gcloud container clusters create

NAME
gcloud container clusters create - create a cluster for running containers
SYNOPSIS
gcloud container clusters create NAME [--accelerator=[type=TYPE,[count=COUNT,gpu-driver-version=GPU_DRIVER_VERSION,gpu-partition-size=GPU_PARTITION_SIZE,gpu-sharing-strategy=GPU_SHARING_STRATEGY,max-shared-clients-per-gpu=MAX_SHARED_CLIENTS_PER_GPU],…]] [--additional-zones=ZONE,[ZONE,…]] [--addons=[ADDON[=ENABLED|DISABLED],…]] [--alpha-cluster-feature-gates=[FEATURE=true|false,…]] [--anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG] [--async] [--auto-monitoring-scope=AUTO_MONITORING_SCOPE] [--autopilot-general-profile=AUTOPILOT_GENERAL_PROFILE] [--autopilot-privileged-admission=[ALLOWLIST_PATHS,…]] [--autopilot-workload-policies=WORKLOAD_POLICIES] [--autoprovisioning-enable-insecure-kubelet-readonly-port] [--autoprovisioning-network-tags=TAGS,[TAGS,…]] [--autoprovisioning-resource-manager-tags=[KEY=VALUE,…]] [--autoscaling-profile=AUTOSCALING_PROFILE] [--boot-disk-kms-key=BOOT_DISK_KMS_KEY] [--cloud-run-config=[load-balancer-type=EXTERNAL,…]] [--cluster-ipv4-cidr=CLUSTER_IPV4_CIDR] [--cluster-secondary-range-name=NAME] [--cluster-version=CLUSTER_VERSION] [--confidential-node-type=CONFIDENTIAL_NODE_TYPE] [--containerd-config-from-file=PATH_TO_FILE] [--create-subnetwork=[KEY=VALUE,…]] [--data-cache-count=DATA_CACHE_COUNT] [--database-encryption-key=DATABASE_ENCRYPTION_KEY] [--default-max-pods-per-node=DEFAULT_MAX_PODS_PER_NODE] [--disable-default-snat] [--disable-l4-lb-firewall-reconciliation] [--disable-multi-nic-lustre] [--disk-size=DISK_SIZE] [--disk-type=DISK_TYPE] [--enable-authorized-networks-on-private-endpoint] [--enable-auto-ipam] [--enable-autorepair] [--no-enable-autoupgrade] [--enable-cilium-clusterwide-network-policy] [--enable-cloud-logging] [--enable-cloud-monitoring] [--enable-cloud-run-alpha] [--enable-confidential-nodes] [--enable-confidential-storage] [--enable-cost-allocation] [--enable-dataplane-v2] [--enable-default-compute-class] [--enable-dns-access] [--enable-fleet] [--enable-fqdn-network-policy] [--enable-google-cloud-access] 
[--enable-gvnic] [--enable-identity-service] [--enable-image-streaming] [--enable-insecure-kubelet-readonly-port] [--enable-intra-node-visibility] [--enable-ip-access] [--enable-ip-alias] [--enable-k8s-certs-via-dns] [--enable-k8s-tokens-via-dns] [--enable-kernel-module-signature-enforcement] [--enable-kubernetes-alpha] [--enable-kubernetes-unstable-apis=API,[API,…]] [--enable-l4-ilb-subsetting] [--enable-legacy-authorization] [--enable-legacy-lustre-port] [--enable-managed-prometheus] [--enable-master-global-access] [--enable-multi-networking] [--enable-nested-virtualization] [--enable-network-policy] [--enable-ray-cluster-logging] [--enable-ray-cluster-monitoring] [--enable-service-externalips] [--enable-shielded-nodes] [--enable-stackdriver-kubernetes] [--enable-vertical-pod-autoscaling] [--fleet-project=PROJECT_ID_OR_NUMBER] [--gateway-api=GATEWAY_API] [--hpa-profile=HPA_PROFILE] [--image-type=IMAGE_TYPE] [--in-transit-encryption=IN_TRANSIT_ENCRYPTION] [--ipv6-access-type=IPV6_ACCESS_TYPE] [--issue-client-certificate] [--labels=[KEY=VALUE,…]] [--logging=[COMPONENT,…]] [--logging-variant=LOGGING_VARIANT] [--machine-type=MACHINE_TYPE, -m MACHINE_TYPE] [--max-nodes-per-pool=MAX_NODES_PER_POOL] [--max-pods-per-node=MAX_PODS_PER_NODE] [--max-surge-upgrade=MAX_SURGE_UPGRADE; default=1] [--max-unavailable-upgrade=MAX_UNAVAILABLE_UPGRADE] [--membership-type=MEMBERSHIP_TYPE] [--metadata=KEY=VALUE,[KEY=VALUE,…]] [--metadata-from-file=KEY=LOCAL_FILE_PATH,[…]] [--min-cpu-platform=PLATFORM] [--monitoring=[COMPONENT,…]] [--network=NETWORK] [--network-performance-configs=[PROPERTY1=VALUE1,…]] [--node-labels=[NODE_LABEL,…]] [--node-locations=ZONE,[ZONE,…]] [--node-taints=[NODE_TAINT,…]] [--node-version=NODE_VERSION] [--notification-config=[pubsub=ENABLED|DISABLED,pubsub-topic=TOPIC,…]] [--num-nodes=NUM_NODES; default=3] [--patch-update=[PATCH_UPDATE]] [--performance-monitoring-unit=PERFORMANCE_MONITORING_UNIT] [--placement-policy=PLACEMENT_POLICY] 
[--placement-type=PLACEMENT_TYPE] [--preemptible] [--private-endpoint-subnetwork=NAME] [--private-ipv6-google-access-type=PRIVATE_IPV6_GOOGLE_ACCESS_TYPE] [--release-channel=CHANNEL] [--resource-manager-tags=[KEY=VALUE,…]] [--security-group=SECURITY_GROUP] [--security-posture=SECURITY_POSTURE] [--services-ipv4-cidr=CIDR] [--services-secondary-range-name=NAME] [--shielded-integrity-monitoring] [--shielded-secure-boot] [--spot] [--stack-type=STACK_TYPE] [--storage-pools=STORAGE_POOL,[…]] [--subnetwork=SUBNETWORK] [--system-config-from-file=PATH_TO_FILE] [--tags=TAG,[TAG,…]] [--threads-per-core=THREADS_PER_CORE] [--tier=TIER] [--workload-metadata=WORKLOAD_METADATA] [--workload-pool=WORKLOAD_POOL] [--workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING] [--aggregation-ca=CA_POOL_PATH --cluster-ca=CA_POOL_PATH --control-plane-disk-encryption-key=KEY --etcd-api-ca=CA_POOL_PATH --etcd-peer-ca=CA_POOL_PATH --gkeops-etcd-backup-encryption-key=KEY --service-account-signing-keys=KEY_VERSION,[KEY_VERSION,…] --service-account-verification-keys=KEY_VERSION,[KEY_VERSION,…]] [--binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE     | --enable-binauthz] [--boot-disk-provisioned-iops=BOOT_DISK_PROVISIONED_IOPS --boot-disk-provisioned-throughput=BOOT_DISK_PROVISIONED_THROUGHPUT] [--cluster-dns=CLUSTER_DNS --cluster-dns-domain=CLUSTER_DNS_DOMAIN --cluster-dns-scope=CLUSTER_DNS_SCOPE --additive-vpc-scope-dns-domain=ADDITIVE_VPC_SCOPE_DNS_DOMAIN     | --disable-additive-vpc-scope] [--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE     | --disable-dataplane-v2-flow-observability     | --enable-dataplane-v2-flow-observability] [--disable-dataplane-v2-metrics     | --enable-dataplane-v2-metrics] [[--enable-autoprovisioning : --autoprovisioning-config-file=PATH_TO_FILE | [--max-cpu=MAX_CPU --max-memory=MAX_MEMORY : --autoprovisioning-image-type=AUTOPROVISIONING_IMAGE_TYPE --autoprovisioning-locations=ZONE,[ZONE,…] --autoprovisioning-min-cpu-platform=PLATFORM 
--min-cpu=MIN_CPU --min-memory=MIN_MEMORY --autoprovisioning-max-surge-upgrade=AUTOPROVISIONING_MAX_SURGE_UPGRADE --autoprovisioning-max-unavailable-upgrade=AUTOPROVISIONING_MAX_UNAVAILABLE_UPGRADE --autoprovisioning-node-pool-soak-duration=AUTOPROVISIONING_NODE_POOL_SOAK_DURATION --autoprovisioning-standard-rollout-policy=[batch-node-count=BATCH_NODE_COUNT,batch-percent=BATCH_NODE_PERCENTAGE,batch-soak-duration=BATCH_SOAK_DURATION,…] --enable-autoprovisioning-blue-green-upgrade | --enable-autoprovisioning-surge-upgrade --autoprovisioning-scopes=[SCOPE,…] --autoprovisioning-service-account=AUTOPROVISIONING_SERVICE_ACCOUNT --enable-autoprovisioning-autorepair --enable-autoprovisioning-autoupgrade [--max-accelerator=[type=TYPE,count=COUNT,…] : --min-accelerator=[type=TYPE,count=COUNT,…]]]]] [--enable-autoscaling --location-policy=LOCATION_POLICY --max-nodes=MAX_NODES --min-nodes=MIN_NODES --total-max-nodes=TOTAL_MAX_NODES --total-min-nodes=TOTAL_MIN_NODES] [--enable-insecure-binding-system-authenticated --enable-insecure-binding-system-unauthenticated] [--enable-master-authorized-networks --master-authorized-networks=NETWORK,[NETWORK,…]] [--enable-network-egress-metering --enable-resource-consumption-metering --resource-usage-bigquery-dataset=RESOURCE_USAGE_BIGQUERY_DATASET] [--enable-private-endpoint --enable-private-nodes --master-ipv4-cidr=MASTER_IPV4_CIDR] [--enable-secret-manager --enable-secret-manager-rotation --secret-manager-rotation-interval=SECRET_MANAGER_ROTATION_INTERVAL] [--ephemeral-storage-local-ssd[=[count=COUNT]]     | --local-nvme-ssd-block[=[count=COUNT]]     | --local-ssd-count=LOCAL_SSD_COUNT] [--location=LOCATION     | --region=REGION     | --zone=ZONE, -z ZONE] [--maintenance-minor-version-disruption-interval=MAINTENANCE_MINOR_VERSION_DISRUPTION_INTERVAL --maintenance-patch-version-disruption-interval=MAINTENANCE_PATCH_VERSION_DISRUPTION_INTERVAL] [--maintenance-window=START_TIME     | --maintenance-window-end=TIME_STAMP 
--maintenance-window-recurrence=RRULE --maintenance-window-start=TIME_STAMP] [--password=PASSWORD --enable-basic-auth     | --username=USERNAME, -u USERNAME] [--reservation=RESERVATION --reservation-affinity=RESERVATION_AFFINITY] [--scopes=[SCOPE,…]; default="gke-default" --service-account=SERVICE_ACCOUNT] [GCLOUD_WIDE_FLAG]
DESCRIPTION
Create a cluster for running containers.
EXAMPLES
To create a cluster with the default configuration, run:
gcloud container clusters create sample-cluster
POSITIONAL ARGUMENTS
NAME
The name of the cluster to create.

The name may contain only lowercase alphanumerics and '-', must start with a letter and end with an alphanumeric, and must be no longer than 40 characters.

FLAGS
--accelerator=[type=TYPE,[count=COUNT,gpu-driver-version=GPU_DRIVER_VERSION,gpu-partition-size=GPU_PARTITION_SIZE,gpu-sharing-strategy=GPU_SHARING_STRATEGY,max-shared-clients-per-gpu=MAX_SHARED_CLIENTS_PER_GPU],…]
Attaches accelerators (e.g. GPUs) to all nodes.
type
(Required) The specific type (e.g. nvidia-tesla-t4 for NVIDIA T4) of accelerator to attach to the instances. Use gcloud compute accelerator-types list to learn about all available accelerator types.
count
(Optional) The number of accelerators to attach to the instances. The default value is 1.
gpu-driver-version
(Optional) The NVIDIA driver version to install. GPU_DRIVER_VERSION must be one of:
`default`: Install the default driver version for this GKE version. For GKE version 1.30.1-gke.1156000 and later, this is the default option.
`latest`: Install the latest driver version available for this GKE version.
Can only be used for nodes that use Container-Optimized OS.
`disabled`: Skip automatic driver installation. You must manually install a driver after you create the cluster. For GKE version 1.30.1-gke.1156000 and earlier, this is the default option.
To manually install the GPU driver, refer to https://cloud.google.com/kubernetes-engine/docs/how-to/gpus#installing_drivers.
gpu-partition-size
(Optional) The GPU partition size used when running multi-instance GPUs. For information about multi-instance GPUs, refer to: https://cloud.google.com/kubernetes-engine/docs/how-to/gpus-multi
gpu-sharing-strategy
(Optional) The GPU sharing strategy (e.g. time-sharing) to use. For information about GPU sharing, refer to: https://cloud.google.com/kubernetes-engine/docs/concepts/timesharing-gpus
max-shared-clients-per-gpu
(Optional) The max number of containers allowed to share each GPU on the node. This field is used together with gpu-sharing-strategy.
--additional-zones=ZONE,[ZONE,…]
(DEPRECATED) The set of additional zones in which the specified node footprint should be replicated. All zones must be in the same region as the cluster's primary zone. If additional-zones is not specified, all nodes will be in the cluster's primary zone.

Note that NUM_NODES nodes will be created in each zone, such that if you specify --num-nodes=4 and choose one additional zone, 8 nodes will be created.

Multiple locations can be specified, separated by commas. For example:

gcloud container clusters create example-cluster --zone us-central1-a --additional-zones us-central1-b,us-central1-c

This flag is deprecated. Use --node-locations=PRIMARY_ZONE,[ZONE,…] instead.

--addons=[ADDON[=ENABLED|DISABLED],…]
Addons (https://cloud.google.com/kubernetes-engine/docs/reference/rest/v1/projects.locations.clusters#Cluster.AddonsConfig) are additional Kubernetes cluster components. Addons specified by this flag will be enabled. The others will be disabled. Default addons: HttpLoadBalancing, HorizontalPodAutoscaling. The Istio addon is deprecated and removed. For more information and migration, see https://cloud.google.com/istio/docs/istio-on-gke/migrate-to-anthos-service-mesh. ADDON must be one of: HttpLoadBalancing, HorizontalPodAutoscaling, KubernetesDashboard, NetworkPolicy, NodeLocalDNS, ConfigConnector, GcePersistentDiskCsiDriver, GcpFilestoreCsiDriver, BackupRestore, GcsFuseCsiDriver, ParallelstoreCsiDriver, HighScaleCheckpointing, LustreCsiDriver, RayOperator, SlurmOperator, NodeReadinessController, CloudRun.
--alpha-cluster-feature-gates=[FEATURE=true|false,…]
Selectively enable or disable Kubernetes alpha and beta feature gates on an alpha GKE cluster. Alpha clusters are not covered by the Kubernetes Engine SLA and should not be used for production workloads.
--anonymous-authentication-config=ANONYMOUS_AUTHENTICATION_CONFIG
Enable or restrict anonymous access to the cluster. When enabled, anonymous users will be authenticated as system:anonymous with the group system:unauthenticated. Limiting access restricts anonymous access to only the health check endpoints /readyz, /livez, and /healthz.

ANONYMOUS_AUTHENTICATION_CONFIG must be one of:

ENABLED
'ENABLED' enables anonymous calls.
LIMITED
'LIMITED' restricts anonymous access to the cluster. Only calls to the health check endpoints are allowed anonymously, all other calls will be rejected.
--async
Return immediately, without waiting for the operation in progress to complete.
--auto-monitoring-scope=AUTO_MONITORING_SCOPE
Enables Auto-Monitoring for a specific scope within the cluster. ALL: Enables Auto-Monitoring for all supported workloads within the cluster. NONE: Disables Auto-Monitoring. AUTO_MONITORING_SCOPE must be one of: ALL, NONE.
--autopilot-general-profile=AUTOPILOT_GENERAL_PROFILE
Sets the Autopilot general profile for the cluster; possible values are none and no-performance. If none is used, the cluster will use the Autopilot default configuration. AUTOPILOT_GENERAL_PROFILE must be one of: none, no-performance.
--autopilot-privileged-admission=[ALLOWLIST_PATHS,…]
Specifies which privileged workload allowlist paths can be referenced and installed by AllowlistSynchronizers in Autopilot modes.

The value is a comma-separated list of paths in the format:

  • gke://<partner_name>/<app_name>/<allowlist_path> for Autopilot partner allowlists
  • gs://<bucket_name>/<allowlist_path> for user allowlists

By default, all GKE-managed allowlists (gke://*) are authorized. See https://cloud.google.com/kubernetes-engine/docs/resources/autopilot-partners for all supported Autopilot partner allowlists. When setting this flag, be careful to explicitly specify gke://* in addition to other entries if you rely on this default behavior.

Wildcards (*) are supported. For example, if gke://* is authorized, then AllowlistSynchronizers can be used to install gke://partner1/allowlist1.yaml and gke://partner2/allowlist2.yaml.

Note: Use of user allowlists (gs://) requires special permissions and is only available to a subset of high tier customers. Please contact your account team for more information.

Examples:

Allow all GKE-managed allowlists (default behavior):

gcloud container clusters create --autopilot-privileged-admission=gke://*

Authorize only allowlists from a GKE Autopilot partner:

gcloud container clusters create --autopilot-privileged-admission=gke://my-partner/*

Authorize only a singular user-owned allowlist

gcloud container clusters create --autopilot-privileged-admission=gs://my-bucket/allowlists/my-allowlist.yaml

Authorize all user-owned allowlists under a given path:

gcloud container clusters create --autopilot-privileged-admission=gs://my-bucket/*

Authorize all GKE-managed allowlists and a specific user-owned allowlist:

gcloud container clusters create --autopilot-privileged-admission=gke://*,gs://my-bucket/allowlists/my-allowlist.yaml

Disable allowlist installation entirely:

gcloud container clusters create --autopilot-privileged-admission=""

Exercise caution when using this flag on an existing cluster. Upon updates, existing AllowlistSynchronizers will uninstall allowlists that are no longer authorized.

For instructions on installing allowlists in the cluster after authorization, please refer to: https://cloud.google.com/kubernetes-engine/docs/how-to/run-autopilot-partner-workloads

--autopilot-workload-policies=WORKLOAD_POLICIES
Add Autopilot workload policies to the cluster.

Examples:

gcloud container clusters create example-cluster --autopilot-workload-policies=allow-net-admin

The only supported workload policy is 'allow-net-admin'.

--autoprovisioning-enable-insecure-kubelet-readonly-port
Enables the Kubelet's insecure read only port for Autoprovisioned Node Pools.

If not set, the value from nodePoolDefaults.nodeConfigDefaults will be used.

To disable the read-only port, use --no-autoprovisioning-enable-insecure-kubelet-readonly-port.

--autoprovisioning-network-tags=TAGS,[TAGS,…]
Applies the given Compute Engine tags (comma separated) on all nodes in the auto-provisioned node pools of the new Standard cluster or the new Autopilot cluster.

Examples:

gcloud container clusters create example-cluster --autoprovisioning-network-tags=tag1,tag2

New nodes in auto-provisioned node pools, including ones created by resize or recreate, will have these tags on the Compute Engine API instance object and can be used in firewall rules. See https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create for examples.

--autoprovisioning-resource-manager-tags=[KEY=VALUE,…]
Applies the specified comma-separated resource manager tags that have the GCE_FIREWALL purpose to all nodes in the new Autopilot cluster or to all auto-provisioned nodes in the new Standard cluster.

Examples:

gcloud container clusters create example-cluster --autoprovisioning-resource-manager-tags=tagKeys/1234=tagValues/2345
gcloud container clusters create example-cluster --autoprovisioning-resource-manager-tags=my-project/key1=value1
gcloud container clusters create example-cluster --autoprovisioning-resource-manager-tags=12345/key1=value1,23456/key2=value2
gcloud container clusters create example-cluster --autoprovisioning-resource-manager-tags=

All nodes in an Autopilot cluster or all auto-provisioned nodes in a Standard cluster, including nodes that are resized or re-created, will have the specified tags on the corresponding Instance object in the Compute Engine API. You can reference these tags in network firewall policy rules. For instructions, see https://cloud.google.com/firewall/docs/use-tags-for-firewalls.

--autoscaling-profile=AUTOSCALING_PROFILE
Set the autoscaling behaviour; choices are 'optimize-utilization' and 'balanced'. Default is 'balanced'.
--boot-disk-kms-key=BOOT_DISK_KMS_KEY
The Customer Managed Encryption Key used to encrypt the boot disk attached to each node in the node pool. This should be of the form projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information about protecting resources with Cloud KMS Keys please see: https://cloud.google.com/compute/docs/disks/customer-managed-encryption
--cloud-run-config=[load-balancer-type=EXTERNAL,…]
Configuration for the Cloud Run addon; requires --addons=CloudRun for create and --update-addons=CloudRun=ENABLED for update.
load-balancer-type
(Optional) The type of load balancer: EXTERNAL or INTERNAL.

Examples:

gcloud container clusters create example-cluster --cloud-run-config=load-balancer-type=INTERNAL
--cluster-ipv4-cidr=CLUSTER_IPV4_CIDR
The IP address range for the pods in this cluster in CIDR notation (e.g. 10.0.0.0/14). Prior to Kubernetes version 1.7.0 this must be a subset of 10.0.0.0/8; however, starting with version 1.7.0 it can be any RFC 1918 IP range.

If you omit this option, a range is chosen automatically. The automatically chosen range is randomly selected from 10.0.0.0/8 and will not include IP address ranges allocated to VMs, existing routes, or ranges allocated to other clusters. The automatically chosen range might conflict with reserved IP addresses, dynamic routes, or routes within VPCs that peer with this cluster. You should specify --cluster-ipv4-cidr to prevent conflicts.

This field is not applicable in a Shared VPC setup, where the IP address range for the pods must be specified with --cluster-secondary-range-name.

--cluster-secondary-range-name=NAME
Set the secondary range to be used as the source for pod IPs. Alias ranges will be allocated from this secondary range. NAME must be the name of an existing secondary range in the cluster subnetwork. Cannot be specified unless '--enable-ip-alias' option is also specified. Cannot be used with '--create-subnetwork' option.
--cluster-version=CLUSTER_VERSION
The Kubernetes version to use for the master and nodes. Defaults to server-specified.

The default Kubernetes version is available using the following command.

gcloud container get-server-config
--confidential-node-type=CONFIDENTIAL_NODE_TYPE
Enable confidential nodes for the cluster. Enabling Confidential Nodes will create nodes using Confidential VM https://docs.cloud.google.com/compute/docs/about-confidential-vm. CONFIDENTIAL_NODE_TYPE must be one of: sev, sev_snp, tdx.
--containerd-config-from-file=PATH_TO_FILE
Path of the YAML file that contains containerd configuration entries like configuring access to private image registries.

For detailed information on the configuration usage, please refer to https://cloud.google.com/kubernetes-engine/docs/how-to/customize-containerd-configuration.

Note: Updating the containerd configuration of an existing cluster or node pool requires recreation of the existing nodes, which might cause disruptions in running workloads.

Use a full or relative path to a local file containing the value of containerd_config.

--create-subnetwork=[KEY=VALUE,…]
Create a new subnetwork for the cluster. The name and range of the subnetwork can be customized via optional 'name' and 'range' key-value pairs.

'name' specifies the name of the subnetwork to be created.

'range' specifies the IP range for the new subnetwork. This can either be a netmask size (e.g. '/20') or a CIDR range (e.g. '10.0.0.0/20'). If a netmask size is specified, the IP is automatically taken from the free space in the cluster's network.

Examples:

Create a new subnetwork with a default name and size.

gcloud container clusters create --create-subnetwork ""

Create a new subnetwork named "my-subnet" with netmask of size 21.

gcloud container clusters create --create-subnetwork name=my-subnet,range=/21

Create a new subnetwork with a default name with the primary range of 10.100.0.0/16.

gcloud container clusters create --create-subnetwork range=10.100.0.0/16

Create a new subnetwork with the name "my-subnet" with a default range.

gcloud container clusters create --create-subnetwork name=my-subnet
Cannot be specified unless '--enable-ip-alias' option is also specified. Cannot be used in conjunction with '--subnetwork' option.
--data-cache-count=DATA_CACHE_COUNT
Specifies the number of local SSDs to be utilized for GKE Data Cache in the cluster.
--database-encryption-key=DATABASE_ENCRYPTION_KEY
Enable Database Encryption.

Enable database encryption that will be used to encrypt Kubernetes Secrets at the application layer. The key provided should be the resource ID in the format of projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.

--default-max-pods-per-node=DEFAULT_MAX_PODS_PER_NODE
The default max number of pods per node for node pools in the cluster.

This flag sets the default max-pods-per-node for node pools in the cluster. If --max-pods-per-node is not specified explicitly for a node pool, this flag value will be used.

Must be used in conjunction with '--enable-ip-alias'.

--disable-default-snat
Disable default source NAT rules applied in cluster nodes.

By default, cluster nodes perform source network address translation (SNAT) for packets sent from Pod IP address sources to destination IP addresses that are not in the non-masquerade CIDRs list. SNAT changes the packet's source IP address to the node's internal IP address. For more details about SNAT and IP masquerading, see: https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent#how_ipmasq_works

When this flag is set, GKE does not perform SNAT for packets sent to any destination. You must set this flag if the cluster uses privately reused public IPs.

The --disable-default-snat flag is only applicable to private GKE clusters, which are inherently VPC-native. Thus, --disable-default-snat requires that you also set --enable-ip-alias and --enable-private-nodes.

--disable-l4-lb-firewall-reconciliation
Disable reconciliation on the cluster for L4 Load Balancer VPC firewalls targeting ingress traffic.
--disable-multi-nic-lustre
Disable the Lustre CSI driver's automatic detection and configuration of all suitable network interfaces on a node for Lustre IO.
--disk-size=DISK_SIZE
Size for node VM boot disks in GB. Defaults to 100GB.
--disk-type=DISK_TYPE
Type of the node VM boot disk. For version 1.24 and later, defaults to pd-balanced. For versions earlier than 1.24, defaults to pd-standard. DISK_TYPE must be one of: pd-standard, pd-ssd, pd-balanced, hyperdisk-balanced, hyperdisk-extreme, hyperdisk-throughput.
--enable-authorized-networks-on-private-endpoint
Enable enforcement of --master-authorized-networks CIDR ranges for traffic reaching the cluster's control plane via its private IP address.
--enable-auto-ipam
Enable the Auto IP Address Management (Auto IPAM) feature for the cluster.
--enable-autorepair
Enable node autorepair feature for a cluster's default node pool(s).
gcloud container clusters create example-cluster --enable-autorepair

Node autorepair is enabled by default for clusters using COS, COS_CONTAINERD, UBUNTU or UBUNTU_CONTAINERD as a base image; use --no-enable-autorepair to disable it.

See https://cloud.google.com/kubernetes-engine/docs/how-to/node-auto-repair for more info.

--enable-autoupgrade
Sets the autoupgrade feature for a cluster's default node pool(s).
gcloud container clusters create example-cluster --enable-autoupgrade

See https://cloud.google.com/kubernetes-engine/docs/node-auto-upgrades for more info.

Enabled by default, use --no-enable-autoupgrade to disable.

--enable-cilium-clusterwide-network-policy
Enable Cilium Clusterwide Network Policies on the cluster. Disabled by default.
--enable-cloud-logging
(DEPRECATED) Automatically send logs from the cluster to the Google Cloud Logging API.

Legacy Logging and Monitoring is deprecated. Thus, flag --enable-cloud-logging is also deprecated and will be removed in an upcoming release. Please use --logging (optionally with --monitoring). For more details, please read: https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs and https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics.

--enable-cloud-monitoring
(DEPRECATED) Automatically send metrics from pods in the cluster to the Google Cloud Monitoring API. VM metrics will be collected by Google Compute Engine regardless of this setting.

Legacy Logging and Monitoring is deprecated. Thus, flag --enable-cloud-monitoring is also deprecated. Please use --monitoring (optionally with --logging). For more details, please read: https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics and https://cloud.google.com/kubernetes-engine/docs/concepts/about-logs.

--enable-cloud-run-alpha
Enable Cloud Run alpha features on this cluster. Selecting this option will result in the cluster having all Cloud Run alpha API groups and features turned on.

Cloud Run alpha clusters are not covered by the Cloud Run SLA and should not be used for production workloads.

--enable-confidential-nodes
Enable confidential nodes for the cluster. Enabling Confidential Nodes will create nodes using Confidential VM https://docs.cloud.google.com/compute/docs/about-confidential-vm.
--enable-confidential-storage
Enable confidential storage for the cluster. Enabling Confidential Storage will create boot disks in confidential mode.
--enable-cost-allocation
Enable the cost management feature.

When enabled, you can get informational GKE cost breakdowns by cluster, namespace and label in your billing data exported to BigQuery (https://cloud.google.com/billing/docs/how-to/export-data-bigquery).

--enable-dataplane-v2
Enables the new eBPF dataplane for GKE clusters that is required for network security, scalability and visibility features.
--enable-default-compute-class
Enable the default compute class to use for the cluster.

To disable Default Compute Class in an existing cluster, explicitly set flag --no-enable-default-compute-class.

--enable-dns-access
Enable access to the cluster's control plane over DNS-based endpoint.

DNS-based control plane access is recommended.

--enable-fleet
Set cluster project as the fleet host project. This will register the cluster to the same project. To register the cluster to a fleet in a different project, please use --fleet-project=FLEET_HOST_PROJECT. Example: $ gcloud container clusters create --enable-fleet
--enable-fqdn-network-policy
Enable FQDN Network Policies on the cluster. FQDN Network Policies are disabled by default.
--enable-google-cloud-access
When you enable Google Cloud Access, any public IP addresses owned by Google Cloud can reach the public control plane endpoint of your cluster.
--enable-gvnic
Enable the use of GVNIC for this cluster. Requires re-creation of nodes using either a node-pool upgrade or node-pool creation.
--enable-identity-service
Enable Identity Service component on the cluster.

When enabled, users can authenticate to Kubernetes cluster with external identity providers.

Identity Service is by default disabled when creating a new cluster. To disable Identity Service in an existing cluster, explicitly set flag --no-enable-identity-service.

--enable-image-streaming
Enable Image Streaming for the cluster, allowing nodes to stream container image data from Artifact Registry on demand to reduce container start times. This flag sets the default for new node pools. It is enabled by default on Autopilot clusters.

See Image Streaming documentation for full requirements (including version, API enablement and Artifact Registry usage). To disable Image Streaming for the cluster, use --no-enable-image-streaming.

--enable-insecure-kubelet-readonly-port
Enables the Kubelet's insecure read only port.

To disable the read-only port on a cluster or node pool, use --no-enable-insecure-kubelet-readonly-port.

--enable-intra-node-visibility
Enable Intra-node visibility for this cluster.

Enabling intra-node visibility makes your intra-node pod-to-pod traffic visible to the networking fabric. With this feature, you can use VPC flow logging or other VPC features for intra-node traffic.

Enabling it on an existing cluster causes the cluster master and the cluster nodes to restart, which might cause a disruption.

--enable-ip-access
Enable access to the cluster's control plane over its private IP address, and over its public IP address when --enable-private-endpoint is not set.
--enable-ip-alias
--enable-ip-alias creates a VPC-native cluster. If you set this option, you can optionally specify the IP address ranges to use for Pods and Services. For instructions, see https://cloud.google.com/kubernetes-engine/docs/how-to/alias-ips.

--no-enable-ip-alias creates a routes-based cluster. This type of cluster routes traffic between Pods using Google Cloud Routes. This option is not recommended; use the default VPC-native cluster type instead. For instructions, see https://cloud.google.com/kubernetes-engine/docs/how-to/routes-based-cluster.

Note: For IPv6-only clusters, these flags are a no-op as IP Aliases do not apply, and any specified IP address ranges for Pods and Services will be ignored.

You can't specify both --enable-ip-alias and --no-enable-ip-alias. If you omit both --enable-ip-alias and --no-enable-ip-alias, the default is a VPC-native cluster.

--enable-k8s-certs-via-dns
Enable Kubernetes client certificate authentication to the cluster's control plane over the DNS-based endpoint.
--enable-k8s-tokens-via-dns
Enable Kubernetes Service Account token authentication to the cluster's control plane over the DNS-based endpoint.
--enable-kernel-module-signature-enforcement
Enforces that kernel modules are signed on all new nodes in the cluster unless explicitly overridden with --no-enable-kernel-module-signature-enforcement when creating the nodepool. Use --no-