[COMPONENT,...]
          --monitoring=[COMPONENT,...] --disable-managed-prometheus
          | --enable-managed-prometheus
          | --binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE
          | --enable-binauthz | --clear-fleet-project --enable-fleet
          --fleet-project=PROJECT_ID_OR_NUMBER
          --membership-type=MEMBERSHIP_TYPE --unset-membership-type
          | --clear-maintenance-minor-version-disruption-interval
          | --maintenance-minor-version-disruption-interval=MAINTENANCE_MINOR_VERSION_DISRUPTION_INTERVAL --clear-maintenance-patch-version-disruption-interval | --maintenance-patch-version-disruption-interval=MAINTENANCE_PATCH_VERSION_DISRUPTION_INTERVAL | --clear-maintenance-window | --remove-maintenance-exclusion=NAME | [(--add-maintenance-exclusion-end=TIME_STAMP | --add-maintenance-exclusion-until-end-of-support) : --add-maintenance-exclusion-name=NAME --add-maintenance-exclusion-scope=SCOPE --add-maintenance-exclusion-start=TIME_STAMP] | --maintenance-window-end=TIME_STAMP --maintenance-window-recurrence=RRULE --maintenance-window-start=TIME_STAMP | --clear-resource-usage-bigquery-dataset | --enable-network-egress-metering --enable-resource-consumption-metering --resource-usage-bigquery-dataset=RESOURCE_USAGE_BIGQUERY_DATASET | --cluster-dns=CLUSTER_DNS --cluster-dns-domain=CLUSTER_DNS_DOMAIN --cluster-dns-scope=CLUSTER_DNS_SCOPE --additive-vpc-scope-dns-domain=ADDITIVE_VPC_SCOPE_DNS_DOMAIN | --disable-additive-vpc-scope | --dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE | --disable-dataplane-v2-flow-observability | --enable-dataplane-v2-flow-observability --disable-dataplane-v2-metrics | --enable-dataplane-v2-metrics | --disable-auto-ipam | --enable-auto-ipam | --disable-l4-lb-firewall-reconciliation | --enable-l4-lb-firewall-reconciliation | --disable-pod-snapshots | --enable-pod-snapshots | --enable-authorized-networks-on-private-endpoint --enable-dns-access --enable-google-cloud-access --enable-ip-access --enable-k8s-certs-via-dns --enable-k8s-tokens-via-dns --enable-master-global-access --enable-private-endpoint --enable-master-authorized-networks --master-authorized-networks=NETWORK,
          [NETWORK,...] | --enable-autoprovisioning
          --autoprovisioning-config-file=PATH_TO_FILE
          | --autoprovisioning-image-type=AUTOPROVISIONING_IMAGE_TYPE
          --autoprovisioning-locations=ZONE,[ZONE,...]
          --autoprovisioning-min-cpu-platform=PLATFORM --max-cpu=MAX_CPU
          --max-memory=MAX_MEMORY --min-cpu=MIN_CPU --min-memory=MIN_MEMORY
          --autoprovisioning-max-surge-upgrade=AUTOPROVISIONING_MAX_SURGE_UPGRADE --autoprovisioning-max-unavailable-upgrade=AUTOPROVISIONING_MAX_UNAVAILABLE_UPGRADE --autoprovisioning-node-pool-soak-duration=AUTOPROVISIONING_NODE_POOL_SOAK_DURATION --autoprovisioning-standard-rollout-policy=[batch-node-count=BATCH_NODE_COUNT,
          batch-percent=BATCH_NODE_PERCENTAGE,
          batch-soak-duration=BATCH_SOAK_DURATION,...]
          --enable-autoprovisioning-blue-green-upgrade
          | --enable-autoprovisioning-surge-upgrade
          --autoprovisioning-scopes=[SCOPE,...]
          --autoprovisioning-service-account=AUTOPROVISIONING_SERVICE_ACCOUNT
          --enable-autoprovisioning-autorepair
          --enable-autoprovisioning-autoupgrade
          [--max-accelerator=[type=TYPE,count=COUNT,...]
          : --min-accelerator=[type=TYPE,count=COUNT,...]]
          | --enable-insecure-binding-system-authenticated
          --enable-insecure-binding-system-unauthenticated
          | --logging-service=LOGGING_SERVICE
          --monitoring-service=MONITORING_SERVICE
          | --[no-]enable-secret-manager --[no-]enable-secret-manager-rotation
          --secret-manager-rotation-interval=SECRET_MANAGER_ROTATION_INTERVAL
          | --password=PASSWORD --enable-basic-auth
          | --username=USERNAME, -u USERNAME) [--async]
        [--cloud-run-config=[load-balancer-type=EXTERNAL,...]]
        [--node-pool=NODE_POOL]
        [--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
        [--location-policy=LOCATION_POLICY --max-nodes=MAX_NODES
          --min-nodes=MIN_NODES
          --total-max-nodes=TOTAL_MAX_NODES --total-min-nodes=TOTAL_MIN_NODES]
        [GCLOUD_WIDE_FLAG ...]

DESCRIPTION
    Update cluster settings for an existing container cluster.

EXAMPLES
    To enable autoscaling for an existing cluster, run:

        $ gcloud container clusters update sample-cluster \
            --enable-autoscaling

POSITIONAL ARGUMENTS
     NAME
        The name of the cluster to update.

REQUIRED FLAGS
     Exactly one of these must be specified:

       --anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG
          Enable or restrict anonymous access to the cluster. When enabled,
          anonymous users will be authenticated as system:anonymous with the
          group system:unauthenticated. Limiting access restricts anonymous
          access to only the health check endpoints /readyz, /livez, and
          /healthz.

          ANONYMOUS_AUTHENTICATION_CONFIG must be one of:

           ENABLED
              'ENABLED' enables anonymous calls.
           LIMITED
              'LIMITED' restricts anonymous access to the cluster. Only calls
              to the health check endpoints are allowed anonymously, all other
              calls will be rejected.

       --autopilot-general-profile=AUTOPILOT_GENERAL_PROFILE
          Sets the Autopilot general profile for the cluster; possible values
          are none and no-performance. If none is used, the cluster will use
          the Autopilot default configuration. AUTOPILOT_GENERAL_PROFILE must
          be one of: none, no-performance.

       --autopilot-privileged-admission=[ALLOWLIST_PATHS,...]
          Specifies which privileged workload allowlist paths can be referenced
          and installed by AllowlistSynchronizers in Autopilot modes.

          The value is a comma-separated list of paths in the format:

          ▸ gke://<partner_name>/<app_name>/<allowlist_path> for Autopilot
            partner allowlists
          ▸ gs://<bucket_name>/<allowlist_path> for user allowlists

          By default, all GKE-managed allowlists (gke://*) are authorized. See
          https://cloud.google.com/kubernetes-engine/docs/resources/autopilot-partners
          for all supported Autopilot partner allowlists. When setting this
          flag, be careful to explicitly specify gke://* in addition to other
          entries if you rely on this default behavior.

          Wildcards (*) are supported. For example, if gke://* is authorized,
          then AllowlistSynchronizers can be used to install
          gke://partner1/allowlist1.yaml and gke://partner2/allowlist2.yaml.

          Note: Use of user allowlists (gs://) requires special permissions and
          is only available to a subset of high tier customers. Please contact
          your account team for more information.

          Examples:

          Allow all GKE-managed allowlists (default behavior):

              $ gcloud container clusters update \
                  --autopilot-privileged-admission=gke://*

          Authorize only allowlists from a GKE Autopilot partner:

              $ gcloud container clusters update \
                  --autopilot-privileged-admission=gke://my-partner/*

          Authorize only a singular user-owned allowlist

              $ gcloud container clusters update \
                  --autopilot-privileged-admission=gs://my-bucket/allowlists/\
              my-allowlist.yaml

          Authorize all user-owned allowlists under a given path:

              $ gcloud container clusters update \
                  --autopilot-privileged-admission=gs://my-bucket/*

          Authorize all GKE-managed allowlists and a specific user-owned
          allowlist:

              $ gcloud container clusters update \
                  --autopilot-privileged-admission=gke://*,gs://my-bucket/\
              allowlists/my-allowlist.yaml

          Disable allowlist installation entirely:

              $ gcloud container clusters update \
                  --autopilot-privileged-admission=""

          Exercise caution when using this flag on an existing cluster. Upon
          updates, existing AllowlistSynchronizers will uninstall allowlists
          that are no longer authorized.

          For instructions on installing allowlists in the cluster after
          authorization, please refer to:
          https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads

       --autopilot-workload-policies=WORKLOAD_POLICIES
          Add Autopilot workload policies to the cluster.

          Examples:

              $ gcloud container clusters update example-cluster \
                  --autopilot-workload-policies=allow-net-admin

          The only supported workload policy is 'allow-net-admin'.

       --autoprovisioning-cgroup-mode=AUTOPROVISIONING_CGROUP_MODE
          Sets the cgroup mode for auto-provisioned nodes.

          Updating this flag triggers an update using surge upgrades of all
          existing auto-provisioned nodes to apply the new value of cgroup
          mode.

          For an Autopilot cluster, the specified cgroup mode will be set on
          all existing and new nodes in the cluster. For a Standard cluster,
          the specified cgroup mode will be set on all existing and new
          auto-provisioned node pools in the cluster.

          If not set, GKE uses cgroupv2 for new nodes when the cluster was
          created running 1.26 or later, and cgroupv1 for clusters created
          running 1.25 or earlier. To check your initial cluster version, run
          gcloud container clusters describe [NAME]
          --format="value(initialClusterVersion)"

          For clusters created running version 1.26 or later, you can't set the
          cgroup mode to v1.

          To learn more, see:
          https://cloud.google.com/kubernetes-engine/docs/how-to/migrate-cgroupv2.

          AUTOPROVISIONING_CGROUP_MODE must be one of: default, v1, v2.

       --autoprovisioning-enable-insecure-kubelet-readonly-port
          Enables the Kubelet's insecure read only port for Autoprovisioned
          Node Pools.

          If not set, the value from nodePoolDefaults.nodeConfigDefaults will
          be used.

          To disable the readonly port
          --no-autoprovisioning-enable-insecure-kubelet-readonly-port.

       --autoprovisioning-network-tags=[TAGS,...]
          Replaces the user specified Compute Engine tags on all nodes in all
          the existing auto-provisioned node pools in the Standard cluster or
          the Autopilot with the given tags (comma separated).

          Examples:

              $ gcloud container clusters update example-cluster \
                  --autoprovisioning-network-tags=tag1,tag2

          New nodes in auto-provisioned node pools, including ones created by
          resize or recreate, will have these tags on the Compute Engine API
          instance object and these tags can be used in firewall rules. See
          https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create
          for examples.

       --autoprovisioning-resource-manager-tags=[KEY=VALUE,...]
          For an Autopilot cluster, the specified comma-separated resource
          manager tags that has the GCP_FIREWALL purpose replace the existing
          tags on all nodes in the cluster.

          For a Standard cluster, the specified comma-separated resource
          manager tags that has the GCE_FIREWALL purpose are applied to all
          nodes in the new newly created auto-provisioned node pools. Existing
          auto-provisioned node pools retain the tags that they had before the
          update. To update tags on an existing auto-provisioned node pool, use
          the node pool level flag '--resource-manager-tags'.

          Examples:

              $ gcloud container clusters update example-cluster \
                  --autoprovisioning-resource-manager-tags=tagKeys/\
              1234=tagValues/2345
              $ gcloud container clusters update example-cluster \
                  --autoprovisioning-resource-manager-tags=my-project/key1=value1
              $ gcloud container clusters update example-cluster \
                  --autoprovisioning-resource-manager-tags=12345/key1=value1,\
              23456/key2=value2
              $ gcloud container clusters update example-cluster \
                  --autoprovisioning-resource-manager-tags=

          All nodes in an Autopilot cluster or all newly created
          auto-provisioned nodes in a Standard cluster, including nodes that
          are resized or re-created, will have the specified tags on the
          corresponding Instance object in the Compute Engine API. You can
          reference these tags in network firewall policy rules. For
          instructions, see
          https://cloud.google.com/firewall/docs/use-tags-for-firewalls.

       --autoscaling-profile=AUTOSCALING_PROFILE
          Set autoscaling behaviour, choices are 'optimize-utilization' and
          'balanced'. Default is 'balanced'.

       --complete-credential-rotation
          Complete the IP and credential rotation for this cluster. For
          example:

              $ gcloud container clusters update example-cluster \
                  --complete-credential-rotation

          This causes the cluster to stop serving its old IP, return to a
          single IP, and invalidate old credentials. See documentation for more
          details:
          https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation.

       --complete-ip-rotation
          Complete the IP rotation for this cluster. For example:

              $ gcloud container clusters update example-cluster \
                  --complete-ip-rotation

          This causes the cluster to stop serving its old IP, and return to a
          single IP state. See documentation for more details:
          https://cloud.google.com/kubernetes-engine/docs/how-to/ip-rotation.

       --containerd-config-from-file=PATH_TO_FILE
          Path of the YAML file that contains containerd configuration entries
          like configuring access to private image registries.

          For detailed information on the configuration usage, please refer to
          https://cloud.google.com/kubernetes-engine/docs/how-to/customize-containerd-configuration.

          Note: Updating the containerd configuration of an existing cluster or
          node pool requires recreation of the existing nodes, which might
          cause disruptions in running workloads.

          Use a full or relative path to a local file containing the value of
          containerd_config.

       --control-plane-egress=CONTROL_PLANE_EGRESS
          Configures the egress policy for the GKE control plane to control
          outbound traffic from the kube-apiserver. CONTROL_PLANE_EGRESS must
          be one of:

           NONE
              (Recommended) Provides maximum security. This mode removes the
              control plane's public IP address and blocks all outbound traffic
              from the kube-apiserver by default, preventing unexpected data
              exfiltration. Webhooks that use clientConfig.url will be
              disabled. Essential GKE-managed services are still permitted to
              function via an internal allowlist.
           VIA_CONTROL_PLANE
              (Default) Maintains backward compatibility. The control plane
              retains its public IP address and allows egress traffic from the
              kube-apiserver.

       --database-encryption-key=DATABASE_ENCRYPTION_KEY
          Enable Database Encryption.

          Enable database encryption that will be used to encrypt Kubernetes
          Secrets at the application layer. The key provided should be the
          resource ID in the format of
          projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME].
          For more information, see
          https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.

       --disable-database-encryption
          Disable database encryption.

          Disable Database Encryption which encrypt Kubernetes Secrets at the
          application layer. For more information, see
          https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.

       --disable-default-snat
          Disable default source NAT rules applied in cluster nodes.

          By default, cluster nodes perform source network address translation
          (SNAT) for packets sent from Pod IP address sources to destination IP
          addresses that are not in the non-masquerade CIDRs list. For more
          details about SNAT and IP masquerading, see:
          https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent#how_ipmasq_works
          SNAT changes the packet's source IP address to the node's internal IP
          address.

          When this flag is set, GKE does not perform SNAT for packets sent to
          any destination. You must set this flag if the cluster uses privately
          reused public IPs.

          The --disable-default-snat flag is only applicable to private GKE
          clusters, which are inherently VPC-native. Thus,
          --disable-default-snat requires that the cluster was created with
          both --enable-ip-alias and --enable-private-nodes.

       --disable-multi-nic-lustre
          Disable the Lustre CSI driver to automatically detect and configure
          all suitable network interfaces on a node for Lustre IO.

       --disable-workload-identity
          Disable Workload Identity on the cluster.

          For more information on Workload Identity, see

              https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

       --[no-]enable-autopilot-compatibility-auditing
          Lets you run the gcloud container clusters
          check-autopilot-compatibility
          (https://cloud.google.com/sdk/gcloud/reference/container/clusters/check-autopilot-compatibility)
          command to check whether your workloads are compatible with Autopilot
          mode. This flag is only applicable to clusters that run version
          1.31.6-gke.1027000 or later.

          Note: This flag causes a control plane restart.

          Use --enable-autopilot-compatibility-auditing to enable and
          --no-enable-autopilot-compatibility-auditing to disable.

       --enable-autoscaling
          Enables autoscaling for a node pool.

          Enables autoscaling in the node pool specified by --node-pool or the
          default node pool if --node-pool is not provided. If not already,
          --max-nodes or --total-max-nodes must also be set.

       --[no-]enable-cilium-clusterwide-network-policy
          Enable Cilium Clusterwide Network Policies on the cluster. Use
          --enable-cilium-clusterwide-network-policy to enable and
          --no-enable-cilium-clusterwide-network-policy to disable.

       --enable-cost-allocation
          Enable the cost management feature.

          When enabled, you can get informational GKE cost breakdowns by
          cluster, namespace and label in your billing data exported to
          BigQuery
          (https://cloud.google.com/billing/docs/how-to/export-data-bigquery).

          Use --no-enable-cost-allocation to disable this feature.

       --enable-default-compute-class
          Enable the default compute class to use for the cluster.

          To disable Default Compute Class in an existing cluster, explicitly
          set flag --no-enable-default-compute-class.

       --enable-fqdn-network-policy
          Enable FQDN Network Policies on the cluster. FQDN Network Policies
          are disabled by default.

       --enable-identity-service
          Enable Identity Service component on the cluster.

          When enabled, users can authenticate to Kubernetes cluster with
          external identity providers.

          Identity Service is by default disabled when creating a new cluster.
          To disable Identity Service in an existing cluster, explicitly set
          flag --no-enable-identity-service.

       --enable-image-streaming
          Enable Image Streaming for the cluster, allowing nodes to stream
          container image data from Artifact Registry on demand to reduce
          container start times. This flag sets the default for new node pools.
          It is enabled by default on Autopilot clusters.

          See Image Streaming documentation
          (https://cloud.google.com/kubernetes-engine/docs/how-to/image-streaming)
          for full requirements (including version, API enablement and Artifact
          Registry usage). To disable Image Streaming for the cluster, use
          --no-enable-image-streaming.

       --enable-insecure-kubelet-readonly-port
          Enables the Kubelet's insecure read only port.

          To disable the readonly port on a cluster or node-pool set the flag
          to --no-enable-insecure-kubelet-readonly-port.

       --enable-intra-node-visibility
          Enable Intra-node visibility for this cluster.

          Enabling intra-node visibility makes your intra-node pod-to-pod
          traffic visible to the networking fabric. With this feature, you can
          use VPC flow logging or other VPC features for intra-node traffic.

          Enabling it on an existing cluster causes the cluster master and the
          cluster nodes to restart, which might cause a disruption.

       --enable-kernel-module-signature-enforcement
          Enforces that kernel modules are signed on all new nodes in the
          cluster unless explicitly overridden with
          --no-enable-kernel-module-signature-enforcement when creating the
          nodepool. Use --no-enable-kernel-module-signature-enforcement to
          disable.

          Examples:

              $ gcloud container clusters update example-cluster \
                  --enable-kernel-module-signature-enforcement

       --enable-kubernetes-unstable-apis=API,[API,...]
          Enable Kubernetes beta API features on this cluster. Beta APIs are
          not expected to be production ready and should be avoided in
          production-grade environments.

       --enable-l4-ilb-subsetting
          Enable Subsetting for L4 ILB services created on this cluster.

       --enable-legacy-authorization
          Enables the legacy ABAC authentication for the cluster. User rights
          are granted through the use of policies which combine attributes
          together. For a detailed look at these properties and related
          formats, see https://kubernetes.io/docs/admin/authorization/abac/. To
          use RBAC permissions instead, create or update your cluster with the
          option --no-enable-legacy-authorization.

       --enable-legacy-lustre-port
          Allow the Lustre CSI driver to initialize LNet (the virtual network
          layer for Lustre kernel module) using port 6988. This flag is
          required to workaround a port conflict with the gke-metadata-server
          on GKE nodes.

       --enable-multi-networking
          Enables multi-networking on the cluster. Multi-networking is disabled
          by default.

       --enable-network-policy
          Enable network policy enforcement for this cluster. If you are
          enabling network policy on an existing cluster the network policy
          addon must first be enabled on the master by using
          --update-addons=NetworkPolicy=ENABLED flag.

       --enable-private-nodes
          Standard cluster: Enable private nodes as a default behavior for all
          newly created node pools, if --enable-private-nodes is not provided
          at node pool creation time.

              Modifications to this flag do not affect `--enable-private-nodes` state of the
              existing node pools.

          Autopilot cluster: Force new and existing workloads, without explicit
          cloud.google.com/private-node=true node selector, to run on nodes
          with no public IP address.

              Modifications to this flag trigger a re-schedule operation on all existng
              workloads to run on different node VMs.

       --[no-]enable-ray-cluster-logging
          Enable automatic log processing sidecar for Ray clusters. Use
          --enable-ray-cluster-logging to enable and
          --no-enable-ray-cluster-logging to disable.

       --[no-]enable-ray-cluster-monitoring
          Enable automatic metrics collection for Ray clusters. Use
          --enable-ray-cluster-monitoring to enable and
          --no-enable-ray-cluster-monitoring to disable.

       --enable-service-externalips
          Enables use of services with externalIPs field.

       --enable-shielded-nodes
          Enable Shielded Nodes for this cluster. Enabling Shielded Nodes will
          enable a more secure Node credential bootstrapping implementation.
          Starting with version 1.18, clusters will have Shielded GKE nodes by
          default.

       --enable-stackdriver-kubernetes
          (DEPRECATED) Enable Cloud Operations for GKE.

          The --enable-stackdriver-kubernetes flag is deprecated and will be
          removed in an upcoming release. Please use --logging and --monitoring
          instead. For more information, please read:
          https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs
          and
          https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics.

       Or at most one of these can be specified:

         Flags for vertical pod autoscaling:

         --enable-vertical-pod-autoscaling
            Enable vertical pod autoscaling for a cluster.

       --gateway-api=GATEWAY_API
          Enables GKE Gateway controller in this cluster. The value of the flag
          specifies which Open Source Gateway API release channel will be used
          to define Gateway resources. GATEWAY_API must be one of:

           disabled
              Gateway controller will be disabled in the cluster.

           standard
              Gateway controller will be enabled in the cluster. Resource
              definitions from the standard OSS Gateway API release channel
              will be installed.

       --generate-password
          Ask the server to generate a secure password and use that as the
          basic auth password, keeping the existing username.

       --hpa-profile=HPA_PROFILE
          Set Horizontal Pod Autoscaler behavior. Accepted values are: none,
          performance. For more information, see
          https://cloud.google.com/kubernetes-engine/docs/how-to/horizontal-pod-autoscaling#hpa-profile.

       --in-transit-encryption=IN_TRANSIT_ENCRYPTION
          Enable Dataplane V2 in-transit encryption. Dataplane v2 in-transit
          encryption is disabled by default. IN_TRANSIT_ENCRYPTION must be one
          of: inter-node-transparent, none.

       --logging-variant=LOGGING_VARIANT
          Specifies the logging variant that will be deployed on all the nodes
          in the cluster. Valid logging variants are MAX_THROUGHPUT, DEFAULT.
          If no value is specified, DEFAULT is used. LOGGING_VARIANT must be
          one of:

           DEFAULT
              'DEFAULT' variant requests minimal resources but may not
              guarantee high throughput.
           MAX_THROUGHPUT
              'MAX_THROUGHPUT' variant requests more node resources and is able
              to achieve logging throughput up to 10MB per sec.

       --maintenance-window=START_TIME
          Set a time of day when you prefer maintenance to start on this
          cluster. For example:

              $ gcloud container clusters update example-cluster \
                  --maintenance-window=12:43

          The time corresponds to the UTC time zone, and must be in HH:MM
          format.

          Non-emergency maintenance will occur in the 4 hour block starting at
          the specified time.

          This is mutually exclusive with the recurring maintenance windows and
          will overwrite any existing window. Compatible with maintenance
          exclusions.

          To remove an existing maintenance window from the cluster, use
          '--clear-maintenance-window'.

       --network-performance-configs=[PROPERTY1=VALUE1,...]
          Configures network performance settings for the cluster. Node pools
          can override with their own settings.

           total-egress-bandwidth-tier
              Total egress bandwidth is the available outbound bandwidth from a
              VM, regardless of whether the traffic is going to internal IP or
              external IP destinations. The following tier values are allowed:
              [TIER_UNSPECIFIED,TIER_1].

              See
              https://cloud.google.com/compute/docs/networking/configure-vm-with-high-bandwidth-configuration
              for more information.

       --node-locations=ZONE,[ZONE,...]
          The set of zones in which the specified node footprint should be
          replicated. All zones must be in the same region as the cluster's
          master(s), specified by the -location, --zone, or --region flag.
          Additionally, for zonal clusters, --node-locations must contain the
          cluster's primary zone. If not specified, all nodes will be in the
          cluster's primary zone (for zonal clusters) or spread across three
          randomly chosen zones within the cluster's region (for regional
          clusters).

          Note that NUM_NODES nodes will be created in each zone, such that if
          you specify --num-nodes=4 and choose two locations, 8 nodes will be
          created.

          Multiple locations can be specified, separated by commas. For
          example:

              $ gcloud container clusters update example-cluster \
                  --location us-central1-a \
                  --node-locations us-central1-a,us-central1-b

       --notification-config=[pubsub=ENABLED|DISABLED,pubsub-topic=TOPIC,...]
          The notification configuration of the cluster. GKE supports
          publishing cluster upgrade notifications to any Pub/Sub topic you
          created in the same project. Create a subscription for the topic
          specified to receive notification messages. See
          https://cloud.google.com/pubsub/docs/admin on how to manage Pub/Sub
          topics and subscriptions. You can also use the filter option to
          specify which event types you'd like to receive from the following
          options: SecurityBulletinEvent, UpgradeEvent, UpgradeInfoEvent,
          UpgradeAvailableEvent.

          Examples:

              $ gcloud container clusters update example-cluster \
                  --notification-config=pubsub=ENABLED,pubsub-topic=projects/\
              {project}/topics/{topic-name}
              $ gcloud container clusters update example-cluster \
                  --notification-config=pubsub=ENABLED,pubsub-topic=projects/\
              {project}/topics/{topic-name},\
              filter="SecurityBulletinEvent|UpgradeEvent"

          The project of the Pub/Sub topic must be the same one as the cluster.
          It can be either the project ID or the project number.

       --patch-update=[PATCH_UPDATE]
          The patch update to use for the cluster.

          Setting to 'accelerated' automatically upgrades the cluster to the
          latest patch available within the cluster's current minor version and
          release channel. Setting to 'default' automatically upgrades the
          cluster to the default patch upgrade targetversion available within
          the cluster's current minor version and release channel.

          PATCH_UPDATE must be one of: accelerated, default.

       --private-ipv6-google-access-type=PRIVATE_IPV6_GOOGLE_ACCESS_TYPE
          Sets the type of private access to Google services over IPv6.

          PRIVATE_IPV6_GOOGLE_ACCESS_TYPE must be one of:

              bidirectional
                Allows Google services to initiate connections to GKE pods in this
                cluster. This is not intended for common use, and requires previous
                integration with Google services.

              disabled
                Default value. Disables private access to Google services over IPv6.

              outbound-only
                Allows GKE pods to make fast, secure requests to Google services
                over IPv6. This is the most common use of private IPv6 access.

              $ gcloud alpha container clusters create       \
                  --private-ipv6-google-access-type=disabled
              $ gcloud alpha container clusters create       \
                  --private-ipv6-google-access-type=outbound-only
              $ gcloud alpha container clusters create       \
                  --private-ipv6-google-access-type=bidirectional

          PRIVATE_IPV6_GOOGLE_ACCESS_TYPE must be one of: bidirectional,
          disabled, outbound-only.

       --release-channel=CHANNEL
          Subscribe or unsubscribe this cluster to a release channel.

          When a cluster is subscribed to a release channel, Google maintains
          both the master version and the node version. Node auto-upgrade is
          enabled by default for release channel clusters and can be controlled
          via upgrade-scope exclusions
          (https://cloud.google.com/kubernetes-engine/docs/concepts/maintenance-windows-and-exclusions#scope_of_maintenance_to_exclude).

          CHANNEL must be one of:

           None
              Use 'None' to opt-out of any release channel.

           extended
              Clusters subscribed to 'extended' can remain on a minor version
              for 24 months from when the minor version is made available in
              the Regular channel.

           rapid
              'rapid' channel is offered on an early access basis for customers
              who want to test new releases.

              WARNING: Versions available in the 'rapid' channel may be subject
              to unresolved issues with no known workaround and are not subject
              to any SLAs.

           regular
              Clusters subscribed to 'regular' receive versions that are
              considered GA quality. 'regular' is intended for production users
              who want to take advantage of new features.

           stable
              Clusters subscribed to 'stable' receive versions that are known
              to be stable and reliable in production.

       --remove-autopilot-workload-policies=REMOVE_WORKLOAD_POLICIES
          Remove Autopilot workload policies from the cluster.

          Examples:

              $ gcloud container clusters update example-cluster \
                  --remove-autopilot-workload-policies=allow-net-admin

          The only supported workload policy is 'allow-net-admin'.

       --remove-labels=[KEY,...]
          Labels to remove from the Google Cloud resources in use by the
          Kubernetes Engine cluster. These are unrelated to Kubernetes labels.

          Examples:

              $ gcloud container clusters update example-cluster \
                  --remove-labels=label_a,label_b

       --remove-workload-policies=REMOVE_WORKLOAD_POLICIES
          Remove Autopilot workload policies from the cluster.

          Examples:

              $ gcloud container clusters update example-cluster \
                  --remove-workload-policies=allow-net-admin

          The only supported workload policy is 'allow-net-admin'.

       --security-group=SECURITY_GROUP
          The name of the RBAC security group for use with Google security
          groups in Kubernetes RBAC
          (https://kubernetes.io/docs/reference/access-authn-authz/rbac/).

          To include group membership as part of the claims issued by Google
          during authentication, a group must be designated as a security group
          by including it as a direct member of this group.

          If unspecified, no groups will be returned for use with RBAC.

       --security-posture=SECURITY_POSTURE
          Sets the mode of the Kubernetes security posture API's off-cluster
          features.

          To enable advanced mode explicitly set the flag to
          --security-posture=enterprise.

          To enable in standard mode explicitly set the flag to
          --security-posture=standard

          To disable in an existing cluster, explicitly set the flag to
          --security-posture=disabled.

          For more information on enablement, see
          https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard#feature-enablement.

          SECURITY_POSTURE must be one of: disabled, standard, enterprise.

       --set-password
          Set the basic auth password to the specified value, keeping the
          existing username.

       --stack-type=STACK_TYPE
          IP stack type of the cluster nodes. STACK_TYPE must be one of: ipv4,
          ipv4-ipv6.

       --start-credential-rotation
          Start the rotation of IP and credentials for this cluster. For
          example:

              $ gcloud container clusters update example-cluster \
                  --start-credential-rotation

          This causes the cluster to serve on two IPs, and will initiate a node
          upgrade to point to the new IP. See documentation for more details:
          https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation.

       --start-ip-rotation
          Start the rotation of this cluster to a new IP. For example:

              $ gcloud container clusters update example-cluster \
                  --start-ip-rotation

          This causes the cluster to serve on two IPs, and will initiate a node
          upgrade to point to the new IP. See documentation for more details:
          https://cloud.google.com/kubernetes-engine/docs/how-to/ip-rotation.

       --tier=TIER
          (DEPRECATED) Set the desired tier for the cluster.

          The --tier flag is deprecated. More info:
          https://cloud.google.com/kubernetes-engine/docs/release-notes#September_02_2025.
          TIER must be one of: standard, enterprise.

       --update-addons=[ADDON=ENABLED|DISABLED,...]
          Cluster addons to enable or disable. Options are
          HorizontalPodAutoscaling=ENABLED|DISABLED
          HttpLoadBalancing=ENABLED|DISABLED
          KubernetesDashboard=ENABLED|DISABLED NetworkPolicy=ENABLED|DISABLED
          BackupRestore=ENABLED|DISABLED CloudRun=ENABLED|DISABLED
          ConfigConnector=ENABLED|DISABLED NodeLocalDNS=ENABLED|DISABLED
          GcePersistentDiskCsiDriver=ENABLED|DISABLED
          GcpFilestoreCsiDriver=ENABLED|DISABLED
          GcsFuseCsiDriver=ENABLED|DISABLED
          NodeReadinessController=ENABLED|DISABLED

       --update-labels=[KEY=VALUE,...]
          Labels to apply to the Google Cloud resources in use by the
          Kubernetes Engine cluster. These are unrelated to Kubernetes labels.

          Examples:

              $ gcloud container clusters update example-cluster \
                  --update-labels=label_a=value1,label_b=value2

       --workload-policies=WORKLOAD_POLICIES
          Add Autopilot workload policies to the cluster.

          Examples:

              $ gcloud container clusters update example-cluster \
                  --workload-policies=allow-net-admin

          The only supported workload policy is 'allow-net-admin'.

       --workload-pool=WORKLOAD_POOL
          Enable Workload Identity on the cluster.

          When enabled, Kubernetes service accounts will be able to act as
          Cloud IAM Service Accounts, through the provided workload pool.

          Currently, the only accepted workload pool is the workload pool of
          the Cloud project containing the cluster, PROJECT_ID.svc.id.goog.

          For more information on Workload Identity, see

              https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity

       --workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING
          Sets the mode of the Kubernetes security posture API's workload
          vulnerability scanning.

          To enable Advanced vulnerability insights mode explicitly set the
          flag to --workload-vulnerability-scanning=enterprise.

          To enable in standard mode explicitly set the flag to
          --workload-vulnerability-scanning=standard.

          To disable in an existing cluster, explicitly set the flag to
          --workload-vulnerability-scanning=disabled.

          For more information on enablement, see
          https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard#feature-enablement.

          WORKLOAD_VULNERABILITY_SCANNING must be one of: disabled, standard,
          enterprise.

       Or at least one of these can be specified:

         --additional-ip-ranges=[subnetwork=NAME,pod-ipv4-range=NAME,...]
            Add additional subnetworks named "my-subnet" with pod ipv4 range
            named "my-range" to the cluster.

            Examples:

                $ gcloud container clusters update example-cluster \
                    --additional-ip-ranges=subnetwork=my-subnet,\
                pod-ipv4-range=my-range

         --remove-additional-ip-ranges=[subnetwork=NAME,pod-ipv4-range=NAME,...]
            Additional subnetworks to be removed from the cluster.

            Examples:

            Remove pod range named "my-range" under additional subnetwork named
            "my-subnet" from the cluster.

                $ gcloud container clusters update example-cluster \
                    --remove-additional-ip-ranges=subnetwork=my-subnet,\
                pod-ipv4-range=my-range

            Remove additional subnetwork named "my-subnet", including all the
            pod ipv4 ranges under the subnetwork.

                $ gcloud container clusters update example-cluster \
                    --remove-additional-ip-ranges=subnetwork=my-subnet

       Or at least one of these can be specified:

         --additional-pod-ipv4-ranges=NAME,[NAME,...]
            Additional IP address ranges(by name) for pods that need to be
            added to the cluster.

            Examples:

                $ gcloud container clusters update example-cluster \
                    --additional-pod-ipv4-ranges=range1,range2

         --remove-additional-pod-ipv4-ranges=NAME,[NAME,...]
            Previously added additional pod ranges(by name) for pods that are
            to be removed from the cluster.

            Examples:

                $ gcloud container clusters update example-cluster \
                    --remove-additional-pod-ipv4-ranges=range1,range2

       Or at least one of these can be specified:

         --auto-monitoring-scope=AUTO_MONITORING_SCOPE
            Enables Auto-Monitoring for a specific scope within the cluster.
            ALL: Enables Auto-Monitoring for all supported workloads within the
            cluster. NONE: Disables Auto-Monitoring. AUTO_MONITORING_SCOPE must
            be one of: ALL, NONE.

         --logging=[COMPONENT,...]
            Set the components that have logging enabled. Valid component
            values are: SYSTEM, WORKLOAD, API_SERVER, CONTROLLER_MANAGER,
            SCHEDULER, KCP_HPA, NONE

            For more information, see
            https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs#available-logs

            Examples:

                $ gcloud container clusters update --logging=SYSTEM
                $ gcloud container clusters update \
                    --logging=SYSTEM,API_SERVER,WORKLOAD
                $ gcloud container clusters update --logging=NONE

         --monitoring=[COMPONENT,...]
            Set the components that have monitoring enabled. Valid component
            values are: SYSTEM, WORKLOAD (Deprecated), NONE, API_SERVER,
            CONTROLLER_MANAGER, SCHEDULER, DAEMONSET, DEPLOYMENT, HPA, POD,
            STATEFULSET, STORAGE, CADVISOR, KUBELET, DCGM, JOBSET

            Note: DAEMONSET, DEPLOYMENT, HPA, POD, STATEFULSET, STORAGE,
            CADVISOR, KUBELET, DCGM, and JOBSET require Google Managed
            Prometheus to be enabled.

            For more information, see
            https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics#available-metrics

            Examples:

                $ gcloud container clusters update --monitoring=SYSTEM,API_SERVER,POD
                $ gcloud container clusters update --monitoring=NONE

         At most one of these can be specified:

           --disable-managed-prometheus
              Disable managed collection for Managed Service for Prometheus.

           --enable-managed-prometheus
              Enables managed collection for Managed Service for Prometheus in
              the cluster.

              See
              https://cloud.google.com/stackdriver/docs/managed-prometheus/setup-managed#enable-mgdcoll-gke
              for more info.

              Enabled by default for cluster versions 1.27 or greater, use
              --no-enable-managed-prometheus to disable.

       Or at least one of these can be specified:

         Flags for Binary Authorization:

         At most one of these can be specified:

           --binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE
              Enable Binary Authorization for this cluster.
              BINAUTHZ_EVALUATION_MODE must be one of: disabled,
              project-singleton-policy-enforce.

           --enable-binauthz
              (DEPRECATED) Enable Binary Authorization for this cluster.

              The --enable-binauthz flag is deprecated. Please use
              --binauthz-evaluation-mode instead.

       Or at least one of these can be specified:

         --clear-fleet-project
            Remove the cluster from current fleet host project. Example: $
            gcloud container clusters update --clear-fleet-project

         --enable-fleet
            Set cluster project as the fleet host project. This will register
            the cluster to the same project. To register the cluster to a fleet
            in a different project, please use
            --fleet-project=FLEET_HOST_PROJECT. Example: $ gcloud container
            clusters update --enable-fleet

         --fleet-project=PROJECT_ID_OR_NUMBER
            Sets fleet host project for the cluster. If specified, the current
            cluster will be registered as a fleet membership under the fleet
            host project.

            Example: $ gcloud container clusters update
            --fleet-project=my-project

         --membership-type=MEMBERSHIP_TYPE
            Specify a membership type for the cluster's fleet membership.
            Example: $ gcloud container clusters update
            --membership-type=LIGHTWEIGHT. \ MEMBERSHIP_TYPE must be (only one
            value is supported):

             LIGHTWEIGHT
                Fleet membership representing this cluster will be lightweight.

         --unset-membership-type
            Set the membership type for the cluster's fleet membership to
            empty. Example: $ gcloud container clusters update
            --unset-membership-type

       Or at least one of these can be specified:

         Flags for cluster disruption budget configuration:

         At most one of these can be specified:

           --clear-maintenance-minor-version-disruption-interval
              Restore the default values for the minimum interval of time
              between minor version cluster upgrades.

           --maintenance-minor-version-disruption-interval=MAINTENANCE_MINOR_VERSION_DISRUPTION_INTERVAL
              Set the minimum interval of time between minor version cluster
              upgrades.

         At most one of these can be specified:

           --clear-maintenance-patch-version-disruption-interval
              Restore the default values for the minimum interval of time
              between patch version cluster upgrades.

           --maintenance-patch-version-disruption-interval=MAINTENANCE_PATCH_VERSION_DISRUPTION_INTERVAL
              Set the minimum interval of time between patch version cluster
              upgrades.

       Or at most one of these can be specified:

         --clear-maintenance-window
            If set, remove the maintenance window that was set with
            --maintenance-window family of flags.

         --remove-maintenance-exclusion=NAME
            Name of a maintenance exclusion to remove. If you hadn't specified
            a name, one was auto-generated. Get it with $ gcloud container
            clusters describe.

         Or at least one of these can be specified:

           Sets a period of time in which maintenance should not occur. This is
           compatible with both daily and recurring maintenance windows. If
           --add-maintenance-exclusion-scope is not specified, the exclusion
           will exclude all upgrades.

           Examples:

               $ gcloud container clusters update example-cluster   \
                   --add-maintenance-exclusion-name=holidays-2000   \
                   --add-maintenance-exclusion-start=2000-11-20T00:00:00   \
                   --add-maintenance-exclusion-end=2000-12-31T23:59:59   \
                   --add-maintenance-exclusion-scope=no_upgrades

           --add-maintenance-exclusion-name=NAME
              A descriptor for the exclusion that can be used to remove it. If
              not specified, it will be autogenerated.

           --add-maintenance-exclusion-scope=SCOPE
              Scope of the exclusion window to specify the type of upgrades
              that the exclusion will apply to. Must be in one of no_upgrades,
              no_minor_upgrades or no_minor_or_node_upgrades. If not specified
              in an exclusion, defaults to no_upgrades.

           --add-maintenance-exclusion-start=TIME_STAMP
              Start time of the exclusion window (can occur in the past). If
              not specified, the current time will be used. See $ gcloud topic
              datetimes for information on time formats.

           Exactly one of these must be specified:

             --add-maintenance-exclusion-end=TIME_STAMP
                End time of the exclusion window. Must take place after the
                start time. See $ gcloud topic datetimes for information on
                time formats.

             --add-maintenance-exclusion-until-end-of-support
                End time of the exclusion window is the end of the cluster's
                support.

         Or at least one of these can be specified:

           Set a flexible maintenance window by specifying a window that recurs
           per an RFC 5545 RRULE. Non-emergency maintenance will occur in the
           recurring windows.

           Examples:

           For a 9-5 Mon-Wed UTC-4 maintenance window:

               $ gcloud container clusters update example-cluster \
                   --maintenance-window-start=2000-01-01T09:00:00-04:00 \
                   --maintenance-window-end=2000-01-01T17:00:00-04:00 \
                   --maintenance-window-recurrence='FREQ=WEEKLY;BYDAY=MO,TU,WE'

           For a daily window from 22:00 - 04:00 UTC:

               $ gcloud container clusters update example-cluster \
                   --maintenance-window-start=2000-01-01T22:00:00Z \
                   --maintenance-window-end=2000-01-02T04:00:00Z \
                   --maintenance-window-recurrence=FREQ=DAILY

           --maintenance-window-end=TIME_STAMP
              The end time for calculating the duration of the maintenance
              window, as expressed by the amount of time after the START_TIME,
              in the same format. The value for END_TIME must be in the future,
              relative to START_TIME. This only calculates the duration of the
              window, and doesn't set when the maintenance window stops
              recurring. Maintenance windows only stop recurring when they're
              removed. See $ gcloud topic datetimes for information on time
              formats.

              This flag argument must be specified if any of the other
              arguments in this group are specified.

              This flag argument must be specified if any of the other
              arguments in this group are specified.

           --maintenance-window-recurrence=RRULE
              An RFC 5545 RRULE, specifying how the window will recur. Note
              that minimum requirements for maintenance periods will be
              enforced. Note that FREQ=SECONDLY, MINUTELY, and HOURLY are not
              supported.

              This flag argument must be specified if any of the other
              arguments in this group are specified.

           --maintenance-window-start=TIME_STAMP
              Start time of the first window (can occur in the past). The start
              time influences when the window will start for recurrences. See $
              gcloud topic datetimes for information on time formats.

              This flag argument must be specified if any of the other
              arguments in this group are specified.

       Or at most one of these can be specified:

         Exports cluster's usage of cloud resources

         --clear-resource-usage-bigquery-dataset
            Disables exporting cluster resource usage to BigQuery.

         Or at least one of these can be specified:

           --enable-network-egress-metering
              Enable network egress metering on this cluster.

              When enabled, a DaemonSet is deployed into the cluster. Each
              DaemonSet pod meters network egress traffic by collecting data
              from the conntrack table, and exports the metered metrics to the
              specified destination.

              Network egress metering is disabled if this flag is omitted, or
              when --no-enable-network-egress-metering is set.

           --enable-resource-consumption-metering
              Enable resource consumption metering on this cluster.

              When enabled, a table will be created in the specified BigQuery
              dataset to store resource consumption data. The resulting table
              can be joined with the resource usage table or with BigQuery
              billing export.

              To disable resource consumption metering, set
              --no-enable-resource-consumption- metering. If this flag is
              omitted, then resource consumption metering will remain enabled
              or disabled depending on what is already configured for this
              cluster.

           --resource-usage-bigquery-dataset=RESOURCE_USAGE_BIGQUERY_DATASET
              The name of the BigQuery dataset to which the cluster's usage of
              cloud resources is exported. A table will be created in the
              specified dataset to store cluster resource usage. The resulting
              table can be joined with BigQuery Billing Export to produce a
              fine-grained cost breakdown.

              Examples:

                  $ gcloud container clusters update example-cluster \
                      --resource-usage-bigquery-dataset=example_bigquery_dataset_name

       Or at least one of these can be specified:

         ClusterDNS

         --cluster-dns=CLUSTER_DNS
            DNS provider to use for this cluster. CLUSTER_DNS must be one of:

             clouddns
                Selects Cloud DNS as the DNS provider for the cluster.
             default
                Selects the default DNS provider (kube-dns) for the cluster.
             kubedns
                Selects Kube DNS as the DNS provider for the cluster.

         --cluster-dns-domain=CLUSTER_DNS_DOMAIN
            DNS domain for this cluster. The default value is cluster.local.
            This is configurable when --cluster-dns=clouddns and
            --cluster-dns-scope=vpc are set. The value must be a valid DNS
            subdomain as defined in RFC 1123.

         --cluster-dns-scope=CLUSTER_DNS_SCOPE
            DNS scope for the Cloud DNS zone created - valid only with
            --cluster-dns=clouddns. Defaults to cluster.

            CLUSTER_DNS_SCOPE must be one of:

             cluster
                Configures the Cloud DNS zone to be private to the cluster.
             vpc
                Configures the Cloud DNS zone to be private to the VPC Network.

         At most one of these can be specified:

           --additive-vpc-scope-dns-domain=ADDITIVE_VPC_SCOPE_DNS_DOMAIN
              The domain used in Additive VPC scope. Only works with Cluster
              Scope.

           --disable-additive-vpc-scope
              Disables Additive VPC Scope.

       Or at least one of these can be specified:

         At most one of these can be specified:

           --dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
              (REMOVED) Select Advanced Datapath Observability mode for the
              cluster. Defaults to DISABLED.

              Advanced Datapath Observability allows for a real-time view into
              pod-to-pod traffic within your cluster.

              Examples:

                  $ gcloud container clusters update \
                      --dataplane-v2-observability-mode=DISABLED

                  $ gcloud container clusters update \
                      --dataplane-v2-observability-mode=INTERNAL_VPC_LB

                  $ gcloud container clusters update \
                      --dataplane-v2-observability-mode=EXTERNAL_LB

              Flag --dataplane-v2-observability-mode has been removed.

              DATAPLANE_V2_OBSERVABILITY_MODE must be one of:

               DISABLED
                  Disables Advanced Datapath Observability.
               EXTERNAL_LB
                  Makes Advanced Datapath Observability available to the
                  external network.
               INTERNAL_VPC_LB
                  Makes Advanced Datapath Observability available from the VPC
                  network.

           --disable-dataplane-v2-flow-observability
              Disables Advanced Datapath Observability.

           --enable-dataplane-v2-flow-observability
              Enables Advanced Datapath Observability which allows for a
              real-time view into pod-to-pod traffic within your cluster.

         At most one of these can be specified:

           --disable-dataplane-v2-metrics
              Stops exposing advanced datapath flow metrics on node port.

           --enable-dataplane-v2-metrics
              Exposes advanced datapath flow metrics on node port.

       Or at most one of these can be specified:

         --disable-auto-ipam
            Disable the Auto IP Address Management (Auto IPAM) feature for the
            cluster.

         --enable-auto-ipam
            Enable the Auto IP Address Management (Auto IPAM) feature for the
            cluster.

       Or at most one of these can be specified:

         --disable-l4-lb-firewall-reconciliation
            Disable reconciliation on the cluster for L4 Load Balancer VPC
            firewalls targeting ingress traffic.

         --enable-l4-lb-firewall-reconciliation
            Enable reconciliation on the cluster for L4 Load Balancer VPC
            firewalls targeting ingress traffic. L4 LB VPC firewall
            reconciliation is enabled by default.

       Or at most one of these can be specified:

         --disable-pod-snapshots
            Disable the Pod Snapshot feature on the cluster.

         --enable-pod-snapshots
            Enable the Pod Snapshot feature on the cluster.

       Or at least one of these can be specified:

         --enable-authorized-networks-on-private-endpoint
            Enable enforcement of --master-authorized-networks CIDR ranges for
            traffic reaching cluster's control plane via private IP.

         --enable-dns-access
            Enable access to the cluster's control plane over DNS-based
            endpoint.

            DNS-based control plane access is recommended.

         --enable-google-cloud-access
            When you enable Google Cloud Access, any public IP addresses owned
            by Google Cloud can reach the public control plane endpoint of your
            cluster.

         --enable-ip-access
            Enable access to the cluster's control plane over private IP and
            public IP if --enable-private-endpoint is not enabled.

         --enable-k8s-certs-via-dns
            Enable K8s client certificates Authentication to the cluster's
            control plane over DNS-based endpoint.

         --enable-k8s-tokens-via-dns
            Enable K8s Service Account tokens Authentication to the cluster's
            control plane over DNS-based endpoint.

         --enable-master-global-access
            Use with private clusters to allow access to the master's private
            endpoint from any Google Cloud region or on-premises environment
            regardless of the private cluster's region.

         --enable-private-endpoint
            Enables cluster's control plane to be accessible using private IP
            address only.

         Master Authorized Networks

         --enable-master-authorized-networks
            Allow only specified set of CIDR blocks (specified by the
            --master-authorized-networks flag) to connect to Kubernetes master
            through HTTPS. Besides these blocks, the following have access as
            well:

                1) The private network the cluster connects to if
                `--enable-private-nodes` is specified.
                2) Google Compute Engine Public IPs if `--enable-private-nodes` is not
                specified.

            Use --no-enable-master-authorized-networks to disable. When
            disabled, public internet (0.0.0.0/0) is allowed to connect to
            Kubernetes master through HTTPS.

         --master-authorized-networks=NETWORK,[NETWORK,...]
            The list of CIDR blocks (up to 100 for private cluster, 50 for
            public cluster) that are allowed to connect to Kubernetes master
            through HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot
            be specified unless --enable-master-authorized-networks is also
            specified.

       Or at least one of these can be specified:

         Node autoprovisioning

         --enable-autoprovisioning
            Enables node autoprovisioning for a cluster.

            Cluster Autoscaler will be able to create new node pools. Requires
            maximum CPU and memory limits to be specified.

         At most one of these can be specified:

           --autoprovisioning-config-file=PATH_TO_FILE
              Path of the JSON/YAML file which contains information about the
              cluster's node autoprovisioning configuration. Currently it
              contains a list of resource limits, identity defaults for
              autoprovisioning, node upgrade settings, node management
              settings, minimum cpu platform, image type, node locations for
              autoprovisioning, disk type and size configuration, Shielded
              instance settings, and customer-managed encryption keys settings.

              Resource limits are specified in the field 'resourceLimits'. Each
              resource limits definition contains three fields: resourceType,
              maximum and minimum. Resource type can be "cpu", "memory" or an
              accelerator (e.g. "nvidia-tesla-t4" for NVIDIA T4). Use gcloud
              compute accelerator-types list to learn about available
              accelerator types. Maximum is the maximum allowed amount with the
              unit of the resource. Minimum is the minimum allowed amount with
              the unit of the resource.

              Identity default contains at most one of the below fields:
              serviceAccount: The Google Cloud Platform Service Account to be
              used by node VMs in autoprovisioned node pools. If not specified,
              the project's default service account is used. scopes: A list of
              scopes to be used by node instances in autoprovisioned node
              pools. Multiple scopes can be specified, separated by commas. For
              information on defaults, look at:
              https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes

              Node Upgrade settings are specified under the field
              'upgradeSettings', which has the following fields:
              maxSurgeUpgrade: Number of extra (surge) nodes to be created on
              each upgrade of an autoprovisioned node pool.
              maxUnavailableUpgrade: Number of nodes that can be unavailable at
              the same time on each upgrade of an autoprovisioned node pool.

              Node Management settings are specified under the field
              'management', which has the following fields: autoUpgrade: A
              boolean field that indicates if node autoupgrade is enabled for
              autoprovisioned node pools. autoRepair: A boolean field that
              indicates if node autorepair is enabled for autoprovisioned node
              pools.

              minCpuPlatform (deprecated): If specified, new autoprovisioned
              nodes will be scheduled on host with specified CPU architecture
              or a newer one. Note: Min CPU platform can only be specified in
              Beta and Alpha.

              Autoprovisioned node image is specified under the 'imageType'
              field. If not specified the default value will be applied.

              Autoprovisioning locations is a set of zones where new node pools
              can be created by Autoprovisioning. Autoprovisioning locations
              are specified in the field 'autoprovisioningLocations'. All zones
              must be in the same region as the cluster's master(s).

              Disk type and size are specified under the 'diskType' and
              'diskSizeGb' fields, respectively. If specified, new
              autoprovisioned nodes will be created with custom boot disks
              configured by these settings.

              Shielded instance settings are specified under the
              'shieldedInstanceConfig' field, which has the following fields:
              enableSecureBoot: A boolean field that indicates if secure boot
              is enabled for autoprovisioned nodes. enableIntegrityMonitoring:
              A boolean field that indicates if integrity monitoring is enabled
              for autoprovisioned nodes.

              Customer Managed Encryption Keys (CMEK) used by new
              auto-provisioned node pools can be specified in the
              'bootDiskKmsKey' field.

              Use a full or relative path to a local file containing the value
              of autoprovisioning_config_file.

           Or at least one of these can be specified:

             Flags to configure autoprovisioned nodes

             --autoprovisioning-image-type=AUTOPROVISIONING_IMAGE_TYPE
                Node Autoprovisioning will create new nodes with the specified
                image type

             --autoprovisioning-locations=ZONE,[ZONE,...]
                Set of zones where new node pools can be created by
                autoprovisioning. All zones must be in the same region as the
                cluster's master(s). Multiple locations can be specified,
                separated by commas.

             --autoprovisioning-min-cpu-platform=PLATFORM
                (DEPRECATED) If specified, new autoprovisioned nodes will be
                scheduled on host with specified CPU architecture or a newer
                one.

                The --autoprovisioning-min-cpu-platform flag is deprecated and
                will be removed in an upcoming release. More info:
                https://cloud.google.com/kubernetes-engine/docs/release-notes#March_08_2022

             --max-cpu=MAX_CPU
                Maximum number of cores in the cluster.

                Maximum number of cores to which the cluster can scale.
                Required to be set when --enable-autoprovisioning is used.

             --max-memory=MAX_MEMORY
                Maximum memory in the cluster.

                Maximum number of gigabytes of memory to which the cluster can
                scale. Required to be set when --enable-autoprovisioning is
                used.

             --min-cpu=MIN_CPU
                Minimum number of cores in the cluster.

                Minimum number of cores to which the cluster can scale.

             --min-memory=MIN_MEMORY
                Minimum memory in the cluster.

                Minimum number of gigabytes of memory to which the cluster can
                scale.

             Flags to specify upgrade settings for autoprovisioned nodes:

             --autoprovisioning-max-surge-upgrade=AUTOPROVISIONING_MAX_SURGE_UPGRADE
                Number of extra (surge) nodes to be created on each upgrade of
                an autoprovisioned node pool.

             --autoprovisioning-max-unavailable-upgrade=AUTOPROVISIONING_MAX_UNAVAILABLE_UPGRADE
                Number of nodes that can be unavailable at the same time on
                each upgrade of an autoprovisioned node pool.

             --autoprovisioning-node-pool-soak-duration=AUTOPROVISIONING_NODE_POOL_SOAK_DURATION
                Time in seconds to be spent waiting during blue-green upgrade
                before deleting the blue pool and completing the update. This
                argument should be used in conjunction with
                --enable-autoprovisioning-blue-green-upgrade to take effect.

             --autoprovisioning-standard-rollout-policy=[batch-node-count=BATCH_NODE_COUNT,batch-percent=BATCH_NODE_PERCENTAGE,batch-soak-duration=BATCH_SOAK_DURATION,...]
                Standard rollout policy options for blue-green upgrade. This
                argument should be used in conjunction with
                --enable-autoprovisioning-blue-green-upgrade to take effect.

                Batch sizes are specified by one of, batch-node-count or
                batch-percent. The duration between batches is specified by
                batch-soak-duration.

                Example:
                --standard-rollout-policy=batch-node-count=3,batch-soak-duration=60s
                --standard-rollout-policy=batch-percent=0.05,batch-soak-duration=180s

             Flag group to choose the top level upgrade option:

             At most one of these can be specified:

               --enable-autoprovisioning-blue-green-upgrade
                  Whether to use blue-green upgrade for the autoprovisioned
                  node pool.

               --enable-autoprovisioning-surge-upgrade
                  Whether to use surge upgrade for the autoprovisioned node
                  pool.

             Flags to specify identity for autoprovisioned nodes:

             --autoprovisioning-scopes=[SCOPE,...]
                The scopes to be used by node instances in autoprovisioned node
                pools. Multiple scopes can be specified, separated by commas.
                For information on defaults, look at:
                https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes

             --autoprovisioning-service-account=AUTOPROVISIONING_SERVICE_ACCOUNT
                The Google Cloud Platform Service Account to be used by node
                VMs in autoprovisioned node pools. If not specified, the
                project default service account is used.

             Flags to specify node management settings for autoprovisioned
             nodes:

             --enable-autoprovisioning-autorepair
                Enable node autorepair for autoprovisioned node pools. Use
                --no-enable-autoprovisioning-autorepair to disable.

                This flag argument must be specified if any of the other
                arguments in this group are specified.

             --enable-autoprovisioning-autoupgrade
                Enable node autoupgrade for autoprovisioned node pools. Use
                --no-enable-autoprovisioning-autoupgrade to disable.

                This flag argument must be specified if any of the other
                arguments in this group are specified.

             Arguments to set limits on accelerators:

             --max-accelerator=[type=TYPE,count=COUNT,...]
                Sets maximum limit for a single type of accelerators (e.g.
                GPUs) in cluster.

                 type
                    (Required) The specific type (e.g. nvidia-tesla-t4 for
                    NVIDIA T4) of accelerator for which the limit is set. Use
                    gcloud compute accelerator-types list to learn about all
                    available accelerator types.

                 count
                    (Required) The maximum number of accelerators to which the
                    cluster can be scaled.

                    This flag argument must be specified if any of the other
                    arguments in this group are specified.

             --min-accelerator=[type=TYPE,count=COUNT,...]
                Sets minimum limit for a single type of accelerators (e.g.
                GPUs) in cluster. Defaults to 0 for all accelerator types if it
                isn't set.

                 type
                    (Required) The specific type (e.g. nvidia-tesla-t4 for
                    NVIDIA T4) of accelerator for which the limit is set. Use
                    gcloud compute accelerator-types list to learn about all
                    available accelerator types.

                 count
                    (Required) The minimum number of accelerators to which the
                    cluster can be scaled.

       Or at least one of these can be specified:

         --enable-insecure-binding-system-authenticated
            Allow using system:authenticated as a subject in
            ClusterRoleBindings and RoleBindings. Allowing bindings that
            reference system:authenticated is a security risk and is not
            recommended.

            To disallow binding system:authenticated in a cluster, explicitly
            set the --no-enable-insecure-binding-system-authenticated flag
            instead.

         --enable-insecure-binding-system-unauthenticated
            Allow using system:unauthenticated and system:anonymous as subjects
            in ClusterRoleBindings and RoleBindings. Allowing bindings that
            reference system:unauthenticated and system:anonymous are a
            security risk and is not recommended.

            To disallow binding system:authenticated in a cluster, explicitly
            set the --no-enable-insecure-binding-system-unauthenticated flag
            instead.

       Or at least one of these can be specified:

         --logging-service=LOGGING_SERVICE
            (DEPRECATED) Logging service to use for the cluster. Options are:
            "logging.googleapis.com/kubernetes" (the Google Cloud Logging
            service with Kubernetes-native resource model enabled),
            "logging.googleapis.com" (the Google Cloud Logging service), "none"
            (logs will not be exported from the cluster)

            The --logging-service flag is deprecated and will be removed in an
            upcoming release. Please use --logging instead. For more
            information, please read:
            https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs.

         --monitoring-service=MONITORING_SERVICE
            (DEPRECATED) Monitoring service to use for the cluster. Options
            are: "monitoring.googleapis.com/kubernetes" (the Google Cloud
            Monitoring service with Kubernetes-native resource model enabled),
            "monitoring.googleapis.com" (the Google Cloud Monitoring service),
            "none" (no metrics will be exported from the cluster)

            The --monitoring-service flag is deprecated and will be removed in
            an upcoming release. Please use --monitoring instead. For more
            information, please read:
            https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics.

       Or at least one of these can be specified:

         Flags for Secret Manager configuration:

         --[no-]enable-secret-manager
            Enables the Secret Manager CSI driver provider component. See
            https://secrets-store-csi-driver.sigs.k8s.io/introduction
            https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp.
            Use --enable-secret-manager to enable and
            --no-enable-secret-manager to disable.

         --[no-]enable-secret-manager-rotation
            Enables the rotation of secrets in the Secret Manager CSI driver
            provider component. Use --enable-secret-manager-rotation to enable
            and --no-enable-secret-manager-rotation to disable.

         --secret-manager-rotation-interval=SECRET_MANAGER_ROTATION_INTERVAL
            Set the rotation period for secrets in the Secret Manager CSI
            driver provider component. If you don't specify a time interval for
            the rotation, it will default to a rotation period of two minutes.

       Or at least one of these can be specified:

         Basic auth

         --password=PASSWORD
            The password to use for cluster auth. Defaults to a
            server-specified randomly-generated string.

         Options to specify the username.

         At most one of these can be specified:

           --enable-basic-auth
              Enable basic (username/password) auth for the cluster.
              --enable-basic-auth is an alias for --username=admin;
              --no-enable-basic-auth is an alias for --username="". Use
              --password to specify a password; if not, the server will
              randomly generate one. For cluster versions before 1.12, if
              neither --enable-basic-auth nor --username is specified,
              --enable-basic-auth will default to true. After 1.12,
              --enable-basic-auth will default to false.

           --username=USERNAME, -u USERNAME
              The user name to use for basic auth for the cluster. Use
              --password to specify a password; if not, the server will
              randomly generate one.

OPTIONAL FLAGS
     --async
        Return immediately, without waiting for the operation in progress to
        complete.

     --cloud-run-config=[load-balancer-type=EXTERNAL,...]
        Configurations for Cloud Run addon, requires --addons=CloudRun for
        create and --update-addons=CloudRun=ENABLED for update.

         load-balancer-type
            (Optional) Type of load-balancer-type EXTERNAL or INTERNAL.

            Examples:

                $ gcloud container clusters update example-cluster \
                    --cloud-run-config=load-balancer-type=INTERNAL

     --node-pool=NODE_POOL
        Node pool to be updated.

     At most one of these can be specified:

       --location=LOCATION
          Compute zone or region (e.g. us-central1-a or us-central1) for the
          cluster. Overrides the default compute/region or compute/zone value
          for this command invocation. Prefer using this flag over the --region
          or --zone flags.

       --region=REGION
          Compute region (e.g. us-central1) for a regional cluster. Overrides
          the default compute/region property value for this command
          invocation.

       --zone=ZONE, -z ZONE
          Compute zone (e.g. us-central1-a) for a zonal cluster. Overrides the
          default compute/zone property value for this command invocation.

     Cluster autoscaling

     --location-policy=LOCATION_POLICY
        Location policy specifies the algorithm used when scaling-up the node
        pool.

        ◆ BALANCED - Is a best effort policy that aims to balance the sizes
          of available zones.
        ◆ ANY - Instructs the cluster autoscaler to prioritize utilization of
          unused reservations, and reduces preemption risk for Spot VMs.

        LOCATION_POLICY must be one of: BALANCED, ANY.

     --max-nodes=MAX_NODES
        Maximum number of nodes per zone in the node pool.

        Maximum number of nodes per zone to which the node pool specified by
        --node-pool (or default node pool if unspecified) can scale. Ignored
        unless --enable-autoscaling is also specified.

     --min-nodes=MIN_NODES
        Minimum number of nodes per zone in the node pool.

        Minimum number of nodes per zone to which the node pool specified by
        --node-pool (or default node pool if unspecified) can scale. Ignored
        unless --enable-autoscaling is also specified.

     --total-max-nodes=TOTAL_MAX_NODES
        Maximum number of all nodes in the node pool.

        Maximum number of all nodes to which the node pool specified by
        --node-pool (or default node pool if unspecified) can scale. Ignored
        unless --enable-autoscaling is also specified.

     --total-min-nodes=TOTAL_MIN_NODES
        Minimum number of all nodes in the node pool.

        Minimum number of all nodes to which the node pool specified by
        --node-pool (or default node pool if unspecified) can scale. Ignored
        unless --enable-autoscaling is also specified.

GCLOUD WIDE FLAGS
    These flags are available to all commands: --access-token-file, --account,
    --billing-project, --configuration, --flags-file, --flatten, --format,
    --help, --impersonate-service-account, --log-http, --project, --quiet,
    --trace-token, --user-output-enabled, --verbosity.

    Run $ gcloud help for details.

NOTES
    These variants are also available:

        $ gcloud alpha container clusters update

        $ gcloud beta container clusters update

