1
0
Fork 0
mirror of https://github.com/imjasonh/gcloud-help synced 2026-07-18 06:47:12 +00:00

gcloud: Wed Oct 9 09:55:07 UTC 2024

This commit is contained in:
Automated 2024-10-09 09:55:07 +00:00
parent 489be55d99
commit 4ffb04ab9e
211 changed files with 7635 additions and 1232 deletions

View file

@ -24,17 +24,19 @@ SYNOPSIS
[--database-encryption-key=DATABASE_ENCRYPTION_KEY]
[--default-max-pods-per-node=DEFAULT_MAX_PODS_PER_NODE]
[--disable-default-snat] [--disable-pod-cidr-overprovision]
[--disk-size=DISK_SIZE] [--disk-type=DISK_TYPE] [--enable-autorepair]
[--no-enable-autoupgrade] [--enable-cilium-clusterwide-network-policy]
[--enable-cloud-logging] [--enable-cloud-monitoring]
[--enable-cloud-run-alpha] [--enable-confidential-nodes]
[--enable-confidential-storage] [--enable-cost-allocation]
[--enable-dataplane-v2] [--enable-fleet] [--enable-fqdn-network-policy]
[--disk-size=DISK_SIZE] [--disk-type=DISK_TYPE]
[--enable-authorized-networks-on-private-endpoint]
[--enable-autorepair] [--no-enable-autoupgrade]
[--enable-cilium-clusterwide-network-policy] [--enable-cloud-logging]
[--enable-cloud-monitoring] [--enable-cloud-run-alpha]
[--enable-confidential-nodes] [--enable-confidential-storage]
[--enable-cost-allocation] [--enable-dataplane-v2]
[--enable-dns-access] [--enable-fleet] [--enable-fqdn-network-policy]
[--enable-gke-oidc] [--enable-google-cloud-access] [--enable-gvnic]
[--enable-identity-service] [--enable-image-streaming]
[--enable-insecure-kubelet-readonly-port]
[--enable-intra-node-visibility] [--enable-ip-alias]
[--enable-kubernetes-alpha]
[--enable-intra-node-visibility] [--enable-ip-access]
[--enable-ip-alias] [--enable-kubernetes-alpha]
[--enable-kubernetes-unstable-apis=API,[API,...]]
[--enable-l4-ilb-subsetting] [--enable-legacy-authorization]
[--enable-logging-monitoring-system-only] [--enable-managed-prometheus]
@ -434,6 +436,10 @@ FLAGS
DISK_TYPE must be one of: pd-standard, pd-ssd, pd-balanced,
hyperdisk-balanced, hyperdisk-extreme, hyperdisk-throughput.
--enable-authorized-networks-on-private-endpoint
Enable enforcement of --master-authorized-networks CIDR ranges for
traffic reaching cluster's control plane via private IP.
--enable-autorepair
Enable node autorepair feature for a cluster's default node pool(s).
@ -514,6 +520,11 @@ FLAGS
Enables the new eBPF dataplane for GKE clusters that is required for
network security, scalability and visibility features.
--enable-dns-access
Enable access to the cluster's control plane over DNS-based endpoint.
DNS-based control plane access is recommended.
--enable-fleet
Set cluster project as the fleet host project. This will register the
cluster to the same project. To register the cluster to a fleet in a
@ -576,6 +587,10 @@ FLAGS
Enabling it on an existing cluster causes the cluster master and the
cluster nodes to restart, which might cause a disruption.
--enable-ip-access
Enable access to the cluster's control plane over private IP and public
IP if --enable-private-endpoint is not enabled.
--enable-ip-alias
Enable use of alias IPs
(https://cloud.google.com/compute/docs/alias-ip/) for Pod IPs. This

View file

@ -14,9 +14,10 @@ SYNOPSIS
[--containerd-config-from-file=PATH_TO_FILE]
[--create-subnetwork=[KEY=VALUE,...]]
[--database-encryption-key=DATABASE_ENCRYPTION_KEY]
[--enable-authorized-networks-on-private-endpoint]
[--enable-backup-restore] [--enable-cilium-clusterwide-network-policy]
[--enable-fleet] [--enable-google-cloud-access]
[--enable-kubernetes-unstable-apis=API,[API,...]]
[--enable-dns-access] [--enable-fleet] [--enable-google-cloud-access]
[--enable-ip-access] [--enable-kubernetes-unstable-apis=API,[API,...]]
[--enable-master-global-access] [--enable-ray-cluster-logging]
[--enable-ray-cluster-monitoring] [--enable-ray-operator]
[--enable-secret-manager] [--fleet-project=PROJECT_ID_OR_NUMBER]
@ -219,6 +220,10 @@ FLAGS
For more information, see
https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.
--enable-authorized-networks-on-private-endpoint
Enable enforcement of --master-authorized-networks CIDR ranges for
traffic reaching cluster's control plane via private IP.
--enable-backup-restore
Enable the Backup for GKE add-on. This add-on is disabled by default.
To learn more, see the Backup for GKE overview:
@ -228,6 +233,11 @@ FLAGS
Enable Cilium Clusterwide Network Policies on the cluster. Disabled by
default.
--enable-dns-access
Enable access to the cluster's control plane over DNS-based endpoint.
DNS-based control plane access is recommended.
--enable-fleet
Set cluster project as the fleet host project. This will register the
cluster to the same project. To register the cluster to a fleet in a
@ -239,6 +249,10 @@ FLAGS
Google Cloud can reach the public control plane endpoint of your
cluster.
--enable-ip-access
Enable access to the cluster's control plane over private IP and public
IP if --enable-private-endpoint is not enabled.
--enable-kubernetes-unstable-apis=API,[API,...]
Enable Kubernetes beta API features on this cluster. Beta APIs are not
expected to be production ready and should be avoided in

View file

@ -3,7 +3,8 @@ NAME
running cluster
SYNOPSIS
gcloud beta container clusters get-credentials NAME [--internal-ip]
gcloud beta container clusters get-credentials NAME [--dns-endpoint]
[--internal-ip]
[--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
[GCLOUD_WIDE_FLAG ...]
@ -46,6 +47,9 @@ POSITIONAL ARGUMENTS
container/cluster property value for this command invocation.
FLAGS
--dns-endpoint
Whether to use the DNS-based endpoint for the cluster address.
--internal-ip
Whether to use the internal IP address of the cluster endpoint.

View file

@ -0,0 +1,56 @@
NAME
gcloud beta container clusters get-upgrade-info - get information about
upgrades for existing clusters including auto upgrade status, upgrade
history, upgrade targets, and end of support timelines
SYNOPSIS
gcloud beta container clusters get-upgrade-info NAME
[--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) Get information about upgrades for existing clusters including auto
upgrade status, upgrade history, upgrade targets, and end of support
timelines.
EXAMPLES
To get upgrade information for an existing cluster, run:
$ gcloud beta container clusters get-upgrade-info sample-cluster
POSITIONAL ARGUMENTS
NAME
The name of your existing cluster.
FLAGS
At most one of these can be specified:
--location=LOCATION
Compute zone or region (e.g. us-central1-a or us-central1) for the
cluster. Overrides the default compute/region or compute/zone value
for this command invocation. Prefer using this flag over the --region
or --zone flags.
--region=REGION
Compute region (e.g. us-central1) for a regional cluster. Overrides
the default compute/region property value for this command
invocation.
--zone=ZONE, -z ZONE
Compute zone (e.g. us-central1-a) for a zonal cluster. Overrides the
default compute/zone property value for this command invocation.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. This
variant is also available:
$ gcloud alpha container clusters get-upgrade-info

View file

@ -58,6 +58,11 @@ COMMANDS
get-credentials
(BETA) Fetch credentials for a running cluster.
get-upgrade-info
(BETA) Get information about upgrades for existing clusters including
auto upgrade status, upgrade history, upgrade targets, and end of
support timelines.
list
(BETA) List existing clusters for running containers.

View file

@ -16,16 +16,14 @@ SYNOPSIS
| --[no-]enable-cilium-clusterwide-network-policy
| --enable-cost-allocation | --enable-fleet
| --enable-fqdn-network-policy | --enable-gke-oidc
| --enable-google-cloud-access | --enable-identity-service
| --enable-image-streaming | --enable-insecure-kubelet-readonly-port
| --enable-identity-service | --enable-image-streaming
| --enable-insecure-kubelet-readonly-port
| --enable-intra-node-visibility
| --enable-kubernetes-unstable-apis=API,[API,...]
| --enable-l4-ilb-subsetting | --enable-legacy-authorization
| --enable-logging-monitoring-system-only
| --enable-master-authorized-networks | --enable-master-global-access
| --enable-multi-networking | --enable-network-policy
| --enable-pod-security-policy | --enable-private-endpoint
| --[no-]enable-ray-cluster-logging
| --enable-logging-monitoring-system-only | --enable-multi-networking
| --enable-network-policy | --enable-pod-security-policy
| --enable-private-nodes | --[no-]enable-ray-cluster-logging
| --[no-]enable-ray-cluster-monitoring | --enable-secret-manager
| --enable-service-externalips | --enable-shielded-nodes
| --enable-stackdriver-kubernetes | --enable-vertical-pod-autoscaling
@ -76,6 +74,11 @@ SYNOPSIS
| --disable-dataplane-v2-flow-observability
| --enable-dataplane-v2-flow-observability
--disable-dataplane-v2-metrics | --enable-dataplane-v2-metrics
| --enable-authorized-networks-on-private-endpoint
--enable-dns-access --enable-google-cloud-access --enable-ip-access
--enable-master-global-access --enable-private-endpoint
--enable-master-authorized-networks
--master-authorized-networks=NETWORK,[NETWORK,...]
| [--enable-autoprovisioning
: --autoprovisioning-config-file=PATH_TO_FILE
| --autoprovisioning-image-type=AUTOPROVISIONING_IMAGE_TYPE
@ -101,9 +104,7 @@ SYNOPSIS
| --password=PASSWORD --enable-basic-auth
| --username=USERNAME, -u USERNAME) [--async]
[--cloud-run-config=[load-balancer-type=EXTERNAL,...]]
[--istio-config=[auth=MTLS_PERMISSIVE,...]]
[--master-authorized-networks=NETWORK,[NETWORK,...]]
[--node-pool=NODE_POOL]
[--istio-config=[auth=MTLS_PERMISSIVE,...]] [--node-pool=NODE_POOL]
[--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
[--location-policy=LOCATION_POLICY --max-nodes=MAX_NODES
--min-nodes=MIN_NODES
@ -319,11 +320,6 @@ REQUIRED FLAGS
Thus, flag --enable-gke-oidc is also deprecated. Please use
--enable-identity-service to enable the Identity Service component
--enable-google-cloud-access
When you enable Google Cloud Access, any public IP addresses owned by
Google Cloud can reach the public control plane endpoint of your
cluster.
--enable-identity-service
Enable Identity Service component on the cluster.
@ -380,26 +376,6 @@ REQUIRED FLAGS
and
https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics.
--enable-master-authorized-networks
Allow only specified set of CIDR blocks (specified by the
--master-authorized-networks flag) to connect to Kubernetes master
through HTTPS. Besides these blocks, the following have access as
well:
1) The private network the cluster connects to if
`--enable-private-nodes` is specified.
2) Google Compute Engine Public IPs if `--enable-private-nodes` is not
specified.
Use --no-enable-master-authorized-networks to disable. When disabled,
public internet (0.0.0.0/0) is allowed to connect to Kubernetes
master through HTTPS.
--enable-master-global-access
Use with private clusters to allow access to the master's private
endpoint from any Google Cloud region or on-premises environment
regardless of the private cluster's region.
--enable-multi-networking
Enables multi-networking on the cluster. Multi-networking is disabled
by default.
@ -417,9 +393,20 @@ REQUIRED FLAGS
PodSecurityPolicy API objects. For more information, see
https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies.
--enable-private-endpoint
Enables cluster's control plane to be accessible using private IP
address only.
--enable-private-nodes
Standard cluster: Enable private nodes as a default behavior for all
newly created node pools, if --enable-private-nodes is not provided
at node pool creation time.
Modifications to this flag do not affect `--enable-private-nodes` state of the
existing node pools.
Autopilot cluster: Force new and existing workloads, without explicit
cloud.google.com/private-node=true node selector, to run on nodes
with no public IP address.
Modifications to this flag trigger a re-schedule operation on all existng
workloads to run on different node VMs.
--[no-]enable-ray-cluster-logging
Enable automatic log processing sidecar for Ray clusters. Use
@ -1136,6 +1123,57 @@ REQUIRED FLAGS
--enable-dataplane-v2-metrics
Exposes advanced datapath flow metrics on node port.
--enable-authorized-networks-on-private-endpoint
Enable enforcement of --master-authorized-networks CIDR ranges for
traffic reaching cluster's control plane via private IP.
--enable-dns-access
Enable access to the cluster's control plane over DNS-based endpoint.
DNS-based control plane access is recommended.
--enable-google-cloud-access
When you enable Google Cloud Access, any public IP addresses owned by
Google Cloud can reach the public control plane endpoint of your
cluster.
--enable-ip-access
Enable access to the cluster's control plane over private IP and
public IP if --enable-private-endpoint is not enabled.
--enable-master-global-access
Use with private clusters to allow access to the master's private
endpoint from any Google Cloud region or on-premises environment
regardless of the private cluster's region.
--enable-private-endpoint
Enables cluster's control plane to be accessible using private IP
address only.
Master Authorized Networks
--enable-master-authorized-networks
Allow only specified set of CIDR blocks (specified by the
--master-authorized-networks flag) to connect to Kubernetes master
through HTTPS. Besides these blocks, the following have access as
well:
1) The private network the cluster connects to if
`--enable-private-nodes` is specified.
2) Google Compute Engine Public IPs if `--enable-private-nodes` is not
specified.
Use --no-enable-master-authorized-networks to disable. When
disabled, public internet (0.0.0.0/0) is allowed to connect to
Kubernetes master through HTTPS.
--master-authorized-networks=NETWORK,[NETWORK,...]
The list of CIDR blocks (up to 100 for private cluster, 50 for
public cluster) that are allowed to connect to Kubernetes master
through HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot
be specified unless --enable-master-authorized-networks is also
specified.
Node autoprovisioning
--enable-autoprovisioning
@ -1499,12 +1537,6 @@ OPTIONAL FLAGS
information and migration, see
https://cloud.google.com/istio/docs/istio-on-gke/migrate-to-anthos-service-mesh.
--master-authorized-networks=NETWORK,[NETWORK,...]
The list of CIDR blocks (up to 100 for private cluster, 50 for public
cluster) that are allowed to connect to Kubernetes master through
HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot be
specified unless --enable-master-authorized-networks is also specified.
--node-pool=NODE_POOL
Node pool to be updated.

View file

@ -0,0 +1,127 @@
NAME
gcloud beta container fleet scopes add-app-operator-binding - add
project-level and fleet scope-level IAM bindings and create a fleet
scope RBAC role binding for an app operator principal
SYNOPSIS
gcloud beta container fleet scopes add-app-operator-binding SCOPE
--role=ROLE (--group=GROUP | --user=USER) [--labels=[KEY=VALUE,...]]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) One binding consists of an app operator principal (user/group) and a
role (view/edit/admin).
This command sets up the different permissions required for an app
operator, including usage of fleet scopes, connect gateway, logging, and
metrics. The authoritative list for adding the permissions is the existing
RBAC role bindings under the specified scope.
This command can fail for the following reasons:
▪ The scope specified does not exist.
▪ The user does not have access to the specified scope.
▪ The principal specified already has another binding for the scope.
EXAMPLES
The following command:
$ gcloud beta container fleet scopes add-app-operator-binding \
SCOPE --role=view --group=people@google.com --project=PROJECT_ID
▪ adds IAM policy binding: roles/gkehub.scopeViewer on SCOPE
▪ adds IAM policy binding: roles/gkehub.scopeViewerProjectLevel on
PROJECT_ID
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
with condition where bucket corresponds to SCOPE
▪ creates fleet scope RBAC role binding: role view with a random ID for
group people@google.com.
---
The following command:
$ gcloud beta container fleet scopes add-app-operator-binding \
SCOPE --role=edit --user=person@google.com --project=PROJECT_ID
▪ adds IAM policy binding: roles/gkehub.scopeEditor on SCOPE
▪ adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
PROJECT_ID
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
with condition where bucket corresponds to SCOPE
▪ creates fleet scope RBAC role binding: role edit with a random ID for
user person@google.com.
---
The following command:
$ gcloud beta container fleet scopes add-app-operator-binding \
SCOPE --role=admin --user=person@google.com --project=PROJECT_ID
▪ adds IAM policy binding: roles/gkehub.scopeAdmin on SCOPE
▪ adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
PROJECT_ID
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
with condition where bucket corresponds to SCOPE
▪ creates fleet scope RBAC role binding: role admin with a random ID
for user person@google.com.
POSITIONAL ARGUMENTS
Scope resource - The group of arguments defining the Fleet Scope. This
represents a Cloud resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways.
To set the project attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ provide the argument --project on the command line;
◆ set the property core/project.
To set the location attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ global is the only supported location.
This must be specified.
SCOPE
ID of the scope or fully qualified identifier for the scope.
To set the scope attribute:
▸ provide the argument SCOPE on the command line.
REQUIRED FLAGS
--role=ROLE
Role to assign. ROLE must be one of: admin, edit, view.
Exactly one of these must be specified:
--group=GROUP
Group for the role binding.
--user=USER
User for the role binding.
OPTIONAL FLAGS
--labels=[KEY=VALUE,...]
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens
(-), underscores (_), lowercase characters, and numbers. Values must
contain only hyphens (-), underscores (_), lowercase characters, and
numbers.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. This
variant is also available:
$ gcloud alpha container fleet scopes add-app-operator-binding

View file

@ -25,6 +25,10 @@ GROUPS
COMMANDS
COMMAND is one of the following:
add-app-operator-binding
(BETA) Add project-level and fleet scope-level IAM bindings and create
a fleet scope RBAC role binding for an app operator principal.
add-iam-policy-binding
(BETA) Add IAM policy binding to a Fleet Scope.
@ -44,9 +48,18 @@ COMMANDS
(BETA) List fleet scopes in a project permitted to be viewed by the
caller.
list-app-operator-bindings
(BETA) List app operator principals corresponding to a fleet scope and
their roles based on project-level IAM bindings, fleet scope-level IAM
bindings, and fleet scope RBAC role bindings.
list-memberships
(BETA) List memberships bound to a fleet scope.
remove-app-operator-binding
(BETA) Remove project-level and fleet scope-level IAM bindings and
delete a fleet scope RBAC role binding for an app operator principal.
remove-iam-policy-binding
(BETA) Remove IAM policy binding of a Fleet Scope.

View file

@ -0,0 +1,106 @@
NAME
gcloud beta container fleet scopes list-app-operator-bindings - list app
operator principals corresponding to a fleet scope and their roles
based on project-level IAM bindings, fleet scope-level IAM bindings,
and fleet scope RBAC role bindings
SYNOPSIS
gcloud beta container fleet scopes list-app-operator-bindings SCOPE
[--filter=EXPRESSION] [--limit=LIMIT] [--page-size=PAGE_SIZE]
[--sort-by=[FIELD,...]] [--uri] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) This command lists bindings corresponding to a fleet scope. The
bindings, which consist of an app operator principal and a role, grant
permissions required for an app operator, including usage of fleet scopes,
connect gateway, logging, and metrics. The overarching principal role
(view/edit/admin, or custom) is determined by (1) the fleet scope RBAC role
(view, edit, or admin), (2) the fleet scope-level IAM role
(roles/gkehub.scopeViewer, roles/gkehub.scopeEditor, or
roles/gkehub.scopeAdmin), (3) the project-level IAM role
(roles/gkehub.scopeViewerProjectLevel, or
roles/gkehub.scopeEditorProjectLevel), and (4) the conditional log view
access role for the scope bucket.
This command can fail for the following reasons:
▪ The scope specified does not exist.
▪ The user does not have access to the specified scope.
EXAMPLES
The following command lists app operator principals corresponding to SCOPE
under PROJECT_ID, their roles, and role details (fleet scope RBAC role,
fleet scope-level IAM role, project-level IAM role, and log view access):
$ gcloud beta container fleet scopes list-app-operator-bindings \
--scope=SCOPE --project=PROJECT_ID
POSITIONAL ARGUMENTS
Scope resource - The group of arguments defining the Fleet Scope. This
represents a Cloud resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways.
To set the project attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ provide the argument --project on the command line;
◆ set the property core/project.
To set the location attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ global is the only supported location.
This must be specified.
SCOPE
ID of the scope or fully qualified identifier for the scope.
To set the scope attribute:
▸ provide the argument SCOPE on the command line.
LIST COMMAND FLAGS
--filter=EXPRESSION
Apply a Boolean filter EXPRESSION to each resource item to be listed.
If the expression evaluates True, then that item is listed. For more
details and examples of filter expressions, run $ gcloud topic filters.
This flag interacts with other flags that are applied in this order:
--flatten, --sort-by, --filter, --limit.
--limit=LIMIT
Maximum number of resources to list. The default is unlimited. This
flag interacts with other flags that are applied in this order:
--flatten, --sort-by, --filter, --limit.
--page-size=PAGE_SIZE
Some services group resource list output into pages. This flag
specifies the maximum number of resources per page. The default is
determined by the service if it supports paging, otherwise it is
unlimited (no paging). Paging may be applied before or after --filter
and --limit depending on the service.
--sort-by=[FIELD,...]
Comma-separated list of resource field key names to sort by. The
default order is ascending. Prefix a field with ``~'' for descending
order on that field. This flag interacts with other flags that are
applied in this order: --flatten, --sort-by, --filter, --limit.
--uri
Print a list of resource URIs instead of the default output, and change
the command output to a list of URIs. If this flag is used with
--format, the formatting is applied on this URI list. To display URIs
alongside other keys instead, use the uri() transform.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. This
variant is also available:
$ gcloud alpha container fleet scopes list-app-operator-bindings

View file

@ -0,0 +1,122 @@
NAME
gcloud beta container fleet scopes remove-app-operator-binding - remove
project-level and fleet scope-level IAM bindings and delete a fleet
scope RBAC role binding for an app operator principal
SYNOPSIS
gcloud beta container fleet scopes remove-app-operator-binding SCOPE
(--group=GROUP | --user=USER) [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) One binding consists of an app operator principal (user/group) and a
role (view/edit/admin).
This command unsets the different permissions required for an app operator,
including usage of fleet scopes, connect gateway, logging, and metrics. The
authoritative list for removing the permissions is the existing RBAC role
bindings under the specified scope.
This command can fail for the following reasons:
▪ The scope specified does not exist.
▪ The user does not have access to the specified scope.
▪ The principal specified does not any binding for the scope.
▪ The principal specified has bindings with different roles for the
scope.
EXAMPLES
The following command:
$ gcloud beta container fleet scopes remove-app-operator-binding \
SCOPE --group=people@google.com --project=PROJECT_ID
assuming the group already has the view role:
▪ removes IAM policy binding: roles/gkehub.scopeViewer from SCOPE
▪ removes IAM policy binding: roles/gkehub.scopeViewerProjectLevel from
PROJECT_ID if the group does not have the view role for any other scope
under the project
▪ removes IAM policy binding: roles/logging.viewAccessor from
PROJECT_ID condition where bucket corresponds to SCOPE
▪ deletes existing fleet scope RBAC role binding: role view for group
people@google.com.
---
The following command:
$ gcloud beta container fleet scopes remove-app-operator-binding \
SCOPE --user=person@google.com --project=PROJECT_ID
assuming the user already has the edit role:
▪ removes IAM policy binding: roles/gkehub.scopeEditor from SCOPE
▪ removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
PROJECT_ID if the user does not have the edit/admin role for any other
scope under the project
▪ removes IAM policy binding: roles/logging.viewAccessor from
PROJECT_ID condition where bucket corresponds to SCOPE
▪ deletes existing fleet scope RBAC role binding: role edit for user
person@google.com.
---
The following command:
$ gcloud beta container fleet scopes remove-app-operator-binding \
SCOPE --role=admin --user=person@google.com --project=PROJECT_ID
assuming the user already has the admin role:
▪ removes IAM policy binding: roles/gkehub.scopeAdmin from SCOPE
▪ removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
PROJECT_ID if the user does not have the edit/admin role for any other
scope under the project
▪ removes IAM policy binding: roles/logging.viewAccessor from
PROJECT_ID condition where bucket corresponds to SCOPE
▪ deletes existing fleet scope RBAC role binding: role admin for user
person@google.com.
POSITIONAL ARGUMENTS
Scope resource - The group of arguments defining the Fleet Scope. This
represents a Cloud resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways.
To set the project attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ provide the argument --project on the command line;
◆ set the property core/project.
To set the location attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ global is the only supported location.
This must be specified.
SCOPE
ID of the scope or fully qualified identifier for the scope.
To set the scope attribute:
▸ provide the argument SCOPE on the command line.
REQUIRED FLAGS
Exactly one of these must be specified:
--group=GROUP
Group for the role binding.
--user=USER
User for the role binding.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. This
variant is also available:
$ gcloud alpha container fleet scopes remove-app-operator-binding

View file

@ -0,0 +1,127 @@
NAME
gcloud beta container hub scopes add-app-operator-binding - add
project-level and fleet scope-level IAM bindings and create a fleet
scope RBAC role binding for an app operator principal
SYNOPSIS
gcloud beta container hub scopes add-app-operator-binding SCOPE --role=ROLE
(--group=GROUP | --user=USER) [--labels=[KEY=VALUE,...]]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) One binding consists of an app operator principal (user/group) and a
role (view/edit/admin).
This command sets up the different permissions required for an app
operator, including usage of fleet scopes, connect gateway, logging, and
metrics. The authoritative list for adding the permissions is the existing
RBAC role bindings under the specified scope.
This command can fail for the following reasons:
▪ The scope specified does not exist.
▪ The user does not have access to the specified scope.
▪ The principal specified already has another binding for the scope.
EXAMPLES
The following command:
$ gcloud beta container hub scopes add-app-operator-binding SCOPE \
--role=view --group=people@google.com --project=PROJECT_ID
▪ adds IAM policy binding: roles/gkehub.scopeViewer on SCOPE
▪ adds IAM policy binding: roles/gkehub.scopeViewerProjectLevel on
PROJECT_ID
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
with condition where bucket corresponds to SCOPE
▪ creates fleet scope RBAC role binding: role view with a random ID for
group people@google.com.
---
The following command:
$ gcloud beta container hub scopes add-app-operator-binding SCOPE \
--role=edit --user=person@google.com --project=PROJECT_ID
▪ adds IAM policy binding: roles/gkehub.scopeEditor on SCOPE
▪ adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
PROJECT_ID
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
with condition where bucket corresponds to SCOPE
▪ creates fleet scope RBAC role binding: role edit with a random ID for
user person@google.com.
---
The following command:
$ gcloud beta container hub scopes add-app-operator-binding SCOPE \
--role=admin --user=person@google.com --project=PROJECT_ID
▪ adds IAM policy binding: roles/gkehub.scopeAdmin on SCOPE
▪ adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
PROJECT_ID
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
with condition where bucket corresponds to SCOPE
▪ creates fleet scope RBAC role binding: role admin with a random ID
for user person@google.com.
POSITIONAL ARGUMENTS
Scope resource - The group of arguments defining the Fleet Scope. This
represents a Cloud resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways.
To set the project attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ provide the argument --project on the command line;
◆ set the property core/project.
To set the location attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ global is the only supported location.
This must be specified.
SCOPE
ID of the scope or fully qualified identifier for the scope.
To set the scope attribute:
▸ provide the argument SCOPE on the command line.
REQUIRED FLAGS
--role=ROLE
Role to assign. ROLE must be one of: admin, edit, view.
Exactly one of these must be specified:
--group=GROUP
Group for the role binding.
--user=USER
User for the role binding.
OPTIONAL FLAGS
--labels=[KEY=VALUE,...]
List of label KEY=VALUE pairs to add.
Keys must start with a lowercase character and contain only hyphens
(-), underscores (_), lowercase characters, and numbers. Values must
contain only hyphens (-), underscores (_), lowercase characters, and
numbers.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. This
variant is also available:
$ gcloud alpha container hub scopes add-app-operator-binding

View file

@ -25,6 +25,10 @@ GROUPS
COMMANDS
COMMAND is one of the following:
add-app-operator-binding
(BETA) Add project-level and fleet scope-level IAM bindings and create
a fleet scope RBAC role binding for an app operator principal.
add-iam-policy-binding
(BETA) Add IAM policy binding to a Fleet Scope.
@ -44,9 +48,18 @@ COMMANDS
(BETA) List fleet scopes in a project permitted to be viewed by the
caller.
list-app-operator-bindings
(BETA) List app operator principals corresponding to a fleet scope and
their roles based on project-level IAM bindings, fleet scope-level IAM
bindings, and fleet scope RBAC role bindings.
list-memberships
(BETA) List memberships bound to a fleet scope.
remove-app-operator-binding
(BETA) Remove project-level and fleet scope-level IAM bindings and
delete a fleet scope RBAC role binding for an app operator principal.
remove-iam-policy-binding
(BETA) Remove IAM policy binding of a Fleet Scope.

View file

@ -0,0 +1,106 @@
NAME
gcloud beta container hub scopes list-app-operator-bindings - list app
operator principals corresponding to a fleet scope and their roles
based on project-level IAM bindings, fleet scope-level IAM bindings,
and fleet scope RBAC role bindings
SYNOPSIS
gcloud beta container hub scopes list-app-operator-bindings SCOPE
[--filter=EXPRESSION] [--limit=LIMIT] [--page-size=PAGE_SIZE]
[--sort-by=[FIELD,...]] [--uri] [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) This command lists bindings corresponding to a fleet scope. The
bindings, which consist of an app operator principal and a role, grant
permissions required for an app operator, including usage of fleet scopes,
connect gateway, logging, and metrics. The overarching principal role
(view/edit/admin, or custom) is determined by (1) the fleet scope RBAC role
(view, edit, or admin), (2) the fleet scope-level IAM role
(roles/gkehub.scopeViewer, roles/gkehub.scopeEditor, or
roles/gkehub.scopeAdmin), (3) the project-level IAM role
(roles/gkehub.scopeViewerProjectLevel, or
roles/gkehub.scopeEditorProjectLevel), and (4) the conditional log view
access role for the scope bucket.
This command can fail for the following reasons:
▪ The scope specified does not exist.
▪ The user does not have access to the specified scope.
EXAMPLES
The following command lists app operator principals corresponding to SCOPE
under PROJECT_ID, their roles, and role details (fleet scope RBAC role,
fleet scope-level IAM role, project-level IAM role, and log view access):
$ gcloud beta container hub scopes list-app-operator-bindings \
--scope=SCOPE --project=PROJECT_ID
POSITIONAL ARGUMENTS
Scope resource - The group of arguments defining the Fleet Scope. This
represents a Cloud resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways.
To set the project attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ provide the argument --project on the command line;
◆ set the property core/project.
To set the location attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ global is the only supported location.
This must be specified.
SCOPE
ID of the scope or fully qualified identifier for the scope.
To set the scope attribute:
▸ provide the argument SCOPE on the command line.
LIST COMMAND FLAGS
--filter=EXPRESSION
Apply a Boolean filter EXPRESSION to each resource item to be listed.
If the expression evaluates True, then that item is listed. For more
details and examples of filter expressions, run $ gcloud topic filters.
This flag interacts with other flags that are applied in this order:
--flatten, --sort-by, --filter, --limit.
--limit=LIMIT
Maximum number of resources to list. The default is unlimited. This
flag interacts with other flags that are applied in this order:
--flatten, --sort-by, --filter, --limit.
--page-size=PAGE_SIZE
Some services group resource list output into pages. This flag
specifies the maximum number of resources per page. The default is
determined by the service if it supports paging, otherwise it is
unlimited (no paging). Paging may be applied before or after --filter
and --limit depending on the service.
--sort-by=[FIELD,...]
Comma-separated list of resource field key names to sort by. The
default order is ascending. Prefix a field with ``~'' for descending
order on that field. This flag interacts with other flags that are
applied in this order: --flatten, --sort-by, --filter, --limit.
--uri
Print a list of resource URIs instead of the default output, and change
the command output to a list of URIs. If this flag is used with
--format, the formatting is applied on this URI list. To display URIs
alongside other keys instead, use the uri() transform.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. This
variant is also available:
$ gcloud alpha container hub scopes list-app-operator-bindings

View file

@ -0,0 +1,122 @@
NAME
gcloud beta container hub scopes remove-app-operator-binding - remove
project-level and fleet scope-level IAM bindings and delete a fleet
scope RBAC role binding for an app operator principal
SYNOPSIS
gcloud beta container hub scopes remove-app-operator-binding SCOPE
(--group=GROUP | --user=USER) [GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) One binding consists of an app operator principal (user/group) and a
role (view/edit/admin).
This command unsets the different permissions required for an app operator,
including usage of fleet scopes, connect gateway, logging, and metrics. The
authoritative list for removing the permissions is the existing RBAC role
bindings under the specified scope.
This command can fail for the following reasons:
▪ The scope specified does not exist.
▪ The user does not have access to the specified scope.
▪ The principal specified does not any binding for the scope.
▪ The principal specified has bindings with different roles for the
scope.
EXAMPLES
The following command:
$ gcloud beta container hub scopes remove-app-operator-binding \
SCOPE --group=people@google.com --project=PROJECT_ID
assuming the group already has the view role:
▪ removes IAM policy binding: roles/gkehub.scopeViewer from SCOPE
▪ removes IAM policy binding: roles/gkehub.scopeViewerProjectLevel from
PROJECT_ID if the group does not have the view role for any other scope
under the project
▪ removes IAM policy binding: roles/logging.viewAccessor from
PROJECT_ID condition where bucket corresponds to SCOPE
▪ deletes existing fleet scope RBAC role binding: role view for group
people@google.com.
---
The following command:
$ gcloud beta container hub scopes remove-app-operator-binding \
SCOPE --user=person@google.com --project=PROJECT_ID
assuming the user already has the edit role:
▪ removes IAM policy binding: roles/gkehub.scopeEditor from SCOPE
▪ removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
PROJECT_ID if the user does not have the edit/admin role for any other
scope under the project
▪ removes IAM policy binding: roles/logging.viewAccessor from
PROJECT_ID condition where bucket corresponds to SCOPE
▪ deletes existing fleet scope RBAC role binding: role edit for user
person@google.com.
---
The following command:
$ gcloud beta container hub scopes remove-app-operator-binding \
SCOPE --role=admin --user=person@google.com --project=PROJECT_ID
assuming the user already has the admin role:
▪ removes IAM policy binding: roles/gkehub.scopeAdmin from SCOPE
▪ removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
PROJECT_ID if the user does not have the edit/admin role for any other
scope under the project
▪ removes IAM policy binding: roles/logging.viewAccessor from
PROJECT_ID condition where bucket corresponds to SCOPE
▪ deletes existing fleet scope RBAC role binding: role admin for user
person@google.com.
POSITIONAL ARGUMENTS
Scope resource - The group of arguments defining the Fleet Scope. This
represents a Cloud resource. (NOTE) Some attributes are not given
arguments in this group but can be set in other ways.
To set the project attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ provide the argument --project on the command line;
◆ set the property core/project.
To set the location attribute:
◆ provide the argument SCOPE on the command line with a fully specified
name;
◆ global is the only supported location.
This must be specified.
SCOPE
ID of the scope or fully qualified identifier for the scope.
To set the scope attribute:
▸ provide the argument SCOPE on the command line.
REQUIRED FLAGS
Exactly one of these must be specified:
--group=GROUP
Group for the role binding.
--user=USER
User for the role binding.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. This
variant is also available:
$ gcloud alpha container hub scopes remove-app-operator-binding

View file

@ -0,0 +1,61 @@
NAME
gcloud beta container node-pools get-upgrade-info - get information about
upgrades for existing clusters including auto upgrade status, upgrade
history, upgrade targets, and end of support timelines
SYNOPSIS
gcloud beta container node-pools get-upgrade-info NAME [--cluster=CLUSTER]
[--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
[GCLOUD_WIDE_FLAG ...]
DESCRIPTION
(BETA) Get information about upgrades for existing clusters including auto
upgrade status, upgrade history, upgrade targets, and end of support
timelines.
EXAMPLES
To get upgrade information for a node pool of an existing cluster, run:
$ gcloud beta container node-pools get-upgrade-info node-pool-1 \
--cluster=sample-cluster
POSITIONAL ARGUMENTS
NAME
The name of the node pool.
FLAGS
--cluster=CLUSTER
The name of the cluster. Overrides the default container/cluster
property value for this command invocation.
At most one of these can be specified:
--location=LOCATION
Compute zone or region (e.g. us-central1-a or us-central1) for the
cluster. Overrides the default compute/region or compute/zone value
for this command invocation. Prefer using this flag over the --region
or --zone flags.
--region=REGION
Compute region (e.g. us-central1) for a regional cluster. Overrides
the default compute/region property value for this command
invocation.
--zone=ZONE, -z ZONE
Compute zone (e.g. us-central1-a) for a zonal cluster. Overrides the
default compute/zone property value for this command invocation.
GCLOUD WIDE FLAGS
These flags are available to all commands: --access-token-file, --account,
--billing-project, --configuration, --flags-file, --flatten, --format,
--help, --impersonate-service-account, --log-http, --project, --quiet,
--trace-token, --user-output-enabled, --verbosity.
Run $ gcloud help for details.
NOTES
This command is currently in beta and might change without notice. This
variant is also available:
$ gcloud alpha container node-pools get-upgrade-info

View file

@ -49,6 +49,11 @@ COMMANDS
describe
(BETA) Describe an existing node pool for a cluster.
get-upgrade-info
(BETA) Get information about upgrades for existing clusters including
auto upgrade status, upgrade history, upgrade targets, and end of
support timelines.
list
(BETA) List existing node pools for a cluster.