1OC ADM POLICY(1)                   June 2016                  OC ADM POLICY(1)
2
3
4

NAME

6       oc  adm  policy reconcile-cluster-roles - Update cluster roles to match
7       the recommended bootstrap policy
8
9
10

SYNOPSIS

12       oc adm policy reconcile-cluster-roles [OPTIONS]
13
14
15

DESCRIPTION

17       Update cluster roles to match the recommended bootstrap policy
18
19
20       This command will compare cluster roles against the  recommended  boot‐
21       strap policy.  Any cluster role that does not match will be replaced by
22       the recommended bootstrap role.  This command will not remove any addi‐
23       tional cluster role.
24
25
26       Cluster    roles    with   the   annotation   rbac.authorization.kuber‐
27       netes.io/autoupdate set to "false" are skipped.
28
29
30       You can see which cluster roles have recommended changed by choosing an
31       output type.
32
33
34

OPTIONS

36       --additive-only=true
37           If true, preserves modified cluster roles.
38
39
40       --allow-missing-template-keys=true
41           If  true, ignore any errors in templates when a field or map key is
42       missing in the template. Only applies to  golang  and  jsonpath  output
43       formats.
44
45
46       --confirm=false
47           If true, specify that cluster roles should be modified. Defaults to
48       false, displaying what would be replaced  but  not  actually  replacing
49       anything.
50
51
52       --no-headers=false
53           When  using the default or custom-column output format, don't print
54       headers (default print headers).
55
56
57       -o, --output="yaml"
58           Output format. One of:  json|yaml|wide|name|custom-columns=...|cus‐
59       tom-columns-file=...|go-template=...|go-template-file=...|json‐
60       path=...|jsonpath-file=...  See   custom   columns   [   ⟨http://kuber
61       netes.io/docs/user-guide/kubectl-overview/#custom-columns⟩],     golang
62       template  [  ⟨http://golang.org/pkg/text/template/#pkg-overview⟩]   and
63       jsonpath template [ ⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].
64
65
66       --show-labels=false
67           When  printing,  show  all  labels as the last column (default hide
68       labels column)
69
70
71       --sort-by=""
72           If non-empty, sort list types using this field specification.   The
73       field  specification  is  expressed  as  a  JSONPath  expression  (e.g.
74       '{.metadata.name}'). The field in the API resource  specified  by  this
75       JSONPath expression must be an integer or a string.
76
77
78       --template=""
79           Template  string  or  path  to template file to use when -o=go-tem‐
80       plate, -o=go-template-file. The template format is golang  templates  [
81http://golang.org/pkg/text/template/#pkg-overview⟩].
82
83
84

OPTIONS INHERITED FROM PARENT COMMANDS

86       --allow_verification_with_non_compliant_keys=false
87           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
88       non-compliant with RFC6962.
89
90
91       --alsologtostderr=false
92           log to standard error as well as files
93
94
95       --application_metrics_count_limit=100
96           Max number of application metrics to store (per container)
97
98
99       --as=""
100           Username to impersonate for the operation
101
102
103       --as-group=[]
104           Group to impersonate for the operation, this flag can  be  repeated
105       to specify multiple groups.
106
107
108       --azure-container-registry-config=""
109           Path  to the file containing Azure container registry configuration
110       information.
111
112
113       --boot_id_file="/proc/sys/kernel/random/boot_id"
114           Comma-separated list of files to check for boot-id. Use  the  first
115       one that exists.
116
117
118       --cache-dir="/builddir/.kube/http-cache"
119           Default HTTP cache directory
120
121
122       --certificate-authority=""
123           Path to a cert file for the certificate authority
124
125
126       --client-certificate=""
127           Path to a client certificate file for TLS
128
129
130       --client-key=""
131           Path to a client key file for TLS
132
133
134       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
135           CIDRs opened in GCE firewall for LB traffic proxy  health checks
136
137
138       --cluster=""
139           The name of the kubeconfig cluster to use
140
141
142       --container_hints="/etc/cadvisor/container_hints.json"
143           location of the container hints file
144
145
146       --containerd="unix:///var/run/containerd.sock"
147           containerd endpoint
148
149
150       --context=""
151           The name of the kubeconfig context to use
152
153
154       --default-not-ready-toleration-seconds=300
155           Indicates   the   tolerationSeconds   of   the    toleration    for
156       notReady:NoExecute  that is added by default to every pod that does not
157       already have such a toleration.
158
159
160       --default-unreachable-toleration-seconds=300
161           Indicates the tolerationSeconds  of  the  toleration  for  unreach‐
162       able:NoExecute  that  is  added  by  default to every pod that does not
163       already have such a toleration.
164
165
166       --docker="unix:///var/run/docker.sock"
167           docker endpoint
168
169
170       --docker-tls=false
171           use TLS to connect to docker
172
173
174       --docker-tls-ca="ca.pem"
175           path to trusted CA
176
177
178       --docker-tls-cert="cert.pem"
179           path to client certificate
180
181
182       --docker-tls-key="key.pem"
183           path to private key
184
185
186       --docker_env_metadata_whitelist=""
187           a comma-separated list of environment variable keys that  needs  to
188       be collected for docker containers
189
190
191       --docker_only=false
192           Only report docker containers in addition to root stats
193
194
195       --docker_root="/var/lib/docker"
196           DEPRECATED:  docker  root is read from docker info (this is a fall‐
197       back, default: /var/lib/docker)
198
199
200       --enable_load_reader=false
201           Whether to enable cpu load reader
202
203
204       --event_storage_age_limit="default=24h"
205           Max length of time for which to store events (per type). Value is a
206       comma  separated  list  of  key  values, where the keys are event types
207       (e.g.: creation, oom) or "default" and the value is a duration. Default
208       is applied to all non-specified event types
209
210
211       --event_storage_event_limit="default=100000"
212           Max  number  of  events to store (per type). Value is a comma sepa‐
213       rated list of key values, where the keys are event  types  (e.g.:  cre‐
214       ation,  oom)  or  "default"  and  the  value  is an integer. Default is
215       applied to all non-specified event types
216
217
218       --global_housekeeping_interval=0
219           Interval between global housekeepings
220
221
222       --housekeeping_interval=0
223           Interval between container housekeepings
224
225
226       --insecure-skip-tls-verify=false
227           If true, the server's certificate will not be checked for validity.
228       This will make your HTTPS connections insecure
229
230
231       --kubeconfig=""
232           Path to the kubeconfig file to use for CLI requests.
233
234
235       --log-flush-frequency=0
236           Maximum number of seconds between log flushes
237
238
239       --log_backtrace_at=:0
240           when logging hits line file:N, emit a stack trace
241
242
243       --log_cadvisor_usage=false
244           Whether to log the usage of the cAdvisor container
245
246
247       --log_dir=""
248           If non-empty, write log files in this directory
249
250
251       --logtostderr=true
252           log to standard error instead of files
253
254
255       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
256           Comma-separated  list  of  files  to  check for machine-id. Use the
257       first one that exists.
258
259
260       --match-server-version=false
261           Require server version to match client version
262
263
264       -n, --namespace=""
265           If present, the namespace scope for this CLI request
266
267
268       --request-timeout="0"
269           The length of time to wait before giving  up  on  a  single  server
270       request. Non-zero values should contain a corresponding time unit (e.g.
271       1s, 2m, 3h). A value of zero means don't timeout requests.
272
273
274       -s, --server=""
275           The address and port of the Kubernetes API server
276
277
278       --stderrthreshold=2
279           logs at or above this threshold go to stderr
280
281
282       --storage_driver_buffer_duration=0
283           Writes in the storage driver will be buffered  for  this  duration,
284       and committed to the non memory backends as a single transaction
285
286
287       --storage_driver_db="cadvisor"
288           database name
289
290
291       --storage_driver_host="localhost:8086"
292           database host:port
293
294
295       --storage_driver_password="root"
296           database password
297
298
299       --storage_driver_secure=false
300           use secure connection with database
301
302
303       --storage_driver_table="stats"
304           table name
305
306
307       --storage_driver_user="root"
308           database username
309
310
311       --token=""
312           Bearer token for authentication to the API server
313
314
315       --user=""
316           The name of the kubeconfig user to use
317
318
319       -v, --v=0
320           log level for V logs
321
322
323       --version=false
324           Print version information and quit
325
326
327       --vmodule=
328           comma-separated  list  of pattern=N settings for file-filtered log‐
329       ging
330
331
332

EXAMPLE

334                # Display the names of cluster roles that would be modified
335                oc adm policy reconcile-cluster-roles -o name
336
337                # Add missing permissions to cluster roles that don't match the current defaults
338                oc adm policy reconcile-cluster-roles --confirm
339
340                # Add missing permissions and remove extra permissions from
341                # cluster roles that don't match the current defaults
342                oc adm policy reconcile-cluster-roles --additive-only=false --confirm
343
344                # Display the union of the default and modified cluster roles
345                oc adm policy reconcile-cluster-roles --additive-only
346
347
348
349

SEE ALSO

351       oc-adm-policy(1),
352
353
354

HISTORY

356       June 2016, Ported from the Kubernetes man-doc generator
357
358
359
360Openshift                  Openshift CLI User Manuals         OC ADM POLICY(1)
Impressum