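def AddMaintenanceDisruptionBudgetFlagGroup(
    parser: parser_arguments.ArgumentInterceptor, hidden=True, is_update=False
) -> None:
  """Adds cluster disruption budget flags to the given parser.

  Two mutually exclusive sub-groups are created, one for minor-version and one
  for patch-version intervals. On update, each sub-group also gets a `--clear-*`
  flag, so setting and clearing the same interval cannot be combined.

  Args:
    parser: A given parser.
    hidden: whether the flags are hidden.
    is_update: Whether the flag is used for an update operation.
  """
  maintenance_disruption_budget_group = parser.add_group(
      mutex=False,
      help='Flags for cluster disruption budget configuration:',
      hidden=hidden,
  )
  minor_group = maintenance_disruption_budget_group.add_group(
      mutex=True, hidden=hidden
  )
  patch_group = maintenance_disruption_budget_group.add_group(
      mutex=True, hidden=hidden
  )

  help_text = textwrap.dedent("""\
      Set the minimum interval of time between minor version cluster upgrades.
      """)
  minor_group.add_argument(
      '--maintenance-minor-version-disruption-interval',
      default=None,
      help=help_text,
      hidden=hidden,
  )

  help_text = textwrap.dedent("""\
      Set the minimum interval of time between patch version cluster upgrades.
      """)
  patch_group.add_argument(
      '--maintenance-patch-version-disruption-interval',
      default=None,
      help=help_text,
      hidden=hidden,
  )

  # The --clear-* flags only make sense when a cluster already exists.
  if not is_update:
    return

  help_text = textwrap.dedent("""\
      Restore the default values for the minimum interval of time between minor version cluster upgrades.
      """)
  minor_group.add_argument(
      '--clear-maintenance-minor-version-disruption-interval',
      action='store_true',
      default=None,
      help=help_text,
      hidden=hidden,
  )

  help_text = textwrap.dedent("""\
      Restore the default values for the minimum interval of time between patch version cluster upgrades.
      """)
  patch_group.add_argument(
      '--clear-maintenance-patch-version-disruption-interval',
      action='store_true',
      default=None,
      help=help_text,
      hidden=hidden,
  )


def AddComplianceFlags(parser, hidden=True):
  """Adds --compliance and --compliance-standards flag group to the parser.

  Args:
    parser: A given parser.
    hidden: hidden status.
  """
  compliance_group = parser.add_group(
      mutex=False,
      help='Flags for Compliance configuration:',
      hidden=hidden,
  )
  mode_help = (
      'Sets enablement mode for Compliance. Must provide one of: enabled,'
      ' disabled.'
  )
  standards_help = """\
      Comma-delimited list of standards to be enabled. See
      https://cloud.google.com/kubernetes-engine/fleet-management/docs/about-compliance-dashboard#how-compliance-works
      """
  # NOTE(review): neither flag declares `choices` or a list type here, so the
  # values documented in the help text are not enforced by this parser.
  compliance_group.add_argument(
      '--compliance',
      default=None,
      help=mode_help,
      hidden=hidden,
  )
  compliance_group.add_argument(
      '--compliance-standards',
      default=None,
      help=standards_help,
      hidden=hidden,
  )


def AddControlPlaneKeysFlags(parser):
  """Adds control plane keys flags to the given parser.

  Registers the CA pool flags, the service account signing/verification key
  flags and the two symmetric encryption key flags in one non-mutex group.

  Args:
    parser: A given parser.
  """
  group = parser.add_group(help='Control Plane Keys', mutex=False)
  group.add_argument(
      '--cluster-ca',
      help=(
          'The Certificate Authority Service caPool that will back the'
          ' cluster CA'
      ),
      metavar='CA_POOL_PATH',
  )
  group.add_argument(
      '--aggregation-ca',
      help=(
          'The Certificate Authority Service caPool that will back the'
          ' aggregation CA'
      ),
      metavar='CA_POOL_PATH',
  )
  group.add_argument(
      '--etcd-api-ca',
      help=(
          'The Certificate Authority Service caPool that will back the etcd'
          ' API CA'
      ),
      metavar='CA_POOL_PATH',
  )
  group.add_argument(
      '--etcd-peer-ca',
      help=(
          'The Certificate Authority Service caPool that will back the etcd'
          ' peer CA'
      ),
      metavar='CA_POOL_PATH',
  )
  # NOTE(review): this flag name is also registered by
  # AddServiceAccountSigningKeysFlag with max_length=1; here only a lower bound
  # is set. Confirm which limit the API actually expects.
  group.add_argument(
      '--service-account-signing-keys',
      type=arg_parsers.ArgList(min_length=1),
      help=(
          'A Cloud KMS asymmetric signing cryptoKeyVersion that will be used to'
          ' sign service account tokens'
      ),
      metavar='KEY_VERSION',
  )
  group.add_argument(
      '--service-account-verification-keys',
      type=arg_parsers.ArgList(min_length=1),
      help=(
          'A Cloud KMS asymmetric signing cryptoKeyVersion that will be used to'
          ' verify service account tokens. Maybe specified multiple times.'
      ),
      metavar='KEY_VERSION',
  )
  group.add_argument(
      '--control-plane-disk-encryption-key',
      help=(
          'The Cloud KMS symmetric encryption cryptoKey that will be used to'
          ' encrypt the control plane disks'
      ),
      metavar='KEY',
  )
  group.add_argument(
      '--gkeops-etcd-backup-encryption-key',
      help=(
          'The Cloud KMS symmetric encryption cryptoKey that will be used to'
          ' encrypt the disaster recovery etcd backups for the cluster'
      ),
      metavar='KEY',
  )


def AddInsecureRBACBindingFlags(parser, hidden=False):
  """Adds the insecure RBAC binding flag group to the parser.

  Registers --enable-insecure-binding-system-authenticated and
  --enable-insecure-binding-system-unauthenticated. Both default to None, so
  an unset flag stays distinguishable from an explicit `--no-...` value.

  Args:
    parser: A given parser.
    hidden: hidden status
  """
  group = parser.add_group(hidden=hidden, mutex=False)

  help_text = """\
      Allow using `system:authenticated` as a subject in ClusterRoleBindings and RoleBindings.
      Allowing bindings that reference `system:authenticated` is a security risk and is not recommended.

      To disallow binding `system:authenticated` in a cluster, explicitly set the
      `--no-enable-insecure-binding-system-authenticated` flag instead.
      """
  group.add_argument(
      '--enable-insecure-binding-system-authenticated',
      action='store_true',
      default=None,
      help=help_text,
      hidden=hidden,
  )

  # The closing sentence names the subjects this flag governs. It previously
  # said `system:authenticated`, which pointed operators hardening anonymous
  # access at the wrong group.
  help_text = """\
      Allow using `system:unauthenticated` and `system:anonymous` as subjects in ClusterRoleBindings and RoleBindings.
      Allowing bindings that reference `system:unauthenticated` and `system:anonymous` are a security risk and is not recommended.

      To disallow binding `system:unauthenticated` and `system:anonymous` in a cluster, explicitly set the
      `--no-enable-insecure-binding-system-unauthenticated` flag instead.
      """
  group.add_argument(
      '--enable-insecure-binding-system-unauthenticated',
      action='store_true',
      default=None,
      help=help_text,
      hidden=hidden,
  )


def AddAnonymousAuthenticationConfigFlag(parser):
  """Adds --anonymous-authentication-config flag group to the group.

  The flag accepts LIMITED or ENABLED and defaults to None, so the caller can
  tell "not specified" apart from either explicit mode.

  Args:
    parser: A given parser.
  """
  parser.add_argument(
      '--anonymous-authentication-config',
      help="""Enable or restrict anonymous access to the cluster. When enabled,
      anonymous users will be authenticated as system:anonymous with the group
      system:unauthenticated. Limiting access restricts anonymous access to only
      the health check endpoints /readyz, /livez, and /healthz.
      """,
      choices={
          'LIMITED': """\
              'LIMITED' restricts anonymous access to the cluster. Only calls to
              the health check endpoints are allowed anonymously, all other calls
              will be rejected.""",
          'ENABLED': """\
              'ENABLED' enables anonymous calls.""",
      },
      default=None,
  )


def AddAdditionalIpRangesFlag(parser):
  """Adds additional IP ranges flag to parser.

  Args:
    parser: A given parser.
  """
  help_text = """\
      Add additional subnetworks named "my-subnet" with pod ipv4 range named "my-range" to the cluster.

      Examples:

        $ {command} example-cluster --additional-ip-ranges=subnetwork=my-subnet,pod-ipv4-range=my-range
      """
  spec = {
      'subnetwork': str,
      'pod-ipv4-range': str,
  }
  # Both keys are mandatory when adding a range; action='append' lets the flag
  # be repeated, one dict per occurrence.
  parser.add_argument(
      '--additional-ip-ranges',
      metavar='subnetwork=NAME,pod-ipv4-range=NAME',
      type=arg_parsers.ArgDict(
          spec=spec,
          required_keys=['subnetwork', 'pod-ipv4-range'],
      ),
      action='append',
      help=help_text,
  )


def AddRemoveAdditionalIpRangesFlag(parser):
  """Adds flag to remove additional Ip ranges to parser.

  Args:
    parser: A given parser.
  """
  help_text = """\
      Additional subnetworks to be removed from the cluster.

      Examples:

      Remove pod range named "my-range" under additional subnetwork named "my-subnet" from the cluster.

        $ {command} example-cluster --remove-additional-ip-ranges=subnetwork=my-subnet,pod-ipv4-range=my-range

      Remove additional subnetwork named "my-subnet", including all the pod ipv4 ranges under the subnetwork.

        $ {command} example-cluster --remove-additional-ip-ranges=subnetwork=my-subnet
      """
  spec = {
      'subnetwork': str,
      'pod-ipv4-range': str,
  }
  # Only 'subnetwork' is required: omitting 'pod-ipv4-range' removes the whole
  # subnetwork, as the second example in the help text describes.
  parser.add_argument(
      '--remove-additional-ip-ranges',
      metavar='subnetwork=NAME,pod-ipv4-range=NAME',
      type=arg_parsers.ArgDict(
          spec=spec,
          required_keys=['subnetwork'],
      ),
      action='append',
      help=help_text,
  )


def AddDrainAdditionalIpRangesFlag(parser):
  """Adds drain additional IP ranges flag to parser.

  Args:
    parser: A given parser.
  """
  help_text = """\
      Set status of additional subnetworks named "my-subnet" to DRAINING.

      Examples:

        $ {command} example-cluster --drain-additional-ip-ranges=subnetwork=my-subnet
      """
  spec = {
      'subnetwork': str,
  }
  parser.add_argument(
      '--drain-additional-ip-ranges',
      metavar='subnetwork=NAME',
      type=arg_parsers.ArgDict(
          spec=spec,
          required_keys=['subnetwork'],
      ),
      action='append',
      help=help_text,
      hidden=True,
  )


def AddUndrainAdditionalIpRangesFlag(parser):
  """Adds undrain additional IP ranges flag to parser.

  Args:
    parser: A given parser.
  """
  help_text = """\
      Set status of additional subnetworks named "my-subnet" to ACTIVE.

      Examples:

        $ {command} example-cluster --undrain-additional-ip-ranges=subnetwork=my-subnet
      """
  spec = {
      'subnetwork': str,
  }
  parser.add_argument(
      '--undrain-additional-ip-ranges',
      metavar='subnetwork=NAME',
      type=arg_parsers.ArgDict(
          spec=spec,
          required_keys=['subnetwork'],
      ),
      action='append',
      help=help_text,
      hidden=True,
  )


def AddClusterEnablePrivateNodesFlag(parser):
  """Adds a --enable-private-nodes to the given cluster parser.

  Args:
    parser: A given parser.
  """
  help_text = """\
      Standard cluster: Enable private nodes as a default behavior for all newly created node pools,
      if `--enable-private-nodes` is not provided at node pool creation time. Modifications to this flag
      do not affect `--enable-private-nodes` state of the existing node pools.

      Autopilot cluster: Force new and existing workloads, without explicit
      `cloud.google.com/private-node=true` node selector, to run on nodes with no public IP address.
      Modifications to this flag trigger a re-schedule operation on all existng workloads
      to run on different node VMs.
      """
  parser.add_argument(
      '--enable-private-nodes',
      default=None,
      action='store_true',
      help=help_text,
  )


def AddClusterTierFlag(parser):
  """Adds a --tier flag to the given cluster parser.

  The flag is wrapped in a DeprecationAction, which is configured with a
  warning message pointing at the release notes.

  Args:
    parser: A given parser.
  """
  help_text = 'Set the desired tier for the cluster.'
  parser.add_argument(
      '--tier',
      action=actions.DeprecationAction(
          '--tier',
          warn=(
              'The `--tier` flag is deprecated. More info:'
              ' https://cloud.google.com/kubernetes-engine/docs/release-notes#September_02_2025'
          ),
      ),
      metavar='TIER',
      help=help_text,
      choices=['standard', 'enterprise'],
  )


def AddAutoprovisioningCgroupModeFlag(parser, hidden=False):
  """Adds a --autoprovisioning-cgroup-mode to the given cluster parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flag is hidden.
  """
  help_text = textwrap.dedent("""\
      Sets the cgroup mode for auto-provisioned nodes.

      Updating this flag triggers an update using surge upgrades of all existing
      auto-provisioned nodes to apply the new value of cgroup mode.

      For an Autopilot cluster, the specified cgroup mode will be set on all
      existing and new nodes in the cluster. For a Standard cluster, the specified
      cgroup mode will be set on all existing and new auto-provisioned node pools
      in the cluster.

      If not set, GKE uses cgroupv2 for new nodes when the cluster was created
      running 1.26 or later, and cgroupv1 for clusters created running 1.25 or
      earlier. To check your initial cluster version, run
      `gcloud container clusters describe [NAME] --format="value(initialClusterVersion)"`

      For clusters created running version 1.26 or later, you can't set the cgroup
      mode to v1.

      To learn more, see:
      https://cloud.google.com/kubernetes-engine/docs/how-to/migrate-cgroupv2
      """)
  parser.add_argument(
      '--autoprovisioning-cgroup-mode',
      default=None,
      choices=['default', 'v1', 'v2'],
      help=help_text,
      hidden=hidden,
  )


def AddEnableIPAccessFlag(parser):
  """Adds the --enable-ip-access flag to parser.

  Args:
    parser: A given parser.
  """
  help_text = """\
      Enable access to the cluster's control plane over private IP and
      public IP if --enable-private-endpoint is not enabled.
      """
  parser.add_argument(
      '--enable-ip-access',
      default=None,
      action='store_true',
      help=help_text,
  )


def AddAauthorizedNetworksOnPrivateEndpointFlag(parser):
  """Adds the --enable-authorized-networks-on-private-endpoint flag to parser.

  The doubled "A" in the function name is kept because callers elsewhere may
  reference it.

  Args:
    parser: A given parser.
  """
  help_text = """\
      Enable enforcement of --master-authorized-networks CIDR ranges for
      traffic reaching cluster's control plane via private IP.
      """
  parser.add_argument(
      '--enable-authorized-networks-on-private-endpoint',
      default=None,
      action='store_true',
      help=help_text,
  )


def AddEnableAutopilotCompatibilityAuditingFlag(parser, hidden=False):
  """Adds the --enable-autopilot-compatibility-auditing flag to parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flag is hidden.
  """
  help_text = """\
      Lets you run the [gcloud container clusters check-autopilot-compatibility](https://cloud.google.com/sdk/gcloud/reference/container/clusters/check-autopilot-compatibility)
      command to check whether your workloads are compatible with Autopilot mode.
      This flag is only applicable to clusters that run version 1.31.6-gke.1027000 or later.
      Note: This flag causes a control plane restart.
      """
  parser.add_argument(
      '--enable-autopilot-compatibility-auditing',
      action=arg_parsers.StoreTrueFalseAction,
      help=help_text,
      hidden=hidden,
  )


def AddServiceAccountSigningKeysFlag(parser):
  """Adds the hidden --service-account-signing-keys flag to parser.

  The value is parsed as a list of strings capped at one element.

  Args:
    parser: A given parser.
  """
  help_text = """\
      the resource path of the Cloud KMS asymmetric signing cryptoKeyVersion
      that will be used to sign service account tokens.
      only one key version can be specified.
      """
  parser.add_argument(
      '--service-account-signing-keys',
      default=None,
      help=help_text,
      required=False,
      hidden=True,
      type=arg_parsers.ArgList(
          element_type=str,
          max_length=1,
      ),
      metavar='KEY_VERSION',
  )


def AddServiceAccountVerificationKeysFlag(parser):
  """Adds the hidden --service-account-verification-keys flag to parser.

  The value is parsed as a list of strings capped at two elements.

  Args:
    parser: A given parser.
  """
  help_text = """\
      the resource path of the Cloud KMS asymmetric signing cryptoKeyVersion
      that shall be used to verify service account tokens.
      at most 2 key versions can be specified.
      """
  parser.add_argument(
      '--service-account-verification-keys',
      default=None,
      help=help_text,
      required=False,
      hidden=True,
      type=arg_parsers.ArgList(
          element_type=str,
          max_length=2,
      ),
      metavar='KEY_VERSION',
  )


def AddControlPlaneDiskEncryptionKeyFlag(parser):
  """Adds the hidden --control-plane-disk-encryption-key flag to parser.

  Args:
    parser: A given parser.
  """
  help_text = """\
      The Cloud KMS symmetric encryption cryptoKey that will be used to
      encrypt the control plane disks.
      """
  parser.add_argument(
      '--control-plane-disk-encryption-key',
      default=None,
      help=help_text,
      required=False,
      hidden=True,
      type=str,
      metavar='KEY',
  )


def AddPatchUpdateFlag(parser):
  """Adds the --patch-update flag to parser.

  Args:
    parser: A given parser.

  Returns:
    Whatever `parser.add_argument` returns for the new flag.
  """
  help_text = """\
      The patch update to use for the cluster.

      Setting to 'accelerated' automatically upgrades the cluster to the latest
      patch available within the cluster's current minor version and release
      channel. Setting to 'default' automatically upgrades the cluster to the
      default patch upgrade targetversion available within the cluster's current
      minor version and release channel.
      """
  # Parsed as a list limited to one element, so callers receive a list rather
  # than a bare string.
  return parser.add_argument(
      '--patch-update',
      required=False,
      help=help_text,
      type=arg_parsers.ArgList(
          choices=['accelerated', 'default'],
          max_length=1,
      ),
      metavar='PATCH_UPDATE',
  )


def AddAutoIpamFlag(parser, hidden=False, is_update=False):
  """Adds a enable-auto-ipam/disable-auto-ipam to the given cluster parser.

  On update both flags are registered in a mutually exclusive group; otherwise
  only --enable-auto-ipam is added, directly on the parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flags are hidden.
    is_update: Whether the flag is used for an update operation.
  """
  # Disabling only applies to an existing cluster, so the mutex group and the
  # --disable flag exist on update only.
  target = parser.add_group(mutex=True, hidden=hidden) if is_update else parser
  if is_update:
    target.add_argument(
        '--disable-auto-ipam',
        action='store_const',
        const=True,
        help="""\
        Disable the Auto IP Address Management (Auto IPAM) feature for the cluster.
        """,
        hidden=hidden,
    )
  target.add_argument(
      '--enable-auto-ipam',
      action='store_const',
      const=True,
      help="""\
        Enable the Auto IP Address Management (Auto IPAM) feature for the cluster.
        """,
      hidden=hidden,
  )


def AddEnableK8sTokensViaDnsFlag(parser):
  """Adds the --enable-k8s-tokens-via-dns flag to parser.

  Args:
    parser: A given parser.
  """
  help_text = """
      Enable K8s Service Account tokens Authentication to the cluster's control plane over DNS-based endpoint.
      """
  parser.add_argument(
      '--enable-k8s-tokens-via-dns',
      default=None,
      action='store_true',
      help=help_text,
  )


def AddEnableLegacyLustrePortFlag(parser, hidden=False):
  """Adds the --enable-legacy-lustre-port flag to parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flags are hidden.
  """
  help_text = """\
      Allow the Lustre CSI driver to initialize LNet (the virtual network layer for Lustre kernel module) using port 6988.
      This flag is required to workaround a port conflict with the gke-metadata-server on GKE nodes.
      """
  parser.add_argument(
      '--enable-legacy-lustre-port',
      default=None,
      hidden=hidden,
      action='store_true',
      help=help_text,
  )


def AddDisableMultiNicLustreFlag(parser, hidden=True):
  """Adds the --disable-multi-nic-lustre flag to parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flags are hidden.
  """
  help_text = """\
      Disable the Lustre CSI driver to automatically detect and configure all suitable network interfaces on a node for Lustre IO.
      """
  parser.add_argument(
      '--disable-multi-nic-lustre',
      default=None,
      hidden=hidden,
      action='store_true',
      help=help_text,
  )


def AddEnableLustreMultiRailFlag(parser, for_node_pool=False, hidden=True):
  """Adds Lustre multi-NIC flag to the given parser.

  The registered flag is --enable-lustre-multi-nic; only the help text differs
  between the cluster and node pool variants.

  Args:
    parser: A given parser.
    for_node_pool: Whether for node pool.
    hidden: Indicates that the flags are hidden.
  """
  if for_node_pool:
    help_text = """\
        Enable Lustre multi-NIC configuration for the node pool.
        When enabled, Lustre CSI driver will be configured to use multiple NICs
        on nodes in this pool.
        Use `--no-enable-lustre-multi-nic` to disable.
        """
  else:
    help_text = """\
        Enable Lustre multi-NIC configuration for all new nodes in the cluster
        unless explicitly overridden with `--no-enable-lustre-multi-nic` when
        creating the nodepool.
        When enabled, Lustre CSI driver will be configured to use multiple NICs
        on nodes in this cluster.
        Use `--no-enable-lustre-multi-nic` to disable.
        """
  parser.add_argument(
      '--enable-lustre-multi-nic',
      default=None,
      hidden=hidden,
      action='store_true',
      help=help_text,
  )


def AddUseIamTokenFlag(parser):
  """Adds the --use-iam-token flag to parser.

  Args:
    parser: A given parser.
  """
  help_text = """\
      Whether to generate and persist an IAM token in the kubeconfig file.
      """
  # NOTE(review): per the help text the token is persisted in kubeconfig, so
  # whoever can read that file can use the token. Confirm the code that writes
  # the kubeconfig keeps it readable by the owner only.
  parser.add_argument(
      '--use-iam-token',
      hidden=True,
      action='store_true',
      help=help_text,
  )


def AddEnableK8sCertsViaDnsFlag(parser):
  """Adds the --enable-k8s-certs-via-dns flag to parser.

  Args:
    parser: A given parser.
  """
  help_text = """
      Enable K8s client certificates Authentication to the cluster's control plane over DNS-based endpoint.
      """
  parser.add_argument(
      '--enable-k8s-certs-via-dns',
      default=None,
      action='store_true',
      help=help_text,
  )


def AddNetworkTierFlag(parser):
  """Adds the --network-tier flag to parser.

  Args:
    parser: A given parser.
  """
  # The help text names the values exactly as `choices` accepts them. It used
  # to advertise `default`, which the parser rejects.
  help_text = """\
      Set the network tier for the cluster, possible values are premium, standard and network-default.
      If network-default is used, the cluster will use the project default network tier.
      """
  parser.add_argument(
      '--network-tier',
      default=None,
      hidden=True,
      choices=['premium', 'standard', 'network-default'],
      help=help_text,
  )


def AddAcceleratorNetworkProfileFlag(parser, hidden=True):
  """Adds the --accelerator-network-profile flag to parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flag is hidden.
  """
  # NOTE(review): the help text says only `auto` is supported, but the flag is
  # a free-form string; any validation must happen downstream.
  parser.add_argument(
      '--accelerator-network-profile',
      help="""\
      Accelerator Network Profile that will be used by the node pool.

      Currently only the `auto` value is supported. A compatible Accelerator
      machine type needs to be specified with the `--machine-type` flag.
      An Accelerator Network Profiles will be created if it does not exist.
      """,
      default=None,
      type=str,
      hidden=hidden)


def AddControlPlaneEgressFlag(parser):
  """Adds the --control-plane-egress flag to parser.

  Args:
    parser: A given parser.
  """
  help_text = """\
      Configures the egress policy for the GKE control plane to control outbound traffic from the kube-apiserver.

      * `NONE`: (Recommended) Provides maximum security. This mode removes the control plane's
      public IP address and blocks all outbound traffic from the kube-apiserver by default,
      preventing unexpected data exfiltration. Webhooks that use `clientConfig.url` will be disabled.
      Essential GKE-managed services are still permitted to function via an internal allowlist.

      * `VIA_CONTROL_PLANE`: (Default) Maintains backward compatibility. The control plane retains
      its public IP address and allows egress traffic from the kube-apiserver.
      """
  parser.add_argument(
      '--control-plane-egress',
      default=None,
      # TODO(b/436076409): Remove hidden flag once the feature is ready.
      hidden=True,
      choices={
          'NONE': """\
              (Recommended) Provides maximum security by removing the control plane's public IP and blocking api server egress.""",
          'VIA_CONTROL_PLANE': """\
              (Default) Maintains backward compatibility by retaining the control plane's public IP and api server allowing egress.""",
      },
      help=help_text,
  )


def AddTagBindingsCreate(
    parser,
):
  """Adds the --tag-bindings flag for cluster creation.

  The flag is added to the parser directly; nothing is returned.

  Args:
    parser: A given parser.
  """
  # The item format is written as `KEY=VALUE`, matching the metavar. The text
  # previously read "expressed as `=`", with the placeholders missing.
  help_text = """\
      List of tag-bindings KEY=VALUE pairs to bind.
      Each item must be expressed as `KEY=VALUE`.

      Example: `123/environment=production,123/costCenter=marketing`
      """
  parser.add_argument(
      '--tag-bindings',
      metavar='KEY=VALUE',
      type=arg_parsers.ArgDict(),
      action=arg_parsers.UpdateAction,
      help=help_text,
      hidden=True,
  )


def AddGpuDirectStrategyFlag(parser):
  """Adds the --gpudirect-strategy flag to parser.

  Args:
    parser: A given parser.
  """
  help_text = """\
      Set the GPUDirect strategy for the node pool, the possible value is RDMA.
      """
  parser.add_argument(
      '--gpudirect-strategy',
      default=None,
      hidden=True,
      choices=['RDMA'],
      # Upper-case the input so `rdma` matches the single upper-case choice.
      type=lambda x: x.upper(),
      help=help_text,
  )


def AddControlPlaneSoakDurationFlag(parser, hidden):
  """Adds the --control-plane-soak-duration flag to parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flag is hidden.
  """
  help_text = """\
      The soak duration for the rollback-able control plane upgrade. It only applies
      to minor version upgrades. Setting this flag will trigger a control plane
      upgrade with emulated version. The cluster is rollback-able during the soak
      period. The soak period can be set between 6 hours and 7 days.
      """
  # The Duration bounds enforce the 6 hour to 7 day range the help text states.
  parser.add_argument(
      '--control-plane-soak-duration',
      default=None,
      hidden=hidden,
      help=help_text,
      type=arg_parsers.Duration(lower_bound='6h', upper_bound='7d'),
  )


def AddAutopilotPrivilegedAdmissionFlag(parser, hidden):
  """Adds a --autopilot-privileged-admission flag to parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flag is hidden.
  """
  # The two path formats are spelled out with upper-case placeholders rebuilt
  # from the examples below; the text previously showed only 'gke:////' and
  # 'gs:///'.
  # NOTE(review): a wildcard such as `gke://*` authorizes every allowlist under
  # that prefix, and no validation of the paths is visible here, so any
  # scheme or pattern checking must happen downstream.
  help_text = """\
      Specify Cloud Storage object paths pointing to privileged workload
      allowlists to be authorized for use in Autopilot mode.
      The value is a comma-separated list of Cloud Storage object paths in the
      format 'gke://PARTNER_NAME/APP_NAME/ALLOWLIST_PATH' for GKE-owned allowlists
      and 'gs://BUCKET_NAME/ALLOWLIST_PATH' for user-owned allowlists.
      Wildcards are supported to authorize all allowlists under specific paths.

      Examples:

        $ {command} --autopilot-privileged-admission=gke://*
        $ {command} --autopilot-privileged-admission=gke://my-partner/my-app/my-allowlist.yaml
        $ {command} --autopilot-privileged-admission=gs://my-bucket/allowlists/my-allowlist.yaml
        $ {command} --autopilot-privileged-admission=gs://my-bucket/*
        $ {command} --autopilot-privileged-admission=gke://my-partner/my-app/*,gs://my-bucket/allowlists/my-allowlist.yaml
        $ {command} --autopilot-privileged-admission=""
      """
  parser.add_argument(
      '--autopilot-privileged-admission',
      type=arg_parsers.ArgList(),
      default=None,
      hidden=hidden,
      help=help_text,
      metavar='GCS_PATH',
  )


def AddEnableSliceControllerFlag(parser, hidden=True):
  """Adds Slice Controller flag to the given parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flags are hidden.
  """
  help_text = """\
      Enable Slice Controller for the cluster.
      Use `--no-enable-slice-controller` to disable.
      """
  parser.add_argument(
      '--enable-slice-controller',
      default=None,
      hidden=hidden,
      action='store_true',
      help=help_text,
  )


def AddAutopilotGeneralProfileFlag(parser, hidden=False):
  """Adds the --autopilot-general-profile flag to parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flag is hidden.
  """
  help_text = """\
      Sets the Autopilot general profile for the cluster; possible values are `none` and `no-performance`.
      If `none` is used, the cluster will use the Autopilot default configuration.
      """
  parser.add_argument(
      '--autopilot-general-profile',
      required=False,
      default=None,
      hidden=hidden,
      choices=['none', 'no-performance'],
      help=help_text,
  )


def AddNodeDrainSettingsFlag(parser, hidden=False):
  """Adds the node drain settings flag to parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flags are hidden.
  """
  group = parser.add_group(
      help='Node drain settings', mutex=False, hidden=hidden
  )
  # NOTE(review): both "seconds" flags are typed as str, so no numeric or range
  # check happens at parse time; confirm the caller validates them.
  group.add_argument(
      '--node-drain-grace-period-seconds',
      default=None,
      hidden=hidden,
      type=str,
      help="""\
      The grace period in seconds for nodes to drain before being forcefully removed.
      """,
  )
  group.add_argument(
      '--node-drain-pdb-timeout-seconds',
      default=None,
      hidden=hidden,
      type=str,
      help="""\
      The timeout in seconds for the node pool to be drained.
      """,
  )
  group.add_argument(
      '--respect-pdb-during-node-pool-deletion',
      default=None,
      hidden=hidden,
      action='store_true',
      help="""\
      Whether to respect PDBs when deleting nodes in the node pool.
      """,
  )


def AddLinkedRunnersModeFlag(parser, hidden=False):
  """Adds the --linked-runners-mode flag to parser.

  Args:
    parser: A given parser.
    hidden: Indicates that the flag is hidden.
  """
  help_text = """\
      Sets the linked runners mode for the cluster; possible values are `standard` and `none`.
      """
  parser.add_argument(
      '--linked-runners-mode',
      required=False,
      default=None,
      hidden=hidden,
      choices=['standard', 'none'],
      help=help_text,
  )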