1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7
9 kubectl create clusterrole - Create a ClusterRole.
10
11
12
14 kubectl create clusterrole [OPTIONS]
15
16
17
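19 Create a ClusterRole. The role grants no access by itself; its rules take effect only once it is bound to a subject by a ClusterRoleBinding or RoleBinding.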
20
21
22
24 --aggregation-rule= An aggregation label selector for combining
25 ClusterRoles.
26
27
28 --allow-missing-template-keys=true If true, ignore any errors in
29 templates when a field or map key is missing in the template. Only ap‐
30 plies to golang and jsonpath output formats.
31
32
33 --dry-run="none" Must be "none", "server", or "client". If client
34 strategy, only print the object that would be sent, without sending it.
35 If server strategy, submit server-side request without persisting the
36 resource.
37
38
39 --field-manager="kubectl-create" Name of the manager used to track
40 field ownership.
41
42
43 --non-resource-url=[] A partial URL that the user should have access
44 to.
45
46
47 -o, --output="" Output format. One of: json|yaml|name|go-tem‐
48 plate|go-template-file|template|templatefile|jsonpath|json‐
49 path-as-json|jsonpath-file.
50
51
52 --resource=[] Resource that the rule applies to
53
54
55 --resource-name=[] Name of a resource in the allow list that the rule
56 applies to; repeat this flag for multiple items
57
58
59 --save-config=false If true, the configuration of current object
60 will be saved in its annotation. Otherwise, the annotation will be un‐
61 changed. This flag is useful when you want to perform kubectl apply on
62 this object in the future.
63
64
65 --show-managed-fields=false If true, keep the managedFields when
66 printing objects in JSON or YAML format.
67
68
69 --template="" Template string or path to template file to use when
70 -o=go-template, -o=go-template-file. The template format is golang tem‐
71 plates [http://golang.org/pkg/text/template/#pkg-overview].
72
73
74 --validate=true If true, use a schema to validate the input before
75 sending it
76
77
78 --verb=[] Verb that applies to the resources contained in the rule
79
80
81
83 --add-dir-header=false If true, adds the file directory to the
84 header of the log messages
85
86
87 --alsologtostderr=false log to standard error as well as files
88
89
90 --application-metrics-count-limit=100 Max number of application
91 metrics to store (per container)
92
93
94 --as="" Username to impersonate for the operation
95
96
97 --as-group=[] Group to impersonate for the operation, this flag
98 can be repeated to specify multiple groups.
99
100
101 --azure-container-registry-config="" Path to the file containing
102 Azure container registry configuration information.
103
104
105 --boot-id-file="/proc/sys/kernel/random/boot_id" Comma-separated
106 list of files to check for boot-id. Use the first one that exists.
107
108
109 --cache-dir="/builddir/.kube/cache" Default cache directory
110
111
112 --certificate-authority="" Path to a cert file for the certificate
113 authority
114
115
116 --client-certificate="" Path to a client certificate file for TLS
117
118
119 --client-key="" Path to a client key file for TLS
120
121
122 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
123 CIDRs opened in GCE firewall for L7 LB traffic proxy health
124 checks
125
126
127 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
128 CIDRs opened in GCE firewall for L4 LB traffic proxy health
129 checks
130
131
132 --cluster="" The name of the kubeconfig cluster to use
133
134
135 --container-hints="/etc/cadvisor/container_hints.json" location of
136 the container hints file
137
138
139 --containerd="/run/containerd/containerd.sock" containerd endpoint
140
141
142 --containerd-namespace="k8s.io" containerd namespace
143
144
145 --context="" The name of the kubeconfig context to use
146
147
148 --default-not-ready-toleration-seconds=300 Indicates the tolera‐
149 tionSeconds of the toleration for notReady:NoExecute that is added by
150 default to every pod that does not already have such a toleration.
151
152
153 --default-unreachable-toleration-seconds=300 Indicates the tolera‐
154 tionSeconds of the toleration for unreachable:NoExecute that is added
155 by default to every pod that does not already have such a toleration.
156
157
158 --disable-root-cgroup-stats=false Disable collecting root Cgroup
159 stats
160
161
162 --docker="unix:///var/run/docker.sock" docker endpoint
163
164
165 --docker-env-metadata-whitelist="" a comma-separated list of envi‐
166 ronment variable keys matched with specified prefix that needs to be
167 collected for docker containers
168
169
170 --docker-only=false Only report docker containers in addition to
171 root stats
172
173
174 --docker-root="/var/lib/docker" DEPRECATED: docker root is read
175 from docker info (this is a fallback, default: /var/lib/docker)
176
177
178 --docker-tls=false use TLS to connect to docker
179
180
181 --docker-tls-ca="ca.pem" path to trusted CA
182
183
184 --docker-tls-cert="cert.pem" path to client certificate
185
186
187 --docker-tls-key="key.pem" path to private key
188
189
190 --enable-load-reader=false Whether to enable cpu load reader
191
192
193 --event-storage-age-limit="default=0" Max length of time for which
194 to store events (per type). Value is a comma separated list of key val‐
195 ues, where the keys are event types (e.g.: creation, oom) or "default"
196 and the value is a duration. Default is applied to all non-specified
197 event types
198
199
200 --event-storage-event-limit="default=0" Max number of events to
201 store (per type). Value is a comma separated list of key values, where
202 the keys are event types (e.g.: creation, oom) or "default" and the
203 value is an integer. Default is applied to all non-specified event
204 types
205
206
207 --global-housekeeping-interval=1m0s Interval between global house‐
208 keepings
209
210
211 --housekeeping-interval=10s Interval between container housekeep‐
212 ings
213
214
215 --insecure-skip-tls-verify=false If true, the server's certificate
216 will not be checked for validity. This will make your HTTPS connections
217 insecure, because the identity of the API server is no longer verified.
218
219
220 --kubeconfig="" Path to the kubeconfig file to use for CLI re‐
221 quests.
222
223
224 --log-backtrace-at=:0 when logging hits line file:N, emit a stack
225 trace
226
227
228 --log-cadvisor-usage=false Whether to log the usage of the cAdvi‐
229 sor container
230
231
232 --log-dir="" If non-empty, write log files in this directory
233
234
235 --log-file="" If non-empty, use this log file
236
237
238 --log-file-max-size=1800 Defines the maximum size a log file can
239 grow to. Unit is megabytes. If the value is 0, the maximum file size is
240 unlimited.
241
242
243 --log-flush-frequency=5s Maximum number of seconds between log
244 flushes
245
246
247 --logtostderr=true log to standard error instead of files
248
249
250 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
251 Comma-separated list of files to check for machine-id. Use the
252 first one that exists.
253
254
255 --match-server-version=false Require server version to match
256 client version
257
258
259 -n, --namespace="" If present, the namespace scope for this CLI
260 request
261
262
263 --one-output=false If true, only write logs to their native sever‐
264 ity level (vs also writing to each lower severity level)
265
266
267 --password="" Password for basic authentication to the API server. A value given on the command line can be visible in the process list and in shell history.
268
269
270 --profile="none" Name of profile to capture. One of
271 (none|cpu|heap|goroutine|threadcreate|block|mutex)
272
273
274 --profile-output="profile.pprof" Name of the file to write the
275 profile to
276
277
278 --referenced-reset-interval=0 Reset interval for referenced bytes
279 (container_referenced_bytes metric), number of measurement cycles after
280 which referenced bytes are cleared, if set to 0 referenced bytes are
281 never cleared (default: 0)
282
283
284 --request-timeout="0" The length of time to wait before giving up
285 on a single server request. Non-zero values should contain a corre‐
286 sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
287 out requests.
288
289
290 -s, --server="" The address and port of the Kubernetes API server
291
292
293 --skip-headers=false If true, avoid header prefixes in the log
294 messages
295
296
297 --skip-log-headers=false If true, avoid headers when opening log
298 files
299
300
301 --stderrthreshold=2 logs at or above this threshold go to stderr
302
303
304 --storage-driver-buffer-duration=1m0s Writes in the storage driver
305 will be buffered for this duration, and committed to the non memory
306 backends as a single transaction
307
308
309 --storage-driver-db="cadvisor" database name
310
311
312 --storage-driver-host="localhost:8086" database host:port
313
314
315 --storage-driver-password="root" database password
316
317
318 --storage-driver-secure=false use secure connection with database
319
320
321 --storage-driver-table="stats" table name
322
323
324 --storage-driver-user="root" database username
325
326
327 --tls-server-name="" Server name to use for server certificate
328 validation. If it is not provided, the hostname used to contact the
329 server is used
330
331
332 --token="" Bearer token for authentication to the API server. A value given on the command line can be visible in the process list and in shell history.
333
334
335 --update-machine-info-interval=5m0s Interval between machine info
336 updates.
337
338
339 --user="" The name of the kubeconfig user to use
340
341
342 --username="" Username for basic authentication to the API server
343
344
345 -v, --v=0 number for the log level verbosity
346
347
348 --version=false Print version information and quit
349
350
351 --vmodule= comma-separated list of pattern=N settings for
352 file-filtered logging
353
354
355 --warnings-as-errors=false Treat warnings received from the server
356 as errors and exit with a non-zero exit code
357
358
359
361 # Create a ClusterRole named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
362 kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
363
364 # Create a ClusterRole named "pod-reader" with ResourceName specified
365 kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
366
367 # Create a ClusterRole named "foo" with API Group specified
368 kubectl create clusterrole foo --verb=get,list,watch --resource=rs.extensions
369
370 # Create a ClusterRole named "foo" with SubResource specified
371 kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status
372
373 # Create a ClusterRole named "foo" with NonResourceURL specified
374 kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*
375
376 # Create a ClusterRole named "monitoring" with AggregationRule specified
377 kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"
378
379
380
381
383 kubectl-create(1),
384
385
386
388 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
389 com) based on the kubernetes source material, but hopefully they have
390 been automatically generated since!
391
392
393
394Manuals User KUBERNETES(1)(kubernetes)