gcloud alpha container hub memberships generate-gateway-rbac - generate RBAC policy files for connected clusters by the user
gcloud alpha container hub memberships generate-gateway-rbac [--anthos-support] [--apply] [--context=CONTEXT] [--kubeconfig=KUBECONFIG] [--membership=MEMBERSHIP] [--rbac-output-file=RBAC_OUTPUT_FILE] [--revoke] [--role=ROLE] [--users=USERS] [GCLOUD_WIDE_FLAG ...]
(ALPHA) gcloud alpha container hub memberships generate-gateway-rbac generates RBAC policies to be used by Connect Gateway API.
Upon success, this command will write the output RBAC policy to the designated local file in dry run mode.
Override RBAC policy: Y to override previous RBAC policy, N to stop. If overriding the --role, Y will clean up the previous RBAC policy and then apply the new one.
The current implementation supports multiple modes:
Dry run mode to generate the RBAC policy file, and write to local directory:
$ gcloud alpha container hub memberships generate-gateway-rbac \ --membership=my-cluster \ --users=foo@example.com,\ test-acct@test-project.iam.gserviceaccount.com \ --role=clusterrole/cluster-admin --rbac-output-file=./rbac.yaml
Dry run mode to generate the RBAC policy, and print on screen:
$ gcloud alpha container hub memberships generate-gateway-rbac \ --membership=my-cluster \ --users=foo@example.com,\ test-acct@test-project.iam.gserviceaccount.com \ --role=clusterrole/cluster-admin
Anthos support mode, generate the RBAC policy file with read-only permission for TSE/Eng to debug customers' clusters:
$ gcloud alpha container hub memberships generate-gateway-rbac \ --membership=my-cluster --anthos-support
Apply mode, generate the RBAC policy and apply it to the specified cluster:
$ gcloud alpha container hub memberships generate-gateway-rbac \ --membership=my-cluster \ --users=foo@example.com,\ test-acct@test-project.iam.gserviceaccount.com \ --role=clusterrole/cluster-admin --context=my-cluster-context \ --kubeconfig=/home/user/custom_kubeconfig --apply
Revoke mode, revoke the RBAC policy for the specified users:
$ gcloud alpha container hub memberships generate-gateway-rbac \ --membership=my-cluster \ --users=foo@example.com,\ test-acct@test-project.iam.gserviceaccount.com \ --role=clusterrole/cluster-admin --context=my-cluster-context \ --kubeconfig=/home/user/custom_kubeconfig --revoke
The role to be granted to the users can either be cluster-scoped or namespace-scoped. To grant a namespace-scoped role to the users in dry run mode, run:
$ gcloud alpha container hub memberships generate-gateway-rbac \ --membership=my-cluster \ --users=foo@example.com,\ test-acct@test-project.iam.gserviceaccount.com \ --role=role/mynamespace/namespace-reader
- --anthos-support
If specified, this command will generate RBAC policy file for anthos support.
- --apply
If specified, this command will generate RBAC policy and apply to the specified cluster.
- --context=CONTEXT
The cluster context as it appears in the kubeconfig file. You can get this value from the command line by running command: kubectl config current-context.
- --kubeconfig=KUBECONFIG
The kubeconfig file containing an entry for the cluster. Defaults to $KUBECONFIG if it is set in the environment, otherwise defaults to $HOME/.kube/config.
- --membership=MEMBERSHIP
Membership name to assign RBAC policy with.
- --rbac-output-file=RBAC_OUTPUT_FILE
If specified, this command will execute in dry run mode and write to the file specified with this flag: the generated RBAC policy will not be applied to Kubernetes clusters,instead it will be written to the designated local file.
- --revoke
If specified, this command will revoke the RBAC policy for the specified users.
- --role=ROLE
Namespace scoped role or cluster role.
- --users=USERS
User's email address or service account email address.
These flags are available to all commands: --access-token-file, --account, --billing-project, --configuration, --flags-file, --flatten, --format, --help, --impersonate-service-account, --log-http, --project, --quiet, --trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
This command is currently in alpha and might change without notice. If this command fails with API permission errors despite specifying the correct project, you might be trying to access an API with an invitation-only early access allowlist. These variants are also available:
$ gcloud container hub memberships generate-gateway-rbac
$ gcloud beta container hub memberships generate-gateway-rbac