- NAME
-
- gcloud container fleet memberships generate-gateway-rbac - generate RBAC policy files for connected clusters by the user
- SYNOPSIS
-
-
gcloud container fleet memberships generate-gateway-rbac(--anthos-support|--groups=GROUPS|--users=USERS) [--apply] [--context=CONTEXT] [--kubeconfig=KUBECONFIG] [--membership=MEMBERSHIP] [--rbac-output-file=RBAC_OUTPUT_FILE] [--revoke] [--role=ROLE] [GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
- gcloud container fleet memberships generate-gateway-rbac generates RBAC policies
to be used by Connect Gateway API.
Upon success, this command will write the output RBAC policy to the designated local file in dry run mode.
Override RBAC policy: Y to override previous RBAC policy, N to stop. If overriding the --role, Y will clean up the previous RBAC policy and then apply the new one.
- EXAMPLES
- The current implementation supports multiple modes:
Dry run mode to generate the RBAC policy file, and write to local directory:
gcloud container fleet memberships generate-gateway-rbac --membership = my-cluster --users = foo@example.com,test-acct@test-project.iam.gserviceaccount.com --role = clusterrole/cluster-admin --rbac-output-file = ./rbac.yamlDry run mode to generate the RBAC policy, and print on screen:
gcloud container fleet memberships generate-gateway-rbac --membership = my-cluster --users = foo@example.com,test-acct@test-project.iam.gserviceaccount.com --role = clusterrole/cluster-adminAnthos support mode, generate the RBAC policy file with read-only permission for TSE/Eng to debug customers' clusters:
gcloud container fleet memberships generate-gateway-rbac --membership = my-cluster --anthos-supportApply mode, generate the RBAC policy and apply it to the specified cluster:
gcloud container fleet memberships generate-gateway-rbac --membership = my-cluster --users = foo@example.com,test-acct@test-project.iam.gserviceaccount.com --role = clusterrole/cluster-admin --context = my-cluster-context --kubeconfig = /home/user/custom_kubeconfig --applyRevoke mode, revoke the RBAC policy for the specified users:
gcloud container fleet memberships generate-gateway-rbac --membership = my-cluster --users = foo@example.com,test-acct@test-project.iam.gserviceaccount.com --role = clusterrole/cluster-admin --context = my-cluster-context --kubeconfig = /home/user/custom_kubeconfig --revokeThe role to be granted to the users can either be cluster-scoped or namespace-scoped. To grant a namespace-scoped role to the users in dry run mode, run:
gcloud container fleet memberships generate-gateway-rbac --membership = my-cluster --users = foo@example.com,test-acct@test-project.iam.gserviceaccount.com --role = role/mynamespace/namespace-readerThe users provided can be using a Google identity (only email) or using external identity providers (starting with "principal://iam.googleapis.com"):
gcloud container fleet memberships generate-gateway-rbac --membership = my-cluster --users = foo@example.com,principal://iam.googleapis.com/locations/global/workforcePools/pool/subject/user --role = clusterrole/cluster-admin --context = my-cluster-context --kubeconfig = /home/user/custom_kubeconfig --applyThe groups can be provided as a Google identity (only email) or an external identity (starting with "principalSet://iam.googleapis.com"):
gcloud container fleet memberships generate-gateway-rbac --membership = my-cluster --groups = group@example.com,principalSet://iam.googleapis.com/locations/global/workforcePools/pool/group/ExampleGroup --role = clusterrole/cluster-admin --context = my-cluster-context --kubeconfig = /home/user/custom_kubeconfig --apply - REQUIRED FLAGS
-
- Exactly one of these must be specified:
-
--anthos-support - If specified, this command will generate RBAC policy file for anthos support.
-
--groups=GROUPS - Group email address or third-party IAM group principal.
-
--users=USERS - User's email address, service account email address, or third-party IAM subject principal.
-
- Exactly one of these must be specified:
- OPTIONAL FLAGS
-
-
--apply - If specified, this command will generate RBAC policy and apply to the specified cluster.
-
--context=CONTEXT - The cluster context as it appears in the kubeconfig file. You can get this value
from the command line by running command:
kubectl config current-context. -
--kubeconfig=KUBECONFIG - The kubeconfig file containing an entry for the cluster. Defaults to $KUBECONFIG if it is set in the environment, otherwise defaults to $HOME/.kube/config.
-
--membership=MEMBERSHIP - Membership name to assign RBAC policy with.
-
--rbac-output-file=RBAC_OUTPUT_FILE - If specified, this command will execute in dry run mode and write to the file specified with this flag: the generated RBAC policy will not be applied to Kubernetes clusters,instead it will be written to the designated local file.
-
--revoke - If specified, this command will revoke the RBAC policy for the specified users.
-
--role=ROLE - Namespace scoped role or cluster role.
-
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$ gcloud helpfor details. - NOTES
- These variants are also available:
gcloud alpha container fleet memberships generate-gateway-rbacgcloud beta container fleet memberships generate-gateway-rbac
gcloud container fleet memberships generate-gateway-rbac
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-05-27 UTC.
