OC SECRETS(1)                      June 2016                     OC SECRETS(1)

NAME

6       oc secrets link - Link secrets to a ServiceAccount

SYNOPSIS

11       oc secrets link [OPTIONS]

DESCRIPTION

16       Link secrets to a service account
17
18
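       Linking a secret enables a service account to automatically use that
       secret for some forms of authentication: as a secret that pods running
       under the service account may mount, or as an image pull secret (see
       --for). Every pod that runs as the service account can then use the
       secret, so link only the secrets that the account actually needs.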

OPTIONS

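       --for=[mount]
           type of secret to link: mount or pull. Separate the values with a
           comma to link the secret for both uses, as in --for=pull,mount.
           The default is mount.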

OPTIONS INHERITED FROM PARENT COMMANDS

31       --allow_verification_with_non_compliant_keys=false
32           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
33       non-compliant with RFC6962.
34
35
36       --alsologtostderr=false
37           log to standard error as well as files
38
39
40       --application_metrics_count_limit=100
41           Max number of application metrics to store (per container)
42
43
44       --as=""
45           Username to impersonate for the operation
46
47
48       --as-group=[]
           Group to impersonate for the operation; this flag can be repeated
           to specify multiple groups.
51
52
53       --azure-container-registry-config=""
54           Path to the file containing Azure container registry  configuration
55       information.
56
57
58       --boot_id_file="/proc/sys/kernel/random/boot_id"
59           Comma-separated  list  of files to check for boot-id. Use the first
60       one that exists.
61
62
63       --cache-dir="/builddir/.kube/http-cache"
64           Default HTTP cache directory
65
66
67       --certificate-authority=""
68           Path to a cert file for the certificate authority
69
70
71       --client-certificate=""
72           Path to a client certificate file for TLS
73
74
75       --client-key=""
76           Path to a client key file for TLS
77
78
79       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
80           CIDRs opened in GCE firewall for LB traffic proxy  health checks
81
82
83       --cluster=""
84           The name of the kubeconfig cluster to use
85
86
87       --container_hints="/etc/cadvisor/container_hints.json"
88           location of the container hints file
89
90
91       --containerd="unix:///var/run/containerd.sock"
92           containerd endpoint
93
94
95       --context=""
96           The name of the kubeconfig context to use
97
98
99       --default-not-ready-toleration-seconds=300
100           Indicates    the    tolerationSeconds   of   the   toleration   for
101       notReady:NoExecute that is added by default to every pod that does  not
102       already have such a toleration.
103
104
105       --default-unreachable-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           unreachable:NoExecute that is added by default to every pod that
           does not already have such a toleration.
109
110
111       --docker="unix:///var/run/docker.sock"
112           docker endpoint
113
114
115       --docker-tls=false
116           use TLS to connect to docker
117
118
119       --docker-tls-ca="ca.pem"
120           path to trusted CA
121
122
123       --docker-tls-cert="cert.pem"
124           path to client certificate
125
126
127       --docker-tls-key="key.pem"
128           path to private key
129
130
131       --docker_env_metadata_whitelist=""
           a comma-separated list of environment variable keys that need to
           be collected for docker containers
134
135
136       --docker_only=false
137           Only report docker containers in addition to root stats
138
139
140       --docker_root="/var/lib/docker"
           DEPRECATED: docker root is read from docker info (this is a
           fallback, default: /var/lib/docker)
143
144
145       --enable_load_reader=false
146           Whether to enable cpu load reader
147
148
149       --event_storage_age_limit="default=24h"
150           Max length of time for which to store events (per type). Value is a
151       comma separated list of key values, where  the  keys  are  event  types
152       (e.g.: creation, oom) or "default" and the value is a duration. Default
153       is applied to all non-specified event types
154
155
156       --event_storage_event_limit="default=100000"
           Max number of events to store (per type). Value is a
           comma-separated list of key values, where the keys are event types
           (e.g.: creation, oom) or "default" and the value is an integer.
           Default is applied to all non-specified event types
161
162
163       --global_housekeeping_interval=0
164           Interval between global housekeepings
165
166
167       --housekeeping_interval=0
168           Interval between container housekeepings
169
170
171       --httptest.serve=""
172           if non-empty, httptest.NewServer serves on this address and blocks
173
174
175       --insecure-skip-tls-verify=false
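           If true, the server's certificate will not be checked for validity.
           This will make your HTTPS connections insecure: the client cannot
           tell the real API server from an impersonated one, so credentials
           sent with the request (such as the bearer token) can be intercepted.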
178
179
180       --kubeconfig=""
181           Path to the kubeconfig file to use for CLI requests.
182
183
184       --log-flush-frequency=0
185           Maximum number of seconds between log flushes
186
187
188       --log_backtrace_at=:0
189           when logging hits line file:N, emit a stack trace
190
191
192       --log_cadvisor_usage=false
193           Whether to log the usage of the cAdvisor container
194
195
196       --log_dir=""
197           If non-empty, write log files in this directory
198
199
200       --logtostderr=true
201           log to standard error instead of files
202
203
204       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
205           Comma-separated list of files to  check  for  machine-id.  Use  the
206       first one that exists.
207
208
209       --match-server-version=false
210           Require server version to match client version
211
212
213       -n, --namespace=""
214           If present, the namespace scope for this CLI request
215
216
217       --request-timeout="0"
218           The  length  of  time  to  wait before giving up on a single server
219       request. Non-zero values should contain a corresponding time unit (e.g.
220       1s, 2m, 3h). A value of zero means don't timeout requests.
221
222
223       -s, --server=""
224           The address and port of the Kubernetes API server
225
226
227       --stderrthreshold=2
228           logs at or above this threshold go to stderr
229
230
231       --storage_driver_buffer_duration=0
232           Writes  in  the  storage driver will be buffered for this duration,
233       and committed to the non memory backends as a single transaction
234
235
236       --storage_driver_db="cadvisor"
237           database name
238
239
240       --storage_driver_host="localhost:8086"
241           database host:port
242
243
244       --storage_driver_password="root"
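           database password (the default shown is a well-known value; set a
           different one wherever this storage driver is actually used)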
246
247
248       --storage_driver_secure=false
249           use secure connection with database
250
251
252       --storage_driver_table="stats"
253           table name
254
255
256       --storage_driver_user="root"
257           database username
258
259
260       --token=""
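           Bearer token for authentication to the API server. A token given on
           the command line can end up in shell history and process listings;
           keeping it in a kubeconfig file (see --kubeconfig) avoids that.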
262
263
264       --user=""
265           The name of the kubeconfig user to use
266
267
268       -v, --v=0
269           log level for V logs
270
271
272       --version=false
273           Print version information and quit
274
275
276       --vmodule=
           comma-separated list of pattern=N settings for file-filtered
           logging

EXAMPLE

283                # Add an image pull secret to a service account to automatically use it for pulling pod images:
284                oc secrets link serviceaccount-name pull-secret --for=pull
285
286                # Add an image pull secret to a service account to automatically use it for both pulling and pushing build images:
287                oc secrets link builder builder-image-secret --for=pull,mount
288
289                # If the cluster's serviceAccountConfig is operating with limitSecretReferences: True, secrets must be added to the pod's service account whitelist in order to be available to the pod:
290                oc secrets link pod-sa pod-secret

SEE ALSO

296       oc-secrets(1),

HISTORY

301       June 2016, Ported from the Kubernetes man-doc generator
Openshift                  Openshift CLI User Manuals            OC SECRETS(1)