1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2Eric Paris Jan 2015
6
9 kubectl create clusterrole - Create a ClusterRole.
10
14 kubectl create clusterrole [OPTIONS]
15
19 Create a ClusterRole.
20
24 --aggregation-rule= An aggregation label selector for combining
25 ClusterRoles.
26 --allow-missing-template-keys=true If true, ignore any errors in
29 templates when a field or map key is missing in the template. Only ap‐
30 plies to golang and jsonpath output formats.
31 --dry-run="none" Must be "none", "server", or "client". If client
34 strategy, only print the object that would be sent, without sending it.
35 If server strategy, submit server-side request without persisting the
36 resource.
37 --field-manager="kubectl-create" Name of the manager used to track
40 field ownership.
41 --non-resource-url=[] A partial url that user should have access
44 to.
45 -o, --output="" Output format. One of: json|yaml|name|go-tem‐
48 plate|go-template-file|template|templatefile|jsonpath|json‐
49 path-as-json|jsonpath-file.
50 --resource=[] Resource that the rule applies to
53 --resource-name=[] Resource in the white list that the rule ap‐
56 plies to, repeat this flag for multiple items
57 --save-config=false If true, the configuration of current object
60 will be saved in its annotation. Otherwise, the annotation will be un‐
61 changed. This flag is useful when you want to perform kubectl apply on
62 this object in the future.
63 --show-managed-fields=false If true, keep the managedFields when
66 printing objects in JSON or YAML format.
67 --template="" Template string or path to template file to use when
70 -o=go-template, -o=go-template-file. The template format is golang tem‐
71 plates [http://golang.org/pkg/text/template/#pkg-overview].
72 --validate=true If true, use a schema to validate the input before
75 sending it
76 --verb=[] Verb that applies to the resources contained in the rule
79
83 --add-dir-header=false If true, adds the file directory to the
84 header of the log messages
85 --alsologtostderr=false log to standard error as well as files
88 --application-metrics-count-limit=100 Max number of application
91 metrics to store (per container)
92 --as="" Username to impersonate for the operation
95 --as-group=[] Group to impersonate for the operation, this flag
98 can be repeated to specify multiple groups.
99 --azure-container-registry-config="" Path to the file containing
102 Azure container registry configuration information.
103 --boot-id-file="/proc/sys/kernel/random/boot_id" Comma-separated
106 list of files to check for boot-id. Use the first one that exists.
107 --cache-dir="/builddir/.kube/cache" Default cache directory
110 --certificate-authority="" Path to a cert file for the certificate
113 authority
114 --client-certificate="" Path to a client certificate file for TLS
117 --client-key="" Path to a client key file for TLS
120 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
123 CIDRs opened in GCE firewall for L7 LB traffic proxy health
124 checks
125 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
128 CIDRs opened in GCE firewall for L4 LB traffic proxy health
129 checks
130 --cluster="" The name of the kubeconfig cluster to use
133 --container-hints="/etc/cadvisor/container_hints.json" location of
136 the container hints file
137 --containerd="/run/containerd/containerd.sock" containerd endpoint
140 --containerd-namespace="k8s.io" containerd namespace
143 --context="" The name of the kubeconfig context to use
146 --default-not-ready-toleration-seconds=300 Indicates the tolera‐
149 tionSeconds of the toleration for notReady:NoExecute that is added by
150 default to every pod that does not already have such a toleration.
151 --default-unreachable-toleration-seconds=300 Indicates the tolera‐
154 tionSeconds of the toleration for unreachable:NoExecute that is added
155 by default to every pod that does not already have such a toleration.
156 --disable-root-cgroup-stats=false Disable collecting root Cgroup
159 stats
160 --docker="unix:///var/run/docker.sock" docker endpoint
163 --docker-env-metadata-whitelist="" a comma-separated list of envi‐
166 ronment variable keys matched with specified prefix that needs to be
167 collected for docker containers
168 --docker-only=false Only report docker containers in addition to
171 root stats
172 --docker-root="/var/lib/docker" DEPRECATED: docker root is read
175 from docker info (this is a fallback, default: /var/lib/docker)
176 --docker-tls=false use TLS to connect to docker
179 --docker-tls-ca="ca.pem" path to trusted CA
182 --docker-tls-cert="cert.pem" path to client certificate
185 --docker-tls-key="key.pem" path to private key
188 --enable-load-reader=false Whether to enable cpu load reader
191 --event-storage-age-limit="default=0" Max length of time for which
194 to store events (per type). Value is a comma separated list of key val‐
195 ues, where the keys are event types (e.g.: creation, oom) or "default"
196 and the value is a duration. Default is applied to all non-specified
197 event types
198 --event-storage-event-limit="default=0" Max number of events to
201 store (per type). Value is a comma separated list of key values, where
202 the keys are event types (e.g.: creation, oom) or "default" and the
203 value is an integer. Default is applied to all non-specified event
204 types
205 --global-housekeeping-interval=1m0s Interval between global house‐
208 keepings
209 --housekeeping-interval=10s Interval between container housekeep‐
212 ings
213 --insecure-skip-tls-verify=false If true, the server's certificate
216 will not be checked for validity. This will make your HTTPS connections
217 insecure
218 --kubeconfig="" Path to the kubeconfig file to use for CLI re‐
221 quests.
222 --log-backtrace-at=:0 when logging hits line file:N, emit a stack
225 trace
226 --log-cadvisor-usage=false Whether to log the usage of the cAdvi‐
229 sor container
230 --log-dir="" If non-empty, write log files in this directory
233 --log-file="" If non-empty, use this log file
236 --log-file-max-size=1800 Defines the maximum size a log file can
239 grow to. Unit is megabytes. If the value is 0, the maximum file size is
240 unlimited.
241 --log-flush-frequency=5s Maximum number of seconds between log
244 flushes
245 --logtostderr=true log to standard error instead of files
248 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
251 Comma-separated list of files to check for machine-id. Use the
252 first one that exists.
253 --match-server-version=false Require server version to match
256 client version
257 -n, --namespace="" If present, the namespace scope for this CLI
260 request
261 --one-output=false If true, only write logs to their native sever‐
264 ity level (vs also writing to each lower severity level)
265 --password="" Password for basic authentication to the API server
268 --profile="none" Name of profile to capture. One of
271 (none|cpu|heap|goroutine|threadcreate|block|mutex)
272 --profile-output="profile.pprof" Name of the file to write the
275 profile to
276 --referenced-reset-interval=0 Reset interval for referenced bytes
279 (container_referenced_bytes metric), number of measurement cycles after
280 which referenced bytes are cleared, if set to 0 referenced bytes are
281 never cleared (default: 0)
282 --request-timeout="0" The length of time to wait before giving up
285 on a single server request. Non-zero values should contain a corre‐
286 sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
287 out requests.
288 -s, --server="" The address and port of the Kubernetes API server
291 --skip-headers=false If true, avoid header prefixes in the log
294 messages
295 --skip-log-headers=false If true, avoid headers when opening log
298 files
299 --stderrthreshold=2 logs at or above this threshold go to stderr
302 --storage-driver-buffer-duration=1m0s Writes in the storage driver
305 will be buffered for this duration, and committed to the non memory
306 backends as a single transaction
307 --storage-driver-db="cadvisor" database name
310 --storage-driver-host="localhost:8086" database host:port
313 --storage-driver-password="root" database password
316 --storage-driver-secure=false use secure connection with database
319 --storage-driver-table="stats" table name
322 --storage-driver-user="root" database username
325 --tls-server-name="" Server name to use for server certificate
328 validation. If it is not provided, the hostname used to contact the
329 server is used
330 --token="" Bearer token for authentication to the API server
333 --update-machine-info-interval=5m0s Interval between machine info
336 updates.
337 --user="" The name of the kubeconfig user to use
340 --username="" Username for basic authentication to the API server
343 -v, --v=0 number for the log level verbosity
346 --version=false Print version information and quit
349 --vmodule= comma-separated list of pattern=N settings for
352 file-filtered logging
353 --warnings-as-errors=false Treat warnings received from the server
356 as errors and exit with a non-zero exit code
357
361 # Create a ClusterRole named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
362 kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
363 # Create a ClusterRole named "pod-reader" with ResourceName specified
365 kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
366 # Create a ClusterRole named "foo" with API Group specified
368 kubectl create clusterrole foo --verb=get,list,watch --resource=rs.extensions
369 # Create a ClusterRole named "foo" with SubResource specified
371 kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status
372 # Create a ClusterRole name "foo" with NonResourceURL specified
374 kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*
375 # Create a ClusterRole name "monitoring" with AggregationRule specified
377 kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"
378
383 kubectl-create(1),
384
388 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
389 com) based on the kubernetes source material, but hopefully they have
390 been automatically generated since!
391Manuals User KUBERNETES(1)(kubernetes)