KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

kubectl create role - Create a role with a single rule.

kubectl create role [OPTIONS]

Create a role with a single rule.

--allow-missing-template-keys=true  If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.

--dry-run="none"  Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource.

--field-manager="kubectl-create"  Name of the manager used to track field ownership.

-o, --output=""  Output format. One of: json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.

--resource=[]  Resource that the rule applies to

--resource-name=[]  Resource in the white list that the rule applies to, repeat this flag for multiple items

--save-config=false  If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future.

--show-managed-fields=false  If true, keep the managedFields when printing objects in JSON or YAML format.

--template=""  Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview].

--validate=true  If true, use a schema to validate the input before sending it

--verb=[]  Verb that applies to the resources contained in the rule

--add-dir-header=false  If true, adds the file directory to the header of the log messages

--alsologtostderr=false  log to standard error as well as files

--application-metrics-count-limit=100  Max number of application metrics to store (per container)

--as=""  Username to impersonate for the operation

--as-group=[]  Group to impersonate for the operation, this flag can be repeated to specify multiple groups.

--azure-container-registry-config=""  Path to the file containing Azure container registry configuration information.

--boot-id-file="/proc/sys/kernel/random/boot_id"  Comma-separated list of files to check for boot-id. Use the first one that exists.

--cache-dir="/builddir/.kube/cache"  Default cache directory

--certificate-authority=""  Path to a cert file for the certificate authority

--client-certificate=""  Path to a client certificate file for TLS

--client-key=""  Path to a client key file for TLS

--cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16  CIDRs opened in GCE firewall for L7 LB traffic proxy health checks

--cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16  CIDRs opened in GCE firewall for L4 LB traffic proxy health checks

--cluster=""  The name of the kubeconfig cluster to use

--container-hints="/etc/cadvisor/container_hints.json"  location of the container hints file

--containerd="/run/containerd/containerd.sock"  containerd endpoint

--containerd-namespace="k8s.io"  containerd namespace

--context=""  The name of the kubeconfig context to use

--default-not-ready-toleration-seconds=300  Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration.

--default-unreachable-toleration-seconds=300  Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration.

--disable-root-cgroup-stats=false  Disable collecting root Cgroup stats

--docker="unix:///var/run/docker.sock"  docker endpoint

--docker-env-metadata-whitelist=""  a comma-separated list of environment variable keys matched with specified prefix that needs to be collected for docker containers

--docker-only=false  Only report docker containers in addition to root stats

--docker-root="/var/lib/docker"  DEPRECATED: docker root is read from docker info (this is a fallback, default: /var/lib/docker)

--docker-tls=false  use TLS to connect to docker

--docker-tls-ca="ca.pem"  path to trusted CA

--docker-tls-cert="cert.pem"  path to client certificate

--docker-tls-key="key.pem"  path to private key

--enable-load-reader=false  Whether to enable cpu load reader

--event-storage-age-limit="default=0"  Max length of time for which to store events (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or "default" and the value is a duration. Default is applied to all non-specified event types

--event-storage-event-limit="default=0"  Max number of events to store (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or "default" and the value is an integer. Default is applied to all non-specified event types

--global-housekeeping-interval=1m0s  Interval between global housekeepings

--housekeeping-interval=10s  Interval between container housekeepings

--insecure-skip-tls-verify=false  If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure

--kubeconfig=""  Path to the kubeconfig file to use for CLI requests.

--log-backtrace-at=:0  when logging hits line file:N, emit a stack trace

--log-cadvisor-usage=false  Whether to log the usage of the cAdvisor container

--log-dir=""  If non-empty, write log files in this directory

--log-file=""  If non-empty, use this log file

--log-file-max-size=1800  Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited.

--log-flush-frequency=5s  Maximum number of seconds between log flushes

--logtostderr=true  log to standard error instead of files

--machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"  Comma-separated list of files to check for machine-id. Use the first one that exists.

--match-server-version=false  Require server version to match client version

-n, --namespace=""  If present, the namespace scope for this CLI request

--one-output=false  If true, only write logs to their native severity level (vs also writing to each lower severity level)

--password=""  Password for basic authentication to the API server

--profile="none"  Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex)

--profile-output="profile.pprof"  Name of the file to write the profile to

--referenced-reset-interval=0  Reset interval for referenced bytes (container_referenced_bytes metric), number of measurement cycles after which referenced bytes are cleared, if set to 0 referenced bytes are never cleared (default: 0)

--request-timeout="0"  The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

-s, --server=""  The address and port of the Kubernetes API server

--skip-headers=false  If true, avoid header prefixes in the log messages

--skip-log-headers=false  If true, avoid headers when opening log files

--stderrthreshold=2  logs at or above this threshold go to stderr

--storage-driver-buffer-duration=1m0s  Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction

--storage-driver-db="cadvisor"  database name

--storage-driver-host="localhost:8086"  database host:port

--storage-driver-password="root"  database password

--storage-driver-secure=false  use secure connection with database

--storage-driver-table="stats"  table name

--storage-driver-user="root"  database username

--tls-server-name=""  Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used

--token=""  Bearer token for authentication to the API server

--update-machine-info-interval=5m0s  Interval between machine info updates.

--user=""  The name of the kubeconfig user to use

--username=""  Username for basic authentication to the API server

-v, --v=0  number for the log level verbosity

--version=false  Print version information and quit

--vmodule=  comma-separated list of pattern=N settings for file-filtered logging

--warnings-as-errors=false  Treat warnings received from the server as errors and exit with a non-zero exit code

# Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods

# Create a Role named "pod-reader" with ResourceName specified
kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod

# Create a Role named "foo" with API Group specified
kubectl create role foo --verb=get,list,watch --resource=rs.extensions

# Create a Role named "foo" with SubResource specified
kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
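
Added example (not part of this man page or of kubectl): a review step that takes the object printed by --dry-run=client with -o json and audits its rules before the Role is actually created. The sample object, the SENSITIVE_RESOURCES and ESCALATION_VERBS sets, and the audit_role function are assumptions constructed for illustration.

```python
import json

# Constructed sample (not from the man page): the shape of object printed by
#   kubectl create role pod-reader --verb=get --resource=pods \
#       --resource-name=readablepod --dry-run=client -o json
# with a second, deliberately broad rule appended for the audit to catch.
SAMPLE_ROLE = json.loads("""
{
  "apiVersion": "rbac.authorization.k8s.io/v1",
  "kind": "Role",
  "metadata": {"name": "pod-reader", "namespace": "demo"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods"],
     "resourceNames": ["readablepod"], "verbs": ["get"]},
    {"apiGroups": [""], "resources": ["secrets", "pods/exec"], "verbs": ["*"]}
  ]
}
""")

# Assumed review policy, not defined by kubectl: tune to your own baseline.
SENSITIVE_RESOURCES = {"secrets", "pods/exec", "roles", "rolebindings"}
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}


def audit_role(role):
    """Return (rule_index, finding) pairs for rules broader than the policy."""
    if role.get("kind") != "Role":
        raise ValueError("expected a Role object, got %r" % role.get("kind"))
    findings = []
    for idx, rule in enumerate(role.get("rules") or []):
        verbs = set(rule.get("verbs") or [])
        resources = set(rule.get("resources") or [])
        if "*" in verbs:
            findings.append((idx, "wildcard verb"))
        if "*" in resources:
            findings.append((idx, "wildcard resource"))
        for verb in sorted(verbs & ESCALATION_VERBS):
            findings.append((idx, "escalation verb: " + verb))
        # --resource-name narrows a rule to named objects; flag sensitive
        # resources that are granted without that restriction.
        if not rule.get("resourceNames"):
            for res in sorted(resources & SENSITIVE_RESOURCES):
                findings.append((idx, res + " not limited by resourceNames"))
    return findings


if __name__ == "__main__":
    for idx, finding in audit_role(SAMPLE_ROLE):
        print("rule %d: %s" % (idx, finding))
```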

kubectl-create(1)

January 2015, Originally compiled by Eric Paris (eparis at redhat dot com) based on the kubernetes source material, but hopefully they have been automatically generated since!