1OC ADM(1)                          June 2016                         OC ADM(1)
2
3
4

NAME

6       oc adm policy - Manage policy
7
8
9

SYNOPSIS

11       oc adm policy [OPTIONS]
12
13
14

DESCRIPTION

16       Manage policy on the cluster
17
18
19       These  commands  allow  you to assign and manage the roles and policies
20       that apply to users. The reconcile commands  allow  you  to  reset  and
21       upgrade your system policies to the latest default policies.
22
23
24       To  see  more  information  on  roles  and  policies, use the 'get' and
25       'describe' commands on the following resources: 'clusterroles',  'clus‐
26       terpolicy',  'clusterrolebindings',  'roles', 'policy', 'rolebindings',
27       and 'scc'.
28
29
30

OPTIONS INHERITED FROM PARENT COMMANDS

32       --allow_verification_with_non_compliant_keys=false
33           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
34       non-compliant with RFC6962.
35
36
37       --alsologtostderr=false
38           log to standard error as well as files
39
40
41       --application_metrics_count_limit=100
42           Max number of application metrics to store (per container)
43
44
45       --as=""
46           Username to impersonate for the operation
47
48
49       --as-group=[]
50           Group  to  impersonate for the operation, this flag can be repeated
51       to specify multiple groups.
52
53
54       --azure-container-registry-config=""
55           Path to the file containing Azure container registry  configuration
56       information.
57
58
59       --boot_id_file="/proc/sys/kernel/random/boot_id"
60           Comma-separated  list  of files to check for boot-id. Use the first
61       one that exists.
62
63
64       --cache-dir="/builddir/.kube/http-cache"
65           Default HTTP cache directory
66
67
68       --certificate-authority=""
69           Path to a cert file for the certificate authority
70
71
72       --client-certificate=""
73           Path to a client certificate file for TLS
74
75
76       --client-key=""
77           Path to a client key file for TLS
78
79
80       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
81           CIDRs opened in GCE firewall for LB traffic proxy and health checks
82
83
84       --cluster=""
85           The name of the kubeconfig cluster to use
86
87
88       --container_hints="/etc/cadvisor/container_hints.json"
89           location of the container hints file
90
91
92       --containerd="unix:///var/run/containerd.sock"
93           containerd endpoint
94
95
96       --context=""
97           The name of the kubeconfig context to use
98
99
100       --default-not-ready-toleration-seconds=300
101           Indicates    the    tolerationSeconds   of   the   toleration   for
102       notReady:NoExecute that is added by default to every pod that does  not
103       already have such a toleration.
104
105
106       --default-unreachable-toleration-seconds=300
107           Indicates  the  tolerationSeconds  of  the  toleration for unreach‐
108       able:NoExecute that is added by default to  every  pod  that  does  not
109       already have such a toleration.
110
111
112       --docker="unix:///var/run/docker.sock"
113           docker endpoint
114
115
116       --docker-tls=false
117           use TLS to connect to docker
118
119
120       --docker-tls-ca="ca.pem"
121           path to trusted CA
122
123
124       --docker-tls-cert="cert.pem"
125           path to client certificate
126
127
128       --docker-tls-key="key.pem"
129           path to private key
130
131
132       --docker_env_metadata_whitelist=""
133           a  comma-separated  list of environment variable keys that need to
134       be collected for docker containers
135
136
137       --docker_only=false
138           Only report docker containers in addition to root stats
139
140
141       --docker_root="/var/lib/docker"
142           DEPRECATED: docker root is read from docker info (this is  a  fall‐
143       back, default: /var/lib/docker)
144
145
146       --enable_load_reader=false
147           Whether to enable cpu load reader
148
149
150       --event_storage_age_limit="default=24h"
151           Max length of time for which to store events (per type). Value is a
152       comma separated list of key values, where  the  keys  are  event  types
153       (e.g.: creation, oom) or "default" and the value is a duration. Default
154       is applied to all non-specified event types
155
156
157       --event_storage_event_limit="default=100000"
158           Max number of events to store (per type). Value is  a  comma  sepa‐
159       rated  list  of  key values, where the keys are event types (e.g.: cre‐
160       ation, oom) or "default" and  the  value  is  an  integer.  Default  is
161       applied to all non-specified event types
162
163
164       --global_housekeeping_interval=0
165           Interval between global housekeepings
166
167
168       --housekeeping_interval=0
169           Interval between container housekeepings
170
171
172       --insecure-skip-tls-verify=false
173           If true, the server's certificate will not be checked for validity.
174       This will make your HTTPS connections insecure: without certificate
175       validation the client cannot confirm it is talking to the intended server.
176
177       --kubeconfig=""
178           Path to the kubeconfig file to use for CLI requests.
179
180
181       --log-flush-frequency=0
182           Maximum number of seconds between log flushes
183
184
185       --log_backtrace_at=:0
186           when logging hits line file:N, emit a stack trace
187
188
189       --log_cadvisor_usage=false
190           Whether to log the usage of the cAdvisor container
191
192
193       --log_dir=""
194           If non-empty, write log files in this directory
195
196
197       --logtostderr=true
198           log to standard error instead of files
199
200
201       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
202           Comma-separated list of files to  check  for  machine-id.  Use  the
203       first one that exists.
204
205
206       --match-server-version=false
207           Require server version to match client version
208
209
210       -n, --namespace=""
211           If present, the namespace scope for this CLI request
212
213
214       --request-timeout="0"
215           The  length  of  time  to  wait before giving up on a single server
216       request. Non-zero values should contain a corresponding time unit (e.g.
217       1s, 2m, 3h). A value of zero means don't timeout requests.
218
219
220       -s, --server=""
221           The address and port of the Kubernetes API server
222
223
224       --stderrthreshold=2
225           logs at or above this threshold go to stderr
226
227
228       --storage_driver_buffer_duration=0
229           Writes  in  the  storage driver will be buffered for this duration,
230       and committed to the non memory backends as a single transaction
231
232
233       --storage_driver_db="cadvisor"
234           database name
235
236
237       --storage_driver_host="localhost:8086"
238           database host:port
239
240
241       --storage_driver_password="root"
242           database password (the default shown is not a secret; set a unique value if the storage driver is used)
243
244
245       --storage_driver_secure=false
246           use secure connection with database
247
248
249       --storage_driver_table="stats"
250           table name
251
252
253       --storage_driver_user="root"
254           database username
255
256
257       --token=""
258           Bearer token for authentication to the API server. A token given on the
259       command line can be exposed through shell history and process listings.
260
261       --user=""
262           The name of the kubeconfig user to use
263
264
265       -v, --v=0
266           log level for V logs
267
268
269       --version=false
270           Print version information and quit
271
272
273       --vmodule=
274           comma-separated list of pattern=N settings for  file-filtered  log‐
275       ging
276
277
278

SEE ALSO

280       oc-adm(1),    oc-adm-policy-add-cluster-role-to-group(1),   oc-adm-pol‐
281       icy-add-cluster-role-to-user(1),    oc-adm-policy-add-role-to-group(1),
282       oc-adm-policy-add-role-to-user(1),   oc-adm-policy-add-scc-to-group(1),
283       oc-adm-policy-add-scc-to-user(1),         oc-adm-policy-reconcile-clus‐
284       ter-role-bindings(1),         oc-adm-policy-reconcile-cluster-roles(1),
285       oc-adm-policy-reconcile-sccs(1),             oc-adm-policy-remove-clus‐
286       ter-role-from-group(1), oc-adm-policy-remove-cluster-role-from-user(1),
287       oc-adm-policy-remove-group(1), oc-adm-policy-remove-role-from-group(1),
288       oc-adm-policy-remove-role-from-user(1),                     oc-adm-pol‐
289       icy-remove-scc-from-group(1),    oc-adm-policy-remove-scc-from-user(1),
290       oc-adm-policy-remove-user(1),  oc-adm-policy-scc-review(1), oc-adm-pol‐
291       icy-scc-subject-review(1), oc-adm-policy-who-can(1)
292
293
294

HISTORY

296       June 2016, Ported from the Kubernetes man-doc generator
297
298
299
300Openshift                  Openshift CLI User Manuals                OC ADM(1)