1KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7

NAME

9       kubectl  set  subject  -  Update  User,  Group  or  ServiceAccount in a
10       RoleBinding/ClusterRoleBinding
11
12
13

SYNOPSIS

15       kubectl set subject [OPTIONS]
16
17
18

DESCRIPTION

20       Update User, Group or ServiceAccount in a  RoleBinding/ClusterRoleBind‐
21       ing.
22
23
24

OPTIONS

26       --all=false      Select all resources, including uninitialized ones, in
27       the namespace of the specified resource types
28
29
30       --allow-missing-template-keys=true      If true, ignore any  errors  in
31       templates  when a field or map key is missing in the template. Only ap‐
32       plies to golang and jsonpath output formats.
33
34
35       --dry-run="none"      Must be "none", "server", or "client". If  client
36       strategy, only print the object that would be sent, without sending it.
37       If server strategy, submit server-side request without  persisting  the
38       resource.
39
40
41       --field-manager="kubectl-set"       Name  of  the manager used to track
42       field ownership.
43
44
45       -f, --filename=[]      Filename, directory, or URL  to  files  the  re‐
46       source to update the subjects
47
48
49       --group=[]      Groups to bind to the role
50
51
52       -k,  --kustomize=""      Process the kustomization directory. This flag
53       can't be used together with -f or -R.
54
55
56       --local=false      If true, set subject will NOT contact api-server but
57       run locally.
58
59
60       -o,  --output=""       Output  format.  One  of: json|yaml|name|go-tem‐
61       plate|go-template-file|template|templatefile|jsonpath|json‐
62       path-as-json|jsonpath-file.
63
64
65       -R, --recursive=false      Process the directory used in -f, --filename
66       recursively. Useful when you want to manage related manifests organized
67       within the same directory.
68
69
70       -l, --selector=""      Selector (label query) to filter on, not includ‐
71       ing  uninitialized  ones,  supports  '=',  '==',  and   '!='.(e.g.   -l
72       key1=value1,key2=value2)
73
74
75       --serviceaccount=[]      Service accounts to bind to the role
76
77
78       --template=""      Template string or path to template file to use when
79       -o=go-template, -o=go-template-file. The template format is golang tem‐
80       plates [http://golang.org/pkg/text/template/#pkg-overview].
81
82
83

OPTIONS INHERITED FROM PARENT COMMANDS

85       --add-dir-header=false       If  true,  adds  the file directory to the
86       header of the log messages
87
88
89       --alsologtostderr=false      log to standard error as well as files
90
91
92       --application-metrics-count-limit=100      Max  number  of  application
93       metrics to store (per container)
94
95
96       --as=""      Username to impersonate for the operation
97
98
99       --as-group=[]       Group  to  impersonate for the operation, this flag
100       can be repeated to specify multiple groups.
101
102
103       --azure-container-registry-config=""      Path to the  file  containing
104       Azure container registry configuration information.
105
106
107       --boot-id-file="/proc/sys/kernel/random/boot_id"        Comma-separated
108       list of files to check for boot-id. Use the first one that exists.
109
110
111       --cache-dir="/builddir/.kube/cache"      Default cache directory
112
113
114       --certificate-authority=""      Path to a cert file for the certificate
115       authority
116
117
118       --client-certificate=""      Path to a client certificate file for TLS
119
120
121       --client-key=""      Path to a client key file for TLS
122
123
124       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
125            CIDRs opened in GCE firewall for  L7  LB  traffic  proxy    health
126       checks
127
128
129       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
130            CIDRs opened in GCE firewall for  L4  LB  traffic  proxy    health
131       checks
132
133
134       --cluster=""      The name of the kubeconfig cluster to use
135
136
137       --container-hints="/etc/cadvisor/container_hints.json"      location of
138       the container hints file
139
140
141       --containerd="/run/containerd/containerd.sock"      containerd endpoint
142
143
144       --containerd-namespace="k8s.io"      containerd namespace
145
146
147       --context=""      The name of the kubeconfig context to use
148
149
150       --default-not-ready-toleration-seconds=300      Indicates  the  tolera‐
151       tionSeconds  of  the toleration for notReady:NoExecute that is added by
152       default to every pod that does not already have such a toleration.
153
154
155       --default-unreachable-toleration-seconds=300      Indicates the tolera‐
156       tionSeconds  of  the toleration for unreachable:NoExecute that is added
157       by default to every pod that does not already have such a toleration.
158
159
160       --disable-root-cgroup-stats=false      Disable collecting  root  Cgroup
161       stats
162
163
164       --docker="unix:///var/run/docker.sock"      docker endpoint
165
166
167       --docker-env-metadata-whitelist=""      a comma-separated list of envi‐
168       ronment variable keys matched with specified prefix that  needs  to  be
169       collected for docker containers
170
171
172       --docker-only=false       Only  report docker containers in addition to
173       root stats
174
175
176       --docker-root="/var/lib/docker"      DEPRECATED: docker  root  is  read
177       from docker info (this is a fallback, default: /var/lib/docker)
178
179
180       --docker-tls=false      use TLS to connect to docker
181
182
183       --docker-tls-ca="ca.pem"      path to trusted CA
184
185
186       --docker-tls-cert="cert.pem"      path to client certificate
187
188
189       --docker-tls-key="key.pem"      path to private key
190
191
192       --enable-load-reader=false      Whether to enable cpu load reader
193
194
195       --event-storage-age-limit="default=0"      Max length of time for which
196       to store events (per type). Value is a comma separated list of key val‐
197       ues,  where the keys are event types (e.g.: creation, oom) or "default"
198       and the value is a duration. Default is applied  to  all  non-specified
199       event types
200
201
202       --event-storage-event-limit="default=0"       Max  number  of events to
203       store (per type). Value is a comma separated list of key values,  where
204       the  keys  are  event  types (e.g.: creation, oom) or "default" and the
205       value is an integer. Default is  applied  to  all  non-specified  event
206       types
207
208
209       --global-housekeeping-interval=1m0s      Interval between global house‐
210       keepings
211
212
213       --housekeeping-interval=10s      Interval between container  housekeep‐
214       ings
215
216
217       --insecure-skip-tls-verify=false      If true, the server's certificate
218       will not be checked for validity. This will make your HTTPS connections
219       insecure
220
221
222       --kubeconfig=""       Path  to  the  kubeconfig file to use for CLI re‐
223       quests.
224
225
226       --log-backtrace-at=:0      when logging hits line file:N, emit a  stack
227       trace
228
229
230       --log-cadvisor-usage=false       Whether to log the usage of the cAdvi‐
231       sor container
232
233
234       --log-dir=""      If non-empty, write log files in this directory
235
236
237       --log-file=""      If non-empty, use this log file
238
239
240       --log-file-max-size=1800      Defines the maximum size a log  file  can
241       grow to. Unit is megabytes. If the value is 0, the maximum file size is
242       unlimited.
243
244
245       --log-flush-frequency=5s      Maximum number  of  seconds  between  log
246       flushes
247
248
249       --logtostderr=true      log to standard error instead of files
250
251
252       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
253            Comma-separated list of files to check  for  machine-id.  Use  the
254       first one that exists.
255
256
257       --match-server-version=false        Require  server  version  to  match
258       client version
259
260
261       -n, --namespace=""      If present, the namespace scope  for  this  CLI
262       request
263
264
265       --one-output=false      If true, only write logs to their native sever‐
266       ity level (vs also writing to each lower severity level
267
268
269       --password=""      Password for basic authentication to the API server
270
271
272       --profile="none"        Name   of   profile   to   capture.   One    of
273       (none|cpu|heap|goroutine|threadcreate|block|mutex)
274
275
276       --profile-output="profile.pprof"       Name  of  the  file to write the
277       profile to
278
279
280       --referenced-reset-interval=0      Reset interval for referenced  bytes
281       (container_referenced_bytes metric), number of measurement cycles after
282       which referenced bytes are cleared, if set to 0  referenced  bytes  are
283       never cleared (default: 0)
284
285
286       --request-timeout="0"       The length of time to wait before giving up
287       on a single server request. Non-zero values  should  contain  a  corre‐
288       sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
289       out requests.
290
291
292       -s, --server=""      The address and port of the Kubernetes API server
293
294
295       --skip-headers=false      If true, avoid header  prefixes  in  the  log
296       messages
297
298
299       --skip-log-headers=false       If  true, avoid headers when opening log
300       files
301
302
303       --stderrthreshold=2      logs at or above this threshold go to stderr
304
305
306       --storage-driver-buffer-duration=1m0s      Writes in the storage driver
307       will  be  buffered  for  this duration, and committed to the non memory
308       backends as a single transaction
309
310
311       --storage-driver-db="cadvisor"      database name
312
313
314       --storage-driver-host="localhost:8086"      database host:port
315
316
317       --storage-driver-password="root"      database password
318
319
320       --storage-driver-secure=false      use secure connection with database
321
322
323       --storage-driver-table="stats"      table name
324
325
326       --storage-driver-user="root"      database username
327
328
329       --tls-server-name=""      Server name to  use  for  server  certificate
330       validation.  If  it  is  not provided, the hostname used to contact the
331       server is used
332
333
334       --token=""      Bearer token for authentication to the API server
335
336
337       --update-machine-info-interval=5m0s      Interval between machine  info
338       updates.
339
340
341       --user=""      The name of the kubeconfig user to use
342
343
344       --username=""      Username for basic authentication to the API server
345
346
347       -v, --v=0      number for the log level verbosity
348
349
350       --version=false      Print version information and quit
351
352
353       --vmodule=        comma-separated   list   of  pattern=N  settings  for
354       file-filtered logging
355
356
357       --warnings-as-errors=false      Treat warnings received from the server
358       as errors and exit with a non-zero exit code
359
360
361

EXAMPLE

363                # Update a ClusterRoleBinding for serviceaccount1
364                kubectl set subject clusterrolebinding admin --serviceaccount=namespace:serviceaccount1
365
366                # Update a RoleBinding for user1, user2, and group1
367                kubectl set subject rolebinding admin --user=user1 --user=user2 --group=group1
368
369                # Print the result (in yaml format) of updating rolebinding subjects from a local, without hitting the server
370                kubectl create rolebinding admin --role=admin --user=admin -o yaml --dry-run=client | kubectl set subject --local -f - --user=foo -o yaml
371
372
373
374

SEE ALSO

376       kubectl-set(1),
377
378
379

HISTORY

381       January  2015,  Originally compiled by Eric Paris (eparis at redhat dot
382       com) based on the kubernetes source material, but hopefully  they  have
383       been automatically generated since!
384
385
386
387Manuals                              User            KUBERNETES(1)(kubernetes)
Impressum