KUBERNETES(1)(kubernetes)                              KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
       kubectl create clusterrole - Create a ClusterRole.

SYNOPSIS
       kubectl create clusterrole [OPTIONS]

DESCRIPTION
       Create a ClusterRole.

OPTIONS
       --aggregation-rule=      An aggregation label selector for combining ClusterRoles.

       --allow-missing-template-keys=true      If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.

       --dry-run="none"      Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.

       --field-manager="kubectl-create"      Name of the manager used to track field ownership.

       --non-resource-url=[]      A partial URL that the user should have access to.

       -o, --output=""      Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.

       --resource=[]      Resource that the rule applies to

       --resource-name=[]      Resource in the white list that the rule applies to, repeat this flag for multiple items

       --save-config=false      If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.

       --template=""      Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

       --validate=true      If true, use a schema to validate the input before sending it

       --verb=[]      Verb that applies to the resources contained in the rule

OPTIONS INHERITED FROM PARENT COMMANDS
       --add-dir-header=false      If true, adds the file directory to the header of the log messages

       --alsologtostderr=false      log to standard error as well as files

       --application-metrics-count-limit=100      Max number of application metrics to store (per container)

       --as=""      Username to impersonate for the operation

       --as-group=[]      Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

       --azure-container-registry-config=""      Path to the file containing Azure container registry configuration information.

       --boot-id-file="/proc/sys/kernel/random/boot_id"      Comma-separated list of files to check for boot-id. Use the first one that exists.

       --cache-dir="/builddir/.kube/cache"      Default cache directory

       --certificate-authority=""      Path to a cert file for the certificate authority

       --client-certificate=""      Path to a client certificate file for TLS

       --client-key=""      Path to a client key file for TLS

       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16      CIDRs opened in GCE firewall for L7 LB traffic proxy health checks

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16      CIDRs opened in GCE firewall for L4 LB traffic proxy health checks

       --cluster=""      The name of the kubeconfig cluster to use

       --container-hints="/etc/cadvisor/container_hints.json"      location of the container hints file

       --containerd="/run/containerd/containerd.sock"      containerd endpoint

       --containerd-namespace="k8s.io"      containerd namespace

       --context=""      The name of the kubeconfig context to use

       --default-not-ready-toleration-seconds=300      Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration.

       --default-unreachable-toleration-seconds=300      Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration.

       --disable-root-cgroup-stats=false      Disable collecting root Cgroup stats

       --docker="unix:///var/run/docker.sock"      docker endpoint

       --docker-env-metadata-whitelist=""      a comma-separated list of environment variable keys matched with specified prefix that needs to be collected for docker containers

       --docker-only=false      Only report docker containers in addition to root stats

       --docker-root="/var/lib/docker"      DEPRECATED: docker root is read from docker info (this is a fallback, default: /var/lib/docker)

       --docker-tls=false      use TLS to connect to docker

       --docker-tls-ca="ca.pem"      path to trusted CA

       --docker-tls-cert="cert.pem"      path to client certificate

       --docker-tls-key="key.pem"      path to private key

       --enable-load-reader=false      Whether to enable cpu load reader

       --event-storage-age-limit="default=0"      Max length of time for which to store events (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or "default" and the value is a duration. Default is applied to all non-specified event types

       --event-storage-event-limit="default=0"      Max number of events to store (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or "default" and the value is an integer. Default is applied to all non-specified event types

       --global-housekeeping-interval=1m0s      Interval between global housekeepings

       --housekeeping-interval=10s      Interval between container housekeepings

       --insecure-skip-tls-verify=false      If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure

       --kubeconfig=""      Path to the kubeconfig file to use for CLI requests.

       --log-backtrace-at=:0      when logging hits line file:N, emit a stack trace

       --log-cadvisor-usage=false      Whether to log the usage of the cAdvisor container

       --log-dir=""      If non-empty, write log files in this directory

       --log-file=""      If non-empty, use this log file

       --log-file-max-size=1800      Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.

       --log-flush-frequency=5s      Maximum number of seconds between log flushes

       --logtostderr=true      log to standard error instead of files

       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"      Comma-separated list of files to check for machine-id. Use the first one that exists.

       --match-server-version=false      Require server version to match client version

       -n, --namespace=""      If present, the namespace scope for this CLI request

       --one-output=false      If true, only write logs to their native severity level (vs also writing to each lower severity level)

       --password=""      Password for basic authentication to the API server

       --profile="none"      Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex)

       --profile-output="profile.pprof"      Name of the file to write the profile to

       --referenced-reset-interval=0      Reset interval for referenced bytes (container_referenced_bytes metric), number of measurement cycles after which referenced bytes are cleared, if set to 0 referenced bytes are never cleared (default: 0)

       --request-timeout="0"      The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

       -s, --server=""      The address and port of the Kubernetes API server

       --skip-headers=false      If true, avoid header prefixes in the log messages

       --skip-log-headers=false      If true, avoid headers when opening log files

       --stderrthreshold=2      logs at or above this threshold go to stderr

       --storage-driver-buffer-duration=1m0s      Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction

       --storage-driver-db="cadvisor"      database name

       --storage-driver-host="localhost:8086"      database host:port

       --storage-driver-password="root"      database password

       --storage-driver-secure=false      use secure connection with database

       --storage-driver-table="stats"      table name

       --storage-driver-user="root"      database username

       --tls-server-name=""      Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

       --token=""      Bearer token for authentication to the API server

       --update-machine-info-interval=5m0s      Interval between machine info updates.

       --user=""      The name of the kubeconfig user to use

       --username=""      Username for basic authentication to the API server

       -v, --v=0      number for the log level verbosity

       --version=false      Print version information and quit

       --vmodule=      comma-separated list of pattern=N settings for file-filtered logging

       --warnings-as-errors=false      Treat warnings received from the server as errors and exit with a non-zero exit code

EXAMPLE
         # Create a ClusterRole named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
         kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods

         # Create a ClusterRole named "pod-reader" with ResourceName specified
         kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

         # Create a ClusterRole named "foo" with API Group specified
         kubectl create clusterrole foo --verb=get,list,watch --resource=rs.extensions

         # Create a ClusterRole named "foo" with SubResource specified
         kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status

         # Create a ClusterRole named "foo" with NonResourceURL specified
         kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*

         # Create a ClusterRole named "monitoring" with AggregationRule specified
         kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"

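An added illustration, not part of the kubectl manual or the project's code: a small Python model of how the --verb, --resource, --resource-name and --non-resource-url values used in the examples above map onto RBAC rules, plus a pre-apply review for over-broad grants. The function names, the finding strings and the choice of one rule per API group are assumptions of this sketch; short resource names such as "rs" are kept as typed rather than resolved.

```python
# Added illustration, not kubectl source. Short names such as "rs" are kept
# verbatim here; kubectl resolves them against the API server.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
NAME_BLIND_VERBS = {"create", "deletecollection"}  # not restrictable by resourceNames


def rules_from_flags(verbs, resources=(), resource_names=(), non_resource_urls=()):
    """Model the PolicyRules implied by --verb/--resource/--resource-name/--non-resource-url."""
    by_group = {}
    for item in resources:
        head, _, sub = item.partition("/")      # "pods/status" -> subresource "status"
        res, _, group = head.partition(".")     # "rs.extensions" -> group "extensions"
        by_group.setdefault(group, []).append(res + ("/" + sub if sub else ""))
    rules = []
    for group in sorted(by_group):              # "" is the core API group
        rule = {"apiGroups": [group], "resources": by_group[group], "verbs": list(verbs)}
        if resource_names:
            rule["resourceNames"] = list(resource_names)
        rules.append(rule)
    if non_resource_urls:
        rules.append({"nonResourceURLs": list(non_resource_urls), "verbs": list(verbs)})
    return rules


def review(rule):
    """Return the findings a reviewer would raise for one rule (constructed policy)."""
    verbs, resources = set(rule["verbs"]), rule.get("resources", [])
    findings = []
    if "*" in verbs:
        findings.append("wildcard verb")
    if "*" in resources:
        findings.append("wildcard resource")
    risky = sorted(verbs & ESCALATION_VERBS)
    if risky:
        findings.append("privilege-escalation verb: " + ",".join(risky))
    if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
        findings.append("read access to secrets")
    blind = sorted(verbs & NAME_BLIND_VERBS)
    if rule.get("resourceNames") and blind:
        findings.append("resourceNames cannot scope: " + ",".join(blind))
    if any(url.endswith("*") for url in rule.get("nonResourceURLs", [])):
        findings.append("wildcard non-resource URL")
    return findings


if __name__ == "__main__":
    for r in rules_from_flags(["get"], non_resource_urls=["/logs/*"]):
        print(r, review(r))
```
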
SEE ALSO
       kubectl-create(1)

HISTORY
       January 2015, Originally compiled by Eric Paris (eparis at redhat dot com) based on the kubernetes source material, but hopefully they have been automatically generated since!