gcloud alpha container clusters update - update cluster settings for an existing container cluster
gcloud alpha container clusters update NAME (--autoprovisioning-network-tags=[TAGS,...] | --autoscaling-profile=AUTOSCALING_PROFILE | --complete-credential-rotation | --complete-ip-rotation | --database-encryption-key=DATABASE_ENCRYPTION_KEY | --disable-database-encryption | --disable-default-snat | --disable-workload-identity | --enable-autoscaling | --enable-cost-allocation | --enable-gke-oidc | --enable-google-cloud-access | --enable-identity-service | --enable-image-streaming | --enable-intra-node-visibility | --enable-l4-ilb-subsetting | --enable-legacy-authorization | --enable-logging-monitoring-system-only | --enable-master-authorized-networks | --enable-master-global-access | --enable-network-policy | --enable-pod-security-policy | --enable-private-endpoint | --enable-service-externalips | --enable-shielded-nodes | --enable-stackdriver-kubernetes | --enable-vertical-pod-autoscaling | --gateway-api=GATEWAY_API | --generate-password | --identity-provider=IDENTITY_PROVIDER | --logging-variant=LOGGING_VARIANT | --maintenance-window=START_TIME | --notification-config=[pubsub=ENABLED|DISABLED,pubsub-topic=TOPIC,...] | --private-ipv6-google-access-type=PRIVATE_IPV6_GOOGLE_ACCESS_TYPE | --release-channel=CHANNEL | --remove-labels=[KEY,...] | --security-group=SECURITY_GROUP | --security-profile=SECURITY_PROFILE | --set-password | --stack-type=STACK_TYPE | --start-credential-rotation | --start-ip-rotation | --update-addons=[ADDON=ENABLED|DISABLED,...] | --update-labels=[KEY=VALUE,...] | --workload-pool=WORKLOAD_POOL | --additional-zones=[ZONE,...] | --node-locations=ZONE,[ZONE,...] | --binauthz-policy=BINAUTHZ_POLICY --binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE | --enable-binauthz | --clear-maintenance-window | --remove-maintenance-exclusion=NAME | [--add-maintenance-exclusion-end=TIME_STAMP : --add-maintenance-exclusion-name=NAME --add-maintenance-exclusion-scope=SCOPE --add-maintenance-exclusion-start=TIME_STAMP] | --maintenance-window-end=TIME_STAMP --maintenance-window-recurrence=RRULE --maintenance-window-start=TIME_STAMP | --clear-resource-usage-bigquery-dataset | --enable-network-egress-metering --enable-resource-consumption-metering --resource-usage-bigquery-dataset=RESOURCE_USAGE_BIGQUERY_DATASET | --cluster-dns=CLUSTER_DNS --cluster-dns-domain=CLUSTER_DNS_DOMAIN --cluster-dns-scope=CLUSTER_DNS_SCOPE | --disable-managed-prometheus | --enable-managed-prometheus | [--enable-autoprovisioning : --autoprovisioning-config-file=AUTOPROVISIONING_CONFIG_FILE | --autoprovisioning-image-type=AUTOPROVISIONING_IMAGE_TYPE --autoprovisioning-locations=ZONE,[ZONE,...] --autoprovisioning-min-cpu-platform=PLATFORM --max-cpu=MAX_CPU --max-memory=MAX_MEMORY --min-cpu=MIN_CPU --min-memory=MIN_MEMORY --autoprovisioning-max-surge-upgrade=AUTOPROVISIONING_MAX_SURGE_UPGRADE --autoprovisioning-max-unavailable-upgrade=AUTOPROVISIONING_MAX_UNAVAILABLE_UPGRADE --autoprovisioning-node-pool-soak-duration=AUTOPROVISIONING_NODE_POOL_SOAK_DURATION --autoprovisioning-standard-rollout-policy=[batch-node-count=BATCH_NODE_COUNT,batch-percent=BATCH_NODE_PERCENTAGE,batch-soak-duration=BATCH_SOAK_DURATION,...] --enable-autoprovisioning-blue-green-upgrade | --enable-autoprovisioning-surge-upgrade --autoprovisioning-scopes=[SCOPE,...] --autoprovisioning-service-account=AUTOPROVISIONING_SERVICE_ACCOUNT --enable-autoprovisioning-autorepair --enable-autoprovisioning-autoupgrade [--max-accelerator=[type=TYPE,count=COUNT,...] : --min-accelerator=[type=TYPE,count=COUNT,...]]] | --enable-tpu --enable-tpu-service-networking | --tpu-ipv4-cidr=CIDR | --logging=[COMPONENT,...] --monitoring=[COMPONENT,...] | --logging-service=LOGGING_SERVICE --monitoring-service=MONITORING_SERVICE | --password=PASSWORD --enable-basic-auth | --username=USERNAME, -u USERNAME) [--async] [--cloud-run-config=[load-balancer-type=EXTERNAL,...]] [--istio-config=[auth=MTLS_PERMISSIVE,...]] [--master-authorized-networks=NETWORK,[NETWORK,...]] [--node-pool=NODE_POOL] [--location-policy=LOCATION_POLICY --max-nodes=MAX_NODES --min-nodes=MIN_NODES --total-max-nodes=TOTAL_MAX_NODES --total-min-nodes=TOTAL_MIN_NODES] [--region=REGION | --zone=ZONE, -z ZONE] [GCLOUD_WIDE_FLAG ...]
(ALPHA) Update cluster settings for an existing container cluster.
To enable autoscaling for an existing cluster, run:
$ gcloud alpha container clusters update sample-cluster \ --enable-autoscaling
- NAME
The name of the cluster to update.
- Exactly one of these must be specified:
- --autoprovisioning-network-tags=[TAGS,...]
Replaces the user specified Compute Engine tags on all nodes in all the existing auto-provisioned node pools in the Standard cluster or the Autopilot with the given tags (comma separated).
Examples:
$ gcloud alpha container clusters update example-cluster \ --autoprovisioning-network-tags=tag1,tag2
New nodes in auto-provisioned node pools, including ones created by resize or recreate, will have these tags on the Compute Engine API instance object and these tags can be used in firewall rules. See https://cloud.google.com/sdk/gcloud/reference/compute/firewall-rules/create for examples.
- --autoscaling-profile=AUTOSCALING_PROFILE
Set autoscaling behaviour, choices are 'optimize-utilization' and 'balanced'. Default is 'balanced'.
- --complete-credential-rotation
Complete the IP and credential rotation for this cluster. For example:
$ gcloud alpha container clusters update example-cluster \ --complete-credential-rotation
This causes the cluster to stop serving its old IP, return to a single IP, and invalidate old credentials. See documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation.
- --complete-ip-rotation
Complete the IP rotation for this cluster. For example:
$ gcloud alpha container clusters update example-cluster \ --complete-ip-rotation
This causes the cluster to stop serving its old IP, and return to a single IP state. See documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/ip-rotation.
- --database-encryption-key=DATABASE_ENCRYPTION_KEY
Enable Database Encryption.
Enable database encryption that will be used to encrypt Kubernetes Secrets at the application layer. The key provided should be the resource ID in the format of projects/[KEY_PROJECT_ID]/locations/[LOCATION]/keyRings/[RING_NAME]/cryptoKeys/[KEY_NAME]. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.
- --disable-database-encryption
Disable database encryption.
Disable Database Encryption which encrypt Kubernetes Secrets at the application layer. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.
- --disable-default-snat
Disable default source NAT rules applied in cluster nodes.
By default, cluster nodes perform source network address translation (SNAT) for packets sent from Pod IP address sources to destination IP addresses that are not in the non-masquerade CIDRs list. For more details about SNAT and IP masquerading, see: https://cloud.google.com/kubernetes-engine/docs/how-to/ip-masquerade-agent#how_ipmasq_works SNAT changes the packet's source IP address to the node's internal IP address.
When this flag is set, GKE does not perform SNAT for packets sent to any destination. You must set this flag if the cluster uses privately reused public IPs.
The --disable-default-snat flag is only applicable to private GKE clusters, which are inherently VPC-native. Thus, --disable-default-snat requires that the cluster was created with both --enable-ip-alias and --enable-private-nodes.
- --disable-workload-identity
Disable Workload Identity on the cluster.
For more information on Workload Identity, see
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
- --enable-autoscaling
Enables autoscaling for a node pool.
Enables autoscaling in the node pool specified by --node-pool or the default node pool if --node-pool is not provided. If not already, --max-nodes or --total-max-nodes must also be set.
- --enable-cost-allocation
Enable the cost management feature.
When enabled, you can get informational GKE cost breakdowns by cluster, namespace and label in your billing data exported to BigQuery https://cloud.google.com/billing/docs/how-to/export-data-bigquery.
Use --no-enable-cost-allocation to disable this feature.
- --enable-gke-oidc
(DEPRECATED) Enable GKE OIDC authentication on the cluster.
When enabled, users would be able to authenticate to Kubernetes cluster after properly setting OIDC config.
GKE OIDC is by default disabled when creating a new cluster. To disable GKE OIDC in an existing cluster, explicitly set flag --no-enable-gke-oidc.
GKE OIDC is being replaced by Identity Service across Anthos and GKE. Thus, flag --enable-gke-oidc is also deprecated. Please use --enable-identity-service to enable the Identity Service component
- --enable-google-cloud-access
When you enable Google Cloud Access, any public IP addresses owned by Google Cloud can reach the public control plane endpoint of your cluster.
- --enable-identity-service
Enable Identity Service component on the cluster.
When enabled, users can authenticate to Kubernetes cluster with external identity providers.
Identity Service is by default disabled when creating a new cluster. To disable Identity Service in an existing cluster, explicitly set flag --no-enable-identity-service.
- --enable-image-streaming
Specifies whether to enable image streaming on cluster.
- --enable-intra-node-visibility
Enable Intra-node visibility for this cluster.
Enabling intra-node visibility makes your intra-node pod-to-pod traffic visible to the networking fabric. With this feature, you can use VPC flow logging or other VPC features for intra-node traffic.
Enabling it on an existing cluster causes the cluster master and the cluster nodes to restart, which might cause a disruption.
- --enable-l4-ilb-subsetting
Enable Subsetting for L4 ILB services created on this cluster.
- --enable-legacy-authorization
Enables the legacy ABAC authentication for the cluster. User rights are granted through the use of policies which combine attributes together. For a detailed look at these properties and related formats, see https://kubernetes.io/docs/admin/authorization/abac/. To use RBAC permissions instead, create or update your cluster with the option --no-enable-legacy-authorization.
- --enable-logging-monitoring-system-only
(DEPRECATED) Enable Cloud Operations system-only monitoring and logging.
The --enable-logging-monitoring-system-only flag is deprecated and will be removed in an upcoming release. Please use --logging and --monitoring instead. For more information, please read: https://cloud.google.com/stackdriver/docs/solutions/gke/installing.
- --enable-master-authorized-networks
Allow only specified set of CIDR blocks (specified by the --master-authorized-networks flag) to connect to Kubernetes master through HTTPS. Besides these blocks, the following have access as well:
1) The private network the cluster connects to if `--enable-private-nodes` is specified. 2) Google Compute Engine Public IPs if `--enable-private-nodes` is not specified.
Use --no-enable-master-authorized-networks to disable. When disabled, public internet (0.0.0.0/0) is allowed to connect to Kubernetes master through HTTPS.
- --enable-master-global-access
Use with private clusters to allow access to the master's private endpoint from any Google Cloud region or on-premises environment regardless of the private cluster's region.
- --enable-network-policy
Enable network policy enforcement for this cluster. If you are enabling network policy on an existing cluster the network policy addon must first be enabled on the master by using --update-addons=NetworkPolicy=ENABLED flag.
- --enable-pod-security-policy
Enables the pod security policy admission controller for the cluster. The pod security policy admission controller adds fine-grained pod create and update authorization controls through the PodSecurityPolicy API objects. For more information, see https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies.
- --enable-private-endpoint
Enables cluster's control plane to be accessible using private IP address only.
- --enable-service-externalips
Enables use of services with externalIPs field.
- --enable-shielded-nodes
Enable Shielded Nodes for this cluster. Enabling Shielded Nodes will enable a more secure Node credential bootstrapping implementation. Starting with version 1.18, clusters will have Shielded GKE nodes by default.
- --enable-stackdriver-kubernetes
(DEPRECATED) Enable Cloud Operations for GKE.
The --enable-stackdriver-kubernetes flag is deprecated and will be removed in an upcoming release. Please use --logging and --monitoring instead. For more information, please read: https://cloud.google.com/stackdriver/docs/solutions/gke/installing.
- Flags for vertical pod autoscaling:
At most one of these can be specified:
- --enable-vertical-pod-autoscaling
Enable vertical pod autoscaling for a cluster.
- --gateway-api=GATEWAY_API
Enables GKE Gateway controller in this cluster. The value of the flag specifies which Open Source Gateway API release channel will be used to define Gateway resources. GATEWAY_API must be one of:
- disabled
Gateway controller will be disabled in the cluster.
- standard
Gateway controller will be enabled in the cluster. Resource definitions from the standard OSS Gateway API release channel will be installed.
- --generate-password
Ask the server to generate a secure password and use that as the basic auth password, keeping the existing username.
- --identity-provider=IDENTITY_PROVIDER
Enable 3P identity provider on the cluster.
- --logging-variant=LOGGING_VARIANT
Specifies the logging variant that will be deployed on all the nodes in the cluster. Valid logging variants are MAX_THROUGHPUT, DEFAULT. If no value is specified, DEFAULT is used. LOGGING_VARIANT must be one of:
- DEFAULT
'DEFAULT' variant requests minimal resources but may not guarantee high throughput.
- MAX_THROUGHPUT
'MAX_THROUGHPUT' variant requests more node resources and is able to achieve logging throughput up to 10MB per sec.
- --maintenance-window=START_TIME
Set a time of day when you prefer maintenance to start on this cluster. For example:
$ gcloud alpha container clusters update example-cluster \ --maintenance-window=12:43
The time corresponds to the UTC time zone, and must be in HH:MM format.
Non-emergency maintenance will occur in the 4 hour block starting at the specified time.
This is mutually exclusive with the recurring maintenance windows and will overwrite any existing window. Compatible with maintenance exclusions.
To remove an existing maintenance window from the cluster, use '--clear-maintenance-window'.
- --notification-config=[pubsub=ENABLED|DISABLED,pubsub-topic=TOPIC,...]
The notification configuration of the cluster. GKE supports publishing cluster upgrade notifications to any Pub/Sub topic you created in the same project. Create a subscription for the topic specified to receive notification messages. See https://cloud.google.com/pubsub/docs/admin on how to manage Pub/Sub topics and subscriptions. You can also use the filter option to specify which event types you'd like to receive from the following options: SecurityBulletinEvent, UpgradeEvent, UpgradeAvailableEvent.
Examples:
$ gcloud alpha container clusters update example-cluster \ --notification-config=pubsub=ENABLED,pubsub-topic=projects/\ {project}/topics/{topic-name} $ gcloud alpha container clusters update example-cluster \ --notification-config=pubsub=ENABLED,pubsub-topic=projects/\ {project}/topics/{topic-name},\ filter="SecurityBulletinEvent|UpgradeEvent"
The project of the Pub/Sub topic must be the same one as the cluster. It can be either the project ID or the project number.
- --private-ipv6-google-access-type=PRIVATE_IPV6_GOOGLE_ACCESS_TYPE
Sets the type of private access to Google services over IPv6.
PRIVATE_IPV6_GOOGLE_ACCESS_TYPE must be one of:
bidirectional Allows Google services to initiate connections to GKE pods in this cluster. This is not intended for common use, and requires previous integration with Google services.
disabled Default value. Disables private access to Google services over IPv6.
outbound-only Allows GKE pods to make fast, secure requests to Google services over IPv6. This is the most common use of private IPv6 access.
$ gcloud alpha container clusters create \ --private-ipv6-google-access-type=disabled $ gcloud alpha container clusters create \ --private-ipv6-google-access-type=outbound-only $ gcloud alpha container clusters create \ --private-ipv6-google-access-type=bidirectional
PRIVATE_IPV6_GOOGLE_ACCESS_TYPE must be one of: bidirectional, disabled, outbound-only.
- --release-channel=CHANNEL
Subscribe or unsubscribe this cluster to a release channel.
When a cluster is subscribed to a release channel, Google maintains both the master version and the node version. Node auto-upgrade defaults to true and cannot be disabled.
CHANNEL must be one of:
- None
Use 'None' to opt-out of any release channel.
- rapid
'rapid' channel is offered on an early access basis for customers who want to test new releases.
WARNING: Versions available in the 'rapid' channel may be subject to unresolved issues with no known workaround and are not subject to any SLAs.
- regular
Clusters subscribed to 'regular' receive versions that are considered GA quality. 'regular' is intended for production users who want to take advantage of new features.
- stable
Clusters subscribed to 'stable' receive versions that are known to be stable and reliable in production.
- --remove-labels=[KEY,...]
Labels to remove from the Google Cloud resources in use by the Kubernetes Engine cluster. These are unrelated to Kubernetes labels.
Examples:
$ gcloud alpha container clusters update example-cluster \ --remove-labels=label_a,label_b
- --security-group=SECURITY_GROUP
The name of the RBAC security group for use with Google security groups in Kubernetes RBAC https://kubernetes.io/docs/reference/access-authn-authz/rbac/.
To include group membership as part of the claims issued by Google during authentication, a group must be designated as a security group by including it as a direct member of this group.
If unspecified, no groups will be returned for use with RBAC.
- --security-profile=SECURITY_PROFILE
Name and version of the security profile to be applied to the cluster. If not specified, the current setting of security profile will be preserved.
Examples:
$ gcloud alpha container clusters update example-cluster \ --security-profile=default-1.0-gke.1
- --set-password
Set the basic auth password to the specified value, keeping the existing username.
- --stack-type=STACK_TYPE
IP stack type of the node VMs. STACK_TYPE must be one of: ipv4, ipv4-ipv6.
- --start-credential-rotation
Start the rotation of IP and credentials for this cluster. For example:
$ gcloud alpha container clusters update example-cluster \ --start-credential-rotation
This causes the cluster to serve on two IPs, and will initiate a node upgrade to point to the new IP. See documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation.
- --start-ip-rotation
Start the rotation of this cluster to a new IP. For example:
$ gcloud alpha container clusters update example-cluster \ --start-ip-rotation
This causes the cluster to serve on two IPs, and will initiate a node upgrade to point to the new IP. See documentation for more details: https://cloud.google.com/kubernetes-engine/docs/how-to/ip-rotation.
- --update-addons=[ADDON=ENABLED|DISABLED,...]
Cluster addons to enable or disable. Options are HorizontalPodAutoscaling=ENABLED|DISABLED HttpLoadBalancing=ENABLED|DISABLED KubernetesDashboard=ENABLED|DISABLED Istio=ENABLED|DISABLED BackupRestore=ENABLED|DISABLED NetworkPolicy=ENABLED|DISABLED CloudRun=ENABLED|DISABLED CloudBuild=ENABLED|DISABLED ConfigConnector=ENABLED|DISABLED NodeLocalDNS=ENABLED|DISABLED GcePersistentDiskCsiDriver=ENABLED|DISABLED GcpFilestoreCsiDriver=ENABLED|DISABLED
- --update-labels=[KEY=VALUE,...]
Labels to apply to the Google Cloud resources in use by the Kubernetes Engine cluster. These are unrelated to Kubernetes labels.
Examples:
$ gcloud alpha container clusters update example-cluster \ --update-labels=label_a=value1,label_b=value2
- --workload-pool=WORKLOAD_POOL
Enable Workload Identity on the cluster.
When enabled, Kubernetes service accounts will be able to act as Cloud IAM Service Accounts, through the provided workload pool.
Currently, the only accepted workload pool is the workload pool of the Cloud project containing the cluster, PROJECT_ID.svc.id.goog.
For more information on Workload Identity, see
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity
- At most one of these can be specified:
- --additional-zones=[ZONE,...]
(DEPRECATED) The set of additional zones in which the cluster's node footprint should be replicated. All zones must be in the same region as the cluster's primary zone.
Note that the exact same footprint will be replicated in all zones, such that if you created a cluster with 4 nodes in a single zone and then use this option to spread across 2 more zones, 8 additional nodes will be created.
Multiple locations can be specified, separated by commas. For example:
$ gcloud alpha container clusters update example-cluster \ --zone us-central1-a \ --additional-zones us-central1-b,us-central1-c
To remove all zones other than the cluster's primary zone, pass the empty string to the flag. For example:
$ gcloud alpha container clusters update example-cluster \ --zone us-central1-a --additional-zones ""
This flag is deprecated. Use --node-locations=PRIMARY_ZONE,[ZONE,...] instead.
- --node-locations=ZONE,[ZONE,...]
The set of zones in which the specified node footprint should be replicated. All zones must be in the same region as the cluster's master(s), specified by the --zone or --region flag. Additionally, for zonal clusters, --node-locations must contain the cluster's primary zone. If not specified, all nodes will be in the cluster's primary zone (for zonal clusters) or spread across three randomly chosen zones within the cluster's region (for regional clusters).
Note that NUM_NODES nodes will be created in each zone, such that if you specify --num-nodes=4 and choose two locations, 8 nodes will be created.
Multiple locations can be specified, separated by commas. For example:
$ gcloud alpha container clusters update example-cluster \ --zone us-central1-a \ --node-locations us-central1-a,us-central1-b
- Flags for Binary Authorization:
- --binauthz-policy=BINAUTHZ_POLICY
The relative resource name of the Binary Authorization policy to audit and/or enforce. GKE policies have the following format: projects/{project_number}/platforms/gke/policies/{policy_id}.
- At most one of these can be specified:
- --binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE
Enable Binary Authorization for this cluster. BINAUTHZ_EVALUATION_MODE must be one of: DISABLED, MONITORING, MONITORING_AND_PROJECT_SINGLETON_POLICY_ENFORCE, PROJECT_SINGLETON_POLICY_ENFORCE.
- --enable-binauthz
(DEPRECATED) Enable Binary Authorization for this cluster.
The --enable-binauthz flag is deprecated. Please use --binauthz-evaluation-mode instead.
- At most one of these can be specified:
- --clear-maintenance-window
If set, remove the maintenance window that was set with --maintenance-window family of flags.
- --remove-maintenance-exclusion=NAME
Name of a maintenance exclusion to remove. If you hadn't specified a name, one was auto-generated. Get it with $ gcloud container clusters describe.
- Sets a period of time in which maintenance should not occur. This is compatible
with both daily and recurring maintenance windows. If --add-maintenance-exclusion-scope is not specified, the exclusion will exclude all upgrades.
Examples:
$ gcloud alpha container clusters update example-cluster \ --add-maintenance-exclusion-name=holidays-2000 \ --add-maintenance-exclusion-start=2000-11-20T00:00:00 \ --add-maintenance-exclusion-end=2000-12-31T23:59:59 \ --add-maintenance-exclusion-scope=no_upgrades
- --add-maintenance-exclusion-end=TIME_STAMP
End time of the exclusion window. Must take place after the start time. See $ gcloud topic datetimes for information on time formats.
This flag argument must be specified if any of the other arguments in this group are specified.
- --add-maintenance-exclusion-name=NAME
A descriptor for the exclusion that can be used to remove it. If not specified, it will be autogenerated.
- --add-maintenance-exclusion-scope=SCOPE
Scope of the exclusion window to specify the type of upgrades that the exclusion will apply to. Must be in one of no_upgrades, no_minor_upgrades or no_minor_or_node_upgrades. If not specified in an exclusion, defaults to no_upgrades.
- --add-maintenance-exclusion-start=TIME_STAMP
Start time of the exclusion window (can occur in the past). If not specified, the current time will be used. See $ gcloud topic datetimes for information on time formats.
- Set a flexible maintenance window by specifying a window that recurs per an RFC
5545 RRULE. Non-emergency maintenance will occur in the recurring windows.
Examples:
For a 9-5 Mon-Wed UTC-4 maintenance window:
$ gcloud alpha container clusters update example-cluster \ --maintenance-window-start=2000-01-01T09:00:00-04:00 \ --maintenance-window-end=2000-01-01T17:00:00-04:00 \ --maintenance-window-recurrence='FREQ=WEEKLY;BYDAY=MO,TU,WE'
For a daily window from 22:00 - 04:00 UTC:
$ gcloud alpha container clusters update example-cluster \ --maintenance-window-start=2000-01-01T22:00:00Z \ --maintenance-window-end=2000-01-02T04:00:00Z \ --maintenance-window-recurrence=FREQ=DAILY
- --maintenance-window-end=TIME_STAMP
End time of the first window (can occur in the past). Must take place after the start time. The difference in start and end time specifies the length of each recurrence. See $ gcloud topic datetimes for information on time formats.
This flag argument must be specified if any of the other arguments in this group are specified.
- --maintenance-window-recurrence=RRULE
An RFC 5545 RRULE, specifying how the window will recur. Note that minimum requirements for maintenance periods will be enforced. Note that FREQ=SECONDLY, MINUTELY, and HOURLY are not supported.
This flag argument must be specified if any of the other arguments in this group are specified.
- --maintenance-window-start=TIME_STAMP
Start time of the first window (can occur in the past). The start time influences when the window will start for recurrences. See $ gcloud topic datetimes for information on time formats.
This flag argument must be specified if any of the other arguments in this group are specified.
- Exports cluster's usage of cloud resources
At most one of these can be specified:
- --clear-resource-usage-bigquery-dataset
Disables exporting cluster resource usage to BigQuery.
- --enable-network-egress-metering
Enable network egress metering on this cluster.
When enabled, a DaemonSet is deployed into the cluster. Each DaemonSet pod meters network egress traffic by collecting data from the conntrack table, and exports the metered metrics to the specified destination.
Network egress metering is disabled if this flag is omitted, or when --no-enable-network-egress-metering is set.
- --enable-resource-consumption-metering
Enable resource consumption metering on this cluster.
When enabled, a table will be created in the specified BigQuery dataset to store resource consumption data. The resulting table can be joined with the resource usage table or with BigQuery billing export.
To disable resource consumption metering, set --no-enable-resource-consumption- metering. If this flag is omitted, then resource consumption metering will remain enabled or disabled depending on what is already configured for this cluster.
- --resource-usage-bigquery-dataset=RESOURCE_USAGE_BIGQUERY_DATASET
The name of the BigQuery dataset to which the cluster's usage of cloud resources is exported. A table will be created in the specified dataset to store cluster resource usage. The resulting table can be joined with BigQuery Billing Export to produce a fine-grained cost breakdown.
Examples:
$ gcloud alpha container clusters update example-cluster \ --resource-usage-bigquery-dataset=example_bigquery_dataset_name
- ClusterDNS
- --cluster-dns=CLUSTER_DNS
DNS provider to use for this cluster. CLUSTER_DNS must be one of:
- clouddns
Selects Cloud DNS as the DNS provider for the cluster.
- default
Selects the default DNS provider (kube-dns) for the cluster.
- --cluster-dns-domain=CLUSTER_DNS_DOMAIN
DNS domain for this cluster. The default value is cluster.local. This is configurable when --cluster-dns=clouddns and --cluster-dns-scope=vpc are set. The value must be a valid DNS subdomain as defined in RFC 1123.
- --cluster-dns-scope=CLUSTER_DNS_SCOPE
DNS scope for the Cloud DNS zone created - valid only with --cluster-dns=clouddns. Defaults to cluster.
CLUSTER_DNS_SCOPE must be one of:
- cluster
Configures the Cloud DNS zone to be private to the cluster.
- vpc
Configures the Cloud DNS zone to be private to the VPC Network.
- At most one of these can be specified:
- --disable-managed-prometheus
Disable managed collection for Managed Service for Prometheus.
- --enable-managed-prometheus
Enable managed collection for Managed Service for Prometheus.
- Node autoprovisioning
- --enable-autoprovisioning
Enables node autoprovisioning for a cluster.
Cluster Autoscaler will be able to create new node pools. Requires maximum CPU and memory limits to be specified.
This flag argument must be specified if any of the other arguments in this group are specified.
- At most one of these can be specified:
- --autoprovisioning-config-file=AUTOPROVISIONING_CONFIG_FILE
Path of the JSON/YAML file which contains information about the cluster's node autoprovisioning configuration. Currently it contains a list of resource limits, identity defaults for autoprovisioning, node upgrade settings, node management settings, minimum cpu platform, image type, node locations for autoprovisioning, disk type and size configuration, Shielded instance settings, and customer-managed encryption keys settings.
Resource limits are specified in the field 'resourceLimits'. Each resource limits definition contains three fields: resourceType, maximum and minimum. Resource type can be "cpu", "memory" or an accelerator (e.g. "nvidia-tesla-k80" for nVidia Tesla K80). Use gcloud compute accelerator-types list to learn about available accelerator types. Maximum is the maximum allowed amount with the unit of the resource. Minimum is the minimum allowed amount with the unit of the resource.
Identity default contains at most one of the below fields: serviceAccount: The Google Cloud Platform Service Account to be used by node VMs in autoprovisioned node pools. If not specified, the project's default service account is used. scopes: A list of scopes to be used by node instances in autoprovisioned node pools. Multiple scopes can be specified, separated by commas. For information on defaults, look at: https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes
Node Upgrade settings are specified under the field 'upgradeSettings', which has the following fields: maxSurgeUpgrade: Number of extra (surge) nodes to be created on each upgrade of an autoprovisioned node pool. maxUnavailableUpgrade: Number of nodes that can be unavailable at the same time on each upgrade of an autoprovisioned node pool.
Node Management settings are specified under the field 'management', which has the following fields: autoUpgrade: A boolean field that indicates if node autoupgrade is enabled for autoprovisioned node pools. autoRepair: A boolean field that indicates if node autorepair is enabled for autoprovisioned node pools.
minCpuPlatform (deprecated): If specified, new autoprovisioned nodes will be scheduled on host with specified CPU architecture or a newer one. Note: Min CPU platform can only be specified in Beta and Alpha.
Autoprovisioned node image is specified under the 'imageType' field. If not specified the default value will be applied.
Autoprovisioning locations is a set of zones where new node pools can be created by Autoprovisioning. Autoprovisioning locations are specified in the field 'autoprovisioningLocations'. All zones must be in the same region as the cluster's master(s).
Disk type and size are specified under the 'diskType' and 'diskSizeGb' fields, respectively. If specified, new autoprovisioned nodes will be created with custom boot disks configured by these settings.
Shielded instance settings are specified under the 'shieldedInstanceConfig' field, which has the following fields: enableSecureBoot: A boolean field that indicates if secure boot is enabled for autoprovisioned nodes. enableIntegrityMonitoring: A boolean field that indicates if integrity monitoring is enabled for autoprovisioned nodes.
Customer Managed Encryption Keys (CMEK) used by new auto-provisioned node pools can be specified in the 'bootDiskKmsKey' field.
- Flags to configure autoprovisioned nodes
- --autoprovisioning-image-type=AUTOPROVISIONING_IMAGE_TYPE
Node Autoprovisioning will create new nodes with the specified image type
- --autoprovisioning-locations=ZONE,[ZONE,...]
Set of zones where new node pools can be created by autoprovisioning. All zones must be in the same region as the cluster's master(s). Multiple locations can be specified, separated by commas.
- --autoprovisioning-min-cpu-platform=PLATFORM
(DEPRECATED) If specified, new autoprovisioned nodes will be scheduled on host with specified CPU architecture or a newer one.
The --autoprovisioning-min-cpu-platform flag is deprecated and will be removed in an upcoming release. More info: https://cloud.google.com/kubernetes-engine/docs/release-notes#March_08_2022
- --max-cpu=MAX_CPU
Maximum number of cores in the cluster.
Maximum number of cores to which the cluster can scale.
- --max-memory=MAX_MEMORY
Maximum memory in the cluster.
Maximum number of gigabytes of memory to which the cluster can scale.
- --min-cpu=MIN_CPU
Minimum number of cores in the cluster.
Minimum number of cores to which the cluster can scale.
- --min-memory=MIN_MEMORY
Minimum memory in the cluster.
Minimum number of gigabytes of memory to which the cluster can scale.
- Flags to specify upgrade settings for autoprovisioned nodes:
- --autoprovisioning-max-surge-upgrade=AUTOPROVISIONING_MAX_SURGE_UPGRADE
Number of extra (surge) nodes to be created on each upgrade of an autoprovisioned node pool.
- --autoprovisioning-max-unavailable-upgrade=AUTOPROVISIONING_MAX_UNAVAILABLE_UPGRADE
Number of nodes that can be unavailable at the same time on each upgrade of an autoprovisioned node pool.
- --autoprovisioning-node-pool-soak-duration=AUTOPROVISIONING_NODE_POOL_SOAK_DURATION
Time in seconds to be spent waiting during blue-green upgrade before deleting the blue pool and completing the update. This argument should be used in conjunction with --enable-autoprovisioning-blue-green-upgrade to take effect.
- --autoprovisioning-standard-rollout-policy=[batch-node-count=BATCH_NODE_COUNT,batch-percent=BATCH_NODE_PERCENTAGE,batch-soak-duration=BATCH_SOAK_DURATION,...]
Standard rollout policy options for blue-green upgrade. This argument should be used in conjunction with --enable-autoprovisioning-blue-green-upgrade to take effect.
Batch sizes are specfied by one of, batch-node-count or batch-percent. The duration between batches is specified by batch-soak-duration.
Example: --standard-rollout-policy=batch-node-count=3,batch-soak-duration=60s --standard-rollout-policy=batch-percent=0.05,batch-soak-duration=180s
- Flag group to choose the top level upgrade option:
At most one of these can be specified:
- --enable-autoprovisioning-blue-green-upgrade
Whether to use blue-green upgrade for the autoprovisioned node pool.
- --enable-autoprovisioning-surge-upgrade
Whether to use surge upgrade for the autoprovisioned node pool.
- Flags to specify identity for autoprovisioned nodes:
- --autoprovisioning-scopes=[SCOPE,...]
The scopes to be used by node instances in autoprovisioned node pools. Multiple scopes can be specified, separated by commas. For information on defaults, look at: https://cloud.google.com/sdk/gcloud/reference/container/clusters/create#--scopes
- --autoprovisioning-service-account=AUTOPROVISIONING_SERVICE_ACCOUNT
The Google Cloud Platform Service Account to be used by node VMs in autoprovisioned node pools. If not specified, the project default service account is used.
- Flags to specify node management settings for autoprovisioned nodes:
- --enable-autoprovisioning-autorepair
Enable node autorepair for autoprovisioned node pools. Use --no-enable-autoprovisioning-autorepair to disable.
This flag argument must be specified if any of the other arguments in this group are specified.
- --enable-autoprovisioning-autoupgrade
Enable node autoupgrade for autoprovisioned node pools. Use --no-enable-autoprovisioning-autoupgrade to disable.
This flag argument must be specified if any of the other arguments in this group are specified.
- Arguments to set limits on accelerators:
- --max-accelerator=[type=TYPE,count=COUNT,...]
Sets maximum limit for a single type of accelerators (e.g. GPUs) in cluster.
- type
(Required) The specific type (e.g. nvidia-tesla-k80 for nVidia Tesla K80) of accelerator for which the limit is set. Use gcloud compute accelerator-types list to learn about all available accelerator types.
- count
(Required) The maximum number of accelerators to which the cluster can be scaled.
This flag argument must be specified if any of the other arguments in this group are specified.
- --min-accelerator=[type=TYPE,count=COUNT,...]
Sets minimum limit for a single type of accelerators (e.g. GPUs) in cluster. Defaults to 0 for all accelerator types if it isn't set.
- type
(Required) The specific type (e.g. nvidia-tesla-k80 for nVidia Tesla K80) of accelerator for which the limit is set. Use gcloud compute accelerator-types list to learn about all available accelerator types.
- count
(Required) The minimum number of accelerators to which the cluster can be scaled.
- Flags relating to Cloud TPUs:
- --enable-tpu
Enable Cloud TPUs for this cluster.
Can not be specified unless --enable-ip-alias is also specified.
- At most one of these can be specified:
- --enable-tpu-service-networking
Enable Cloud TPU's Service Networking mode. In this mode, the CIDR blocks used by the Cloud TPUs will be allocated and managed by Service Networking, instead of Kubernetes Engine.
This cannot be specified if tpu-ipv4-cidr is specified.
- --tpu-ipv4-cidr=CIDR
Set the IP range for the Cloud TPUs.
Can be specified as a netmask size (e.g. '/20') or as in CIDR notion (e.g. '10.100.0.0/20'). If given as a netmask size, the IP range will be chosen automatically from the available space in the network.
If unspecified, the TPU CIDR range will use automatic default '/20'.
Can not be specified unless '--enable-tpu' and '--enable-ip-alias' are also specified.
- --logging=[COMPONENT,...]
Set the components that have logging enabled. Valid component values are: SYSTEM, WORKLOAD, API_SERVER, CONTROLLER_MANAGER, SCHEDULER, NONE
For more information, look at https://cloud.google.com/stackdriver/docs/solutions/gke/installing#available-logs
Examples:
$ gcloud alpha container clusters update --logging=SYSTEM $ gcloud alpha container clusters update \ --logging=SYSTEM,API_SERVER,WORKLOAD $ gcloud alpha container clusters update --logging=NONE
- --monitoring=[COMPONENT,...]
Set the components that have monitoring enabled. Valid component values are: SYSTEM, WORKLOAD (Deprecated), NONE,API_SERVER, CONTROLLER_MANAGER, SCHEDULER
For more information, look at https://cloud.google.com/stackdriver/docs/solutions/gke/installing#available-metrics
Examples:
$ gcloud alpha container clusters update \ --monitoring=SYSTEM,API_SERVER $ gcloud alpha container clusters update --monitoring=NONE
- --logging-service=LOGGING_SERVICE
(DEPRECATED) Logging service to use for the cluster. Options are: "logging.googleapis.com/kubernetes" (the Google Cloud Logging service with Kubernetes-native resource model enabled), "logging.googleapis.com" (the Google Cloud Logging service), "none" (logs will not be exported from the cluster)
The --logging-service flag is deprecated and will be removed in an upcoming release. Please use --logging instead. For more information, please read: https://cloud.google.com/stackdriver/docs/solutions/gke/installing.
- --monitoring-service=MONITORING_SERVICE
(DEPRECATED) Monitoring service to use for the cluster. Options are: "monitoring.googleapis.com/kubernetes" (the Google Cloud Monitoring service with Kubernetes-native resource model enabled), "monitoring.googleapis.com" (the Google Cloud Monitoring service), "none" (no metrics will be exported from the cluster)
The --monitoring-service flag is deprecated and will be removed in an upcoming release. Please use --monitoring instead. For more information, please read: https://cloud.google.com/stackdriver/docs/solutions/gke/installing.
- Basic auth
- --password=PASSWORD
The password to use for cluster auth. Defaults to a server-specified randomly-generated string.
- Options to specify the username.
At most one of these can be specified:
- --enable-basic-auth
Enable basic (username/password) auth for the cluster. --enable-basic-auth is an alias for --username=admin; --no-enable-basic-auth is an alias for --username="". Use --password to specify a password; if not, the server will randomly generate one. For cluster versions before 1.12, if neither --enable-basic-auth nor --username is specified, --enable-basic-auth will default to true. After 1.12, --enable-basic-auth will default to false.
- --username=USERNAME, -u USERNAME
The user name to use for basic auth for the cluster. Use --password to specify a password; if not, the server will randomly generate one.
- --async
Return immediately, without waiting for the operation in progress to complete.
- --cloud-run-config=[load-balancer-type=EXTERNAL,...]
Configurations for Cloud Run addon, requires --addons=CloudRun for create and --update-addons=CloudRun=ENABLED for update.
- load-balancer-type
(Optional) Type of load-balancer-type EXTERNAL or INTERNAL.
Examples:
$ gcloud alpha container clusters update example-cluster \ --cloud-run-config=load-balancer-type=INTERNAL
- --istio-config=[auth=MTLS_PERMISSIVE,...]
(REMOVED) Configurations for Istio addon, requires --addons contains Istio for create, or --update-addons Istio=ENABLED for update.
- auth
(Optional) Type of auth MTLS_PERMISSIVE or MTLS_STRICT.
Examples:
$ gcloud alpha container clusters update example-cluster \ --istio-config=auth=MTLS_PERMISSIVE
The --istio-config flag is no longer supported. For more information and migration, see https://cloud.google.com/istio/docs/istio-on-gke/migrate-to-anthos-service-mesh.
- --master-authorized-networks=NETWORK,[NETWORK,...]
The list of CIDR blocks (up to 100 for private cluster, 50 for public cluster) that are allowed to connect to Kubernetes master through HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot be specified unless --enable-master-authorized-networks is also specified.
- --node-pool=NODE_POOL
Node pool to be updated.
- Cluster autoscaling
- --location-policy=LOCATION_POLICY
Location policy specifies the algorithm used when scaling-up the node pool.
BALANCED - Is a best effort policy that aims to balance the sizes of available zones.
ANY - Instructs the cluster autoscaler to prioritize utilization of unused reservations, and reduces preemption risk for Spot VMs.
LOCATION_POLICY must be one of: BALANCED, ANY.
- --max-nodes=MAX_NODES
Maximum number of nodes per zone in the node pool.
Maximum number of nodes per zone to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.
- --min-nodes=MIN_NODES
Minimum number of nodes per zone in the node pool.
Minimum number of nodes per zone to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.
- --total-max-nodes=TOTAL_MAX_NODES
Maximum number of all nodes in the node pool.
Maximum number of all nodes to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.
- --total-min-nodes=TOTAL_MIN_NODES
Minimum number of all nodes in the node pool.
Minimum number of all nodes to which the node pool specified by --node-pool (or default node pool if unspecified) can scale. Ignored unless --enable-autoscaling is also specified.
- At most one of these can be specified:
- --region=REGION
Compute region (e.g. us-central1) for the cluster.
- --zone=ZONE, -z ZONE
Compute zone (e.g. us-central1-a) for the cluster. Overrides the default compute/zone property value for this command invocation.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:
$ gcloud container clusters update
$ gcloud beta container clusters update