1KUBERNETES(1) Jan 2015 KUBERNETES(1)
2
6 kubectl create secret tls - Create a TLS secret
7
11 kubectl create secret tls [OPTIONS]
12
16 Create a TLS secret from the given public/private key pair.
17 The public/private key pair must exist before hand. The public key cer‐
20 tificate must be .PEM encoded and match the given private key.
21
25 --allow-missing-template-keys=true
26 If true, ignore any errors in templates when a field or map key is
27 missing in the template. Only applies to golang and jsonpath output
28 formats.
29 --append-hash=false
32 Append a hash of the secret to its name.
33 --cert=""
36 Path to PEM encoded public key certificate.
37 --dry-run=false
40 If true, only print the object that would be sent, without sending
41 it.
42 --generator="secret-for-tls/v1"
45 The name of the API generator to use.
46 --key=""
49 Path to private key associated with given certificate.
50 -o, --output=""
53 Output format. One of: json|yaml|name|go-template|go-tem‐
54 plate-file|template|templatefile|jsonpath|jsonpath-file.
55 --save-config=false
58 If true, the configuration of current object will be saved in its
59 annotation. Otherwise, the annotation will be unchanged. This flag is
60 useful when you want to perform kubectl apply on this object in the
61 future.
62 --template=""
65 Template string or path to template file to use when -o=go-tem‐
66 plate, -o=go-template-file. The template format is golang templates [
67 ⟨http://golang.org/pkg/text/template/#pkg-overview⟩].
68 --validate=true
71 If true, use a schema to validate the input before sending it
72
76 --alsologtostderr=false
77 log to standard error as well as files
78 --application-metrics-count-limit=100
81 Max number of application metrics to store (per container)
82 --as=""
85 Username to impersonate for the operation
86 --as-group=[]
89 Group to impersonate for the operation, this flag can be repeated
90 to specify multiple groups.
91 --azure-container-registry-config=""
94 Path to the file containing Azure container registry configuration
95 information.
96 --boot-id-file="/proc/sys/kernel/random/boot_id"
99 Comma-separated list of files to check for boot-id. Use the first
100 one that exists.
101 --cache-dir="/builddir/.kube/http-cache"
104 Default HTTP cache directory
105 --certificate-authority=""
108 Path to a cert file for the certificate authority
109 --client-certificate=""
112 Path to a client certificate file for TLS
113 --client-key=""
116 Path to a client key file for TLS
117 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
120 CIDRs opened in GCE firewall for LB traffic proxy health checks
121 --cluster=""
124 The name of the kubeconfig cluster to use
125 --container-hints="/etc/cadvisor/container_hints.json"
128 location of the container hints file
129 --containerd="unix:///var/run/containerd.sock"
132 containerd endpoint
133 --context=""
136 The name of the kubeconfig context to use
137 --default-not-ready-toleration-seconds=300
140 Indicates the tolerationSeconds of the toleration for
141 notReady:NoExecute that is added by default to every pod that does not
142 already have such a toleration.
143 --default-unreachable-toleration-seconds=300
146 Indicates the tolerationSeconds of the toleration for unreach‐
147 able:NoExecute that is added by default to every pod that does not
148 already have such a toleration.
149 --docker="unix:///var/run/docker.sock"
152 docker endpoint
153 --docker-env-metadata-whitelist=""
156 a comma-separated list of environment variable keys that needs to
157 be collected for docker containers
158 --docker-only=false
161 Only report docker containers in addition to root stats
162 --docker-root="/var/lib/docker"
165 DEPRECATED: docker root is read from docker info (this is a fall‐
166 back, default: /var/lib/docker)
167 --docker-tls=false
170 use TLS to connect to docker
171 --docker-tls-ca="ca.pem"
174 path to trusted CA
175 --docker-tls-cert="cert.pem"
178 path to client certificate
179 --docker-tls-key="key.pem"
182 path to private key
183 --enable-load-reader=false
186 Whether to enable cpu load reader
187 --event-storage-age-limit="default=0"
190 Max length of time for which to store events (per type). Value is a
191 comma separated list of key values, where the keys are event types
192 (e.g.: creation, oom) or "default" and the value is a duration. Default
193 is applied to all non-specified event types
194 --event-storage-event-limit="default=0"
197 Max number of events to store (per type). Value is a comma sepa‐
198 rated list of key values, where the keys are event types (e.g.: cre‐
199 ation, oom) or "default" and the value is an integer. Default is
200 applied to all non-specified event types
201 --global-housekeeping-interval=1m0s
204 Interval between global housekeepings
205 --housekeeping-interval=10s
208 Interval between container housekeepings
209 --insecure-skip-tls-verify=false
212 If true, the server's certificate will not be checked for validity.
213 This will make your HTTPS connections insecure
214 --kubeconfig=""
217 Path to the kubeconfig file to use for CLI requests.
218 --log-backtrace-at=:0
221 when logging hits line file:N, emit a stack trace
222 --log-cadvisor-usage=false
225 Whether to log the usage of the cAdvisor container
226 --log-dir=""
229 If non-empty, write log files in this directory
230 --log-file=""
233 If non-empty, use this log file
234 --log-flush-frequency=5s
237 Maximum number of seconds between log flushes
238 --logtostderr=true
241 log to standard error instead of files
242 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
245 Comma-separated list of files to check for machine-id. Use the
246 first one that exists.
247 --match-server-version=false
250 Require server version to match client version
251 --mesos-agent="127.0.0.1:5051"
254 Mesos agent address
255 --mesos-agent-timeout=10s
258 Mesos agent timeout
259 -n, --namespace=""
262 If present, the namespace scope for this CLI request
263 --password=""
266 Password for basic authentication to the API server
267 --profile="none"
270 Name of profile to capture. One of (none|cpu|heap|goroutine|thread‐
271 create|block|mutex)
272 --profile-output="profile.pprof"
275 Name of the file to write the profile to
276 --request-timeout="0"
279 The length of time to wait before giving up on a single server
280 request. Non-zero values should contain a corresponding time unit (e.g.
281 1s, 2m, 3h). A value of zero means don't timeout requests.
282 -s, --server=""
285 The address and port of the Kubernetes API server
286 --skip-headers=false
289 If true, avoid header prefixes in the log messages
290 --stderrthreshold=2
293 logs at or above this threshold go to stderr
294 --storage-driver-buffer-duration=1m0s
297 Writes in the storage driver will be buffered for this duration,
298 and committed to the non memory backends as a single transaction
299 --storage-driver-db="cadvisor"
302 database name
303 --storage-driver-host="localhost:8086"
306 database host:port
307 --storage-driver-password="root"
310 database password
311 --storage-driver-secure=false
314 use secure connection with database
315 --storage-driver-table="stats"
318 table name
319 --storage-driver-user="root"
322 database username
323 --token=""
326 Bearer token for authentication to the API server
327 --user=""
330 The name of the kubeconfig user to use
331 --username=""
334 Username for basic authentication to the API server
335 -v, --v=0
338 log level for V logs
339 --version=false
342 Print version information and quit
343 --vmodule=
346 comma-separated list of pattern=N settings for file-filtered log‐
347 ging
348
352 # Create a new TLS secret named tls-secret with the given key pair:
353 kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
354
359 kubectl-create-secret(1),
360
364 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
365 com) based on the kubernetes source material, but hopefully they have
366 been automatically generated since!
367Eric Paris kubernetes User Manuals KUBERNETES(1)