1OC ADM POLICY(1) June 2016 OC ADM POLICY(1)
2
3
4
6 oc adm policy add-scc-to-user - Add security context constraint to
7 users or a service account
8
9
10
12 oc adm policy add-scc-to-user [OPTIONS]
13
14
15
17 Add security context constraint to users or a service account
18
19
20
22 --allow-missing-template-keys=true
23 If true, ignore any errors in templates when a field or map key is
24 missing in the template. Only applies to golang and jsonpath output
25 formats.
26
27
28 --dry-run=false
29 If true, only print the object that would be sent, without sending
30 it.
31
32
33 --no-headers=false
34 When using the default or custom-column output format, don't print
35 headers (default print headers).
36
37
38 -o, --output=""
39 Output format. One of: json|yaml|wide|name|custom-columns=...|cus‐
40 tom-columns-file=...|go-template=...|go-template-file=...|json‐
41 path=...|jsonpath-file=... See custom columns [ ⟨http://kuber‐
42 netes.io/docs/user-guide/kubectl-overview/#custom-columns⟩], golang
43 template [ ⟨http://golang.org/pkg/text/template/#pkg-overview⟩] and
44 jsonpath template [ ⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].
45
46
47 -z, --serviceaccount=[]
48 service account in the current namespace to use as a user
49
50
51 --show-labels=false
52 When printing, show all labels as the last column (default hide
53 labels column)
54
55
56 --sort-by=""
57 If non-empty, sort list types using this field specification. The
58 field specification is expressed as a JSONPath expression (e.g.
59 '{.metadata.name}'). The field in the API resource specified by this
60 JSONPath expression must be an integer or a string.
61
62
63 --template=""
64 Template string or path to template file to use when -o=go-tem‐
65 plate, -o=go-template-file. The template format is golang templates [
66 ⟨http://golang.org/pkg/text/template/#pkg-overview⟩].
67
68
69
71 --allow_verification_with_non_compliant_keys=false
72 Allow a SignatureVerifier to use keys which are technically
73 non-compliant with RFC6962.
74
75
76 --alsologtostderr=false
77 log to standard error as well as files
78
79
80 --application_metrics_count_limit=100
81 Max number of application metrics to store (per container)
82
83
84 --as=""
85 Username to impersonate for the operation
86
87
88 --as-group=[]
89 Group to impersonate for the operation, this flag can be repeated
90 to specify multiple groups.
91
92
93 --azure-container-registry-config=""
94 Path to the file containing Azure container registry configuration
95 information.
96
97
98 --boot_id_file="/proc/sys/kernel/random/boot_id"
99 Comma-separated list of files to check for boot-id. Use the first
100 one that exists.
101
102
103 --cache-dir="/builddir/.kube/http-cache"
104 Default HTTP cache directory
105
106
107 --certificate-authority=""
108 Path to a cert file for the certificate authority
109
110
111 --client-certificate=""
112 Path to a client certificate file for TLS
113
114
115 --client-key=""
116 Path to a client key file for TLS
117
118
119 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
120 CIDRs opened in GCE firewall for LB traffic proxy health checks
121
122
123 --cluster=""
124 The name of the kubeconfig cluster to use
125
126
127 --container_hints="/etc/cadvisor/container_hints.json"
128 location of the container hints file
129
130
131 --containerd="unix:///var/run/containerd.sock"
132 containerd endpoint
133
134
135 --context=""
136 The name of the kubeconfig context to use
137
138
139 --default-not-ready-toleration-seconds=300
140 Indicates the tolerationSeconds of the toleration for
141 notReady:NoExecute that is added by default to every pod that does not
142 already have such a toleration.
143
144
145 --default-unreachable-toleration-seconds=300
146 Indicates the tolerationSeconds of the toleration for unreach‐
147 able:NoExecute that is added by default to every pod that does not
148 already have such a toleration.
149
150
151 --docker="unix:///var/run/docker.sock"
152 docker endpoint
153
154
155 --docker-tls=false
156 use TLS to connect to docker
157
158
159 --docker-tls-ca="ca.pem"
160 path to trusted CA
161
162
163 --docker-tls-cert="cert.pem"
164 path to client certificate
165
166
167 --docker-tls-key="key.pem"
168 path to private key
169
170
171 --docker_env_metadata_whitelist=""
172 a comma-separated list of environment variable keys that needs to
173 be collected for docker containers
174
175
176 --docker_only=false
177 Only report docker containers in addition to root stats
178
179
180 --docker_root="/var/lib/docker"
181 DEPRECATED: docker root is read from docker info (this is a fall‐
182 back, default: /var/lib/docker)
183
184
185 --enable_load_reader=false
186 Whether to enable cpu load reader
187
188
189 --event_storage_age_limit="default=24h"
190 Max length of time for which to store events (per type). Value is a
191 comma separated list of key values, where the keys are event types
192 (e.g.: creation, oom) or "default" and the value is a duration. Default
193 is applied to all non-specified event types
194
195
196 --event_storage_event_limit="default=100000"
197 Max number of events to store (per type). Value is a comma sepa‐
198 rated list of key values, where the keys are event types (e.g.: cre‐
199 ation, oom) or "default" and the value is an integer. Default is
200 applied to all non-specified event types
201
202
203 --global_housekeeping_interval=0
204 Interval between global housekeepings
205
206
207 --housekeeping_interval=0
208 Interval between container housekeepings
209
210
211 --httptest.serve=""
212 if non-empty, httptest.NewServer serves on this address and blocks
213
214
215 --insecure-skip-tls-verify=false
216 If true, the server's certificate will not be checked for validity.
217 This will make your HTTPS connections insecure
218
219
220 --kubeconfig=""
221 Path to the kubeconfig file to use for CLI requests.
222
223
224 --log-flush-frequency=0
225 Maximum number of seconds between log flushes
226
227
228 --log_backtrace_at=:0
229 when logging hits line file:N, emit a stack trace
230
231
232 --log_cadvisor_usage=false
233 Whether to log the usage of the cAdvisor container
234
235
236 --log_dir=""
237 If non-empty, write log files in this directory
238
239
240 --logtostderr=true
241 log to standard error instead of files
242
243
244 --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
245 Comma-separated list of files to check for machine-id. Use the
246 first one that exists.
247
248
249 --match-server-version=false
250 Require server version to match client version
251
252
253 -n, --namespace=""
254 If present, the namespace scope for this CLI request
255
256
257 --request-timeout="0"
258 The length of time to wait before giving up on a single server
259 request. Non-zero values should contain a corresponding time unit (e.g.
260 1s, 2m, 3h). A value of zero means don't timeout requests.
261
262
263 -s, --server=""
264 The address and port of the Kubernetes API server
265
266
267 --stderrthreshold=2
268 logs at or above this threshold go to stderr
269
270
271 --storage_driver_buffer_duration=0
272 Writes in the storage driver will be buffered for this duration,
273 and committed to the non memory backends as a single transaction
274
275
276 --storage_driver_db="cadvisor"
277 database name
278
279
280 --storage_driver_host="localhost:8086"
281 database host:port
282
283
284 --storage_driver_password="root"
285 database password
286
287
288 --storage_driver_secure=false
289 use secure connection with database
290
291
292 --storage_driver_table="stats"
293 table name
294
295
296 --storage_driver_user="root"
297 database username
298
299
300 --token=""
301 Bearer token for authentication to the API server
302
303
304 --user=""
305 The name of the kubeconfig user to use
306
307
308 -v, --v=0
309 log level for V logs
310
311
312 --version=false
313 Print version information and quit
314
315
316 --vmodule=
317 comma-separated list of pattern=N settings for file-filtered log‐
318 ging
319
320
321
323 # Add the 'restricted' security context contraint to user1 and user2
324 oc adm policy add-scc-to-user restricted user1 user2
325
326 # Add the 'privileged' security context contraint to the service account serviceaccount1 in the current namespace
327 oc adm policy add-scc-to-user privileged -z serviceaccount1
328
329
330
331
333 oc-adm-policy(1),
334
335
336
338 June 2016, Ported from the Kubernetes man-doc generator
339
340
341
342Openshift Openshift CLI User Manuals OC ADM POLICY(1)