1OC ADM POLICY(1)                   June 2016                  OC ADM POLICY(1)
2
3
4

NAME

6       oc  adm policy add-role-to-group - Add a role to groups for the current
7       project
8
9
10

SYNOPSIS

12       oc adm policy add-role-to-group [OPTIONS]
13
14
15

DESCRIPTION

17       Add a role to groups for the current project
18
19
20       This command allows you to grant a group access to  specific  resources
21       and actions within the current project, by assigning them to a role. It
22       creates or modifies a RoleBinding referencing the specified role adding
23       the group(s) to the list of subjects. The command does not require that
24       the matching role or group resources exist and will create the  binding
25       successfully  even when the role or group do not exist or when the user
26       does not have access to view them.
27
28
29       If the --rolebinding-name argument is supplied, it  will  look  for  an
30       existing rolebinding with that name. The role on the matching rolebind‐
31       ing MUST match the role name supplied to the command. If no rolebinding
32       name is given, a default name will be used. When --role-namespace argu‐
33       ment is specified as a non-empty  value,  it  MUST  match  the  current
34       namespace.  When role-namespace is specified, the rolebinding will ref‐
35       erence a namespaced Role. Otherwise, the rolebinding will  reference  a
36       ClusterRole resource.
37
38
39       To  learn more, see information about RBAC and policy, or use the 'get'
40       and 'describe' commands on  the  following  resources:  'clusterroles',
41       'clusterrolebindings',  'roles', 'rolebindings', 'users', 'groups', and
42       'serviceaccounts'.
43
44
45

OPTIONS

47       --allow-missing-template-keys=true
48           If true, ignore any errors in templates when a field or map key  is
49       missing  in  the  template.  Only applies to golang and jsonpath output
50       formats.
51
52
53       --dry-run=false
54           If true, only print the object that would be sent, without  sending
55       it.
56
57
58       --no-headers=false
59           When  using the default or custom-column output format, don't print
60       headers (default print headers).
61
62
63       -o, --output=""
64           Output format. One of:  json|yaml|wide|name|custom-columns=...|cus‐
65       tom-columns-file=...|go-template=...|go-template-file=...|json‐
66       path=...|jsonpath-file=...  See   custom   columns   [   ⟨http://kuber‐
67       netes.io/docs/user-guide/kubectl-overview/#custom-columns⟩],     golang
68       template  [  ⟨http://golang.org/pkg/text/template/#pkg-overview⟩]   and
69       jsonpath template [ ⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].
70
71
72       --role-namespace=""
73           namespace  where the role is located: empty means a role defined in
74       cluster policy
75
76
77       --rolebinding-name=""
78           Name of the rolebinding to modify or create. If left empty  creates
79       a new rolebinding with a default name
80
81
82       --show-labels=false
83           When  printing,  show  all  labels as the last column (default hide
84       labels column)
85
86
87       --sort-by=""
88           If non-empty, sort list types using this field specification.   The
89       field  specification  is  expressed  as  a  JSONPath  expression  (e.g.
90       '{.metadata.name}'). The field in the API resource  specified  by  this
91       JSONPath expression must be an integer or a string.
92
93
94       --template=""
95           Template  string  or  path  to template file to use when -o=go-tem‐
96       plate, -o=go-template-file. The template format is golang  templates  [
97       ⟨http://golang.org/pkg/text/template/#pkg-overview⟩].
98
99
100

OPTIONS INHERITED FROM PARENT COMMANDS

102       --allow_verification_with_non_compliant_keys=false
103           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
104       non-compliant with RFC6962.
105
106
107       --alsologtostderr=false
108           log to standard error as well as files
109
110
111       --application_metrics_count_limit=100
112           Max number of application metrics to store (per container)
113
114
115       --as=""
116           Username to impersonate for the operation
117
118
119       --as-group=[]
120           Group to impersonate for the operation, this flag can  be  repeated
121       to specify multiple groups.
122
123
124       --azure-container-registry-config=""
125           Path  to the file containing Azure container registry configuration
126       information.
127
128
129       --boot_id_file="/proc/sys/kernel/random/boot_id"
130           Comma-separated list of files to check for boot-id. Use  the  first
131       one that exists.
132
133
134       --cache-dir="/builddir/.kube/http-cache"
135           Default HTTP cache directory
136
137
138       --certificate-authority=""
139           Path to a cert file for the certificate authority
140
141
142       --client-certificate=""
143           Path to a client certificate file for TLS
144
145
146       --client-key=""
147           Path to a client key file for TLS
148
149
150       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
151           CIDRs opened in GCE firewall for LB traffic proxy  health checks
152
153
154       --cluster=""
155           The name of the kubeconfig cluster to use
156
157
158       --container_hints="/etc/cadvisor/container_hints.json"
159           location of the container hints file
160
161
162       --containerd="unix:///var/run/containerd.sock"
163           containerd endpoint
164
165
166       --context=""
167           The name of the kubeconfig context to use
168
169
170       --default-not-ready-toleration-seconds=300
171           Indicates   the   tolerationSeconds   of   the    toleration    for
172       notReady:NoExecute  that is added by default to every pod that does not
173       already have such a toleration.
174
175
176       --default-unreachable-toleration-seconds=300
177           Indicates the tolerationSeconds  of  the  toleration  for  unreach‐
178       able:NoExecute  that  is  added  by  default to every pod that does not
179       already have such a toleration.
180
181
182       --docker="unix:///var/run/docker.sock"
183           docker endpoint
184
185
186       --docker-tls=false
187           use TLS to connect to docker
188
189
190       --docker-tls-ca="ca.pem"
191           path to trusted CA
192
193
194       --docker-tls-cert="cert.pem"
195           path to client certificate
196
197
198       --docker-tls-key="key.pem"
199           path to private key
200
201
202       --docker_env_metadata_whitelist=""
203           a comma-separated list of environment variable keys that  needs  to
204       be collected for docker containers
205
206
207       --docker_only=false
208           Only report docker containers in addition to root stats
209
210
211       --docker_root="/var/lib/docker"
212           DEPRECATED:  docker  root is read from docker info (this is a fall‐
213       back, default: /var/lib/docker)
214
215
216       --enable_load_reader=false
217           Whether to enable cpu load reader
218
219
220       --event_storage_age_limit="default=24h"
221           Max length of time for which to store events (per type). Value is a
222       comma  separated  list  of  key  values, where the keys are event types
223       (e.g.: creation, oom) or "default" and the value is a duration. Default
224       is applied to all non-specified event types
225
226
227       --event_storage_event_limit="default=100000"
228           Max  number  of  events to store (per type). Value is a comma sepa‐
229       rated list of key values, where the keys are event  types  (e.g.:  cre‐
230       ation,  oom)  or  "default"  and  the  value  is an integer. Default is
231       applied to all non-specified event types
232
233
234       --global_housekeeping_interval=0
235           Interval between global housekeepings
236
237
238       --housekeeping_interval=0
239           Interval between container housekeepings
240
241
242       --httptest.serve=""
243           if non-empty, httptest.NewServer serves on this address and blocks
244
245
246       --insecure-skip-tls-verify=false
247           If true, the server's certificate will not be checked for validity.
248       This will make your HTTPS connections insecure
249
250
251       --kubeconfig=""
252           Path to the kubeconfig file to use for CLI requests.
253
254
255       --log-flush-frequency=0
256           Maximum number of seconds between log flushes
257
258
259       --log_backtrace_at=:0
260           when logging hits line file:N, emit a stack trace
261
262
263       --log_cadvisor_usage=false
264           Whether to log the usage of the cAdvisor container
265
266
267       --log_dir=""
268           If non-empty, write log files in this directory
269
270
271       --logtostderr=true
272           log to standard error instead of files
273
274
275       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
276           Comma-separated  list  of  files  to  check for machine-id. Use the
277       first one that exists.
278
279
280       --match-server-version=false
281           Require server version to match client version
282
283
284       -n, --namespace=""
285           If present, the namespace scope for this CLI request
286
287
288       --request-timeout="0"
289           The length of time to wait before giving  up  on  a  single  server
290       request. Non-zero values should contain a corresponding time unit (e.g.
291       1s, 2m, 3h). A value of zero means don't timeout requests.
292
293
294       -s, --server=""
295           The address and port of the Kubernetes API server
296
297
298       --stderrthreshold=2
299           logs at or above this threshold go to stderr
300
301
302       --storage_driver_buffer_duration=0
303           Writes in the storage driver will be buffered  for  this  duration,
304       and committed to the non memory backends as a single transaction
305
306
307       --storage_driver_db="cadvisor"
308           database name
309
310
311       --storage_driver_host="localhost:8086"
312           database host:port
313
314
315       --storage_driver_password="root"
316           database password
317
318
319       --storage_driver_secure=false
320           use secure connection with database
321
322
323       --storage_driver_table="stats"
324           table name
325
326
327       --storage_driver_user="root"
328           database username
329
330
331       --token=""
332           Bearer token for authentication to the API server
333
334
335       --user=""
336           The name of the kubeconfig user to use
337
338
339       -v, --v=0
340           log level for V logs
341
342
343       --version=false
344           Print version information and quit
345
346
347       --vmodule=
348           comma-separated  list  of pattern=N settings for file-filtered log‐
349       ging
350
351
352

SEE ALSO

354       oc-adm-policy(1),
355
356
357

HISTORY

359       June 2016, Ported from the Kubernetes man-doc generator
360
361
362
363Openshift                  Openshift CLI User Manuals         OC ADM POLICY(1)