1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2Eric Paris Jan 2015
6
9 kubectl create clusterrolebinding - Create a ClusterRoleBinding for a
10 particular ClusterRole
11
15 kubectl create clusterrolebinding [OPTIONS]
16
20 Create a ClusterRoleBinding for a particular ClusterRole.
21
25 --allow-missing-template-keys=true If true, ignore any errors in
26 templates when a field or map key is missing in the template. Only ap‐
27 plies to golang and jsonpath output formats.
28 --clusterrole="" ClusterRole this ClusterRoleBinding should refer‐
31 ence
32 --dry-run="none" Must be "none", "server", or "client". If client
35 strategy, only print the object that would be sent, without sending it.
36 If server strategy, submit server-side request without persisting the
37 resource.
38 --field-manager="kubectl-create" Name of the manager used to track
41 field ownership.
42 --group=[] Groups to bind to the clusterrole
45 -o, --output="" Output format. One of: json|yaml|name|go-tem‐
48 plate|go-template-file|template|templatefile|jsonpath|json‐
49 path-as-json|jsonpath-file.
50 --save-config=false If true, the configuration of current object
53 will be saved in its annotation. Otherwise, the annotation will be un‐
54 changed. This flag is useful when you want to perform kubectl apply on
55 this object in the future.
56 --serviceaccount=[] Service accounts to bind to the clusterrole,
59 in the format :
60 --template="" Template string or path to template file to use when
63 -o=go-template, -o=go-template-file. The template format is golang tem‐
64 plates [http://golang.org/pkg/text/template/#pkg-overview].
65 --validate=true If true, use a schema to validate the input before
68 sending it
69
73 --add-dir-header=false If true, adds the file directory to the
74 header of the log messages
75 --alsologtostderr=false log to standard error as well as files
78 --application-metrics-count-limit=100 Max number of application
81 metrics to store (per container)
82 --as="" Username to impersonate for the operation
85 --as-group=[] Group to impersonate for the operation, this flag
88 can be repeated to specify multiple groups.
89 --azure-container-registry-config="" Path to the file containing
92 Azure container registry configuration information.
93 --boot-id-file="/proc/sys/kernel/random/boot_id" Comma-separated
96 list of files to check for boot-id. Use the first one that exists.
97 --cache-dir="/builddir/.kube/cache" Default cache directory
100 --certificate-authority="" Path to a cert file for the certificate
103 authority
104 --client-certificate="" Path to a client certificate file for TLS
107 --client-key="" Path to a client key file for TLS
110 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
113 CIDRs opened in GCE firewall for L7 LB traffic proxy health
114 checks
115 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
118 CIDRs opened in GCE firewall for L4 LB traffic proxy health
119 checks
120 --cluster="" The name of the kubeconfig cluster to use
123 --container-hints="/etc/cadvisor/container_hints.json" location of
126 the container hints file
127 --containerd="/run/containerd/containerd.sock" containerd endpoint
130 --containerd-namespace="k8s.io" containerd namespace
133 --context="" The name of the kubeconfig context to use
136 --default-not-ready-toleration-seconds=300 Indicates the tolera‐
139 tionSeconds of the toleration for notReady:NoExecute that is added by
140 default to every pod that does not already have such a toleration.
141 --default-unreachable-toleration-seconds=300 Indicates the tolera‐
144 tionSeconds of the toleration for unreachable:NoExecute that is added
145 by default to every pod that does not already have such a toleration.
146 --disable-root-cgroup-stats=false Disable collecting root Cgroup
149 stats
150 --docker="unix:///var/run/docker.sock" docker endpoint
153 --docker-env-metadata-whitelist="" a comma-separated list of envi‐
156 ronment variable keys matched with specified prefix that needs to be
157 collected for docker containers
158 --docker-only=false Only report docker containers in addition to
161 root stats
162 --docker-root="/var/lib/docker" DEPRECATED: docker root is read
165 from docker info (this is a fallback, default: /var/lib/docker)
166 --docker-tls=false use TLS to connect to docker
169 --docker-tls-ca="ca.pem" path to trusted CA
172 --docker-tls-cert="cert.pem" path to client certificate
175 --docker-tls-key="key.pem" path to private key
178 --enable-load-reader=false Whether to enable cpu load reader
181 --event-storage-age-limit="default=0" Max length of time for which
184 to store events (per type). Value is a comma separated list of key val‐
185 ues, where the keys are event types (e.g.: creation, oom) or "default"
186 and the value is a duration. Default is applied to all non-specified
187 event types
188 --event-storage-event-limit="default=0" Max number of events to
191 store (per type). Value is a comma separated list of key values, where
192 the keys are event types (e.g.: creation, oom) or "default" and the
193 value is an integer. Default is applied to all non-specified event
194 types
195 --global-housekeeping-interval=1m0s Interval between global house‐
198 keepings
199 --housekeeping-interval=10s Interval between container housekeep‐
202 ings
203 --insecure-skip-tls-verify=false If true, the server's certificate
206 will not be checked for validity. This will make your HTTPS connections
207 insecure
208 --kubeconfig="" Path to the kubeconfig file to use for CLI re‐
211 quests.
212 --log-backtrace-at=:0 when logging hits line file:N, emit a stack
215 trace
216 --log-cadvisor-usage=false Whether to log the usage of the cAdvi‐
219 sor container
220 --log-dir="" If non-empty, write log files in this directory
223 --log-file="" If non-empty, use this log file
226 --log-file-max-size=1800 Defines the maximum size a log file can
229 grow to. Unit is megabytes. If the value is 0, the maximum file size is
230 unlimited.
231 --log-flush-frequency=5s Maximum number of seconds between log
234 flushes
235 --logtostderr=true log to standard error instead of files
238 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
241 Comma-separated list of files to check for machine-id. Use the
242 first one that exists.
243 --match-server-version=false Require server version to match
246 client version
247 -n, --namespace="" If present, the namespace scope for this CLI
250 request
251 --one-output=false If true, only write logs to their native sever‐
254 ity level (vs also writing to each lower severity level
255 --password="" Password for basic authentication to the API server
258 --profile="none" Name of profile to capture. One of
261 (none|cpu|heap|goroutine|threadcreate|block|mutex)
262 --profile-output="profile.pprof" Name of the file to write the
265 profile to
266 --referenced-reset-interval=0 Reset interval for referenced bytes
269 (container_referenced_bytes metric), number of measurement cycles after
270 which referenced bytes are cleared, if set to 0 referenced bytes are
271 never cleared (default: 0)
272 --request-timeout="0" The length of time to wait before giving up
275 on a single server request. Non-zero values should contain a corre‐
276 sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
277 out requests.
278 -s, --server="" The address and port of the Kubernetes API server
281 --skip-headers=false If true, avoid header prefixes in the log
284 messages
285 --skip-log-headers=false If true, avoid headers when opening log
288 files
289 --stderrthreshold=2 logs at or above this threshold go to stderr
292 --storage-driver-buffer-duration=1m0s Writes in the storage driver
295 will be buffered for this duration, and committed to the non memory
296 backends as a single transaction
297 --storage-driver-db="cadvisor" database name
300 --storage-driver-host="localhost:8086" database host:port
303 --storage-driver-password="root" database password
306 --storage-driver-secure=false use secure connection with database
309 --storage-driver-table="stats" table name
312 --storage-driver-user="root" database username
315 --tls-server-name="" Server name to use for server certificate
318 validation. If it is not provided, the hostname used to contact the
319 server is used
320 --token="" Bearer token for authentication to the API server
323 --update-machine-info-interval=5m0s Interval between machine info
326 updates.
327 --user="" The name of the kubeconfig user to use
330 --username="" Username for basic authentication to the API server
333 -v, --v=0 number for the log level verbosity
336 --version=false Print version information and quit
339 --vmodule= comma-separated list of pattern=N settings for
342 file-filtered logging
343 --warnings-as-errors=false Treat warnings received from the server
346 as errors and exit with a non-zero exit code
347
351 # Create a ClusterRoleBinding for user1, user2, and group1 using the cluster-admin ClusterRole
352 kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1 --user=user2 --group=group1
353
358 kubectl-create(1),
359
363 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
364 com) based on the kubernetes source material, but hopefully they have
365 been automatically generated since!
366Manuals User KUBERNETES(1)(kubernetes)