6xSrSSKJr SSKJr SSKJr SSKJr SSKrSSKrSSKJ r SSK J r SS K J r SS K Jr SS K Jr SS K Jr SS KJr SSKJr \ R,"\ R.R0\ R.R2\ R.R45"SS\ R655rg)z5Generate RBAC policy files for Connect Gateway users.)absolute_import)division)print_function)unicode_literalsN)base) kube_util) rbac_util) exceptions)log) properties) console_io)filesc.\rSrSrSr\S5rSrSrg)GenerateGatewayRbac#ar Generate RBAC policy files for connected clusters by the user. {command} generates RBAC policies to be used by Connect Gateway API. Upon success, this command will write the output RBAC policy to the designated local file in dry run mode. Override RBAC policy: Y to override previous RBAC policy, N to stop. If overriding the --role, Y will clean up the previous RBAC policy and then apply the new one. ## EXAMPLES The current implementation supports multiple modes: Dry run mode to generate the RBAC policy file, and write to local directory: $ {command} --membership=my-cluster --users=foo@example.com,test-acct@test-project.iam.gserviceaccount.com --role=clusterrole/cluster-admin --rbac-output-file=./rbac.yaml Dry run mode to generate the RBAC policy, and print on screen: $ {command} --membership=my-cluster --users=foo@example.com,test-acct@test-project.iam.gserviceaccount.com --role=clusterrole/cluster-admin Anthos support mode, generate the RBAC policy file with read-only permission for TSE/Eng to debug customers' clusters: $ {command} --membership=my-cluster --anthos-support Apply mode, generate the RBAC policy and apply it to the specified cluster: $ {command} --membership=my-cluster --users=foo@example.com,test-acct@test-project.iam.gserviceaccount.com --role=clusterrole/cluster-admin --context=my-cluster-context --kubeconfig=/home/user/custom_kubeconfig --apply Revoke mode, revoke the RBAC policy for the specified users: $ {command} --membership=my-cluster --users=foo@example.com,test-acct@test-project.iam.gserviceaccount.com --role=clusterrole/cluster-admin --context=my-cluster-context --kubeconfig=/home/user/custom_kubeconfig --revoke The role to be granted to the users can either be cluster-scoped or namespace-scoped. To grant a namespace-scoped role to the users in dry run mode, run: $ {command} --membership=my-cluster --users=foo@example.com,test-acct@test-project.iam.gserviceaccount.com --role=role/mynamespace/namespace-reader The users provided can be using a Google identity (only email) or using external identity providers (starting with "principal://iam.googleapis.com"): $ {command} --membership=my-cluster --users=foo@example.com,principal://iam.googleapis.com/locations/global/workforcePools/pool/subject/user --role=clusterrole/cluster-admin --context=my-cluster-context --kubeconfig=/home/user/custom_kubeconfig --apply The groups can be provided as a Google identity (only email) or an external identity (starting with "principalSet://iam.googleapis.com"): $ {command} --membership=my-cluster --groups=group@example.com,principalSet://iam.googleapis.com/locations/global/workforcePools/pool/group/ExampleGroup --role=clusterrole/cluster-admin --context=my-cluster-context --kubeconfig=/home/user/custom_kubeconfig --apply c>URS[[R"S5S9 URS[[R"S5S9 URS[[R"S5S9 URSS [R"S 5S 9 URS [[R"S 5S9 URS[[R"S5S9 URSS [R"S5S 9 UR SS9nURS[[R"S5S9 URS[[R"S5S9 URSS [R"S5S 9 g)Nz --membershipz> Membership name to assign RBAC policy with. )typehelpz--rolez9 Namespace scoped role or cluster role. z--rbac-output-filea If specified, this command will execute in dry run mode and write to the file specified with this flag: the generated RBAC policy will not be applied to Kubernetes clusters,instead it will be written to the designated local file. z--apply store_truezu If specified, this command will generate RBAC policy and apply to the specified cluster. )actionrz --contextz The cluster context as it appears in the kubeconfig file. You can get this value from the command line by running command: `kubectl config current-context`. z --kubeconfigz The kubeconfig file containing an entry for the cluster. Defaults to $KUBECONFIG if it is set in the environment, otherwise defaults to $HOME/.kube/config. z--revokezl If specified, this command will revoke the RBAC policy for the specified users. T)requiredz--groupszJ Group email address or third-party IAM group principal. z--userszm User's email address, service account email address, or third-party IAM subject principal. z--anthos-supportzj If specified, this command will generate RBAC policy file for anthos support. ) add_argumentstrtextwrapdedentadd_mutually_exclusive_group)clsparser identitiess @lib/surface/container/fleet/memberships/generate_gateway_rbac.pyArgsGenerateGatewayRbac.Argsps   __     __     __     __     __     __  __  44d4CJ  __    __   __  c [RRS5 [RR R R5n[R"U5 UR(Ga?[RRSRURUR 55 ["R$"['USS5['USS5S9nUR)5 [+5nUR,(a-UR,R/S5Vs/sHoUS4PM nnOvUR0(a(UR3[R4"U5S45 O=UR6(a,UR6R/S5Vs/sHofS4PM nnUHupxS RU5n [8R:"U SS 9 [RRS 5 [RRS RU55 UR=UR>UR@UUUUR05n URCU 5(dM[RRS RU55 M SSS5 g[RD"X5n URF(a9[RRSRURF55 O>[RRS5 [RRS5 Sn [IU RK55HnXRMU5- n M [RN"URF(a URFOSU SSSS9 URP(Ga5[RRSRURUR 55 ["R$"['USS5['USS5S9nUR)5 U RK5GHupx[RRT"5n U S-nU RMXx45n[RRV"X5 UR=UR>UR@UUUUR05n URYU 5(GdSnSnUR[U5unnUb0Sn[RRSRU55 UbSU;alUR]SX!R>U5nUR_UUR@5n[RRSRU55 SnSnO&[`Rb"SRUU55eU(aSn [8R:"U SS 9 U(a[RRS 5 [RRSRU55 URCU 5(a.[RRS RU55 [RRSRU55 UReU5 SSS5 [RRS5 GM SSS5 ggs snfs snf!,(df  GNi=f![fa4n[RRSRU55 eSnAff=f!,(df  N=f!,(df  g=f) NzValidating input arguments.zGRevoking the RBAC policy from cluster with kubeconfig: {}, context: {} kubeconfigcontext)r%r&,TFz*The RBAC policy for {} will be cleaned up.)message cancel_on_noz,--------------------------------------------z%Start cleaning up RBAC policy for: {}z5Finished cleaning up the previous RBAC policy for: {}z.Generated RBAC policy is written to file: {} zGenerated RBAC policy is: z--------------------------------------------- -) overwritebinaryprivatezNApplying the generate RBAC policy to cluster with kubeconfig: {}, context: {} z /rbac.yamlz0The new RBAC policy has diff with previous: {}z Invalid value permissionzA*\( \5C\=3\<]7=H]&?\%,]7 \ \"% ]# //] ]# #]&& ]4 0]77 ^N) __name__ __module__ __qualname____firstlineno____doc__ classmethodr!rr__static_attributes__rtr#r rr#s' FPQQfpOr#r)ry __future__rrrrr8rgooglecloudsdk.callioper*googlecloudsdk.command_lib.container.fleetrr googlecloudsdk.corer r r googlecloudsdk.core.consoler googlecloudsdk.core.utilrrR ReleaseTracks ReleaseTrackALPHABETAGACommandrrtr#r rs<&%' (@@*#*28T..33T5F5F5I5INO$,,NONOr#