1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2Eric Paris Jan 2015
6
9 kubectl create role - Create a role with single rule.
10
14 kubectl create role [OPTIONS]
15
19 Create a role with single rule.
20
24 --allow-missing-template-keys=true If true, ignore any errors in
25 templates when a field or map key is missing in the template. Only ap‐
26 plies to golang and jsonpath output formats.
27 --dry-run="none" Must be "none", "server", or "client". If client
30 strategy, only print the object that would be sent, without sending it.
31 If server strategy, submit server-side request without persisting the
32 resource.
33 --field-manager="kubectl-create" Name of the manager used to track
36 field ownership.
37 -o, --output="" Output format. One of: json|yaml|name|go-tem‐
40 plate|go-template-file|template|templatefile|jsonpath|json‐
41 path-as-json|jsonpath-file.
42 --resource=[] Resource that the rule applies to
45 --resource-name=[] Resource in the white list that the rule ap‐
48 plies to, repeat this flag for multiple items
49 --save-config=false If true, the configuration of current object
52 will be saved in its annotation. Otherwise, the annotation will be un‐
53 changed. This flag is useful when you want to perform kubectl apply on
54 this object in the future.
55 --show-managed-fields=false If true, keep the managedFields when
58 printing objects in JSON or YAML format.
59 --template="" Template string or path to template file to use when
62 -o=go-template, -o=go-template-file. The template format is golang tem‐
63 plates [http://golang.org/pkg/text/template/#pkg-overview].
64 --validate=true If true, use a schema to validate the input before
67 sending it
68 --verb=[] Verb that applies to the resources contained in the rule
71
75 --add-dir-header=false If true, adds the file directory to the
76 header of the log messages
77 --alsologtostderr=false log to standard error as well as files
80 --application-metrics-count-limit=100 Max number of application
83 metrics to store (per container)
84 --as="" Username to impersonate for the operation
87 --as-group=[] Group to impersonate for the operation, this flag
90 can be repeated to specify multiple groups.
91 --azure-container-registry-config="" Path to the file containing
94 Azure container registry configuration information.
95 --boot-id-file="/proc/sys/kernel/random/boot_id" Comma-separated
98 list of files to check for boot-id. Use the first one that exists.
99 --cache-dir="/builddir/.kube/cache" Default cache directory
102 --certificate-authority="" Path to a cert file for the certificate
105 authority
106 --client-certificate="" Path to a client certificate file for TLS
109 --client-key="" Path to a client key file for TLS
112 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
115 CIDRs opened in GCE firewall for L7 LB traffic proxy health
116 checks
117 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
120 CIDRs opened in GCE firewall for L4 LB traffic proxy health
121 checks
122 --cluster="" The name of the kubeconfig cluster to use
125 --container-hints="/etc/cadvisor/container_hints.json" location of
128 the container hints file
129 --containerd="/run/containerd/containerd.sock" containerd endpoint
132 --containerd-namespace="k8s.io" containerd namespace
135 --context="" The name of the kubeconfig context to use
138 --default-not-ready-toleration-seconds=300 Indicates the tolera‐
141 tionSeconds of the toleration for notReady:NoExecute that is added by
142 default to every pod that does not already have such a toleration.
143 --default-unreachable-toleration-seconds=300 Indicates the tolera‐
146 tionSeconds of the toleration for unreachable:NoExecute that is added
147 by default to every pod that does not already have such a toleration.
148 --disable-root-cgroup-stats=false Disable collecting root Cgroup
151 stats
152 --docker="unix:///var/run/docker.sock" docker endpoint
155 --docker-env-metadata-whitelist="" a comma-separated list of envi‐
158 ronment variable keys matched with specified prefix that needs to be
159 collected for docker containers
160 --docker-only=false Only report docker containers in addition to
163 root stats
164 --docker-root="/var/lib/docker" DEPRECATED: docker root is read
167 from docker info (this is a fallback, default: /var/lib/docker)
168 --docker-tls=false use TLS to connect to docker
171 --docker-tls-ca="ca.pem" path to trusted CA
174 --docker-tls-cert="cert.pem" path to client certificate
177 --docker-tls-key="key.pem" path to private key
180 --enable-load-reader=false Whether to enable cpu load reader
183 --event-storage-age-limit="default=0" Max length of time for which
186 to store events (per type). Value is a comma separated list of key val‐
187 ues, where the keys are event types (e.g.: creation, oom) or "default"
188 and the value is a duration. Default is applied to all non-specified
189 event types
190 --event-storage-event-limit="default=0" Max number of events to
193 store (per type). Value is a comma separated list of key values, where
194 the keys are event types (e.g.: creation, oom) or "default" and the
195 value is an integer. Default is applied to all non-specified event
196 types
197 --global-housekeeping-interval=1m0s Interval between global house‐
200 keepings
201 --housekeeping-interval=10s Interval between container housekeep‐
204 ings
205 --insecure-skip-tls-verify=false If true, the server's certificate
208 will not be checked for validity. This will make your HTTPS connections
209 insecure
210 --kubeconfig="" Path to the kubeconfig file to use for CLI re‐
213 quests.
214 --log-backtrace-at=:0 when logging hits line file:N, emit a stack
217 trace
218 --log-cadvisor-usage=false Whether to log the usage of the cAdvi‐
221 sor container
222 --log-dir="" If non-empty, write log files in this directory
225 --log-file="" If non-empty, use this log file
228 --log-file-max-size=1800 Defines the maximum size a log file can
231 grow to. Unit is megabytes. If the value is 0, the maximum file size is
232 unlimited.
233 --log-flush-frequency=5s Maximum number of seconds between log
236 flushes
237 --logtostderr=true log to standard error instead of files
240 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
243 Comma-separated list of files to check for machine-id. Use the
244 first one that exists.
245 --match-server-version=false Require server version to match
248 client version
249 -n, --namespace="" If present, the namespace scope for this CLI
252 request
253 --one-output=false If true, only write logs to their native sever‐
256 ity level (vs also writing to each lower severity level)
257 --password="" Password for basic authentication to the API server
260 --profile="none" Name of profile to capture. One of
263 (none|cpu|heap|goroutine|threadcreate|block|mutex)
264 --profile-output="profile.pprof" Name of the file to write the
267 profile to
268 --referenced-reset-interval=0 Reset interval for referenced bytes
271 (container_referenced_bytes metric), number of measurement cycles after
272 which referenced bytes are cleared, if set to 0 referenced bytes are
273 never cleared (default: 0)
274 --request-timeout="0" The length of time to wait before giving up
277 on a single server request. Non-zero values should contain a corre‐
278 sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
279 out requests.
280 -s, --server="" The address and port of the Kubernetes API server
283 --skip-headers=false If true, avoid header prefixes in the log
286 messages
287 --skip-log-headers=false If true, avoid headers when opening log
290 files
291 --stderrthreshold=2 logs at or above this threshold go to stderr
294 --storage-driver-buffer-duration=1m0s Writes in the storage driver
297 will be buffered for this duration, and committed to the non memory
298 backends as a single transaction
299 --storage-driver-db="cadvisor" database name
302 --storage-driver-host="localhost:8086" database host:port
305 --storage-driver-password="root" database password
308 --storage-driver-secure=false use secure connection with database
311 --storage-driver-table="stats" table name
314 --storage-driver-user="root" database username
317 --tls-server-name="" Server name to use for server certificate
320 validation. If it is not provided, the hostname used to contact the
321 server is used
322 --token="" Bearer token for authentication to the API server
325 --update-machine-info-interval=5m0s Interval between machine info
328 updates.
329 --user="" The name of the kubeconfig user to use
332 --username="" Username for basic authentication to the API server
335 -v, --v=0 number for the log level verbosity
338 --version=false Print version information and quit
341 --vmodule= comma-separated list of pattern=N settings for
344 file-filtered logging
345 --warnings-as-errors=false Treat warnings received from the server
348 as errors and exit with a non-zero exit code
349
353 # Create a Role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
354 kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
355 # Create a Role named "pod-reader" with ResourceName specified
357 kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
358 # Create a Role named "foo" with API Group specified
360 kubectl create role foo --verb=get,list,watch --resource=rs.extensions
361 # Create a Role named "foo" with SubResource specified
363 kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
364
369 kubectl-create(1),
370
374 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
375 com) based on the kubernetes source material, but hopefully they have
376 been automatically generated since!
377Manuals User KUBERNETES(1)(kubernetes)