OC ADM POLICY(1)                   June 2016                  OC ADM POLICY(1)

NAME

       oc adm policy add-cluster-role-to-user - Add a role to users for all
       projects in the cluster

SYNOPSIS

       oc adm policy add-cluster-role-to-user [OPTIONS]

DESCRIPTION

       Add a role to users or service accounts across all projects

       This command allows you to grant a user access to specific resources
       and actions within the cluster by assigning them to a role. It creates
       or modifies a ClusterRoleBinding referencing the specified ClusterRole,
       adding the user(s) or serviceaccount(s) to the list of subjects. This
       command does not require that the matching cluster role or
       user/serviceaccount resources exist and will create the binding
       successfully even when the role or user/serviceaccount do not exist or
       when the user does not have access to view them.

       If the --rolebinding-name argument is supplied, it will look for an
       existing clusterrolebinding with that name. The role on the matching
       clusterrolebinding MUST match the role name supplied to the command. If
       no rolebinding name is given, a default name will be used.

       To learn more, see information about RBAC and policy, or use the 'get'
       and 'describe' commands on the following resources: 'clusterroles',
       'clusterrolebindings', 'roles', 'rolebindings', 'users', 'groups', and
       'serviceaccounts'.
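
       Because the binding is created even when the role or
       user/serviceaccount does not exist, a mistyped name produces a binding
       that grants nothing now but takes effect if a role or user with that
       name is created later. The check below is an added example, not part
       of the original manual or the oc code base; it flags such unresolved
       references, assuming the rbac.authorization.k8s.io/v1 JSON layout, with
       constructed sample data and made-up names:

```python
import json

# Constructed sample, shaped like `oc get clusterrolebindings -o json` output
# (rbac.authorization.k8s.io/v1 assumed). All names are made up.
SAMPLE_BINDINGS = json.loads("""
{"items": [
  {"metadata": {"name": "cluster-reader-0"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-reader"},
   "subjects": [{"kind": "User", "name": "alice"}]},
  {"metadata": {"name": "cluster-admn"},
   "roleRef": {"kind": "ClusterRole", "name": "cluster-admn"},
   "subjects": [{"kind": "User", "name": "bob"}]},
  {"metadata": {"name": "view-0"},
   "roleRef": {"kind": "ClusterRole", "name": "view"},
   "subjects": [{"kind": "ServiceAccount", "namespace": "ci", "name": "deployer"},
                {"kind": "User", "name": "alcie"}]}
]}
""")


def find_dangling(bindings, cluster_roles, users, service_accounts):
    """Return (binding, problem, reference) tuples for unresolved references.

    cluster_roles, users: sets of names that exist in the cluster.
    service_accounts: set of (namespace, name) pairs that exist.
    """
    findings = []
    for item in bindings.get("items", []):
        name = item["metadata"]["name"]
        role = item.get("roleRef", {}).get("name", "")
        if role not in cluster_roles:
            findings.append((name, "missing-role", role))
        for subj in item.get("subjects") or []:
            kind = subj.get("kind")
            if kind == "User" and subj["name"] not in users:
                findings.append((name, "missing-user", subj["name"]))
            elif kind == "ServiceAccount":
                key = (subj.get("namespace", ""), subj["name"])
                if key not in service_accounts:
                    findings.append((name, "missing-serviceaccount", "/".join(key)))
    return findings


if __name__ == "__main__":
    for finding in find_dangling(SAMPLE_BINDINGS, {"cluster-reader", "view"},
                                 {"alice", "bob"}, {("default", "deployer")}):
        print(*finding, sep="\t")
```

       On a live cluster the three lookup sets would be built from the 'get'
       output for 'clusterroles', 'users' and 'serviceaccounts'.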

OPTIONS

       --allow-missing-template-keys=true
           If true, ignore any errors in templates when a field or map key is
           missing in the template. Only applies to golang and jsonpath output
           formats.

       --dry-run=false
           If true, only print the object that would be sent, without sending
           it.

       --no-headers=false
           When using the default or custom-column output format, don't print
           headers (default print headers).

       -o, --output=""
           Output format. One of:
           json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=...
           See custom columns
           [⟨http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns⟩],
           golang template
           [⟨http://golang.org/pkg/text/template/#pkg-overview⟩] and jsonpath
           template [⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].

       --rolebinding-name=""
           Name of the rolebinding to modify or create. If left empty creates
           a new rolebinding with a default name

       -z, --serviceaccount=[]
           service account in the current namespace to use as a user

       --show-labels=false
           When printing, show all labels as the last column (default hide
           labels column)

       --sort-by=""
           If non-empty, sort list types using this field specification. The
           field specification is expressed as a JSONPath expression (e.g.
           '{.metadata.name}'). The field in the API resource specified by
           this JSONPath expression must be an integer or a string.

       --template=""
           Template string or path to template file to use when
           -o=go-template, -o=go-template-file. The template format is golang
           templates [⟨http://golang.org/pkg/text/template/#pkg-overview⟩].

OPTIONS INHERITED FROM PARENT COMMANDS

       --allow_verification_with_non_compliant_keys=false
           Allow a SignatureVerifier to use keys which are technically
           non-compliant with RFC6962.

       --alsologtostderr=false
           log to standard error as well as files

       --application_metrics_count_limit=100
           Max number of application metrics to store (per container)

       --as=""
           Username to impersonate for the operation

       --as-group=[]
           Group to impersonate for the operation, this flag can be repeated
           to specify multiple groups.

       --azure-container-registry-config=""
           Path to the file containing Azure container registry configuration
           information.

       --boot_id_file="/proc/sys/kernel/random/boot_id"
           Comma-separated list of files to check for boot-id. Use the first
           one that exists.

       --cache-dir="/builddir/.kube/http-cache"
           Default HTTP cache directory

       --certificate-authority=""
           Path to a cert file for the certificate authority

       --client-certificate=""
           Path to a client certificate file for TLS

       --client-key=""
           Path to a client key file for TLS

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
           CIDRs opened in GCE firewall for LB traffic proxy & health checks

       --cluster=""
           The name of the kubeconfig cluster to use

       --container_hints="/etc/cadvisor/container_hints.json"
           location of the container hints file

       --containerd="unix:///var/run/containerd.sock"
           containerd endpoint

       --context=""
           The name of the kubeconfig context to use

       --default-not-ready-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           notReady:NoExecute that is added by default to every pod that does
           not already have such a toleration.

       --default-unreachable-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           unreachable:NoExecute that is added by default to every pod that
           does not already have such a toleration.

       --docker="unix:///var/run/docker.sock"
           docker endpoint

       --docker-tls=false
           use TLS to connect to docker

       --docker-tls-ca="ca.pem"
           path to trusted CA

       --docker-tls-cert="cert.pem"
           path to client certificate

       --docker-tls-key="key.pem"
           path to private key

       --docker_env_metadata_whitelist=""
           a comma-separated list of environment variable keys that need to
           be collected for docker containers

       --docker_only=false
           Only report docker containers in addition to root stats

       --docker_root="/var/lib/docker"
           DEPRECATED: docker root is read from docker info (this is a
           fallback, default: /var/lib/docker)

       --enable_load_reader=false
           Whether to enable cpu load reader

       --event_storage_age_limit="default=24h"
           Max length of time for which to store events (per type). Value is
           a comma separated list of key values, where the keys are event
           types (e.g.: creation, oom) or "default" and the value is a
           duration. Default is applied to all non-specified event types

       --event_storage_event_limit="default=100000"
           Max number of events to store (per type). Value is a comma
           separated list of key values, where the keys are event types
           (e.g.: creation, oom) or "default" and the value is an integer.
           Default is applied to all non-specified event types

       --global_housekeeping_interval=0
           Interval between global housekeepings

       --housekeeping_interval=0
           Interval between container housekeepings

       --httptest.serve=""
           if non-empty, httptest.NewServer serves on this address and blocks

       --insecure-skip-tls-verify=false
           If true, the server's certificate will not be checked for
           validity. This will make your HTTPS connections insecure

       --kubeconfig=""
           Path to the kubeconfig file to use for CLI requests.

       --log-flush-frequency=0
           Maximum number of seconds between log flushes

       --log_backtrace_at=:0
           when logging hits line file:N, emit a stack trace

       --log_cadvisor_usage=false
           Whether to log the usage of the cAdvisor container

       --log_dir=""
           If non-empty, write log files in this directory

       --logtostderr=true
           log to standard error instead of files

       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
           Comma-separated list of files to check for machine-id. Use the
           first one that exists.

       --match-server-version=false
           Require server version to match client version

       -n, --namespace=""
           If present, the namespace scope for this CLI request

       --request-timeout="0"
           The length of time to wait before giving up on a single server
           request. Non-zero values should contain a corresponding time unit
           (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

       -s, --server=""
           The address and port of the Kubernetes API server

       --stderrthreshold=2
           logs at or above this threshold go to stderr

       --storage_driver_buffer_duration=0
           Writes in the storage driver will be buffered for this duration,
           and committed to the non memory backends as a single transaction

       --storage_driver_db="cadvisor"
           database name

       --storage_driver_host="localhost:8086"
           database host:port

       --storage_driver_password="root"
           database password

       --storage_driver_secure=false
           use secure connection with database

       --storage_driver_table="stats"
           table name

       --storage_driver_user="root"
           database username

       --token=""
           Bearer token for authentication to the API server

       --user=""
           The name of the kubeconfig user to use

       -v, --v=0
           log level for V logs

       --version=false
           Print version information and quit

       --vmodule=
           comma-separated list of pattern=N settings for file-filtered
           logging

SEE ALSO

       oc-adm-policy(1)

HISTORY

       June 2016, Ported from the Kubernetes man-doc generator

Openshift                  Openshift CLI User Manuals         OC ADM POLICY(1)