1KUBERNETES(1)(kubernetes) KUBERNETES(1)(kubernetes)
2Eric Paris Jan 2015
6
9 kubectl set subject - Update the user, group, or service account in a
10 role binding or cluster role binding
11
15 kubectl set subject [OPTIONS]
16
20 Update the user, group, or service account in a role binding or cluster
21 role binding.
22
26 --all=false Select all resources, in the namespace of the speci‐
27 fied resource types
28 --allow-missing-template-keys=true If true, ignore any errors in
31 templates when a field or map key is missing in the template. Only ap‐
32 plies to golang and jsonpath output formats.
33 --dry-run="none" Must be "none", "server", or "client". If client
36 strategy, only print the object that would be sent, without sending it.
37 If server strategy, submit server-side request without persisting the
38 resource.
39 --field-manager="kubectl-set" Name of the manager used to track
42 field ownership.
43 -f, --filename=[] Filename, directory, or URL to files the re‐
46 source to update the subjects
47 --group=[] Groups to bind to the role
50 -k, --kustomize="" Process the kustomization directory. This flag
53 can't be used together with -f or -R.
54 --local=false If true, set subject will NOT contact api-server but
57 run locally.
58 -o, --output="" Output format. One of: (json, yaml, name, go-tem‐
61 plate, go-template-file, template, templatefile, jsonpath, jsonpath-as-
62 json, jsonpath-file).
63 -R, --recursive=false Process the directory used in -f, --filename
66 recursively. Useful when you want to manage related manifests organized
67 within the same directory.
68 -l, --selector="" Selector (label query) to filter on, supports
71 '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects
72 must satisfy all of the specified label constraints.
73 --serviceaccount=[] Service accounts to bind to the role
76 --show-managed-fields=false If true, keep the managedFields when
79 printing objects in JSON or YAML format.
80 --template="" Template string or path to template file to use when
83 -o=go-template, -o=go-template-file. The template format is golang tem‐
84 plates [http://golang.org/pkg/text/template/#pkg-overview].
85 --user=[] Usernames to bind to the role
88
92 --as="" Username to impersonate for the operation. User could be a
93 regular user or a service account in a namespace.
94 --as-group=[] Group to impersonate for the operation, this flag
97 can be repeated to specify multiple groups.
98 --as-uid="" UID to impersonate for the operation.
101 --azure-container-registry-config="" Path to the file containing
104 Azure container registry configuration information.
105 --cache-dir="/builddir/.kube/cache" Default cache directory
108 --certificate-authority="" Path to a cert file for the certificate
111 authority
112 --client-certificate="" Path to a client certificate file for TLS
115 --client-key="" Path to a client key file for TLS
118 --cluster="" The name of the kubeconfig cluster to use
121 --context="" The name of the kubeconfig context to use
124 --disable-compression=false If true, opt-out of response compres‐
127 sion for all requests to the server
128 --insecure-skip-tls-verify=false If true, the server's certificate
131 will not be checked for validity. This will make your HTTPS connections
132 insecure
133 --kubeconfig="" Path to the kubeconfig file to use for CLI re‐
136 quests.
137 --match-server-version=false Require server version to match
140 client version
141 -n, --namespace="" If present, the namespace scope for this CLI
144 request
145 --password="" Password for basic authentication to the API server
148 --profile="none" Name of profile to capture. One of
151 (none|cpu|heap|goroutine|threadcreate|block|mutex)
152 --profile-output="profile.pprof" Name of the file to write the
155 profile to
156 --request-timeout="0" The length of time to wait before giving up
159 on a single server request. Non-zero values should contain a corre‐
160 sponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't time‐
161 out requests.
162 -s, --server="" The address and port of the Kubernetes API server
165 --tls-server-name="" Server name to use for server certificate
168 validation. If it is not provided, the hostname used to contact the
169 server is used
170 --token="" Bearer token for authentication to the API server
173 --username="" Username for basic authentication to the API server
176 --version=false Print version information and quit
179 --warnings-as-errors=false Treat warnings received from the server
182 as errors and exit with a non-zero exit code
183
187 # Update a cluster role binding for serviceaccount1
188 kubectl set subject clusterrolebinding admin --serviceaccount=namespace:serviceaccount1
189 # Update a role binding for user1, user2, and group1
191 kubectl set subject rolebinding admin --user=user1 --user=user2 --group=group1
192 # Print the result (in YAML format) of updating rolebinding subjects from a local, without hitting the server
194 kubectl create rolebinding admin --role=admin --user=admin -o yaml --dry-run=client | kubectl set subject --local -f - --user=foo -o yaml
195
200 kubectl-set(1),
201
205 January 2015, Originally compiled by Eric Paris (eparis at redhat dot
206 com) based on the kubernetes source material, but hopefully they have
207 been automatically generated since!
208Manuals User KUBERNETES(1)(kubernetes)