KUBERNETES(1)(kubernetes)                          KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME
       kubectl set subject - Update User, Group or ServiceAccount in a
       RoleBinding/ClusterRoleBinding

SYNOPSIS
       kubectl set subject [OPTIONS]

DESCRIPTION
       Update User, Group or ServiceAccount in a
       RoleBinding/ClusterRoleBinding.

OPTIONS
       --all=false  Select all resources, including uninitialized ones, in
       the namespace of the specified resource types

       --allow-missing-template-keys=true  If true, ignore any errors in
       templates when a field or map key is missing in the template. Only
       applies to golang and jsonpath output formats.

       --dry-run="none"  Must be "none", "server", or "client". If client
       strategy, only print the object that would be sent, without sending
       it. If server strategy, submit server-side request without persisting
       the resource.

       --field-manager="kubectl-set"  Name of the manager used to track
       field ownership.

       -f, --filename=[]  Filename, directory, or URL to files identifying
       the resource whose subjects to update

       --group=[]  Groups to bind to the role

       -k, --kustomize=""  Process the kustomization directory. This flag
       can't be used together with -f or -R.

       --local=false  If true, set subject will NOT contact api-server but
       run locally.

       -o, --output=""  Output format. One of:
       json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.

       -R, --recursive=false  Process the directory used in -f, --filename
       recursively. Useful when you want to manage related manifests
       organized within the same directory.

       -l, --selector=""  Selector (label query) to filter on, not including
       uninitialized ones, supports '=', '==', and '!='. (e.g. -l
       key1=value1,key2=value2)

       --serviceaccount=[]  Service accounts to bind to the role

       --template=""  Template string or path to template file to use when
       -o=go-template, -o=go-template-file. The template format is golang
       templates [http://golang.org/pkg/text/template/#pkg-overview].

OPTIONS INHERITED FROM PARENT COMMANDS
       --add-dir-header=false  If true, adds the file directory to the
       header of the log messages

       --alsologtostderr=false  log to standard error as well as files

       --application-metrics-count-limit=100  Max number of application
       metrics to store (per container)

       --as=""  Username to impersonate for the operation

       --as-group=[]  Group to impersonate for the operation, this flag can
       be repeated to specify multiple groups.

       --azure-container-registry-config=""  Path to the file containing
       Azure container registry configuration information.

       --boot-id-file="/proc/sys/kernel/random/boot_id"  Comma-separated
       list of files to check for boot-id. Use the first one that exists.

       --cache-dir="/builddir/.kube/cache"  Default cache directory

       --certificate-authority=""  Path to a cert file for the certificate
       authority

       --client-certificate=""  Path to a client certificate file for TLS

       --client-key=""  Path to a client key file for TLS

       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
       CIDRs opened in GCE firewall for L7 LB traffic proxy health checks

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
       CIDRs opened in GCE firewall for L4 LB traffic proxy health checks

       --cluster=""  The name of the kubeconfig cluster to use

       --container-hints="/etc/cadvisor/container_hints.json"  location of
       the container hints file

       --containerd="/run/containerd/containerd.sock"  containerd endpoint

       --containerd-namespace="k8s.io"  containerd namespace

       --context=""  The name of the kubeconfig context to use

       --default-not-ready-toleration-seconds=300  Indicates the
       tolerationSeconds of the toleration for notReady:NoExecute that is
       added by default to every pod that does not already have such a
       toleration.

       --default-unreachable-toleration-seconds=300  Indicates the
       tolerationSeconds of the toleration for unreachable:NoExecute that is
       added by default to every pod that does not already have such a
       toleration.

       --disable-root-cgroup-stats=false  Disable collecting root Cgroup
       stats

       --docker="unix:///var/run/docker.sock"  docker endpoint

       --docker-env-metadata-whitelist=""  a comma-separated list of
       environment variable keys matched with specified prefix that needs to
       be collected for docker containers

       --docker-only=false  Only report docker containers in addition to
       root stats

       --docker-root="/var/lib/docker"  DEPRECATED: docker root is read from
       docker info (this is a fallback, default: /var/lib/docker)

       --docker-tls=false  use TLS to connect to docker

       --docker-tls-ca="ca.pem"  path to trusted CA

       --docker-tls-cert="cert.pem"  path to client certificate

       --docker-tls-key="key.pem"  path to private key

       --enable-load-reader=false  Whether to enable cpu load reader

       --event-storage-age-limit="default=0"  Max length of time for which
       to store events (per type). Value is a comma separated list of key
       values, where the keys are event types (e.g.: creation, oom) or
       "default" and the value is a duration. Default is applied to all
       non-specified event types

       --event-storage-event-limit="default=0"  Max number of events to
       store (per type). Value is a comma separated list of key values, where
       the keys are event types (e.g.: creation, oom) or "default" and the
       value is an integer. Default is applied to all non-specified event
       types

       --global-housekeeping-interval=1m0s  Interval between global
       housekeepings

       --housekeeping-interval=10s  Interval between container housekeepings

       --insecure-skip-tls-verify=false  If true, the server's certificate
       will not be checked for validity. This will make your HTTPS
       connections insecure

       --kubeconfig=""  Path to the kubeconfig file to use for CLI requests.

       --log-backtrace-at=:0  when logging hits line file:N, emit a stack
       trace

       --log-cadvisor-usage=false  Whether to log the usage of the cAdvisor
       container

       --log-dir=""  If non-empty, write log files in this directory

       --log-file=""  If non-empty, use this log file

       --log-file-max-size=1800  Defines the maximum size a log file can
       grow to. Unit is megabytes. If the value is 0, the maximum file size
       is unlimited.

       --log-flush-frequency=5s  Maximum number of seconds between log
       flushes

       --logtostderr=true  log to standard error instead of files

       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
       Comma-separated list of files to check for machine-id. Use the first
       one that exists.

       --match-server-version=false  Require server version to match client
       version

       -n, --namespace=""  If present, the namespace scope for this CLI
       request

       --one-output=false  If true, only write logs to their native severity
       level (vs also writing to each lower severity level)

       --password=""  Password for basic authentication to the API server

       --profile="none"  Name of profile to capture. One of
       (none|cpu|heap|goroutine|threadcreate|block|mutex)

       --profile-output="profile.pprof"  Name of the file to write the
       profile to

       --referenced-reset-interval=0  Reset interval for referenced bytes
       (container_referenced_bytes metric), number of measurement cycles
       after which referenced bytes are cleared, if set to 0 referenced bytes
       are never cleared (default: 0)

       --request-timeout="0"  The length of time to wait before giving up on
       a single server request. Non-zero values should contain a
       corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't
       timeout requests.

       -s, --server=""  The address and port of the Kubernetes API server

       --skip-headers=false  If true, avoid header prefixes in the log
       messages

       --skip-log-headers=false  If true, avoid headers when opening log
       files

       --stderrthreshold=2  logs at or above this threshold go to stderr

       --storage-driver-buffer-duration=1m0s  Writes in the storage driver
       will be buffered for this duration, and committed to the non memory
       backends as a single transaction

       --storage-driver-db="cadvisor"  database name

       --storage-driver-host="localhost:8086"  database host:port

       --storage-driver-password="root"  database password

       --storage-driver-secure=false  use secure connection with database

       --storage-driver-table="stats"  table name

       --storage-driver-user="root"  database username

       --tls-server-name=""  Server name to use for server certificate
       validation. If it is not provided, the hostname used to contact the
       server is used

       --token=""  Bearer token for authentication to the API server

       --update-machine-info-interval=5m0s  Interval between machine info
       updates.

       --user=""  The name of the kubeconfig user to use

       --username=""  Username for basic authentication to the API server

       -v, --v=0  number for the log level verbosity

       --version=false  Print version information and quit

       --vmodule=  comma-separated list of pattern=N settings for
       file-filtered logging

       --warnings-as-errors=false  Treat warnings received from the server
       as errors and exit with a non-zero exit code

EXAMPLE
         # Update a ClusterRoleBinding for serviceaccount1
         kubectl set subject clusterrolebinding admin --serviceaccount=namespace:serviceaccount1

         # Update a RoleBinding for user1, user2, and group1
         kubectl set subject rolebinding admin --user=user1 --user=user2 --group=group1

         # Print the result (in yaml format) of updating rolebinding subjects from a local file, without hitting the server
         kubectl create rolebinding admin --role=admin --user=admin -o yaml --dry-run=client | kubectl set subject --local -f - --user=foo -o yaml

SEE ALSO
       kubectl-set(1)

HISTORY
       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals                              User          KUBERNETES(1)(kubernetes)