1KUBERNETES(1) Jan 2015 KUBERNETES(1)
2
6 kubectl create secret tls - Create a TLS secret
7
11 kubectl create secret tls [OPTIONS]
12
16 Create a TLS secret from the given public/private key pair.
17 The public/private key pair must exist before hand. The public key cer‐
20 tificate must be .PEM encoded and match the given private key.
21
25 --allow-missing-template-keys=true
26 If true, ignore any errors in templates when a field or map key is
27 missing in the template. Only applies to golang and jsonpath output
28 formats.
29 --append-hash=false
32 Append a hash of the secret to its name.
33 --cert=""
36 Path to PEM encoded public key certificate.
37 --dry-run=false
40 If true, only print the object that would be sent, without sending
41 it.
42 --generator="secret-for-tls/v1"
45 The name of the API generator to use.
46 --key=""
49 Path to private key associated with given certificate.
50 -o, --output=""
53 Output format. One of: json|yaml|name|template|go-template|go-tem‐
54 plate-file|templatefile|jsonpath|jsonpath-file.
55 --save-config=false
58 If true, the configuration of current object will be saved in its
59 annotation. Otherwise, the annotation will be unchanged. This flag is
60 useful when you want to perform kubectl apply on this object in the
61 future.
62 --template=""
65 Template string or path to template file to use when -o=go-tem‐
66 plate, -o=go-template-file. The template format is golang templates [
67 ⟨http://golang.org/pkg/text/template/#pkg-overview⟩].
68 --validate=true
71 If true, use a schema to validate the input before sending it
72
76 --allow-verification-with-non-compliant-keys=false
77 Allow a SignatureVerifier to use keys which are technically
78 non-compliant with RFC6962.
79 --alsologtostderr=false
82 log to standard error as well as files
83 --application-metrics-count-limit=100
86 Max number of application metrics to store (per container)
87 --as=""
90 Username to impersonate for the operation
91 --as-group=[]
94 Group to impersonate for the operation, this flag can be repeated
95 to specify multiple groups.
96 --azure-container-registry-config=""
99 Path to the file containing Azure container registry configuration
100 information.
101 --boot-id-file="/proc/sys/kernel/random/boot_id"
104 Comma-separated list of files to check for boot-id. Use the first
105 one that exists.
106 --cache-dir="/builddir/.kube/http-cache"
109 Default HTTP cache directory
110 --certificate-authority=""
113 Path to a cert file for the certificate authority
114 --client-certificate=""
117 Path to a client certificate file for TLS
118 --client-key=""
121 Path to a client key file for TLS
122 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
125 CIDRs opened in GCE firewall for LB traffic proxy health checks
126 --cluster=""
129 The name of the kubeconfig cluster to use
130 --container-hints="/etc/cadvisor/container_hints.json"
133 location of the container hints file
134 --containerd="unix:///var/run/containerd.sock"
137 containerd endpoint
138 --context=""
141 The name of the kubeconfig context to use
142 --default-not-ready-toleration-seconds=300
145 Indicates the tolerationSeconds of the toleration for
146 notReady:NoExecute that is added by default to every pod that does not
147 already have such a toleration.
148 --default-unreachable-toleration-seconds=300
151 Indicates the tolerationSeconds of the toleration for unreach‐
152 able:NoExecute that is added by default to every pod that does not
153 already have such a toleration.
154 --docker="unix:///var/run/docker.sock"
157 docker endpoint
158 --docker-env-metadata-whitelist=""
161 a comma-separated list of environment variable keys that needs to
162 be collected for docker containers
163 --docker-only=false
166 Only report docker containers in addition to root stats
167 --docker-root="/var/lib/docker"
170 DEPRECATED: docker root is read from docker info (this is a fall‐
171 back, default: /var/lib/docker)
172 --docker-tls=false
175 use TLS to connect to docker
176 --docker-tls-ca="ca.pem"
179 path to trusted CA
180 --docker-tls-cert="cert.pem"
183 path to client certificate
184 --docker-tls-key="key.pem"
187 path to private key
188 --enable-load-reader=false
191 Whether to enable cpu load reader
192 --event-storage-age-limit="default=0"
195 Max length of time for which to store events (per type). Value is a
196 comma separated list of key values, where the keys are event types
197 (e.g.: creation, oom) or "default" and the value is a duration. Default
198 is applied to all non-specified event types
199 --event-storage-event-limit="default=0"
202 Max number of events to store (per type). Value is a comma sepa‐
203 rated list of key values, where the keys are event types (e.g.: cre‐
204 ation, oom) or "default" and the value is an integer. Default is
205 applied to all non-specified event types
206 --global-housekeeping-interval=1m0s
209 Interval between global housekeepings
210 --google-json-key=""
213 The Google Cloud Platform Service Account JSON Key to use for
214 authentication.
215 --housekeeping-interval=10s
218 Interval between container housekeepings
219 --insecure-skip-tls-verify=false
222 If true, the server's certificate will not be checked for validity.
223 This will make your HTTPS connections insecure
224 --kubeconfig=""
227 Path to the kubeconfig file to use for CLI requests.
228 --log-backtrace-at=:0
231 when logging hits line file:N, emit a stack trace
232 --log-cadvisor-usage=false
235 Whether to log the usage of the cAdvisor container
236 --log-dir=""
239 If non-empty, write log files in this directory
240 --log-flush-frequency=5s
243 Maximum number of seconds between log flushes
244 --logtostderr=true
247 log to standard error instead of files
248 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
251 Comma-separated list of files to check for machine-id. Use the
252 first one that exists.
253 --match-server-version=false
256 Require server version to match client version
257 --mesos-agent="127.0.0.1:5051"
260 Mesos agent address
261 --mesos-agent-timeout=10s
264 Mesos agent timeout
265 -n, --namespace=""
268 If present, the namespace scope for this CLI request
269 --request-timeout="0"
272 The length of time to wait before giving up on a single server
273 request. Non-zero values should contain a corresponding time unit (e.g.
274 1s, 2m, 3h). A value of zero means don't timeout requests.
275 -s, --server=""
278 The address and port of the Kubernetes API server
279 --stderrthreshold=2
282 logs at or above this threshold go to stderr
283 --storage-driver-buffer-duration=1m0s
286 Writes in the storage driver will be buffered for this duration,
287 and committed to the non memory backends as a single transaction
288 --storage-driver-db="cadvisor"
291 database name
292 --storage-driver-host="localhost:8086"
295 database host:port
296 --storage-driver-password="root"
299 database password
300 --storage-driver-secure=false
303 use secure connection with database
304 --storage-driver-table="stats"
307 table name
308 --storage-driver-user="root"
311 database username
312 --token=""
315 Bearer token for authentication to the API server
316 --user=""
319 The name of the kubeconfig user to use
320 -v, --v=0
323 log level for V logs
324 --version=false
327 Print version information and quit
328 --vmodule=
331 comma-separated list of pattern=N settings for file-filtered log‐
332 ging
333
337 # Create a new TLS secret named tls-secret with the given key pair:
338 kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
339
344 kubectl-create-secret(1),
345
349 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
350 com) based on the kubernetes source material, but hopefully they have
351 been automatically generated since!
352Eric Paris kubernetes User Manuals KUBERNETES(1)