9?SrSSKJr SSKJr SSKJr SSKJr SSKrSSKrSSKJ r SSK J r SS K J r SS K J r SS KJr SS KJ r SS KJr S rSrSrSrSrSrSrSrSrSrSr g)z9Utils for GKE Connect generate gateway RBAC policy files.)absolute_import)division)print_function)unicode_literalsN) projects_api) format_util)invalid_args_error)util)errors)log clusterrolerolezTservice-{project_number}@gcp-sa-{instance_name}anthossupport.iam.gserviceaccount.comayapiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: {impersonate_metadata_name} labels: connect.gke.io/owner-feature: connect-gateway rules: - apiGroups: - "" resourceNames:{user_account} resources: - users verbs: - impersonate --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {impersonate_metadata_name} labels: connect.gke.io/owner-feature: connect-gateway roleRef: kind: ClusterRole name: {impersonate_metadata_name} apiGroup: rbac.authorization.k8s.io subjects: - kind: ServiceAccount name: connect-agent-sa namespace: gke-connect a--- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {permission_metadata_name} labels: connect.gke.io/owner-feature: connect-gateway subjects:{users} roleRef: kind: ClusterRole name: {permission} apiGroup: rbac.authorization.k8s.io --- a'--- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: {permission_metadata_name} labels: connect.gke.io/owner-feature: connect-gateway namespace: {namespace} subjects:{users} roleRef: kind: Role name: {permission} apiGroup: rbac.authorization.k8s.io --- a--- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: anthos-support-reader labels: connect.gke.io/owner-feature: connect-gateway rules: - apiGroups: ["acme.cert-manager.io"] resources: ["challenges", "orders"] verbs: ["get", "list", "watch"] - apiGroups: ["addon.baremetal.cluster.gke.io"] resources: ["addonmanifests", "addonoverrides", "addons", "addonsets", "addonsettemplates"] verbs: ["get", "list", "watch"] - apiGroups: ["addons.gke.io"] resources: ["metricsserver", "monitoring", "stackdrivers"] verbs: ["get", "list", "watch"] - apiGroups: ["admissionregistration.k8s.io"] resources: ["mutatingwebhookconfigurations", "validatingwebhookconfigurations"] verbs: ["get", "list", "watch"] - apiGroups: ["anthos.gke.io"] resources: ["entitlements"] verbs: ["get", "list", "watch"] - apiGroups: ["apiextensions.k8s.io"] resources: ["customresourcedefinitions"] verbs: ["get", "list", "watch"] - apiGroups: ["apiregistration.k8s.io"] resources: ["apiservices"] verbs: ["get", "list", "watch"] - apiGroups: ["apiserver.k8s.io"] resources: ["flowschemas", "prioritylevelconfigurations"] verbs: ["get", "list", "watch"] - apiGroups: ["apps"] resources: ["controllerrevisions", "daemonsets", "deployments", "replicasets", "statefulset"] verbs: ["get", "list", "watch"] - apiGroups: ["apps.k8s.io"] resources: ["applications"] verbs: ["get", "list", "watch"] - apiGroups: ["baremetal.cluster.gke.io"] resources: ["addonconfigurations", "clustercidrconfigs", "clustercredentials", "clustermanifestdeployments", "clusters", "inventorymachines", "machineclasses", "machinecredentials", "machines", "nodepools"] verbs: ["get", "list", "watch"] - apiGroups: ["batch"] resources: ["cronjobs", "jobs"] verbs: ["get", "list", "watch"] - apiGroups: ["bootstrap.cluster.x-k8s.io"] resources: ["kubeadmconfigs", "kubeadmconfigtemplates"] verbs: ["get", "list", "watch"] - apiGroups: ["bundle.gke.io"] resources: ["bundlebuilders", "bundles", "clusterbundles", "componentbuilders", "componentlists", "components", "componentsets", "gkeonprembundles", "packagedeploymentclasses", "packagedeployments", "patchtemplatebuilders", "patchtemplates", "requirements"] verbs: ["get", "list", "watch"] - apiGroups: ["bundleext.gke.io"] resources: ["nodeconfigs"] verbs: ["get", "list", "watch"] - apiGroups: ["certificates.k8s.io"] resources: ["certificatesigningrequests"] verbs: ["get", "list", "watch"] - apiGroups: ["cert-manager.io"] resources: ["certificaterequests", "certificates", "clusterissuers", "issuers"] verbs: ["get", "list", "watch"] - apiGroups: ["cilium.io"] resources: ["ciliumnodes", "ciliumendpoints", "ciliumidentities"] verbs: ["get", "list", "watch"] - apiGroups: ["configmanagement.gke.io"] resources: ["configmanagements"] verbs: ["get", "list", "watch"] - apiGroups: ["coordination.k8s.io"] resources: ["leases"] verbs: ["get", "list", "watch"] - apiGroups: ["cluster.k8s.io"] resources: ["clusters", "controlplanes", "machineclasses", "machinedeployments", "machines", "machinesets"] verbs: ["get", "list", "watch"] - apiGroups: ["cluster.x-k8s.io"] resources: ["clusters", "controlplanes", "machineclasses", "machinedeployments", "machines", "machinesets"] verbs: ["get", "list", "watch"] - apiGroups: ["crd.projectcalico.org"] resources: ["bgpconfigurations", "bgppeers", "blockaffinities", "clusterinformations", "felixconfigurations", "globalnetworkpolicies", "globalnetworksets", "hostendpoints", "ipamblocks", "ipamconfigs", "ipamhandles", "ippools", "networkpolicies", "networksets"] verbs: ["get", "list", "watch"] - apiGroups: ["discovery.k8s.io"] resources: ["endpointslices"] verbs: ["get", "list", "watch"] - apiGroups: ["infrastructure.baremetal.cluster.gke.io"] resources: ["baremetalclusters", "baremetalmachines"] verbs: ["get", "list", "watch"] - apiGroups: ["networking.gke.io"] resources: ["bgpadvertisedroutes", "bgploadbalancers", "bgppeers", "bgpreceivedroutes", "bgpsessions", "clustercidrconfigs", "clusterdns", "egressnatpolicies"] verbs: ["get", "list", "watch"] - apiGroups: ["networking.k8s.io"] resources: ["ingressclasses", "ingresses"] verbs: ["get", "list", "watch"] - apiGroups: ["node.k8s.io"] resources: ["runtimeclasses"] verbs: ["get", "list", "watch"] - apiGroups: ["onprem.cluster.gke.io"] resources: ["onpremadminclusters", "onpremnodepools", "onpremuserclusters", "validations", "onpremplatforms", "onprembundles", "clusterstates"] verbs: ["get", "list", "watch"] - apiGroups: ["policy"] resources: ["poddisruptionbudgets", "podsecuritypolicies"] verbs: ["get", "list", "watch"] - apiGroups: ["rbac.authorization.k8s.io"] resources: ["clusterroles", "clusterrolebindings", "roles", "rolebindings"] verbs: ["get", "list", "watch"] - apiGroups: ["storage.k8s.io"] resources: ["csidrivers", "csinodes", "csistoragecapacities", "storageclasses", "volumeattachments"] verbs: ["get", "list", "watch"] - apiGroups: ["sriovnetwork.k8s.cni.cncf.io"] resources: ["sriovnetworknodepolicies", "sriovnetworknodestates", "sriovoperatorconfigs"] verbs: ["get", "list", "watch"] - apiGroups: ["vm.cluster.gke.io"] resources: ["gpuallocation", "guestenvironmentdata", "virtualmachineaccessrequest", "virtualmachinedisk", "virtualmachinepasswordresetrequest", "virtualmachinetype", "vmhighavailabilitypolicy", "vmruntime"] verbs: ["get", "list", "watch"] - apiGroups: ["vsphereproviderconfig.k8s.io"] resources: ["vsphereclusterproviderconfigs", "vspheremachineproviderconfigs"] verbs: ["get", "list", "watch"] - apiGroups: - '*' resources: ["componentstatuses", "configmaps", "endpoints", "events", "horizontalpodautoscalers", "limitranges", "namespaces", "nodes", "persistentvolumeclaims", "persistentvolumes", "pods", "pods/log", "podtemplates", "replicationcontrollers", "resourcequotas", "serviceaccounts", "services"] verbs: ["get", "list", "watch"] - nonResourceURLs: - '*' verbs: ["get"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: {anthos_metadata_name} labels: connect.gke.io/owner-feature: connect-gateway subjects:{users} roleRef: kind: ClusterRole name: anthos-support-reader apiGroup: rbac.authorization.k8s.io --- cj[R"S5n[R"S5nURUR55(aU[R R SU5 [URS55S:wa[R"S5eg URUR55(aU[R R SU5 [URS55S:wa[R"S 5eg [R"S 5e) z*Validation for the role in correct format. ^clusterrole/^role/zSpecified Cluster Role is:/ztCluster role is not specified in correct format. Please specify the cluster role as: clusterrole/cluster-permission.zSpecified Namespace Role is:z|Namespace role is not specified in correct format. Please specify the namespace role as: role/namespace/namespace-permissionzPlease specify either --role or --anthos-support in the flags.z=Please specify --groups: (--anthos-support --users) in flags.z)Please specify the --membership in flags.z)Please specify the --kubeconfig in flags.z&Please specify the --context in flags.z3Please specify either --apply or --revoke in flags.N) revokeanthos_supportrr rr!usersgroupsapply membership kubeconfigcontext)argss r ValidateArgsr-sx  tyy!!$))  - -H  YY DKK0C0C  - -G  ZZ ??  / / 5  ??  / / 5  <<  / / 2  [[TZZ  - -=  [[ ??  / / 5  ??  / / 5  <<  / / 2  r"c[R"[R"U55Rn[ R "5nU[ R:Xa[RUSS9$U[ R:Xa[RUSS9$U[ R:Xa[RUSS9$[R"S5e)z.Get P4SA account name for Anthos Support user.)project_number instance_namezstaging-z autopush-gkehub)rGet projects_util ParseProject projectNumberhub_util APIEndpointPROD_APIANTHOS_SUPPORT_USERformat STAGING_API AUTOPUSH_APImemberships_errorsUnknownApiEndpointOverrideError) project_idr0hub_endpoint_overrides r GetAnthosSupportUserrB8s##  ,M#..0h///  % %%R &  4 44  % %%Z &  5 55  % %%[ &   < "" r")!__doc__ __future__rrrrrVr+googlecloudsdk.api_lib.cloudresourcemanagerr*googlecloudsdk.command_lib.container.fleetrr r r76googlecloudsdk.command_lib.container.fleet.membershipsr r>#googlecloudsdk.command_lib.projectsr4googlecloudsdk.corer CLUSTER_ROLENAMESPACE_ROLEr:rQrSrTrRr!r-rBrar"r rls{@&%' DBIG_E# l>$ &" F+'R02jG,Xr"