1KUBERNETES(1) Jan 2015 KUBERNETES(1)
2
6 kubectl auth reconcile - Reconciles rules for RBAC Role, RoleBinding,
7 ClusterRole, and ClusterRole binding objects
8
12 kubectl auth reconcile [OPTIONS]
13
17 Reconciles rules for RBAC Role, RoleBinding, ClusterRole, and Cluster‐
18 Role binding objects.
19 Missing objects are created, and the containing namespace is created
22 for namespaced objects, if required.
23 Existing roles are updated to include the permissions in the input
26 objects, and remove extra permissions if --remove-extra-permissions is
27 specified.
28 Existing bindings are updated to include the subjects in the input
31 objects, and remove extra subjects if --remove-extra-subjects is speci‐
32 fied.
33 This is preferred to 'apply' for RBAC resources so that semanti‐
36 cally-aware merging of rules and subjects is done.
37
41 --allow-missing-template-keys=true
42 If true, ignore any errors in templates when a field or map key is
43 missing in the template. Only applies to golang and jsonpath output
44 formats.
45 --dry-run=false
48 If true, display results but do not submit changes
49 -f, --filename=[]
52 Filename, directory, or URL to files identifying the resource to
53 reconcile.
54 -k, --kustomize=""
57 Process the kustomization directory. This flag can't be used
58 together with -f or -R.
59 -o, --output=""
62 Output format. One of: json|yaml|name|go-template|go-tem‐
63 plate-file|template|templatefile|jsonpath|jsonpath-file.
64 -R, --recursive=false
67 Process the directory used in -f, --filename recursively. Useful
68 when you want to manage related manifests organized within the same
69 directory.
70 --remove-extra-permissions=false
73 If true, removes extra permissions added to roles
74 --remove-extra-subjects=false
77 If true, removes extra subjects added to rolebindings
78 --template=""
81 Template string or path to template file to use when -o=go-tem‐
82 plate, -o=go-template-file. The template format is golang templates [
83 ⟨http://golang.org/pkg/text/template/#pkg-overview⟩].
84
88 --alsologtostderr=false
89 log to standard error as well as files
90 --application-metrics-count-limit=100
93 Max number of application metrics to store (per container)
94 --as=""
97 Username to impersonate for the operation
98 --as-group=[]
101 Group to impersonate for the operation, this flag can be repeated
102 to specify multiple groups.
103 --azure-container-registry-config=""
106 Path to the file containing Azure container registry configuration
107 information.
108 --boot-id-file="/proc/sys/kernel/random/boot_id"
111 Comma-separated list of files to check for boot-id. Use the first
112 one that exists.
113 --cache-dir="/builddir/.kube/http-cache"
116 Default HTTP cache directory
117 --certificate-authority=""
120 Path to a cert file for the certificate authority
121 --client-certificate=""
124 Path to a client certificate file for TLS
125 --client-key=""
128 Path to a client key file for TLS
129 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
132 CIDRs opened in GCE firewall for LB traffic proxy health checks
133 --cluster=""
136 The name of the kubeconfig cluster to use
137 --container-hints="/etc/cadvisor/container_hints.json"
140 location of the container hints file
141 --containerd="/run/containerd/containerd.sock"
144 containerd endpoint
145 --containerd-namespace="k8s.io"
148 containerd namespace
149 --context=""
152 The name of the kubeconfig context to use
153 --default-not-ready-toleration-seconds=300
156 Indicates the tolerationSeconds of the toleration for
157 notReady:NoExecute that is added by default to every pod that does not
158 already have such a toleration.
159 --default-unreachable-toleration-seconds=300
162 Indicates the tolerationSeconds of the toleration for unreach‐
163 able:NoExecute that is added by default to every pod that does not
164 already have such a toleration.
165 --docker="unix:///var/run/docker.sock"
168 docker endpoint
169 --docker-env-metadata-whitelist=""
172 a comma-separated list of environment variable keys that needs to
173 be collected for docker containers
174 --docker-only=false
177 Only report docker containers in addition to root stats
178 --docker-root="/var/lib/docker"
181 DEPRECATED: docker root is read from docker info (this is a fall‐
182 back, default: /var/lib/docker)
183 --docker-tls=false
186 use TLS to connect to docker
187 --docker-tls-ca="ca.pem"
190 path to trusted CA
191 --docker-tls-cert="cert.pem"
194 path to client certificate
195 --docker-tls-key="key.pem"
198 path to private key
199 --enable-load-reader=false
202 Whether to enable cpu load reader
203 --event-storage-age-limit="default=0"
206 Max length of time for which to store events (per type). Value is a
207 comma separated list of key values, where the keys are event types
208 (e.g.: creation, oom) or "default" and the value is a duration. Default
209 is applied to all non-specified event types
210 --event-storage-event-limit="default=0"
213 Max number of events to store (per type). Value is a comma sepa‐
214 rated list of key values, where the keys are event types (e.g.: cre‐
215 ation, oom) or "default" and the value is an integer. Default is
216 applied to all non-specified event types
217 --global-housekeeping-interval=1m0s
220 Interval between global housekeepings
221 --housekeeping-interval=10s
224 Interval between container housekeepings
225 --insecure-skip-tls-verify=false
228 If true, the server's certificate will not be checked for validity.
229 This will make your HTTPS connections insecure
230 --kubeconfig=""
233 Path to the kubeconfig file to use for CLI requests.
234 --log-backtrace-at=:0
237 when logging hits line file:N, emit a stack trace
238 --log-cadvisor-usage=false
241 Whether to log the usage of the cAdvisor container
242 --log-dir=""
245 If non-empty, write log files in this directory
246 --log-file=""
249 If non-empty, use this log file
250 --log-file-max-size=1800
253 Defines the maximum size a log file can grow to. Unit is megabytes.
254 If the value is 0, the maximum file size is unlimited.
255 --log-flush-frequency=5s
258 Maximum number of seconds between log flushes
259 --logtostderr=true
262 log to standard error instead of files
263 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
266 Comma-separated list of files to check for machine-id. Use the
267 first one that exists.
268 --match-server-version=false
271 Require server version to match client version
272 -n, --namespace=""
275 If present, the namespace scope for this CLI request
276 --password=""
279 Password for basic authentication to the API server
280 --profile="none"
283 Name of profile to capture. One of (none|cpu|heap|goroutine|thread‐
284 create|block|mutex)
285 --profile-output="profile.pprof"
288 Name of the file to write the profile to
289 --request-timeout="0"
292 The length of time to wait before giving up on a single server
293 request. Non-zero values should contain a corresponding time unit (e.g.
294 1s, 2m, 3h). A value of zero means don't timeout requests.
295 -s, --server=""
298 The address and port of the Kubernetes API server
299 --skip-headers=false
302 If true, avoid header prefixes in the log messages
303 --skip-log-headers=false
306 If true, avoid headers when opening log files
307 --stderrthreshold=2
310 logs at or above this threshold go to stderr
311 --storage-driver-buffer-duration=1m0s
314 Writes in the storage driver will be buffered for this duration,
315 and committed to the non memory backends as a single transaction
316 --storage-driver-db="cadvisor"
319 database name
320 --storage-driver-host="localhost:8086"
323 database host:port
324 --storage-driver-password="root"
327 database password
328 --storage-driver-secure=false
331 use secure connection with database
332 --storage-driver-table="stats"
335 table name
336 --storage-driver-user="root"
339 database username
340 --token=""
343 Bearer token for authentication to the API server
344 --update-machine-info-interval=5m0s
347 Interval between machine info updates.
348 --user=""
351 The name of the kubeconfig user to use
352 --username=""
355 Username for basic authentication to the API server
356 -v, --v=0
359 number for the log level verbosity
360 --version=false
363 Print version information and quit
364 --vmodule=
367 comma-separated list of pattern=N settings for file-filtered log‐
368 ging
369
373 # Reconcile rbac resources from a file
374 kubectl auth reconcile -f my-rbac-rules.yaml
375
380 kubectl-auth(1),
381
385 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
386 com) based on the kubernetes source material, but hopefully they have
387 been automatically generated since!
388Eric Paris kubernetes User Manuals KUBERNETES(1)