1OC ADM POLICY(1)                   June 2016                  OC ADM POLICY(1)
2
3
4

NAME

6       oc  adm  policy  reconcile-cluster-role-bindings  - Update cluster role
7       bindings to match the recommended bootstrap policy
8
9
10

SYNOPSIS

12       oc adm policy reconcile-cluster-role-bindings [OPTIONS]
13
14
15

DESCRIPTION

17       Update cluster role bindings to match the recommended bootstrap policy
18
19
20       This command will inspect the cluster role bindings against the  recom‐
21       mended  bootstrap  policy. Any cluster role binding that does not match
22       will be replaced by the recommended bootstrap role binding.  This  com‐
23       mand will not remove any additional cluster role bindings.
24
25
26       You  can  see  which  recommended cluster role bindings have changed by
27       choosing an output type.
28
29
30

OPTIONS

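32       --additive-only=true
33           If true, preserves extra subjects in cluster role bindings. If false, subjects that are not part of the recommended bootstrap role binding are removed from the binding.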
34
35
36       --allow-missing-template-keys=true
37           If true, ignore any errors in templates when a field or map key  is
38       missing  in  the  template.  Only applies to golang and jsonpath output
39       formats.
40
41
42       --confirm=false
43           If true, the cluster role bindings are actually modified.
44       Defaults to false, which only displays what would be replaced without
45       replacing anything.
46
47
48       --exclude-groups=[]
49           Do not add cluster role bindings for these group names.
50
51
52       --exclude-users=[]
53           Do not add cluster role bindings for these user names.
54
55
56       --no-headers=false
57           When using the default or custom-column output format, don't  print
58       headers (default print headers).
59
60
61       -o, --output="yaml"
62           Output  format. One of: json|yaml|wide|name|custom-columns=...|cus‐
63       tom-columns-file=...|go-template=...|go-template-file=...|json‐
64       path=...|jsonpath-file=...   See   custom   columns   [
65       ⟨http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns⟩], golang
66       template   [  ⟨http://golang.org/pkg/text/template/#pkg-overview⟩]  and
67       jsonpath template [ ⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].
68
69
70       --show-labels=false
71           When printing, show all labels as the  last  column  (default  hide
72       labels column)
73
74
75       --sort-by=""
76           If  non-empty, sort list types using this field specification.  The
77       field  specification  is  expressed  as  a  JSONPath  expression  (e.g.
78       '{.metadata.name}').  The  field  in the API resource specified by this
79       JSONPath expression must be an integer or a string.
80
81
82       --template=""
83           Template string or path to template file  to  use  when  -o=go-tem‐
84       plate,  -o=go-template-file.  The template format is golang templates [
85       ⟨http://golang.org/pkg/text/template/#pkg-overview⟩].
86
87
88

OPTIONS INHERITED FROM PARENT COMMANDS

90       --allow_verification_with_non_compliant_keys=false
91           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
92       non-compliant with RFC6962.
93
94
95       --alsologtostderr=false
96           log to standard error as well as files
97
98
99       --application_metrics_count_limit=100
100           Max number of application metrics to store (per container)
101
102
103       --as=""
104           Username to impersonate for the operation
105
106
107       --as-group=[]
108           Group  to  impersonate for the operation, this flag can be repeated
109       to specify multiple groups.
110
111
112       --azure-container-registry-config=""
113           Path to the file containing Azure container registry  configuration
114       information.
115
116
117       --boot_id_file="/proc/sys/kernel/random/boot_id"
118           Comma-separated  list  of files to check for boot-id. Use the first
119       one that exists.
120
121
122       --cache-dir="/builddir/.kube/http-cache"
123           Default HTTP cache directory
124
125
126       --certificate-authority=""
127           Path to a cert file for the certificate authority
128
129
130       --client-certificate=""
131           Path to a client certificate file for TLS
132
133
134       --client-key=""
135           Path to a client key file for TLS
136
137
138       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
139           CIDRs opened in GCE firewall for LB traffic proxy & health checks
140
141
142       --cluster=""
143           The name of the kubeconfig cluster to use
144
145
146       --container_hints="/etc/cadvisor/container_hints.json"
147           location of the container hints file
148
149
150       --containerd="unix:///var/run/containerd.sock"
151           containerd endpoint
152
153
154       --context=""
155           The name of the kubeconfig context to use
156
157
158       --default-not-ready-toleration-seconds=300
159           Indicates    the    tolerationSeconds   of   the   toleration   for
160       notReady:NoExecute that is added by default to every pod that does  not
161       already have such a toleration.
162
163
164       --default-unreachable-toleration-seconds=300
165           Indicates  the  tolerationSeconds  of  the  toleration for unreach‐
166       able:NoExecute that is added by default to  every  pod  that  does  not
167       already have such a toleration.
168
169
170       --docker="unix:///var/run/docker.sock"
171           docker endpoint
172
173
174       --docker-tls=false
175           use TLS to connect to docker
176
177
178       --docker-tls-ca="ca.pem"
179           path to trusted CA
180
181
182       --docker-tls-cert="cert.pem"
183           path to client certificate
184
185
186       --docker-tls-key="key.pem"
187           path to private key
188
189
190       --docker_env_metadata_whitelist=""
191           a  comma-separated  list of environment variable keys that need to
192       be collected for docker containers
193
194
195       --docker_only=false
196           Only report docker containers in addition to root stats
197
198
199       --docker_root="/var/lib/docker"
200           DEPRECATED: docker root is read from docker info (this is  a  fall‐
201       back, default: /var/lib/docker)
202
203
204       --enable_load_reader=false
205           Whether to enable cpu load reader
206
207
208       --event_storage_age_limit="default=24h"
209           Max length of time for which to store events (per type). Value is a
210       comma separated list of key values, where  the  keys  are  event  types
211       (e.g.: creation, oom) or "default" and the value is a duration. Default
212       is applied to all non-specified event types
213
214
215       --event_storage_event_limit="default=100000"
216           Max number of events to store (per type). Value is  a  comma  sepa‐
217       rated  list  of  key values, where the keys are event types (e.g.: cre‐
218       ation, oom) or "default" and  the  value  is  an  integer.  Default  is
219       applied to all non-specified event types
220
221
222       --global_housekeeping_interval=0
223           Interval between global housekeepings
224
225
226       --housekeeping_interval=0
227           Interval between container housekeepings
228
229
230       --httptest.serve=""
231           if non-empty, httptest.NewServer serves on this address and blocks
232
233
234       --insecure-skip-tls-verify=false
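235           If true, the server's certificate will not be checked for validity.
236       This will make your HTTPS connections insecure: the server's identity is not verified, so anything sent over the connection, including the bearer token or client credentials, can be intercepted.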
237
238
239       --kubeconfig=""
240           Path to the kubeconfig file to use for CLI requests.
241
242
243       --log-flush-frequency=0
244           Maximum number of seconds between log flushes
245
246
247       --log_backtrace_at=:0
248           when logging hits line file:N, emit a stack trace
249
250
251       --log_cadvisor_usage=false
252           Whether to log the usage of the cAdvisor container
253
254
255       --log_dir=""
256           If non-empty, write log files in this directory
257
258
259       --logtostderr=true
260           log to standard error instead of files
261
262
263       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
264           Comma-separated list of files to  check  for  machine-id.  Use  the
265       first one that exists.
266
267
268       --match-server-version=false
269           Require server version to match client version
270
271
272       -n, --namespace=""
273           If present, the namespace scope for this CLI request
274
275
276       --request-timeout="0"
277           The  length  of  time  to  wait before giving up on a single server
278       request. Non-zero values should contain a corresponding time unit (e.g.
279       1s, 2m, 3h). A value of zero means don't timeout requests.
280
281
282       -s, --server=""
283           The address and port of the Kubernetes API server
284
285
286       --stderrthreshold=2
287           logs at or above this threshold go to stderr
288
289
290       --storage_driver_buffer_duration=0
291           Writes  in  the  storage driver will be buffered for this duration,
292       and committed to the non memory backends as a single transaction
293
294
295       --storage_driver_db="cadvisor"
296           database name
297
298
299       --storage_driver_host="localhost:8086"
300           database host:port
301
302
303       --storage_driver_password="root"
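304           database password. The default shown is a well-known value; set an explicit password when a storage driver is configured.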
305
306
307       --storage_driver_secure=false
308           use secure connection with database
309
310
311       --storage_driver_table="stats"
312           table name
313
314
315       --storage_driver_user="root"
316           database username
317
318
319       --token=""
320           Bearer token for authentication to the API server. A token passed on the command line can be exposed through shell history and process listings.
321
322
323       --user=""
324           The name of the kubeconfig user to use
325
326
327       -v, --v=0
328           log level for V logs
329
330
331       --version=false
332           Print version information and quit
333
334
335       --vmodule=
336           comma-separated list of pattern=N settings for  file-filtered  log‐
337       ging
338
339
340

EXAMPLE

342                # Display the names of cluster role bindings that would be modified
343                oc adm policy reconcile-cluster-role-bindings -o name
344
345                # Display the cluster role bindings that would be modified if extra subjects were also removed (nothing is changed without --confirm)
346                oc adm policy reconcile-cluster-role-bindings --additive-only=false
347
348                # Update cluster role bindings that don't match the current defaults
349                oc adm policy reconcile-cluster-role-bindings --confirm
350
351                # Update cluster role bindings that don't match the current defaults, avoid adding roles to the system:authenticated group
352                oc adm policy reconcile-cluster-role-bindings --confirm --exclude-groups=system:authenticated
353
354                # Update cluster role bindings that don't match the current defaults, removing any extra subjects from the binding
355                oc adm policy reconcile-cluster-role-bindings --confirm --additive-only=false
356
357
358
359

SEE ALSO

361       oc-adm-policy(1),
362
363
364

HISTORY

366       June 2016, Ported from the Kubernetes man-doc generator
367
368
369
370Openshift                  Openshift CLI User Manuals         OC ADM POLICY(1)