diff --git a/completions/bash/ocitools b/completions/bash/ocitools
index 3664dfb02..d3196a1ec 100644
--- a/completions/bash/ocitools
+++ b/completions/bash/ocitools
@@ -274,6 +274,7 @@ _ocitools_generate() {
 --bind
 --cap-add
 --cap-drop
+ --cgroup
 --cwd
 --env
 --gid
@@ -281,8 +282,12 @@ _ocitools_generate() {
 --groups
 --hostname
 --help
+ --ipc
+ --mount
 --mount-cgroups
+ --network
 --os
+ --pid
 --poststart
 --poststop
 --prestart
@@ -297,17 +302,14 @@ _ocitools_generate() {
 --tmpfs
 --uid
 --uidmappings
+ --uts
 "
 local boolean_options="
- --ipc
- --network
 --no-new-privileges
- --mount
- --pid
 --privileged
 --read-only
- --uts
+ --tty
 "
 local all_options="$options_with_args $boolean_options"
diff --git a/generate.go b/generate.go
index 97cfe46c9..da344485e 100644
--- a/generate.go
+++ b/generate.go
@@ -27,6 +27,7 @@ var generateFlags = []cli.Flag{
 cli.StringSliceFlag{Name: "groups", Usage: "supplementary groups for the process"},
 cli.StringSliceFlag{Name: "cap-add", Usage: "add capabilities"},
 cli.StringSliceFlag{Name: "cap-drop", Usage: "drop capabilities"},
+ cli.StringFlag{Name: "cgroup", Usage: "cgroup namespace"},
 cli.StringFlag{Name: "network", Usage: "network namespace"},
 cli.StringFlag{Name: "mount", Usage: "mount namespace"},
 cli.StringFlag{Name: "pid", Usage: "pid namespace"},
@@ -672,6 +673,8 @@ func mapStrToNamespace(ns string, path string) rspec.Namespace {
 return rspec.Namespace{Type: rspec.UTSNamespace, Path: path}
 case "user":
 return rspec.Namespace{Type: rspec.UserNamespace, Path: path}
+ case "cgroup":
+ return rspec.Namespace{Type: rspec.CgroupNamespace, Path: path}
 default:
 logrus.Fatalf("Should not reach here!")
 }
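Review bot: `--tty` is added to boolean_options in the third hunk, but none of the generate.go hunks in this commit add a `tty` flag; if generateFlags does not already declare a `cli.BoolFlag{Name: "tty", ...}` the completion will offer an option the command rejects, so please confirm the flag exists before merging. The move of `--ipc`, `--network`, `--mount`, `--pid` and `--uts` from boolean_options into options_with_args is consistent with their `cli.StringFlag` definitions in generate.go.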
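Review bot: The namespace names are now maintained in three places that this commit has to update in lockstep — the `cli.StringFlag` entries here, the `switch` in mapStrToNamespace, and the `namespaces` slice in setupNamespaces (the hunk at -684,7) — and nothing checks they agree, so a future namespace added to one place but not the others is either silently skipped by setupNamespaces or reaches the `logrus.Fatalf("Should not reach here!")` default. A package-level table of (flag name, rspec namespace type) pairs could drive all three: generateFlags appends one StringFlag per entry, mapStrToNamespace becomes a lookup, and setupNamespaces ranges over the entry names. Separately, `Usage: "cgroup namespace"` does not tell the user that the value is a namespace path or that the man page's special value `host` is accepted; `Usage: "cgroup namespace (path to join, or 'host' to remove it)"` would, assuming the host handling documented in the man page lives in setupNamespaces outside these hunks. The table below assumes the vendored specs-go spells the type `rspec.NamespaceType`.
```go
// namespaceFlags is the single source of truth for the --<name> namespace
// options; generateFlags, mapStrToNamespace and setupNamespaces derive from it.
var namespaceFlags = []struct {
	name string
	typ  rspec.NamespaceType
}{
	{"network", rspec.NetworkNamespace},
	{"pid", rspec.PIDNamespace},
	{"mount", rspec.MountNamespace},
	{"ipc", rspec.IPCNamespace},
	{"uts", rspec.UTSNamespace},
	{"user", rspec.UserNamespace},
	{"cgroup", rspec.CgroupNamespace},
}
// … unchanged: remaining generateFlags entries …
```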
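Review bot: `rspec.CgroupNamespace` only exists in runtime-spec releases that define the cgroup namespace, and this diff contains no vendor or dependency update, so the build relies on the already-vendored specs-go being recent enough; worth confirming, or bumping the vendored spec in the same commit so the change is self-contained. The end of mapStrToNamespace, after the `default` branch, lies outside the hunk.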
@@ -684,7 +687,7 @@ func setupNamespaces(spec *rspec.Spec, context *cli.Context) {
 needsNewUser = true
 }
- namespaces := []string{"network", "pid", "mount", "ipc", "uts", "user"}
+ namespaces := []string{"network", "pid", "mount", "ipc", "uts", "user", "cgroup"}
 for _, nsName := range namespaces {
 if !context.IsSet(nsName) && !(needsNewUser && nsName == "user") {
 continue
diff --git a/man/ocitools-generate.1.md b/man/ocitools-generate.1.md
index f8a9be0f3..cf1d4ada2 100644
--- a/man/ocitools-generate.1.md
+++ b/man/ocitools-generate.1.md
@@ -44,6 +44,11 @@ compatible runtime like runC to run a container.
 **--cap-drop**=[]
 Drop Linux capabilities
+**--cgroup**=[*PATH*]
+ Use a Cgroup namespace. If *PATH* is set, join that namespace. If it
+ is unset, create a new namespace. The special *PATH* `host` removes
+ any existing Cgroup namespace from the configuration.
+
 **--cgroups-path**=""
 Specifiy the path to the cgroups relative to the cgroups mount point.