OC ADM POLICY(1)                   June 2016                  OC ADM POLICY(1)

NAME

       oc adm policy add-role-to-user - Add a role to users or serviceaccounts
       for the current project

SYNOPSIS

       oc adm policy add-role-to-user [OPTIONS]

DESCRIPTION

       Add a role to users or service accounts for the current project

       This command allows you to grant a user access to specific resources
       and actions within the current project, by assigning them to a role. It
       creates or modifies a RoleBinding that references the specified role,
       adding the user(s) or serviceaccount(s) to the list of subjects. The
       command does not require that the matching role or user/serviceaccount
       resources exist, and it will create the binding successfully even when
       the role or user/serviceaccount does not exist or when the user does not
       have access to view them.

       If the --rolebinding-name argument is supplied, the command looks for an
       existing rolebinding with that name. The role on the matching
       rolebinding MUST match the role name supplied to the command. If no
       rolebinding name is given, a default name will be used. When the
       --role-namespace argument is specified as a non-empty value, it MUST
       match the current namespace. When --role-namespace is specified, the
       rolebinding will reference a namespaced Role. Otherwise, the rolebinding
       will reference a ClusterRole resource.

       To learn more, see information about RBAC and policy, or use the 'get'
       and 'describe' commands on the following resources: 'clusterroles',
       'clusterrolebindings', 'roles', 'rolebindings', 'users', 'groups', and
       'serviceaccounts'.

OPTIONS

       --allow-missing-template-keys=true
           If true, ignore any errors in templates when a field or map key is
           missing in the template. Only applies to golang and jsonpath output
           formats.

       --dry-run=false
           If true, only print the object that would be sent, without sending
           it.

       --no-headers=false
           When using the default or custom-column output format, don't print
           headers (default print headers).

       -o, --output=""
           Output format. One of:
           json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=...
           See custom columns
           [⟨http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns⟩],
           golang template [⟨http://golang.org/pkg/text/template/#pkg-overview⟩]
           and jsonpath template [⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].

       --role-namespace=""
           namespace where the role is located: empty means a role defined in
           cluster policy

       --rolebinding-name=""
           Name of the rolebinding to modify or create. If left empty creates
           a new rolebinding with a default name

       -z, --serviceaccount=[]
           service account in the current namespace to use as a user

       --show-labels=false
           When printing, show all labels as the last column (default hide
           labels column)

       --sort-by=""
           If non-empty, sort list types using this field specification. The
           field specification is expressed as a JSONPath expression (e.g.
           '{.metadata.name}'). The field in the API resource specified by this
           JSONPath expression must be an integer or a string.

       --template=""
           Template string or path to template file to use when
           -o=go-template, -o=go-template-file. The template format is golang
           templates [⟨http://golang.org/pkg/text/template/#pkg-overview⟩].

OPTIONS INHERITED FROM PARENT COMMANDS

       --allow_verification_with_non_compliant_keys=false
           Allow a SignatureVerifier to use keys which are technically
           non-compliant with RFC6962.

       --alsologtostderr=false
           log to standard error as well as files

       --application_metrics_count_limit=100
           Max number of application metrics to store (per container)

       --as=""
           Username to impersonate for the operation

       --as-group=[]
           Group to impersonate for the operation, this flag can be repeated
           to specify multiple groups.

       --azure-container-registry-config=""
           Path to the file containing Azure container registry configuration
           information.

       --boot_id_file="/proc/sys/kernel/random/boot_id"
           Comma-separated list of files to check for boot-id. Use the first
           one that exists.

       --cache-dir="/builddir/.kube/http-cache"
           Default HTTP cache directory

       --certificate-authority=""
           Path to a cert file for the certificate authority

       --client-certificate=""
           Path to a client certificate file for TLS

       --client-key=""
           Path to a client key file for TLS

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
           CIDRs opened in GCE firewall for LB traffic proxy & health checks

       --cluster=""
           The name of the kubeconfig cluster to use

       --container_hints="/etc/cadvisor/container_hints.json"
           location of the container hints file

       --containerd="unix:///var/run/containerd.sock"
           containerd endpoint

       --context=""
           The name of the kubeconfig context to use

       --default-not-ready-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           notReady:NoExecute that is added by default to every pod that does
           not already have such a toleration.

       --default-unreachable-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           unreachable:NoExecute that is added by default to every pod that
           does not already have such a toleration.

       --docker="unix:///var/run/docker.sock"
           docker endpoint

       --docker-tls=false
           use TLS to connect to docker

       --docker-tls-ca="ca.pem"
           path to trusted CA

       --docker-tls-cert="cert.pem"
           path to client certificate

       --docker-tls-key="key.pem"
           path to private key

       --docker_env_metadata_whitelist=""
           a comma-separated list of environment variable keys that needs to
           be collected for docker containers

       --docker_only=false
           Only report docker containers in addition to root stats

       --docker_root="/var/lib/docker"
           DEPRECATED: docker root is read from docker info (this is a
           fallback, default: /var/lib/docker)

       --enable_load_reader=false
           Whether to enable cpu load reader

       --event_storage_age_limit="default=24h"
           Max length of time for which to store events (per type). Value is a
           comma separated list of key values, where the keys are event types
           (e.g.: creation, oom) or "default" and the value is a duration.
           Default is applied to all non-specified event types

       --event_storage_event_limit="default=100000"
           Max number of events to store (per type). Value is a comma
           separated list of key values, where the keys are event types (e.g.:
           creation, oom) or "default" and the value is an integer. Default is
           applied to all non-specified event types

       --global_housekeeping_interval=0
           Interval between global housekeepings

       --housekeeping_interval=0
           Interval between container housekeepings

       --httptest.serve=""
           if non-empty, httptest.NewServer serves on this address and blocks

       --insecure-skip-tls-verify=false
           If true, the server's certificate will not be checked for validity.
           This will make your HTTPS connections insecure

       --kubeconfig=""
           Path to the kubeconfig file to use for CLI requests.

       --log-flush-frequency=0
           Maximum number of seconds between log flushes

       --log_backtrace_at=:0
           when logging hits line file:N, emit a stack trace

       --log_cadvisor_usage=false
           Whether to log the usage of the cAdvisor container

       --log_dir=""
           If non-empty, write log files in this directory

       --logtostderr=true
           log to standard error instead of files

       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
           Comma-separated list of files to check for machine-id. Use the
           first one that exists.

       --match-server-version=false
           Require server version to match client version

       -n, --namespace=""
           If present, the namespace scope for this CLI request

       --request-timeout="0"
           The length of time to wait before giving up on a single server
           request. Non-zero values should contain a corresponding time unit
           (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

       -s, --server=""
           The address and port of the Kubernetes API server

       --stderrthreshold=2
           logs at or above this threshold go to stderr

       --storage_driver_buffer_duration=0
           Writes in the storage driver will be buffered for this duration,
           and committed to the non memory backends as a single transaction

       --storage_driver_db="cadvisor"
           database name

       --storage_driver_host="localhost:8086"
           database host:port

       --storage_driver_password="root"
           database password

       --storage_driver_secure=false
           use secure connection with database

       --storage_driver_table="stats"
           table name

       --storage_driver_user="root"
           database username

       --token=""
           Bearer token for authentication to the API server

       --user=""
           The name of the kubeconfig user to use

       -v, --v=0
           log level for V logs

       --version=false
           Print version information and quit

       --vmodule=
           comma-separated list of pattern=N settings for file-filtered
           logging

EXAMPLE

       # Add the 'view' role to user1 for the current project
       oc adm policy add-role-to-user view user1

       # Add the 'edit' role to serviceaccount1 for the current project
       oc adm policy add-role-to-user edit -z serviceaccount1
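
       Because the command creates the binding even when the role or subject
       does not exist, a misspelled name is bound silently. The wrapper below
       is an added example, not part of the oc manual or the project's code:
       it checks that both exist, prints the RoleBinding with --dry-run, and
       only then applies it. The function name safe_add_role and its return
       codes are hypothetical.

```shell
# Added example, not part of the oc manual. Assumes a logged-in `oc` whose
# caller may `get` the role and subject being checked.
# Usage: safe_add_role ROLE user|serviceaccount NAME [ROLE_NAMESPACE]
safe_add_role() {
    role=$1 kind=$2 name=$3 role_ns=${4:-}

    # Without --role-namespace the binding references a ClusterRole;
    # with it, a namespaced Role. Check the one that will be referenced.
    if [ -n "$role_ns" ]; then
        oc get role "$role" -n "$role_ns" >/dev/null 2>&1 || {
            echo "refusing: Role $role_ns/$role not found" >&2; return 2; }
    else
        oc get clusterrole "$role" >/dev/null 2>&1 || {
            echo "refusing: ClusterRole $role not found" >&2; return 2; }
    fi

    # Check the subject, then build the argument list for the real command.
    set -- "$role"
    case $kind in
        user)
            oc get user "$name" >/dev/null 2>&1 || {
                echo "refusing: user $name not found" >&2; return 3; }
            set -- "$@" "$name" ;;
        serviceaccount)
            oc get serviceaccount "$name" >/dev/null 2>&1 || {
                echo "refusing: serviceaccount $name not found" >&2; return 3; }
            set -- "$@" -z "$name" ;;
        *)
            echo "usage: safe_add_role ROLE user|serviceaccount NAME [ROLE_NS]" >&2
            return 64 ;;
    esac
    if [ -n "$role_ns" ]; then
        set -- "$@" --role-namespace="$role_ns"
    fi

    # Print the RoleBinding that would be sent, then send it.
    oc adm policy add-role-to-user "$@" --dry-run=true -o yaml || return 4
    oc adm policy add-role-to-user "$@"
}
```

       The wrapper refuses when the caller cannot view users or roles, which
       is the case the DESCRIPTION says the plain command lets through.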

SEE ALSO

       oc-adm-policy(1),

HISTORY

       June 2016, Ported from the Kubernetes man-doc generator

Openshift                  Openshift CLI User Manuals         OC ADM POLICY(1)