KUBERNETES(1)(kubernetes)                KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
kubectl certificate approve - Approve a certificate signing request

SYNOPSIS
kubectl certificate approve [OPTIONS]

DESCRIPTION
Approve a certificate signing request.

kubectl certificate approve allows a cluster admin to approve a certificate signing request (CSR). This action tells a certificate signing controller to issue a certificate to the requestor with the attributes requested in the CSR.

SECURITY NOTICE: Depending on the requested attributes, the issued certificate can potentially grant a requester access to cluster resources or to authenticate as a requested identity. Before approving a CSR, ensure you understand what the signed certificate can do.
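
One way to carry out the check the security notice asks for, as an added shell example that is not part of the kubectl manual: it decodes the CSR subject with openssl and flags requests for system: identities. The function names, the CSR name alice-csr and the sample subject are assumptions for illustration; the sample CSR is constructed at run time with a throwaway key.

```sh
#!/bin/sh
# Added example: see what a CSR asks for before `kubectl certificate approve`.
# On a live cluster the inputs come from the CSR object ("alice-csr" is hypothetical):
#   kubectl get csr alice-csr -o jsonpath='{.spec.request}' | base64 -d > req.pem
#   kubectl get csr alice-csr -o jsonpath='{.spec.signerName}'
#   kubectl get csr alice-csr -o jsonpath='{.spec.usages}'

# Print the subject of the PEM CSR on stdin in RFC 2253 form (CN=...,O=...).
csr_subject() {
  openssl req -noout -subject -nameopt RFC2253 2>/dev/null | sed 's/^subject= *//'
}

# csr_review PEM_FILE SIGNER_NAME USAGES
# Returns 0 if nothing was flagged, 1 if the request needs investigation,
# 2 if the CSR could not be parsed.
csr_review() {
  local subject norm rc
  subject=$(csr_subject < "$1")
  [ -n "$subject" ] || { echo "cannot parse CSR"; return 2; }
  rc=0
  echo "subject: $subject"
  echo "signer:  $2"
  echo "usages:  $3"
  case "$3" in
    *"client auth"*) echo "note: client certificate; CN is the user name, each O a group" ;;
  esac
  # Multi-valued RDNs are joined with '+', so normalise before matching.
  norm=$(printf '%s' "$subject" | tr '+' ',')
  case ",$norm," in
    *,O=system:masters,*) echo "FLAG: group system:masters (cluster-admin by default)"; rc=1 ;;
    *,CN=system:*|*,O=system:*) echo "FLAG: system: identity, confirm the requestor"; rc=1 ;;
  esac
  return "$rc"
}

# Constructed sample input: a CSR with subject $1 written to file $2.
make_sample_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$2.key" -subj "$1" -out "$2" 2>/dev/null
  rm -f "$2.key"
}

sample=$(mktemp)
make_sample_csr "/O=system:masters/CN=alice" "$sample"
csr_review "$sample" kubernetes.io/kube-apiserver-client "client auth" ||
  echo "=> investigate before approving"
rm -f "$sample"
```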

OPTIONS
--allow-missing-template-keys=true  If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.

-f, --filename=[]  Filename, directory, or URL to files identifying the resource to update

--force=false  Update the CSR even if it is already approved.

-k, --kustomize=""  Process the kustomization directory. This flag can't be used together with -f or -R.

-o, --output=""  Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.

-R, --recursive=false  Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.

--template=""  Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

OPTIONS INHERITED FROM PARENT COMMANDS
--add-dir-header=false  If true, adds the file directory to the header of the log messages

--alsologtostderr=false  log to standard error as well as files

--application-metrics-count-limit=100  Max number of application metrics to store (per container)

--as=""  Username to impersonate for the operation

--as-group=[]  Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

--azure-container-registry-config=""  Path to the file containing Azure container registry configuration information.

--boot-id-file="/proc/sys/kernel/random/boot_id"  Comma-separated list of files to check for boot-id. Use the first one that exists.

--cache-dir="/builddir/.kube/cache"  Default cache directory

--certificate-authority=""  Path to a cert file for the certificate authority

--client-certificate=""  Path to a client certificate file for TLS

--client-key=""  Path to a client key file for TLS

--cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16  CIDRs opened in GCE firewall for L7 LB traffic proxy health checks

--cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16  CIDRs opened in GCE firewall for L4 LB traffic proxy health checks

--cluster=""  The name of the kubeconfig cluster to use

--container-hints="/etc/cadvisor/container_hints.json"  location of the container hints file

--containerd="/run/containerd/containerd.sock"  containerd endpoint

--containerd-namespace="k8s.io"  containerd namespace

--context=""  The name of the kubeconfig context to use

--default-not-ready-toleration-seconds=300  Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration.

--default-unreachable-toleration-seconds=300  Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration.

--disable-root-cgroup-stats=false  Disable collecting root Cgroup stats

--docker="unix:///var/run/docker.sock"  docker endpoint

--docker-env-metadata-whitelist=""  a comma-separated list of environment variable keys matched with specified prefix that needs to be collected for docker containers

--docker-only=false  Only report docker containers in addition to root stats

--docker-root="/var/lib/docker"  DEPRECATED: docker root is read from docker info (this is a fallback, default: /var/lib/docker)

--docker-tls=false  use TLS to connect to docker

--docker-tls-ca="ca.pem"  path to trusted CA

--docker-tls-cert="cert.pem"  path to client certificate

--docker-tls-key="key.pem"  path to private key

--enable-load-reader=false  Whether to enable cpu load reader

--event-storage-age-limit="default=0"  Max length of time for which to store events (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or "default" and the value is a duration. Default is applied to all non-specified event types

--event-storage-event-limit="default=0"  Max number of events to store (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or "default" and the value is an integer. Default is applied to all non-specified event types

--global-housekeeping-interval=1m0s  Interval between global housekeepings

--housekeeping-interval=10s  Interval between container housekeepings

--insecure-skip-tls-verify=false  If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure

--kubeconfig=""  Path to the kubeconfig file to use for CLI requests.

--log-backtrace-at=:0  when logging hits line file:N, emit a stack trace

--log-cadvisor-usage=false  Whether to log the usage of the cAdvisor container

--log-dir=""  If non-empty, write log files in this directory

--log-file=""  If non-empty, use this log file

--log-file-max-size=1800  Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.

--log-flush-frequency=5s  Maximum number of seconds between log flushes

--logtostderr=true  log to standard error instead of files

--machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"  Comma-separated list of files to check for machine-id. Use the first one that exists.

--match-server-version=false  Require server version to match client version

-n, --namespace=""  If present, the namespace scope for this CLI request

--one-output=false  If true, only write logs to their native severity level (vs also writing to each lower severity level)

--password=""  Password for basic authentication to the API server

--profile="none"  Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex)

--profile-output="profile.pprof"  Name of the file to write the profile to

--referenced-reset-interval=0  Reset interval for referenced bytes (container_referenced_bytes metric), number of measurement cycles after which referenced bytes are cleared, if set to 0 referenced bytes are never cleared (default: 0)

--request-timeout="0"  The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

-s, --server=""  The address and port of the Kubernetes API server

--skip-headers=false  If true, avoid header prefixes in the log messages

--skip-log-headers=false  If true, avoid headers when opening log files

--stderrthreshold=2  logs at or above this threshold go to stderr

--storage-driver-buffer-duration=1m0s  Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction

--storage-driver-db="cadvisor"  database name

--storage-driver-host="localhost:8086"  database host:port

--storage-driver-password="root"  database password

--storage-driver-secure=false  use secure connection with database

--storage-driver-table="stats"  table name

--storage-driver-user="root"  database username

--tls-server-name=""  Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

--token=""  Bearer token for authentication to the API server

--update-machine-info-interval=5m0s  Interval between machine info updates.

--user=""  The name of the kubeconfig user to use

--username=""  Username for basic authentication to the API server

-v, --v=0  number for the log level verbosity

--version=false  Print version information and quit

--vmodule=  comma-separated list of pattern=N settings for file-filtered logging

--warnings-as-errors=false  Treat warnings received from the server as errors and exit with a non-zero exit code

SEE ALSO
kubectl-certificate(1),

HISTORY
January 2015, Originally compiled by Eric Paris (eparis at redhat dot com) based on the kubernetes source material, but hopefully they have been automatically generated since!