OC POLICY(1)                       June 2016                      OC POLICY(1)

NAME

       oc policy add-role-to-user - Add a role to users or serviceaccounts for
       the current project

SYNOPSIS

       oc policy add-role-to-user [OPTIONS]

DESCRIPTION

       Add a role to users or service accounts for the current project

       This command allows you to grant a user access to specific resources
       and actions within the current project by assigning them to a role. It
       creates or modifies a RoleBinding referencing the specified role, adding
       the user(s) or serviceaccount(s) to the list of subjects. The command
       does not require that the matching role or user/serviceaccount
       resources exist, and will create the binding successfully even when the
       role or user/serviceaccount does not exist or when the user does not
       have access to view them.

       If the --rolebinding-name argument is supplied, the command looks for an
       existing rolebinding with that name. The role on the matching
       rolebinding MUST match the role name supplied to the command. If no
       rolebinding name is given, a default name is used. When the
       --role-namespace argument is specified as a non-empty value, it MUST
       match the current namespace. When --role-namespace is specified, the
       rolebinding references a namespaced Role. Otherwise, the rolebinding
       references a ClusterRole resource.

       To learn more, see information about RBAC and policy, or use the 'get'
       and 'describe' commands on the following resources: 'clusterroles',
       'clusterrolebindings', 'roles', 'rolebindings', 'users', 'groups', and
       'serviceaccounts'.
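
       Because the command creates the binding even when the role or subject
       does not exist, a mistyped name goes unnoticed. The wrapper below is an
       added example, not part of the original manual or of oc: it checks the
       role, the subject and the --role-namespace rule before granting.
       add_role_checked is a hypothetical helper name; it assumes that
       'oc project -q' prints the current project name and that the caller is
       allowed to view the role and subject being checked.

```shell
# Added example: pre-flight checks in front of 'oc policy add-role-to-user'.
# add_role_checked is a hypothetical helper name, not an oc subcommand.
# Usage: add_role_checked ROLE user|serviceaccount NAME [ROLE_NAMESPACE]
add_role_checked() {
    role=$1 kind=$2 name=$3 role_ns=${4:-}

    # The binding is always created in the current project.
    project=$(oc project -q) || { echo "no current project" >&2; return 1; }

    if [ -n "$role_ns" ]; then
        # A non-empty --role-namespace MUST match the current namespace,
        # and makes the binding reference a namespaced Role.
        if [ "$role_ns" != "$project" ]; then
            echo "role namespace '$role_ns' is not current project '$project'" >&2
            return 2
        fi
        oc get role "$role" -n "$project" >/dev/null 2>&1 || {
            echo "Role '$role' not found in '$project'" >&2; return 3; }
        set -- "--role-namespace=$role_ns"   # extra flag for the grant below
    else
        # Without --role-namespace the binding references a ClusterRole.
        oc get clusterrole "$role" >/dev/null 2>&1 || {
            echo "ClusterRole '$role' not found" >&2; return 3; }
        set --
    fi

    case $kind in
        user)
            # Fails closed when the caller is not allowed to view users.
            oc get user "$name" >/dev/null 2>&1 || {
                echo "user '$name' not found or not visible" >&2; return 4; }
            oc policy add-role-to-user "$@" "$role" "$name" ;;
        serviceaccount)
            # -z names a service account in the current namespace.
            oc get serviceaccount "$name" -n "$project" >/dev/null 2>&1 || {
                echo "serviceaccount '$name' not found in '$project'" >&2
                return 4; }
            oc policy add-role-to-user "$@" "$role" -z "$name" ;;
        *)
            echo "kind must be 'user' or 'serviceaccount'" >&2; return 64 ;;
    esac
}
```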

OPTIONS

       --allow-missing-template-keys=true
           If true, ignore any errors in templates when a field or map key is
           missing in the template. Only applies to golang and jsonpath output
           formats.

       --dry-run=false
           If true, only print the object that would be sent, without sending
           it.

       --no-headers=false
           When using the default or custom-column output format, don't print
           headers (default print headers).

       -o, --output=""
           Output format. One of:
           json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=...
           See custom columns
           [⟨http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns⟩],
           golang template [⟨http://golang.org/pkg/text/template/#pkg-overview⟩]
           and jsonpath template
           [⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].

       --role-namespace=""
           namespace where the role is located: empty means a role defined in
           cluster policy

       --rolebinding-name=""
           Name of the rolebinding to modify or create. If left empty creates
           a new rolebinding with a default name

       -z, --serviceaccount=[]
           service account in the current namespace to use as a user

       --show-labels=false
           When printing, show all labels as the last column (default hide
           labels column)

       --sort-by=""
           If non-empty, sort list types using this field specification. The
           field specification is expressed as a JSONPath expression (e.g.
           '{.metadata.name}'). The field in the API resource specified by
           this JSONPath expression must be an integer or a string.

       --template=""
           Template string or path to template file to use when
           -o=go-template, -o=go-template-file. The template format is golang
           templates [⟨http://golang.org/pkg/text/template/#pkg-overview⟩].

OPTIONS INHERITED FROM PARENT COMMANDS

       --allow_verification_with_non_compliant_keys=false
           Allow a SignatureVerifier to use keys which are technically
           non-compliant with RFC6962.

       --alsologtostderr=false
           log to standard error as well as files

       --application_metrics_count_limit=100
           Max number of application metrics to store (per container)

       --as=""
           Username to impersonate for the operation

       --as-group=[]
           Group to impersonate for the operation, this flag can be repeated
           to specify multiple groups.

       --azure-container-registry-config=""
           Path to the file containing Azure container registry configuration
           information.

       --boot_id_file="/proc/sys/kernel/random/boot_id"
           Comma-separated list of files to check for boot-id. Use the first
           one that exists.

       --cache-dir="/builddir/.kube/http-cache"
           Default HTTP cache directory

       --certificate-authority=""
           Path to a cert file for the certificate authority

       --client-certificate=""
           Path to a client certificate file for TLS

       --client-key=""
           Path to a client key file for TLS

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
           CIDRs opened in GCE firewall for LB traffic proxy health checks

       --cluster=""
           The name of the kubeconfig cluster to use

       --container_hints="/etc/cadvisor/container_hints.json"
           location of the container hints file

       --containerd="unix:///var/run/containerd.sock"
           containerd endpoint

       --context=""
           The name of the kubeconfig context to use

       --default-not-ready-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           notReady:NoExecute that is added by default to every pod that does
           not already have such a toleration.

       --default-unreachable-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           unreachable:NoExecute that is added by default to every pod that
           does not already have such a toleration.

       --docker="unix:///var/run/docker.sock"
           docker endpoint

       --docker-tls=false
           use TLS to connect to docker

       --docker-tls-ca="ca.pem"
           path to trusted CA

       --docker-tls-cert="cert.pem"
           path to client certificate

       --docker-tls-key="key.pem"
           path to private key

       --docker_env_metadata_whitelist=""
           a comma-separated list of environment variable keys that needs to
           be collected for docker containers

       --docker_only=false
           Only report docker containers in addition to root stats

       --docker_root="/var/lib/docker"
           DEPRECATED: docker root is read from docker info (this is a
           fallback, default: /var/lib/docker)

       --enable_load_reader=false
           Whether to enable cpu load reader

       --event_storage_age_limit="default=24h"
           Max length of time for which to store events (per type). Value is a
           comma separated list of key values, where the keys are event types
           (e.g.: creation, oom) or "default" and the value is a duration.
           Default is applied to all non-specified event types

       --event_storage_event_limit="default=100000"
           Max number of events to store (per type). Value is a comma
           separated list of key values, where the keys are event types (e.g.:
           creation, oom) or "default" and the value is an integer. Default is
           applied to all non-specified event types

       --global_housekeeping_interval=0
           Interval between global housekeepings

       --housekeeping_interval=0
           Interval between container housekeepings

       --insecure-skip-tls-verify=false
           If true, the server's certificate will not be checked for validity.
           This will make your HTTPS connections insecure

       --kubeconfig=""
           Path to the kubeconfig file to use for CLI requests.

       --log-flush-frequency=0
           Maximum number of seconds between log flushes

       --log_backtrace_at=:0
           when logging hits line file:N, emit a stack trace

       --log_cadvisor_usage=false
           Whether to log the usage of the cAdvisor container

       --log_dir=""
           If non-empty, write log files in this directory

       --logtostderr=true
           log to standard error instead of files

       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
           Comma-separated list of files to check for machine-id. Use the
           first one that exists.

       --match-server-version=false
           Require server version to match client version

       -n, --namespace=""
           If present, the namespace scope for this CLI request

       --request-timeout="0"
           The length of time to wait before giving up on a single server
           request. Non-zero values should contain a corresponding time unit
           (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

       -s, --server=""
           The address and port of the Kubernetes API server

       --stderrthreshold=2
           logs at or above this threshold go to stderr

       --storage_driver_buffer_duration=0
           Writes in the storage driver will be buffered for this duration,
           and committed to the non memory backends as a single transaction

       --storage_driver_db="cadvisor"
           database name

       --storage_driver_host="localhost:8086"
           database host:port

       --storage_driver_password="root"
           database password

       --storage_driver_secure=false
           use secure connection with database

       --storage_driver_table="stats"
           table name

       --storage_driver_user="root"
           database username

       --token=""
           Bearer token for authentication to the API server

       --user=""
           The name of the kubeconfig user to use

       -v, --v=0
           log level for V logs

       --version=false
           Print version information and quit

       --vmodule=
           comma-separated list of pattern=N settings for file-filtered
           logging

EXAMPLE

                # Add the 'view' role to user1 for the current project
                oc policy add-role-to-user view user1

                # Add the 'edit' role to serviceaccount1 for the current project
                oc policy add-role-to-user edit -z serviceaccount1

SEE ALSO

       oc-policy(1),

HISTORY

       June 2016, Ported from the Kubernetes man-doc generator

Openshift                  Openshift CLI User Manuals             OC POLICY(1)