KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)

Eric Paris Jan 2015

NAME

       kubectl create secret generic - Create a secret from a local file,
       directory or literal value

SYNOPSIS

       kubectl create secret generic [OPTIONS]

DESCRIPTION

       Create a secret based on a file, directory, or specified literal value.

       A single secret may package one or more key/value pairs.

       When creating a secret based on a file, the key will default to the
       basename of the file, and the value will default to the file content.
       If the basename is an invalid key or you wish to choose your own, you
       may specify an alternate key.

       When creating a secret based on a directory, each file whose basename
       is a valid key in the directory will be packaged into the secret. Any
       directory entries except regular files are ignored (e.g.
       subdirectories, symlinks, devices, pipes, etc).
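
       The directory rules above mean files can be left out of a secret
       without an error. The script below is an added example, not part of
       the original manual or of kubectl, that previews which entries would
       be packaged. The function names are hypothetical, and the key rule
       (1-253 characters from A-Z, a-z, 0-9, '.', '_', '-', not "." and not
       starting with "..") is an assumption, since this page does not define
       a valid key.

```shell
# Added example: preview what `--from-file=DIR` would package into a secret.
LC_ALL=C; export LC_ALL   # make the A-Z/a-z ranges below byte-exact

# is_valid_key NAME: succeeds if NAME satisfies the assumed key rule
# (1-253 chars from [A-Za-z0-9._-], not "." and not starting with "..").
is_valid_key() {
    key=$1
    [ -n "$key" ] && [ "${#key}" -le 253 ] || return 1
    case $key in
        . | ..*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# preview_secret_dir DIR: prints one "PACK name" or "SKIP name (reason)"
# line per directory entry, mirroring the rules in DESCRIPTION.
preview_secret_dir() {
    dir=$1
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$path" ] || [ -L "$path" ] || continue   # unmatched glob
        name=${path##*/}
        if [ -L "$path" ]; then
            echo "SKIP $name (symlink)"
        elif [ ! -f "$path" ]; then
            echo "SKIP $name (not a regular file)"
        elif ! is_valid_key "$name"; then
            echo "SKIP $name (invalid key)"
        else
            echo "PACK $name"
        fi
    done
    return 0
}

# Constructed sample directory: one usable file, three excluded entries.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'constructed-value' > "$d/db-password"
    printf 'x' > "$d/bad key"            # space is not a valid key character
    mkdir "$d/subdir"
    ln -s "$d/db-password" "$d/link-to-password"
    echo "$d"
}

demo=$(make_demo_dir)
preview_secret_dir "$demo"
rm -rf "$demo"
```

       Running preview_secret_dir on the real directory before the create
       command shows which files would be left out of the secret.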

OPTIONS

       --allow-missing-template-keys=true
           If true, ignore any errors in templates when a field or map key is
           missing in the template. Only applies to golang and jsonpath output
           formats.

       --append-hash=false
           Append a hash of the secret to its name.

       --dry-run="none"
           Must be "none", "server", or "client". If client strategy, only
           print the object that would be sent, without sending it. If server
           strategy, submit server-side request without persisting the
           resource.

       --field-manager="kubectl-create"
           Name of the manager used to track field ownership.

       --from-env-file=""
           Specify the path to a file to read lines of key=val pairs to create
           a secret (i.e. a Docker .env file).

       --from-file=[]
           Key files can be specified using their file path, in which case a
           default name will be given to them, or optionally with a name and
           file path, in which case the given name will be used. Specifying a
           directory will iterate each named file in the directory that is a
           valid secret key.

       --from-literal=[]
           Specify a key and literal value to insert in secret (e.g.
           mykey=somevalue).

       -o, --output=""
           Output format. One of:
           json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file.

       --save-config=false
           If true, the configuration of current object will be saved in its
           annotation. Otherwise, the annotation will be unchanged. This flag
           is useful when you want to perform kubectl apply on this object in
           the future.

       --show-managed-fields=false
           If true, keep the managedFields when printing objects in JSON or
           YAML format.

       --template=""
           Template string or path to template file to use when
           -o=go-template, -o=go-template-file. The template format is golang
           templates [http://golang.org/pkg/text/template/#pkg-overview].

       --type=""
           The type of secret to create

       --validate=true
           If true, use a schema to validate the input before sending it

OPTIONS INHERITED FROM PARENT COMMANDS

       --add-dir-header=false
           If true, adds the file directory to the header of the log messages

       --alsologtostderr=false
           log to standard error as well as files

       --application-metrics-count-limit=100
           Max number of application metrics to store (per container)

       --as=""
           Username to impersonate for the operation

       --as-group=[]
           Group to impersonate for the operation, this flag can be repeated
           to specify multiple groups.

       --azure-container-registry-config=""
           Path to the file containing Azure container registry configuration
           information.

       --boot-id-file="/proc/sys/kernel/random/boot_id"
           Comma-separated list of files to check for boot-id. Use the first
           one that exists.

       --cache-dir="/builddir/.kube/cache"
           Default cache directory

       --certificate-authority=""
           Path to a cert file for the certificate authority

       --client-certificate=""
           Path to a client certificate file for TLS

       --client-key=""
           Path to a client key file for TLS

       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
           CIDRs opened in GCE firewall for L7 LB traffic proxy & health
           checks

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
           CIDRs opened in GCE firewall for L4 LB traffic proxy & health
           checks

       --cluster=""
           The name of the kubeconfig cluster to use

       --container-hints="/etc/cadvisor/container_hints.json"
           location of the container hints file

       --containerd="/run/containerd/containerd.sock"
           containerd endpoint

       --containerd-namespace="k8s.io"
           containerd namespace

       --context=""
           The name of the kubeconfig context to use

       --default-not-ready-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           notReady:NoExecute that is added by default to every pod that does
           not already have such a toleration.

       --default-unreachable-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           unreachable:NoExecute that is added by default to every pod that
           does not already have such a toleration.

       --disable-root-cgroup-stats=false
           Disable collecting root Cgroup stats

       --docker="unix:///var/run/docker.sock"
           docker endpoint

       --docker-env-metadata-whitelist=""
           a comma-separated list of environment variable keys matched with
           specified prefix that needs to be collected for docker containers

       --docker-only=false
           Only report docker containers in addition to root stats

       --docker-root="/var/lib/docker"
           DEPRECATED: docker root is read from docker info (this is a
           fallback, default: /var/lib/docker)

       --docker-tls=false
           use TLS to connect to docker

       --docker-tls-ca="ca.pem"
           path to trusted CA

       --docker-tls-cert="cert.pem"
           path to client certificate

       --docker-tls-key="key.pem"
           path to private key

       --enable-load-reader=false
           Whether to enable cpu load reader

       --event-storage-age-limit="default=0"
           Max length of time for which to store events (per type). Value is a
           comma separated list of key values, where the keys are event types
           (e.g.: creation, oom) or "default" and the value is a duration.
           Default is applied to all non-specified event types

       --event-storage-event-limit="default=0"
           Max number of events to store (per type). Value is a comma
           separated list of key values, where the keys are event types
           (e.g.: creation, oom) or "default" and the value is an integer.
           Default is applied to all non-specified event types

       --global-housekeeping-interval=1m0s
           Interval between global housekeepings

       --housekeeping-interval=10s
           Interval between container housekeepings

       --insecure-skip-tls-verify=false
           If true, the server's certificate will not be checked for validity.
           This will make your HTTPS connections insecure

       --kubeconfig=""
           Path to the kubeconfig file to use for CLI requests.

       --log-backtrace-at=:0
           when logging hits line file:N, emit a stack trace

       --log-cadvisor-usage=false
           Whether to log the usage of the cAdvisor container

       --log-dir=""
           If non-empty, write log files in this directory

       --log-file=""
           If non-empty, use this log file

       --log-file-max-size=1800
           Defines the maximum size a log file can grow to. Unit is megabytes.
           If the value is 0, the maximum file size is unlimited.

       --log-flush-frequency=5s
           Maximum number of seconds between log flushes

       --logtostderr=true
           log to standard error instead of files

       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
           Comma-separated list of files to check for machine-id. Use the
           first one that exists.

       --match-server-version=false
           Require server version to match client version

       -n, --namespace=""
           If present, the namespace scope for this CLI request

       --one-output=false
           If true, only write logs to their native severity level (vs also
           writing to each lower severity level)

       --password=""
           Password for basic authentication to the API server

       --profile="none"
           Name of profile to capture. One of
           (none|cpu|heap|goroutine|threadcreate|block|mutex)

       --profile-output="profile.pprof"
           Name of the file to write the profile to

       --referenced-reset-interval=0
           Reset interval for referenced bytes (container_referenced_bytes
           metric), number of measurement cycles after which referenced bytes
           are cleared, if set to 0 referenced bytes are never cleared
           (default: 0)

       --request-timeout="0"
           The length of time to wait before giving up on a single server
           request. Non-zero values should contain a corresponding time unit
           (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

       -s, --server=""
           The address and port of the Kubernetes API server

       --skip-headers=false
           If true, avoid header prefixes in the log messages

       --skip-log-headers=false
           If true, avoid headers when opening log files

       --stderrthreshold=2
           logs at or above this threshold go to stderr

       --storage-driver-buffer-duration=1m0s
           Writes in the storage driver will be buffered for this duration,
           and committed to the non memory backends as a single transaction

       --storage-driver-db="cadvisor"
           database name

       --storage-driver-host="localhost:8086"
           database host:port

       --storage-driver-password="root"
           database password

       --storage-driver-secure=false
           use secure connection with database

       --storage-driver-table="stats"
           table name

       --storage-driver-user="root"
           database username

       --tls-server-name=""
           Server name to use for server certificate validation. If it is not
           provided, the hostname used to contact the server is used

       --token=""
           Bearer token for authentication to the API server

       --update-machine-info-interval=5m0s
           Interval between machine info updates.

       --user=""
           The name of the kubeconfig user to use

       --username=""
           Username for basic authentication to the API server

       -v, --v=0
           number for the log level verbosity

       --version=false
           Print version information and quit

       --vmodule=
           comma-separated list of pattern=N settings for file-filtered
           logging

       --warnings-as-errors=false
           Treat warnings received from the server as errors and exit with a
           non-zero exit code

EXAMPLE

       # Create a new secret named my-secret with keys for each file in folder bar
       kubectl create secret generic my-secret --from-file=path/to/bar

       # Create a new secret named my-secret with specified keys instead of names on disk
       kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub

       # Create a new secret named my-secret with key1=supersecret and key2=topsecret
       kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret

       # Create a new secret named my-secret using a combination of a file and a literal
       kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret

       # Create a new secret named my-secret from an env file
       kubectl create secret generic my-secret --from-env-file=path/to/bar.env

SEE ALSO

       kubectl-create-secret(1)

HISTORY

       January 2015, Originally compiled by Eric Paris (eparis at redhat dot
       com) based on the kubernetes source material, but hopefully they have
       been automatically generated since!

Manuals                              User            KUBERNETES(1)(kubernetes)