1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2Eric Paris Jan 2015
6
9 kubectl set subject - Update User, Group or ServiceAccount in a
10 RoleBinding/ClusterRoleBinding
11
15 kubectl set subject [OPTIONS]
16
20 Update User, Group or ServiceAccount in a RoleBinding/ClusterRoleBind‐
21 ing.
22
26 --all=false Select all resources, including uninitialized ones, in
27 the namespace of the specified resource types
28 --allow-missing-template-keys=true If true, ignore any errors in
31 templates when a field or map key is missing in the template. Only ap‐
32 plies to golang and jsonpath output formats.
33 --dry-run="none" Must be "none", "server", or "client". If client
36 strategy, only print the object that would be sent, without sending it.
37 If server strategy, submit server-side request without persisting the
38 resource.
39 --field-manager="kubectl-set" Name of the manager used to track
42 field ownership.
43 -f, --filename=[] Filename, directory, or URL to files the re‐
46 source to update the subjects
47 --group=[] Groups to bind to the role
50 -k, --kustomize="" Process the kustomization directory. This flag
53 can't be used together with -f or -R.
54 --local=false If true, set subject will NOT contact api-server but
57 run locally.
58 -o, --output="" Output format. One of: json|yaml|name|go-tem‐
61 plate|go-template-file|template|templatefile|jsonpath|json‐
62 path-as-json|jsonpath-file.
63 -R, --recursive=false Process the directory used in -f, --filename
66 recursively. Useful when you want to manage related manifests organized
67 within the same directory.
68 -l, --selector="" Selector (label query) to filter on, not includ‐
71 ing uninitialized ones, supports '=', '==', and '!='.(e.g. -l
72 key1=value1,key2=value2)
73 --serviceaccount=[] Service accounts to bind to the role
76 --show-managed-fields=false If true, keep the managedFields when
79 printing objects in JSON or YAML format.
80 --template="" Template string or path to template file to use when
83 -o=go-template, -o=go-template-file. The template format is golang tem‐
84 plates [http://golang.org/pkg/text/template/#pkg-overview].
85
89 --add-dir-header=false If true, adds the file directory to the
90 header of the log messages
91 --alsologtostderr=false log to standard error as well as files
94 --application-metrics-count-limit=100 Max number of application
97 metrics to store (per container)
98 --as="" Username to impersonate for the operation
101 --as-group=[] Group to impersonate for the operation, this flag
104 can be repeated to specify multiple groups.
105 --azure-container-registry-config="" Path to the file containing
108 Azure container registry configuration information.
109 --boot-id-file="/proc/sys/kernel/random/boot_id" Comma-separated
112 list of files to check for boot-id. Use the first one that exists.
113 --cache-dir="/builddir/.kube/cache" Default cache directory
116 --certificate-authority="" Path to a cert file for the certificate
119 authority
120 --client-certificate="" Path to a client certificate file for TLS
123 --client-key="" Path to a client key file for TLS
126 --cloud-provider-gce-l7lb-src-cidrs=130.211.0.0/22,35.191.0.0/16
129 CIDRs opened in GCE firewall for L7 LB traffic proxy health
130 checks
131 --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
134 CIDRs opened in GCE firewall for L4 LB traffic proxy health
135 checks
136 --cluster="" The name of the kubeconfig cluster to use
139 --container-hints="/etc/cadvisor/container_hints.json" location of
142 the container hints file
143 --containerd="/run/containerd/containerd.sock" containerd endpoint
146 --containerd-namespace="k8s.io" containerd namespace
149 --context="" The name of the kubeconfig context to use
152 --default-not-ready-toleration-seconds=300 Indicates the tolera‐
155 tionSeconds of the toleration for notReady:NoExecute that is added by
156 default to every pod that does not already have such a toleration.
157 --default-unreachable-toleration-seconds=300 Indicates the tolera‐
160 tionSeconds of the toleration for unreachable:NoExecute that is added
161 by default to every pod that does not already have such a toleration.
162 --disable-root-cgroup-stats=false Disable collecting root Cgroup
165 stats
166 --docker="unix:///var/run/docker.sock" docker endpoint
169 --docker-env-metadata-whitelist="" a comma-separated list of envi‐
172 ronment variable keys matched with specified prefix that needs to be
173 collected for docker containers
174 --docker-only=false Only report docker containers in addition to
177 root stats
178 --docker-root="/var/lib/docker" DEPRECATED: docker root is read
181 from docker info (this is a fallback, default: /var/lib/docker)
182 --docker-tls=false use TLS to connect to docker
185 --docker-tls-ca="ca.pem" path to trusted CA
188 --docker-tls-cert="cert.pem" path to client certificate
191 --docker-tls-key="key.pem" path to private key
194 --enable-load-reader=false Whether to enable cpu load reader
197 --event-storage-age-limit="default=0" Max length of time for which
200 to store events (per type). Value is a comma separated list of key val‐
201 ues, where the keys are event types (e.g.: creation, oom) or "default"
202 and the value is a duration. Default is applied to all non-specified
203 event types
204 --event-storage-event-limit="default=0" Max number of events to
207 store (per type). Value is a comma separated list of key values, where
208 the keys are event types (e.g.: creation, oom) or "default" and the
209 value is an integer. Default is applied to all non-specified event
210 types
211 --global-housekeeping-interval=1m0s Interval between global house‐
214 keepings
215 --housekeeping-interval=10s Interval between container housekeep‐
218 ings
219 --insecure-skip-tls-verify=false If true, the server's certificate
222 will not be checked for validity. This will make your HTTPS connections
223 insecure
224 --kubeconfig="" Path to the kubeconfig file to use for CLI re‐
227 quests.
228 --log-backtrace-at=:0 when logging hits line file:N, emit a stack
231 trace
232 --log-cadvisor-usage=false Whether to log the usage of the cAdvi‐
235 sor container
236 --log-dir="" If non-empty, write log files in this directory
239 --log-file="" If non-empty, use this log file
242 --log-file-max-size=1800 Defines the maximum size a log file can
245 grow to. Unit is megabytes. If the value is 0, the maximum file size is
246 unlimited.
247 --log-flush-frequency=5s Maximum number of seconds between log
250 flushes
251 --logtostderr=true log to standard error instead of files
254 --machine-id-file="/etc/machine-id,/var/lib/dbus/machine-id"
257 Comma-separated list of files to check for machine-id. Use the
258 first one that exists.
259 --match-server-version=false Require server version to match
262 client version
263 -n, --namespace="" If present, the namespace scope for this CLI
266 request
267 --one-output=false If true, only write logs to their native sever‐
270 ity level (vs also writing to each lower severity level)
271 --password="" Password for basic authentication to the API server
274 --profile="none" Name of profile to capture. One of
277 (none|cpu|heap|goroutine|threadcreate|block|mutex)
278 --profile-output="profile.pprof" Name of the file to write the
281 profile to
282 --referenced-reset-interval=0 Reset interval for referenced bytes
285 (container_referenced_bytes metric), number of measurement cycles after
286 which referenced bytes are cleared, if set to 0 referenced bytes are
287 never cleared (default: 0)
288 --request-timeout="0" The length of time to wait before giving up
291 on a single server request. Non-zero values should contain a corre‐
292 sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
293 out requests.
294 -s, --server="" The address and port of the Kubernetes API server
297 --skip-headers=false If true, avoid header prefixes in the log
300 messages
301 --skip-log-headers=false If true, avoid headers when opening log
304 files
305 --stderrthreshold=2 logs at or above this threshold go to stderr
308 --storage-driver-buffer-duration=1m0s Writes in the storage driver
311 will be buffered for this duration, and committed to the non memory
312 backends as a single transaction
313 --storage-driver-db="cadvisor" database name
316 --storage-driver-host="localhost:8086" database host:port
319 --storage-driver-password="root" database password
322 --storage-driver-secure=false use secure connection with database
325 --storage-driver-table="stats" table name
328 --storage-driver-user="root" database username
331 --tls-server-name="" Server name to use for server certificate
334 validation. If it is not provided, the hostname used to contact the
335 server is used
336 --token="" Bearer token for authentication to the API server
339 --update-machine-info-interval=5m0s Interval between machine info
342 updates.
343 --user="" The name of the kubeconfig user to use
346 --username="" Username for basic authentication to the API server
349 -v, --v=0 number for the log level verbosity
352 --version=false Print version information and quit
355 --vmodule= comma-separated list of pattern=N settings for
358 file-filtered logging
359 --warnings-as-errors=false Treat warnings received from the server
362 as errors and exit with a non-zero exit code
363
367 # Update a ClusterRoleBinding for serviceaccount1
368 kubectl set subject clusterrolebinding admin --serviceaccount=namespace:serviceaccount1
369 # Update a RoleBinding for user1, user2, and group1
371 kubectl set subject rolebinding admin --user=user1 --user=user2 --group=group1
372 # Print the result (in yaml format) of updating rolebinding subjects from a local, without hitting the server
374 kubectl create rolebinding admin --role=admin --user=admin -o yaml --dry-run=client | kubectl set subject --local -f - --user=foo -o yaml
375
380 kubectl-set(1),
381
385 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
386 com) based on the kubernetes source material, but hopefully they have
387 been automatically generated since!
388Manuals User KUBERNETES(1)(kubernetes)