This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
kubectl create
Synopsis
Create a resource from a file or from stdin.
JSON and YAML formats are accepted.
kubectl create -f FILENAME
Examples
# Create a pod using the data in pod.json
kubectl create -f ./pod.json
# Create a pod based on the JSON passed into stdin
cat pod.json | kubectl create -f -
# Edit the data in registry.yaml in JSON then create the resource using the edited data
kubectl create -f registry.yaml --edit -o json
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --edit |
| Edit the API resource before creating |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -f, --filename strings |
| Filename, directory, or URL to files to use to create the resource |
| -h, --help |
| help for create |
| -k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --raw string |
| Raw URI to POST to the server. Uses the transport specified by the kubeconfig file. |
| -R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| -l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --windows-line-endings |
| Only relevant if --edit=true. Defaults to the line ending native to your platform. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
1 - kubectl create clusterrole
Synopsis
Create a cluster role.
kubectl create clusterrole NAME --verb=verb --resource=resource.group [--resource-name=resourcename] [--dry-run=server|client|none]
Examples
# Create a cluster role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
# Create a cluster role named "pod-reader" with ResourceName specified
kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
# Create a cluster role named "foo" with API Group specified
kubectl create clusterrole foo --verb=get,list,watch --resource=rs.apps
# Create a cluster role named "foo" with SubResource specified
kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status
# Create a cluster role name "foo" with NonResourceURL specified
kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*
# Create a cluster role name "monitoring" with AggregationRule specified
kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"
Options
| --aggregation-rule <comma-separated 'key=value' pairs> |
| An aggregation label selector for combining ClusterRoles. |
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for clusterrole |
| --non-resource-url strings |
| A partial url that user should have access to. |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --resource strings |
| Resource that the rule applies to |
| --resource-name strings |
| Resource in the white list that the rule applies to, repeat this flag for multiple items |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --verb strings |
| Verb that applies to the resources contained in the rule |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2 - kubectl create clusterrolebinding
Synopsis
Create a cluster role binding for a particular cluster role.
kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
Examples
# Create a cluster role binding for user1, user2, and group1 using the cluster-admin cluster role
kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1 --user=user2 --group=group1
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --clusterrole string |
| ClusterRole this ClusterRoleBinding should reference |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| --group strings |
| Groups to bind to the clusterrole. The flag can be repeated to add multiple groups. |
| -h, --help |
| help for clusterrolebinding |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --serviceaccount strings |
| Service accounts to bind to the clusterrole, in the format <namespace>:<name>. The flag can be repeated to add multiple service accounts. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --user strings |
| Usernames to bind to the clusterrole. The flag can be repeated to add multiple users. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
3 - kubectl create configmap
Synopsis
Create a config map based on a file, directory, or specified literal value.
A single config map may package one or more key/value pairs.
When creating a config map based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key, you may specify an alternate key.
When creating a config map based on a directory, each file whose basename is a valid key in the directory will be packaged into the config map. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc).
kubectl create configmap NAME [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none]
Examples
# Create a new config map named my-config based on folder bar
kubectl create configmap my-config --from-file=path/to/bar
# Create a new config map named my-config with specified keys instead of file basenames on disk
kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt
# Create a new config map named my-config with key1=config1 and key2=config2
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
# Create a new config map named my-config from the key=value pairs in the file
kubectl create configmap my-config --from-file=path/to/bar
# Create a new config map named my-config from an env file
kubectl create configmap my-config --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --append-hash |
| Append a hash of the configmap to its name. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| --from-env-file strings |
| Specify the path to a file to read lines of key=val pairs to create a configmap. |
| --from-file strings |
| Key file can be specified using its file path, in which case file basename will be used as configmap key, or optionally with a key and file path, in which case the given key will be used. Specifying a directory will iterate each named file in the directory whose basename is a valid configmap key. |
| --from-literal strings |
| Specify a key and literal value to insert in configmap (i.e. mykey=somevalue) |
| -h, --help |
| help for configmap |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
4 - kubectl create cronjob
Synopsis
Create a cron job with the specified name.
kubectl create cronjob NAME --image=image --schedule='0/5 * * * ?' -- [COMMAND] [args...] [flags]
Examples
# Create a cron job
kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *"
# Create a cron job with a command
kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *" -- date
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for cronjob |
| --image string |
| Image name to run. |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --restart string |
| job's restart policy. supported values: OnFailure, Never |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --schedule string |
| A schedule in the Cron format the job should be run with. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
5 - kubectl create deployment
Synopsis
Create a deployment with the specified name.
kubectl create deployment NAME --image=image -- [COMMAND] [args...]
Examples
# Create a deployment named my-dep that runs the busybox image
kubectl create deployment my-dep --image=busybox
# Create a deployment with a command
kubectl create deployment my-dep --image=busybox -- date
# Create a deployment named my-dep that runs the nginx image with 3 replicas
kubectl create deployment my-dep --image=nginx --replicas=3
# Create a deployment named my-dep that runs the busybox image and expose port 5701
kubectl create deployment my-dep --image=busybox --port=5701
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for deployment |
| --image strings |
| Image names to run. |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --port int32 Default: -1 |
| The port that this container exposes. |
| -r, --replicas int32 Default: 1 |
| Number of replicas to create. Default is 1. |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
6 - kubectl create ingress
Synopsis
Create an ingress with the specified name.
kubectl create ingress NAME --rule=host/path=service:port[,tls[=secret]]
Examples
# Create a single ingress called 'simple' that directs requests to foo.com/bar to svc
# svc1:8080 with a TLS secret "my-cert"
kubectl create ingress simple --rule="foo.com/bar=svc1:8080,tls=my-cert"
# Create a catch all ingress of "/path" pointing to service svc:port and Ingress Class as "otheringress"
kubectl create ingress catch-all --class=otheringress --rule="/path=svc:port"
# Create an ingress with two annotations: ingress.annotation1 and ingress.annotations2
kubectl create ingress annotated --class=default --rule="foo.com/bar=svc:port" \
--annotation ingress.annotation1=foo \
--annotation ingress.annotation2=bla
# Create an ingress with the same host and multiple paths
kubectl create ingress multipath --class=default \
--rule="foo.com/=svc:port" \
--rule="foo.com/admin/=svcadmin:portadmin"
# Create an ingress with multiple hosts and the pathType as Prefix
kubectl create ingress ingress1 --class=default \
--rule="foo.com/path*=svc:8080" \
--rule="bar.com/admin*=svc2:http"
# Create an ingress with TLS enabled using the default ingress certificate and different path types
kubectl create ingress ingtls --class=default \
--rule="foo.com/=svc:https,tls" \
--rule="foo.com/path/subpath*=othersvc:8080"
# Create an ingress with TLS enabled using a specific secret and pathType as Prefix
kubectl create ingress ingsecret --class=default \
--rule="foo.com/*=svc:8080,tls=secret1"
# Create an ingress with a default backend
kubectl create ingress ingdefault --class=default \
--default-backend=defaultsvc:http \
--rule="foo.com/*=svc:8080,tls=secret1"
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --annotation strings |
| Annotation to insert in the ingress object, in the format annotation=value |
| --class string |
| Ingress Class to be used |
| --default-backend string |
| Default service for backend, in format of svcname:port |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for ingress |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --rule strings |
| Rule in format host/path=service:port[,tls=secretname]. Paths containing the leading character '*' are considered pathType=Prefix. tls argument is optional. |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
7 - kubectl create job
Synopsis
Create a job with the specified name.
kubectl create job NAME --image=image [--from=cronjob/name] -- [COMMAND] [args...]
Examples
# Create a job
kubectl create job my-job --image=busybox
# Create a job with a command
kubectl create job my-job --image=busybox -- date
# Create a job from a cron job named "a-cronjob"
kubectl create job test-job --from=cronjob/a-cronjob
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| --from string |
| The name of the resource to create a Job from (only cronjob is supported). |
| -h, --help |
| help for job |
| --image string |
| Image name to run. |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
8 - kubectl create namespace
Synopsis
Create a namespace with the specified name.
kubectl create namespace NAME [--dry-run=server|client|none]
Examples
# Create a new namespace named my-namespace
kubectl create namespace my-namespace
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for namespace |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
9 - kubectl create poddisruptionbudget
Synopsis
Create a pod disruption budget with the specified name, selector, and desired minimum available pods.
kubectl create poddisruptionbudget NAME --selector=SELECTOR --min-available=N [--dry-run=server|client|none]
Examples
# Create a pod disruption budget named my-pdb that will select all pods with the app=rails label
# and require at least one of them being available at any point in time
kubectl create poddisruptionbudget my-pdb --selector=app=rails --min-available=1
# Create a pod disruption budget named my-pdb that will select all pods with the app=nginx label
# and require at least half of the pods selected to be available at any point in time
kubectl create pdb my-pdb --selector=app=nginx --min-available=50%
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for poddisruptionbudget |
| --max-unavailable string |
| The maximum number or percentage of unavailable pods this budget requires. |
| --min-available string |
| The minimum number or percentage of available pods this budget requires. |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --selector string |
| A label selector to use for this budget. Only equality-based selector requirements are supported. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
10 - kubectl create priorityclass
Synopsis
Create a priority class with the specified name, value, globalDefault and description.
kubectl create priorityclass NAME --value=VALUE --global-default=BOOL [--dry-run=server|client|none]
Examples
# Create a priority class named high-priority
kubectl create priorityclass high-priority --value=1000 --description="high priority"
# Create a priority class named default-priority that is considered as the global default priority
kubectl create priorityclass default-priority --value=1000 --global-default=true --description="default priority"
# Create a priority class named high-priority that cannot preempt pods with lower priority
kubectl create priorityclass high-priority --value=1000 --description="high priority" --preemption-policy="Never"
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --description string |
| description is an arbitrary string that usually provides guidelines on when this priority class should be used. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| --global-default |
| global-default specifies whether this PriorityClass should be considered as the default priority. |
| -h, --help |
| help for priorityclass |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --preemption-policy string Default: "PreemptLowerPriority" |
| preemption-policy is the policy for preempting pods with lower priority. |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --value int32 |
| the value of this priority class. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
11 - kubectl create quota
Synopsis
Create a resource quota with the specified name, hard limits, and optional scopes.
kubectl create quota NAME [--hard=key1=value1,key2=value2] [--scopes=Scope1,Scope2] [--dry-run=server|client|none]
Examples
# Create a new resource quota named my-quota
kubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,persistentvolumeclaims=10
# Create a new resource quota named best-effort
kubectl create quota best-effort --hard=pods=100 --scopes=BestEffort
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| --hard string |
| A comma-delimited set of resource=quantity pairs that define a hard limit. |
| -h, --help |
| help for quota |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --scopes string |
| A comma-delimited set of quota scopes that must all match each object tracked by the quota. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
12 - kubectl create role
Synopsis
Create a role with single rule.
kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run=server|client|none]
Examples
# Create a role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
# Create a role named "pod-reader" with ResourceName specified
kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
# Create a role named "foo" with API Group specified
kubectl create role foo --verb=get,list,watch --resource=rs.apps
# Create a role named "foo" with SubResource specified
kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for role |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --resource strings |
| Resource that the rule applies to |
| --resource-name strings |
| Resource in the white list that the rule applies to, repeat this flag for multiple items |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --verb strings |
| Verb that applies to the resources contained in the rule |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
13 - kubectl create rolebinding
Synopsis
Create a role binding for a particular role or cluster role.
kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
Examples
# Create a role binding for user1, user2, and group1 using the admin cluster role
kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1
# Create a role binding for serviceaccount monitoring:sa-dev using the admin role
kubectl create rolebinding admin-binding --role=admin --serviceaccount=monitoring:sa-dev
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --clusterrole string |
| ClusterRole this RoleBinding should reference |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| --group strings |
| Groups to bind to the role. The flag can be repeated to add multiple groups. |
| -h, --help |
| help for rolebinding |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --role string |
| Role this RoleBinding should reference |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --serviceaccount strings |
| Service accounts to bind to the role, in the format <namespace>:<name>. The flag can be repeated to add multiple service accounts. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --user strings |
| Usernames to bind to the role. The flag can be repeated to add multiple users. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
14 - kubectl create secret
Synopsis
Create a secret with specified type.
A docker-registry type secret is for accessing a container registry.
A generic type secret indicate an Opaque secret type.
A tls type secret holds TLS certificate and its associated key.
kubectl create secret (docker-registry | generic | tls)
Options
| -h, --help |
| help for secret |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
15 - kubectl create secret docker-registry
Synopsis
Create a new secret for use with Docker registries.
Dockercfg secrets are used to authenticate against Docker registries.
When using the Docker command line to push images, you can authenticate to a given registry by running:
'$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.
That produces a ~/.dockercfg file that is used by subsequent 'docker push' and 'docker pull' commands to authenticate to the registry. The email address is optional.
When creating applications, you may have a Docker registry that requires authentication. In order for the
nodes to pull images on your behalf, they must have the credentials. You can provide this information
by creating a dockercfg secret and attaching it to your service account.
kubectl create secret docker-registry NAME --docker-username=user --docker-password=password --docker-email=email [--docker-server=string] [--from-file=[key=]source] [--dry-run=server|client|none]
Examples
# If you do not already have a .dockercfg file, create a dockercfg secret directly
kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
# Create a new secret named my-secret from ~/.docker/config.json
kubectl create secret docker-registry my-secret --from-file=.dockerconfigjson=path/to/.docker/config.json
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --append-hash |
| Append a hash of the secret to its name. |
| --docker-email string |
| Email for Docker registry |
| --docker-password string |
| Password for Docker registry authentication |
| --docker-server string Default: "https://index.docker.io/v1/" |
| Server location for Docker registry |
| --docker-username string |
| Username for Docker registry authentication |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| --from-file strings |
| Key files can be specified using their file path, in which case a default name will be given to them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will iterate each named file in the directory that is a valid secret key. |
| -h, --help |
| help for docker-registry |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
16 - kubectl create secret generic
Synopsis
Create a secret based on a file, directory, or specified literal value.
A single secret may package one or more key/value pairs.
When creating a secret based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key or you wish to chose your own, you may specify an alternate key.
When creating a secret based on a directory, each file whose basename is a valid key in the directory will be packaged into the secret. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc).
kubectl create secret generic NAME [--type=string] [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none]
Examples
# Create a new secret named my-secret with keys for each file in folder bar
kubectl create secret generic my-secret --from-file=path/to/bar
# Create a new secret named my-secret with specified keys instead of names on disk
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub
# Create a new secret named my-secret with key1=supersecret and key2=topsecret
kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret
# Create a new secret named my-secret using a combination of a file and a literal
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret
# Create a new secret named my-secret from env files
kubectl create secret generic my-secret --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --append-hash |
| Append a hash of the secret to its name. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| --from-env-file strings |
| Specify the path to a file to read lines of key=val pairs to create a secret. |
| --from-file strings |
| Key files can be specified using their file path, in which case a default name will be given to them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will iterate each named file in the directory that is a valid secret key. |
| --from-literal strings |
| Specify a key and literal value to insert in secret (i.e. mykey=somevalue) |
| -h, --help |
| help for generic |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --type string |
| The type of secret to create |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
17 - kubectl create secret tls
Synopsis
Create a TLS secret from the given public/private key pair.
The public/private key pair must exist beforehand. The public key certificate must be .PEM encoded and match the given private key.
kubectl create secret tls NAME --cert=path/to/cert/file --key=path/to/key/file [--dry-run=server|client|none]
Examples
# Create a new TLS secret named tls-secret with the given key pair
kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --append-hash |
| Append a hash of the secret to its name. |
| --cert string |
| Path to PEM encoded public key certificate. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for tls |
| --key string |
| Path to private key associated with given certificate. |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
18 - kubectl create service
Synopsis
Create a service using a specified subcommand.
kubectl create service [flags]
Options
| -h, --help |
| help for service |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
19 - kubectl create service clusterip
Synopsis
Create a ClusterIP service with the specified name.
kubectl create service clusterip NAME [--tcp=<port>:<targetPort>] [--dry-run=server|client|none]
Examples
# Create a new ClusterIP service named my-cs
kubectl create service clusterip my-cs --tcp=5678:8080
# Create a new ClusterIP service named my-cs (in headless mode)
kubectl create service clusterip my-cs --clusterip="None"
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --clusterip string |
| Assign your own ClusterIP or set to 'None' for a 'headless' service (no loadbalancing). |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for clusterip |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --tcp strings |
| Port pairs can be specified as '<port>:<targetPort>'. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
20 - kubectl create service externalname
Synopsis
Create an ExternalName service with the specified name.
ExternalName service references to an external DNS address instead of only pods, which will allow application authors to reference services that exist off platform, on other clusters, or locally.
kubectl create service externalname NAME --external-name external.name [--dry-run=server|client|none]
Examples
# Create a new ExternalName service named my-ns
kubectl create service externalname my-ns --external-name bar.com
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --external-name string |
| External name of service |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for externalname |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --tcp strings |
| Port pairs can be specified as '<port>:<targetPort>'. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
21 - kubectl create service loadbalancer
Synopsis
Create a LoadBalancer service with the specified name.
kubectl create service loadbalancer NAME [--tcp=port:targetPort] [--dry-run=server|client|none]
Examples
# Create a new LoadBalancer service named my-lbs
kubectl create service loadbalancer my-lbs --tcp=5678:8080
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for loadbalancer |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --tcp strings |
| Port pairs can be specified as '<port>:<targetPort>'. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
22 - kubectl create service nodeport
Synopsis
Create a NodePort service with the specified name.
kubectl create service nodeport NAME [--tcp=port:targetPort] [--dry-run=server|client|none]
Examples
# Create a new NodePort service named my-ns
kubectl create service nodeport my-ns --tcp=5678:8080
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for nodeport |
| --node-port int |
| Port used to expose the service on each node in a cluster. |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --tcp strings |
| Port pairs can be specified as '<port>:<targetPort>'. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
23 - kubectl create serviceaccount
Synopsis
Create a service account with the specified name.
kubectl create serviceaccount NAME [--dry-run=server|client|none]
Examples
# Create a new service account named my-service-account
kubectl create serviceaccount my-service-account
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
| --field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
| -h, --help |
| help for serviceaccount |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false).
"true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not.
"warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise.
"false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
24 - kubectl create token
Synopsis
Request a service account token.
kubectl create token SERVICE_ACCOUNT_NAME
Examples
# Request a token to authenticate to the kube-apiserver as the service account "myapp" in the current namespace
kubectl create token myapp
# Request a token for a service account in a custom namespace
kubectl create token myapp --namespace myns
# Request a token with a custom expiration
kubectl create token myapp --duration 10m
# Request a token with a custom audience
kubectl create token myapp --audience https://example.com
# Request a token bound to an instance of a Secret object
kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret
# Request a token bound to an instance of a Secret object with a specific UID
kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret --bound-object-uid 0d4691ed-659b-4935-a832-355f77ee47cc
Options
| --allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
| --audience strings |
| Audience of the requested token. If unset, defaults to requesting a token for use with the Kubernetes API server. May be repeated to request a token valid for multiple audiences. |
| --bound-object-kind string |
| Kind of an object to bind the token to. Supported kinds are Pod, Secret. If set, --bound-object-name must be provided. |
| --bound-object-name string |
| Name of an object to bind the token to. The token will expire when the object is deleted. Requires --bound-object-kind. |
| --bound-object-uid string |
| UID of an object to bind the token to. Requires --bound-object-kind and --bound-object-name. If unset, the UID of the existing object is used. |
| --duration duration |
| Requested lifetime of the issued token. If not set, the lifetime will be determined by the server automatically. The server may return a token with a longer or shorter lifetime. |
| -h, --help |
| help for token |
| -o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
| --show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
| --template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
| --as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
| --as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
| --as-uid string |
| UID to impersonate for the operation. |
| --azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
| --cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
| --certificate-authority string |
| Path to a cert file for the certificate authority |
| --client-certificate string |
| Path to a client certificate file for TLS |
| --client-key string |
| Path to a client key file for TLS |
| --cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
| --cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
| --cluster string |
| The name of the kubeconfig cluster to use |
| --context string |
| The name of the kubeconfig context to use |
| --default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
| --disable-compression |
| If true, opt-out of response compression for all requests to the server |
| --insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
| --kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
| --match-server-version |
| Require server version to match client version |
| -n, --namespace string |
| If present, the namespace scope for this CLI request |
| --password string |
| Password for basic authentication to the API server |
| --profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
| --profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
| --request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
| -s, --server string |
| The address and port of the Kubernetes API server |
| --storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
| --storage-driver-db string Default: "cadvisor" |
| database name |
| --storage-driver-host string Default: "localhost:8086" |
| database host:port |
| --storage-driver-password string Default: "root" |
| database password |
| --storage-driver-secure |
| use secure connection with database |
| --storage-driver-table string Default: "stats" |
| table name |
| --storage-driver-user string Default: "root" |
| database username |
| --tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
| --token string |
| Bearer token for authentication to the API server |
| --user string |
| The name of the kubeconfig user to use |
| --username string |
| Username for basic authentication to the API server |
| --version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
| --warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also