1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2Eric Paris Jan 2015
6
9 kubectl create secret tls - Create a TLS secret
10
14 kubectl create secret tls [OPTIONS]
15
19 Create a TLS secret from the given public/private key pair.
20 The public/private key pair must exist before hand. The public key cer‐
23 tificate must be .PEM encoded and match the given private key.
24
28 --allow-missing-template-keys=true If true, ignore any errors in
29 templates when a field or map key is missing in the template. Only ap‐
30 plies to golang and jsonpath output formats.
31 --append-hash=false Append a hash of the secret to its name.
34 --cert="" Path to PEM encoded public key certificate.
37 --dry-run="none" Must be "none", "server", or "client". If client
40 strategy, only print the object that would be sent, without sending it.
41 If server strategy, submit server-side request without persisting the
42 resource.
43 --field-manager="kubectl-create" Name of the manager used to track
46 field ownership.
47 --generator="secret-for-tls/v1" The name of the API generator to
50 use.
51 --key="" Path to private key associated with given certificate.
54 -o, --output="" Output format. One of: json|yaml|name|go-tem‐
57 plate|go-template-file|template|templatefile|jsonpath|json‐
58 path-as-json|jsonpath-file.
59 --save-config=false If true, the configuration of current object
62 will be saved in its annotation. Otherwise, the annotation will be un‐
63 changed. This flag is useful when you want to perform kubectl apply on
64 this object in the future.
65 --template="" Template string or path to template file to use when
68 -o=go-template, -o=go-template-file. The template format is golang tem‐
69 plates [http://golang.org/pkg/text/template/#pkg-overview].
70 --validate=true If true, use a schema to validate the input before
73 sending it
74
78 --add-dir-header=false If true, adds the file directory to the
79 header of the log messages
80 --alsologtostderr=false log to standard error as well as files
83 --application-metrics-count-limit=100 Max number of application
86 metrics to store (per container)
87 --as="" Username to impersonate for the operation
90 --as-group=[] Group to impersonate for the operation, this flag
93 can be repeated to specify multiple groups.
94 --azure-container-registry-config="" Path to the file containing
97 Azure container registry configuration information.
98 --boot-id-file="/proc/sys/kernel/random/boot_id" Comma-separated
101 list of files to check for boot-id. Use the first one that exists.
102 --cache-dir="/builddir/.kube/cache" Default cache directory
105 --certificate-authority="" Path to a cert file for the certificate
108 authority
109 --client-certificate="" Path to a client certificate file for TLS
112 --client-key="" Path to a client key file for TLS
115 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
118 CIDRs opened in GCE firewall for L7 LB traffic proxy health
119 checks
120 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
123 CIDRs opened in GCE firewall for L4 LB traffic proxy health
124 checks
125 --cluster="" The name of the kubeconfig cluster to use
128 --container-hints="/etc/cadvisor/container_hints.json" location of
131 the container hints file
132 --containerd="/run/containerd/containerd.sock" containerd endpoint
135 --containerd-namespace="k8s.io" containerd namespace
138 --context="" The name of the kubeconfig context to use
141 --default-not-ready-toleration-seconds=300 Indicates the tolera‐
144 tionSeconds of the toleration for notReady:NoExecute that is added by
145 default to every pod that does not already have such a toleration.
146 --default-unreachable-toleration-seconds=300 Indicates the tolera‐
149 tionSeconds of the toleration for unreachable:NoExecute that is added
150 by default to every pod that does not already have such a toleration.
151 --disable-root-cgroup-stats=false Disable collecting root Cgroup
154 stats
155 --docker="unix:///var/run/docker.sock" docker endpoint
158 --docker-env-metadata-whitelist="" a comma-separated list of envi‐
161 ronment variable keys matched with specified prefix that needs to be
162 collected for docker containers
163 --docker-only=false Only report docker containers in addition to
166 root stats
167 --docker-root="/var/lib/docker" DEPRECATED: docker root is read
170 from docker info (this is a fallback, default: /var/lib/docker)
171 --docker-tls=false use TLS to connect to docker
174 --docker-tls-ca="ca.pem" path to trusted CA
177 --docker-tls-cert="cert.pem" path to client certificate
180 --docker-tls-key="key.pem" path to private key
183 --enable-load-reader=false Whether to enable cpu load reader
186 --event-storage-age-limit="default=0" Max length of time for which
189 to store events (per type). Value is a comma separated list of key val‐
190 ues, where the keys are event types (e.g.: creation, oom) or "default"
191 and the value is a duration. Default is applied to all non-specified
192 event types
193 --event-storage-event-limit="default=0" Max number of events to
196 store (per type). Value is a comma separated list of key values, where
197 the keys are event types (e.g.: creation, oom) or "default" and the
198 value is an integer. Default is applied to all non-specified event
199 types
200 --global-housekeeping-interval=1m0s Interval between global house‐
203 keepings
204 --housekeeping-interval=10s Interval between container housekeep‐
207 ings
208 --insecure-skip-tls-verify=false If true, the server's certificate
211 will not be checked for validity. This will make your HTTPS connections
212 insecure
213 --kubeconfig="" Path to the kubeconfig file to use for CLI re‐
216 quests.
217 --log-backtrace-at=:0 when logging hits line file:N, emit a stack
220 trace
221 --log-cadvisor-usage=false Whether to log the usage of the cAdvi‐
224 sor container
225 --log-dir="" If non-empty, write log files in this directory
228 --log-file="" If non-empty, use this log file
231 --log-file-max-size=1800 Defines the maximum size a log file can
234 grow to. Unit is megabytes. If the value is 0, the maximum file size is
235 unlimited.
236 --log-flush-frequency=5s Maximum number of seconds between log
239 flushes
240 --logtostderr=true log to standard error instead of files
243 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
246 Comma-separated list of files to check for machine-id. Use the
247 first one that exists.
248 --match-server-version=false Require server version to match
251 client version
252 -n, --namespace="" If present, the namespace scope for this CLI
255 request
256 --one-output=false If true, only write logs to their native sever‐
259 ity level (vs also writing to each lower severity level
260 --password="" Password for basic authentication to the API server
263 --profile="none" Name of profile to capture. One of
266 (none|cpu|heap|goroutine|threadcreate|block|mutex)
267 --profile-output="profile.pprof" Name of the file to write the
270 profile to
271 --referenced-reset-interval=0 Reset interval for referenced bytes
274 (container_referenced_bytes metric), number of measurement cycles after
275 which referenced bytes are cleared, if set to 0 referenced bytes are
276 never cleared (default: 0)
277 --request-timeout="0" The length of time to wait before giving up
280 on a single server request. Non-zero values should contain a corre‐
281 sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
282 out requests.
283 -s, --server="" The address and port of the Kubernetes API server
286 --skip-headers=false If true, avoid header prefixes in the log
289 messages
290 --skip-log-headers=false If true, avoid headers when opening log
293 files
294 --stderrthreshold=2 logs at or above this threshold go to stderr
297 --storage-driver-buffer-duration=1m0s Writes in the storage driver
300 will be buffered for this duration, and committed to the non memory
301 backends as a single transaction
302 --storage-driver-db="cadvisor" database name
305 --storage-driver-host="localhost:8086" database host:port
308 --storage-driver-password="root" database password
311 --storage-driver-secure=false use secure connection with database
314 --storage-driver-table="stats" table name
317 --storage-driver-user="root" database username
320 --tls-server-name="" Server name to use for server certificate
323 validation. If it is not provided, the hostname used to contact the
324 server is used
325 --token="" Bearer token for authentication to the API server
328 --update-machine-info-interval=5m0s Interval between machine info
331 updates.
332 --user="" The name of the kubeconfig user to use
335 --username="" Username for basic authentication to the API server
338 -v, --v=0 number for the log level verbosity
341 --version=false Print version information and quit
344 --vmodule= comma-separated list of pattern=N settings for
347 file-filtered logging
348 --warnings-as-errors=false Treat warnings received from the server
351 as errors and exit with a non-zero exit code
352
356 # Create a new TLS secret named tls-secret with the given key pair:
357 kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
358
363 kubectl-create-secret(1),
364
368 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
369 com) based on the kubernetes source material, but hopefully they have
370 been automatically generated since!
371Manuals User KUBERNETES(1)(kubernetes)