OC ADM POLICY(1)                   June 2016                  OC ADM POLICY(1)

NAME

       oc adm policy reconcile-cluster-role-bindings - Update cluster role
       bindings to match the recommended bootstrap policy

SYNOPSIS

       oc adm policy reconcile-cluster-role-bindings [OPTIONS]

DESCRIPTION

       Update cluster role bindings to match the recommended bootstrap policy

       This command will inspect the cluster role bindings against the
       recommended bootstrap policy. Any cluster role binding that does not
       match will be replaced by the recommended bootstrap role binding. This
       command will not remove any additional cluster role bindings.

       You can see which recommended cluster role bindings have changed by
       choosing an output type.

OPTIONS

       --additive-only=true
           If true, preserves extra subjects in cluster role bindings.

       --allow-missing-template-keys=true
           If true, ignore any errors in templates when a field or map key is
           missing in the template. Only applies to golang and jsonpath output
           formats.

       --confirm=false
           If true, specify that cluster role bindings should be modified.
           Defaults to false, displaying what would be replaced but not
           actually replacing anything.

       --exclude-groups=[]
           Do not add cluster role bindings for these group names.

       --exclude-users=[]
           Do not add cluster role bindings for these user names.

       --no-headers=false
           When using the default or custom-column output format, don't print
           headers (default print headers).

       -o, --output="yaml"
           Output format. One of:
           json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=...
           See custom columns
           [⟨http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns⟩],
           golang template [⟨http://golang.org/pkg/text/template/#pkg-overview⟩]
           and jsonpath template
           [⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].

       --show-labels=false
           When printing, show all labels as the last column (default hide
           labels column)

       --sort-by=""
           If non-empty, sort list types using this field specification. The
           field specification is expressed as a JSONPath expression (e.g.
           '{.metadata.name}'). The field in the API resource specified by
           this JSONPath expression must be an integer or a string.

       --template=""
           Template string or path to template file to use when
           -o=go-template, -o=go-template-file. The template format is golang
           templates [⟨http://golang.org/pkg/text/template/#pkg-overview⟩].

OPTIONS INHERITED FROM PARENT COMMANDS

       --allow_verification_with_non_compliant_keys=false
           Allow a SignatureVerifier to use keys which are technically
           non-compliant with RFC6962.

       --alsologtostderr=false
           log to standard error as well as files

       --application_metrics_count_limit=100
           Max number of application metrics to store (per container)

       --as=""
           Username to impersonate for the operation

       --as-group=[]
           Group to impersonate for the operation, this flag can be repeated
           to specify multiple groups.

       --azure-container-registry-config=""
           Path to the file containing Azure container registry configuration
           information.

       --boot_id_file="/proc/sys/kernel/random/boot_id"
           Comma-separated list of files to check for boot-id. Use the first
           one that exists.

       --cache-dir="/builddir/.kube/http-cache"
           Default HTTP cache directory

       --certificate-authority=""
           Path to a cert file for the certificate authority

       --client-certificate=""
           Path to a client certificate file for TLS

       --client-key=""
           Path to a client key file for TLS

       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
           CIDRs opened in GCE firewall for LB traffic proxy & health checks

       --cluster=""
           The name of the kubeconfig cluster to use

       --container_hints="/etc/cadvisor/container_hints.json"
           location of the container hints file

       --containerd="unix:///var/run/containerd.sock"
           containerd endpoint

       --context=""
           The name of the kubeconfig context to use

       --default-not-ready-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           notReady:NoExecute that is added by default to every pod that does
           not already have such a toleration.

       --default-unreachable-toleration-seconds=300
           Indicates the tolerationSeconds of the toleration for
           unreachable:NoExecute that is added by default to every pod that
           does not already have such a toleration.

       --docker="unix:///var/run/docker.sock"
           docker endpoint

       --docker-tls=false
           use TLS to connect to docker

       --docker-tls-ca="ca.pem"
           path to trusted CA

       --docker-tls-cert="cert.pem"
           path to client certificate

       --docker-tls-key="key.pem"
           path to private key

       --docker_env_metadata_whitelist=""
           a comma-separated list of environment variable keys that needs to
           be collected for docker containers

       --docker_only=false
           Only report docker containers in addition to root stats

       --docker_root="/var/lib/docker"
           DEPRECATED: docker root is read from docker info (this is a
           fallback, default: /var/lib/docker)

       --enable_load_reader=false
           Whether to enable cpu load reader

       --event_storage_age_limit="default=24h"
           Max length of time for which to store events (per type). Value is
           a comma separated list of key values, where the keys are event
           types (e.g.: creation, oom) or "default" and the value is a
           duration. Default is applied to all non-specified event types

       --event_storage_event_limit="default=100000"
           Max number of events to store (per type). Value is a comma
           separated list of key values, where the keys are event types
           (e.g.: creation, oom) or "default" and the value is an integer.
           Default is applied to all non-specified event types

       --global_housekeeping_interval=0
           Interval between global housekeepings

       --housekeeping_interval=0
           Interval between container housekeepings

       --insecure-skip-tls-verify=false
           If true, the server's certificate will not be checked for
           validity. This will make your HTTPS connections insecure

       --kubeconfig=""
           Path to the kubeconfig file to use for CLI requests.

       --log-flush-frequency=0
           Maximum number of seconds between log flushes

       --log_backtrace_at=:0
           when logging hits line file:N, emit a stack trace

       --log_cadvisor_usage=false
           Whether to log the usage of the cAdvisor container

       --log_dir=""
           If non-empty, write log files in this directory

       --logtostderr=true
           log to standard error instead of files

       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
           Comma-separated list of files to check for machine-id. Use the
           first one that exists.

       --match-server-version=false
           Require server version to match client version

       -n, --namespace=""
           If present, the namespace scope for this CLI request

       --request-timeout="0"
           The length of time to wait before giving up on a single server
           request. Non-zero values should contain a corresponding time unit
           (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

       -s, --server=""
           The address and port of the Kubernetes API server

       --stderrthreshold=2
           logs at or above this threshold go to stderr

       --storage_driver_buffer_duration=0
           Writes in the storage driver will be buffered for this duration,
           and committed to the non memory backends as a single transaction

       --storage_driver_db="cadvisor"
           database name

       --storage_driver_host="localhost:8086"
           database host:port

       --storage_driver_password="root"
           database password

       --storage_driver_secure=false
           use secure connection with database

       --storage_driver_table="stats"
           table name

       --storage_driver_user="root"
           database username

       --token=""
           Bearer token for authentication to the API server

       --user=""
           The name of the kubeconfig user to use

       -v, --v=0
           log level for V logs

       --version=false
           Print version information and quit

       --vmodule=
           comma-separated list of pattern=N settings for file-filtered
           logging

EXAMPLE

       # Display the names of cluster role bindings that would be modified
       oc adm policy reconcile-cluster-role-bindings -o name

       # Display the cluster role bindings that would be modified, removing any extra subjects
       oc adm policy reconcile-cluster-role-bindings --additive-only=false

       # Update cluster role bindings that don't match the current defaults
       oc adm policy reconcile-cluster-role-bindings --confirm

       # Update cluster role bindings that don't match the current defaults, avoid adding roles to the system:authenticated group
       oc adm policy reconcile-cluster-role-bindings --confirm --exclude-groups=system:authenticated

       # Update cluster role bindings that don't match the current defaults, removing any extra subjects from the binding
       oc adm policy reconcile-cluster-role-bindings --confirm --additive-only=false
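
       Added example (not part of the original manual page): a read-only
       audit built from the two dry-run forms in EXAMPLE. Without --confirm
       nothing is changed, so comparing the list reported for
       --additive-only=true with the list for --additive-only=false isolates
       the bindings that would change only because they carry subjects beyond
       the bootstrap policy. The function names are hypothetical, and the
       script assumes -o name prints one binding per line.

```shell
#!/bin/sh
# Added example, not from the oc project. Read-only: never passes --confirm.
# Assumption: `-o name` prints one cluster role binding per line.

# would_change <true|false>
# Print, sorted, the bindings a dry run reports for the given
# --additive-only value. Fails if the oc call itself fails.
would_change() {
    out=$(oc adm policy reconcile-cluster-role-bindings \
            --additive-only="$1" -o name) || return 1
    if [ -n "$out" ]; then
        printf '%s\n' "$out" | LC_ALL=C sort -u
    fi
}

# extra_subject_bindings
# Print bindings reported only when extra subjects would be removed,
# i.e. bindings whose sole drift is subjects added on top of the
# bootstrap policy. Review these before running with --confirm.
extra_subject_bindings() {
    tmp=$(mktemp -d) || return 1
    if would_change true >"$tmp/additive" &&
       would_change false >"$tmp/strict"; then
        LC_ALL=C comm -13 "$tmp/additive" "$tmp/strict"
        rc=$?
    else
        rc=1
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    extra_subject_bindings
fi
```

       A binding that also lacks a recommended subject is reported by both
       dry runs and is therefore not listed by this audit.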

SEE ALSO

       oc-adm-policy(1),

HISTORY

       June 2016, Ported from the Kubernetes man-doc generator

Openshift                  Openshift CLI User Manuals         OC ADM POLICY(1)