mirror of
https://github.com/imjasonh/gcloud-help
synced 2026-07-18 23:08:48 +00:00
gcloud: Wed Jan 10 10:17:49 UTC 2024
This commit is contained in:
parent
08ad88258a
commit
5fec13c692
262 changed files with 3211 additions and 4501 deletions
|
|
@ -5,9 +5,10 @@ NAME
|
|||
SYNOPSIS
|
||||
gcloud beta container binauthz attestations create
|
||||
--artifact-url=ARTIFACT_URL --public-key-id=PUBLIC_KEY_ID
|
||||
--signature-file=SIGNATURE_FILE
|
||||
(--attestor=ATTESTOR : --attestor-project=ATTESTOR_PROJECT)
|
||||
[--payload-file=PAYLOAD_FILE] [--validate] [GCLOUD_WIDE_FLAG ...]
|
||||
--signature-file=SIGNATURE_FILE [--payload-file=PAYLOAD_FILE]
|
||||
[[--note=NOTE : --note-project=NOTE_PROJECT]
|
||||
| --validate [--attestor=ATTESTOR
|
||||
: --attestor-project=ATTESTOR_PROJECT]] [GCLOUD_WIDE_FLAG ...]
|
||||
|
||||
DESCRIPTION
|
||||
(BETA) This command creates a Binary Authorization attestation for your
|
||||
|
|
@ -26,6 +27,16 @@ EXAMPLES
|
|||
--signature-file=signed_artifact_attestation.pgp.sig \
|
||||
--public-key-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF
|
||||
|
||||
To create an attestation in the project "my_proj" in note
|
||||
"projects/foo/notes/bar", run:
|
||||
|
||||
$ gcloud beta container binauthz attestations create \
|
||||
--project=my_proj \
|
||||
--artifact-url='gcr.io/example-project/example-image@sha256:abcd\
|
||||
' --note=projects/foo/notes/bar \
|
||||
--signature-file=signed_artifact_attestation.pgp.sig \
|
||||
--public-key-id=AAAA0000000000000000FFFFFFFFFFFFFFFFFFFF
|
||||
|
||||
REQUIRED FLAGS
|
||||
--artifact-url=ARTIFACT_URL
|
||||
Container URL. May be in the gcr.io/repository/image format, or may
|
||||
|
|
@ -47,35 +58,6 @@ REQUIRED FLAGS
|
|||
Path to file containing the signature to store, or - to read signature
|
||||
from stdin.
|
||||
|
||||
Attestor resource - The Attestor whose Container Analysis Note will be
|
||||
used to host the created attestation. In order to successfully attach the
|
||||
attestation, the active gcloud account (core/account) must be able to read
|
||||
this attestor and must have the containeranalysis.notes.attachOccurrence
|
||||
permission for the Attestor's underlying Note resource (usually via the
|
||||
containeranalysis.notes.attacher role). The arguments in this group can be
|
||||
used to specify the attributes of this resource.
|
||||
|
||||
This must be specified.
|
||||
|
||||
--attestor=ATTESTOR
|
||||
ID of the attestor or fully qualified identifier for the attestor.
|
||||
|
||||
To set the name attribute:
|
||||
▸ provide the argument --attestor on the command line.
|
||||
|
||||
This flag argument must be specified if any of the other arguments in
|
||||
this group are specified.
|
||||
|
||||
--attestor-project=ATTESTOR_PROJECT
|
||||
Project ID of the Google Cloud project for the attestor.
|
||||
|
||||
To set the project attribute:
|
||||
▸ provide the argument --attestor on the command line with a fully
|
||||
specified name;
|
||||
▸ provide the argument --attestor-project on the command line;
|
||||
▸ provide the argument --project on the command line;
|
||||
▸ set the property core/project.
|
||||
|
||||
OPTIONAL FLAGS
|
||||
--payload-file=PAYLOAD_FILE
|
||||
Path to file containing the payload over which the signature was
|
||||
|
|
@ -89,9 +71,63 @@ OPTIONAL FLAGS
|
|||
formatting, you must explicitly provide the payload content via this
|
||||
flag.
|
||||
|
||||
--validate
|
||||
Whether to validate that the Attestation can be verified by the
|
||||
provided Attestor.
|
||||
At most one of these can be specified:
|
||||
|
||||
Note resource - The Container Analysis Note which will be used to host
|
||||
the created attestation. In order to successfully attach the
|
||||
attestation, the active gcloud account (core/account) must have the
|
||||
containeranalysis.notes.attachOccurrence permission for the Note
|
||||
(usually via the containeranalysis.notes.attacher role). The arguments
|
||||
in this group can be used to specify the attributes of this resource.
|
||||
|
||||
--note=NOTE
|
||||
ID of the note or fully qualified identifier for the note.
|
||||
|
||||
To set the note attribute:
|
||||
▫ provide the argument --note on the command line.
|
||||
|
||||
This flag argument must be specified if any of the other arguments
|
||||
in this group are specified.
|
||||
|
||||
--note-project=NOTE_PROJECT
|
||||
The Container Analysis project for the note.
|
||||
|
||||
To set the project attribute:
|
||||
▫ provide the argument --note on the command line with a fully
|
||||
specified name;
|
||||
▫ provide the argument --note-project on the command line.
|
||||
|
||||
--validate
|
||||
Whether to validate that the Attestation can be verified by the
|
||||
provided Attestor.
|
||||
|
||||
Attestor resource - The Attestor whose Container Analysis Note will be
|
||||
used to host the created attestation. In order to successfully attach
|
||||
the attestation, the active gcloud account (core/account) must be able
|
||||
to read this attestor and must have the
|
||||
containeranalysis.notes.attachOccurrence permission for the Attestor's
|
||||
underlying Note resource (usually via the
|
||||
containeranalysis.notes.attacher role). The arguments in this group can
|
||||
be used to specify the attributes of this resource.
|
||||
|
||||
--attestor=ATTESTOR
|
||||
ID of the attestor or fully qualified identifier for the attestor.
|
||||
|
||||
To set the name attribute:
|
||||
▫ provide the argument --attestor on the command line.
|
||||
|
||||
This flag argument must be specified if any of the other arguments
|
||||
in this group are specified.
|
||||
|
||||
--attestor-project=ATTESTOR_PROJECT
|
||||
Project ID of the Google Cloud project for the attestor.
|
||||
|
||||
To set the project attribute:
|
||||
▫ provide the argument --attestor on the command line with a
|
||||
fully specified name;
|
||||
▫ provide the argument --attestor-project on the command line;
|
||||
▫ provide the argument --project on the command line;
|
||||
▫ set the property core/project.
|
||||
|
||||
GCLOUD WIDE FLAGS
|
||||
These flags are available to all commands: --access-token-file, --account,
|
||||
|
|
|
|||
|
|
@ -34,8 +34,8 @@ POSITIONAL ARGUMENTS
|
|||
▸ provide the argument ATTESTOR on the command line.
|
||||
|
||||
REQUIRED FLAGS
|
||||
Note resource - The Container Analysis ATTESTATION_AUTHORITY Note to which
|
||||
the created attestor will be bound.
|
||||
Note resource - The Container Analysis Note to which the created attestor
|
||||
will be bound.
|
||||
|
||||
For the attestor to be able to access and use the Note, the Note must
|
||||
exist and the active gcloud account (core/account) must have the
|
||||
|
|
|
|||
|
|
@ -37,8 +37,9 @@ SYNOPSIS
|
|||
[--enable-logging-monitoring-system-only] [--enable-managed-prometheus]
|
||||
[--enable-master-global-access] [--enable-multi-networking]
|
||||
[--enable-network-policy] [--enable-pod-security-policy]
|
||||
[--enable-service-externalips] [--enable-shielded-nodes]
|
||||
[--enable-stackdriver-kubernetes] [--enable-vertical-pod-autoscaling]
|
||||
[--enable-secret-manager] [--enable-service-externalips]
|
||||
[--enable-shielded-nodes] [--enable-stackdriver-kubernetes]
|
||||
[--enable-vertical-pod-autoscaling]
|
||||
[--fleet-project=PROJECT_ID_OR_NUMBER] [--gateway-api=GATEWAY_API]
|
||||
[--identity-provider=IDENTITY_PROVIDER] [--image-type=IMAGE_TYPE]
|
||||
[--in-transit-encryption=IN_TRANSIT_ENCRYPTION]
|
||||
|
|
@ -592,6 +593,14 @@ FLAGS
|
|||
API objects. For more information, see
|
||||
https://cloud.google.com/kubernetes-engine/docs/how-to/pod-security-policies.
|
||||
|
||||
--enable-secret-manager
|
||||
Enables the Secret Manager CSI driver provider component. See
|
||||
https://secrets-store-csi-driver.sigs.k8s.io/introduction
|
||||
https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp
|
||||
|
||||
To disable in an existing cluster, explicitly set flag to
|
||||
--no-enable-secret-manager
|
||||
|
||||
--enable-service-externalips
|
||||
Enables use of services with externalIPs field.
|
||||
|
||||
|
|
@ -741,7 +750,7 @@ FLAGS
|
|||
The maximum number of nodes to allocate per default initial node pool.
|
||||
Kubernetes Engine will automatically create enough nodes pools such
|
||||
that each node pool contains less than --max-nodes-per-pool nodes.
|
||||
Defaults to 1000 nodes, but can be set as low as 100 nodes per pool on
|
||||
Defaults to 2000 nodes, but can be set as low as 100 nodes per pool on
|
||||
initial create.
|
||||
|
||||
--max-pods-per-node=MAX_PODS_PER_NODE
|
||||
|
|
@ -1366,8 +1375,8 @@ FLAGS
|
|||
At most one of these can be specified:
|
||||
|
||||
--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
|
||||
Select Advanced Datapath Observability mode for the cluster. Defaults
|
||||
to DISABLED.
|
||||
(DEPRECATED) Select Advanced Datapath Observability mode for the
|
||||
cluster. Defaults to DISABLED.
|
||||
|
||||
Advanced Datapath Observability allows for a real-time view into
|
||||
pod-to-pod traffic within your cluster.
|
||||
|
|
@ -1383,6 +1392,11 @@ FLAGS
|
|||
$ gcloud beta container clusters create \
|
||||
--dataplane-v2-observability-mode=EXTERNAL_LB
|
||||
|
||||
The --dataplane-v2-observability-mode flag is deprecated and will be
|
||||
removed in an upcoming release. Please use
|
||||
--enable-dataplane-v2-flow-observability or
|
||||
--disable-dataplane-v2-flow-observability.
|
||||
|
||||
DATAPLANE_V2_OBSERVABILITY_MODE must be one of:
|
||||
|
||||
DISABLED
|
||||
|
|
|
|||
|
|
@ -15,13 +15,14 @@ SYNOPSIS
|
|||
[--enable-backup-restore] [--enable-fleet]
|
||||
[--enable-google-cloud-access]
|
||||
[--enable-kubernetes-unstable-apis=API,[API,...]]
|
||||
[--enable-master-global-access] [--fleet-project=PROJECT_ID_OR_NUMBER]
|
||||
[--labels=[KEY=VALUE,...]] [--logging=[COMPONENT,...]]
|
||||
[--monitoring=[COMPONENT,...]] [--network=NETWORK]
|
||||
[--private-endpoint-subnetwork=NAME] [--release-channel=CHANNEL]
|
||||
[--security-group=SECURITY_GROUP] [--security-posture=SECURITY_POSTURE]
|
||||
[--services-ipv4-cidr=CIDR] [--services-secondary-range-name=NAME]
|
||||
[--subnetwork=SUBNETWORK] [--workload-policies=WORKLOAD_POLICIES]
|
||||
[--enable-master-global-access] [--enable-secret-manager]
|
||||
[--fleet-project=PROJECT_ID_OR_NUMBER] [--labels=[KEY=VALUE,...]]
|
||||
[--logging=[COMPONENT,...]] [--monitoring=[COMPONENT,...]]
|
||||
[--network=NETWORK] [--private-endpoint-subnetwork=NAME]
|
||||
[--release-channel=CHANNEL] [--security-group=SECURITY_GROUP]
|
||||
[--security-posture=SECURITY_POSTURE] [--services-ipv4-cidr=CIDR]
|
||||
[--services-secondary-range-name=NAME] [--subnetwork=SUBNETWORK]
|
||||
[--workload-policies=WORKLOAD_POLICIES]
|
||||
[--workload-vulnerability-scanning=WORKLOAD_VULNERABILITY_SCANNING]
|
||||
[--binauthz-evaluation-mode=BINAUTHZ_EVALUATION_MODE
|
||||
--binauthz-policy-bindings=[name=BINAUTHZ_POLICY]]
|
||||
|
|
@ -211,6 +212,14 @@ FLAGS
|
|||
endpoint from any Google Cloud region or on-premises environment
|
||||
regardless of the private cluster's region.
|
||||
|
||||
--enable-secret-manager
|
||||
Enables the Secret Manager CSI driver provider component. See
|
||||
https://secrets-store-csi-driver.sigs.k8s.io/introduction
|
||||
https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp
|
||||
|
||||
To disable in an existing cluster, explicitly set flag to
|
||||
--no-enable-secret-manager
|
||||
|
||||
--fleet-project=PROJECT_ID_OR_NUMBER
|
||||
Sets fleet host project for the cluster. If specified, the current
|
||||
cluster will be registered as a fleet membership under the fleet host
|
||||
|
|
@ -230,17 +239,22 @@ FLAGS
|
|||
|
||||
--logging=[COMPONENT,...]
|
||||
Set the components that have logging enabled. Valid component values
|
||||
are: SYSTEM, WORKLOAD, API_SERVER, CONTROLLER_MANAGER, SCHEDULER, NONE
|
||||
are: SYSTEM, WORKLOAD, API_SERVER, CONTROLLER_MANAGER, SCHEDULER
|
||||
|
||||
The default is SYSTEM,WORKLOAD. If this flag is set, then SYSTEM must
|
||||
be included.
|
||||
|
||||
For more information, see
|
||||
https://cloud.google.com/stackdriver/docs/solutions/gke/installing#available-logs
|
||||
|
||||
Examples:
|
||||
|
||||
$ gcloud beta container clusters create-auto --logging=SYSTEM
|
||||
$ gcloud beta container clusters create-auto \
|
||||
--logging=SYSTEM,WORKLOAD
|
||||
$ gcloud beta container clusters create-auto \
|
||||
--logging=SYSTEM,API_SERVER,WORKLOAD
|
||||
--logging=SYSTEM,WORKLOAD,API_SERVER,CONTROLLER_MANAGER,\
|
||||
SCHEDULER
|
||||
|
||||
--monitoring=[COMPONENT,...]
|
||||
Set the components that have monitoring enabled. Valid component values
|
||||
|
|
@ -391,8 +405,8 @@ FLAGS
|
|||
At most one of these can be specified:
|
||||
|
||||
--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
|
||||
Select Advanced Datapath Observability mode for the cluster. Defaults
|
||||
to DISABLED.
|
||||
(DEPRECATED) Select Advanced Datapath Observability mode for the
|
||||
cluster. Defaults to DISABLED.
|
||||
|
||||
Advanced Datapath Observability allows for a real-time view into
|
||||
pod-to-pod traffic within your cluster.
|
||||
|
|
@ -408,6 +422,11 @@ FLAGS
|
|||
$ gcloud beta container clusters create-auto \
|
||||
--dataplane-v2-observability-mode=EXTERNAL_LB
|
||||
|
||||
The --dataplane-v2-observability-mode flag is deprecated and will be
|
||||
removed in an upcoming release. Please use
|
||||
--enable-dataplane-v2-flow-observability or
|
||||
--disable-dataplane-v2-flow-observability.
|
||||
|
||||
DATAPLANE_V2_OBSERVABILITY_MODE must be one of:
|
||||
|
||||
DISABLED
|
||||
|
|
|
|||
|
|
@ -20,9 +20,9 @@ SYNOPSIS
|
|||
| --enable-logging-monitoring-system-only
|
||||
| --enable-master-authorized-networks | --enable-master-global-access
|
||||
| --enable-network-policy | --enable-pod-security-policy
|
||||
| --enable-private-endpoint | --enable-service-externalips
|
||||
| --enable-shielded-nodes | --enable-stackdriver-kubernetes
|
||||
| --enable-vertical-pod-autoscaling
|
||||
| --enable-private-endpoint | --enable-secret-manager
|
||||
| --enable-service-externalips | --enable-shielded-nodes
|
||||
| --enable-stackdriver-kubernetes | --enable-vertical-pod-autoscaling
|
||||
| --fleet-project=PROJECT_ID_OR_NUMBER | --gateway-api=GATEWAY_API
|
||||
| --generate-password | --identity-provider=IDENTITY_PROVIDER
|
||||
| --in-transit-encryption=IN_TRANSIT_ENCRYPTION
|
||||
|
|
@ -369,6 +369,14 @@ REQUIRED FLAGS
|
|||
Enables cluster's control plane to be accessible using private IP
|
||||
address only.
|
||||
|
||||
--enable-secret-manager
|
||||
Enables the Secret Manager CSI driver provider component. See
|
||||
https://secrets-store-csi-driver.sigs.k8s.io/introduction
|
||||
https://github.com/GoogleCloudPlatform/secrets-store-csi-driver-provider-gcp
|
||||
|
||||
To disable in an existing cluster, explicitly set flag to
|
||||
--no-enable-secret-manager
|
||||
|
||||
--enable-service-externalips
|
||||
Enables use of services with externalIPs field.
|
||||
|
||||
|
|
@ -941,8 +949,8 @@ REQUIRED FLAGS
|
|||
At most one of these can be specified:
|
||||
|
||||
--dataplane-v2-observability-mode=DATAPLANE_V2_OBSERVABILITY_MODE
|
||||
Select Advanced Datapath Observability mode for the cluster.
|
||||
Defaults to DISABLED.
|
||||
(DEPRECATED) Select Advanced Datapath Observability mode for the
|
||||
cluster. Defaults to DISABLED.
|
||||
|
||||
Advanced Datapath Observability allows for a real-time view into
|
||||
pod-to-pod traffic within your cluster.
|
||||
|
|
@ -958,6 +966,11 @@ REQUIRED FLAGS
|
|||
$ gcloud beta container clusters update \
|
||||
--dataplane-v2-observability-mode=EXTERNAL_LB
|
||||
|
||||
The --dataplane-v2-observability-mode flag is deprecated and will
|
||||
be removed in an upcoming release. Please use
|
||||
--enable-dataplane-v2-flow-observability or
|
||||
--disable-dataplane-v2-flow-observability.
|
||||
|
||||
DATAPLANE_V2_OBSERVABILITY_MODE must be one of:
|
||||
|
||||
DISABLED
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue