1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7
9 kubectl auth reconcile - Reconciles rules for RBAC Role, RoleBinding,
10 ClusterRole, and ClusterRole binding objects
11
12
13
15 kubectl auth reconcile [OPTIONS]
16
17
18
20 Reconciles rules for RBAC Role, RoleBinding, ClusterRole, and Cluster‐
21 Role binding objects.
22
23
24 Missing objects are created, and the containing namespace is created
25 for namespaced objects, if required.
26
27
28 Existing roles are updated to include the permissions in the input ob‐
29 jects, and remove extra permissions if --remove-extra-permissions is
30 specified.
31
32
33 Existing bindings are updated to include the subjects in the input ob‐
34 jects, and remove extra subjects if --remove-extra-subjects is speci‐
35 fied.
36
37
38 This is preferred to 'apply' for RBAC resources so that semanti‐
39 cally-aware merging of rules and subjects is done.
40
41
42
44 --allow-missing-template-keys=true If true, ignore any errors in
45 templates when a field or map key is missing in the template. Only ap‐
46 plies to golang and jsonpath output formats.
47
48
49 --dry-run="none" Must be "none", "server", or "client". If client
50 strategy, only print the object that would be sent, without sending it.
51 If server strategy, submit server-side request without persisting the
52 resource.
53
54
55 -f, --filename=[] Filename, directory, or URL to files identifying
56 the resource to reconcile.
57
58
59 -k, --kustomize="" Process the kustomization directory. This flag
60 can't be used together with -f or -R.
61
62
63 -o, --output="" Output format. One of: json|yaml|name|go-tem‐
64 plate|go-template-file|template|templatefile|jsonpath|json‐
65 path-as-json|jsonpath-file.
66
67
68 -R, --recursive=false Process the directory used in -f, --filename
69 recursively. Useful when you want to manage related manifests organized
70 within the same directory.
71
72
73 --remove-extra-permissions=false If true, removes extra permis‐
74 sions added to roles
75
76
77 --remove-extra-subjects=false If true, removes extra subjects
78 added to rolebindings
79
80
81 --template="" Template string or path to template file to use when
82 -o=go-template, -o=go-template-file. The template format is golang tem‐
83 plates [http://golang.org/pkg/text/template/#pkg-overview].
84
85
86
88 --add-dir-header=false If true, adds the file directory to the
89 header of the log messages
90
91
92 --alsologtostderr=false log to standard error as well as files
93
94
95 --application-metrics-count-limit=100 Max number of application
96 metrics to store (per container)
97
98
99 --as="" Username to impersonate for the operation
100
101
102 --as-group=[] Group to impersonate for the operation, this flag
103 can be repeated to specify multiple groups.
104
105
106 --azure-container-registry-config="" Path to the file containing
107 Azure container registry configuration information.
108
109
110 --boot-id-file="/proc/sys/kernel/random/boot_id" Comma-separated
111 list of files to check for boot-id. Use the first one that exists.
112
113
114 --cache-dir="/builddir/.kube/cache" Default cache directory
115
116
117 --certificate-authority="" Path to a cert file for the certificate
118 authority
119
120
121 --client-certificate="" Path to a client certificate file for TLS
122
123
124 --client-key="" Path to a client key file for TLS
125
126
127 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
128 CIDRs opened in GCE firewall for L7 LB traffic proxy health
129 checks
130
131
132 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
133 CIDRs opened in GCE firewall for L4 LB traffic proxy health
134 checks
135
136
137 --cluster="" The name of the kubeconfig cluster to use
138
139
140 --container-hints="/etc/cadvisor/container_hints.json" location of
141 the container hints file
142
143
144 --containerd="/run/containerd/containerd.sock" containerd endpoint
145
146
147 --containerd-namespace="k8s.io" containerd namespace
148
149
150 --context="" The name of the kubeconfig context to use
151
152
153 --default-not-ready-toleration-seconds=300 Indicates the tolera‐
154 tionSeconds of the toleration for notReady:NoExecute that is added by
155 default to every pod that does not already have such a toleration.
156
157
158 --default-unreachable-toleration-seconds=300 Indicates the tolera‐
159 tionSeconds of the toleration for unreachable:NoExecute that is added
160 by default to every pod that does not already have such a toleration.
161
162
163 --disable-root-cgroup-stats=false Disable collecting root Cgroup
164 stats
165
166
167 --docker="unix:///var/run/docker.sock" docker endpoint
168
169
170 --docker-env-metadata-whitelist="" a comma-separated list of envi‐
171 ronment variable keys matched with specified prefix that needs to be
172 collected for docker containers
173
174
175 --docker-only=false Only report docker containers in addition to
176 root stats
177
178
179 --docker-root="/var/lib/docker" DEPRECATED: docker root is read
180 from docker info (this is a fallback, default: /var/lib/docker)
181
182
183 --docker-tls=false use TLS to connect to docker
184
185
186 --docker-tls-ca="ca.pem" path to trusted CA
187
188
189 --docker-tls-cert="cert.pem" path to client certificate
190
191
192 --docker-tls-key="key.pem" path to private key
193
194
195 --enable-load-reader=false Whether to enable cpu load reader
196
197
198 --event-storage-age-limit="default=0" Max length of time for which
199 to store events (per type). Value is a comma separated list of key val‐
200 ues, where the keys are event types (e.g.: creation, oom) or "default"
201 and the value is a duration. Default is applied to all non-specified
202 event types
203
204
205 --event-storage-event-limit="default=0" Max number of events to
206 store (per type). Value is a comma separated list of key values, where
207 the keys are event types (e.g.: creation, oom) or "default" and the
208 value is an integer. Default is applied to all non-specified event
209 types
210
211
212 --global-housekeeping-interval=1m0s Interval between global house‐
213 keepings
214
215
216 --housekeeping-interval=10s Interval between container housekeep‐
217 ings
218
219
220 --insecure-skip-tls-verify=false If true, the server's certificate
221 will not be checked for validity. This will make your HTTPS connections
222 insecure
223
224
225 --kubeconfig="" Path to the kubeconfig file to use for CLI re‐
226 quests.
227
228
229 --log-backtrace-at=:0 when logging hits line file:N, emit a stack
230 trace
231
232
233 --log-cadvisor-usage=false Whether to log the usage of the cAdvi‐
234 sor container
235
236
237 --log-dir="" If non-empty, write log files in this directory
238
239
240 --log-file="" If non-empty, use this log file
241
242
243 --log-file-max-size=1800 Defines the maximum size a log file can
244 grow to. Unit is megabytes. If the value is 0, the maximum file size is
245 unlimited.
246
247
248 --log-flush-frequency=5s Maximum number of seconds between log
249 flushes
250
251
252 --logtostderr=true log to standard error instead of files
253
254
255 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
256 Comma-separated list of files to check for machine-id. Use the
257 first one that exists.
258
259
260 --match-server-version=false Require server version to match
261 client version
262
263
264 -n, --namespace="" If present, the namespace scope for this CLI
265 request
266
267
268 --one-output=false If true, only write logs to their native sever‐
269 ity level (vs also writing to each lower severity level
270
271
272 --password="" Password for basic authentication to the API server
273
274
275 --profile="none" Name of profile to capture. One of
276 (none|cpu|heap|goroutine|threadcreate|block|mutex)
277
278
279 --profile-output="profile.pprof" Name of the file to write the
280 profile to
281
282
283 --referenced-reset-interval=0 Reset interval for referenced bytes
284 (container_referenced_bytes metric), number of measurement cycles after
285 which referenced bytes are cleared, if set to 0 referenced bytes are
286 never cleared (default: 0)
287
288
289 --request-timeout="0" The length of time to wait before giving up
290 on a single server request. Non-zero values should contain a corre‐
291 sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
292 out requests.
293
294
295 -s, --server="" The address and port of the Kubernetes API server
296
297
298 --skip-headers=false If true, avoid header prefixes in the log
299 messages
300
301
302 --skip-log-headers=false If true, avoid headers when opening log
303 files
304
305
306 --stderrthreshold=2 logs at or above this threshold go to stderr
307
308
309 --storage-driver-buffer-duration=1m0s Writes in the storage driver
310 will be buffered for this duration, and committed to the non memory
311 backends as a single transaction
312
313
314 --storage-driver-db="cadvisor" database name
315
316
317 --storage-driver-host="localhost:8086" database host:port
318
319
320 --storage-driver-password="root" database password
321
322
323 --storage-driver-secure=false use secure connection with database
324
325
326 --storage-driver-table="stats" table name
327
328
329 --storage-driver-user="root" database username
330
331
332 --tls-server-name="" Server name to use for server certificate
333 validation. If it is not provided, the hostname used to contact the
334 server is used
335
336
337 --token="" Bearer token for authentication to the API server
338
339
340 --update-machine-info-interval=5m0s Interval between machine info
341 updates.
342
343
344 --user="" The name of the kubeconfig user to use
345
346
347 --username="" Username for basic authentication to the API server
348
349
350 -v, --v=0 number for the log level verbosity
351
352
353 --version=false Print version information and quit
354
355
356 --vmodule= comma-separated list of pattern=N settings for
357 file-filtered logging
358
359
360 --warnings-as-errors=false Treat warnings received from the server
361 as errors and exit with a non-zero exit code
362
363
364
366 # Reconcile rbac resources from a file
367 kubectl auth reconcile -f my-rbac-rules.yaml
368
369
370
371
373 kubectl-auth(1),
374
375
376
378 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
379 com) based on the kubernetes source material, but hopefully they have
380 been automatically generated since!
381
382
383
384Manuals User KUBERNETES(1)(kubernetes)