KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kubectl create secret generic - Create a secret from a local file,
       directory or literal value

SYNOPSIS

       kubectl create secret generic [OPTIONS]

DESCRIPTION

       Create a secret based on a file, directory, or specified literal value.

       A single secret may package one or more key/value pairs.

       When creating a secret based on a file, the key will default to the
       basename of the file, and the value will default to the file content.
       If the basename is an invalid key or you wish to choose your own, you
       may specify an alternate key.

       When creating a secret based on a directory, each file whose basename
       is a valid key in the directory will be packaged into the secret. Any
       directory entries except regular files are ignored (e.g.
       subdirectories, symlinks, devices, pipes, etc).

OPTIONS

       --allow-missing-template-keys=true      If true, ignore any errors in
       templates when a field or map key is missing in the template. Only
       applies to golang and jsonpath output formats.

       --append-hash=false      Append a hash of the secret to its name.

       --dry-run="none"      Must be "none", "server", or "client". If client
       strategy, only print the object that would be sent, without sending it.
       If server strategy, submit server-side request without persisting the
       resource.

       --field-manager="kubectl-create"      Name of the manager used to track
       field ownership.

       --from-env-file=""      Specify the path to a file to read lines of
       key=val pairs to create a secret (i.e. a Docker .env file).

       --from-file=[]      Key files can be specified using their file path,
       in which case a default name will be given to them, or optionally with
       a name and file path, in which case the given name will be used.
       Specifying a directory will iterate each named file in the directory
       that is a valid secret key.

       --from-literal=[]      Specify a key and literal value to insert in
       secret (i.e. mykey=somevalue)

       --generator="secret/v1"      The name of the API generator to use.

       -o, --output=""      Output format. One of:
       json|yaml|name|go-template|go-template-file|template|templatefile|
       jsonpath|jsonpath-as-json|jsonpath-file.

       --save-config=false      If true, the configuration of current object
       will be saved in its annotation. Otherwise, the annotation will be
       unchanged. This flag is useful when you want to perform kubectl apply
       on this object in the future.

       --template=""      Template string or path to template file to use when
       -o=go-template, -o=go-template-file. The template format is golang
       templates [http://golang.org/pkg/text/template/#pkg-overview].

       --type=""      The type of secret to create

       --validate=true      If true, use a schema to validate the input before
       sending it

OPTIONS INHERITED FROM PARENT COMMANDS

       --add-dir-header=false      If true, adds the file directory to the
       header of the log messages

       --alsologtostderr=false      log to standard error as well as files

       --application-metrics-count-limit=100      Max number of application
       metrics to store (per container)

       --as=""      Username to impersonate for the operation

       --as-group=[]      Group to impersonate for the operation, this flag
       can be repeated to specify multiple groups.

       --azure-container-registry-config=""      Path to the file containing
       Azure container registry configuration information.

       --boot-id-file="/proc/sys/kernel/random/boot_id"      Comma-separated
       list of files to check for boot-id. Use the first one that exists.

       --cache-dir="/builddir/.kube/cache"      Default cache directory

       --certificate-authority=""      Path to a cert file for the certificate
       authority

       --client-certificate=""      Path to a client certificate file for TLS

       --client-key=""      Path to a client key file for TLS

       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
            CIDRs opened in GCE firewall for L7 LB traffic proxy  health
       checks

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
            CIDRs opened in GCE firewall for L4 LB traffic proxy  health
       checks

       --cluster=""      The name of the kubeconfig cluster to use

       --container-hints="/etc/cadvisor/container_hints.json"      location of
       the container hints file

       --containerd="/run/containerd/containerd.sock"      containerd endpoint

       --containerd-namespace="k8s.io"      containerd namespace

       --context=""      The name of the kubeconfig context to use

       --default-not-ready-toleration-seconds=300      Indicates the
       tolerationSeconds of the toleration for notReady:NoExecute that is
       added by default to every pod that does not already have such a
       toleration.

       --default-unreachable-toleration-seconds=300      Indicates the
       tolerationSeconds of the toleration for unreachable:NoExecute that is
       added by default to every pod that does not already have such a
       toleration.

       --disable-root-cgroup-stats=false      Disable collecting root Cgroup
       stats

       --docker="unix:///var/run/docker.sock"      docker endpoint

       --docker-env-metadata-whitelist=""      a comma-separated list of
       environment variable keys matched with specified prefix that needs to
       be collected for docker containers

       --docker-only=false      Only report docker containers in addition to
       root stats

       --docker-root="/var/lib/docker"      DEPRECATED: docker root is read
       from docker info (this is a fallback, default: /var/lib/docker)

       --docker-tls=false      use TLS to connect to docker

       --docker-tls-ca="ca.pem"      path to trusted CA

       --docker-tls-cert="cert.pem"      path to client certificate

       --docker-tls-key="key.pem"      path to private key

       --enable-load-reader=false      Whether to enable cpu load reader

       --event-storage-age-limit="default=0"      Max length of time for which
       to store events (per type). Value is a comma separated list of key
       values, where the keys are event types (e.g.: creation, oom) or
       "default" and the value is a duration. Default is applied to all
       non-specified event types

       --event-storage-event-limit="default=0"      Max number of events to
       store (per type). Value is a comma separated list of key values, where
       the keys are event types (e.g.: creation, oom) or "default" and the
       value is an integer. Default is applied to all non-specified event
       types

       --global-housekeeping-interval=1m0s      Interval between global
       housekeepings

       --housekeeping-interval=10s      Interval between container
       housekeepings

       --insecure-skip-tls-verify=false      If true, the server's certificate
       will not be checked for validity. This will make your HTTPS connections
       insecure

       --kubeconfig=""      Path to the kubeconfig file to use for CLI
       requests.

       --log-backtrace-at=:0      when logging hits line file:N, emit a stack
       trace

       --log-cadvisor-usage=false      Whether to log the usage of the
       cAdvisor container

       --log-dir=""      If non-empty, write log files in this directory

       --log-file=""      If non-empty, use this log file

       --log-file-max-size=1800      Defines the maximum size a log file can
       grow to. Unit is megabytes. If the value is 0, the maximum file size is
       unlimited.

       --log-flush-frequency=5s      Maximum number of seconds between log
       flushes

       --logtostderr=true      log to standard error instead of files

       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
            Comma-separated list of files to check for machine-id. Use the
       first one that exists.

       --match-server-version=false      Require server version to match
       client version

       -n, --namespace=""      If present, the namespace scope for this CLI
       request

       --one-output=false      If true, only write logs to their native
       severity level (vs also writing to each lower severity level)

       --password=""      Password for basic authentication to the API server

       --profile="none"      Name of profile to capture. One of
       (none|cpu|heap|goroutine|threadcreate|block|mutex)

       --profile-output="profile.pprof"      Name of the file to write the
       profile to

       --referenced-reset-interval=0      Reset interval for referenced bytes
       (container_referenced_bytes metric), number of measurement cycles after
       which referenced bytes are cleared, if set to 0 referenced bytes are
       never cleared (default: 0)

       --request-timeout="0"      The length of time to wait before giving up
       on a single server request. Non-zero values should contain a
       corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't
       timeout requests.

       -s, --server=""      The address and port of the Kubernetes API server

       --skip-headers=false      If true, avoid header prefixes in the log
       messages

       --skip-log-headers=false      If true, avoid headers when opening log
       files

       --stderrthreshold=2      logs at or above this threshold go to stderr

       --storage-driver-buffer-duration=1m0s      Writes in the storage driver
       will be buffered for this duration, and committed to the non memory
       backends as a single transaction

       --storage-driver-db="cadvisor"      database name

       --storage-driver-host="localhost:8086"      database host:port

       --storage-driver-password="root"      database password

       --storage-driver-secure=false      use secure connection with database

       --storage-driver-table="stats"      table name

       --storage-driver-user="root"      database username

       --tls-server-name=""      Server name to use for server certificate
       validation. If it is not provided, the hostname used to contact the
       server is used

       --token=""      Bearer token for authentication to the API server

       --update-machine-info-interval=5m0s      Interval between machine info
       updates.

       --user=""      The name of the kubeconfig user to use

       --username=""      Username for basic authentication to the API server

       -v, --v=0      number for the log level verbosity

       --version=false      Print version information and quit

       --vmodule=      comma-separated list of pattern=N settings for
       file-filtered logging

       --warnings-as-errors=false      Treat warnings received from the server
       as errors and exit with a non-zero exit code

EXAMPLE

                # Create a new secret named my-secret with keys for each file in folder bar
                kubectl create secret generic my-secret --from-file=path/to/bar

                # Create a new secret named my-secret with specified keys instead of names on disk
                kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub

                # Create a new secret named my-secret with key1=supersecret and key2=topsecret
                kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret

                # Create a new secret named my-secret using a combination of a file and a literal
                kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret

                # Create a new secret named my-secret from an env file
                kubectl create secret generic my-secret --from-env-file=path/to/bar.env
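
       The directory rule from DESCRIPTION (only regular files whose basename
       is a valid key are packaged) can be checked before a directory is
       handed to --from-file, so that a stray backup file or an ignored
       symlink does not go unnoticed. The script below is an added example,
       not part of kubectl or of this manual; the key grammar it checks
       (1-253 characters from [-._a-zA-Z0-9], not "." and no ".." prefix) and
       the function names are assumptions that this page does not state.

```shell
#!/bin/sh
# Added example, not part of kubectl: classify the entries of a directory
# before passing it to `kubectl create secret generic NAME --from-file=DIR`.
LC_ALL=C; export LC_ALL   # make a-z / A-Z ranges byte-exact

# Assumed key grammar (not stated on this page): 1-253 characters from
# [-._a-zA-Z0-9], not "." and not starting with "..".
is_valid_secret_key() {
    key=$1
    [ -n "$key" ] || return 1
    [ "${#key}" -le 253 ] || return 1
    case $key in
        .|..*) return 1 ;;               # "." or a ".." prefix
        *[!._a-zA-Z0-9-]*) return 1 ;;   # character outside the allowed set
    esac
    return 0
}

# preview_secret_keys DIR prints one line per directory entry:
#   include NAME      regular file whose basename is a valid key
#   invalid-key NAME  regular file that needs --from-file=KEY=PATH instead
#   not-regular NAME  subdirectory, symlink, device, pipe, ... (ignored)
preview_secret_keys() {
    dir=$1
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # Skip glob patterns that matched nothing.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        name=${entry##*/}
        if [ -L "$entry" ] || [ ! -f "$entry" ]; then
            echo "not-regular $name"
        elif is_valid_secret_key "$name"; then
            echo "include $name"
        else
            echo "invalid-key $name"
        fi
    done
    return 0
}

# Run against a directory when one is given on the command line.
if [ "$#" -gt 0 ]; then
    preview_secret_keys "$1"
fi
```

       Comparing the "include" lines with the keys the consuming workload
       expects shows a missing or unexpected key before the secret is created.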

SEE ALSO

       kubectl-create-secret(1),

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals                              User            KUBERNETES(1)(kubernetes)