1KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7

NAME

9       kubectl create secret tls - Create a TLS secret
10
11
12

SYNOPSIS

14       kubectl create secret tls [OPTIONS]
15
16
17

DESCRIPTION

19       Create a TLS secret from the given public/private key pair.
20
21
22       The public/private key pair must exist beforehand. The public key cer‐
23       tificate must be PEM encoded and match the given private key. The pair
24       is stored in the secret under the keys tls.crt and tls.key.
25
26

OPTIONS

28       --allow-missing-template-keys=true      If true, ignore any  errors  in
29       templates  when a field or map key is missing in the template. Only ap‐
30       plies to golang and jsonpath output formats.
31
32
33       --append-hash=false      Append a hash of the secret to its name.
34
35
36       --cert=""      Path to PEM encoded public key certificate.
37
38
39       --dry-run="none"      Must be "none", "server", or "client". If  client
40       strategy, only print the object that would be sent, without sending it.
41       If server strategy, submit server-side request without  persisting  the
42       resource.
43
44
45       --field-manager="kubectl-create"      Name of the manager used to track
46       field ownership.
47
48
49       --generator="secret-for-tls/v1"      The name of the API  generator  to
50       use.
51
52
53       --key=""      Path to private key associated with given certificate.
54
55
56       -o,  --output=""       Output  format.  One  of: json|yaml|name|go-tem‐
57       plate|go-template-file|template|templatefile|jsonpath|json‐
58       path-as-json|jsonpath-file.
59
60
61       --save-config=false       If  true, the configuration of current object
62       will be saved in its annotation. Otherwise, the annotation will be  un‐
63       changed.  This flag is useful when you want to perform kubectl apply on
64       this object in the future.
65
66
67       --template=""      Template string or path to template file to use when
68       -o=go-template, -o=go-template-file. The template format is golang tem‐
69       plates [http://golang.org/pkg/text/template/#pkg-overview].
70
71
72       --validate=true      If true, use a schema to validate the input before
73       sending it
74
75
76

OPTIONS INHERITED FROM PARENT COMMANDS

78       --add-dir-header=false       If  true,  adds  the file directory to the
79       header of the log messages
80
81
82       --alsologtostderr=false      log to standard error as well as files
83
84
85       --application-metrics-count-limit=100      Max  number  of  application
86       metrics to store (per container)
87
88
89       --as=""      Username to impersonate for the operation
90
91
92       --as-group=[]       Group  to  impersonate for the operation, this flag
93       can be repeated to specify multiple groups.
94
95
96       --azure-container-registry-config=""      Path to the  file  containing
97       Azure container registry configuration information.
98
99
100       --boot-id-file="/proc/sys/kernel/random/boot_id"        Comma-separated
101       list of files to check for boot-id. Use the first one that exists.
102
103
104       --cache-dir="/builddir/.kube/cache"      Default cache directory
105
106
107       --certificate-authority=""      Path to a cert file for the certificate
108       authority
109
110
111       --client-certificate=""      Path to a client certificate file for TLS
112
113
114       --client-key=""      Path to a client key file for TLS
115
116
117       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
118            CIDRs opened in GCE firewall for  L7  LB  traffic  proxy    health
119       checks
120
121
122       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
123            CIDRs opened in GCE firewall for  L4  LB  traffic  proxy    health
124       checks
125
126
127       --cluster=""      The name of the kubeconfig cluster to use
128
129
130       --container-hints="/etc/cadvisor/container_hints.json"      location of
131       the container hints file
132
133
134       --containerd="/run/containerd/containerd.sock"      containerd endpoint
135
136
137       --containerd-namespace="k8s.io"      containerd namespace
138
139
140       --context=""      The name of the kubeconfig context to use
141
142
143       --default-not-ready-toleration-seconds=300      Indicates  the  tolera‐
144       tionSeconds  of  the toleration for notReady:NoExecute that is added by
145       default to every pod that does not already have such a toleration.
146
147
148       --default-unreachable-toleration-seconds=300      Indicates the tolera‐
149       tionSeconds  of  the toleration for unreachable:NoExecute that is added
150       by default to every pod that does not already have such a toleration.
151
152
153       --disable-root-cgroup-stats=false      Disable collecting  root  Cgroup
154       stats
155
156
157       --docker="unix:///var/run/docker.sock"      docker endpoint
158
159
160       --docker-env-metadata-whitelist=""      a comma-separated list of envi‐
161       ronment variable keys matched with specified prefix that  needs  to  be
162       collected for docker containers
163
164
165       --docker-only=false       Only  report docker containers in addition to
166       root stats
167
168
169       --docker-root="/var/lib/docker"      DEPRECATED: docker  root  is  read
170       from docker info (this is a fallback, default: /var/lib/docker)
171
172
173       --docker-tls=false      use TLS to connect to docker
174
175
176       --docker-tls-ca="ca.pem"      path to trusted CA
177
178
179       --docker-tls-cert="cert.pem"      path to client certificate
180
181
182       --docker-tls-key="key.pem"      path to private key
183
184
185       --enable-load-reader=false      Whether to enable cpu load reader
186
187
188       --event-storage-age-limit="default=0"      Max length of time for which
189       to store events (per type). Value is a comma separated list of key val‐
190       ues,  where the keys are event types (e.g.: creation, oom) or "default"
191       and the value is a duration. Default is applied  to  all  non-specified
192       event types
193
194
195       --event-storage-event-limit="default=0"       Max  number  of events to
196       store (per type). Value is a comma separated list of key values,  where
197       the  keys  are  event  types (e.g.: creation, oom) or "default" and the
198       value is an integer. Default is  applied  to  all  non-specified  event
199       types
200
201
202       --global-housekeeping-interval=1m0s      Interval between global house‐
203       keepings
204
205
206       --housekeeping-interval=10s      Interval between container  housekeep‐
207       ings
208
209
210       --insecure-skip-tls-verify=false      If true, the server's certificate
211       will not be checked for validity. This makes your HTTPS connections
212       insecure, because the identity of the API server is not verified.
213
214
215       --kubeconfig=""       Path  to  the  kubeconfig file to use for CLI re‐
216       quests.
217
218
219       --log-backtrace-at=:0      when logging hits line file:N, emit a  stack
220       trace
221
222
223       --log-cadvisor-usage=false       Whether to log the usage of the cAdvi‐
224       sor container
225
226
227       --log-dir=""      If non-empty, write log files in this directory
228
229
230       --log-file=""      If non-empty, use this log file
231
232
233       --log-file-max-size=1800      Defines the maximum size a log  file  can
234       grow to. Unit is megabytes. If the value is 0, the maximum file size is
235       unlimited.
236
237
238       --log-flush-frequency=5s      Maximum number  of  seconds  between  log
239       flushes
240
241
242       --logtostderr=true      log to standard error instead of files
243
244
245       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
246            Comma-separated list of files to check  for  machine-id.  Use  the
247       first one that exists.
248
249
250       --match-server-version=false        Require  server  version  to  match
251       client version
252
253
254       -n, --namespace=""      If present, the namespace scope  for  this  CLI
255       request
256
257
258       --one-output=false      If true, only write logs to their native sever‐
259       ity level (vs also writing to each lower severity level)
260
261
262       --password=""      Password for basic authentication to the API server.
263       Command-line values may appear in shell history and process listings.
264
265       --profile="none"        Name   of   profile   to   capture.   One    of
266       (none|cpu|heap|goroutine|threadcreate|block|mutex)
267
268
269       --profile-output="profile.pprof"       Name  of  the  file to write the
270       profile to
271
272
273       --referenced-reset-interval=0      Reset interval for referenced  bytes
274       (container_referenced_bytes metric), number of measurement cycles after
275       which referenced bytes are cleared, if set to 0  referenced  bytes  are
276       never cleared (default: 0)
277
278
279       --request-timeout="0"       The length of time to wait before giving up
280       on a single server request. Non-zero values  should  contain  a  corre‐
281       sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
282       out requests.
283
284
285       -s, --server=""      The address and port of the Kubernetes API server
286
287
288       --skip-headers=false      If true, avoid header  prefixes  in  the  log
289       messages
290
291
292       --skip-log-headers=false       If  true, avoid headers when opening log
293       files
294
295
296       --stderrthreshold=2      logs at or above this threshold go to stderr
297
298
299       --storage-driver-buffer-duration=1m0s      Writes in the storage driver
300       will  be  buffered  for  this duration, and committed to the non memory
301       backends as a single transaction
302
303
304       --storage-driver-db="cadvisor"      database name
305
306
307       --storage-driver-host="localhost:8086"      database host:port
308
309
310       --storage-driver-password="root"      database password
311
312
313       --storage-driver-secure=false      use secure connection with database
314
315
316       --storage-driver-table="stats"      table name
317
318
319       --storage-driver-user="root"      database username
320
321
322       --tls-server-name=""      Server name to  use  for  server  certificate
323       validation.  If  it  is  not provided, the hostname used to contact the
324       server is used
325
326
327       --token=""      Bearer token for authentication to the API server.
328       Command-line values may appear in shell history and process listings.
329
330       --update-machine-info-interval=5m0s      Interval between machine  info
331       updates.
332
333
334       --user=""      The name of the kubeconfig user to use
335
336
337       --username=""      Username for basic authentication to the API server
338
339
340       -v, --v=0      number for the log level verbosity
341
342
343       --version=false      Print version information and quit
344
345
346       --vmodule=        comma-separated   list   of  pattern=N  settings  for
347       file-filtered logging
348
349
350       --warnings-as-errors=false      Treat warnings received from the server
351       as errors and exit with a non-zero exit code
352
353
354

EXAMPLE

356                # Create a new TLS secret named tls-secret with the given key pair:
357                kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
358
359
360
361

SEE ALSO

363       kubectl-create-secret(1),
364
365
366

HISTORY

368       January  2015,  Originally compiled by Eric Paris (eparis at redhat dot
369       com) based on the kubernetes source material, but hopefully  they  have
370       been automatically generated since!
371
372
373
374Manuals                              User            KUBERNETES(1)(kubernetes)