1KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7

NAME

9       kubectl create clusterrole - Create a ClusterRole.
10
11
12

SYNOPSIS

14       kubectl create clusterrole [OPTIONS]
15
16
17

DESCRIPTION

19       Create a ClusterRole.
20
21
22

OPTIONS

24       --aggregation-rule=       An  aggregation  label selector for combining
25       ClusterRoles.
26
27
28       --allow-missing-template-keys=true      If true, ignore any  errors  in
29       templates  when a field or map key is missing in the template. Only ap‐
30       plies to golang and jsonpath output formats.
31
32
33       --dry-run="none"      Must be "none", "server", or "client". If  client
34       strategy, only print the object that would be sent, without sending it.
35       If server strategy, submit server-side request without  persisting  the
36       resource.
37
38
39       --field-manager="kubectl-create"      Name of the manager used to track
40       field ownership.
41
42
43       --non-resource-url=[]      A partial URL that the user should have access
44       to.
45
46
47       -o,  --output=""       Output  format.  One  of: json|yaml|name|go-tem‐
48       plate|go-template-file|template|templatefile|jsonpath|json‐
49       path-as-json|jsonpath-file.
50
51
52       --resource=[]      Resource that the rule applies to
53
54
55       --resource-name=[]       Resource  in  the white list that the rule ap‐
56       plies to; repeat this flag for multiple items
57
58
59       --save-config=false      If true, the configuration of  current  object
60       will  be saved in its annotation. Otherwise, the annotation will be un‐
61       changed. This flag is useful when you want to perform kubectl apply  on
62       this object in the future.
63
64
65       --show-managed-fields=false       If  true, keep the managedFields when
66       printing objects in JSON or YAML format.
67
68
69       --template=""      Template string or path to template file to use when
70       -o=go-template, -o=go-template-file. The template format is golang tem‐
71       plates [http://golang.org/pkg/text/template/#pkg-overview].
72
73
74       --validate=true      If true, use a schema to validate the input before
75       sending it
76
77
78       --verb=[]      Verb that applies to the resources contained in the rule
79
80
81

OPTIONS INHERITED FROM PARENT COMMANDS

83       --add-dir-header=false       If  true,  adds  the file directory to the
84       header of the log messages
85
86
87       --alsologtostderr=false      log to standard error as well as files
88
89
90       --application-metrics-count-limit=100      Max  number  of  application
91       metrics to store (per container)
92
93
94       --as=""      Username to impersonate for the operation
95
96
97       --as-group=[]       Group  to  impersonate for the operation, this flag
98       can be repeated to specify multiple groups.
99
100
101       --azure-container-registry-config=""      Path to the  file  containing
102       Azure container registry configuration information.
103
104
105       --boot-id-file="/proc/sys/kernel/random/boot_id"        Comma-separated
106       list of files to check for boot-id. Use the first one that exists.
107
108
109       --cache-dir="/builddir/.kube/cache"      Default cache directory
110
111
112       --certificate-authority=""      Path to a cert file for the certificate
113       authority
114
115
116       --client-certificate=""      Path to a client certificate file for TLS
117
118
119       --client-key=""      Path to a client key file for TLS
120
121
122       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
123            CIDRs opened in GCE firewall for  L7  LB  traffic  proxy    health
124       checks
125
126
127       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
128            CIDRs opened in GCE firewall for  L4  LB  traffic  proxy    health
129       checks
130
131
132       --cluster=""      The name of the kubeconfig cluster to use
133
134
135       --container-hints="/etc/cadvisor/container_hints.json"      location of
136       the container hints file
137
138
139       --containerd="/run/containerd/containerd.sock"      containerd endpoint
140
141
142       --containerd-namespace="k8s.io"      containerd namespace
143
144
145       --context=""      The name of the kubeconfig context to use
146
147
148       --default-not-ready-toleration-seconds=300      Indicates  the  tolera‐
149       tionSeconds  of  the toleration for notReady:NoExecute that is added by
150       default to every pod that does not already have such a toleration.
151
152
153       --default-unreachable-toleration-seconds=300      Indicates the tolera‐
154       tionSeconds  of  the toleration for unreachable:NoExecute that is added
155       by default to every pod that does not already have such a toleration.
156
157
158       --disable-root-cgroup-stats=false      Disable collecting  root  Cgroup
159       stats
160
161
162       --docker="unix:///var/run/docker.sock"      docker endpoint
163
164
165       --docker-env-metadata-whitelist=""      a comma-separated list of envi‐
166       ronment variable keys matched with specified prefix that  needs  to  be
167       collected for docker containers
168
169
170       --docker-only=false       Only  report docker containers in addition to
171       root stats
172
173
174       --docker-root="/var/lib/docker"      DEPRECATED: docker  root  is  read
175       from docker info (this is a fallback, default: /var/lib/docker)
176
177
178       --docker-tls=false      use TLS to connect to docker
179
180
181       --docker-tls-ca="ca.pem"      path to trusted CA
182
183
184       --docker-tls-cert="cert.pem"      path to client certificate
185
186
187       --docker-tls-key="key.pem"      path to private key
188
189
190       --enable-load-reader=false      Whether to enable cpu load reader
191
192
193       --event-storage-age-limit="default=0"      Max length of time for which
194       to store events (per type). Value is a comma separated list of key val‐
195       ues,  where the keys are event types (e.g.: creation, oom) or "default"
196       and the value is a duration. Default is applied  to  all  non-specified
197       event types
198
199
200       --event-storage-event-limit="default=0"       Max  number  of events to
201       store (per type). Value is a comma separated list of key values,  where
202       the  keys  are  event  types (e.g.: creation, oom) or "default" and the
203       value is an integer. Default is  applied  to  all  non-specified  event
204       types
205
206
207       --global-housekeeping-interval=1m0s      Interval between global house‐
208       keepings
209
210
211       --housekeeping-interval=10s      Interval between container  housekeep‐
212       ings
213
214
215       --insecure-skip-tls-verify=false      If true, the server's certificate
216       will not be checked for validity. This will make your HTTPS connections
217       insecure
218
219
220       --kubeconfig=""       Path  to  the  kubeconfig file to use for CLI re‐
221       quests.
222
223
224       --log-backtrace-at=:0      when logging hits line file:N, emit a  stack
225       trace
226
227
228       --log-cadvisor-usage=false       Whether to log the usage of the cAdvi‐
229       sor container
230
231
232       --log-dir=""      If non-empty, write log files in this directory
233
234
235       --log-file=""      If non-empty, use this log file
236
237
238       --log-file-max-size=1800      Defines the maximum size a log  file  can
239       grow to. Unit is megabytes. If the value is 0, the maximum file size is
240       unlimited.
241
242
243       --log-flush-frequency=5s      Maximum number  of  seconds  between  log
244       flushes
245
246
247       --logtostderr=true      log to standard error instead of files
248
249
250       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
251            Comma-separated list of files to check  for  machine-id.  Use  the
252       first one that exists.
253
254
255       --match-server-version=false        Require  server  version  to  match
256       client version
257
258
259       -n, --namespace=""      If present, the namespace scope  for  this  CLI
260       request
261
262
263       --one-output=false      If true, only write logs to their native sever‐
264       ity level (vs also writing to each lower severity level)
265
266
267       --password=""      Password for basic authentication to the API server
268
269
270       --profile="none"        Name   of   profile   to   capture.   One    of
271       (none|cpu|heap|goroutine|threadcreate|block|mutex)
272
273
274       --profile-output="profile.pprof"       Name  of  the  file to write the
275       profile to
276
277
278       --referenced-reset-interval=0      Reset interval for referenced  bytes
279       (container_referenced_bytes metric), number of measurement cycles after
280       which referenced bytes are cleared, if set to 0  referenced  bytes  are
281       never cleared (default: 0)
282
283
284       --request-timeout="0"       The length of time to wait before giving up
285       on a single server request. Non-zero values  should  contain  a  corre‐
286       sponding time unit (e.g. 1s, 2m, 3h). A value of zero means requests do
287       not time out.
288
289
290       -s, --server=""      The address and port of the Kubernetes API server
291
292
293       --skip-headers=false      If true, avoid header  prefixes  in  the  log
294       messages
295
296
297       --skip-log-headers=false       If  true, avoid headers when opening log
298       files
299
300
301       --stderrthreshold=2      logs at or above this threshold go to stderr
302
303
304       --storage-driver-buffer-duration=1m0s      Writes in the storage driver
305       will  be  buffered  for  this duration, and committed to the non memory
306       backends as a single transaction
307
308
309       --storage-driver-db="cadvisor"      database name
310
311
312       --storage-driver-host="localhost:8086"      database host:port
313
314
315       --storage-driver-password="root"      database password
316
317
318       --storage-driver-secure=false      use secure connection with database
319
320
321       --storage-driver-table="stats"      table name
322
323
324       --storage-driver-user="root"      database username
325
326
327       --tls-server-name=""      Server name to  use  for  server  certificate
328       validation.  If  it  is  not provided, the hostname used to contact the
329       server is used
330
331
332       --token=""      Bearer token for authentication to the API server
333
334
335       --update-machine-info-interval=5m0s      Interval between machine  info
336       updates.
337
338
339       --user=""      The name of the kubeconfig user to use
340
341
342       --username=""      Username for basic authentication to the API server
343
344
345       -v, --v=0      number for the log level verbosity
346
347
348       --version=false      Print version information and quit
349
350
351       --vmodule=        comma-separated   list   of  pattern=N  settings  for
352       file-filtered logging
353
354
355       --warnings-as-errors=false      Treat warnings received from the server
356       as errors and exit with a non-zero exit code
357
358
359

EXAMPLE

361                # Create a ClusterRole named "pod-reader" that allows a user to perform "get", "watch" and "list" on pods
362                kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
363
364                # Create a ClusterRole named "pod-reader" with ResourceName specified
365                kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
366
367                # Create a ClusterRole named "foo" with API Group specified
368                kubectl create clusterrole foo --verb=get,list,watch --resource=rs.extensions
369
370                # Create a ClusterRole named "foo" with SubResource specified
371                kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status
372
373                # Create a ClusterRole named "foo" with NonResourceURL specified (the trailing * is a wildcard; quote the value if your shell would expand it)
374                kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*
375
376                # Create a ClusterRole named "monitoring" with AggregationRule specified
377                kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"
378
379
380
381

SEE ALSO

383       kubectl-create(1),
384
385
386

HISTORY

388       January  2015,  Originally compiled by Eric Paris (eparis at redhat dot
389       com) based on the kubernetes source material, but hopefully  they  have
390       been automatically generated since!
391
392
393
394Manuals                              User            KUBERNETES(1)(kubernetes)