mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-08 18:45:13 +00:00
839 lines
37 KiB
Text
839 lines
37 KiB
Text
NAME
|
|
gcloud alpha container clusters create-auto - create an Autopilot cluster
|
|
for running containers
|
|
|
|
SYNOPSIS
|
|
gcloud alpha container clusters create-auto NAME
|
|
[--anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG]
|
|
[--async] [--auto-monitoring-scope=AUTO_MONITORING_SCOPE]
|
|
[--autoprovisioning-enable-insecure-kubelet-readonly-port]
|
|
[--autoprovisioning-network-tags=TAGS,[TAGS,...]]
|
|
[--autoprovisioning-resource-manager-tags=[KEY=VALUE,...]]
|
|
[--boot-disk-kms-key=BOOT_DISK_KMS_KEY]
|
|
[--cluster-ipv4-cidr=CLUSTER_IPV4_CIDR]
|
|
[--cluster-secondary-range-name=NAME]
|
|
[--cluster-version=CLUSTER_VERSION]
|
|
[--containerd-config-from-file=PATH_TO_FILE]
|
|
[--create-subnetwork=[KEY=VALUE,...]]
|
|
[--database-encryption-key=DATABASE_ENCRYPTION_KEY]
|
|
[--disable-l4-lb-firewall-reconciliation]
|
|
[--enable-authorized-networks-on-private-endpoint] [--enable-auto-ipam]
|
|
[--enable-backup-restore] [--enable-cilium-clusterwide-network-policy]
|
|
[--enable-confidential-nodes] [--enable-default-compute-class]
|
|
[--enable-dns-access] [--enable-fleet] [--enable-google-cloud-access]
|
|
[--enable-ip-access] [--enable-kubernetes-unstable-apis=API,[API,...]]
|
|
[--enable-legacy-lustre-port] [--enable-lustre-csi-driver]
|
|
[--enable-master-global-access] [--enable-multi-networking]
|
|
[--enable-ray-cluster-logging] [--enable-ray-cluster-monitoring]
|
|
[--enable-ray-operator] [--fleet-project=PROJECT_ID_OR_NUMBER]
|
|
[--hpa-profile=HPA_PROFILE] [--labels=[KEY=VALUE,...]]
|
|
[--logging=[COMPONENT,...]] [--membership-type=MEMBERSHIP_TYPE]
|
|
[--monitoring=[COMPONENT,...]] [--network=NETWORK]
|
|
[--private-endpoint-subnetwork=NAME] [--release-channel=CHANNEL]
|
|
[--security-group=SECURITY_GROUP] [--security-posture=SECURITY_POSTURE]
|
|
[--services-ipv4-cidr=CIDR] [--services-secondary-range-name=NAME]
|
|
[--subnetwork=SUBNETWORK] [--tier=TIER]
|
|
[--workload-policies=WORKLOAD_POLICIES]
|
|
[--workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING]
|
|
[--additive-vpc-scope-dns-domain=ADDITIVE_VPC_SCOPE_DNS_DOMAIN
|
|
| --disable-additive-vpc-scope]
|
|
[--aggregation-ca=CA_POOL_PATH --cluster-ca=CA_POOL_PATH
|
|
--control-plane-disk-encryption-key=KEY --etcd-api-ca=CA_POOL_PATH
|
|
--etcd-peer-ca=CA_POOL_PATH --gkeops-etcd-backup-encryption-key=KEY
|
|
--service-account-signing-keys=KEY_VERSION,[KEY_VERSION,...]
|
|
--service-account-verification-keys=KEY_VERSION,[KEY_VERSION,...]]
|
|
[--binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE
|
|
--binauthz-policy-bindings=[name=BINAUTHZ_POLICY,
|
|
enforcement-mode=ENFORCEMENT_MODE,...]]
|
|
[--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
|
|
| --disable-dataplane-v2-flow-observability
|
|
| --enable-dataplane-v2-flow-observability]
|
|
[--enable-insecure-binding-system-authenticated
|
|
--enable-insecure-binding-system-unauthenticated]
|
|
[--enable-master-authorized-networks
|
|
--master-authorized-networks=NETWORK,[NETWORK,...]]
|
|
[--enable-private-endpoint
|
|
--enable-private-nodes --master-ipv4-cidr=MASTER_IPV4_CIDR]
|
|
[--enable-secret-manager --enable-secret-manager-rotation
|
|
--secret-manager-rotation-interval=SECRET_MANAGER_ROTATION_INTERVAL]
|
|
[--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
|
|
[--scopes=[SCOPE,...];
|
|
default="gke-default" --service-account=SERVICE_ACCOUNT]
|
|
[GCLOUD_WIDE_FLAG ...]
|
|
|
|
DESCRIPTION
|
|
(ALPHA) Create an Autopilot cluster for running containers.
|
|
|
|
EXAMPLES
|
|
To create a cluster with the default configuration, run:
|
|
|
|
$ gcloud alpha container clusters create-auto sample-cluster
|
|
|
|
POSITIONAL ARGUMENTS
|
|
NAME
|
|
The name of the cluster to create.
|
|
|
|
The name may contain only lowercase alphanumerics and '-', must start
|
|
with a letter and end with an alphanumeric, and must be no longer than
|
|
40 characters.
|
|
|
|
FLAGS
|
|
--anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG
|
|
Enable or restrict anonymous access to the cluster. When enabled,
|
|
anonymous users will be authenticated as system:anonymous with the
|
|
group system:unauthenticated. Limiting access restricts anonymous
|
|
access to only the health check endpoints /readyz, /livez, and
|
|
/healthz.
|
|
|
|
ANONYMOUS_AUTHENTICATION_CONFIG must be one of:
|
|
|
|
ENABLED
|
|
'ENABLED' enables anonymous calls.
|
|
LIMITED
|
|
'LIMITED' restricts anonymous access to the cluster. Only calls to
|
|
the health check endpoints are allowed anonymously, all other calls
|
|
will be rejected.
|
|
|
|
--async
|
|
Return immediately, without waiting for the operation in progress to
|
|
complete.
|
|
|
|
--auto-monitoring-scope=AUTO_MONITORING_SCOPE
|
|
Enables Auto-Monitoring for a specific scope within the cluster. ALL:
|
|
Enables Auto-Monitoring for all supported workloads within the cluster.
|
|
NONE: Disables Auto-Monitoring. AUTO_MONITORING_SCOPE must be one of:
|
|
ALL, NONE.
|
|
|
|
--autoprovisioning-enable-insecure-kubelet-readonly-port
|
|
Enables the Kubelet's insecure read only port for Autoprovisioned Node
|
|
Pools.
|
|
|
|
If not set, the value from nodePoolDefaults.nodeConfigDefaults will be
|
|
used.
|
|
|
|
To disable the readonly port
|
|
--no-autoprovisioning-enable-insecure-kubelet-readonly-port.
|
|
|
|
--autoprovisioning-network-tags=TAGS,[TAGS,...]
|
|
Applies the given Compute Engine tags (comma separated) on all nodes in
|
|
the auto-provisioned node pools of the new Standard cluster or the new
|
|
Autopilot cluster.
|
|
|
|
Examples:
|
|
|
|
$ gcloud alpha container clusters create-auto example-cluster \
|
|
--autoprovisioning-network-tags=tag1,tag2
|
|
|
|
New nodes in auto-provisioned node pools, including ones created by
|
|
resize or recreate, will have these tags on the Compute Engine API
|
|
instance object and can be used in firewall rules. See
|
|
https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create
|
|
for examples.
|
|
|
|
--autoprovisioning-resource-manager-tags=[KEY=VALUE,...]
|
|
Applies the specified comma-separated resource manager tags that has
|
|
the GCE_FIREWALL purpose to all nodes in the new Autopilot cluster or
|
|
all auto-provisioned nodes in the new Standard cluster.
|
|
|
|
Examples:
|
|
|
|
$ gcloud alpha container clusters create-auto example-cluster \
|
|
--autoprovisioning-resource-manager-tags=tagKeys/\
|
|
1234=tagValues/2345
|
|
$ gcloud alpha container clusters create-auto example-cluster \
|
|
--autoprovisioning-resource-manager-tags=my-project/key1=value1
|
|
$ gcloud alpha container clusters create-auto example-cluster \
|
|
--autoprovisioning-resource-manager-tags=12345/key1=value1,\
|
|
23456/key2=value2
|
|
$ gcloud alpha container clusters create-auto example-cluster \
|
|
--autoprovisioning-resource-manager-tags=
|
|
|
|
All nodes in an Autopilot cluster or all auto-provisioned nodes in a
|
|
Standard cluster, including nodes that are resized or re-created, will
|
|
have the specified tags on the corresponding Instance object in the
|
|
Compute Engine API. You can reference these tags in network firewall
|
|
policy rules. For instructions, see
|
|
https://cloud.google.com/firewall/docs/use-tags-for-firewalls.
|
|
|
|
--boot-disk-kms-key=BOOT_DISK_KMS_KEY
|
|
The Customer Managed Encryption Key used to encrypt the boot disk
|
|
attached to each node in the node pool. This should be of the form
|
|
projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME].
|
|
For more information about protecting resources with Cloud KMS Keys
|
|
please see:
|
|
https://cloud.google.com/compute/docs/disks/customer-managed-encryption
|
|
|
|
--cluster-ipv4-cidr=CLUSTER_IPV4_CIDR
|
|
The IP address range for the pods in this cluster in CIDR notation
|
|
(e.g. 10.0.0.0/14). Prior to Kubernetes version 1.7.0 this must be a
|
|
subset of 10.0.0.0/8; however, starting with version 1.7.0 can be any
|
|
RFC 1918 IP range.
|
|
|
|
If you omit this option, a range is chosen automatically. The
|
|
automatically chosen range is randomly selected from 10.0.0.0/8 and
|
|
will not include IP address ranges allocated to VMs, existing routes,
|
|
or ranges allocated to other clusters. The automatically chosen range
|
|
might conflict with reserved IP addresses, dynamic routes, or routes
|
|
within VPCs that peer with this cluster. You should specify
|
|
--cluster-ipv4-cidr to prevent conflicts.
|
|
|
|
This field is not applicable in a Shared VPC setup where the IP address
|
|
range for the pods must be specified with
|
|
--cluster-secondary-range-name
|
|
|
|
--cluster-secondary-range-name=NAME
|
|
Set the secondary range to be used as the source for pod IPs. Alias
|
|
ranges will be allocated from this secondary range. NAME must be the
|
|
name of an existing secondary range in the cluster subnetwork.
|
|
|
|
Cannot be used with '--create-subnetwork' option.
|
|
|
|
--cluster-version=CLUSTER_VERSION
|
|
The Kubernetes version to use for the master and nodes. Defaults to
|
|
server-specified.
|
|
|
|
The default Kubernetes version is available using the following
|
|
command.
|
|
|
|
$ gcloud container get-server-config
|
|
|
|
--containerd-config-from-file=PATH_TO_FILE
|
|
Path of the YAML file that contains containerd configuration entries
|
|
like configuring access to private image registries.
|
|
|
|
For detailed information on the configuration usage, please refer to
|
|
https://cloud.google.com/kubernetes-engine/docs/how-to/customize-containerd-configuration.
|
|
|
|
Note: Updating the containerd configuration of an existing cluster or
|
|
node pool requires recreation of the existing nodes, which might cause
|
|
disruptions in running workloads.
|
|
|
|
Use a full or relative path to a local file containing the value of
|
|
containerd_config.
|
|
|
|
--create-subnetwork=[KEY=VALUE,...]
|
|
Create a new subnetwork for the cluster. The name and range of the
|
|
subnetwork can be customized via optional 'name' and 'range' key-value
|
|
pairs.
|
|
|
|
'name' specifies the name of the subnetwork to be created.
|
|
|
|
'range' specifies the IP range for the new subnetwork. This can either
|
|
be a netmask size (e.g. '/20') or a CIDR range (e.g. '10.0.0.0/20'). If
|
|
a netmask size is specified, the IP is automatically taken from the
|
|
free space in the cluster's network.
|
|
|
|
Examples:
|
|
|
|
Create a new subnetwork with a default name and size.
|
|
|
|
$ gcloud alpha container clusters create-auto --create-subnetwork ""
|
|
|
|
Create a new subnetwork named "my-subnet" with netmask of size 21.
|
|
|
|
$ gcloud alpha container clusters create-auto \
|
|
--create-subnetwork name=my-subnet,range=/21
|
|
|
|
Create a new subnetwork with a default name with the primary range of
|
|
10.100.0.0/16.
|
|
|
|
$ gcloud alpha container clusters create-auto \
|
|
--create-subnetwork range=10.100.0.0/16
|
|
|
|
Create a new subnetwork with the name "my-subnet" with a default range.
|
|
|
|
$ gcloud alpha container clusters create-auto \
|
|
--create-subnetwork name=my-subnet
|
|
|
|
Cannot be used in conjunction with '--subnetwork' option.
|
|
|
|
--database-encryption-key=DATABASE_ENCRYPTION_KEY
|
|
Enable Database Encryption.
|
|
|
|
Enable database encryption that will be used to encrypt Kubernetes
|
|
Secrets at the application layer. The key provided should be the
|
|
resource ID in the format of
|
|
projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME].
|
|
For more information, see
|
|
https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.
|
|
|
|
--disable-l4-lb-firewall-reconciliation
|
|
Disable reconciliation on the cluster for L4 Load Balancer VPC
|
|
firewalls targeting ingress traffic.
|
|
|
|
--enable-authorized-networks-on-private-endpoint
|
|
Enable enforcement of --master-authorized-networks CIDR ranges for
|
|
traffic reaching cluster's control plane via private IP.
|
|
|
|
--enable-auto-ipam
|
|
Enable the Auto IP Address Management (Auto IPAM) feature for the
|
|
cluster.
|
|
|
|
--enable-backup-restore
|
|
Enable the Backup for GKE add-on. This add-on is disabled by default.
|
|
To learn more, see the Backup for GKE overview:
|
|
https://cloud.google.com/kubernetes-engine/docs/add-on/backup-for-gke/concepts/backup-for-gke.
|
|
|
|
--enable-cilium-clusterwide-network-policy
|
|
Enable Cilium Clusterwide Network Policies on the cluster. Disabled by
|
|
default.
|
|
|
|
--enable-confidential-nodes
|
|
Enable confidential nodes for the cluster. Enabling Confidential Nodes
|
|
will create nodes using Confidential VM
|
|
https://cloud.google.com/compute/confidential-vm/docs/about-cvm.
|
|
|
|
--enable-default-compute-class
|
|
Enable the default compute class to use for the cluster.
|
|
|
|
To disable Default Compute Class in an existing cluster, explicitly set
|
|
flag --no-enable-default-compute-class.
|
|
|
|
--enable-dns-access
|
|
Enable access to the cluster's control plane over DNS-based endpoint.
|
|
|
|
DNS-based control plane access is recommended.
|
|
|
|
--enable-fleet
|
|
Set cluster project as the fleet host project. This will register the
|
|
cluster to the same project. To register the cluster to a fleet in a
|
|
different project, please use --fleet-project=FLEET_HOST_PROJECT.
|
|
Example: $ gcloud alpha container clusters create-auto --enable-fleet
|
|
|
|
--enable-google-cloud-access
|
|
When you enable Google Cloud Access, any public IP addresses owned by
|
|
Google Cloud can reach the public control plane endpoint of your
|
|
cluster.
|
|
|
|
--enable-ip-access
|
|
Enable access to the cluster's control plane over private IP and public
|
|
IP if --enable-private-endpoint is not enabled.
|
|
|
|
--enable-kubernetes-unstable-apis=API,[API,...]
|
|
Enable Kubernetes beta API features on this cluster. Beta APIs are not
|
|
expected to be production ready and should be avoided in
|
|
production-grade environments.
|
|
|
|
--enable-legacy-lustre-port
|
|
Allow the Lustre CSI driver to initialize LNet (the virtual network
|
|
layer for Lustre kernel module) using port 6988. This flag is required
|
|
to workaround a port conflict with the gke-metadata-server on GKE
|
|
nodes.
|
|
|
|
--enable-lustre-csi-driver
|
|
Enable the Lustre CSI Driver GKE add-on. This add-on is disabled by
|
|
default.
|
|
|
|
--enable-master-global-access
|
|
Use with private clusters to allow access to the master's private
|
|
endpoint from any Google Cloud region or on-premises environment
|
|
regardless of the private cluster's region.
|
|
|
|
--enable-multi-networking
|
|
Enables multi-networking on the cluster. Multi-networking is disabled
|
|
by default.
|
|
|
|
--enable-ray-cluster-logging
|
|
Enable automatic log processing sidecar for Ray clusters.
|
|
|
|
--enable-ray-cluster-monitoring
|
|
Enable automatic metrics collection for Ray clusters.
|
|
|
|
--enable-ray-operator
|
|
Enable the Ray Operator GKE add-on. This add-on is disabled by default.
|
|
|
|
--fleet-project=PROJECT_ID_OR_NUMBER
|
|
Sets fleet host project for the cluster. If specified, the current
|
|
cluster will be registered as a fleet membership under the fleet host
|
|
project.
|
|
|
|
Example: $ gcloud alpha container clusters create-auto \
|
|
--fleet-project=my-project
|
|
|
|
--hpa-profile=HPA_PROFILE
|
|
Set Horizontal Pod Autoscaler behavior. Accepted values are: none,
|
|
performance. For more information, see
|
|
https://cloud.google.com/kubernetes-engine/docs/how-to/horizontal-pod-autoscaling#hpa-profile.
|
|
|
|
--labels=[KEY=VALUE,...]
|
|
Labels to apply to the Google Cloud resources in use by the Kubernetes
|
|
Engine cluster. These are unrelated to Kubernetes labels.
|
|
|
|
Examples:
|
|
|
|
$ gcloud alpha container clusters create-auto example-cluster \
|
|
--labels=label_a=value1,label_b=,label_c=value3
|
|
|
|
--logging=[COMPONENT,...]
|
|
Set the components that have logging enabled. Valid component values
|
|
are: SYSTEM, WORKLOAD, API_SERVER, CONTROLLER_MANAGER, SCHEDULER
|
|
|
|
The default is SYSTEM,WORKLOAD. If this flag is set, then SYSTEM must
|
|
be included.
|
|
|
|
For more information, see
|
|
https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs#available-logs
|
|
|
|
Examples:
|
|
|
|
$ gcloud alpha container clusters create-auto --logging=SYSTEM
|
|
$ gcloud alpha container clusters create-auto \
|
|
--logging=SYSTEM,WORKLOAD
|
|
$ gcloud alpha container clusters create-auto \
|
|
--logging=SYSTEM,WORKLOAD,API_SERVER,CONTROLLER_MANAGER,\
|
|
SCHEDULER
|
|
|
|
--membership-type=MEMBERSHIP_TYPE
|
|
Specify a membership type for the cluster's fleet membership. Example:
|
|
$ gcloud alpha container clusters create-auto \
|
|
--membership-type=LIGHTWEIGHT. MEMBERSHIP_TYPE must be (only \ one
|
|
value is supported):
|
|
|
|
LIGHTWEIGHT
|
|
Fleet membership representing this cluster will be lightweight.
|
|
|
|
--monitoring=[COMPONENT,...]
|
|
Set the components that have monitoring enabled. Valid component values
|
|
are: SYSTEM, WORKLOAD (Deprecated), NONE, API_SERVER,
|
|
CONTROLLER_MANAGER, SCHEDULER, DAEMONSET, DEPLOYMENT, HPA, POD,
|
|
STATEFULSET, STORAGE, CADVISOR, KUBELET, DCGM, JOBSET
|
|
|
|
For more information, see
|
|
https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics#available-metrics
|
|
|
|
Examples:
|
|
|
|
$ gcloud alpha container clusters create-auto \
|
|
--monitoring=SYSTEM,API_SERVER,POD,DCGM
|
|
$ gcloud alpha container clusters create-auto --monitoring=SYSTEM
|
|
|
|
--network=NETWORK
|
|
The Compute Engine Network that the cluster will connect to. Google
|
|
Kubernetes Engine will use this network when creating routes and
|
|
firewalls for the clusters. Defaults to the 'default' network.
|
|
|
|
--private-endpoint-subnetwork=NAME
|
|
Sets the subnetwork GKE uses to provision the control plane's private
|
|
endpoint.
|
|
|
|
--release-channel=CHANNEL
|
|
Release channel a cluster is subscribed to.
|
|
|
|
If left unspecified and a version is specified, the cluster is enrolled
|
|
in the most mature release channel where the version is available
|
|
(first checking STABLE, then REGULAR, and finally RAPID). Otherwise, if
|
|
no release channel and no version is specified, the cluster is enrolled
|
|
in the REGULAR channel with its default version. When a cluster is
|
|
subscribed to a release channel, Google maintains both the master
|
|
version and the node version. Node auto-upgrade is enabled by default
|
|
for release channel clusters and can be controlled via upgrade-scope
|
|
exclusions
|
|
(https://cloud.google.com/kubernetes-engine/docs/concepts/maintenance-windows-and-exclusions#scope_of_maintenance_to_exclude).
|
|
|
|
CHANNEL must be one of:
|
|
|
|
extended
|
|
Clusters subscribed to 'extended' can remain on a minor version for
|
|
24 months from when the minor version is made available in the
|
|
Regular channel.
|
|
|
|
rapid
|
|
'rapid' channel is offered on an early access basis for customers
|
|
who want to test new releases.
|
|
|
|
WARNING: Versions available in the 'rapid' channel may be subject
|
|
to unresolved issues with no known workaround and are not subject
|
|
to any SLAs.
|
|
|
|
regular
|
|
Clusters subscribed to 'regular' receive versions that are
|
|
considered GA quality. 'regular' is intended for production users
|
|
who want to take advantage of new features.
|
|
|
|
stable
|
|
Clusters subscribed to 'stable' receive versions that are known to
|
|
be stable and reliable in production.
|
|
|
|
--security-group=SECURITY_GROUP
|
|
The name of the RBAC security group for use with Google security groups
|
|
in Kubernetes RBAC
|
|
(https://kubernetes.io/docs/reference/access-authn-authz/rbac/).
|
|
|
|
To include group membership as part of the claims issued by Google
|
|
during authentication, a group must be designated as a security group
|
|
by including it as a direct member of this group.
|
|
|
|
If unspecified, no groups will be returned for use with RBAC.
|
|
|
|
--security-posture=SECURITY_POSTURE
|
|
Sets the mode of the Kubernetes security posture API's off-cluster
|
|
features.
|
|
|
|
To enable advanced mode explicitly set the flag to
|
|
--security-posture=enterprise.
|
|
|
|
To enable in standard mode explicitly set the flag to
|
|
--security-posture=standard
|
|
|
|
To disable in an existing cluster, explicitly set the flag to
|
|
--security-posture=disabled.
|
|
|
|
For more information on enablement, see
|
|
https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard#feature-enablement.
|
|
|
|
SECURITY_POSTURE must be one of: disabled, standard, enterprise.
|
|
|
|
--services-ipv4-cidr=CIDR
|
|
Set the IP range for the services IPs.
|
|
|
|
Can be specified as a netmask size (e.g. '/20') or as in CIDR notion
|
|
(e.g. '10.100.0.0/20'). If given as a netmask size, the IP range will
|
|
be chosen automatically from the available space in the network.
|
|
|
|
If unspecified, the services CIDR range will be chosen with a default
|
|
mask size.
|
|
|
|
--services-secondary-range-name=NAME
|
|
Set the secondary range to be used for services (e.g. ClusterIPs). NAME
|
|
must be the name of an existing secondary range in the cluster
|
|
subnetwork.
|
|
|
|
Cannot be used with '--create-subnetwork' option.
|
|
|
|
--subnetwork=SUBNETWORK
|
|
The Google Compute Engine subnetwork
|
|
(https://cloud.google.com/compute/docs/subnetworks) to which the
|
|
cluster is connected. The subnetwork must belong to the network
|
|
specified by --network.
|
|
|
|
Cannot be used with the "--create-subnetwork" option.
|
|
|
|
--tier=TIER
|
|
Set the desired tier for the cluster. TIER must be one of: standard,
|
|
enterprise.
|
|
|
|
--workload-policies=WORKLOAD_POLICIES
|
|
Add Autopilot workload policies to the cluster.
|
|
|
|
Examples:
|
|
|
|
$ gcloud alpha container clusters create-auto example-cluster \
|
|
--workload-policies=allow-net-admin
|
|
|
|
The only supported workload policy is 'allow-net-admin'.
|
|
|
|
--workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING
|
|
Sets the mode of the Kubernetes security posture API's workload
|
|
vulnerability scanning.
|
|
|
|
To enable Advanced vulnerability insights mode explicitly set the flag
|
|
to --workload-vulnerability-scanning=enterprise.
|
|
|
|
To enable in standard mode explicitly set the flag to
|
|
--workload-vulnerability-scanning=standard.
|
|
|
|
To disable in an existing cluster, explicitly set the flag to
|
|
--workload-vulnerability-scanning=disabled.
|
|
|
|
For more information on enablement, see
|
|
https://cloud.google.com/kubernetes-engine/docs/concepts/about-security-posture-dashboard#feature-enablement.
|
|
|
|
WORKLOAD_VULNERABILITY_SCANNING must be one of: disabled, standard,
|
|
enterprise.
|
|
|
|
At most one of these can be specified:
|
|
|
|
--additive-vpc-scope-dns-domain=ADDITIVE_VPC_SCOPE_DNS_DOMAIN
|
|
The domain used in Additive VPC scope. Only works with Cluster Scope.
|
|
|
|
--disable-additive-vpc-scope
|
|
Disables Additive VPC Scope.
|
|
|
|
Control Plane Keys
|
|
|
|
--aggregation-ca=CA_POOL_PATH
|
|
The Certificate Authority Service caPool that will back the
|
|
aggregation CA
|
|
|
|
--cluster-ca=CA_POOL_PATH
|
|
The Certificate Authority Service caPool that will back the cluster
|
|
CA
|
|
|
|
--control-plane-disk-encryption-key=KEY
|
|
The Cloud KMS symmetric encryption cryptoKey that will be used to
|
|
encrypt the control plane disks
|
|
|
|
--etcd-api-ca=CA_POOL_PATH
|
|
The Certificate Authority Service caPool that will back the etcd API
|
|
CA
|
|
|
|
--etcd-peer-ca=CA_POOL_PATH
|
|
The Certificate Authority Service caPool that will back the etcd peer
|
|
CA
|
|
|
|
--gkeops-etcd-backup-encryption-key=KEY
|
|
The Cloud KMS symmetric encryption cryptoKey that will be used to
|
|
encrypt the disaster recovery etcd backups for the cluster
|
|
|
|
--service-account-signing-keys=KEY_VERSION,[KEY_VERSION,...]
|
|
A Cloud KMS asymmetric signing cryptoKeyVersion that will be used to
|
|
sign service account tokens
|
|
|
|
--service-account-verification-keys=KEY_VERSION,[KEY_VERSION,...]
|
|
A Cloud KMS asymmetric signing cryptoKeyVersion that will be used to
|
|
verify service account tokens. Maybe specified multiple times.
|
|
|
|
Flags for Binary Authorization:
|
|
|
|
--binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE
|
|
Enable Binary Authorization for this cluster.
|
|
BINAUTHZ_EVALUATION_MODE must be one of: disabled, policy-bindings,
|
|
policy-bindings-and-project-singleton-policy-enforce,
|
|
project-singleton-policy-enforce.
|
|
|
|
--binauthz-policy-bindings=[name=BINAUTHZ_POLICY,enforcement-mode=ENFORCEMENT_MODE,...]
|
|
Binds a Binary Authorization policy to the cluster.
|
|
|
|
name
|
|
(Required) The relative resource name of the Binary Authorization
|
|
policy to audit and/or enforce. GKE policies have the following
|
|
format:
|
|
projects/{project_number}/platforms/gke/policies/{policy_id}.
|
|
|
|
enforcement-mode
|
|
(Optional) The mode of enforcement for the policy. Must be one
|
|
of: audit, audit-and-enforce, audit-and-dryrun. Defaults to
|
|
audit, if unset.
|
|
|
|
At most one of these can be specified:
|
|
|
|
--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
|
|
(REMOVED) Select Advanced Datapath Observability mode for the
|
|
cluster. Defaults to DISABLED.
|
|
|
|
Advanced Datapath Observability allows for a real-time view into
|
|
pod-to-pod traffic within your cluster.
|
|
|
|
Examples:
|
|
|
|
$ gcloud alpha container clusters create-auto \
|
|
--dataplane-v2-observability-mode=DISABLED
|
|
|
|
$ gcloud alpha container clusters create-auto \
|
|
--dataplane-v2-observability-mode=INTERNAL_VPC_LB
|
|
|
|
$ gcloud alpha container clusters create-auto \
|
|
--dataplane-v2-observability-mode=EXTERNAL_LB
|
|
|
|
Flag --dataplane-v2-observability-mode has been removed.
|
|
|
|
DATAPLANE_V2_OBSERVABILITY_MODE must be one of:
|
|
|
|
DISABLED
|
|
Disables Advanced Datapath Observability.
|
|
EXTERNAL_LB
|
|
Makes Advanced Datapath Observability available to the external
|
|
network.
|
|
INTERNAL_VPC_LB
|
|
Makes Advanced Datapath Observability available from the VPC
|
|
network.
|
|
|
|
--disable-dataplane-v2-flow-observability
|
|
Disables Advanced Datapath Observability.
|
|
|
|
--enable-dataplane-v2-flow-observability
|
|
Enables Advanced Datapath Observability which allows for a real-time
|
|
view into pod-to-pod traffic within your cluster.
|
|
|
|
--enable-insecure-binding-system-authenticated
|
|
Allow using system:authenticated as a subject in ClusterRoleBindings
|
|
and RoleBindings. Allowing bindings that reference system:authenticated
|
|
is a security risk and is not recommended.
|
|
|
|
To disallow binding system:authenticated in a cluster, explicitly set
|
|
the --no-enable-insecure-binding-system-authenticated flag instead.
|
|
|
|
--enable-insecure-binding-system-unauthenticated
|
|
Allow using system:unauthenticated and system:anonymous as subjects in
|
|
ClusterRoleBindings and RoleBindings. Allowing bindings that reference
|
|
system:unauthenticated and system:anonymous are a security risk and is
|
|
not recommended.
|
|
|
|
To disallow binding system:authenticated in a cluster, explicitly set
|
|
the --no-enable-insecure-binding-system-unauthenticated flag instead.
|
|
|
|
Master Authorized Networks
|
|
|
|
--enable-master-authorized-networks
|
|
Allow only specified set of CIDR blocks (specified by the
|
|
--master-authorized-networks flag) to connect to Kubernetes master
|
|
through HTTPS. Besides these blocks, the following have access as
|
|
well:
|
|
|
|
1) The private network the cluster connects to if
|
|
`--enable-private-nodes` is specified.
|
|
2) Google Compute Engine Public IPs if `--enable-private-nodes` is not
|
|
specified.
|
|
|
|
Use --no-enable-master-authorized-networks to disable. When disabled,
|
|
public internet (0.0.0.0/0) is allowed to connect to Kubernetes
|
|
master through HTTPS.
|
|
|
|
--master-authorized-networks=NETWORK,[NETWORK,...]
|
|
The list of CIDR blocks (up to 100 for private cluster, 50 for public
|
|
cluster) that are allowed to connect to Kubernetes master through
|
|
HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot be
|
|
specified unless --enable-master-authorized-networks is also
|
|
specified.
|
|
|
|
Private Clusters
|
|
|
|
--enable-private-endpoint
|
|
Cluster is managed using the private IP address of the master API
|
|
endpoint.
|
|
|
|
--enable-private-nodes
|
|
Cluster is created with no public IP addresses on the cluster nodes.
|
|
|
|
--master-ipv4-cidr=MASTER_IPV4_CIDR
|
|
IPv4 CIDR range to use for the master network. This should have a
|
|
netmask of size /28 and should be used in conjunction with the
|
|
--enable-private-nodes flag.
|
|
|
|
Flags for Secret Manager configuration:
|
|
|
|
--enable-secret-manager
|
|
Enables the Secret Manager CSI driver provider component. See
|
|
https://secrets-store-csi-driver.sigs.k8s.io/introduction
|
|
https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp
|
|
|
|
To disable in an existing cluster, explicitly set flag to
|
|
--no-enable-secret-manager
|
|
|
|
--enable-secret-manager-rotation
|
|
Enables the rotation of secrets in the Secret Manager CSI driver
|
|
provider component.
|
|
|
|
To disable in an existing cluster, explicitly set flag to
|
|
--no-enable-secret-manager-rotation
|
|
|
|
--secret-manager-rotation-interval=SECRET_MANAGER_ROTATION_INTERVAL
|
|
Set the rotation period for secrets in the Secret Manager CSI driver
|
|
provider component.
|
|
|
|
At most one of these can be specified:
|
|
|
|
--location=LOCATION
|
|
Compute zone or region (e.g. us-central1-a or us-central1) for the
|
|
cluster. Overrides the default compute/region or compute/zone value
|
|
for this command invocation. Prefer using this flag over the --region
|
|
or --zone flags.
|
|
|
|
--region=REGION
|
|
Compute region (e.g. us-central1) for a regional cluster. Overrides
|
|
the default compute/region property value for this command
|
|
invocation.
|
|
|
|
--zone=ZONE, -z ZONE
|
|
Compute zone (e.g. us-central1-a) for a zonal cluster. Overrides the
|
|
default compute/zone property value for this command invocation.
|
|
|
|
Options to specify the node identity.
|
|
|
|
Scopes options.
|
|
|
|
--scopes=[SCOPE,...]; default="gke-default"
|
|
Specifies scopes for the node instances.
|
|
|
|
Examples:
|
|
|
|
$ gcloud alpha container clusters create-auto example-cluster \
|
|
--scopes=https://www.googleapis.com/auth/devstorage.read_only
|
|
|
|
$ gcloud alpha container clusters create-auto example-cluster \
|
|
--scopes=bigquery,storage-rw,compute-ro
|
|
|
|
Multiple scopes can be specified, separated by commas. Various
|
|
scopes are automatically added based on feature usage. Such scopes
|
|
are not added if an equivalent scope already exists.
|
|
|
|
▫ monitoring-write: always added to ensure metrics can be written
|
|
▫ logging-write: added if Cloud Logging is enabled
|
|
(--enable-cloud-logging/--logging)
|
|
▫ monitoring: added if Cloud Monitoring is enabled
|
|
(--enable-cloud-monitoring/--monitoring)
|
|
▫ gke-default: added for Autopilot clusters that use the default
|
|
service account
|
|
▫ cloud-platform: added for Autopilot clusters that use any other
|
|
service account
|
|
|
|
SCOPE can be either the full URI of the scope or an alias. Default
|
|
scopes are assigned to all instances. Available aliases are:
|
|
|
|
Alias URI
|
|
bigquery https://www.googleapis.com/auth/bigquery
|
|
cloud-platform https://www.googleapis.com/auth/cloud-platform
|
|
cloud-source-repos https://www.googleapis.com/auth/source.full_control
|
|
cloud-source-repos-ro https://www.googleapis.com/auth/source.read_only
|
|
compute-ro https://www.googleapis.com/auth/compute.readonly
|
|
compute-rw https://www.googleapis.com/auth/compute
|
|
datastore https://www.googleapis.com/auth/datastore
|
|
default https://www.googleapis.com/auth/devstorage.read_only
|
|
https://www.googleapis.com/auth/logging.write
|
|
https://www.googleapis.com/auth/monitoring.write
|
|
https://www.googleapis.com/auth/pubsub
|
|
https://www.googleapis.com/auth/service.management.readonly
|
|
https://www.googleapis.com/auth/servicecontrol
|
|
https://www.googleapis.com/auth/trace.append
|
|
gke-default https://www.googleapis.com/auth/devstorage.read_only
|
|
https://www.googleapis.com/auth/logging.write
|
|
https://www.googleapis.com/auth/monitoring
|
|
https://www.googleapis.com/auth/service.management.readonly
|
|
https://www.googleapis.com/auth/servicecontrol
|
|
https://www.googleapis.com/auth/trace.append
|
|
logging-write https://www.googleapis.com/auth/logging.write
|
|
monitoring https://www.googleapis.com/auth/monitoring
|
|
monitoring-read https://www.googleapis.com/auth/monitoring.read
|
|
monitoring-write https://www.googleapis.com/auth/monitoring.write
|
|
pubsub https://www.googleapis.com/auth/pubsub
|
|
service-control https://www.googleapis.com/auth/servicecontrol
|
|
service-management https://www.googleapis.com/auth/service.management.readonly
|
|
sql (deprecated) https://www.googleapis.com/auth/sqlservice
|
|
sql-admin https://www.googleapis.com/auth/sqlservice.admin
|
|
storage-full https://www.googleapis.com/auth/devstorage.full_control
|
|
storage-ro https://www.googleapis.com/auth/devstorage.read_only
|
|
storage-rw https://www.googleapis.com/auth/devstorage.read_write
|
|
taskqueue https://www.googleapis.com/auth/taskqueue
|
|
trace https://www.googleapis.com/auth/trace.append
|
|
userinfo-email https://www.googleapis.com/auth/userinfo.email
|
|
|
|
DEPRECATION WARNING: https://www.googleapis.com/auth/sqlservice
|
|
account scope and sql alias do not provide SQL instance management
|
|
capabilities and have been deprecated. Please, use
|
|
https://www.googleapis.com/auth/sqlservice.admin or sql-admin to
|
|
manage your Google SQL Service instances.
|
|
|
|
--service-account=SERVICE_ACCOUNT
|
|
The Google Cloud Platform Service Account to be used by the node VMs.
|
|
If a service account is specified, the cloud-platform and
|
|
userinfo.email scopes are used. If no Service Account is specified,
|
|
the project default service account is used.
|
|
|
|
GCLOUD WIDE FLAGS
|
|
These flags are available to all commands: --access-token-file, --account,
|
|
--billing-project, --configuration, --flags-file, --flatten, --format,
|
|
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
|
--trace-token, --user-output-enabled, --verbosity.
|
|
|
|
Run $ gcloud help for details.
|
|
|
|
NOTES
|
|
This command is currently in alpha and might change without notice. If this
|
|
command fails with API permission errors despite specifying the correct
|
|
project, you might be trying to access an API with an invitation-only early
|
|
access allowlist. These variants are also available:
|
|
|
|
$ gcloud container clusters create-auto
|
|
|
|
$ gcloud beta container clusters create-auto
|
|
|