1KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7

NAME

9       kubectl create role - Create a role with a single rule.
10
11
12

SYNOPSIS

14       kubectl create role [OPTIONS]
15
16
17

DESCRIPTION

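19       Create a Role with a single rule. A Role is namespaced: the permissions it grants apply only within the namespace it is created in (see -n, --namespace).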
20
21
22

OPTIONS

24       --allow-missing-template-keys=true       If  true, ignore any errors in
25       templates when a field or map key is missing in the template. Only  ap‐
26       plies to golang and jsonpath output formats.
27
28
29       --dry-run="none"       Must be "none", "server", or "client". If client
30       strategy, only print the object that would be sent, without sending it.
31       If  server  strategy, submit server-side request without persisting the
32       resource.
33
34
35       --field-manager="kubectl-create"      Name of the manager used to track
36       field ownership.
37
38
39       -o,  --output=""       Output  format.  One  of: json|yaml|name|go-tem‐
40       plate|go-template-file|template|templatefile|jsonpath|json‐
41       path-as-json|jsonpath-file.
42
43
44       --resource=[]      Resource that the rule applies to
45
46
47       --resource-name=[]       Name of a resource in the allow list that the rule
48       applies to; repeat this flag for multiple items
49
50
51       --save-config=false      If true, the configuration of  current  object
52       will  be saved in its annotation. Otherwise, the annotation will be un‐
53       changed. This flag is useful when you want to perform kubectl apply  on
54       this object in the future.
55
56
57       --show-managed-fields=false       If  true, keep the managedFields when
58       printing objects in JSON or YAML format.
59
60
61       --template=""      Template string or path to template file to use when
62       -o=go-template, -o=go-template-file. The template format is golang tem‐
63       plates [http://golang.org/pkg/text/template/#pkg-overview].
64
65
66       --validate=true      If true, use a schema to validate the input before
67       sending it
68
69
70       --verb=[]      Verb that applies to the resources contained in the rule
71
72
73

OPTIONS INHERITED FROM PARENT COMMANDS

75       --add-dir-header=false       If  true,  adds  the file directory to the
76       header of the log messages
77
78
79       --alsologtostderr=false      log to standard error as well as files
80
81
82       --application-metrics-count-limit=100      Max  number  of  application
83       metrics to store (per container)
84
85
86       --as=""      Username to impersonate for the operation
87
88
89       --as-group=[]       Group  to  impersonate for the operation, this flag
90       can be repeated to specify multiple groups.
91
92
93       --azure-container-registry-config=""      Path to the  file  containing
94       Azure container registry configuration information.
95
96
97       --boot-id-file="/proc/sys/kernel/random/boot_id"        Comma-separated
98       list of files to check for boot-id. Use the first one that exists.
99
100
101       --cache-dir="/builddir/.kube/cache"      Default cache directory
102
103
104       --certificate-authority=""      Path to a cert file for the certificate
105       authority
106
107
108       --client-certificate=""      Path to a client certificate file for TLS
109
110
111       --client-key=""      Path to a client key file for TLS
112
113
114       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
115            CIDRs opened in GCE firewall for  L7  LB  traffic  proxy  &  health
116       checks
117
118
119       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
120            CIDRs opened in GCE firewall for  L4  LB  traffic  proxy  &  health
121       checks
122
123
124       --cluster=""      The name of the kubeconfig cluster to use
125
126
127       --container-hints="/etc/cadvisor/container_hints.json"      location of
128       the container hints file
129
130
131       --containerd="/run/containerd/containerd.sock"      containerd endpoint
132
133
134       --containerd-namespace="k8s.io"      containerd namespace
135
136
137       --context=""      The name of the kubeconfig context to use
138
139
140       --default-not-ready-toleration-seconds=300      Indicates  the  tolera‐
141       tionSeconds  of  the toleration for notReady:NoExecute that is added by
142       default to every pod that does not already have such a toleration.
143
144
145       --default-unreachable-toleration-seconds=300      Indicates the tolera‐
146       tionSeconds  of  the toleration for unreachable:NoExecute that is added
147       by default to every pod that does not already have such a toleration.
148
149
150       --disable-root-cgroup-stats=false      Disable collecting  root  Cgroup
151       stats
152
153
154       --docker="unix:///var/run/docker.sock"      docker endpoint
155
156
157       --docker-env-metadata-whitelist=""      a comma-separated list of envi‐
158       ronment variable keys matched with specified prefix that  needs  to  be
159       collected for docker containers
160
161
162       --docker-only=false       Only  report docker containers in addition to
163       root stats
164
165
166       --docker-root="/var/lib/docker"      DEPRECATED: docker  root  is  read
167       from docker info (this is a fallback, default: /var/lib/docker)
168
169
170       --docker-tls=false      use TLS to connect to docker
171
172
173       --docker-tls-ca="ca.pem"      path to trusted CA
174
175
176       --docker-tls-cert="cert.pem"      path to client certificate
177
178
179       --docker-tls-key="key.pem"      path to private key
180
181
182       --enable-load-reader=false      Whether to enable cpu load reader
183
184
185       --event-storage-age-limit="default=0"      Max length of time for which
186       to store events (per type). Value is a comma separated list of key val‐
187       ues,  where the keys are event types (e.g.: creation, oom) or "default"
188       and the value is a duration. Default is applied  to  all  non-specified
189       event types
190
191
192       --event-storage-event-limit="default=0"       Max  number  of events to
193       store (per type). Value is a comma separated list of key values,  where
194       the  keys  are  event  types (e.g.: creation, oom) or "default" and the
195       value is an integer. Default is  applied  to  all  non-specified  event
196       types
197
198
199       --global-housekeeping-interval=1m0s      Interval between global house‐
200       keepings
201
202
203       --housekeeping-interval=10s      Interval between container  housekeep‐
204       ings
205
206
207       --insecure-skip-tls-verify=false      If true, the server's certificate
208       will not be checked for validity. This will make your HTTPS connections
209       insecure, because the identity of the API server is no longer verified
210
211
212       --kubeconfig=""       Path  to  the  kubeconfig file to use for CLI re‐
213       quests.
214
215
216       --log-backtrace-at=:0      when logging hits line file:N, emit a  stack
217       trace
218
219
220       --log-cadvisor-usage=false       Whether to log the usage of the cAdvi‐
221       sor container
222
223
224       --log-dir=""      If non-empty, write log files in this directory
225
226
227       --log-file=""      If non-empty, use this log file
228
229
230       --log-file-max-size=1800      Defines the maximum size a log  file  can
231       grow to. Unit is megabytes. If the value is 0, the maximum file size is
232       unlimited.
233
234
235       --log-flush-frequency=5s      Maximum number  of  seconds  between  log
236       flushes
237
238
239       --logtostderr=true      log to standard error instead of files
240
241
242       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
243            Comma-separated list of files to check  for  machine-id.  Use  the
244       first one that exists.
245
246
247       --match-server-version=false        Require  server  version  to  match
248       client version
249
250
251       -n, --namespace=""      If present, the namespace scope  for  this  CLI
252       request
253
254
255       --one-output=false      If true, only write logs to their native sever‐
256       ity level (vs also writing to each lower severity level)
257
258
259       --password=""      Password for basic authentication to the API server
260
261
262       --profile="none"        Name   of   profile   to   capture.   One    of
263       (none|cpu|heap|goroutine|threadcreate|block|mutex)
264
265
266       --profile-output="profile.pprof"       Name  of  the  file to write the
267       profile to
268
269
270       --referenced-reset-interval=0      Reset interval for referenced  bytes
271       (container_referenced_bytes metric), number of measurement cycles after
272       which referenced bytes are cleared, if set to 0  referenced  bytes  are
273       never cleared (default: 0)
274
275
276       --request-timeout="0"       The length of time to wait before giving up
277       on a single server request. Non-zero values  should  contain  a  corre‐
278       sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
279       out requests.
280
281
282       -s, --server=""      The address and port of the Kubernetes API server
283
284
285       --skip-headers=false      If true, avoid header  prefixes  in  the  log
286       messages
287
288
289       --skip-log-headers=false       If  true, avoid headers when opening log
290       files
291
292
293       --stderrthreshold=2      logs at or above this threshold go to stderr
294
295
296       --storage-driver-buffer-duration=1m0s      Writes in the storage driver
297       will  be  buffered  for  this duration, and committed to the non memory
298       backends as a single transaction
299
300
301       --storage-driver-db="cadvisor"      database name
302
303
304       --storage-driver-host="localhost:8086"      database host:port
305
306
307       --storage-driver-password="root"      database password
308
309
310       --storage-driver-secure=false      use secure connection with database
311
312
313       --storage-driver-table="stats"      table name
314
315
316       --storage-driver-user="root"      database username
317
318
319       --tls-server-name=""      Server name to  use  for  server  certificate
320       validation.  If  it  is  not provided, the hostname used to contact the
321       server is used
322
323
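324       --token=""      Bearer token for authentication to the API server. A value given on the command line can end up in shell history and process listings; prefer credentials stored in the kubeconfig file.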
325
326
327       --update-machine-info-interval=5m0s      Interval between machine  info
328       updates.
329
330
331       --user=""      The name of the kubeconfig user to use
332
333
334       --username=""      Username for basic authentication to the API server
335
336
337       -v, --v=0      number for the log level verbosity
338
339
340       --version=false      Print version information and quit
341
342
343       --vmodule=        comma-separated   list   of  pattern=N  settings  for
344       file-filtered logging
345
346
347       --warnings-as-errors=false      Treat warnings received from the server
348       as errors and exit with a non-zero exit code
349
350
351

EXAMPLE

353                # Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
354                kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
355
356                # Create a Role named "pod-reader" with ResourceName specified
357                kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
358
359                # Create a Role named "foo" with API Group specified
360                kubectl create role foo --verb=get,list,watch --resource=rs.extensions
361
362                # Create a Role named "foo" with SubResource specified
363                kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
364
365
366
367

SEE ALSO

369       kubectl-create(1),
370
371
372

HISTORY

374       January  2015,  Originally compiled by Eric Paris (eparis at redhat dot
375       com) based on the kubernetes source material, but hopefully  they  have
376       been automatically generated since!
377
378
379
380Manuals                              User            KUBERNETES(1)(kubernetes)