KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

kubectl create secret generic - Create a secret from a local file, directory or literal value

kubectl create secret generic [OPTIONS]

Create a secret based on a file, directory, or specified literal value.

A single secret may package one or more key/value pairs.

When creating a secret based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key or you wish to choose your own, you may specify an alternate key.

When creating a secret based on a directory, each file whose basename is a valid key in the directory will be packaged into the secret. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc).

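A pre-flight check for the directory rule described above, as an added example that is not part of the original man page or of kubectl itself: it reports which entries of a directory are regular files with usable key names before the directory is passed to --from-file. The key-name rule used here (1-253 characters from A-Z, a-z, 0-9, ".", "_" and "-", not beginning with "..") and all function names are assumptions not stated on this page.

```shell
#!/bin/sh
# Pre-flight audit for: kubectl create secret generic NAME --from-file=DIR
# Assumption (not stated on this page): a valid key is 1-253 characters from
# [A-Za-z0-9._-] and does not begin with "..".

LC_ALL=C; export LC_ALL   # byte-exact a-z / A-Z ranges and lengths

# classify_entry PATH -> prints package, not-regular or invalid-key
classify_entry() {
    name=${1##*/}
    # Test -L first: [ -f ] follows symlinks, and symlinks are ignored.
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo not-regular; return
    fi
    case $name in
        ..*|*[!a-zA-Z0-9._-]*) echo invalid-key; return ;;
    esac
    if [ "${#name}" -gt 253 ]; then
        echo invalid-key; return
    fi
    echo package
}

# audit_secret_dir DIR -> one "status<TAB>basename" line per directory entry
audit_secret_dir() {
    for p in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        # Skip glob patterns that matched nothing.
        [ -e "$p" ] || [ -L "$p" ] || continue
        printf '%s\t%s\n' "$(classify_entry "$p")" "${p##*/}"
    done
}

# make_sample_dir -> prints the path of a constructed sample directory
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'admin' > "$d/username"     # regular file, valid key
    printf 'x' > "$d/.dockercfg"       # dotfile, still a valid key
    printf 'x' > "$d/db password"      # a space is not allowed in a key
    mkdir "$d/certs"                   # subdirectory
    ln -s username "$d/user-link"      # symlink to a regular file
    echo "$d"
}

# Audit the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_secret_dir "$1"; fi
```

Only entries reported as package meet both conditions in the paragraph above; rename or use an explicit --from-file=key=path for files reported as invalid-key.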
--allow-missing-template-keys=true  If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.

--append-hash=false  Append a hash of the secret to its name.

--dry-run="none"  Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.

--field-manager="kubectl-create"  Name of the manager used to track field ownership.

--from-env-file=""  Specify the path to a file to read lines of key=val pairs to create a secret (i.e. a Docker .env file).

--from-file=[]  Key files can be specified using their file path, in which case a default name will be given to them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will iterate each named file in the directory that is a valid secret key.

--from-literal=[]  Specify a key and literal value to insert in secret (i.e. mykey=somevalue)

--generator="secret/v1"  The name of the API generator to use.

-o, --output=""  Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.

--save-config=false  If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.

--template=""  Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

--type=""  The type of secret to create

--validate=true  If true, use a schema to validate the input before sending it

--add-dir-header=false  If true, adds the file directory to the header of the log messages

--alsologtostderr=false  log to standard error as well as files

--application-metrics-count-limit=100  Max number of application metrics to store (per container)

--as=""  Username to impersonate for the operation

--as-group=[]  Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

--azure-container-registry-config=""  Path to the file containing Azure container registry configuration information.

--boot-id-file="/proc/sys/kernel/random/boot_id"  Comma-separated list of files to check for boot-id. Use the first one that exists.

--cache-dir="/builddir/.kube/cache"  Default cache directory

--certificate-authority=""  Path to a cert file for the certificate authority

--client-certificate=""  Path to a client certificate file for TLS

--client-key=""  Path to a client key file for TLS

--cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16  CIDRs opened in GCE firewall for L7 LB traffic proxy health checks

--cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16  CIDRs opened in GCE firewall for L4 LB traffic proxy health checks

--cluster=""  The name of the kubeconfig cluster to use

--container-hints="/etc/cadvisor/container_hints.json"  location of the container hints file

--containerd="/run/containerd/containerd.sock"  containerd endpoint

--containerd-namespace="k8s.io"  containerd namespace

--context=""  The name of the kubeconfig context to use

--default-not-ready-toleration-seconds=300  Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration.

--default-unreachable-toleration-seconds=300  Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration.

--disable-root-cgroup-stats=false  Disable collecting root Cgroup stats

--docker="unix:///var/run/docker.sock"  docker endpoint

--docker-env-metadata-whitelist=""  a comma-separated list of environment variable keys matched with specified prefix that needs to be collected for docker containers

--docker-only=false  Only report docker containers in addition to root stats

--docker-root="/var/lib/docker"  DEPRECATED: docker root is read from docker info (this is a fallback, default: /var/lib/docker)

--docker-tls=false  use TLS to connect to docker

--docker-tls-ca="ca.pem"  path to trusted CA

--docker-tls-cert="cert.pem"  path to client certificate

--docker-tls-key="key.pem"  path to private key

--enable-load-reader=false  Whether to enable cpu load reader

--event-storage-age-limit="default=0"  Max length of time for which to store events (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or "default" and the value is a duration. Default is applied to all non-specified event types

--event-storage-event-limit="default=0"  Max number of events to store (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or "default" and the value is an integer. Default is applied to all non-specified event types

--global-housekeeping-interval=1m0s  Interval between global housekeepings

--housekeeping-interval=10s  Interval between container housekeepings

--insecure-skip-tls-verify=false  If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure

--kubeconfig=""  Path to the kubeconfig file to use for CLI requests.

--log-backtrace-at=:0  when logging hits line file:N, emit a stack trace

--log-cadvisor-usage=false  Whether to log the usage of the cAdvisor container

--log-dir=""  If non-empty, write log files in this directory

--log-file=""  If non-empty, use this log file

--log-file-max-size=1800  Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.

--log-flush-frequency=5s  Maximum number of seconds between log flushes

--logtostderr=true  log to standard error instead of files

--machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"  Comma-separated list of files to check for machine-id. Use the first one that exists.

--match-server-version=false  Require server version to match client version

-n, --namespace=""  If present, the namespace scope for this CLI request

--one-output=false  If true, only write logs to their native severity level (vs also writing to each lower severity level)

--password=""  Password for basic authentication to the API server

--profile="none"  Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex)

--profile-output="profile.pprof"  Name of the file to write the profile to

--referenced-reset-interval=0  Reset interval for referenced bytes (container_referenced_bytes metric), number of measurement cycles after which referenced bytes are cleared, if set to 0 referenced bytes are never cleared (default: 0)

--request-timeout="0"  The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

-s, --server=""  The address and port of the Kubernetes API server

--skip-headers=false  If true, avoid header prefixes in the log messages

--skip-log-headers=false  If true, avoid headers when opening log files

--stderrthreshold=2  logs at or above this threshold go to stderr

--storage-driver-buffer-duration=1m0s  Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction

--storage-driver-db="cadvisor"  database name

--storage-driver-host="localhost:8086"  database host:port

--storage-driver-password="root"  database password

--storage-driver-secure=false  use secure connection with database

--storage-driver-table="stats"  table name

--storage-driver-user="root"  database username

--tls-server-name=""  Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

--token=""  Bearer token for authentication to the API server

--update-machine-info-interval=5m0s  Interval between machine info updates.

--user=""  The name of the kubeconfig user to use

--username=""  Username for basic authentication to the API server

-v, --v=0  number for the log level verbosity

--version=false  Print version information and quit

--vmodule=  comma-separated list of pattern=N settings for file-filtered logging

--warnings-as-errors=false  Treat warnings received from the server as errors and exit with a non-zero exit code

# Create a new secret named my-secret with keys for each file in folder bar
kubectl create secret generic my-secret --from-file=path/to/bar

# Create a new secret named my-secret with specified keys instead of names on disk
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub

# Create a new secret named my-secret with key1=supersecret and key2=topsecret
kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret

# Create a new secret named my-secret using a combination of a file and a literal
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret

# Create a new secret named my-secret from an env file
kubectl create secret generic my-secret --from-env-file=path/to/bar.env

kubectl-create-secret(1),

January 2015, Originally compiled by Eric Paris (eparis at redhat dot com) based on the kubernetes source material, but hopefully they have been automatically generated since!