1OC AUTH(1)                         June 2016                        OC AUTH(1)
2
3
4

NAME

6       oc  auth reconcile - Reconciles rules for RBAC Role, RoleBinding, Clus‐
7       terRole, and ClusterRole binding objects
8
9
10

SYNOPSIS

12       oc auth reconcile [OPTIONS]
13
14
15

DESCRIPTION

17       Reconciles rules for RBAC Role, RoleBinding, ClusterRole, and  Cluster‐
18       Role binding objects.
19
20
21       This  is  preferred  to  'apply' for RBAC resources so that proper rule
22       coverage checks are done.
23
24
25

OPTIONS

27       --allow-missing-template-keys=true
28           If true, ignore any errors in templates when a field or map key  is
29       missing  in  the  template.  Only applies to golang and jsonpath output
30       formats.
31
32
33       --dry-run=false
34           If true, display results but do not submit changes
35
36
37       -f, --filename=[]
38           Filename, directory, or URL to files identifying  the  resource  to
39       reconcile.
40
41
42       -o, --output=""
43           Output  format. One of: json|yaml|name|template|go-template|go-tem‐
44       plate-file|templatefile|jsonpath|jsonpath-file.
45
46
47       -R, --recursive=false
48           Process the directory used in -f,  --filename  recursively.  Useful
49       when  you  want  to  manage related manifests organized within the same
50       directory.
51
52
53       --remove-extra-permissions=false
54           If true, removes extra permissions added to roles
55
56
57       --remove-extra-subjects=false
58           If true, removes extra subjects added to rolebindings
59
60
61       --template=""
62           Template string or path to template file  to  use  when  -o=go-tem‐
63       plate,  -o=go-template-file.  The template format is golang templates [
64http://golang.org/pkg/text/template/#pkg-overview⟩].
65
66
67

OPTIONS INHERITED FROM PARENT COMMANDS

69       --allow_verification_with_non_compliant_keys=false
70           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
71       non-compliant with RFC6962.
72
73
74       --alsologtostderr=false
75           log to standard error as well as files
76
77
78       --application_metrics_count_limit=100
79           Max number of application metrics to store (per container)
80
81
82       --as=""
83           Username to impersonate for the operation
84
85
86       --as-group=[]
87           Group  to  impersonate for the operation, this flag can be repeated
88       to specify multiple groups.
89
90
91       --azure-container-registry-config=""
92           Path to the file containing Azure container registry  configuration
93       information.
94
95
96       --boot_id_file="/proc/sys/kernel/random/boot_id"
97           Comma-separated  list  of files to check for boot-id. Use the first
98       one that exists.
99
100
101       --cache-dir="/builddir/.kube/http-cache"
102           Default HTTP cache directory
103
104
105       --certificate-authority=""
106           Path to a cert file for the certificate authority
107
108
109       --client-certificate=""
110           Path to a client certificate file for TLS
111
112
113       --client-key=""
114           Path to a client key file for TLS
115
116
117       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
118           CIDRs opened in GCE firewall for LB traffic proxy  health checks
119
120
121       --cluster=""
122           The name of the kubeconfig cluster to use
123
124
125       --container_hints="/etc/cadvisor/container_hints.json"
126           location of the container hints file
127
128
129       --containerd="unix:///var/run/containerd.sock"
130           containerd endpoint
131
132
133       --context=""
134           The name of the kubeconfig context to use
135
136
137       --default-not-ready-toleration-seconds=300
138           Indicates    the    tolerationSeconds   of   the   toleration   for
139       notReady:NoExecute that is added by default to every pod that does  not
140       already have such a toleration.
141
142
143       --default-unreachable-toleration-seconds=300
144           Indicates  the  tolerationSeconds  of  the  toleration for unreach‐
145       able:NoExecute that is added by default to  every  pod  that  does  not
146       already have such a toleration.
147
148
149       --docker="unix:///var/run/docker.sock"
150           docker endpoint
151
152
153       --docker-tls=false
154           use TLS to connect to docker
155
156
157       --docker-tls-ca="ca.pem"
158           path to trusted CA
159
160
161       --docker-tls-cert="cert.pem"
162           path to client certificate
163
164
165       --docker-tls-key="key.pem"
166           path to private key
167
168
169       --docker_env_metadata_whitelist=""
170           a  comma-separated  list of environment variable keys that needs to
171       be collected for docker containers
172
173
174       --docker_only=false
175           Only report docker containers in addition to root stats
176
177
178       --docker_root="/var/lib/docker"
179           DEPRECATED: docker root is read from docker info (this is  a  fall‐
180       back, default: /var/lib/docker)
181
182
183       --enable_load_reader=false
184           Whether to enable cpu load reader
185
186
187       --event_storage_age_limit="default=24h"
188           Max length of time for which to store events (per type). Value is a
189       comma separated list of key values, where  the  keys  are  event  types
190       (e.g.: creation, oom) or "default" and the value is a duration. Default
191       is applied to all non-specified event types
192
193
194       --event_storage_event_limit="default=100000"
195           Max number of events to store (per type). Value is  a  comma  sepa‐
196       rated  list  of  key values, where the keys are event types (e.g.: cre‐
197       ation, oom) or "default" and  the  value  is  an  integer.  Default  is
198       applied to all non-specified event types
199
200
201       --global_housekeeping_interval=0
202           Interval between global housekeepings
203
204
205       --housekeeping_interval=0
206           Interval between container housekeepings
207
208
209       --insecure-skip-tls-verify=false
210           If true, the server's certificate will not be checked for validity.
211       This will make your HTTPS connections insecure
212
213
214       --kubeconfig=""
215           Path to the kubeconfig file to use for CLI requests.
216
217
218       --log-flush-frequency=0
219           Maximum number of seconds between log flushes
220
221
222       --log_backtrace_at=:0
223           when logging hits line file:N, emit a stack trace
224
225
226       --log_cadvisor_usage=false
227           Whether to log the usage of the cAdvisor container
228
229
230       --log_dir=""
231           If non-empty, write log files in this directory
232
233
234       --logtostderr=true
235           log to standard error instead of files
236
237
238       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
239           Comma-separated list of files to  check  for  machine-id.  Use  the
240       first one that exists.
241
242
243       --match-server-version=false
244           Require server version to match client version
245
246
247       -n, --namespace=""
248           If present, the namespace scope for this CLI request
249
250
251       --request-timeout="0"
252           The  length  of  time  to  wait before giving up on a single server
253       request. Non-zero values should contain a corresponding time unit (e.g.
254       1s, 2m, 3h). A value of zero means don't timeout requests.
255
256
257       -s, --server=""
258           The address and port of the Kubernetes API server
259
260
261       --stderrthreshold=2
262           logs at or above this threshold go to stderr
263
264
265       --storage_driver_buffer_duration=0
266           Writes  in  the  storage driver will be buffered for this duration,
267       and committed to the non memory backends as a single transaction
268
269
270       --storage_driver_db="cadvisor"
271           database name
272
273
274       --storage_driver_host="localhost:8086"
275           database host:port
276
277
278       --storage_driver_password="root"
279           database password
280
281
282       --storage_driver_secure=false
283           use secure connection with database
284
285
286       --storage_driver_table="stats"
287           table name
288
289
290       --storage_driver_user="root"
291           database username
292
293
294       --token=""
295           Bearer token for authentication to the API server
296
297
298       --user=""
299           The name of the kubeconfig user to use
300
301
302       -v, --v=0
303           log level for V logs
304
305
306       --version=false
307           Print version information and quit
308
309
310       --vmodule=
311           comma-separated list of pattern=N settings for  file-filtered  log‐
312       ging
313
314
315

EXAMPLE

317                # Reconcile rbac resources from a file
318                oc auth reconcile -f my-rbac-rules.yaml
319
320
321
322

SEE ALSO

324       oc-auth(1),
325
326
327

HISTORY

329       June 2016, Ported from the Kubernetes man-doc generator
330
331
332
333Openshift                  Openshift CLI User Manuals               OC AUTH(1)
Impressum