kubectl-auth-reconcile(1)

1KUBERNETES(1)                      Jan 2015                      KUBERNETES(1)
2
3
4

NAME

6       kubectl  auth  reconcile - Reconciles rules for RBAC Role, RoleBinding,
7       ClusterRole, and ClusterRole binding objects
8
9
10

SYNOPSIS

12       kubectl auth reconcile [OPTIONS]
13
14
15

DESCRIPTION

17       Reconciles rules for RBAC Role, RoleBinding, ClusterRole, and  Cluster‐
18       Role binding objects.
19
20
21       This  is  preferred  to  'apply' for RBAC resources so that proper rule
22       coverage checks are done.
23
24
25

OPTIONS

27       --allow-missing-template-keys=true
28           If true, ignore any errors in templates when a field or map key  is
29       missing  in  the  template.  Only applies to golang and jsonpath output
30       formats.
31
32
33       --dry-run=false
34           If true, display results but do not submit changes
35
36
37       -f, --filename=[]
38           Filename, directory, or URL to files identifying  the  resource  to
39       reconcile.
40
41
42       -o, --output=""
43           Output  format.  One  of: json|yaml|name|go-template-file|template‐
44       file|template|go-template|jsonpath-file|jsonpath.
45
46
47       -R, --recursive=false
48           Process the directory used in -f,  --filename  recursively.  Useful
49       when  you  want  to  manage related manifests organized within the same
50       directory.
51
52
53       --remove-extra-permissions=false
54           If true, removes extra permissions added to roles
55
56
57       --remove-extra-subjects=false
58           If true, removes extra subjects added to rolebindings
59
60
61       --template=""
62           Template string or path to template file  to  use  when  -o=go-tem‐
63       plate,  -o=go-template-file.  The template format is golang templates [
64       ⟨http://golang.org/pkg/text/template/#pkg-overview⟩].
65
66
67

OPTIONS INHERITED FROM PARENT COMMANDS

69       --allow-verification-with-non-compliant-keys=false
70           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
71       non-compliant with RFC6962.
72
73
74       --alsologtostderr=false
75           log to standard error as well as files
76
77
78       --application-metrics-count-limit=100
79           Max number of application metrics to store (per container)
80
81
82       --as=""
83           Username to impersonate for the operation
84
85
86       --as-group=[]
87           Group  to  impersonate for the operation, this flag can be repeated
88       to specify multiple groups.
89
90
91       --azure-container-registry-config=""
92           Path to the file containing Azure container registry  configuration
93       information.
94
95
96       --boot-id-file="/proc/sys/kernel/random/boot_id"
97           Comma-separated  list  of files to check for boot-id. Use the first
98       one that exists.
99
100
101       --cache-dir="/builddir/.kube/http-cache"
102           Default HTTP cache directory
103
104
105       --certificate-authority=""
106           Path to a cert file for the certificate authority
107
108
109       --client-certificate=""
110           Path to a client certificate file for TLS
111
112
113       --client-key=""
114           Path to a client key file for TLS
115
116
117       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
118           CIDRs opened in GCE firewall for LB traffic proxy  health checks
119
120
121       --cluster=""
122           The name of the kubeconfig cluster to use
123
124
125       --container-hints="/etc/cadvisor/container_hints.json"
126           location of the container hints file
127
128
129       --containerd="unix:///var/run/containerd.sock"
130           containerd endpoint
131
132
133       --context=""
134           The name of the kubeconfig context to use
135
136
137       --default-not-ready-toleration-seconds=300
138           Indicates    the    tolerationSeconds   of   the   toleration   for
139       notReady:NoExecute that is added by default to every pod that does  not
140       already have such a toleration.
141
142
143       --default-unreachable-toleration-seconds=300
144           Indicates  the  tolerationSeconds  of  the  toleration for unreach‐
145       able:NoExecute that is added by default to  every  pod  that  does  not
146       already have such a toleration.
147
148
149       --docker="unix:///var/run/docker.sock"
150           docker endpoint
151
152
153       --docker-env-metadata-whitelist=""
154           a  comma-separated  list of environment variable keys that needs to
155       be collected for docker containers
156
157
158       --docker-only=false
159           Only report docker containers in addition to root stats
160
161
162       --docker-root="/var/lib/docker"
163           DEPRECATED: docker root is read from docker info (this is  a  fall‐
164       back, default: /var/lib/docker)
165
166
167       --docker-tls=false
168           use TLS to connect to docker
169
170
171       --docker-tls-ca="ca.pem"
172           path to trusted CA
173
174
175       --docker-tls-cert="cert.pem"
176           path to client certificate
177
178
179       --docker-tls-key="key.pem"
180           path to private key
181
182
183       --enable-load-reader=false
184           Whether to enable cpu load reader
185
186
187       --event-storage-age-limit="default=0"
188           Max length of time for which to store events (per type). Value is a
189       comma separated list of key values, where  the  keys  are  event  types
190       (e.g.: creation, oom) or "default" and the value is a duration. Default
191       is applied to all non-specified event types
192
193
194       --event-storage-event-limit="default=0"
195           Max number of events to store (per type). Value is  a  comma  sepa‐
196       rated  list  of  key values, where the keys are event types (e.g.: cre‐
197       ation, oom) or "default" and  the  value  is  an  integer.  Default  is
198       applied to all non-specified event types
199
200
201       --global-housekeeping-interval=1m0s
202           Interval between global housekeepings
203
204
205       --google-json-key=""
206           The  Google  Cloud  Platform  Service  Account  JSON Key to use for
207       authentication.
208
209
210       --housekeeping-interval=10s
211           Interval between container housekeepings
212
213
214       --insecure-skip-tls-verify=false
215           If true, the server's certificate will not be checked for validity.
216       This will make your HTTPS connections insecure
217
218
219       --kubeconfig=""
220           Path to the kubeconfig file to use for CLI requests.
221
222
223       --log-backtrace-at=:0
224           when logging hits line file:N, emit a stack trace
225
226
227       --log-cadvisor-usage=false
228           Whether to log the usage of the cAdvisor container
229
230
231       --log-dir=""
232           If non-empty, write log files in this directory
233
234
235       --log-flush-frequency=5s
236           Maximum number of seconds between log flushes
237
238
239       --logtostderr=true
240           log to standard error instead of files
241
242
243       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
244           Comma-separated  list  of  files  to  check for machine-id. Use the
245       first one that exists.
246
247
248       --match-server-version=false
249           Require server version to match client version
250
251
252       --mesos-agent="127.0.0.1:5051"
253           Mesos agent address
254
255
256       --mesos-agent-timeout=10s
257           Mesos agent timeout
258
259
260       -n, --namespace=""
261           If present, the namespace scope for this CLI request
262
263
264       --request-timeout="0"
265           The length of time to wait before giving  up  on  a  single  server
266       request. Non-zero values should contain a corresponding time unit (e.g.
267       1s, 2m, 3h). A value of zero means don't timeout requests.
268
269
270       -s, --server=""
271           The address and port of the Kubernetes API server
272
273
274       --stderrthreshold=2
275           logs at or above this threshold go to stderr
276
277
278       --storage-driver-buffer-duration=1m0s
279           Writes in the storage driver will be buffered  for  this  duration,
280       and committed to the non memory backends as a single transaction
281
282
283       --storage-driver-db="cadvisor"
284           database name
285
286
287       --storage-driver-host="localhost:8086"
288           database host:port
289
290
291       --storage-driver-password="root"
292           database password
293
294
295       --storage-driver-secure=false
296           use secure connection with database
297
298
299       --storage-driver-table="stats"
300           table name
301
302
303       --storage-driver-user="root"
304           database username
305
306
307       --token=""
308           Bearer token for authentication to the API server
309
310
311       --user=""
312           The name of the kubeconfig user to use
313
314
315       -v, --v=0
316           log level for V logs
317
318
319       --version=false
320           Print version information and quit
321
322
323       --vmodule=
324           comma-separated  list  of pattern=N settings for file-filtered log‐
325       ging
326
327
328

EXAMPLE

330                # Reconcile rbac resources from a file
331                kubectl auth reconcile -f my-rbac-rules.yaml
332
333
334
335

HISTORY

342       January 2015, Originally compiled by Eric Paris (eparis at  redhat  dot
343       com)  based  on the kubernetes source material, but hopefully they have
344       been automatically generated since!
345
346
347
348Eric Paris                  kubernetes User Manuals              KUBERNETES(1)