1OC ADM POLICY(1)                   June 2016                  OC ADM POLICY(1)
2
3
4

NAME

6       oc  adm  policy  add-scc-to-user  -  Add security context constraint to
7       users or a service account
8
9
10

SYNOPSIS

12       oc adm policy add-scc-to-user [OPTIONS]
13
14
15

DESCRIPTION

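17       Add a security context constraint (SCC) to one or more users or to a
       service account. Pods created by those identities can then be admitted
       under that SCC, so a permissive SCC such as 'privileged' widens what
       their pods are allowed to do; choose the least permissive SCC that the
       workload needs.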
18
19
20

OPTIONS

22       --allow-missing-template-keys=true
23           If true, ignore any errors in templates when a field or map key  is
24       missing  in  the  template.  Only applies to golang and jsonpath output
25       formats.
26
27
28       --dry-run=false
29           If true, only print the object that would be sent, without  sending
30       it.
31
32
33       --no-headers=false
34           When  using the default or custom-column output format, don't print
35       headers (default print headers).
36
37
38       -o, --output=""
39           Output format. One of:  json|yaml|wide|name|custom-columns=...|cus‐
40       tom-columns-file=...|go-template=...|go-template-file=...|json‐
41       path=...|jsonpath-file=...  See   custom   columns   [
42       ⟨http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns⟩],     golang
43       template  [  ⟨http://golang.org/pkg/text/template/#pkg-overview⟩]   and
44       jsonpath template [ ⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].
45
46
47       -z, --serviceaccount=[]
48           Name of a service account in the current namespace to treat as
       the user that the security context constraint is added to
49
50
51       --show-labels=false
52           When  printing,  show  all  labels as the last column (default hide
53       labels column)
54
55
56       --sort-by=""
57           If non-empty, sort list types using this field specification.   The
58       field  specification  is  expressed  as  a  JSONPath  expression  (e.g.
59       '{.metadata.name}'). The field in the API resource  specified  by  this
60       JSONPath expression must be an integer or a string.
61
62
63       --template=""
64           Template  string  or  path  to template file to use when -o=go-tem‐
65       plate, -o=go-template-file. The template format is golang  templates  [
66       ⟨http://golang.org/pkg/text/template/#pkg-overview⟩].
67
68
69

OPTIONS INHERITED FROM PARENT COMMANDS

71       --allow_verification_with_non_compliant_keys=false
72           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
73       non-compliant with RFC6962.
74
75
76       --alsologtostderr=false
77           log to standard error as well as files
78
79
80       --application_metrics_count_limit=100
81           Max number of application metrics to store (per container)
82
83
84       --as=""
85           Username to impersonate for the operation
86
87
88       --as-group=[]
89           Group to impersonate for the operation, this flag can  be  repeated
90       to specify multiple groups.
91
92
93       --azure-container-registry-config=""
94           Path  to the file containing Azure container registry configuration
95       information.
96
97
98       --boot_id_file="/proc/sys/kernel/random/boot_id"
99           Comma-separated list of files to check for boot-id. Use  the  first
100       one that exists.
101
102
103       --cache-dir="/builddir/.kube/http-cache"
104           Default HTTP cache directory
105
106
107       --certificate-authority=""
108           Path to a cert file for the certificate authority
109
110
111       --client-certificate=""
112           Path to a client certificate file for TLS
113
114
115       --client-key=""
116           Path to a client key file for TLS
117
118
119       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
120           CIDRs opened in GCE firewall for LB traffic proxy and health checks
121
122
123       --cluster=""
124           The name of the kubeconfig cluster to use
125
126
127       --container_hints="/etc/cadvisor/container_hints.json"
128           location of the container hints file
129
130
131       --containerd="unix:///var/run/containerd.sock"
132           containerd endpoint
133
134
135       --context=""
136           The name of the kubeconfig context to use
137
138
139       --default-not-ready-toleration-seconds=300
140           Indicates   the   tolerationSeconds   of   the    toleration    for
141       notReady:NoExecute  that is added by default to every pod that does not
142       already have such a toleration.
143
144
145       --default-unreachable-toleration-seconds=300
146           Indicates the tolerationSeconds  of  the  toleration  for  unreach‐
147       able:NoExecute  that  is  added  by  default to every pod that does not
148       already have such a toleration.
149
150
151       --docker="unix:///var/run/docker.sock"
152           docker endpoint
153
154
155       --docker-tls=false
156           use TLS to connect to docker
157
158
159       --docker-tls-ca="ca.pem"
160           path to trusted CA
161
162
163       --docker-tls-cert="cert.pem"
164           path to client certificate
165
166
167       --docker-tls-key="key.pem"
168           path to private key
169
170
171       --docker_env_metadata_whitelist=""
172           a comma-separated list of environment variable keys that need  to
173       be collected for docker containers
174
175
176       --docker_only=false
177           Only report docker containers in addition to root stats
178
179
180       --docker_root="/var/lib/docker"
181           DEPRECATED:  docker  root is read from docker info (this is a fall‐
182       back, default: /var/lib/docker)
183
184
185       --enable_load_reader=false
186           Whether to enable cpu load reader
187
188
189       --event_storage_age_limit="default=24h"
190           Max length of time for which to store events (per type). Value is a
191       comma  separated  list  of  key  values, where the keys are event types
192       (e.g.: creation, oom) or "default" and the value is a duration. Default
193       is applied to all non-specified event types
194
195
196       --event_storage_event_limit="default=100000"
197           Max  number  of  events to store (per type). Value is a comma sepa‐
198       rated list of key values, where the keys are event  types  (e.g.:  cre‐
199       ation,  oom)  or  "default"  and  the  value  is an integer. Default is
200       applied to all non-specified event types
201
202
203       --global_housekeeping_interval=0
204           Interval between global housekeepings
205
206
207       --housekeeping_interval=0
208           Interval between container housekeepings
209
210
211       --httptest.serve=""
212           if non-empty, httptest.NewServer serves on this address and blocks
213
214
215       --insecure-skip-tls-verify=false
216           If true, the server's certificate will not be checked for validity.
217       This will make your HTTPS connections insecure
218
219
220       --kubeconfig=""
221           Path to the kubeconfig file to use for CLI requests.
222
223
224       --log-flush-frequency=0
225           Maximum number of seconds between log flushes
226
227
228       --log_backtrace_at=:0
229           when logging hits line file:N, emit a stack trace
230
231
232       --log_cadvisor_usage=false
233           Whether to log the usage of the cAdvisor container
234
235
236       --log_dir=""
237           If non-empty, write log files in this directory
238
239
240       --logtostderr=true
241           log to standard error instead of files
242
243
244       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
245           Comma-separated  list  of  files  to  check for machine-id. Use the
246       first one that exists.
247
248
249       --match-server-version=false
250           Require server version to match client version
251
252
253       -n, --namespace=""
254           If present, the namespace scope for this CLI request
255
256
257       --request-timeout="0"
258           The length of time to wait before giving  up  on  a  single  server
259       request. Non-zero values should contain a corresponding time unit (e.g.
260       1s, 2m, 3h). A value of zero means don't timeout requests.
261
262
263       -s, --server=""
264           The address and port of the Kubernetes API server
265
266
267       --stderrthreshold=2
268           logs at or above this threshold go to stderr
269
270
271       --storage_driver_buffer_duration=0
272           Writes in the storage driver will be buffered  for  this  duration,
273       and committed to the non memory backends as a single transaction
274
275
276       --storage_driver_db="cadvisor"
277           database name
278
279
280       --storage_driver_host="localhost:8086"
281           database host:port
282
283
284       --storage_driver_password="root"
285           database password
286
287
288       --storage_driver_secure=false
289           use secure connection with database
290
291
292       --storage_driver_table="stats"
293           table name
294
295
296       --storage_driver_user="root"
297           database username
298
299
300       --token=""
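301           Bearer token for authentication to the API server. A token given
       on the command line may be recorded in shell history and be visible
       in the process list.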
302
303
304       --user=""
305           The name of the kubeconfig user to use
306
307
308       -v, --v=0
309           log level for V logs
310
311
312       --version=false
313           Print version information and quit
314
315
316       --vmodule=
317           comma-separated  list  of pattern=N settings for file-filtered log‐
318       ging
319
320
321

EXAMPLE

323                # Add the 'restricted' security context constraint to user1 and user2
324                oc adm policy add-scc-to-user restricted user1 user2
325
326                # Add the 'privileged' security context constraint to the service account serviceaccount1 in the current namespace
327                oc adm policy add-scc-to-user privileged -z serviceaccount1
328
329
330
331

SEE ALSO

333       oc-adm-policy(1),
334
335
336

HISTORY

338       June 2016, Ported from the Kubernetes man-doc generator
339
340
341
342Openshift                  Openshift CLI User Manuals         OC ADM POLICY(1)