1OC ADM(1)                          June 2016                         OC ADM(1)
2
3
4

NAME

6       oc adm policy - Manage policy
7
8
9

SYNOPSIS

11       oc adm policy [OPTIONS]
12
13
14

DESCRIPTION

16       Manage policy on the cluster
17
18
19       These  commands  allow  you to assign and manage the roles and policies
20       that apply to users. The reconcile commands  allow  you  to  reset  and
21       upgrade your system policies to the latest default policies.
22
23
24       To  see  more  information  on  roles  and  policies, use the 'get' and
25       'describe' commands on the following resources: 'clusterroles',  'clus‐
26       terpolicy',  'clusterrolebindings',  'roles', 'policy', 'rolebindings',
27       and 'scc'.
28
29
30

OPTIONS INHERITED FROM PARENT COMMANDS

32       --allow_verification_with_non_compliant_keys=false
33           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
34       non-compliant with RFC6962.
35
36
37       --alsologtostderr=false
38           log to standard error as well as files
39
40
41       --application_metrics_count_limit=100
42           Max number of application metrics to store (per container)
43
44
45       --as=""
46           Username to impersonate for the operation
47
48
49       --as-group=[]
50           Group  to  impersonate for the operation, this flag can be repeated
51       to specify multiple groups.
52
53
54       --azure-container-registry-config=""
55           Path to the file containing Azure container registry  configuration
56       information.
57
58
59       --boot_id_file="/proc/sys/kernel/random/boot_id"
60           Comma-separated  list  of files to check for boot-id. Use the first
61       one that exists.
62
63
64       --cache-dir="/builddir/.kube/http-cache"
65           Default HTTP cache directory
66
67
68       --certificate-authority=""
69           Path to a cert file for the certificate authority
70
71
72       --client-certificate=""
73           Path to a client certificate file for TLS
74
75
76       --client-key=""
77           Path to a client key file for TLS
78
79
80       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
81           CIDRs opened in GCE firewall for LB traffic proxy and health checks
82
83
84       --cluster=""
85           The name of the kubeconfig cluster to use
86
87
88       --container_hints="/etc/cadvisor/container_hints.json"
89           location of the container hints file
90
91
92       --containerd="unix:///var/run/containerd.sock"
93           containerd endpoint
94
95
96       --context=""
97           The name of the kubeconfig context to use
98
99
100       --default-not-ready-toleration-seconds=300
101           Indicates    the    tolerationSeconds   of   the   toleration   for
102       notReady:NoExecute that is added by default to every pod that does  not
103       already have such a toleration.
104
105
106       --default-unreachable-toleration-seconds=300
107           Indicates  the  tolerationSeconds  of  the  toleration for unreach‐
108       able:NoExecute that is added by default to  every  pod  that  does  not
109       already have such a toleration.
110
111
112       --docker="unix:///var/run/docker.sock"
113           docker endpoint
114
115
116       --docker-tls=false
117           use TLS to connect to docker
118
119
120       --docker-tls-ca="ca.pem"
121           path to trusted CA
122
123
124       --docker-tls-cert="cert.pem"
125           path to client certificate
126
127
128       --docker-tls-key="key.pem"
129           path to private key
130
131
132       --docker_env_metadata_whitelist=""
133           a comma-separated list of environment variable keys that need to
134       be collected for docker containers
135
136
137       --docker_only=false
138           Only report docker containers in addition to root stats
139
140
141       --docker_root="/var/lib/docker"
142           DEPRECATED: docker root is read from docker info (this is  a  fall‐
143       back, default: /var/lib/docker)
144
145
146       --enable_load_reader=false
147           Whether to enable cpu load reader
148
149
150       --event_storage_age_limit="default=24h"
151           Max length of time for which to store events (per type). Value is a
152       comma separated list of key values, where  the  keys  are  event  types
153       (e.g.: creation, oom) or "default" and the value is a duration. Default
154       is applied to all non-specified event types
155
156
157       --event_storage_event_limit="default=100000"
158           Max number of events to store (per type). Value is  a  comma  sepa‐
159       rated  list  of  key values, where the keys are event types (e.g.: cre‐
160       ation, oom) or "default" and  the  value  is  an  integer.  Default  is
161       applied to all non-specified event types
162
163
164       --global_housekeeping_interval=0
165           Interval between global housekeepings
166
167
168       --housekeeping_interval=0
169           Interval between container housekeepings
170
171
172       --httptest.serve=""
173           if non-empty, httptest.NewServer serves on this address and blocks
174
175
176       --insecure-skip-tls-verify=false
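177           If true, the server's certificate will not be checked for validity.
178       This will make your HTTPS connections insecure: the client cannot confirm it is talking to the intended API server, so credentials and traffic can be intercepted.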
179
180
181       --kubeconfig=""
182           Path to the kubeconfig file to use for CLI requests.
183
184
185       --log-flush-frequency=0
186           Maximum number of seconds between log flushes
187
188
189       --log_backtrace_at=:0
190           when logging hits line file:N, emit a stack trace
191
192
193       --log_cadvisor_usage=false
194           Whether to log the usage of the cAdvisor container
195
196
197       --log_dir=""
198           If non-empty, write log files in this directory
199
200
201       --logtostderr=true
202           log to standard error instead of files
203
204
205       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
206           Comma-separated list of files to  check  for  machine-id.  Use  the
207       first one that exists.
208
209
210       --match-server-version=false
211           Require server version to match client version
212
213
214       -n, --namespace=""
215           If present, the namespace scope for this CLI request
216
217
218       --request-timeout="0"
219           The  length  of  time  to  wait before giving up on a single server
220       request. Non-zero values should contain a corresponding time unit (e.g.
221       1s, 2m, 3h). A value of zero means don't timeout requests.
222
223
224       -s, --server=""
225           The address and port of the Kubernetes API server
226
227
228       --stderrthreshold=2
229           logs at or above this threshold go to stderr
230
231
232       --storage_driver_buffer_duration=0
233           Writes  in  the  storage driver will be buffered for this duration,
234       and committed to the non memory backends as a single transaction
235
236
237       --storage_driver_db="cadvisor"
238           database name
239
240
241       --storage_driver_host="localhost:8086"
242           database host:port
243
244
245       --storage_driver_password="root"
246           database password (the default shown is a well-known value; set an explicit one if a storage driver is configured)
247
248
249       --storage_driver_secure=false
250           use secure connection with database
251
252
253       --storage_driver_table="stats"
254           table name
255
256
257       --storage_driver_user="root"
258           database username
259
260
261       --token=""
262           Bearer token for authentication to the API server. A token passed on the command line can be visible in the process list and shell history.
263
264
265       --user=""
266           The name of the kubeconfig user to use
267
268
269       -v, --v=0
270           log level for V logs
271
272
273       --version=false
274           Print version information and quit
275
276
277       --vmodule=
278           comma-separated list of pattern=N settings for  file-filtered  log‐
279       ging
280
281
282

SEE ALSO

284       oc-adm(1),    oc-adm-policy-add-cluster-role-to-group(1),   oc-adm-pol‐
285       icy-add-cluster-role-to-user(1),    oc-adm-policy-add-role-to-group(1),
286       oc-adm-policy-add-role-to-user(1),   oc-adm-policy-add-scc-to-group(1),
287       oc-adm-policy-add-scc-to-user(1),         oc-adm-policy-reconcile-clus‐
288       ter-role-bindings(1),         oc-adm-policy-reconcile-cluster-roles(1),
289       oc-adm-policy-reconcile-sccs(1),             oc-adm-policy-remove-clus‐
290       ter-role-from-group(1), oc-adm-policy-remove-cluster-role-from-user(1),
291       oc-adm-policy-remove-group(1), oc-adm-policy-remove-role-from-group(1),
292       oc-adm-policy-remove-role-from-user(1),                     oc-adm-pol‐
293       icy-remove-scc-from-group(1),    oc-adm-policy-remove-scc-from-user(1),
294       oc-adm-policy-remove-user(1),  oc-adm-policy-scc-review(1), oc-adm-pol‐
295       icy-scc-subject-review(1), oc-adm-policy-who-can(1),
296
297
298

HISTORY

300       June 2016, Ported from the Kubernetes man-doc generator
301
302
303
304Openshift                  Openshift CLI User Manuals                OC ADM(1)