1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2Eric Paris Jan 2015
6
9 kubectl create secret generic - Create a secret from a local file, di‐
10 rectory or literal value
11
15 kubectl create secret generic [OPTIONS]
16
20 Create a secret based on a file, directory, or specified literal value.
21 A single secret may package one or more key/value pairs.
24 When creating a secret based on a file, the key will default to the
27 basename of the file, and the value will default to the file content.
28 If the basename is an invalid key or you wish to chose your own, you
29 may specify an alternate key.
30 When creating a secret based on a directory, each file whose basename
33 is a valid key in the directory will be packaged into the secret. Any
34 directory entries except regular files are ignored (e.g. subdirecto‐
35 ries, symlinks, devices, pipes, etc).
36
40 --allow-missing-template-keys=true If true, ignore any errors in
41 templates when a field or map key is missing in the template. Only ap‐
42 plies to golang and jsonpath output formats.
43 --append-hash=false Append a hash of the secret to its name.
46 --dry-run="none" Must be "none", "server", or "client". If client
49 strategy, only print the object that would be sent, without sending it.
50 If server strategy, submit server-side request without persisting the
51 resource.
52 --field-manager="kubectl-create" Name of the manager used to track
55 field ownership.
56 --from-env-file="" Specify the path to a file to read lines of
59 key=val pairs to create a secret (i.e. a Docker .env file).
60 --from-file=[] Key files can be specified using their file path,
63 in which case a default name will be given to them, or optionally with
64 a name and file path, in which case the given name will be used. Spec‐
65 ifying a directory will iterate each named file in the directory that
66 is a valid secret key.
67 --from-literal=[] Specify a key and literal value to insert in se‐
70 cret (i.e. mykey=somevalue)
71 -o, --output="" Output format. One of: json|yaml|name|go-tem‐
74 plate|go-template-file|template|templatefile|jsonpath|json‐
75 path-as-json|jsonpath-file.
76 --save-config=false If true, the configuration of current object
79 will be saved in its annotation. Otherwise, the annotation will be un‐
80 changed. This flag is useful when you want to perform kubectl apply on
81 this object in the future.
82 --show-managed-fields=false If true, keep the managedFields when
85 printing objects in JSON or YAML format.
86 --template="" Template string or path to template file to use when
89 -o=go-template, -o=go-template-file. The template format is golang tem‐
90 plates [http://golang.org/pkg/text/template/#pkg-overview].
91 --type="" The type of secret to create
94 --validate=true If true, use a schema to validate the input before
97 sending it
98
102 --add-dir-header=false If true, adds the file directory to the
103 header of the log messages
104 --alsologtostderr=false log to standard error as well as files
107 --application-metrics-count-limit=100 Max number of application
110 metrics to store (per container)
111 --as="" Username to impersonate for the operation
114 --as-group=[] Group to impersonate for the operation, this flag
117 can be repeated to specify multiple groups.
118 --azure-container-registry-config="" Path to the file containing
121 Azure container registry configuration information.
122 --boot-id-file="/proc/sys/kernel/random/boot_id" Comma-separated
125 list of files to check for boot-id. Use the first one that exists.
126 --cache-dir="/builddir/.kube/cache" Default cache directory
129 --certificate-authority="" Path to a cert file for the certificate
132 authority
133 --client-certificate="" Path to a client certificate file for TLS
136 --client-key="" Path to a client key file for TLS
139 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
142 CIDRs opened in GCE firewall for L7 LB traffic proxy health
143 checks
144 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
147 CIDRs opened in GCE firewall for L4 LB traffic proxy health
148 checks
149 --cluster="" The name of the kubeconfig cluster to use
152 --container-hints="/etc/cadvisor/container_hints.json" location of
155 the container hints file
156 --containerd="/run/containerd/containerd.sock" containerd endpoint
159 --containerd-namespace="k8s.io" containerd namespace
162 --context="" The name of the kubeconfig context to use
165 --default-not-ready-toleration-seconds=300 Indicates the tolera‐
168 tionSeconds of the toleration for notReady:NoExecute that is added by
169 default to every pod that does not already have such a toleration.
170 --default-unreachable-toleration-seconds=300 Indicates the tolera‐
173 tionSeconds of the toleration for unreachable:NoExecute that is added
174 by default to every pod that does not already have such a toleration.
175 --disable-root-cgroup-stats=false Disable collecting root Cgroup
178 stats
179 --docker="unix:///var/run/docker.sock" docker endpoint
182 --docker-env-metadata-whitelist="" a comma-separated list of envi‐
185 ronment variable keys matched with specified prefix that needs to be
186 collected for docker containers
187 --docker-only=false Only report docker containers in addition to
190 root stats
191 --docker-root="/var/lib/docker" DEPRECATED: docker root is read
194 from docker info (this is a fallback, default: /var/lib/docker)
195 --docker-tls=false use TLS to connect to docker
198 --docker-tls-ca="ca.pem" path to trusted CA
201 --docker-tls-cert="cert.pem" path to client certificate
204 --docker-tls-key="key.pem" path to private key
207 --enable-load-reader=false Whether to enable cpu load reader
210 --event-storage-age-limit="default=0" Max length of time for which
213 to store events (per type). Value is a comma separated list of key val‐
214 ues, where the keys are event types (e.g.: creation, oom) or "default"
215 and the value is a duration. Default is applied to all non-specified
216 event types
217 --event-storage-event-limit="default=0" Max number of events to
220 store (per type). Value is a comma separated list of key values, where
221 the keys are event types (e.g.: creation, oom) or "default" and the
222 value is an integer. Default is applied to all non-specified event
223 types
224 --global-housekeeping-interval=1m0s Interval between global house‐
227 keepings
228 --housekeeping-interval=10s Interval between container housekeep‐
231 ings
232 --insecure-skip-tls-verify=false If true, the server's certificate
235 will not be checked for validity. This will make your HTTPS connections
236 insecure
237 --kubeconfig="" Path to the kubeconfig file to use for CLI re‐
240 quests.
241 --log-backtrace-at=:0 when logging hits line file:N, emit a stack
244 trace
245 --log-cadvisor-usage=false Whether to log the usage of the cAdvi‐
248 sor container
249 --log-dir="" If non-empty, write log files in this directory
252 --log-file="" If non-empty, use this log file
255 --log-file-max-size=1800 Defines the maximum size a log file can
258 grow to. Unit is megabytes. If the value is 0, the maximum file size is
259 unlimited.
260 --log-flush-frequency=5s Maximum number of seconds between log
263 flushes
264 --logtostderr=true log to standard error instead of files
267 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
270 Comma-separated list of files to check for machine-id. Use the
271 first one that exists.
272 --match-server-version=false Require server version to match
275 client version
276 -n, --namespace="" If present, the namespace scope for this CLI
279 request
280 --one-output=false If true, only write logs to their native sever‐
283 ity level (vs also writing to each lower severity level)
284 --password="" Password for basic authentication to the API server
287 --profile="none" Name of profile to capture. One of
290 (none|cpu|heap|goroutine|threadcreate|block|mutex)
291 --profile-output="profile.pprof" Name of the file to write the
294 profile to
295 --referenced-reset-interval=0 Reset interval for referenced bytes
298 (container_referenced_bytes metric), number of measurement cycles after
299 which referenced bytes are cleared, if set to 0 referenced bytes are
300 never cleared (default: 0)
301 --request-timeout="0" The length of time to wait before giving up
304 on a single server request. Non-zero values should contain a corre‐
305 sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
306 out requests.
307 -s, --server="" The address and port of the Kubernetes API server
310 --skip-headers=false If true, avoid header prefixes in the log
313 messages
314 --skip-log-headers=false If true, avoid headers when opening log
317 files
318 --stderrthreshold=2 logs at or above this threshold go to stderr
321 --storage-driver-buffer-duration=1m0s Writes in the storage driver
324 will be buffered for this duration, and committed to the non memory
325 backends as a single transaction
326 --storage-driver-db="cadvisor" database name
329 --storage-driver-host="localhost:8086" database host:port
332 --storage-driver-password="root" database password
335 --storage-driver-secure=false use secure connection with database
338 --storage-driver-table="stats" table name
341 --storage-driver-user="root" database username
344 --tls-server-name="" Server name to use for server certificate
347 validation. If it is not provided, the hostname used to contact the
348 server is used
349 --token="" Bearer token for authentication to the API server
352 --update-machine-info-interval=5m0s Interval between machine info
355 updates.
356 --user="" The name of the kubeconfig user to use
359 --username="" Username for basic authentication to the API server
362 -v, --v=0 number for the log level verbosity
365 --version=false Print version information and quit
368 --vmodule= comma-separated list of pattern=N settings for
371 file-filtered logging
372 --warnings-as-errors=false Treat warnings received from the server
375 as errors and exit with a non-zero exit code
376
380 # Create a new secret named my-secret with keys for each file in folder bar
381 kubectl create secret generic my-secret --from-file=path/to/bar
382 # Create a new secret named my-secret with specified keys instead of names on disk
384 kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub
385 # Create a new secret named my-secret with key1=supersecret and key2=topsecret
387 kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret
388 # Create a new secret named my-secret using a combination of a file and a literal
390 kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret
391 # Create a new secret named my-secret from an env file
393 kubectl create secret generic my-secret --from-env-file=path/to/bar.env
394
399 kubectl-create-secret(1),
400
404 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
405 com) based on the kubernetes source material, but hopefully they have
406 been automatically generated since!
407Manuals User KUBERNETES(1)(kubernetes)