1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2Eric Paris Jan 2015
6
9 kubectl create role - Create a role with single rule.
10
14 kubectl create role [OPTIONS]
15
19 Create a role with single rule.
20
24 --allow-missing-template-keys=true If true, ignore any errors in
25 templates when a field or map key is missing in the template. Only ap‐
26 plies to golang and jsonpath output formats.
27 --dry-run="none" Must be "none", "server", or "client". If client
30 strategy, only print the object that would be sent, without sending it.
31 If server strategy, submit server-side request without persisting the
32 resource.
33 --field-manager="kubectl-create" Name of the manager used to track
36 field ownership.
37 -o, --output="" Output format. One of: json|yaml|name|go-tem‐
40 plate|go-template-file|template|templatefile|jsonpath|json‐
41 path-as-json|jsonpath-file.
42 --resource=[] Resource that the rule applies to
45 --resource-name=[] Resource in the white list that the rule ap‐
48 plies to, repeat this flag for multiple items
49 --save-config=false If true, the configuration of current object
52 will be saved in its annotation. Otherwise, the annotation will be un‐
53 changed. This flag is useful when you want to perform kubectl apply on
54 this object in the future.
55 --template="" Template string or path to template file to use when
58 -o=go-template, -o=go-template-file. The template format is golang tem‐
59 plates [http://golang.org/pkg/text/template/#pkg-overview].
60 --validate=true If true, use a schema to validate the input before
63 sending it
64 --verb=[] Verb that applies to the resources contained in the rule
67
71 --add-dir-header=false If true, adds the file directory to the
72 header of the log messages
73 --alsologtostderr=false log to standard error as well as files
76 --application-metrics-count-limit=100 Max number of application
79 metrics to store (per container)
80 --as="" Username to impersonate for the operation
83 --as-group=[] Group to impersonate for the operation, this flag
86 can be repeated to specify multiple groups.
87 --azure-container-registry-config="" Path to the file containing
90 Azure container registry configuration information.
91 --boot-id-file="/proc/sys/kernel/random/boot_id" Comma-separated
94 list of files to check for boot-id. Use the first one that exists.
95 --cache-dir="/builddir/.kube/cache" Default cache directory
98 --certificate-authority="" Path to a cert file for the certificate
101 authority
102 --client-certificate="" Path to a client certificate file for TLS
105 --client-key="" Path to a client key file for TLS
108 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
111 CIDRs opened in GCE firewall for L7 LB traffic proxy health
112 checks
113 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
116 CIDRs opened in GCE firewall for L4 LB traffic proxy health
117 checks
118 --cluster="" The name of the kubeconfig cluster to use
121 --container-hints="/etc/cadvisor/container_hints.json" location of
124 the container hints file
125 --containerd="/run/containerd/containerd.sock" containerd endpoint
128 --containerd-namespace="k8s.io" containerd namespace
131 --context="" The name of the kubeconfig context to use
134 --default-not-ready-toleration-seconds=300 Indicates the tolera‐
137 tionSeconds of the toleration for notReady:NoExecute that is added by
138 default to every pod that does not already have such a toleration.
139 --default-unreachable-toleration-seconds=300 Indicates the tolera‐
142 tionSeconds of the toleration for unreachable:NoExecute that is added
143 by default to every pod that does not already have such a toleration.
144 --disable-root-cgroup-stats=false Disable collecting root Cgroup
147 stats
148 --docker="unix:///var/run/docker.sock" docker endpoint
151 --docker-env-metadata-whitelist="" a comma-separated list of envi‐
154 ronment variable keys matched with specified prefix that needs to be
155 collected for docker containers
156 --docker-only=false Only report docker containers in addition to
159 root stats
160 --docker-root="/var/lib/docker" DEPRECATED: docker root is read
163 from docker info (this is a fallback, default: /var/lib/docker)
164 --docker-tls=false use TLS to connect to docker
167 --docker-tls-ca="ca.pem" path to trusted CA
170 --docker-tls-cert="cert.pem" path to client certificate
173 --docker-tls-key="key.pem" path to private key
176 --enable-load-reader=false Whether to enable cpu load reader
179 --event-storage-age-limit="default=0" Max length of time for which
182 to store events (per type). Value is a comma separated list of key val‐
183 ues, where the keys are event types (e.g.: creation, oom) or "default"
184 and the value is a duration. Default is applied to all non-specified
185 event types
186 --event-storage-event-limit="default=0" Max number of events to
189 store (per type). Value is a comma separated list of key values, where
190 the keys are event types (e.g.: creation, oom) or "default" and the
191 value is an integer. Default is applied to all non-specified event
192 types
193 --global-housekeeping-interval=1m0s Interval between global house‐
196 keepings
197 --housekeeping-interval=10s Interval between container housekeep‐
200 ings
201 --insecure-skip-tls-verify=false If true, the server's certificate
204 will not be checked for validity. This will make your HTTPS connections
205 insecure
206 --kubeconfig="" Path to the kubeconfig file to use for CLI re‐
209 quests.
210 --log-backtrace-at=:0 when logging hits line file:N, emit a stack
213 trace
214 --log-cadvisor-usage=false Whether to log the usage of the cAdvi‐
217 sor container
218 --log-dir="" If non-empty, write log files in this directory
221 --log-file="" If non-empty, use this log file
224 --log-file-max-size=1800 Defines the maximum size a log file can
227 grow to. Unit is megabytes. If the value is 0, the maximum file size is
228 unlimited.
229 --log-flush-frequency=5s Maximum number of seconds between log
232 flushes
233 --logtostderr=true log to standard error instead of files
236 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
239 Comma-separated list of files to check for machine-id. Use the
240 first one that exists.
241 --match-server-version=false Require server version to match
244 client version
245 -n, --namespace="" If present, the namespace scope for this CLI
248 request
249 --one-output=false If true, only write logs to their native sever‐
252 ity level (vs also writing to each lower severity level
253 --password="" Password for basic authentication to the API server
256 --profile="none" Name of profile to capture. One of
259 (none|cpu|heap|goroutine|threadcreate|block|mutex)
260 --profile-output="profile.pprof" Name of the file to write the
263 profile to
264 --referenced-reset-interval=0 Reset interval for referenced bytes
267 (container_referenced_bytes metric), number of measurement cycles after
268 which referenced bytes are cleared, if set to 0 referenced bytes are
269 never cleared (default: 0)
270 --request-timeout="0" The length of time to wait before giving up
273 on a single server request. Non-zero values should contain a corre‐
274 sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
275 out requests.
276 -s, --server="" The address and port of the Kubernetes API server
279 --skip-headers=false If true, avoid header prefixes in the log
282 messages
283 --skip-log-headers=false If true, avoid headers when opening log
286 files
287 --stderrthreshold=2 logs at or above this threshold go to stderr
290 --storage-driver-buffer-duration=1m0s Writes in the storage driver
293 will be buffered for this duration, and committed to the non memory
294 backends as a single transaction
295 --storage-driver-db="cadvisor" database name
298 --storage-driver-host="localhost:8086" database host:port
301 --storage-driver-password="root" database password
304 --storage-driver-secure=false use secure connection with database
307 --storage-driver-table="stats" table name
310 --storage-driver-user="root" database username
313 --tls-server-name="" Server name to use for server certificate
316 validation. If it is not provided, the hostname used to contact the
317 server is used
318 --token="" Bearer token for authentication to the API server
321 --update-machine-info-interval=5m0s Interval between machine info
324 updates.
325 --user="" The name of the kubeconfig user to use
328 --username="" Username for basic authentication to the API server
331 -v, --v=0 number for the log level verbosity
334 --version=false Print version information and quit
337 --vmodule= comma-separated list of pattern=N settings for
340 file-filtered logging
341 --warnings-as-errors=false Treat warnings received from the server
344 as errors and exit with a non-zero exit code
345
349 # Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
350 kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
351 # Create a Role named "pod-reader" with ResourceName specified
353 kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
354 # Create a Role named "foo" with API Group specified
356 kubectl create role foo --verb=get,list,watch --resource=rs.extensions
357 # Create a Role named "foo" with SubResource specified
359 kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
360
365 kubectl-create(1),
366
370 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
371 com) based on the kubernetes source material, but hopefully they have
372 been automatically generated since!
373Manuals User KUBERNETES(1)(kubernetes)