gcloud beta container hub memberships generate-gateway-rbac

NAME
gcloud beta container hub memberships generate-gateway-rbac - generate RBAC policy files for connected clusters by the user
SYNOPSIS
gcloud beta container hub memberships generate-gateway-rbac(--anthos-support    |--groups=GROUPS    |--users=USERS)[--apply][--context=CONTEXT][--kubeconfig=KUBECONFIG][--membership=MEMBERSHIP][--rbac-output-file=RBAC_OUTPUT_FILE][--revoke][--role=ROLE][GCLOUD_WIDE_FLAG]
DESCRIPTION
(BETA) gcloud beta container hub memberships generate-gateway-rbacgenerates RBAC policies to be used by Connect Gateway API.

Upon success, this command will write the output RBAC policy to the designatedlocal file in dry run mode.

Override RBAC policy: Y to override previous RBAC policy, N to stop. Ifoverriding the --role, Y will clean up the previous RBAC policy and then applythe new one.

EXAMPLES
The current implementation supports multiple modes:

Dry run mode to generate the RBAC policy file, and write to local directory:

gcloudbetacontainerhubmembershipsgenerate-gateway-rbac--membership=my-cluster--users=foo@example.com,test-acct@test-project.iam.gserviceaccount.com--role=clusterrole/cluster-admin--rbac-output-file=./rbac.yaml

Dry run mode to generate the RBAC policy, and print on screen:

gcloudbetacontainerhubmembershipsgenerate-gateway-rbac--membership=my-cluster--users=foo@example.com,test-acct@test-project.iam.gserviceaccount.com--role=clusterrole/cluster-admin

Anthos support mode, generate the RBAC policy file with read-only permission forTSE/Eng to debug customers' clusters:

gcloudbetacontainerhubmembershipsgenerate-gateway-rbac--membership=my-cluster--anthos-support

Apply mode, generate the RBAC policy and apply it to the specified cluster:

gcloudbetacontainerhubmembershipsgenerate-gateway-rbac--membership=my-cluster--users=foo@example.com,test-acct@test-project.iam.gserviceaccount.com--role=clusterrole/cluster-admin--context=my-cluster-context--kubeconfig=/home/user/custom_kubeconfig--apply

Revoke mode, revoke the RBAC policy for the specified users:

gcloudbetacontainerhubmembershipsgenerate-gateway-rbac--membership=my-cluster--users=foo@example.com,test-acct@test-project.iam.gserviceaccount.com--role=clusterrole/cluster-admin--context=my-cluster-context--kubeconfig=/home/user/custom_kubeconfig--revoke

The role to be granted to the users can either be cluster-scoped ornamespace-scoped. To grant a namespace-scoped role to the users in dry run mode,run:

gcloudbetacontainerhubmembershipsgenerate-gateway-rbac--membership=my-cluster--users=foo@example.com,test-acct@test-project.iam.gserviceaccount.com--role=role/mynamespace/namespace-reader

The users provided can be using a Google identity (only email) or using externalidentity providers (starting with "principal://iam.googleapis.com"):

gcloudbetacontainerhubmembershipsgenerate-gateway-rbac--membership=my-cluster--users=foo@example.com,principal://iam.googleapis.com/locations/global/workforcePools/pool/subject/user--role=clusterrole/cluster-admin--context=my-cluster-context--kubeconfig=/home/user/custom_kubeconfig--apply

The groups can be provided as a Google identity (only email) or an externalidentity (starting with "principalSet://iam.googleapis.com"):

gcloudbetacontainerhubmembershipsgenerate-gateway-rbac--membership=my-cluster--groups=group@example.com,principalSet://iam.googleapis.com/locations/global/workforcePools/pool/group/ExampleGroup--role=clusterrole/cluster-admin--context=my-cluster-context--kubeconfig=/home/user/custom_kubeconfig--apply
REQUIRED FLAGS
Exactly one of these must be specified:
--anthos-support
If specified, this command will generate RBAC policy file for anthos support.
--groups=GROUPS
Group email address or third-party IAM group principal.
--users=USERS
User's email address, service account email address, or third-party IAM subjectprincipal.
OPTIONAL FLAGS
--apply
If specified, this command will generate RBAC policy and apply to the specifiedcluster.
--context=CONTEXT
The cluster context as it appears in the kubeconfig file. You can get this valuefrom the command line by running command:kubectl configcurrent-context.
--kubeconfig=KUBECONFIG
The kubeconfig file containing an entry for the cluster. Defaults to $KUBECONFIGif it is set in the environment, otherwise defaults to $HOME/.kube/config.
--membership=MEMBERSHIP
Membership name to assign RBAC policy with.
--rbac-output-file=RBAC_OUTPUT_FILE
If specified, this command will execute in dry run mode and write to the filespecified with this flag: the generated RBAC policy will not be applied toKubernetes clusters,instead it will be written to the designated local file.
--revoke
If specified, this command will revoke the RBAC policy for the specified users.
--role=ROLE
Namespace scoped role or cluster role.
GCLOUD WIDE FLAGS
These flags are available to all commands:--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.

Run$gcloud help for details.

NOTES
This command is currently in beta and might change without notice. Thesevariants are also available:
gcloudcontainerhubmembershipsgenerate-gateway-rbac
gcloudalphacontainerhubmembershipsgenerate-gateway-rbac

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-05-07 UTC.