1OC POLICY(1)                       June 2016                      OC POLICY(1)
2
3
4

NAME

6       oc policy scc-subject-review - Check whether a User, Group or ServiceAccount
7       can create a Pod.
8
9
10

SYNOPSIS

12       oc policy scc-subject-review [OPTIONS]
13
14
15

DESCRIPTION

17       Check whether a User, Service Account or a Group can create a  Pod.  It
18       returns  a  list  of  Security  Context Constraints that will admit the
19       resource (an empty list means no SCC admits the  Pod  for  that  sub‐
20       ject).  If User is specified but not Groups, it is interpreted as "What
21       if User is not a member of any groups". If User and Groups are both
22       empty, the check is performed as the current user.
22
23
24

OPTIONS

26       --allow-missing-template-keys=true
27           If true, ignore any errors in templates when a field or map key  is
28       missing  in  the  template.  Only applies to golang and jsonpath output
29       formats.
30
31
32       -f, --filename=[]
33           Filename, directory, or URL to a file identifying the resource (the
34       Pod or the template containing it) whose admission is to be reviewed.
35
36
37       -g, --groups=[]
38           Comma-separated list of groups. The review is performed  on  behalf
39       of these groups in addition to the user.
40
41
42       --no-headers=false
43           When using the default or custom-column output format, don't  print
44       headers (default print headers).
45
46
47       -o, --output=""
48           Output  format. One of: json|yaml|wide|name|custom-columns=...|cus‐
49       tom-columns-file=...|go-template=...|go-template-file=...|json‐
50       path=...|jsonpath-file=...   See   custom   columns   [  ⟨http://kuber
51       netes.io/docs/user-guide/kubectl-overview/#custom-columns⟩],     golang
52       template   [  ⟨http://golang.org/pkg/text/template/#pkg-overview⟩]  and
53       jsonpath template [ ⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].
54
55
56       -R, --recursive=false
57           Process the directory used in -f,  --filename  recursively.  Useful
58       when  you  want  to  manage related manifests organized within the same
59       directory.
60
61
62       -z, --serviceaccount=""
63           Service account in the current namespace whose identity  is  used
64       as the user for the review.
64
65
66       --show-labels=false
67           When printing, show all labels as the last  column  (default:  hide
68       the labels column).
69
70
71       --sort-by=""
72           If  non-empty, sort list types using this field specification.  The
73       field  specification  is  expressed  as  a  JSONPath  expression  (e.g.
74       '{.metadata.name}').  The  field  in the API resource specified by this
75       JSONPath expression must be an integer or a string.
76
77
78       --template=""
79           Template string or path to template file  to  use  when  -o=go-tem‐
80       plate,  -o=go-template-file.  The template format is golang templates [
81       ⟨http://golang.org/pkg/text/template/#pkg-overview⟩].
82
83
84

OPTIONS INHERITED FROM PARENT COMMANDS

86       --allow_verification_with_non_compliant_keys=false
87           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
88       non-compliant with RFC6962.
89
90
91       --alsologtostderr=false
92           log to standard error as well as files
93
94
95       --application_metrics_count_limit=100
96           Max number of application metrics to store (per container)
97
98
99       --as=""
100           Username to impersonate for the operation
101
102
103       --as-group=[]
104           Group  to  impersonate for the operation, this flag can be repeated
105       to specify multiple groups.
106
107
108       --azure-container-registry-config=""
109           Path to the file containing Azure container registry  configuration
110       information.
111
112
113       --boot_id_file="/proc/sys/kernel/random/boot_id"
114           Comma-separated  list  of files to check for boot-id. Use the first
115       one that exists.
116
117
118       --cache-dir="/builddir/.kube/http-cache"
119           Default HTTP cache directory. (The path shown here appears to  be
120       an artifact of the documentation build host; the effective default on
121       your system is reported by running the command with --help.)
120
121
122       --certificate-authority=""
123           Path to a cert file for the certificate authority
124
125
126       --client-certificate=""
127           Path to a client certificate file for TLS
128
129
130       --client-key=""
131           Path to a client key file for TLS
132
133
134       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
135           CIDRs opened in the GCE firewall for LB traffic proxy health checks.
136
137
138       --cluster=""
139           The name of the kubeconfig cluster to use
140
141
142       --container_hints="/etc/cadvisor/container_hints.json"
143           location of the container hints file
144
145
146       --containerd="unix:///var/run/containerd.sock"
147           containerd endpoint
148
149
150       --context=""
151           The name of the kubeconfig context to use
152
153
154       --default-not-ready-toleration-seconds=300
155           Indicates    the    tolerationSeconds   of   the   toleration   for
156       notReady:NoExecute that is added by default to every pod that does  not
157       already have such a toleration.
158
159
160       --default-unreachable-toleration-seconds=300
161           Indicates  the  tolerationSeconds  of  the  toleration for unreach‐
162       able:NoExecute that is added by default to  every  pod  that  does  not
163       already have such a toleration.
164
165
166       --docker="unix:///var/run/docker.sock"
167           docker endpoint
168
169
170       --docker-tls=false
171           use TLS to connect to docker
172
173
174       --docker-tls-ca="ca.pem"
175           path to trusted CA
176
177
178       --docker-tls-cert="cert.pem"
179           path to client certificate
180
181
182       --docker-tls-key="key.pem"
183           path to private key
184
185
186       --docker_env_metadata_whitelist=""
187           A comma-separated list of environment variable keys that  need  to
188       be collected for docker containers.
189
190
191       --docker_only=false
192           Only report docker containers in addition to root stats
193
194
195       --docker_root="/var/lib/docker"
196           DEPRECATED: docker root is read from docker info (this is  a  fall‐
197       back, default: /var/lib/docker)
198
199
200       --enable_load_reader=false
201           Whether to enable cpu load reader
202
203
204       --event_storage_age_limit="default=24h"
205           Max length of time for which to store events (per type). Value is a
206       comma separated list of key values, where  the  keys  are  event  types
207       (e.g.: creation, oom) or "default" and the value is a duration. Default
208       is applied to all non-specified event types
209
210
211       --event_storage_event_limit="default=100000"
212           Max number of events to store (per type). Value is  a  comma  sepa‐
213       rated  list  of  key values, where the keys are event types (e.g.: cre‐
214       ation, oom) or "default" and  the  value  is  an  integer.  Default  is
215       applied to all non-specified event types
216
217
218       --global_housekeeping_interval=0
219           Interval between global housekeepings
220
221
222       --housekeeping_interval=0
223           Interval between container housekeepings
224
225
226       --insecure-skip-tls-verify=false
227           If true, the server's certificate will not be checked for validity.
228       This makes your HTTPS connections insecure: the client can no  longer
229       detect  a  man-in-the-middle  and  any credentials (--token, client
230       certificate) may be sent to an impostor. Prefer --certificate-author‐
231       ity for clusters with a private CA.
229
230
231       --kubeconfig=""
232           Path to the kubeconfig file to use for CLI requests.
233
234
235       --log-flush-frequency=0
236           Maximum number of seconds between log flushes
237
238
239       --log_backtrace_at=:0
240           when logging hits line file:N, emit a stack trace
241
242
243       --log_cadvisor_usage=false
244           Whether to log the usage of the cAdvisor container
245
246
247       --log_dir=""
248           If non-empty, write log files in this directory
249
250
251       --logtostderr=true
252           log to standard error instead of files
253
254
255       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
256           Comma-separated list of files to  check  for  machine-id.  Use  the
257       first one that exists.
258
259
260       --match-server-version=false
261           Require server version to match client version
262
263
264       -n, --namespace=""
265           If present, the namespace scope for this CLI request
266
267
268       --request-timeout="0"
269           The  length  of  time  to  wait before giving up on a single server
270       request. Non-zero values should contain a corresponding time unit (e.g.
271       1s, 2m, 3h). A value of zero means don't timeout requests.
272
273
274       -s, --server=""
275           The address and port of the Kubernetes API server
276
277
278       --stderrthreshold=2
279           logs at or above this threshold go to stderr
280
281
282       --storage_driver_buffer_duration=0
283           Writes  in  the  storage driver will be buffered for this duration,
284       and committed to the non memory backends as a single transaction
285
286
287       --storage_driver_db="cadvisor"
288           database name
289
290
291       --storage_driver_host="localhost:8086"
292           database host:port
293
294
295       --storage_driver_password="root"
296           Database password. Note that a value given on  the  command  line
297       is visible in process listings and shell history.
297
298
299       --storage_driver_secure=false
300           use secure connection with database
301
302
303       --storage_driver_table="stats"
304           table name
305
306
307       --storage_driver_user="root"
308           database username
309
310
311       --token=""
312           Bearer token for authentication to the API server. A  token  given
313       on the command line is visible in process listings and shell history;
314       prefer a kubeconfig entry (--kubeconfig, --user).
313
314
315       --user=""
316           The name of the kubeconfig user to use
317
318
319       -v, --v=0
320           log level for V logs
321
322
323       --version=false
324           Print version information and quit
325
326
327       --vmodule=
328           comma-separated list of pattern=N settings for  file-filtered  log‐
329       ging
330
331
332

EXAMPLE

334                # Check whether user bob (treated as a member of no groups, since -g is not given) can create the pod specified in myresource.yaml
335                $ oc policy scc-subject-review -u bob -f myresource.yaml
336
337                # Check whether user bob, as a member of the group projectAdmin, can create the pod specified in myresource.yaml
338                $ oc policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml
339
340                # Check whether the ServiceAccount specified in the podTemplateSpec of myresourcewithsa.yaml can create the Pod
341                $ oc policy scc-subject-review -f myresourcewithsa.yaml
342
343
344
345

SEE ALSO

347       oc-policy(1)
348
349
350

HISTORY

352       June 2016, Ported from the Kubernetes man-doc generator
353
354
355
356Openshift                  Openshift CLI User Manuals             OC POLICY(1)