1KUBERNETES(1)                      Jan 2015                      KUBERNETES(1)
2
3
4

NAME

6       kubectl create secret tls - Create a TLS secret
7
8
9

SYNOPSIS

11       kubectl create secret tls [OPTIONS]
12
13
14

DESCRIPTION

16       Create a TLS secret from the given public/private key pair.
17
18
19       The public/private key pair must exist beforehand. The public key cer‐
20       tificate must be PEM encoded and match the given private key.
21
22
23

OPTIONS

25       --allow-missing-template-keys=true
26           If true, ignore any errors in templates when a field or map key  is
27       missing  in  the  template.  Only applies to golang and jsonpath output
28       formats.
29
30
31       --append-hash=false
32           Append a hash of the secret to its name.
33
34
35       --cert=""
36           Path to PEM encoded public key certificate.
37
38
39       --dry-run=false
40           If true, only print the object that would be sent, without  sending
41       it.
42
43
44       --generator="secret-for-tls/v1"
45           The name of the API generator to use.
46
47
48       --key=""
49           Path to private key associated with given certificate.
50
51
52       -o, --output=""
53           Output    format.    One   of:   json|yaml|name|go-template|go-tem‐
54       plate-file|template|templatefile|jsonpath|jsonpath-file.
55
56
57       --save-config=false
58           If true, the configuration of current object will be saved  in  its
59       annotation.  Otherwise,  the annotation will be unchanged. This flag is
60       useful when you want to perform kubectl apply on  this  object  in  the
61       future.
62
63
64       --template=""
65           Template  string  or  path  to template file to use when -o=go-tem‐
66       plate, -o=go-template-file. The template format is golang  templates
67       [⟨http://golang.org/pkg/text/template/#pkg-overview⟩].
68
69
70       --validate=true
71           If true, use a schema to validate the input before sending it
72
73
74

OPTIONS INHERITED FROM PARENT COMMANDS

76       --alsologtostderr=false
77           log to standard error as well as files
78
79
80       --application-metrics-count-limit=100
81           Max number of application metrics to store (per container)
82
83
84       --as=""
85           Username to impersonate for the operation
86
87
88       --as-group=[]
89           Group  to  impersonate for the operation, this flag can be repeated
90       to specify multiple groups.
91
92
93       --azure-container-registry-config=""
94           Path to the file containing Azure container registry  configuration
95       information.
96
97
98       --boot-id-file="/proc/sys/kernel/random/boot_id"
99           Comma-separated  list  of files to check for boot-id. Use the first
100       one that exists.
101
102
103       --cache-dir="/builddir/.kube/http-cache"
104           Default HTTP cache directory
105
106
107       --certificate-authority=""
108           Path to a cert file for the certificate authority
109
110
111       --client-certificate=""
112           Path to a client certificate file for TLS
113
114
115       --client-key=""
116           Path to a client key file for TLS
117
118
119       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
120           CIDRs opened in GCE firewall for LB traffic proxy & health checks
121
122
123       --cluster=""
124           The name of the kubeconfig cluster to use
125
126
127       --container-hints="/etc/cadvisor/container_hints.json"
128           location of the container hints file
129
130
131       --containerd="unix:///var/run/containerd.sock"
132           containerd endpoint
133
134
135       --context=""
136           The name of the kubeconfig context to use
137
138
139       --default-not-ready-toleration-seconds=300
140           Indicates    the    tolerationSeconds   of   the   toleration   for
141       notReady:NoExecute that is added by default to every pod that does  not
142       already have such a toleration.
143
144
145       --default-unreachable-toleration-seconds=300
146           Indicates  the  tolerationSeconds  of  the  toleration for unreach‐
147       able:NoExecute that is added by default to  every  pod  that  does  not
148       already have such a toleration.
149
150
151       --docker="unix:///var/run/docker.sock"
152           docker endpoint
153
154
155       --docker-env-metadata-whitelist=""
156           a  comma-separated  list of environment variable keys that need to
157       be collected for docker containers
158
159
160       --docker-only=false
161           Only report docker containers in addition to root stats
162
163
164       --docker-root="/var/lib/docker"
165           DEPRECATED: docker root is read from docker info (this is  a  fall‐
166       back, default: /var/lib/docker)
167
168
169       --docker-tls=false
170           use TLS to connect to docker
171
172
173       --docker-tls-ca="ca.pem"
174           path to trusted CA
175
176
177       --docker-tls-cert="cert.pem"
178           path to client certificate
179
180
181       --docker-tls-key="key.pem"
182           path to private key
183
184
185       --enable-load-reader=false
186           Whether to enable cpu load reader
187
188
189       --event-storage-age-limit="default=0"
190           Max length of time for which to store events (per type). Value is a
191       comma separated list of key values, where  the  keys  are  event  types
192       (e.g.: creation, oom) or "default" and the value is a duration. Default
193       is applied to all non-specified event types
194
195
196       --event-storage-event-limit="default=0"
197           Max number of events to store (per type). Value is  a  comma  sepa‐
198       rated  list  of  key values, where the keys are event types (e.g.: cre‐
199       ation, oom) or "default" and  the  value  is  an  integer.  Default  is
200       applied to all non-specified event types
201
202
203       --global-housekeeping-interval=1m0s
204           Interval between global housekeepings
205
206
207       --housekeeping-interval=10s
208           Interval between container housekeepings
209
210
211       --insecure-skip-tls-verify=false
212           If true, the server's certificate will not be checked for validity.
213       This will make your HTTPS connections insecure, because the identity of the API server is no longer verified.
214
215
216       --kubeconfig=""
217           Path to the kubeconfig file to use for CLI requests.
218
219
220       --log-backtrace-at=:0
221           when logging hits line file:N, emit a stack trace
222
223
224       --log-cadvisor-usage=false
225           Whether to log the usage of the cAdvisor container
226
227
228       --log-dir=""
229           If non-empty, write log files in this directory
230
231
232       --log-file=""
233           If non-empty, use this log file
234
235
236       --log-flush-frequency=5s
237           Maximum number of seconds between log flushes
238
239
240       --logtostderr=true
241           log to standard error instead of files
242
243
244       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
245           Comma-separated list of files to  check  for  machine-id.  Use  the
246       first one that exists.
247
248
249       --match-server-version=false
250           Require server version to match client version
251
252
253       --mesos-agent="127.0.0.1:5051"
254           Mesos agent address
255
256
257       --mesos-agent-timeout=10s
258           Mesos agent timeout
259
260
261       -n, --namespace=""
262           If present, the namespace scope for this CLI request
263
264
265       --password=""
266           Password for basic authentication to the API server
267
268
269       --profile="none"
270           Name of profile to capture. One of (none|cpu|heap|goroutine|thread‐
271       create|block|mutex)
272
273
274       --profile-output="profile.pprof"
275           Name of the file to write the profile to
276
277
278       --request-timeout="0"
279           The length of time to wait before giving  up  on  a  single  server
280       request. Non-zero values should contain a corresponding time unit (e.g.
281       1s, 2m, 3h). A value of zero means don't timeout requests.
282
283
284       -s, --server=""
285           The address and port of the Kubernetes API server
286
287
288       --skip-headers=false
289           If true, avoid header prefixes in the log messages
290
291
292       --stderrthreshold=2
293           logs at or above this threshold go to stderr
294
295
296       --storage-driver-buffer-duration=1m0s
297           Writes in the storage driver will be buffered  for  this  duration,
298       and committed to the non memory backends as a single transaction
299
300
301       --storage-driver-db="cadvisor"
302           database name
303
304
305       --storage-driver-host="localhost:8086"
306           database host:port
307
308
309       --storage-driver-password="root"
310           database password
311
312
313       --storage-driver-secure=false
314           use secure connection with database
315
316
317       --storage-driver-table="stats"
318           table name
319
320
321       --storage-driver-user="root"
322           database username
323
324
325       --token=""
326           Bearer token for authentication to the API server
327
328
329       --user=""
330           The name of the kubeconfig user to use
331
332
333       --username=""
334           Username for basic authentication to the API server
335
336
337       -v, --v=0
338           log level for V logs
339
340
341       --version=false
342           Print version information and quit
343
344
345       --vmodule=
346           comma-separated  list  of pattern=N settings for file-filtered log‐
347       ging
348
349
350

EXAMPLE

352                # Create a new TLS secret named tls-secret with the given key pair:
353                kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
354
355
356
357

SEE ALSO

359       kubectl-create-secret(1),
360
361
362

HISTORY

364       January 2015, Originally compiled by Eric Paris (eparis at  redhat  dot
365       com)  based  on the kubernetes source material, but hopefully they have
366       been automatically generated since!
367
368
369
370Eric Paris                  kubernetes User Manuals              KUBERNETES(1)