OC POLICY(1) June 2016 OC POLICY(1)

oc policy scc-subject-review - Check whether a user or a ServiceAccount
can create a Pod.

oc policy scc-subject-review [OPTIONS]

Check whether a User, Service Account or a Group can create a Pod. It
returns a list of Security Context Constraints that will admit the
resource. If User is specified but not Groups, it is interpreted as
"What if User is not a member of any groups". If User and Groups are
empty, then the check is performed using the current user.

--allow-missing-template-keys=true
    If true, ignore any errors in templates when a field or map key is
    missing in the template. Only applies to golang and jsonpath output
    formats.

-f, --filename=[]
    Filename, directory, or URL to a file identifying the resource to
    get from a server.

-g, --groups=[]
    Comma-separated list of groups. Review will be performed on behalf
    of these groups.

--no-headers=false
    When using the default or custom-column output format, don't print
    headers (default print headers).

-o, --output=""
    Output format. One of:
    json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=...
    See custom columns
    [ ⟨http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns⟩],
    golang template [ ⟨http://golang.org/pkg/text/template/#pkg-overview⟩] and
    jsonpath template [ ⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].

-R, --recursive=false
    Process the directory used in -f, --filename recursively. Useful
    when you want to manage related manifests organized within the same
    directory.

-z, --serviceaccount=""
    service account in the current namespace to use as a user

--show-labels=false
    When printing, show all labels as the last column (default hide
    labels column)

--sort-by=""
    If non-empty, sort list types using this field specification. The
    field specification is expressed as a JSONPath expression (e.g.
    '{.metadata.name}'). The field in the API resource specified by this
    JSONPath expression must be an integer or a string.

--template=""
    Template string or path to template file to use when -o=go-template,
    -o=go-template-file. The template format is golang templates
    [ ⟨http://golang.org/pkg/text/template/#pkg-overview⟩].

--allow_verification_with_non_compliant_keys=false
    Allow a SignatureVerifier to use keys which are technically
    non-compliant with RFC6962.

--alsologtostderr=false
    log to standard error as well as files

--application_metrics_count_limit=100
    Max number of application metrics to store (per container)

--as=""
    Username to impersonate for the operation

--as-group=[]
    Group to impersonate for the operation, this flag can be repeated
    to specify multiple groups.

--azure-container-registry-config=""
    Path to the file containing Azure container registry configuration
    information.

--boot_id_file="/proc/sys/kernel/random/boot_id"
    Comma-separated list of files to check for boot-id. Use the first
    one that exists.

--cache-dir="/builddir/.kube/http-cache"
    Default HTTP cache directory

--certificate-authority=""
    Path to a cert file for the certificate authority

--client-certificate=""
    Path to a client certificate file for TLS

--client-key=""
    Path to a client key file for TLS

--cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
    CIDRs opened in GCE firewall for LB traffic proxy health checks

--cluster=""
    The name of the kubeconfig cluster to use

--container_hints="/etc/cadvisor/container_hints.json"
    location of the container hints file

--containerd="unix:///var/run/containerd.sock"
    containerd endpoint

--context=""
    The name of the kubeconfig context to use

--default-not-ready-toleration-seconds=300
    Indicates the tolerationSeconds of the toleration for
    notReady:NoExecute that is added by default to every pod that does not
    already have such a toleration.

--default-unreachable-toleration-seconds=300
    Indicates the tolerationSeconds of the toleration for
    unreachable:NoExecute that is added by default to every pod that does
    not already have such a toleration.

--docker="unix:///var/run/docker.sock"
    docker endpoint

--docker-tls=false
    use TLS to connect to docker

--docker-tls-ca="ca.pem"
    path to trusted CA

--docker-tls-cert="cert.pem"
    path to client certificate

--docker-tls-key="key.pem"
    path to private key

--docker_env_metadata_whitelist=""
    a comma-separated list of environment variable keys that need to
    be collected for docker containers

--docker_only=false
    Only report docker containers in addition to root stats

--docker_root="/var/lib/docker"
    DEPRECATED: docker root is read from docker info (this is a
    fallback, default: /var/lib/docker)

--enable_load_reader=false
    Whether to enable cpu load reader

--event_storage_age_limit="default=24h"
    Max length of time for which to store events (per type). Value is a
    comma separated list of key values, where the keys are event types
    (e.g.: creation, oom) or "default" and the value is a duration. Default
    is applied to all non-specified event types

--event_storage_event_limit="default=100000"
    Max number of events to store (per type). Value is a comma
    separated list of key values, where the keys are event types (e.g.:
    creation, oom) or "default" and the value is an integer. Default is
    applied to all non-specified event types

--global_housekeeping_interval=0
    Interval between global housekeepings

--housekeeping_interval=0
    Interval between container housekeepings

--insecure-skip-tls-verify=false
    If true, the server's certificate will not be checked for validity.
    This will make your HTTPS connections insecure.

--kubeconfig=""
    Path to the kubeconfig file to use for CLI requests.

--log-flush-frequency=0
    Maximum number of seconds between log flushes

--log_backtrace_at=:0
    when logging hits line file:N, emit a stack trace

--log_cadvisor_usage=false
    Whether to log the usage of the cAdvisor container

--log_dir=""
    If non-empty, write log files in this directory

--logtostderr=true
    log to standard error instead of files

--machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
    Comma-separated list of files to check for machine-id. Use the
    first one that exists.

--match-server-version=false
    Require server version to match client version

-n, --namespace=""
    If present, the namespace scope for this CLI request

--request-timeout="0"
    The length of time to wait before giving up on a single server
    request. Non-zero values should contain a corresponding time unit (e.g.
    1s, 2m, 3h). A value of zero means don't timeout requests.

-s, --server=""
    The address and port of the Kubernetes API server

--stderrthreshold=2
    logs at or above this threshold go to stderr

--storage_driver_buffer_duration=0
    Writes in the storage driver will be buffered for this duration,
    and committed to the non memory backends as a single transaction

--storage_driver_db="cadvisor"
    database name

--storage_driver_host="localhost:8086"
    database host:port

--storage_driver_password="root"
    database password

--storage_driver_secure=false
    use secure connection with database

--storage_driver_table="stats"
    table name

--storage_driver_user="root"
    database username

--token=""
    Bearer token for authentication to the API server

--user=""
    The name of the kubeconfig user to use

-v, --v=0
    log level for V logs

--version=false
    Print version information and quit

--vmodule=
    comma-separated list of pattern=N settings for file-filtered
    logging

# Check whether user bob can create a pod specified in myresource.yaml
$ oc policy scc-subject-review -u bob -f myresource.yaml

# Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
$ oc policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml

# Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod
$ oc policy scc-subject-review -f myresourcewithsa.yaml

oc-policy(1)

June 2016, Ported from the Kubernetes man-doc generator

Openshift Openshift CLI User Manuals OC POLICY(1)