1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7
9 kubectl create secret tls - Create a TLS secret
10
11
12
14 kubectl create secret tls [OPTIONS]
15
16
17
19 Create a TLS secret from the given public/private key pair.
20
21
22 The public/private key pair must exist before hand. The public key cer‐
23 tificate must be .PEM encoded and match the given private key.
24
25
26
28 --allow-missing-template-keys=true If true, ignore any errors in
29 templates when a field or map key is missing in the template. Only ap‐
30 plies to golang and jsonpath output formats.
31
32
33 --append-hash=false Append a hash of the secret to its name.
34
35
36 --cert="" Path to PEM encoded public key certificate.
37
38
39 --dry-run="none" Must be "none", "server", or "client". If client
40 strategy, only print the object that would be sent, without sending it.
41 If server strategy, submit server-side request without persisting the
42 resource.
43
44
45 --field-manager="kubectl-create" Name of the manager used to track
46 field ownership.
47
48
49 --generator="secret-for-tls/v1" The name of the API generator to
50 use.
51
52
53 --key="" Path to private key associated with given certificate.
54
55
56 -o, --output="" Output format. One of: json|yaml|name|go-tem‐
57 plate|go-template-file|template|templatefile|jsonpath|json‐
58 path-as-json|jsonpath-file.
59
60
61 --save-config=false If true, the configuration of current object
62 will be saved in its annotation. Otherwise, the annotation will be un‐
63 changed. This flag is useful when you want to perform kubectl apply on
64 this object in the future.
65
66
67 --template="" Template string or path to template file to use when
68 -o=go-template, -o=go-template-file. The template format is golang tem‐
69 plates [http://golang.org/pkg/text/template/#pkg-overview].
70
71
72 --validate=true If true, use a schema to validate the input before
73 sending it
74
75
76
78 --add-dir-header=false If true, adds the file directory to the
79 header of the log messages
80
81
82 --alsologtostderr=false log to standard error as well as files
83
84
85 --application-metrics-count-limit=100 Max number of application
86 metrics to store (per container)
87
88
89 --as="" Username to impersonate for the operation
90
91
92 --as-group=[] Group to impersonate for the operation, this flag
93 can be repeated to specify multiple groups.
94
95
96 --azure-container-registry-config="" Path to the file containing
97 Azure container registry configuration information.
98
99
100 --boot-id-file="/proc/sys/kernel/random/boot_id" Comma-separated
101 list of files to check for boot-id. Use the first one that exists.
102
103
104 --cache-dir="/builddir/.kube/cache" Default cache directory
105
106
107 --certificate-authority="" Path to a cert file for the certificate
108 authority
109
110
111 --client-certificate="" Path to a client certificate file for TLS
112
113
114 --client-key="" Path to a client key file for TLS
115
116
117 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
118 CIDRs opened in GCE firewall for L7 LB traffic proxy health
119 checks
120
121
122 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
123 CIDRs opened in GCE firewall for L4 LB traffic proxy health
124 checks
125
126
127 --cluster="" The name of the kubeconfig cluster to use
128
129
130 --container-hints="/etc/cadvisor/container_hints.json" location of
131 the container hints file
132
133
134 --containerd="/run/containerd/containerd.sock" containerd endpoint
135
136
137 --containerd-namespace="k8s.io" containerd namespace
138
139
140 --context="" The name of the kubeconfig context to use
141
142
143 --default-not-ready-toleration-seconds=300 Indicates the tolera‐
144 tionSeconds of the toleration for notReady:NoExecute that is added by
145 default to every pod that does not already have such a toleration.
146
147
148 --default-unreachable-toleration-seconds=300 Indicates the tolera‐
149 tionSeconds of the toleration for unreachable:NoExecute that is added
150 by default to every pod that does not already have such a toleration.
151
152
153 --disable-root-cgroup-stats=false Disable collecting root Cgroup
154 stats
155
156
157 --docker="unix:///var/run/docker.sock" docker endpoint
158
159
160 --docker-env-metadata-whitelist="" a comma-separated list of envi‐
161 ronment variable keys matched with specified prefix that needs to be
162 collected for docker containers
163
164
165 --docker-only=false Only report docker containers in addition to
166 root stats
167
168
169 --docker-root="/var/lib/docker" DEPRECATED: docker root is read
170 from docker info (this is a fallback, default: /var/lib/docker)
171
172
173 --docker-tls=false use TLS to connect to docker
174
175
176 --docker-tls-ca="ca.pem" path to trusted CA
177
178
179 --docker-tls-cert="cert.pem" path to client certificate
180
181
182 --docker-tls-key="key.pem" path to private key
183
184
185 --enable-load-reader=false Whether to enable cpu load reader
186
187
188 --event-storage-age-limit="default=0" Max length of time for which
189 to store events (per type). Value is a comma separated list of key val‐
190 ues, where the keys are event types (e.g.: creation, oom) or "default"
191 and the value is a duration. Default is applied to all non-specified
192 event types
193
194
195 --event-storage-event-limit="default=0" Max number of events to
196 store (per type). Value is a comma separated list of key values, where
197 the keys are event types (e.g.: creation, oom) or "default" and the
198 value is an integer. Default is applied to all non-specified event
199 types
200
201
202 --global-housekeeping-interval=1m0s Interval between global house‐
203 keepings
204
205
206 --housekeeping-interval=10s Interval between container housekeep‐
207 ings
208
209
210 --insecure-skip-tls-verify=false If true, the server's certificate
211 will not be checked for validity. This will make your HTTPS connections
212 insecure
213
214
215 --kubeconfig="" Path to the kubeconfig file to use for CLI re‐
216 quests.
217
218
219 --log-backtrace-at=:0 when logging hits line file:N, emit a stack
220 trace
221
222
223 --log-cadvisor-usage=false Whether to log the usage of the cAdvi‐
224 sor container
225
226
227 --log-dir="" If non-empty, write log files in this directory
228
229
230 --log-file="" If non-empty, use this log file
231
232
233 --log-file-max-size=1800 Defines the maximum size a log file can
234 grow to. Unit is megabytes. If the value is 0, the maximum file size is
235 unlimited.
236
237
238 --log-flush-frequency=5s Maximum number of seconds between log
239 flushes
240
241
242 --logtostderr=true log to standard error instead of files
243
244
245 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
246 Comma-separated list of files to check for machine-id. Use the
247 first one that exists.
248
249
250 --match-server-version=false Require server version to match
251 client version
252
253
254 -n, --namespace="" If present, the namespace scope for this CLI
255 request
256
257
258 --one-output=false If true, only write logs to their native sever‐
259 ity level (vs also writing to each lower severity level
260
261
262 --password="" Password for basic authentication to the API server
263
264
265 --profile="none" Name of profile to capture. One of
266 (none|cpu|heap|goroutine|threadcreate|block|mutex)
267
268
269 --profile-output="profile.pprof" Name of the file to write the
270 profile to
271
272
273 --referenced-reset-interval=0 Reset interval for referenced bytes
274 (container_referenced_bytes metric), number of measurement cycles after
275 which referenced bytes are cleared, if set to 0 referenced bytes are
276 never cleared (default: 0)
277
278
279 --request-timeout="0" The length of time to wait before giving up
280 on a single server request. Non-zero values should contain a corre‐
281 sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
282 out requests.
283
284
285 -s, --server="" The address and port of the Kubernetes API server
286
287
288 --skip-headers=false If true, avoid header prefixes in the log
289 messages
290
291
292 --skip-log-headers=false If true, avoid headers when opening log
293 files
294
295
296 --stderrthreshold=2 logs at or above this threshold go to stderr
297
298
299 --storage-driver-buffer-duration=1m0s Writes in the storage driver
300 will be buffered for this duration, and committed to the non memory
301 backends as a single transaction
302
303
304 --storage-driver-db="cadvisor" database name
305
306
307 --storage-driver-host="localhost:8086" database host:port
308
309
310 --storage-driver-password="root" database password
311
312
313 --storage-driver-secure=false use secure connection with database
314
315
316 --storage-driver-table="stats" table name
317
318
319 --storage-driver-user="root" database username
320
321
322 --tls-server-name="" Server name to use for server certificate
323 validation. If it is not provided, the hostname used to contact the
324 server is used
325
326
327 --token="" Bearer token for authentication to the API server
328
329
330 --update-machine-info-interval=5m0s Interval between machine info
331 updates.
332
333
334 --user="" The name of the kubeconfig user to use
335
336
337 --username="" Username for basic authentication to the API server
338
339
340 -v, --v=0 number for the log level verbosity
341
342
343 --version=false Print version information and quit
344
345
346 --vmodule= comma-separated list of pattern=N settings for
347 file-filtered logging
348
349
350 --warnings-as-errors=false Treat warnings received from the server
351 as errors and exit with a non-zero exit code
352
353
354
356 # Create a new TLS secret named tls-secret with the given key pair:
357 kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
358
359
360
361
363 kubectl-create-secret(1),
364
365
366
368 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
369 com) based on the kubernetes source material, but hopefully they have
370 been automatically generated since!
371
372
373
374Manuals User KUBERNETES(1)(kubernetes)