1KUBERNETES(1)(kubernetes)                            KUBERNETES(1)(kubernetes)
2
3
4
5Eric Paris Jan 2015
6
7

NAME

9       kubectl  set  subject  -  Update  User,  Group  or  ServiceAccount in a
10       RoleBinding/ClusterRoleBinding
11
12
13

SYNOPSIS

15       kubectl set subject [OPTIONS]
16
17
18

DESCRIPTION

20       Update User, Group or ServiceAccount in a  RoleBinding/ClusterRoleBind‐
21       ing.
22
23
24

OPTIONS

26       --all=false      Select all resources, including uninitialized ones, in
27       the namespace of the specified resource types
28
29
30       --allow-missing-template-keys=true      If true, ignore any  errors  in
31       templates  when a field or map key is missing in the template. Only ap‐
32       plies to golang and jsonpath output formats.
33
34
35       --dry-run="none"      Must be "none", "server", or "client". If  client
36       strategy, only print the object that would be sent, without sending it.
37       If server strategy, submit server-side request without  persisting  the
38       resource.
39
40
41       --field-manager="kubectl-set"       Name  of  the manager used to track
42       field ownership.
43
44
45       -f, --filename=[]      Filename, directory, or URL  to  files  the  re‐
46       source to update the subjects
47
48
49       --group=[]      Groups to bind to the role
50
51
52       -k,  --kustomize=""      Process the kustomization directory. This flag
53       can't be used together with -f or -R.
54
55
56       --local=false      If true, set subject will NOT contact api-server but
57       run locally.
58
59
60       -o,  --output=""       Output  format.  One  of: json|yaml|name|go-tem‐
61       plate|go-template-file|template|templatefile|jsonpath|json‐
62       path-as-json|jsonpath-file.
63
64
65       -R, --recursive=false      Process the directory used in -f, --filename
66       recursively. Useful when you want to manage related manifests organized
67       within the same directory.
68
69
70       -l, --selector=""      Selector (label query) to filter on, not includ‐
71       ing  uninitialized  ones,  supports  '=',  '==',  and   '!='.(e.g.   -l
72       key1=value1,key2=value2)
73
74
75       --serviceaccount=[]      Service accounts to bind to the role
76
77
78       --show-managed-fields=false       If  true, keep the managedFields when
79       printing objects in JSON or YAML format.
80
81
82       --template=""      Template string or path to template file to use when
83       -o=go-template, -o=go-template-file. The template format is golang tem‐
84       plates [http://golang.org/pkg/text/template/#pkg-overview].
85
86
87

OPTIONS INHERITED FROM PARENT COMMANDS

89       --add-dir-header=false      If true, adds the  file  directory  to  the
90       header of the log messages
91
92
93       --alsologtostderr=false      log to standard error as well as files
94
95
96       --application-metrics-count-limit=100       Max  number  of application
97       metrics to store (per container)
98
99
100       --as=""      Username to impersonate for the operation
101
102
103       --as-group=[]      Group to impersonate for the  operation,  this  flag
104       can be repeated to specify multiple groups.
105
106
107       --azure-container-registry-config=""       Path  to the file containing
108       Azure container registry configuration information.
109
110
111       --boot-id-file="/proc/sys/kernel/random/boot_id"        Comma-separated
112       list of files to check for boot-id. Use the first one that exists.
113
114
115       --cache-dir="/builddir/.kube/cache"      Default cache directory
116
117
118       --certificate-authority=""      Path to a cert file for the certificate
119       authority
120
121
122       --client-certificate=""      Path to a client certificate file for TLS
123
124
125       --client-key=""      Path to a client key file for TLS
126
127
128       --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
129            CIDRs  opened  in  GCE  firewall  for  L7 LB traffic proxy  health
130       checks
131
132
133       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
134            CIDRs  opened  in  GCE  firewall  for  L4 LB traffic proxy  health
135       checks
136
137
138       --cluster=""      The name of the kubeconfig cluster to use
139
140
141       --container-hints="/etc/cadvisor/container_hints.json"      location of
142       the container hints file
143
144
145       --containerd="/run/containerd/containerd.sock"      containerd endpoint
146
147
148       --containerd-namespace="k8s.io"      containerd namespace
149
150
151       --context=""      The name of the kubeconfig context to use
152
153
154       --default-not-ready-toleration-seconds=300       Indicates  the tolera‐
155       tionSeconds of the toleration for notReady:NoExecute that is  added  by
156       default to every pod that does not already have such a toleration.
157
158
159       --default-unreachable-toleration-seconds=300      Indicates the tolera‐
160       tionSeconds of the toleration for unreachable:NoExecute that  is  added
161       by default to every pod that does not already have such a toleration.
162
163
164       --disable-root-cgroup-stats=false       Disable  collecting root Cgroup
165       stats
166
167
168       --docker="unix:///var/run/docker.sock"      docker endpoint
169
170
171       --docker-env-metadata-whitelist=""      a comma-separated list of envi‐
172       ronment  variable  keys  matched with specified prefix that needs to be
173       collected for docker containers
174
175
176       --docker-only=false      Only report docker containers in  addition  to
177       root stats
178
179
180       --docker-root="/var/lib/docker"       DEPRECATED:  docker  root is read
181       from docker info (this is a fallback, default: /var/lib/docker)
182
183
184       --docker-tls=false      use TLS to connect to docker
185
186
187       --docker-tls-ca="ca.pem"      path to trusted CA
188
189
190       --docker-tls-cert="cert.pem"      path to client certificate
191
192
193       --docker-tls-key="key.pem"      path to private key
194
195
196       --enable-load-reader=false      Whether to enable cpu load reader
197
198
199       --event-storage-age-limit="default=0"      Max length of time for which
200       to store events (per type). Value is a comma separated list of key val‐
201       ues, where the keys are event types (e.g.: creation, oom) or  "default"
202       and  the  value  is a duration. Default is applied to all non-specified
203       event types
204
205
206       --event-storage-event-limit="default=0"      Max number  of  events  to
207       store  (per type). Value is a comma separated list of key values, where
208       the keys are event types (e.g.: creation, oom)  or  "default"  and  the
209       value  is  an  integer.  Default  is applied to all non-specified event
210       types
211
212
213       --global-housekeeping-interval=1m0s      Interval between global house‐
214       keepings
215
216
217       --housekeeping-interval=10s       Interval between container housekeep‐
218       ings
219
220
221       --insecure-skip-tls-verify=false      If true, the server's certificate
222       will not be checked for validity. This will make your HTTPS connections
223       insecure
224
225
226       --kubeconfig=""      Path to the kubeconfig file to  use  for  CLI  re‐
227       quests.
228
229
230       --log-backtrace-at=:0       when logging hits line file:N, emit a stack
231       trace
232
233
234       --log-cadvisor-usage=false      Whether to log the usage of the  cAdvi‐
235       sor container
236
237
238       --log-dir=""      If non-empty, write log files in this directory
239
240
241       --log-file=""      If non-empty, use this log file
242
243
244       --log-file-max-size=1800       Defines  the maximum size a log file can
245       grow to. Unit is megabytes. If the value is 0, the maximum file size is
246       unlimited.
247
248
249       --log-flush-frequency=5s       Maximum  number  of  seconds between log
250       flushes
251
252
253       --logtostderr=true      log to standard error instead of files
254
255
256       --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
257            Comma-separated  list  of  files  to check for machine-id. Use the
258       first one that exists.
259
260
261       --match-server-version=false       Require  server  version  to   match
262       client version
263
264
265       -n,  --namespace=""       If  present, the namespace scope for this CLI
266       request
267
268
269       --one-output=false      If true, only write logs to their native sever‐
270       ity level (vs also writing to each lower severity level)
271
272
273       --password=""      Password for basic authentication to the API server
274
275
276       --profile="none"         Name   of   profile   to   capture.   One   of
277       (none|cpu|heap|goroutine|threadcreate|block|mutex)
278
279
280       --profile-output="profile.pprof"      Name of the  file  to  write  the
281       profile to
282
283
284       --referenced-reset-interval=0       Reset interval for referenced bytes
285       (container_referenced_bytes metric), number of measurement cycles after
286       which  referenced  bytes  are cleared, if set to 0 referenced bytes are
287       never cleared (default: 0)
288
289
290       --request-timeout="0"      The length of time to wait before giving  up
291       on  a  single  server  request. Non-zero values should contain a corre‐
292       sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
293       out requests.
294
295
296       -s, --server=""      The address and port of the Kubernetes API server
297
298
299       --skip-headers=false       If  true,  avoid  header prefixes in the log
300       messages
301
302
303       --skip-log-headers=false      If true, avoid headers when  opening  log
304       files
305
306
307       --stderrthreshold=2      logs at or above this threshold go to stderr
308
309
310       --storage-driver-buffer-duration=1m0s      Writes in the storage driver
311       will be buffered for this duration, and committed  to  the  non  memory
312       backends as a single transaction
313
314
315       --storage-driver-db="cadvisor"      database name
316
317
318       --storage-driver-host="localhost:8086"      database host:port
319
320
321       --storage-driver-password="root"      database password
322
323
324       --storage-driver-secure=false      use secure connection with database
325
326
327       --storage-driver-table="stats"      table name
328
329
330       --storage-driver-user="root"      database username
331
332
333       --tls-server-name=""       Server  name  to  use for server certificate
334       validation. If it is not provided, the hostname  used  to  contact  the
335       server is used
336
337
338       --token=""      Bearer token for authentication to the API server
339
340
341       --update-machine-info-interval=5m0s       Interval between machine info
342       updates.
343
344
345       --user=""      The name of the kubeconfig user to use
346
347
348       --username=""      Username for basic authentication to the API server
349
350
351       -v, --v=0      number for the log level verbosity
352
353
354       --version=false      Print version information and quit
355
356
357       --vmodule=       comma-separated  list  of   pattern=N   settings   for
358       file-filtered logging
359
360
361       --warnings-as-errors=false      Treat warnings received from the server
362       as errors and exit with a non-zero exit code
363
364
365

EXAMPLE

367                # Update a ClusterRoleBinding for serviceaccount1
368                kubectl set subject clusterrolebinding admin --serviceaccount=namespace:serviceaccount1
369
370                # Update a RoleBinding for user1, user2, and group1
371                kubectl set subject rolebinding admin --user=user1 --user=user2 --group=group1
372
373                # Print the result (in yaml format) of updating rolebinding subjects from a local, without hitting the server
374                kubectl create rolebinding admin --role=admin --user=admin -o yaml --dry-run=client | kubectl set subject --local -f - --user=foo -o yaml
375
376
377
378

SEE ALSO

380       kubectl-set(1),
381
382
383

HISTORY

385       January 2015, Originally compiled by Eric Paris (eparis at  redhat  dot
386       com)  based  on the kubernetes source material, but hopefully they have
387       been automatically generated since!
388
389
390
391Manuals                              User            KUBERNETES(1)(kubernetes)
Impressum