mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-18 06:47:12 +00:00
gcloud: Wed Oct 9 09:55:07 UTC 2024
This commit is contained in:
parent
489be55d99
commit
4ffb04ab9e
211 changed files with 7635 additions and 1232 deletions
|
|
@ -24,17 +24,19 @@ SYNOPSIS
|
|||
[--database-encryption-key=DATABASE_ENCRYPTION_KEY]
|
||||
[--default-max-pods-per-node=DEFAULT_MAX_PODS_PER_NODE]
|
||||
[--disable-default-snat] [--disable-pod-cidr-overprovision]
|
||||
[--disk-size=DISK_SIZE] [--disk-type=DISK_TYPE] [--enable-autorepair]
|
||||
[--no-enable-autoupgrade] [--enable-cilium-clusterwide-network-policy]
|
||||
[--enable-cloud-logging] [--enable-cloud-monitoring]
|
||||
[--enable-cloud-run-alpha] [--enable-confidential-nodes]
|
||||
[--enable-confidential-storage] [--enable-cost-allocation]
|
||||
[--enable-dataplane-v2] [--enable-fleet] [--enable-fqdn-network-policy]
|
||||
[--disk-size=DISK_SIZE] [--disk-type=DISK_TYPE]
|
||||
[--enable-authorized-networks-on-private-endpoint]
|
||||
[--enable-autorepair] [--no-enable-autoupgrade]
|
||||
[--enable-cilium-clusterwide-network-policy] [--enable-cloud-logging]
|
||||
[--enable-cloud-monitoring] [--enable-cloud-run-alpha]
|
||||
[--enable-confidential-nodes] [--enable-confidential-storage]
|
||||
[--enable-cost-allocation] [--enable-dataplane-v2]
|
||||
[--enable-dns-access] [--enable-fleet] [--enable-fqdn-network-policy]
|
||||
[--enable-gke-oidc] [--enable-google-cloud-access] [--enable-gvnic]
|
||||
[--enable-identity-service] [--enable-image-streaming]
|
||||
[--enable-insecure-kubelet-readonly-port]
|
||||
[--enable-intra-node-visibility] [--enable-ip-alias]
|
||||
[--enable-kubernetes-alpha]
|
||||
[--enable-intra-node-visibility] [--enable-ip-access]
|
||||
[--enable-ip-alias] [--enable-kubernetes-alpha]
|
||||
[--enable-kubernetes-unstable-apis=API,[API,...]]
|
||||
[--enable-l4-ilb-subsetting] [--enable-legacy-authorization]
|
||||
[--enable-logging-monitoring-system-only] [--enable-managed-prometheus]
|
||||
|
|
@ -434,6 +436,10 @@ FLAGS
|
|||
DISK_TYPE must be one of: pd-standard, pd-ssd, pd-balanced,
|
||||
hyperdisk-balanced, hyperdisk-extreme, hyperdisk-throughput.
|
||||
|
||||
--enable-authorized-networks-on-private-endpoint
|
||||
Enable enforcement of --master-authorized-networks CIDR ranges for
|
||||
traffic reaching cluster's control plane via private IP.
|
||||
|
||||
--enable-autorepair
|
||||
Enable node autorepair feature for a cluster's default node pool(s).
|
||||
|
||||
|
|
@ -514,6 +520,11 @@ FLAGS
|
|||
Enables the new eBPF dataplane for GKE clusters that is required for
|
||||
network security, scalability and visibility features.
|
||||
|
||||
--enable-dns-access
|
||||
Enable access to the cluster's control plane over DNS-based endpoint.
|
||||
|
||||
DNS-based control plane access is recommended.
|
||||
|
||||
--enable-fleet
|
||||
Set cluster project as the fleet host project. This will register the
|
||||
cluster to the same project. To register the cluster to a fleet in a
|
||||
|
|
@ -576,6 +587,10 @@ FLAGS
|
|||
Enabling it on an existing cluster causes the cluster master and the
|
||||
cluster nodes to restart, which might cause a disruption.
|
||||
|
||||
--enable-ip-access
|
||||
Enable access to the cluster's control plane over private IP and public
|
||||
IP if --enable-private-endpoint is not enabled.
|
||||
|
||||
--enable-ip-alias
|
||||
Enable use of alias IPs
|
||||
(https://cloud.google.com/compute/docs/alias-ip/) for Pod IPs. This
|
||||
|
|
|
|||
|
|
@ -14,9 +14,10 @@ SYNOPSIS
|
|||
[--containerd-config-from-file=PATH_TO_FILE]
|
||||
[--create-subnetwork=[KEY=VALUE,...]]
|
||||
[--database-encryption-key=DATABASE_ENCRYPTION_KEY]
|
||||
[--enable-authorized-networks-on-private-endpoint]
|
||||
[--enable-backup-restore] [--enable-cilium-clusterwide-network-policy]
|
||||
[--enable-fleet] [--enable-google-cloud-access]
|
||||
[--enable-kubernetes-unstable-apis=API,[API,...]]
|
||||
[--enable-dns-access] [--enable-fleet] [--enable-google-cloud-access]
|
||||
[--enable-ip-access] [--enable-kubernetes-unstable-apis=API,[API,...]]
|
||||
[--enable-master-global-access] [--enable-ray-cluster-logging]
|
||||
[--enable-ray-cluster-monitoring] [--enable-ray-operator]
|
||||
[--enable-secret-manager] [--fleet-project=PROJECT_ID_OR_NUMBER]
|
||||
|
|
@ -219,6 +220,10 @@ FLAGS
|
|||
For more information, see
|
||||
https://cloud.google.com/kubernetes-engine/docs/how-to/encrypting-secrets.
|
||||
|
||||
--enable-authorized-networks-on-private-endpoint
|
||||
Enable enforcement of --master-authorized-networks CIDR ranges for
|
||||
traffic reaching cluster's control plane via private IP.
|
||||
|
||||
--enable-backup-restore
|
||||
Enable the Backup for GKE add-on. This add-on is disabled by default.
|
||||
To learn more, see the Backup for GKE overview:
|
||||
|
|
@ -228,6 +233,11 @@ FLAGS
|
|||
Enable Cilium Clusterwide Network Policies on the cluster. Disabled by
|
||||
default.
|
||||
|
||||
--enable-dns-access
|
||||
Enable access to the cluster's control plane over DNS-based endpoint.
|
||||
|
||||
DNS-based control plane access is recommended.
|
||||
|
||||
--enable-fleet
|
||||
Set cluster project as the fleet host project. This will register the
|
||||
cluster to the same project. To register the cluster to a fleet in a
|
||||
|
|
@ -239,6 +249,10 @@ FLAGS
|
|||
Google Cloud can reach the public control plane endpoint of your
|
||||
cluster.
|
||||
|
||||
--enable-ip-access
|
||||
Enable access to the cluster's control plane over private IP and public
|
||||
IP if --enable-private-endpoint is not enabled.
|
||||
|
||||
--enable-kubernetes-unstable-apis=API,[API,...]
|
||||
Enable Kubernetes beta API features on this cluster. Beta APIs are not
|
||||
expected to be production ready and should be avoided in
|
||||
|
|
|
|||
|
|
@ -3,7 +3,8 @@ NAME
|
|||
running cluster
|
||||
|
||||
SYNOPSIS
|
||||
gcloud beta container clusters get-credentials NAME [--internal-ip]
|
||||
gcloud beta container clusters get-credentials NAME [--dns-endpoint]
|
||||
[--internal-ip]
|
||||
[--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
|
|
@ -46,6 +47,9 @@ POSITIONAL ARGUMENTS
|
|||
container/cluster property value for this command invocation.
|
||||
|
||||
FLAGS
|
||||
--dns-endpoint
|
||||
Whether to use the DNS-based endpoint for the cluster address.
|
||||
|
||||
--internal-ip
|
||||
Whether to use the internal IP address of the cluster endpoint.
|
||||
|
||||
|
|
|
|||
56
gcloud/beta/container/clusters/get-upgrade-info
Normal file
56
gcloud/beta/container/clusters/get-upgrade-info
Normal file
|
|
@ -0,0 +1,56 @@
|
|||
NAME
|
||||
gcloud beta container clusters get-upgrade-info - get information about
|
||||
upgrades for existing clusters including auto upgrade status, upgrade
|
||||
history, upgrade targets, and end of support timelines
|
||||
|
||||
SYNOPSIS
|
||||
gcloud beta container clusters get-upgrade-info NAME
|
||||
[--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(BETA) Get information about upgrades for existing clusters including auto
|
||||
upgrade status, upgrade history, upgrade targets, and end of support
|
||||
timelines.
|
||||
|
||||
EXAMPLES
|
||||
To get upgrade information for an existing cluster, run:
|
||||
|
||||
$ gcloud beta container clusters get-upgrade-info sample-cluster
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
NAME
|
||||
The name of your existing cluster.
|
||||
|
||||
FLAGS
|
||||
At most one of these can be specified:
|
||||
|
||||
--location=LOCATION
|
||||
Compute zone or region (e.g. us-central1-a or us-central1) for the
|
||||
cluster. Overrides the default compute/region or compute/zone value
|
||||
for this command invocation. Prefer using this flag over the --region
|
||||
or --zone flags.
|
||||
|
||||
--region=REGION
|
||||
Compute region (e.g. us-central1) for a regional cluster. Overrides
|
||||
the default compute/region property value for this command
|
||||
invocation.
|
||||
|
||||
--zone=ZONE, -z ZONE
|
||||
Compute zone (e.g. us-central1-a) for a zonal cluster. Overrides the
|
||||
default compute/zone property value for this command invocation.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
This command is currently in beta and might change without notice. This
|
||||
variant is also available:
|
||||
|
||||
$ gcloud alpha container clusters get-upgrade-info
|
||||
|
||||
|
|
@ -58,6 +58,11 @@ COMMANDS
|
|||
get-credentials
|
||||
(BETA) Fetch credentials for a running cluster.
|
||||
|
||||
get-upgrade-info
|
||||
(BETA) Get information about upgrades for existing clusters including
|
||||
auto upgrade status, upgrade history, upgrade targets, and end of
|
||||
support timelines.
|
||||
|
||||
list
|
||||
(BETA) List existing clusters for running containers.
|
||||
|
||||
|
|
|
|||
|
|
@ -16,16 +16,14 @@ SYNOPSIS
|
|||
| --[no-]enable-cilium-clusterwide-network-policy
|
||||
| --enable-cost-allocation | --enable-fleet
|
||||
| --enable-fqdn-network-policy | --enable-gke-oidc
|
||||
| --enable-google-cloud-access | --enable-identity-service
|
||||
| --enable-image-streaming | --enable-insecure-kubelet-readonly-port
|
||||
| --enable-identity-service | --enable-image-streaming
|
||||
| --enable-insecure-kubelet-readonly-port
|
||||
| --enable-intra-node-visibility
|
||||
| --enable-kubernetes-unstable-apis=API,[API,...]
|
||||
| --enable-l4-ilb-subsetting | --enable-legacy-authorization
|
||||
| --enable-logging-monitoring-system-only
|
||||
| --enable-master-authorized-networks | --enable-master-global-access
|
||||
| --enable-multi-networking | --enable-network-policy
|
||||
| --enable-pod-security-policy | --enable-private-endpoint
|
||||
| --[no-]enable-ray-cluster-logging
|
||||
| --enable-logging-monitoring-system-only | --enable-multi-networking
|
||||
| --enable-network-policy | --enable-pod-security-policy
|
||||
| --enable-private-nodes | --[no-]enable-ray-cluster-logging
|
||||
| --[no-]enable-ray-cluster-monitoring | --enable-secret-manager
|
||||
| --enable-service-externalips | --enable-shielded-nodes
|
||||
| --enable-stackdriver-kubernetes | --enable-vertical-pod-autoscaling
|
||||
|
|
@ -76,6 +74,11 @@ SYNOPSIS
|
|||
| --disable-dataplane-v2-flow-observability
|
||||
| --enable-dataplane-v2-flow-observability
|
||||
--disable-dataplane-v2-metrics | --enable-dataplane-v2-metrics
|
||||
| --enable-authorized-networks-on-private-endpoint
|
||||
--enable-dns-access --enable-google-cloud-access --enable-ip-access
|
||||
--enable-master-global-access --enable-private-endpoint
|
||||
--enable-master-authorized-networks
|
||||
--master-authorized-networks=NETWORK,[NETWORK,...]
|
||||
| [--enable-autoprovisioning
|
||||
: --autoprovisioning-config-file=PATH_TO_FILE
|
||||
| --autoprovisioning-image-type=AUTOPROVISIONING_IMAGE_TYPE
|
||||
|
|
@ -101,9 +104,7 @@ SYNOPSIS
|
|||
| --password=PASSWORD --enable-basic-auth
|
||||
| --username=USERNAME, -u USERNAME) [--async]
|
||||
[--cloud-run-config=[load-balancer-type=EXTERNAL,...]]
|
||||
[--istio-config=[auth=MTLS_PERMISSIVE,...]]
|
||||
[--master-authorized-networks=NETWORK,[NETWORK,...]]
|
||||
[--node-pool=NODE_POOL]
|
||||
[--istio-config=[auth=MTLS_PERMISSIVE,...]] [--node-pool=NODE_POOL]
|
||||
[--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
|
||||
[--location-policy=LOCATION_POLICY --max-nodes=MAX_NODES
|
||||
--min-nodes=MIN_NODES
|
||||
|
|
@ -319,11 +320,6 @@ REQUIRED FLAGS
|
|||
Thus, flag --enable-gke-oidc is also deprecated. Please use
|
||||
--enable-identity-service to enable the Identity Service component
|
||||
|
||||
--enable-google-cloud-access
|
||||
When you enable Google Cloud Access, any public IP addresses owned by
|
||||
Google Cloud can reach the public control plane endpoint of your
|
||||
cluster.
|
||||
|
||||
--enable-identity-service
|
||||
Enable Identity Service component on the cluster.
|
||||
|
||||
|
|
@ -380,26 +376,6 @@ REQUIRED FLAGS
|
|||
and
|
||||
https://cloud.google.com/kubernetes-engine/docs/how-to/configure-metrics.
|
||||
|
||||
--enable-master-authorized-networks
|
||||
Allow only specified set of CIDR blocks (specified by the
|
||||
--master-authorized-networks flag) to connect to Kubernetes master
|
||||
through HTTPS. Besides these blocks, the following have access as
|
||||
well:
|
||||
|
||||
1) The private network the cluster connects to if
|
||||
`--enable-private-nodes` is specified.
|
||||
2) Google Compute Engine Public IPs if `--enable-private-nodes` is not
|
||||
specified.
|
||||
|
||||
Use --no-enable-master-authorized-networks to disable. When disabled,
|
||||
public internet (0.0.0.0/0) is allowed to connect to Kubernetes
|
||||
master through HTTPS.
|
||||
|
||||
--enable-master-global-access
|
||||
Use with private clusters to allow access to the master's private
|
||||
endpoint from any Google Cloud region or on-premises environment
|
||||
regardless of the private cluster's region.
|
||||
|
||||
--enable-multi-networking
|
||||
Enables multi-networking on the cluster. Multi-networking is disabled
|
||||
by default.
|
||||
|
|
@ -417,9 +393,20 @@ REQUIRED FLAGS
|
|||
PodSecurityPolicy API objects. For more information, see
|
||||
https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies.
|
||||
|
||||
--enable-private-endpoint
|
||||
Enables cluster's control plane to be accessible using private IP
|
||||
address only.
|
||||
--enable-private-nodes
|
||||
Standard cluster: Enable private nodes as a default behavior for all
|
||||
newly created node pools, if --enable-private-nodes is not provided
|
||||
at node pool creation time.
|
||||
|
||||
Modifications to this flag do not affect `--enable-private-nodes` state of the
|
||||
existing node pools.
|
||||
|
||||
Autopilot cluster: Force new and existing workloads, without explicit
|
||||
cloud.google.com/private-node=true node selector, to run on nodes
|
||||
with no public IP address.
|
||||
|
||||
Modifications to this flag trigger a re-schedule operation on all existng
|
||||
workloads to run on different node VMs.
|
||||
|
||||
--[no-]enable-ray-cluster-logging
|
||||
Enable automatic log processing sidecar for Ray clusters. Use
|
||||
|
|
@ -1136,6 +1123,57 @@ REQUIRED FLAGS
|
|||
--enable-dataplane-v2-metrics
|
||||
Exposes advanced datapath flow metrics on node port.
|
||||
|
||||
--enable-authorized-networks-on-private-endpoint
|
||||
Enable enforcement of --master-authorized-networks CIDR ranges for
|
||||
traffic reaching cluster's control plane via private IP.
|
||||
|
||||
--enable-dns-access
|
||||
Enable access to the cluster's control plane over DNS-based endpoint.
|
||||
|
||||
DNS-based control plane access is recommended.
|
||||
|
||||
--enable-google-cloud-access
|
||||
When you enable Google Cloud Access, any public IP addresses owned by
|
||||
Google Cloud can reach the public control plane endpoint of your
|
||||
cluster.
|
||||
|
||||
--enable-ip-access
|
||||
Enable access to the cluster's control plane over private IP and
|
||||
public IP if --enable-private-endpoint is not enabled.
|
||||
|
||||
--enable-master-global-access
|
||||
Use with private clusters to allow access to the master's private
|
||||
endpoint from any Google Cloud region or on-premises environment
|
||||
regardless of the private cluster's region.
|
||||
|
||||
--enable-private-endpoint
|
||||
Enables cluster's control plane to be accessible using private IP
|
||||
address only.
|
||||
|
||||
Master Authorized Networks
|
||||
|
||||
--enable-master-authorized-networks
|
||||
Allow only specified set of CIDR blocks (specified by the
|
||||
--master-authorized-networks flag) to connect to Kubernetes master
|
||||
through HTTPS. Besides these blocks, the following have access as
|
||||
well:
|
||||
|
||||
1) The private network the cluster connects to if
|
||||
`--enable-private-nodes` is specified.
|
||||
2) Google Compute Engine Public IPs if `--enable-private-nodes` is not
|
||||
specified.
|
||||
|
||||
Use --no-enable-master-authorized-networks to disable. When
|
||||
disabled, public internet (0.0.0.0/0) is allowed to connect to
|
||||
Kubernetes master through HTTPS.
|
||||
|
||||
--master-authorized-networks=NETWORK,[NETWORK,...]
|
||||
The list of CIDR blocks (up to 100 for private cluster, 50 for
|
||||
public cluster) that are allowed to connect to Kubernetes master
|
||||
through HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot
|
||||
be specified unless --enable-master-authorized-networks is also
|
||||
specified.
|
||||
|
||||
Node autoprovisioning
|
||||
|
||||
--enable-autoprovisioning
|
||||
|
|
@ -1499,12 +1537,6 @@ OPTIONAL FLAGS
|
|||
information and migration, see
|
||||
https://cloud.google.com/istio/docs/istio-on-gke/migrate-to-anthos-service-mesh.
|
||||
|
||||
--master-authorized-networks=NETWORK,[NETWORK,...]
|
||||
The list of CIDR blocks (up to 100 for private cluster, 50 for public
|
||||
cluster) that are allowed to connect to Kubernetes master through
|
||||
HTTPS. Specified in CIDR notation (e.g. 1.2.3.4/30). Cannot be
|
||||
specified unless --enable-master-authorized-networks is also specified.
|
||||
|
||||
--node-pool=NODE_POOL
|
||||
Node pool to be updated.
|
||||
|
||||
|
|
|
|||
127
gcloud/beta/container/fleet/scopes/add-app-operator-binding
Normal file
127
gcloud/beta/container/fleet/scopes/add-app-operator-binding
Normal file
|
|
@ -0,0 +1,127 @@
|
|||
NAME
|
||||
gcloud beta container fleet scopes add-app-operator-binding - add
|
||||
project-level and fleet scope-level IAM bindings and create a fleet
|
||||
scope RBAC role binding for an app operator principal
|
||||
|
||||
SYNOPSIS
|
||||
gcloud beta container fleet scopes add-app-operator-binding SCOPE
|
||||
--role=ROLE (--group=GROUP | --user=USER) [--labels=[KEY=VALUE,...]]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(BETA) One binding consists of an app operator principal (user/group) and a
|
||||
role (view/edit/admin).
|
||||
|
||||
This command sets up the different permissions required for an app
|
||||
operator, including usage of fleet scopes, connect gateway, logging, and
|
||||
metrics. The authoritative list for adding the permissions is the existing
|
||||
RBAC role bindings under the specified scope.
|
||||
|
||||
This command can fail for the following reasons:
|
||||
▪ The scope specified does not exist.
|
||||
▪ The user does not have access to the specified scope.
|
||||
▪ The principal specified already has another binding for the scope.
|
||||
|
||||
EXAMPLES
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container fleet scopes add-app-operator-binding \
|
||||
SCOPE --role=view --group=people@google.com --project=PROJECT_ID
|
||||
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeViewer on SCOPE
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeViewerProjectLevel on
|
||||
PROJECT_ID
|
||||
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
|
||||
with condition where bucket corresponds to SCOPE
|
||||
▪ creates fleet scope RBAC role binding: role view with a random ID for
|
||||
group people@google.com.
|
||||
|
||||
---
|
||||
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container fleet scopes add-app-operator-binding \
|
||||
SCOPE --role=edit --user=person@google.com --project=PROJECT_ID
|
||||
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeEditor on SCOPE
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
|
||||
PROJECT_ID
|
||||
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
|
||||
with condition where bucket corresponds to SCOPE
|
||||
▪ creates fleet scope RBAC role binding: role edit with a random ID for
|
||||
user person@google.com.
|
||||
|
||||
---
|
||||
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container fleet scopes add-app-operator-binding \
|
||||
SCOPE --role=admin --user=person@google.com --project=PROJECT_ID
|
||||
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeAdmin on SCOPE
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
|
||||
PROJECT_ID
|
||||
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
|
||||
with condition where bucket corresponds to SCOPE
|
||||
▪ creates fleet scope RBAC role binding: role admin with a random ID
|
||||
for user person@google.com.
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
Scope resource - The group of arguments defining the Fleet Scope. This
|
||||
represents a Cloud resource. (NOTE) Some attributes are not given
|
||||
arguments in this group but can be set in other ways.
|
||||
|
||||
To set the project attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ provide the argument --project on the command line;
|
||||
◆ set the property core/project.
|
||||
|
||||
To set the location attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ global is the only supported location.
|
||||
|
||||
This must be specified.
|
||||
|
||||
SCOPE
|
||||
ID of the scope or fully qualified identifier for the scope.
|
||||
|
||||
To set the scope attribute:
|
||||
▸ provide the argument SCOPE on the command line.
|
||||
|
||||
REQUIRED FLAGS
|
||||
--role=ROLE
|
||||
Role to assign. ROLE must be one of: admin, edit, view.
|
||||
|
||||
Exactly one of these must be specified:
|
||||
|
||||
--group=GROUP
|
||||
Group for the role binding.
|
||||
|
||||
--user=USER
|
||||
User for the role binding.
|
||||
|
||||
OPTIONAL FLAGS
|
||||
--labels=[KEY=VALUE,...]
|
||||
List of label KEY=VALUE pairs to add.
|
||||
|
||||
Keys must start with a lowercase character and contain only hyphens
|
||||
(-), underscores (_), lowercase characters, and numbers. Values must
|
||||
contain only hyphens (-), underscores (_), lowercase characters, and
|
||||
numbers.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
This command is currently in beta and might change without notice. This
|
||||
variant is also available:
|
||||
|
||||
$ gcloud alpha container fleet scopes add-app-operator-binding
|
||||
|
||||
|
|
@ -25,6 +25,10 @@ GROUPS
|
|||
COMMANDS
|
||||
COMMAND is one of the following:
|
||||
|
||||
add-app-operator-binding
|
||||
(BETA) Add project-level and fleet scope-level IAM bindings and create
|
||||
a fleet scope RBAC role binding for an app operator principal.
|
||||
|
||||
add-iam-policy-binding
|
||||
(BETA) Add IAM policy binding to a Fleet Scope.
|
||||
|
||||
|
|
@ -44,9 +48,18 @@ COMMANDS
|
|||
(BETA) List fleet scopes in a project permitted to be viewed by the
|
||||
caller.
|
||||
|
||||
list-app-operator-bindings
|
||||
(BETA) List app operator principals corresponding to a fleet scope and
|
||||
their roles based on project-level IAM bindings, fleet scope-level IAM
|
||||
bindings, and fleet scope RBAC role bindings.
|
||||
|
||||
list-memberships
|
||||
(BETA) List memberships bound to a fleet scope.
|
||||
|
||||
remove-app-operator-binding
|
||||
(BETA) Remove project-level and fleet scope-level IAM bindings and
|
||||
delete a fleet scope RBAC role binding for an app operator principal.
|
||||
|
||||
remove-iam-policy-binding
|
||||
(BETA) Remove IAM policy binding of a Fleet Scope.
|
||||
|
||||
|
|
|
|||
106
gcloud/beta/container/fleet/scopes/list-app-operator-bindings
Normal file
106
gcloud/beta/container/fleet/scopes/list-app-operator-bindings
Normal file
|
|
@ -0,0 +1,106 @@
|
|||
NAME
|
||||
gcloud beta container fleet scopes list-app-operator-bindings - list app
|
||||
operator principals corresponding to a fleet scope and their roles
|
||||
based on project-level IAM bindings, fleet scope-level IAM bindings,
|
||||
and fleet scope RBAC role bindings
|
||||
|
||||
SYNOPSIS
|
||||
gcloud beta container fleet scopes list-app-operator-bindings SCOPE
|
||||
[--filter=EXPRESSION] [--limit=LIMIT] [--page-size=PAGE_SIZE]
|
||||
[--sort-by=[FIELD,...]] [--uri] [GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(BETA) This command lists bindings corresponding to a fleet scope. The
|
||||
bindings, which consist of an app operator principal and a role, grant
|
||||
permissions required for an app operator, including usage of fleet scopes,
|
||||
connect gateway, logging, and metrics. The overarching principal role
|
||||
(view/edit/admin, or custom) is determined by (1) the fleet scope RBAC role
|
||||
(view, edit, or admin), (2) the fleet scope-level IAM role
|
||||
(roles/gkehub.scopeViewer, roles/gkehub.scopeEditor, or
|
||||
roles/gkehub.scopeAdmin), (3) the project-level IAM role
|
||||
(roles/gkehub.scopeViewerProjectLevel, or
|
||||
roles/gkehub.scopeEditorProjectLevel), and (4) the conditional log view
|
||||
access role for the scope bucket.
|
||||
|
||||
This command can fail for the following reasons:
|
||||
▪ The scope specified does not exist.
|
||||
▪ The user does not have access to the specified scope.
|
||||
|
||||
EXAMPLES
|
||||
The following command lists app operator principals corresponding to SCOPE
|
||||
under PROJECT_ID, their roles, and role details (fleet scope RBAC role,
|
||||
fleet scope-level IAM role, project-level IAM role, and log view access):
|
||||
|
||||
$ gcloud beta container fleet scopes list-app-operator-bindings \
|
||||
--scope=SCOPE --project=PROJECT_ID
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
Scope resource - The group of arguments defining the Fleet Scope. This
|
||||
represents a Cloud resource. (NOTE) Some attributes are not given
|
||||
arguments in this group but can be set in other ways.
|
||||
|
||||
To set the project attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ provide the argument --project on the command line;
|
||||
◆ set the property core/project.
|
||||
|
||||
To set the location attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ global is the only supported location.
|
||||
|
||||
This must be specified.
|
||||
|
||||
SCOPE
|
||||
ID of the scope or fully qualified identifier for the scope.
|
||||
|
||||
To set the scope attribute:
|
||||
▸ provide the argument SCOPE on the command line.
|
||||
|
||||
LIST COMMAND FLAGS
|
||||
--filter=EXPRESSION
|
||||
Apply a Boolean filter EXPRESSION to each resource item to be listed.
|
||||
If the expression evaluates True, then that item is listed. For more
|
||||
details and examples of filter expressions, run $ gcloud topic filters.
|
||||
This flag interacts with other flags that are applied in this order:
|
||||
--flatten, --sort-by, --filter, --limit.
|
||||
|
||||
--limit=LIMIT
|
||||
Maximum number of resources to list. The default is unlimited. This
|
||||
flag interacts with other flags that are applied in this order:
|
||||
--flatten, --sort-by, --filter, --limit.
|
||||
|
||||
--page-size=PAGE_SIZE
|
||||
Some services group resource list output into pages. This flag
|
||||
specifies the maximum number of resources per page. The default is
|
||||
determined by the service if it supports paging, otherwise it is
|
||||
unlimited (no paging). Paging may be applied before or after --filter
|
||||
and --limit depending on the service.
|
||||
|
||||
--sort-by=[FIELD,...]
|
||||
Comma-separated list of resource field key names to sort by. The
|
||||
default order is ascending. Prefix a field with ``~'' for descending
|
||||
order on that field. This flag interacts with other flags that are
|
||||
applied in this order: --flatten, --sort-by, --filter, --limit.
|
||||
|
||||
--uri
|
||||
Print a list of resource URIs instead of the default output, and change
|
||||
the command output to a list of URIs. If this flag is used with
|
||||
--format, the formatting is applied on this URI list. To display URIs
|
||||
alongside other keys instead, use the uri() transform.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
This command is currently in beta and might change without notice. This
|
||||
variant is also available:
|
||||
|
||||
$ gcloud alpha container fleet scopes list-app-operator-bindings
|
||||
|
||||
122
gcloud/beta/container/fleet/scopes/remove-app-operator-binding
Normal file
122
gcloud/beta/container/fleet/scopes/remove-app-operator-binding
Normal file
|
|
@ -0,0 +1,122 @@
|
|||
NAME
|
||||
gcloud beta container fleet scopes remove-app-operator-binding - remove
|
||||
project-level and fleet scope-level IAM bindings and delete a fleet
|
||||
scope RBAC role binding for an app operator principal
|
||||
|
||||
SYNOPSIS
|
||||
gcloud beta container fleet scopes remove-app-operator-binding SCOPE
|
||||
(--group=GROUP | --user=USER) [GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(BETA) One binding consists of an app operator principal (user/group) and a
|
||||
role (view/edit/admin).
|
||||
|
||||
This command unsets the different permissions required for an app operator,
|
||||
including usage of fleet scopes, connect gateway, logging, and metrics. The
|
||||
authoritative list for removing the permissions is the existing RBAC role
|
||||
bindings under the specified scope.
|
||||
|
||||
This command can fail for the following reasons:
|
||||
▪ The scope specified does not exist.
|
||||
▪ The user does not have access to the specified scope.
|
||||
▪ The principal specified does not any binding for the scope.
|
||||
▪ The principal specified has bindings with different roles for the
|
||||
scope.
|
||||
|
||||
EXAMPLES
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container fleet scopes remove-app-operator-binding \
|
||||
SCOPE --group=people@google.com --project=PROJECT_ID
|
||||
|
||||
assuming the group already has the view role:
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeViewer from SCOPE
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeViewerProjectLevel from
|
||||
PROJECT_ID if the group does not have the view role for any other scope
|
||||
under the project
|
||||
▪ removes IAM policy binding: roles/logging.viewAccessor from
|
||||
PROJECT_ID condition where bucket corresponds to SCOPE
|
||||
▪ deletes existing fleet scope RBAC role binding: role view for group
|
||||
people@google.com.
|
||||
|
||||
---
|
||||
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container fleet scopes remove-app-operator-binding \
|
||||
SCOPE --user=person@google.com --project=PROJECT_ID
|
||||
|
||||
assuming the user already has the edit role:
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeEditor from SCOPE
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
|
||||
PROJECT_ID if the user does not have the edit/admin role for any other
|
||||
scope under the project
|
||||
▪ removes IAM policy binding: roles/logging.viewAccessor from
|
||||
PROJECT_ID condition where bucket corresponds to SCOPE
|
||||
▪ deletes existing fleet scope RBAC role binding: role edit for user
|
||||
person@google.com.
|
||||
|
||||
---
|
||||
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container fleet scopes remove-app-operator-binding \
|
||||
SCOPE --role=admin --user=person@google.com --project=PROJECT_ID
|
||||
|
||||
assuming the user already has the admin role:
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeAdmin from SCOPE
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
|
||||
PROJECT_ID if the user does not have the edit/admin role for any other
|
||||
scope under the project
|
||||
▪ removes IAM policy binding: roles/logging.viewAccessor from
|
||||
PROJECT_ID condition where bucket corresponds to SCOPE
|
||||
▪ deletes existing fleet scope RBAC role binding: role admin for user
|
||||
person@google.com.
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
Scope resource - The group of arguments defining the Fleet Scope. This
|
||||
represents a Cloud resource. (NOTE) Some attributes are not given
|
||||
arguments in this group but can be set in other ways.
|
||||
|
||||
To set the project attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ provide the argument --project on the command line;
|
||||
◆ set the property core/project.
|
||||
|
||||
To set the location attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ global is the only supported location.
|
||||
|
||||
This must be specified.
|
||||
|
||||
SCOPE
|
||||
ID of the scope or fully qualified identifier for the scope.
|
||||
|
||||
To set the scope attribute:
|
||||
▸ provide the argument SCOPE on the command line.
|
||||
|
||||
REQUIRED FLAGS
|
||||
Exactly one of these must be specified:
|
||||
|
||||
--group=GROUP
|
||||
Group for the role binding.
|
||||
|
||||
--user=USER
|
||||
User for the role binding.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
This command is currently in beta and might change without notice. This
|
||||
variant is also available:
|
||||
|
||||
$ gcloud alpha container fleet scopes remove-app-operator-binding
|
||||
|
||||
127
gcloud/beta/container/hub/scopes/add-app-operator-binding
Normal file
127
gcloud/beta/container/hub/scopes/add-app-operator-binding
Normal file
|
|
@ -0,0 +1,127 @@
|
|||
NAME
|
||||
gcloud beta container hub scopes add-app-operator-binding - add
|
||||
project-level and fleet scope-level IAM bindings and create a fleet
|
||||
scope RBAC role binding for an app operator principal
|
||||
|
||||
SYNOPSIS
|
||||
gcloud beta container hub scopes add-app-operator-binding SCOPE --role=ROLE
|
||||
(--group=GROUP | --user=USER) [--labels=[KEY=VALUE,...]]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(BETA) One binding consists of an app operator principal (user/group) and a
|
||||
role (view/edit/admin).
|
||||
|
||||
This command sets up the different permissions required for an app
|
||||
operator, including usage of fleet scopes, connect gateway, logging, and
|
||||
metrics. The authoritative list for adding the permissions is the existing
|
||||
RBAC role bindings under the specified scope.
|
||||
|
||||
This command can fail for the following reasons:
|
||||
▪ The scope specified does not exist.
|
||||
▪ The user does not have access to the specified scope.
|
||||
▪ The principal specified already has another binding for the scope.
|
||||
|
||||
EXAMPLES
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container hub scopes add-app-operator-binding SCOPE \
|
||||
--role=view --group=people@google.com --project=PROJECT_ID
|
||||
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeViewer on SCOPE
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeViewerProjectLevel on
|
||||
PROJECT_ID
|
||||
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
|
||||
with condition where bucket corresponds to SCOPE
|
||||
▪ creates fleet scope RBAC role binding: role view with a random ID for
|
||||
group people@google.com.
|
||||
|
||||
---
|
||||
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container hub scopes add-app-operator-binding SCOPE \
|
||||
--role=edit --user=person@google.com --project=PROJECT_ID
|
||||
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeEditor on SCOPE
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
|
||||
PROJECT_ID
|
||||
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
|
||||
with condition where bucket corresponds to SCOPE
|
||||
▪ creates fleet scope RBAC role binding: role edit with a random ID for
|
||||
user person@google.com.
|
||||
|
||||
---
|
||||
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container hub scopes add-app-operator-binding SCOPE \
|
||||
--role=admin --user=person@google.com --project=PROJECT_ID
|
||||
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeAdmin on SCOPE
|
||||
▪ adds IAM policy binding: roles/gkehub.scopeEditorProjectLevel on
|
||||
PROJECT_ID
|
||||
▪ adds IAM policy binding: roles/logging.viewAccessor on PROJECT_ID
|
||||
with condition where bucket corresponds to SCOPE
|
||||
▪ creates fleet scope RBAC role binding: role admin with a random ID
|
||||
for user person@google.com.
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
Scope resource - The group of arguments defining the Fleet Scope. This
|
||||
represents a Cloud resource. (NOTE) Some attributes are not given
|
||||
arguments in this group but can be set in other ways.
|
||||
|
||||
To set the project attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ provide the argument --project on the command line;
|
||||
◆ set the property core/project.
|
||||
|
||||
To set the location attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ global is the only supported location.
|
||||
|
||||
This must be specified.
|
||||
|
||||
SCOPE
|
||||
ID of the scope or fully qualified identifier for the scope.
|
||||
|
||||
To set the scope attribute:
|
||||
▸ provide the argument SCOPE on the command line.
|
||||
|
||||
REQUIRED FLAGS
|
||||
--role=ROLE
|
||||
Role to assign. ROLE must be one of: admin, edit, view.
|
||||
|
||||
Exactly one of these must be specified:
|
||||
|
||||
--group=GROUP
|
||||
Group for the role binding.
|
||||
|
||||
--user=USER
|
||||
User for the role binding.
|
||||
|
||||
OPTIONAL FLAGS
|
||||
--labels=[KEY=VALUE,...]
|
||||
List of label KEY=VALUE pairs to add.
|
||||
|
||||
Keys must start with a lowercase character and contain only hyphens
|
||||
(-), underscores (_), lowercase characters, and numbers. Values must
|
||||
contain only hyphens (-), underscores (_), lowercase characters, and
|
||||
numbers.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
This command is currently in beta and might change without notice. This
|
||||
variant is also available:
|
||||
|
||||
$ gcloud alpha container hub scopes add-app-operator-binding
|
||||
|
||||
|
|
@ -25,6 +25,10 @@ GROUPS
|
|||
COMMANDS
|
||||
COMMAND is one of the following:
|
||||
|
||||
add-app-operator-binding
|
||||
(BETA) Add project-level and fleet scope-level IAM bindings and create
|
||||
a fleet scope RBAC role binding for an app operator principal.
|
||||
|
||||
add-iam-policy-binding
|
||||
(BETA) Add IAM policy binding to a Fleet Scope.
|
||||
|
||||
|
|
@ -44,9 +48,18 @@ COMMANDS
|
|||
(BETA) List fleet scopes in a project permitted to be viewed by the
|
||||
caller.
|
||||
|
||||
list-app-operator-bindings
|
||||
(BETA) List app operator principals corresponding to a fleet scope and
|
||||
their roles based on project-level IAM bindings, fleet scope-level IAM
|
||||
bindings, and fleet scope RBAC role bindings.
|
||||
|
||||
list-memberships
|
||||
(BETA) List memberships bound to a fleet scope.
|
||||
|
||||
remove-app-operator-binding
|
||||
(BETA) Remove project-level and fleet scope-level IAM bindings and
|
||||
delete a fleet scope RBAC role binding for an app operator principal.
|
||||
|
||||
remove-iam-policy-binding
|
||||
(BETA) Remove IAM policy binding of a Fleet Scope.
|
||||
|
||||
|
|
|
|||
106
gcloud/beta/container/hub/scopes/list-app-operator-bindings
Normal file
106
gcloud/beta/container/hub/scopes/list-app-operator-bindings
Normal file
|
|
@ -0,0 +1,106 @@
|
|||
NAME
|
||||
gcloud beta container hub scopes list-app-operator-bindings - list app
|
||||
operator principals corresponding to a fleet scope and their roles
|
||||
based on project-level IAM bindings, fleet scope-level IAM bindings,
|
||||
and fleet scope RBAC role bindings
|
||||
|
||||
SYNOPSIS
|
||||
gcloud beta container hub scopes list-app-operator-bindings SCOPE
|
||||
[--filter=EXPRESSION] [--limit=LIMIT] [--page-size=PAGE_SIZE]
|
||||
[--sort-by=[FIELD,...]] [--uri] [GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(BETA) This command lists bindings corresponding to a fleet scope. The
|
||||
bindings, which consist of an app operator principal and a role, grant
|
||||
permissions required for an app operator, including usage of fleet scopes,
|
||||
connect gateway, logging, and metrics. The overarching principal role
|
||||
(view/edit/admin, or custom) is determined by (1) the fleet scope RBAC role
|
||||
(view, edit, or admin), (2) the fleet scope-level IAM role
|
||||
(roles/gkehub.scopeViewer, roles/gkehub.scopeEditor, or
|
||||
roles/gkehub.scopeAdmin), (3) the project-level IAM role
|
||||
(roles/gkehub.scopeViewerProjectLevel, or
|
||||
roles/gkehub.scopeEditorProjectLevel), and (4) the conditional log view
|
||||
access role for the scope bucket.
|
||||
|
||||
This command can fail for the following reasons:
|
||||
▪ The scope specified does not exist.
|
||||
▪ The user does not have access to the specified scope.
|
||||
|
||||
EXAMPLES
|
||||
The following command lists app operator principals corresponding to SCOPE
|
||||
under PROJECT_ID, their roles, and role details (fleet scope RBAC role,
|
||||
fleet scope-level IAM role, project-level IAM role, and log view access):
|
||||
|
||||
$ gcloud beta container hub scopes list-app-operator-bindings \
|
||||
--scope=SCOPE --project=PROJECT_ID
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
Scope resource - The group of arguments defining the Fleet Scope. This
|
||||
represents a Cloud resource. (NOTE) Some attributes are not given
|
||||
arguments in this group but can be set in other ways.
|
||||
|
||||
To set the project attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ provide the argument --project on the command line;
|
||||
◆ set the property core/project.
|
||||
|
||||
To set the location attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ global is the only supported location.
|
||||
|
||||
This must be specified.
|
||||
|
||||
SCOPE
|
||||
ID of the scope or fully qualified identifier for the scope.
|
||||
|
||||
To set the scope attribute:
|
||||
▸ provide the argument SCOPE on the command line.
|
||||
|
||||
LIST COMMAND FLAGS
|
||||
--filter=EXPRESSION
|
||||
Apply a Boolean filter EXPRESSION to each resource item to be listed.
|
||||
If the expression evaluates True, then that item is listed. For more
|
||||
details and examples of filter expressions, run $ gcloud topic filters.
|
||||
This flag interacts with other flags that are applied in this order:
|
||||
--flatten, --sort-by, --filter, --limit.
|
||||
|
||||
--limit=LIMIT
|
||||
Maximum number of resources to list. The default is unlimited. This
|
||||
flag interacts with other flags that are applied in this order:
|
||||
--flatten, --sort-by, --filter, --limit.
|
||||
|
||||
--page-size=PAGE_SIZE
|
||||
Some services group resource list output into pages. This flag
|
||||
specifies the maximum number of resources per page. The default is
|
||||
determined by the service if it supports paging, otherwise it is
|
||||
unlimited (no paging). Paging may be applied before or after --filter
|
||||
and --limit depending on the service.
|
||||
|
||||
--sort-by=[FIELD,...]
|
||||
Comma-separated list of resource field key names to sort by. The
|
||||
default order is ascending. Prefix a field with ``~'' for descending
|
||||
order on that field. This flag interacts with other flags that are
|
||||
applied in this order: --flatten, --sort-by, --filter, --limit.
|
||||
|
||||
--uri
|
||||
Print a list of resource URIs instead of the default output, and change
|
||||
the command output to a list of URIs. If this flag is used with
|
||||
--format, the formatting is applied on this URI list. To display URIs
|
||||
alongside other keys instead, use the uri() transform.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
This command is currently in beta and might change without notice. This
|
||||
variant is also available:
|
||||
|
||||
$ gcloud alpha container hub scopes list-app-operator-bindings
|
||||
|
||||
122
gcloud/beta/container/hub/scopes/remove-app-operator-binding
Normal file
122
gcloud/beta/container/hub/scopes/remove-app-operator-binding
Normal file
|
|
@ -0,0 +1,122 @@
|
|||
NAME
|
||||
gcloud beta container hub scopes remove-app-operator-binding - remove
|
||||
project-level and fleet scope-level IAM bindings and delete a fleet
|
||||
scope RBAC role binding for an app operator principal
|
||||
|
||||
SYNOPSIS
|
||||
gcloud beta container hub scopes remove-app-operator-binding SCOPE
|
||||
(--group=GROUP | --user=USER) [GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(BETA) One binding consists of an app operator principal (user/group) and a
|
||||
role (view/edit/admin).
|
||||
|
||||
This command unsets the different permissions required for an app operator,
|
||||
including usage of fleet scopes, connect gateway, logging, and metrics. The
|
||||
authoritative list for removing the permissions is the existing RBAC role
|
||||
bindings under the specified scope.
|
||||
|
||||
This command can fail for the following reasons:
|
||||
▪ The scope specified does not exist.
|
||||
▪ The user does not have access to the specified scope.
|
||||
▪ The principal specified does not any binding for the scope.
|
||||
▪ The principal specified has bindings with different roles for the
|
||||
scope.
|
||||
|
||||
EXAMPLES
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container hub scopes remove-app-operator-binding \
|
||||
SCOPE --group=people@google.com --project=PROJECT_ID
|
||||
|
||||
assuming the group already has the view role:
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeViewer from SCOPE
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeViewerProjectLevel from
|
||||
PROJECT_ID if the group does not have the view role for any other scope
|
||||
under the project
|
||||
▪ removes IAM policy binding: roles/logging.viewAccessor from
|
||||
PROJECT_ID condition where bucket corresponds to SCOPE
|
||||
▪ deletes existing fleet scope RBAC role binding: role view for group
|
||||
people@google.com.
|
||||
|
||||
---
|
||||
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container hub scopes remove-app-operator-binding \
|
||||
SCOPE --user=person@google.com --project=PROJECT_ID
|
||||
|
||||
assuming the user already has the edit role:
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeEditor from SCOPE
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
|
||||
PROJECT_ID if the user does not have the edit/admin role for any other
|
||||
scope under the project
|
||||
▪ removes IAM policy binding: roles/logging.viewAccessor from
|
||||
PROJECT_ID condition where bucket corresponds to SCOPE
|
||||
▪ deletes existing fleet scope RBAC role binding: role edit for user
|
||||
person@google.com.
|
||||
|
||||
---
|
||||
|
||||
The following command:
|
||||
|
||||
$ gcloud beta container hub scopes remove-app-operator-binding \
|
||||
SCOPE --role=admin --user=person@google.com --project=PROJECT_ID
|
||||
|
||||
assuming the user already has the admin role:
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeAdmin from SCOPE
|
||||
▪ removes IAM policy binding: roles/gkehub.scopeEditorProjectLevel from
|
||||
PROJECT_ID if the user does not have the edit/admin role for any other
|
||||
scope under the project
|
||||
▪ removes IAM policy binding: roles/logging.viewAccessor from
|
||||
PROJECT_ID condition where bucket corresponds to SCOPE
|
||||
▪ deletes existing fleet scope RBAC role binding: role admin for user
|
||||
person@google.com.
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
Scope resource - The group of arguments defining the Fleet Scope. This
|
||||
represents a Cloud resource. (NOTE) Some attributes are not given
|
||||
arguments in this group but can be set in other ways.
|
||||
|
||||
To set the project attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ provide the argument --project on the command line;
|
||||
◆ set the property core/project.
|
||||
|
||||
To set the location attribute:
|
||||
◆ provide the argument SCOPE on the command line with a fully specified
|
||||
name;
|
||||
◆ global is the only supported location.
|
||||
|
||||
This must be specified.
|
||||
|
||||
SCOPE
|
||||
ID of the scope or fully qualified identifier for the scope.
|
||||
|
||||
To set the scope attribute:
|
||||
▸ provide the argument SCOPE on the command line.
|
||||
|
||||
REQUIRED FLAGS
|
||||
Exactly one of these must be specified:
|
||||
|
||||
--group=GROUP
|
||||
Group for the role binding.
|
||||
|
||||
--user=USER
|
||||
User for the role binding.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
This command is currently in beta and might change without notice. This
|
||||
variant is also available:
|
||||
|
||||
$ gcloud alpha container hub scopes remove-app-operator-binding
|
||||
|
||||
61
gcloud/beta/container/node-pools/get-upgrade-info
Normal file
61
gcloud/beta/container/node-pools/get-upgrade-info
Normal file
|
|
@ -0,0 +1,61 @@
|
|||
NAME
|
||||
gcloud beta container node-pools get-upgrade-info - get information about
|
||||
upgrades for existing clusters including auto upgrade status, upgrade
|
||||
history, upgrade targets, and end of support timelines
|
||||
|
||||
SYNOPSIS
|
||||
gcloud beta container node-pools get-upgrade-info NAME [--cluster=CLUSTER]
|
||||
[--location=LOCATION | --region=REGION | --zone=ZONE, -z ZONE]
|
||||
[GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(BETA) Get information about upgrades for existing clusters including auto
|
||||
upgrade status, upgrade history, upgrade targets, and end of support
|
||||
timelines.
|
||||
|
||||
EXAMPLES
|
||||
To get upgrade information for a node pool of an existing cluster, run:
|
||||
|
||||
$ gcloud beta container node-pools get-upgrade-info node-pool-1 \
|
||||
--cluster=sample-cluster
|
||||
|
||||
POSITIONAL ARGUMENTS
|
||||
NAME
|
||||
The name of the node pool.
|
||||
|
||||
FLAGS
|
||||
--cluster=CLUSTER
|
||||
The name of the cluster. Overrides the default container/cluster
|
||||
property value for this command invocation.
|
||||
|
||||
At most one of these can be specified:
|
||||
|
||||
--location=LOCATION
|
||||
Compute zone or region (e.g. us-central1-a or us-central1) for the
|
||||
cluster. Overrides the default compute/region or compute/zone value
|
||||
for this command invocation. Prefer using this flag over the --region
|
||||
or --zone flags.
|
||||
|
||||
--region=REGION
|
||||
Compute region (e.g. us-central1) for a regional cluster. Overrides
|
||||
the default compute/region property value for this command
|
||||
invocation.
|
||||
|
||||
--zone=ZONE, -z ZONE
|
||||
Compute zone (e.g. us-central1-a) for a zonal cluster. Overrides the
|
||||
default compute/zone property value for this command invocation.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
--billing-project, --configuration, --flags-file, --flatten, --format,
|
||||
--help, --impersonate-service-account, --log-http, --project, --quiet,
|
||||
--trace-token, --user-output-enabled, --verbosity.
|
||||
|
||||
Run $ gcloud help for details.
|
||||
|
||||
NOTES
|
||||
This command is currently in beta and might change without notice. This
|
||||
variant is also available:
|
||||
|
||||
$ gcloud alpha container node-pools get-upgrade-info
|
||||
|
||||
|
|
@ -49,6 +49,11 @@ COMMANDS
|
|||
describe
|
||||
(BETA) Describe an existing node pool for a cluster.
|
||||
|
||||
get-upgrade-info
|
||||
(BETA) Get information about upgrades for existing clusters including
|
||||
auto upgrade status, upgrade history, upgrade targets, and end of
|
||||
support timelines.
|
||||
|
||||
list
|
||||
(BETA) List existing node pools for a cluster.
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue