This is the multi-page printable view of this section.
Click here to print.
Return to the regular view of this page.
Command line tool (kubectl)
Kubernetes provides a command line tool for communicating with a Kubernetes cluster's
control plane,
using the Kubernetes API.
This tool is named kubectl
.
For configuration, kubectl
looks for a file named config
in the $HOME/.kube
directory.
You can specify other kubeconfig
files by setting the KUBECONFIG
environment variable or by setting the
--kubeconfig
flag.
This overview covers kubectl
syntax, describes the command operations, and provides common examples.
For details about each command, including all the supported flags and subcommands, see the
kubectl reference documentation.
For installation instructions, see Installing kubectl;
for a quick guide, see the cheat sheet.
If you're used to using the docker
command-line tool,
kubectl
for Docker Users explains some equivalent commands for Kubernetes.
Syntax
Use the following syntax to run kubectl
commands from your terminal window:
kubectl [command] [TYPE] [NAME] [flags]
where command
, TYPE
, NAME
, and flags
are:
-
command
: Specifies the operation that you want to perform on one or more resources,
for example create
, get
, describe
, delete
.
-
TYPE
: Specifies the resource type. Resource types are case-insensitive and
you can specify the singular, plural, or abbreviated forms.
For example, the following commands produce the same output:
kubectl get pod pod1
kubectl get pods pod1
kubectl get po pod1
-
NAME
: Specifies the name of the resource. Names are case-sensitive. If the name is omitted,
details for all resources are displayed, for example kubectl get pods
.
When performing an operation on multiple resources, you can specify each resource by
type and name or specify one or more files:
-
flags
: Specifies optional flags. For example, you can use the -s
or --server
flags
to specify the address and port of the Kubernetes API server.
Caution: Flags that you specify from the command line override default values and any corresponding environment variables.
If you need help, run kubectl help
from the terminal window.
In-cluster authentication and namespace overrides
By default kubectl
will first determine if it is running within a pod, and thus in a cluster.
It starts by checking for the KUBERNETES_SERVICE_HOST
and KUBERNETES_SERVICE_PORT
environment
variables and the existence of a service account token file at /var/run/secrets/kubernetes.io/serviceaccount/token
.
If all three are found in-cluster authentication is assumed.
To maintain backwards compatibility, if the POD_NAMESPACE
environment variable is set
during in-cluster authentication it will override the default namespace from the
service account token. Any manifests or tools relying on namespace defaulting will be affected by this.
POD_NAMESPACE
environment variable
If the POD_NAMESPACE
environment variable is set, cli operations on namespaced resources
will default to the variable value. For example, if the variable is set to seattle
,
kubectl get pods
would return pods in the seattle
namespace. This is because pods are
a namespaced resource, and no namespace was provided in the command. Review the output
of kubectl api-resources
to determine if a resource is namespaced.
Explicit use of --namespace <value>
overrides this behavior.
How kubectl handles ServiceAccount tokens
If:
- there is Kubernetes service account token file mounted at
/var/run/secrets/kubernetes.io/serviceaccount/token
, and
- the
KUBERNETES_SERVICE_HOST
environment variable is set, and
- the
KUBERNETES_SERVICE_PORT
environment variable is set, and
- you don't explicitly specify a namespace on the kubectl command line
then kubectl assumes it is running in your cluster. The kubectl tool looks up the
namespace of that ServiceAccount (this is the same as the namespace of the Pod)
and acts against that namespace. This is different from what happens outside of a
cluster; when kubectl runs outside a cluster and you don't specify a namespace,
the kubectl command acts against the namespace set for the current context in your
client configuration. To change the default namespace for your kubectl you can use the
following command:
kubectl config set-context --current --namespace=<namespace-name>
Operations
The following table includes short descriptions and the general syntax for all of the kubectl
operations:
Operation |
Syntax |
Description |
alpha |
kubectl alpha SUBCOMMAND [flags] |
List the available commands that correspond to alpha features, which are not enabled in Kubernetes clusters by default. |
annotate |
kubectl annotate (-f FILENAME | TYPE NAME | TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags] |
Add or update the annotations of one or more resources. |
api-resources |
kubectl api-resources [flags] |
List the API resources that are available. |
api-versions |
kubectl api-versions [flags] |
List the API versions that are available. |
apply |
kubectl apply -f FILENAME [flags] |
Apply a configuration change to a resource from a file or stdin. |
attach |
kubectl attach POD -c CONTAINER [-i] [-t] [flags] |
Attach to a running container either to view the output stream or interact with the container (stdin). |
auth |
kubectl auth [flags] [options] |
Inspect authorization. |
autoscale |
kubectl autoscale (-f FILENAME | TYPE NAME | TYPE/NAME) [--min=MINPODS] --max=MAXPODS [--cpu-percent=CPU] [flags] |
Automatically scale the set of pods that are managed by a replication controller. |
certificate |
kubectl certificate SUBCOMMAND [options] |
Modify certificate resources. |
cluster-info |
kubectl cluster-info [flags] |
Display endpoint information about the master and services in the cluster. |
completion |
kubectl completion SHELL [options] |
Output shell completion code for the specified shell (bash or zsh). |
config |
kubectl config SUBCOMMAND [flags] |
Modifies kubeconfig files. See the individual subcommands for details. |
convert |
kubectl convert -f FILENAME [options] |
Convert config files between different API versions. Both YAML and JSON formats are accepted. Note - requires kubectl-convert plugin to be installed. |
cordon |
kubectl cordon NODE [options] |
Mark node as unschedulable. |
cp |
kubectl cp <file-spec-src> <file-spec-dest> [options] |
Copy files and directories to and from containers. |
create |
kubectl create -f FILENAME [flags] |
Create one or more resources from a file or stdin. |
delete |
kubectl delete (-f FILENAME | TYPE [NAME | /NAME | -l label | --all]) [flags] |
Delete resources either from a file, stdin, or specifying label selectors, names, resource selectors, or resources. |
describe |
kubectl describe (-f FILENAME | TYPE [NAME_PREFIX | /NAME | -l label]) [flags] |
Display the detailed state of one or more resources. |
diff |
kubectl diff -f FILENAME [flags] |
Diff file or stdin against live configuration. |
drain |
kubectl drain NODE [options] |
Drain node in preparation for maintenance. |
edit |
kubectl edit (-f FILENAME | TYPE NAME | TYPE/NAME) [flags] |
Edit and update the definition of one or more resources on the server by using the default editor. |
events |
kubectl events |
List events |
exec |
kubectl exec POD [-c CONTAINER] [-i] [-t] [flags] [-- COMMAND [args...]] |
Execute a command against a container in a pod. |
explain |
kubectl explain TYPE [--recursive=false] [flags] |
Get documentation of various resources. For instance pods, nodes, services, etc. |
expose |
kubectl expose (-f FILENAME | TYPE NAME | TYPE/NAME) [--port=port] [--protocol=TCP|UDP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type] [flags] |
Expose a replication controller, service, or pod as a new Kubernetes service. |
get |
kubectl get (-f FILENAME | TYPE [NAME | /NAME | -l label]) [--watch] [--sort-by=FIELD] [[-o | --output]=OUTPUT_FORMAT] [flags] |
List one or more resources. |
kustomize |
kubectl kustomize <dir> [flags] [options] |
List a set of API resources generated from instructions in a kustomization.yaml file. The argument must be the path to the directory containing the file, or a git repository URL with a path suffix specifying same with respect to the repository root. |
label |
kubectl label (-f FILENAME | TYPE NAME | TYPE/NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--overwrite] [--all] [--resource-version=version] [flags] |
Add or update the labels of one or more resources. |
logs |
kubectl logs POD [-c CONTAINER] [--follow] [flags] |
Print the logs for a container in a pod. |
options |
kubectl options |
List of global command-line options, which apply to all commands. |
patch |
kubectl patch (-f FILENAME | TYPE NAME | TYPE/NAME) --patch PATCH [flags] |
Update one or more fields of a resource by using the strategic merge patch process. |
plugin |
kubectl plugin [flags] [options] |
Provides utilities for interacting with plugins. |
port-forward |
kubectl port-forward POD [LOCAL_PORT:]REMOTE_PORT [...[LOCAL_PORT_N:]REMOTE_PORT_N] [flags] |
Forward one or more local ports to a pod. |
proxy |
kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix] [flags] |
Run a proxy to the Kubernetes API server. |
replace |
kubectl replace -f FILENAME |
Replace a resource from a file or stdin. |
rollout |
kubectl rollout SUBCOMMAND [options] |
Manage the rollout of a resource. Valid resource types include: deployments, daemonsets and statefulsets. |
run |
kubectl run NAME --image=image [--env="key=value"] [--port=port] [--dry-run=server|client|none] [--overrides=inline-json] [flags] |
Run a specified image on the cluster. |
scale |
kubectl scale (-f FILENAME | TYPE NAME | TYPE/NAME) --replicas=COUNT [--resource-version=version] [--current-replicas=count] [flags] |
Update the size of the specified replication controller. |
set |
kubectl set SUBCOMMAND [options] |
Configure application resources. |
taint |
kubectl taint NODE NAME KEY_1=VAL_1:TAINT_EFFECT_1 ... KEY_N=VAL_N:TAINT_EFFECT_N [options] |
Update the taints on one or more nodes. |
top |
kubectl top (POD | NODE) [flags] [options] |
Display Resource (CPU/Memory/Storage) usage of pod or node. |
uncordon |
kubectl uncordon NODE [options] |
Mark node as schedulable. |
version |
kubectl version [--client] [flags] |
Display the Kubernetes version running on the client and server. |
wait |
kubectl wait ([-f FILENAME] | resource.group/resource.name | resource.group [(-l label | --all)]) [--for=delete|--for condition=available] [options] |
Experimental: Wait for a specific condition on one or many resources. |
To learn more about command operations, see the kubectl reference documentation.
Resource types
The following table includes a list of all the supported resource types and their abbreviated aliases.
(This output can be retrieved from kubectl api-resources
, and was accurate as of Kubernetes 1.25.0)
NAME |
SHORTNAMES |
APIVERSION |
NAMESPACED |
KIND |
bindings |
|
v1 |
true |
Binding |
componentstatuses |
cs |
v1 |
false |
ComponentStatus |
configmaps |
cm |
v1 |
true |
ConfigMap |
endpoints |
ep |
v1 |
true |
Endpoints |
events |
ev |
v1 |
true |
Event |
limitranges |
limits |
v1 |
true |
LimitRange |
namespaces |
ns |
v1 |
false |
Namespace |
nodes |
no |
v1 |
false |
Node |
persistentvolumeclaims |
pvc |
v1 |
true |
PersistentVolumeClaim |
persistentvolumes |
pv |
v1 |
false |
PersistentVolume |
pods |
po |
v1 |
true |
Pod |
podtemplates |
|
v1 |
true |
PodTemplate |
replicationcontrollers |
rc |
v1 |
true |
ReplicationController |
resourcequotas |
quota |
v1 |
true |
ResourceQuota |
secrets |
|
v1 |
true |
Secret |
serviceaccounts |
sa |
v1 |
true |
ServiceAccount |
services |
svc |
v1 |
true |
Service |
mutatingwebhookconfigurations |
|
admissionregistration.k8s.io/v1 |
false |
MutatingWebhookConfiguration |
validatingwebhookconfigurations |
|
admissionregistration.k8s.io/v1 |
false |
ValidatingWebhookConfiguration |
customresourcedefinitions |
crd,crds |
apiextensions.k8s.io/v1 |
false |
CustomResourceDefinition |
apiservices |
|
apiregistration.k8s.io/v1 |
false |
APIService |
controllerrevisions |
|
apps/v1 |
true |
ControllerRevision |
daemonsets |
ds |
apps/v1 |
true |
DaemonSet |
deployments |
deploy |
apps/v1 |
true |
Deployment |
replicasets |
rs |
apps/v1 |
true |
ReplicaSet |
statefulsets |
sts |
apps/v1 |
true |
StatefulSet |
tokenreviews |
|
authentication.k8s.io/v1 |
false |
TokenReview |
localsubjectaccessreviews |
|
authorization.k8s.io/v1 |
true |
LocalSubjectAccessReview |
selfsubjectaccessreviews |
|
authorization.k8s.io/v1 |
false |
SelfSubjectAccessReview |
selfsubjectrulesreviews |
|
authorization.k8s.io/v1 |
false |
SelfSubjectRulesReview |
subjectaccessreviews |
|
authorization.k8s.io/v1 |
false |
SubjectAccessReview |
horizontalpodautoscalers |
hpa |
autoscaling/v2 |
true |
HorizontalPodAutoscaler |
cronjobs |
cj |
batch/v1 |
true |
CronJob |
jobs |
|
batch/v1 |
true |
Job |
certificatesigningrequests |
csr |
certificates.k8s.io/v1 |
false |
CertificateSigningRequest |
leases |
|
coordination.k8s.io/v1 |
true |
Lease |
endpointslices |
|
discovery.k8s.io/v1 |
true |
EndpointSlice |
events |
ev |
events.k8s.io/v1 |
true |
Event |
flowschemas |
|
flowcontrol.apiserver.k8s.io/v1beta2 |
false |
FlowSchema |
prioritylevelconfigurations |
|
flowcontrol.apiserver.k8s.io/v1beta2 |
false |
PriorityLevelConfiguration |
ingressclasses |
|
networking.k8s.io/v1 |
false |
IngressClass |
ingresses |
ing |
networking.k8s.io/v1 |
true |
Ingress |
networkpolicies |
netpol |
networking.k8s.io/v1 |
true |
NetworkPolicy |
runtimeclasses |
|
node.k8s.io/v1 |
false |
RuntimeClass |
poddisruptionbudgets |
pdb |
policy/v1 |
true |
PodDisruptionBudget |
podsecuritypolicies |
psp |
policy/v1beta1 |
false |
PodSecurityPolicy |
clusterrolebindings |
|
rbac.authorization.k8s.io/v1 |
false |
ClusterRoleBinding |
clusterroles |
|
rbac.authorization.k8s.io/v1 |
false |
ClusterRole |
rolebindings |
|
rbac.authorization.k8s.io/v1 |
true |
RoleBinding |
roles |
|
rbac.authorization.k8s.io/v1 |
true |
Role |
priorityclasses |
pc |
scheduling.k8s.io/v1 |
false |
PriorityClass |
csidrivers |
|
storage.k8s.io/v1 |
false |
CSIDriver |
csinodes |
|
storage.k8s.io/v1 |
false |
CSINode |
csistoragecapacities |
|
storage.k8s.io/v1 |
true |
CSIStorageCapacity |
storageclasses |
sc |
storage.k8s.io/v1 |
false |
StorageClass |
volumeattachments |
|
storage.k8s.io/v1 |
false |
VolumeAttachment |
Output options
Use the following sections for information about how you can format or sort the output
of certain commands. For details about which commands support the various output options,
see the kubectl reference documentation.
The default output format for all kubectl
commands is the human readable plain-text format.
To output details to your terminal window in a specific format, you can add either the -o
or --output
flags to a supported kubectl
command.
Syntax
kubectl [command] [TYPE] [NAME] -o <output_format>
Depending on the kubectl
operation, the following output formats are supported:
Output format |
Description |
-o custom-columns=<spec> |
Print a table using a comma separated list of custom columns. |
-o custom-columns-file=<filename> |
Print a table using the custom columns template in the <filename> file. |
-o json |
Output a JSON formatted API object. |
-o jsonpath=<template> |
Print the fields defined in a jsonpath expression. |
-o jsonpath-file=<filename> |
Print the fields defined by the jsonpath expression in the <filename> file. |
-o name |
Print only the resource name and nothing else. |
-o wide |
Output in the plain-text format with any additional information. For pods, the node name is included. |
-o yaml |
Output a YAML formatted API object. |
Example
In this example, the following command outputs the details for a single pod as a YAML formatted object:
kubectl get pod web-pod-13je7 -o yaml
Remember: See the kubectl reference documentation
for details about which output format is supported by each command.
Custom columns
To define custom columns and output only the details that you want into a table, you can use the custom-columns
option.
You can choose to define the custom columns inline or use a template file: -o custom-columns=<spec>
or -o custom-columns-file=<filename>
.
Examples
Inline:
kubectl get pods <pod-name> -o custom-columns=NAME:.metadata.name,RSRC:.metadata.resourceVersion
Template file:
kubectl get pods <pod-name> -o custom-columns-file=template.txt
where the template.txt
file contains:
NAME RSRC
metadata.name metadata.resourceVersion
The result of running either command is similar to:
NAME RSRC
submit-queue 610995
Server-side columns
kubectl
supports receiving specific column information from the server about objects.
This means that for any given resource, the server will return columns and rows relevant to that resource, for the client to print.
This allows for consistent human-readable output across clients used against the same cluster, by having the server encapsulate the details of printing.
This feature is enabled by default. To disable it, add the
--server-print=false
flag to the kubectl get
command.
Examples
To print information about the status of a pod, use a command like the following:
kubectl get pods <pod-name> --server-print=false
The output is similar to:
NAME AGE
pod-name 1m
Sorting list objects
To output objects to a sorted list in your terminal window, you can add the --sort-by
flag
to a supported kubectl
command. Sort your objects by specifying any numeric or string field
with the --sort-by
flag. To specify a field, use a jsonpath expression.
Syntax
kubectl [command] [TYPE] [NAME] --sort-by=<jsonpath_exp>
Example
To print a list of pods sorted by name, you run:
kubectl get pods --sort-by=.metadata.name
Examples: Common operations
Use the following set of examples to help you familiarize yourself with running the commonly used kubectl
operations:
kubectl apply
- Apply or Update a resource from a file or stdin.
# Create a service using the definition in example-service.yaml.
kubectl apply -f example-service.yaml
# Create a replication controller using the definition in example-controller.yaml.
kubectl apply -f example-controller.yaml
# Create the objects that are defined in any .yaml, .yml, or .json file within the <directory> directory.
kubectl apply -f <directory>
kubectl get
- List one or more resources.
# List all pods in plain-text output format.
kubectl get pods
# List all pods in plain-text output format and include additional information (such as node name).
kubectl get pods -o wide
# List the replication controller with the specified name in plain-text output format. Tip: You can shorten and replace the 'replicationcontroller' resource type with the alias 'rc'.
kubectl get replicationcontroller <rc-name>
# List all replication controllers and services together in plain-text output format.
kubectl get rc,services
# List all daemon sets in plain-text output format.
kubectl get ds
# List all pods running on node server01
kubectl get pods --field-selector=spec.nodeName=server01
kubectl describe
- Display detailed state of one or more resources, including the uninitialized ones by default.
# Display the details of the node with name <node-name>.
kubectl describe nodes <node-name>
# Display the details of the pod with name <pod-name>.
kubectl describe pods/<pod-name>
# Display the details of all the pods that are managed by the replication controller named <rc-name>.
# Remember: Any pods that are created by the replication controller get prefixed with the name of the replication controller.
kubectl describe pods <rc-name>
# Describe all pods
kubectl describe pods
Note: The kubectl get
command is usually used for retrieving one or more
resources of the same resource type. It features a rich set of flags that allows
you to customize the output format using the -o
or --output
flag, for example.
You can specify the -w
or --watch
flag to start watching updates to a particular
object. The kubectl describe
command is more focused on describing the many
related aspects of a specified resource. It may invoke several API calls to the
API server to build a view for the user. For example, the kubectl describe node
command retrieves not only the information about the node, but also a summary of
the pods running on it, the events generated for the node etc.
kubectl delete
- Delete resources either from a file, stdin, or specifying label selectors, names, resource selectors, or resources.
# Delete a pod using the type and name specified in the pod.yaml file.
kubectl delete -f pod.yaml
# Delete all the pods and services that have the label '<label-key>=<label-value>'.
kubectl delete pods,services -l <label-key>=<label-value>
# Delete all pods, including uninitialized ones.
kubectl delete pods --all
kubectl exec
- Execute a command against a container in a pod.
# Get output from running 'date' from pod <pod-name>. By default, output is from the first container.
kubectl exec <pod-name> -- date
# Get output from running 'date' in container <container-name> of pod <pod-name>.
kubectl exec <pod-name> -c <container-name> -- date
# Get an interactive TTY and run /bin/bash from pod <pod-name>. By default, output is from the first container.
kubectl exec -ti <pod-name> -- /bin/bash
kubectl logs
- Print the logs for a container in a pod.
# Return a snapshot of the logs from pod <pod-name>.
kubectl logs <pod-name>
# Start streaming the logs from pod <pod-name>. This is similar to the 'tail -f' Linux command.
kubectl logs -f <pod-name>
kubectl diff
- View a diff of the proposed updates to a cluster.
# Diff resources included in "pod.json".
kubectl diff -f pod.json
# Diff file read from stdin.
cat service.yaml | kubectl diff -f -
Examples: Creating and using plugins
Use the following set of examples to help you familiarize yourself with writing and using kubectl
plugins:
# create a simple plugin in any language and name the resulting executable file
# so that it begins with the prefix "kubectl-"
cat ./kubectl-hello
#!/bin/sh
# this plugin prints the words "hello world"
echo "hello world"
With a plugin written, let's make it executable:
chmod a+x ./kubectl-hello
# and move it to a location in our PATH
sudo mv ./kubectl-hello /usr/local/bin
sudo chown root:root /usr/local/bin
# You have now created and "installed" a kubectl plugin.
# You can begin using this plugin by invoking it from kubectl as if it were a regular command
kubectl hello
hello world
# You can "uninstall" a plugin, by removing it from the folder in your
# $PATH where you placed it
sudo rm /usr/local/bin/kubectl-hello
In order to view all of the plugins that are available to kubectl
, use
the kubectl plugin list
subcommand:
The output is similar to:
The following kubectl-compatible plugins are available:
/usr/local/bin/kubectl-hello
/usr/local/bin/kubectl-foo
/usr/local/bin/kubectl-bar
kubectl plugin list
also warns you about plugins that are not
executable, or that are shadowed by other plugins; for example:
sudo chmod -x /usr/local/bin/kubectl-foo # remove execute permission
kubectl plugin list
The following kubectl-compatible plugins are available:
/usr/local/bin/kubectl-hello
/usr/local/bin/kubectl-foo
- warning: /usr/local/bin/kubectl-foo identified as a plugin, but it is not executable
/usr/local/bin/kubectl-bar
error: one plugin warning was found
You can think of plugins as a means to build more complex functionality on top
of the existing kubectl commands:
The next few examples assume that you already made kubectl-whoami
have
the following contents:
#!/bin/bash
# this plugin makes use of the `kubectl config` command in order to output
# information about the current user, based on the currently selected context
kubectl config view --template='{{ range .contexts }}{{ if eq .name "'$(kubectl config current-context)'" }}Current user: {{ printf "%s\n" .context.user }}{{ end }}{{ end }}'
Running the above command gives you an output containing the user for the
current context in your KUBECONFIG file:
# make the file executable
sudo chmod +x ./kubectl-whoami
# and move it into your PATH
sudo mv ./kubectl-whoami /usr/local/bin
kubectl whoami
Current user: plugins-user
What's next
1 - kubectl Quick Reference
This page contains a list of commonly used kubectl
commands and flags.
Note: These instructions are for Kubernetes v1.29. To check the version, use the kubectl version
command.
Kubectl autocomplete
BASH
source <(kubectl completion bash) # set up autocomplete in bash into the current shell, bash-completion package should be installed first.
echo "source <(kubectl completion bash)" >> ~/.bashrc # add autocomplete permanently to your bash shell.
You can also use a shorthand alias for kubectl
that also works with completion:
alias k=kubectl
complete -o default -F __start_kubectl k
ZSH
source <(kubectl completion zsh) # set up autocomplete in zsh into the current shell
echo '[[ $commands[kubectl] ]] && source <(kubectl completion zsh)' >> ~/.zshrc # add autocomplete permanently to your zsh shell
FISH
Require kubectl version 1.23 or above.
echo 'kubectl completion fish | source' >> ~/.config/fish/config.fish # add kubectl autocompletion permanently to your fish shell
A note on --all-namespaces
Appending --all-namespaces
happens frequently enough that you should be aware of the shorthand for --all-namespaces
:
kubectl -A
Kubectl context and configuration
Set which Kubernetes cluster kubectl
communicates with and modifies configuration
information. See Authenticating Across Clusters with kubeconfig documentation for
detailed config file information.
kubectl config view # Show Merged kubeconfig settings.
# use multiple kubeconfig files at the same time and view merged config
KUBECONFIG=~/.kube/config:~/.kube/kubconfig2
kubectl config view
# Show merged kubeconfig settings and raw certificate data and exposed secrets
kubectl config view --raw
# get the password for the e2e user
kubectl config view -o jsonpath='{.users[?(@.name == "e2e")].user.password}'
# get the certificate for the e2e user
kubectl config view --raw -o jsonpath='{.users[?(.name == 'e2e')].user.client-certificate-data}' | base64 -d
kubectl config view -o jsonpath='{.users[].name}' # display the first user
kubectl config view -o jsonpath='{.users[*].name}' # get a list of users
kubectl config get-contexts # display list of contexts
kubectl config get-contexts -o name # get all context names
kubectl config current-context # display the current-context
kubectl config use-context my-cluster-name # set the default context to my-cluster-name
kubectl config set-cluster my-cluster-name # set a cluster entry in the kubeconfig
# configure the URL to a proxy server to use for requests made by this client in the kubeconfig
kubectl config set-cluster my-cluster-name --proxy-url=my-proxy-url
# add a new user to your kubeconf that supports basic auth
kubectl config set-credentials kubeuser/foo.kubernetes.com --username=kubeuser --password=kubepassword
# permanently save the namespace for all subsequent kubectl commands in that context.
kubectl config set-context --current --namespace=ggckad-s2
# set a context utilizing a specific username and namespace.
kubectl config set-context gce --user=cluster-admin --namespace=foo \
&& kubectl config use-context gce
kubectl config unset users.foo # delete user foo
# short alias to set/show context/namespace (only works for bash and bash-compatible shells, current context to be set before using kn to set namespace)
alias kx='f() { [ "$1" ] && kubectl config use-context $1 || kubectl config current-context ; } ; f'
alias kn='f() { [ "$1" ] && kubectl config set-context --current --namespace $1 || kubectl config view --minify | grep namespace | cut -d" " -f6 ; } ; f'
Kubectl apply
apply
manages applications through files defining Kubernetes resources. It creates and updates resources in a cluster through running kubectl apply
. This is the recommended way of managing Kubernetes applications on production. See Kubectl Book.
Creating objects
Kubernetes manifests can be defined in YAML or JSON. The file extension .yaml
,
.yml
, and .json
can be used.
kubectl apply -f ./my-manifest.yaml # create resource(s)
kubectl apply -f ./my1.yaml -f ./my2.yaml # create from multiple files
kubectl apply -f ./dir # create resource(s) in all manifest files in dir
kubectl apply -f https://example.com/manifest.yaml # create resource(s) from url (Note: this is an example domain and does not contain a valid manifest)
kubectl create deployment nginx --image=nginx # start a single instance of nginx
# create a Job which prints "Hello World"
kubectl create job hello --image=busybox:1.28 -- echo "Hello World"
# create a CronJob that prints "Hello World" every minute
kubectl create cronjob hello --image=busybox:1.28 --schedule="*/1 * * * *" -- echo "Hello World"
kubectl explain pods # get the documentation for pod manifests
# Create multiple YAML objects from stdin
kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
name: busybox-sleep
spec:
containers:
- name: busybox
image: busybox:1.28
args:
- sleep
- "1000000"
---
apiVersion: v1
kind: Pod
metadata:
name: busybox-sleep-less
spec:
containers:
- name: busybox
image: busybox:1.28
args:
- sleep
- "1000"
EOF
# Create a secret with several keys
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
name: mysecret
type: Opaque
data:
password: $(echo -n "s33msi4" | base64 -w0)
username: $(echo -n "jane" | base64 -w0)
EOF
Viewing and finding resources
# Get commands with basic output
kubectl get services # List all services in the namespace
kubectl get pods --all-namespaces # List all pods in all namespaces
kubectl get pods -o wide # List all pods in the current namespace, with more details
kubectl get deployment my-dep # List a particular deployment
kubectl get pods # List all pods in the namespace
kubectl get pod my-pod -o yaml # Get a pod's YAML
# Describe commands with verbose output
kubectl describe nodes my-node
kubectl describe pods my-pod
# List Services Sorted by Name
kubectl get services --sort-by=.metadata.name
# List pods Sorted by Restart Count
kubectl get pods --sort-by='.status.containerStatuses[0].restartCount'
# List PersistentVolumes sorted by capacity
kubectl get pv --sort-by=.spec.capacity.storage
# Get the version label of all pods with label app=cassandra
kubectl get pods --selector=app=cassandra -o \
jsonpath='{.items[*].metadata.labels.version}'
# Retrieve the value of a key with dots, e.g. 'ca.crt'
kubectl get configmap myconfig \
-o jsonpath='{.data.ca\.crt}'
# Retrieve a base64 encoded value with dashes instead of underscores.
kubectl get secret my-secret --template='{{index .data "key-name-with-dashes"}}'
# Get all worker nodes (use a selector to exclude results that have a label
# named 'node-role.kubernetes.io/control-plane')
kubectl get node --selector='!node-role.kubernetes.io/control-plane'
# Get all running pods in the namespace
kubectl get pods --field-selector=status.phase=Running
# Get ExternalIPs of all nodes
kubectl get nodes -o jsonpath='{.items[*].status.addresses[?(@.type=="ExternalIP")].address}'
# List Names of Pods that belong to Particular RC
# "jq" command useful for transformations that are too complex for jsonpath, it can be found at https://jqlang.github.io/jq/
sel=${$(kubectl get rc my-rc --output=json | jq -j '.spec.selector | to_entries | .[] | "\(.key)=\(.value),"')%?}
echo $(kubectl get pods --selector=$sel --output=jsonpath={.items..metadata.name})
# Show labels for all pods (or any other Kubernetes object that supports labelling)
kubectl get pods --show-labels
# Check which nodes are ready
JSONPATH='{range .items[*]}{@.metadata.name}:{range @.status.conditions[*]}{@.type}={@.status};{end}{end}' \
&& kubectl get nodes -o jsonpath="$JSONPATH" | grep "Ready=True"
# Check which nodes are ready with custom-columns
kubectl get node -o custom-columns='NODE_NAME:.metadata.name,STATUS:.status.conditions[?(@.type=="Ready")].status'
# Output decoded secrets without external tools
kubectl get secret my-secret -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}'
# List all Secrets currently in use by a pod
kubectl get pods -o json | jq '.items[].spec.containers[].env[]?.valueFrom.secretKeyRef.name' | grep -v null | sort | uniq
# List all containerIDs of initContainer of all pods
# Helpful when cleaning up stopped containers, while avoiding removal of initContainers.
kubectl get pods --all-namespaces -o jsonpath='{range .items[*].status.initContainerStatuses[*]}{.containerID}{"\n"}{end}' | cut -d/ -f3
# List Events sorted by timestamp
kubectl get events --sort-by=.metadata.creationTimestamp
# List all warning events
kubectl events --types=Warning
# Compares the current state of the cluster against the state that the cluster would be in if the manifest was applied.
kubectl diff -f ./my-manifest.yaml
# Produce a period-delimited tree of all keys returned for nodes
# Helpful when locating a key within a complex nested JSON structure
kubectl get nodes -o json | jq -c 'paths|join(".")'
# Produce a period-delimited tree of all keys returned for pods, etc
kubectl get pods -o json | jq -c 'paths|join(".")'
# Produce ENV for all pods, assuming you have a default container for the pods, default namespace and the `env` command is supported.
# Helpful when running any supported command across all pods, not just `env`
for pod in $(kubectl get po --output=jsonpath={.items..metadata.name}); do echo $pod && kubectl exec -it $pod -- env; done
# Get a deployment's status subresource
kubectl get deployment nginx-deployment --subresource=status
Updating resources
kubectl set image deployment/frontend www=image:v2 # Rolling update "www" containers of "frontend" deployment, updating the image
kubectl rollout history deployment/frontend # Check the history of deployments including the revision
kubectl rollout undo deployment/frontend # Rollback to the previous deployment
kubectl rollout undo deployment/frontend --to-revision=2 # Rollback to a specific revision
kubectl rollout status -w deployment/frontend # Watch rolling update status of "frontend" deployment until completion
kubectl rollout restart deployment/frontend # Rolling restart of the "frontend" deployment
cat pod.json | kubectl replace -f - # Replace a pod based on the JSON passed into stdin
# Force replace, delete and then re-create the resource. Will cause a service outage.
kubectl replace --force -f ./pod.json
# Create a service for a replicated nginx, which serves on port 80 and connects to the containers on port 8000
kubectl expose rc nginx --port=80 --target-port=8000
# Update a single-container pod's image version (tag) to v4
kubectl get pod mypod -o yaml | sed 's/\(image: myimage\):.*$/\1:v4/' | kubectl replace -f -
kubectl label pods my-pod new-label=awesome # Add a Label
kubectl label pods my-pod new-label- # Remove a label
kubectl label pods my-pod new-label=new-value --overwrite # Overwrite an existing value
kubectl annotate pods my-pod icon-url=http://goo.gl/XXBTWq # Add an annotation
kubectl annotate pods my-pod icon-url- # Remove annotation
kubectl autoscale deployment foo --min=2 --max=10 # Auto scale a deployment "foo"
Patching resources
# Partially update a node
kubectl patch node k8s-node-1 -p '{"spec":{"unschedulable":true}}'
# Update a container's image; spec.containers[*].name is required because it's a merge key
kubectl patch pod valid-pod -p '{"spec":{"containers":[{"name":"kubernetes-serve-hostname","image":"new image"}]}}'
# Update a container's image using a json patch with positional arrays
kubectl patch pod valid-pod --type='json' -p='[{"op": "replace", "path": "/spec/containers/0/image", "value":"new image"}]'
# Disable a deployment livenessProbe using a json patch with positional arrays
kubectl patch deployment valid-deployment --type json -p='[{"op": "remove", "path": "/spec/template/spec/containers/0/livenessProbe"}]'
# Add a new element to a positional array
kubectl patch sa default --type='json' -p='[{"op": "add", "path": "/secrets/1", "value": {"name": "whatever" } }]'
# Update a deployment's replica count by patching its scale subresource
kubectl patch deployment nginx-deployment --subresource='scale' --type='merge' -p '{"spec":{"replicas":2}}'
Editing resources
Edit any API resource in your preferred editor.
kubectl edit svc/docker-registry # Edit the service named docker-registry
KUBE_EDITOR="nano" kubectl edit svc/docker-registry # Use an alternative editor
Scaling resources
kubectl scale --replicas=3 rs/foo # Scale a replicaset named 'foo' to 3
kubectl scale --replicas=3 -f foo.yaml # Scale a resource specified in "foo.yaml" to 3
kubectl scale --current-replicas=2 --replicas=3 deployment/mysql # If the deployment named mysql's current size is 2, scale mysql to 3
kubectl scale --replicas=5 rc/foo rc/bar rc/baz # Scale multiple replication controllers
Deleting resources
kubectl delete -f ./pod.json # Delete a pod using the type and name specified in pod.json
kubectl delete pod unwanted --now # Delete a pod with no grace period
kubectl delete pod,service baz foo # Delete pods and services with same names "baz" and "foo"
kubectl delete pods,services -l name=myLabel # Delete pods and services with label name=myLabel
kubectl -n my-ns delete pod,svc --all # Delete all pods and services in namespace my-ns,
# Delete all pods matching the awk pattern1 or pattern2
kubectl get pods -n mynamespace --no-headers=true | awk '/pattern1|pattern2/{print $1}' | xargs kubectl delete -n mynamespace pod
Interacting with running Pods
kubectl logs my-pod # dump pod logs (stdout)
kubectl logs -l name=myLabel # dump pod logs, with label name=myLabel (stdout)
kubectl logs my-pod --previous # dump pod logs (stdout) for a previous instantiation of a container
kubectl logs my-pod -c my-container # dump pod container logs (stdout, multi-container case)
kubectl logs -l name=myLabel -c my-container # dump pod container logs, with label name=myLabel (stdout)
kubectl logs my-pod -c my-container --previous # dump pod container logs (stdout, multi-container case) for a previous instantiation of a container
kubectl logs -f my-pod # stream pod logs (stdout)
kubectl logs -f my-pod -c my-container # stream pod container logs (stdout, multi-container case)
kubectl logs -f -l name=myLabel --all-containers # stream all pods logs with label name=myLabel (stdout)
kubectl run -i --tty busybox --image=busybox:1.28 -- sh # Run pod as interactive shell
kubectl run nginx --image=nginx -n mynamespace # Start a single instance of nginx pod in the namespace of mynamespace
kubectl run nginx --image=nginx --dry-run=client -o yaml > pod.yaml
# Generate spec for running pod nginx and write it into a file called pod.yaml
kubectl attach my-pod -i # Attach to Running Container
kubectl port-forward my-pod 5000:6000 # Listen on port 5000 on the local machine and forward to port 6000 on my-pod
kubectl exec my-pod -- ls / # Run command in existing pod (1 container case)
kubectl exec --stdin --tty my-pod -- /bin/sh # Interactive shell access to a running pod (1 container case)
kubectl exec my-pod -c my-container -- ls / # Run command in existing pod (multi-container case)
kubectl top pod POD_NAME --containers # Show metrics for a given pod and its containers
kubectl top pod POD_NAME --sort-by=cpu # Show metrics for a given pod and sort it by 'cpu' or 'memory'
Copying files and directories to and from containers
kubectl cp /tmp/foo_dir my-pod:/tmp/bar_dir # Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the current namespace
kubectl cp /tmp/foo my-pod:/tmp/bar -c my-container # Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container
kubectl cp /tmp/foo my-namespace/my-pod:/tmp/bar # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace my-namespace
kubectl cp my-namespace/my-pod:/tmp/foo /tmp/bar # Copy /tmp/foo from a remote pod to /tmp/bar locally
Note: kubectl cp
requires that the 'tar' binary is present in your container image. If 'tar' is not present, kubectl cp
will fail.
For advanced use cases, such as symlinks, wildcard expansion or file mode preservation consider using kubectl exec
.
tar cf - /tmp/foo | kubectl exec -i -n my-namespace my-pod -- tar xf - -C /tmp/bar # Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace my-namespace
kubectl exec -n my-namespace my-pod -- tar cf - /tmp/foo | tar xf - -C /tmp/bar # Copy /tmp/foo from a remote pod to /tmp/bar locally
Interacting with Deployments and Services
kubectl logs deploy/my-deployment # dump Pod logs for a Deployment (single-container case)
kubectl logs deploy/my-deployment -c my-container # dump Pod logs for a Deployment (multi-container case)
kubectl port-forward svc/my-service 5000 # listen on local port 5000 and forward to port 5000 on Service backend
kubectl port-forward svc/my-service 5000:my-service-port # listen on local port 5000 and forward to Service target port with name <my-service-port>
kubectl port-forward deploy/my-deployment 5000:6000 # listen on local port 5000 and forward to port 6000 on a Pod created by <my-deployment>
kubectl exec deploy/my-deployment -- ls # run command in first Pod and first container in Deployment (single- or multi-container cases)
Interacting with Nodes and cluster
kubectl cordon my-node # Mark my-node as unschedulable
kubectl drain my-node # Drain my-node in preparation for maintenance
kubectl uncordon my-node # Mark my-node as schedulable
kubectl top node my-node # Show metrics for a given node
kubectl cluster-info # Display addresses of the master and services
kubectl cluster-info dump # Dump current cluster state to stdout
kubectl cluster-info dump --output-directory=/path/to/cluster-state # Dump current cluster state to /path/to/cluster-state
# View existing taints on which exist on current nodes.
kubectl get nodes -o='custom-columns=NodeName:.metadata.name,TaintKey:.spec.taints[*].key,TaintValue:.spec.taints[*].value,TaintEffect:.spec.taints[*].effect'
# If a taint with that key and effect already exists, its value is replaced as specified.
kubectl taint nodes foo dedicated=special-user:NoSchedule
Resource types
List all supported resource types along with their shortnames, API group, whether they are namespaced, and kind:
Other operations for exploring API resources:
kubectl api-resources --namespaced=true # All namespaced resources
kubectl api-resources --namespaced=false # All non-namespaced resources
kubectl api-resources -o name # All resources with simple output (only the resource name)
kubectl api-resources -o wide # All resources with expanded (aka "wide") output
kubectl api-resources --verbs=list,get # All resources that support the "list" and "get" request verbs
kubectl api-resources --api-group=extensions # All resources in the "extensions" API group
To output details to your terminal window in a specific format, add the -o
(or --output
) flag to a supported kubectl
command.
Output format |
Description |
-o=custom-columns=<spec> |
Print a table using a comma separated list of custom columns |
-o=custom-columns-file=<filename> |
Print a table using the custom columns template in the <filename> file |
-o=go-template=<template> |
Print the fields defined in a golang template |
-o=go-template-file=<filename> |
Print the fields defined by the golang template in the <filename> file |
-o=json |
Output a JSON formatted API object |
-o=jsonpath=<template> |
Print the fields defined in a jsonpath expression |
-o=jsonpath-file=<filename> |
Print the fields defined by the jsonpath expression in the <filename> file |
-o=name |
Print only the resource name and nothing else |
-o=wide |
Output in the plain-text format with any additional information, and for pods, the node name is included |
-o=yaml |
Output a YAML formatted API object |
Examples using -o=custom-columns
:
# All images running in a cluster
kubectl get pods -A -o=custom-columns='DATA:spec.containers[*].image'
# All images running in namespace: default, grouped by Pod
kubectl get pods --namespace default --output=custom-columns="NAME:.metadata.name,IMAGE:.spec.containers[*].image"
# All images excluding "registry.k8s.io/coredns:1.6.2"
kubectl get pods -A -o=custom-columns='DATA:spec.containers[?(@.image!="registry.k8s.io/coredns:1.6.2")].image'
# All fields under metadata regardless of name
kubectl get pods -A -o=custom-columns='DATA:metadata.*'
More examples in the kubectl reference documentation.
Kubectl output verbosity and debugging
Kubectl verbosity is controlled with the -v
or --v
flags followed by an integer representing the log level. General Kubernetes logging conventions and the associated log levels are described here.
Verbosity |
Description |
--v=0 |
Generally useful for this to always be visible to a cluster operator. |
--v=1 |
A reasonable default log level if you don't want verbosity. |
--v=2 |
Useful steady state information about the service and important log messages that may correlate to significant changes in the system. This is the recommended default log level for most systems. |
--v=3 |
Extended information about changes. |
--v=4 |
Debug level verbosity. |
--v=5 |
Trace level verbosity. |
--v=6 |
Display requested resources. |
--v=7 |
Display HTTP request headers. |
--v=8 |
Display HTTP request contents. |
--v=9 |
Display HTTP request contents without truncation of contents. |
What's next
2 - kubectl reference
2.1 - kubectl
Synopsis
kubectl controls the Kubernetes cluster manager.
Find more information at: https://kubernetes.io/docs/reference/kubectl/
kubectl [flags]
Options
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
-h, --help |
| help for kubectl |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl annotate - Update the annotations on a resource
- kubectl api-resources - Print the supported API resources on the server
- kubectl api-versions - Print the supported API versions on the server, in the form of "group/version"
- kubectl apply - Apply a configuration to a resource by file name or stdin
- kubectl attach - Attach to a running container
- kubectl auth - Inspect authorization
- kubectl autoscale - Auto-scale a deployment, replica set, stateful set, or replication controller
- kubectl certificate - Modify certificate resources
- kubectl cluster-info - Display cluster information
- kubectl completion - Output shell completion code for the specified shell (bash, zsh, fish, or powershell)
- kubectl config - Modify kubeconfig files
- kubectl cordon - Mark node as unschedulable
- kubectl cp - Copy files and directories to and from containers
- kubectl create - Create a resource from a file or from stdin
- kubectl debug - Create debugging sessions for troubleshooting workloads and nodes
- kubectl delete - Delete resources by file names, stdin, resources and names, or by resources and label selector
- kubectl describe - Show details of a specific resource or group of resources
- kubectl diff - Diff the live version against a would-be applied version
- kubectl drain - Drain node in preparation for maintenance
- kubectl edit - Edit a resource on the server
- kubectl events - List events
- kubectl exec - Execute a command in a container
- kubectl explain - Get documentation for a resource
- kubectl expose - Take a replication controller, service, deployment or pod and expose it as a new Kubernetes service
- kubectl get - Display one or many resources
- kubectl kustomize - Build a kustomization target from a directory or URL
- kubectl label - Update the labels on a resource
- kubectl logs - Print the logs for a container in a pod
- kubectl options - Print the list of flags inherited by all commands
- kubectl patch - Update fields of a resource
- kubectl plugin - Provides utilities for interacting with plugins
- kubectl port-forward - Forward one or more local ports to a pod
- kubectl proxy - Run a proxy to the Kubernetes API server
- kubectl replace - Replace a resource by file name or stdin
- kubectl rollout - Manage the rollout of a resource
- kubectl run - Run a particular image on the cluster
- kubectl scale - Set a new size for a deployment, replica set, or replication controller
- kubectl set - Set specific features on objects
- kubectl taint - Update the taints on one or more nodes
- kubectl top - Display resource (CPU/memory) usage
- kubectl uncordon - Mark node as schedulable
- kubectl version - Print the client and server version information
- kubectl wait - Experimental: Wait for a specific condition on one or many resources
2.2 - kubectl annotate
Synopsis
Update the annotations on one or more resources.
All Kubernetes objects support the ability to store additional data with the object as annotations. Annotations are key/value pairs that can be larger than labels and include arbitrary string values such as structured JSON. Tools and system extensions may use annotations to store their own data.
Attempting to set an annotation that already exists will fail unless --overwrite is set. If --resource-version is specified and does not match the current resource version on the server the command will fail.
Use "kubectl api-resources" for a complete list of supported resources.
kubectl annotate [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--resource-version=version]
Examples
# Update pod 'foo' with the annotation 'description' and the value 'my frontend'
# If the same annotation is set multiple times, only the last value will be applied
kubectl annotate pods foo description='my frontend'
# Update a pod identified by type and name in "pod.json"
kubectl annotate -f pod.json description='my frontend'
# Update pod 'foo' with the annotation 'description' and the value 'my frontend running nginx', overwriting any existing value
kubectl annotate --overwrite pods foo description='my frontend running nginx'
# Update all pods in the namespace
kubectl annotate pods --all description='my frontend running nginx'
# Update pod 'foo' only if the resource is unchanged from version 1
kubectl annotate pods foo description='my frontend running nginx' --resource-version=1
# Update pod 'foo' by removing an annotation named 'description' if it exists
# Does not require the --overwrite flag
kubectl annotate pods foo description-
Options
--all |
| Select all resources, in the namespace of the specified resource types. |
-A, --all-namespaces |
| If true, check the specified action in all namespaces. |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-annotate" |
| Name of the manager used to track field ownership. |
--field-selector string |
| Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to update the annotation |
-h, --help |
| help for annotate |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
--list |
| If true, display the annotations for a given resource. |
--local |
| If true, annotation will NOT contact api-server but run locally. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--overwrite |
| If true, allow annotations to be overwritten, otherwise reject annotation updates that overwrite existing annotations. |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--resource-version string |
| If non-empty, the annotation update will only succeed if this is the current resource-version for the object. Only valid when specifying a single resource. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.3 - kubectl api-resources
Synopsis
Print the supported API resources on the server.
kubectl api-resources [flags]
Examples
# Print the supported API resources
kubectl api-resources
# Print the supported API resources with more information
kubectl api-resources -o wide
# Print the supported API resources sorted by a column
kubectl api-resources --sort-by=name
# Print the supported namespaced resources
kubectl api-resources --namespaced=true
# Print the supported non-namespaced resources
kubectl api-resources --namespaced=false
# Print the supported API resources with a specific APIGroup
kubectl api-resources --api-group=rbac.authorization.k8s.io
Options
--api-group string |
| Limit to resources in the specified API group. |
--cached |
| Use the cached list of resources if available. |
--categories strings |
| Limit to resources that belong to the specified categories. |
-h, --help |
| help for api-resources |
--namespaced Default: true |
| If false, non-namespaced resources will be returned, otherwise returning namespaced resources by default. |
--no-headers |
| When using the default or custom-column output format, don't print headers (default print headers). |
-o, --output string |
| Output format. One of: (wide, name). |
--sort-by string |
| If non-empty, sort list of resources using specified field. The field can be either 'name' or 'kind'. |
--verbs strings |
| Limit to resources that support the specified verbs. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.4 - kubectl api-versions
Synopsis
Print the supported API versions on the server, in the form of "group/version".
kubectl api-versions
Examples
# Print the supported API versions
kubectl api-versions
Options
-h, --help |
| help for api-versions |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.5 - kubectl apply
Synopsis
Apply a configuration to a resource by file name or stdin. The resource name must be specified. This resource will be created if it doesn't exist yet. To use 'apply', always create the resource initially with either 'apply' or 'create --save-config'.
JSON and YAML formats are accepted.
Alpha Disclaimer: the --prune functionality is not yet complete. Do not use unless you are aware of what the current state is. See https://issues.k8s.io/34274.
kubectl apply (-f FILENAME | -k DIRECTORY)
Examples
# Apply the configuration in pod.json to a pod
kubectl apply -f ./pod.json
# Apply resources from a directory containing kustomization.yaml - e.g. dir/kustomization.yaml
kubectl apply -k dir/
# Apply the JSON passed into stdin to a pod
cat pod.json | kubectl apply -f -
# Apply the configuration from all files that end with '.json'
kubectl apply -f '*.json'
# Note: --prune is still in Alpha
# Apply the configuration in manifest.yaml that matches label app=nginx and delete all other resources that are not in the file and match label app=nginx
kubectl apply --prune -f manifest.yaml -l app=nginx
# Apply the configuration in manifest.yaml and delete all the other config maps that are not in the file
kubectl apply --prune -f manifest.yaml --all --prune-allowlist=core/v1/ConfigMap
Options
--all |
| Select all resources in the namespace of the specified resource types. |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--cascade string[="background"] Default: "background" |
| Must be "background", "orphan", or "foreground". Selects the deletion cascading strategy for the dependents (e.g. Pods created by a ReplicationController). Defaults to background. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-client-side-apply" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| The files that contain the configurations to apply. |
--force |
| If true, immediately remove resources from API and bypass graceful deletion. Note that immediate deletion of some resources may result in inconsistency or data loss and requires confirmation. |
--force-conflicts |
| If true, server-side apply will force the changes against conflicts. |
--grace-period int Default: -1 |
| Period of time in seconds given to the resource to terminate gracefully. Ignored if negative. Set to 1 for immediate shutdown. Can only be set to 0 when --force is true (force deletion). |
-h, --help |
| help for apply |
-k, --kustomize string |
| Process a kustomization directory. This flag can't be used together with -f or -R. |
--openapi-patch Default: true |
| If true, use openapi to calculate diff when the openapi presents and the resource can be found in the openapi spec. Otherwise, fall back to use baked-in types. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--overwrite Default: true |
| Automatically resolve conflicts between the modified and live configuration by using values from the modified configuration |
--prune |
| Automatically delete resource objects, that do not appear in the configs and are created by either apply or create --save-config. Should be used with either -l or --all. |
--prune-allowlist strings |
| Overwrite the default allowlist with <group/version/kind> for --prune |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--server-side |
| If true, apply runs in the server instead of the client. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--timeout duration |
| The length of time to wait before giving up on a delete, zero means determine a timeout from the size of the object |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--wait |
| If true, wait for resources to be gone before returning. This waits for finalizers. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.5.1 - kubectl apply edit-last-applied
Synopsis
Edit the latest last-applied-configuration annotations of resources from the default editor.
The edit-last-applied command allows you to directly edit any API resource you can retrieve via the command-line tools. It will open the editor defined by your KUBE_EDITOR, or EDITOR environment variables, or fall back to 'vi' for Linux or 'notepad' for Windows. You can edit multiple objects, although changes are applied one at a time. The command accepts file names as well as command-line arguments, although the files you point to must be previously saved versions of resources.
The default format is YAML. To edit in JSON, specify "-o json".
The flag --windows-line-endings can be used to force Windows line endings, otherwise the default for your operating system will be used.
In the event an error occurs while updating, a temporary file will be created on disk that contains your unapplied changes. The most common error when updating a resource is another editor changing the resource on the server. When this occurs, you will have to apply your changes to the newer version of the resource, or update your temporary saved copy to include the latest resource version.
kubectl apply edit-last-applied (RESOURCE/NAME | -f FILENAME)
Examples
# Edit the last-applied-configuration annotations by type/name in YAML
kubectl apply edit-last-applied deployment/nginx
# Edit the last-applied-configuration annotations by file in JSON
kubectl apply edit-last-applied -f deploy.yaml -o json
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--field-manager string Default: "kubectl-client-side-apply" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files to use to edit the resource |
-h, --help |
| help for edit-last-applied |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--windows-line-endings |
| Defaults to the line ending native to your platform. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl apply - Apply a configuration to a resource by file name or stdin
2.5.2 - kubectl apply set-last-applied
Synopsis
Set the latest last-applied-configuration annotations by setting it to match the contents of a file. This results in the last-applied-configuration being updated as though 'kubectl apply -f<file> ' was run, without updating any other parts of the object.
kubectl apply set-last-applied -f FILENAME
Examples
# Set the last-applied-configuration of a resource to match the contents of a file
kubectl apply set-last-applied -f deploy.yaml
# Execute set-last-applied against each configuration file in a directory
kubectl apply set-last-applied -f path/
# Set the last-applied-configuration of a resource to match the contents of a file; will create the annotation if it does not already exist
kubectl apply set-last-applied -f deploy.yaml --create-annotation=true
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--create-annotation |
| Will create 'last-applied-configuration' annotations if current objects doesn't have one |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
-f, --filename strings |
| Filename, directory, or URL to files that contains the last-applied-configuration annotations |
-h, --help |
| help for set-last-applied |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl apply - Apply a configuration to a resource by file name or stdin
2.5.3 - kubectl apply view-last-applied
Synopsis
View the latest last-applied-configuration annotations by type/name or file.
The default output will be printed to stdout in YAML format. You can use the -o option to change the output format.
kubectl apply view-last-applied (TYPE [NAME | -l label] | TYPE/NAME | -f FILENAME)
Examples
# View the last-applied-configuration annotations by type/name in YAML
kubectl apply view-last-applied deployment/nginx
# View the last-applied-configuration annotations by file in JSON
kubectl apply view-last-applied -f deploy.yaml -o json
Options
--all |
| Select all resources in the namespace of the specified resource types |
-f, --filename strings |
| Filename, directory, or URL to files that contains the last-applied-configuration annotations |
-h, --help |
| help for view-last-applied |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string Default: "yaml" |
| Output format. Must be one of (yaml, json) |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl apply - Apply a configuration to a resource by file name or stdin
2.6 - kubectl attach
Synopsis
Attach to a process that is already running inside an existing container.
kubectl attach (POD | TYPE/NAME) -c CONTAINER
Examples
# Get output from running pod mypod; use the 'kubectl.kubernetes.io/default-container' annotation
# for selecting the container to be attached or the first container in the pod will be chosen
kubectl attach mypod
# Get output from ruby-container from pod mypod
kubectl attach mypod -c ruby-container
# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container from pod mypod
# and sends stdout/stderr from 'bash' back to the client
kubectl attach mypod -c ruby-container -i -t
# Get output from the first pod of a replica set named nginx
kubectl attach rs/nginx
Options
-c, --container string |
| Container name. If omitted, use the kubectl.kubernetes.io/default-container annotation for selecting the container to be attached or the first container in the pod will be chosen |
-h, --help |
| help for attach |
--pod-running-timeout duration Default: 1m0s |
| The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running |
-q, --quiet |
| Only print output from the remote session |
-i, --stdin |
| Pass stdin to the container |
-t, --tty |
| Stdin is a TTY |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.7 - kubectl auth
Synopsis
Inspect authorization.
kubectl auth [flags]
Options
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.7.1 - kubectl auth can-i
Synopsis
Check whether an action is allowed.
VERB is a logical Kubernetes API verb like 'get', 'list', 'watch', 'delete', etc. TYPE is a Kubernetes resource. Shortcuts and groups will be resolved. NONRESOURCEURL is a partial URL that starts with "/". NAME is the name of a particular Kubernetes resource. This command pairs nicely with impersonation. See --as global flag.
kubectl auth can-i VERB [TYPE | TYPE/NAME | NONRESOURCEURL]
Examples
# Check to see if I can create pods in any namespace
kubectl auth can-i create pods --all-namespaces
# Check to see if I can list deployments in my current namespace
kubectl auth can-i list deployments.apps
# Check to see if service account "foo" of namespace "dev" can list pods
# in the namespace "prod".
# You must be allowed to use impersonation for the global option "--as".
kubectl auth can-i list pods --as=system:serviceaccount:dev:foo -n prod
# Check to see if I can do everything in my current namespace ("*" means all)
kubectl auth can-i '*' '*'
# Check to see if I can get the job named "bar" in namespace "foo"
kubectl auth can-i list jobs.batch/bar -n foo
# Check to see if I can read pod logs
kubectl auth can-i get pods --subresource=log
# Check to see if I can access the URL /logs/
kubectl auth can-i get /logs/
# List all allowed actions in namespace "foo"
kubectl auth can-i --list --namespace=foo
Options
-A, --all-namespaces |
| If true, check the specified action in all namespaces. |
-h, --help |
| help for can-i |
--list |
| If true, prints all allowed actions. |
--no-headers |
| If true, prints allowed actions without headers |
-q, --quiet |
| If true, suppress output and just return the exit code. |
--subresource string |
| SubResource such as pod/log or deployment/scale |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.7.2 - kubectl auth reconcile
Synopsis
Reconciles rules for RBAC role, role binding, cluster role, and cluster role binding objects.
Missing objects are created, and the containing namespace is created for namespaced objects, if required.
Existing roles are updated to include the permissions in the input objects, and remove extra permissions if --remove-extra-permissions is specified.
Existing bindings are updated to include the subjects in the input objects, and remove extra subjects if --remove-extra-subjects is specified.
This is preferred to 'apply' for RBAC resources so that semantically-aware merging of rules and subjects is done.
kubectl auth reconcile -f FILENAME
Examples
# Reconcile RBAC resources from a file
kubectl auth reconcile -f my-rbac-rules.yaml
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to reconcile. |
-h, --help |
| help for reconcile |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--remove-extra-permissions |
| If true, removes extra permissions added to roles |
--remove-extra-subjects |
| If true, removes extra subjects added to rolebindings |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.7.3 - kubectl auth whoami
Synopsis
Experimental: Check who you are and your attributes (groups, extra).
This command is helpful to get yourself aware of the current user attributes,
especially when dynamic authentication, e.g., token webhook, auth proxy, or OIDC provider,
is enabled in the Kubernetes cluster.
kubectl auth whoami
Examples
# Get your subject attributes.
kubectl auth whoami
# Get your subject attributes in JSON format.
kubectl auth whoami -o json
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
-h, --help |
| help for whoami |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.8 - kubectl autoscale
Synopsis
Creates an autoscaler that automatically chooses and sets the number of pods that run in a Kubernetes cluster.
Looks up a deployment, replica set, stateful set, or replication controller by name and creates an autoscaler that uses the given resource as a reference. An autoscaler can automatically increase or decrease number of pods deployed within the system as needed.
kubectl autoscale (-f FILENAME | TYPE NAME | TYPE/NAME) [--min=MINPODS] --max=MAXPODS [--cpu-percent=CPU]
Examples
# Auto scale a deployment "foo", with the number of pods between 2 and 10, no target CPU utilization specified so a default autoscaling policy will be used
kubectl autoscale deployment foo --min=2 --max=10
# Auto scale a replication controller "foo", with the number of pods between 1 and 5, target CPU utilization at 80%
kubectl autoscale rc foo --max=5 --cpu-percent=80
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--cpu-percent int32 Default: -1 |
| The target average CPU utilization (represented as a percent of requested CPU) over all the pods. If it's not specified or negative, a default autoscaling policy will be used. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-autoscale" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to autoscale. |
-h, --help |
| help for autoscale |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
--max int32 Default: -1 |
| The upper limit for the number of pods that can be set by the autoscaler. Required. |
--min int32 Default: -1 |
| The lower limit for the number of pods that can be set by the autoscaler. If it's not specified or negative, the server will apply a default value. |
--name string |
| The name for the newly created object. If not specified, the name of the input resource will be used. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.9 - kubectl certificate
Synopsis
Modify certificate resources.
kubectl certificate SUBCOMMAND
Options
-h, --help |
| help for certificate |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.9.1 - kubectl certificate approve
Synopsis
Approve a certificate signing request.
kubectl certificate approve allows a cluster admin to approve a certificate signing request (CSR). This action tells a certificate signing controller to issue a certificate to the requester with the attributes requested in the CSR.
SECURITY NOTICE: Depending on the requested attributes, the issued certificate can potentially grant a requester access to cluster resources or to authenticate as a requested identity. Before approving a CSR, ensure you understand what the signed certificate can do.
kubectl certificate approve (-f FILENAME | NAME)
Examples
# Approve CSR 'csr-sqgzp'
kubectl certificate approve csr-sqgzp
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to update |
--force |
| Update the CSR even if it is already approved. |
-h, --help |
| help for approve |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.9.2 - kubectl certificate deny
Synopsis
Deny a certificate signing request.
kubectl certificate deny allows a cluster admin to deny a certificate signing request (CSR). This action tells a certificate signing controller to not to issue a certificate to the requester.
kubectl certificate deny (-f FILENAME | NAME)
Examples
# Deny CSR 'csr-sqgzp'
kubectl certificate deny csr-sqgzp
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to update |
--force |
| Update the CSR even if it is already denied. |
-h, --help |
| help for deny |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.10 - kubectl cluster-info
Synopsis
Display addresses of the control plane and services with label kubernetes.io/cluster-service=true. To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
kubectl cluster-info [flags]
Examples
# Print the address of the control plane and cluster services
kubectl cluster-info
Options
-h, --help |
| help for cluster-info |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.10.1 - kubectl cluster-info dump
Synopsis
Dump cluster information out suitable for debugging and diagnosing cluster problems. By default, dumps everything to stdout. You can optionally specify a directory with --output-directory. If you specify a directory, Kubernetes will build a set of files in that directory. By default, only dumps things in the current namespace and 'kube-system' namespace, but you can switch to a different namespace with the --namespaces flag, or specify --all-namespaces to dump all namespaces.
The command also dumps the logs of all of the pods in the cluster; these logs are dumped into different directories based on namespace and pod name.
kubectl cluster-info dump [flags]
Examples
# Dump current cluster state to stdout
kubectl cluster-info dump
# Dump current cluster state to /path/to/cluster-state
kubectl cluster-info dump --output-directory=/path/to/cluster-state
# Dump all namespaces to stdout
kubectl cluster-info dump --all-namespaces
# Dump a set of namespaces to /path/to/cluster-state
kubectl cluster-info dump --namespaces default,kube-system --output-directory=/path/to/cluster-state
Options
-A, --all-namespaces |
| If true, dump all namespaces. If true, --namespaces is ignored. |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
-h, --help |
| help for dump |
--namespaces strings |
| A comma separated list of namespaces to dump. |
-o, --output string Default: "json" |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--output-directory string |
| Where to output the files. If empty or '-' uses stdout, otherwise creates a directory hierarchy in that directory |
--pod-running-timeout duration Default: 20s |
| The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.11 - kubectl completion
Synopsis
Output shell completion code for the specified shell (bash, zsh, fish, or powershell). The shell code must be evaluated to provide interactive completion of kubectl commands. This can be done by sourcing it from the .bash_profile.
Detailed instructions on how to do this are available here:
for macOS:
https://kubernetes.io/docs/tasks/tools/install-kubectl-macos/#enable-shell-autocompletion
for linux:
https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/#enable-shell-autocompletion
for windows:
https://kubernetes.io/docs/tasks/tools/install-kubectl-windows/#enable-shell-autocompletion
Note for zsh users: [1] zsh completions are only supported in versions of zsh >= 5.2.
kubectl completion SHELL
Examples
# Installing bash completion on macOS using homebrew
## If running Bash 3.2 included with macOS
brew install bash-completion
## or, if running Bash 4.1+
brew install bash-completion@2
## If kubectl is installed via homebrew, this should start working immediately
## If you've installed via other means, you may need add the completion to your completion directory
kubectl completion bash > $(brew --prefix)/etc/bash_completion.d/kubectl
# Installing bash completion on Linux
## If bash-completion is not installed on Linux, install the 'bash-completion' package
## via your distribution's package manager.
## Load the kubectl completion code for bash into the current shell
source <(kubectl completion bash)
## Write bash completion code to a file and source it from .bash_profile
kubectl completion bash > ~/.kube/completion.bash.inc
printf "
# kubectl shell completion
source '$HOME/.kube/completion.bash.inc'
" >> $HOME/.bash_profile
source $HOME/.bash_profile
# Load the kubectl completion code for zsh[1] into the current shell
source <(kubectl completion zsh)
# Set the kubectl completion code for zsh[1] to autoload on startup
kubectl completion zsh > "${fpath[1]}/_kubectl"
# Load the kubectl completion code for fish[2] into the current shell
kubectl completion fish | source
# To load completions for each session, execute once:
kubectl completion fish > ~/.config/fish/completions/kubectl.fish
# Load the kubectl completion code for powershell into the current shell
kubectl completion powershell | Out-String | Invoke-Expression
# Set kubectl completion code for powershell to run on startup
## Save completion code to a script and execute in the profile
kubectl completion powershell > $HOME\.kube\completion.ps1
Add-Content $PROFILE "$HOME\.kube\completion.ps1"
## Execute completion code in the profile
Add-Content $PROFILE "if (Get-Command kubectl -ErrorAction SilentlyContinue) {
kubectl completion powershell | Out-String | Invoke-Expression
}"
## Add completion code directly to the $PROFILE script
kubectl completion powershell >> $PROFILE
Options
-h, --help |
| help for completion |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.12 - kubectl config
Synopsis
Modify kubeconfig files using subcommands like "kubectl config set current-context my-context".
The loading order follows these rules:
- If the --kubeconfig flag is set, then only that file is loaded. The flag may only be set once and no merging takes place.
- If $KUBECONFIG environment variable is set, then it is used as a list of paths (normal path delimiting rules for your system). These paths are merged. When a value is modified, it is modified in the file that defines the stanza. When a value is created, it is created in the first file that exists. If no files in the chain exist, then it creates the last file in the list.
- Otherwise, ${HOME}/.kube/config is used and no merging takes place.
kubectl config SUBCOMMAND
Options
-h, --help |
| help for config |
--kubeconfig string |
| use a particular kubeconfig file |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.1 - kubectl config current-context
Synopsis
Display the current-context.
kubectl config current-context [flags]
Examples
# Display the current-context
kubectl config current-context
Options
-h, --help |
| help for current-context |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.2 - kubectl config delete-cluster
Synopsis
Delete the specified cluster from the kubeconfig.
kubectl config delete-cluster NAME
Examples
# Delete the minikube cluster
kubectl config delete-cluster minikube
Options
-h, --help |
| help for delete-cluster |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.3 - kubectl config delete-context
Synopsis
Delete the specified context from the kubeconfig.
kubectl config delete-context NAME
Examples
# Delete the context for the minikube cluster
kubectl config delete-context minikube
Options
-h, --help |
| help for delete-context |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.4 - kubectl config delete-user
Synopsis
Delete the specified user from the kubeconfig.
kubectl config delete-user NAME
Examples
# Delete the minikube user
kubectl config delete-user minikube
Options
-h, --help |
| help for delete-user |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.5 - kubectl config get-clusters
Synopsis
Display clusters defined in the kubeconfig.
kubectl config get-clusters [flags]
Examples
# List the clusters that kubectl knows about
kubectl config get-clusters
Options
-h, --help |
| help for get-clusters |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.6 - kubectl config get-contexts
Synopsis
Display one or many contexts from the kubeconfig file.
kubectl config get-contexts [(-o|--output=)name)]
Examples
# List all the contexts in your kubeconfig file
kubectl config get-contexts
# Describe one context in your kubeconfig file
kubectl config get-contexts my-context
Options
-h, --help |
| help for get-contexts |
--no-headers |
| When using the default or custom-column output format, don't print headers (default print headers). |
-o, --output string |
| Output format. One of: (name). |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.7 - kubectl config get-users
Synopsis
Display users defined in the kubeconfig.
kubectl config get-users [flags]
Examples
# List the users that kubectl knows about
kubectl config get-users
Options
-h, --help |
| help for get-users |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.8 - kubectl config rename-context
Synopsis
Renames a context from the kubeconfig file.
CONTEXT_NAME is the context name that you want to change.
NEW_NAME is the new name you want to set.
Note: If the context being renamed is the 'current-context', this field will also be updated.
kubectl config rename-context CONTEXT_NAME NEW_NAME
Examples
# Rename the context 'old-name' to 'new-name' in your kubeconfig file
kubectl config rename-context old-name new-name
Options
-h, --help |
| help for rename-context |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.9 - kubectl config set
Synopsis
Set an individual value in a kubeconfig file.
PROPERTY_NAME is a dot delimited name where each token represents either an attribute name or a map key. Map keys may not contain dots.
PROPERTY_VALUE is the new value you want to set. Binary fields such as 'certificate-authority-data' expect a base64 encoded string unless the --set-raw-bytes flag is used.
Specifying an attribute name that already exists will merge new fields on top of existing values.
kubectl config set PROPERTY_NAME PROPERTY_VALUE
Examples
# Set the server field on the my-cluster cluster to https://1.2.3.4
kubectl config set clusters.my-cluster.server https://1.2.3.4
# Set the certificate-authority-data field on the my-cluster cluster
kubectl config set clusters.my-cluster.certificate-authority-data $(echo "cert_data_here" | base64 -i -)
# Set the cluster field in the my-context context to my-cluster
kubectl config set contexts.my-context.cluster my-cluster
# Set the client-key-data field in the cluster-admin user using --set-raw-bytes option
kubectl config set users.cluster-admin.client-key-data cert_data_here --set-raw-bytes=true
Options
-h, --help |
| help for set |
--set-raw-bytes tristate[=true] |
| When writing a []byte PROPERTY_VALUE, write the given string directly without base64 decoding. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.10 - kubectl config set-cluster
Synopsis
Set a cluster entry in kubeconfig.
Specifying a name that already exists will merge new fields on top of existing values for those fields.
kubectl config set-cluster NAME [--server=server] [--certificate-authority=path/to/certificate/authority] [--insecure-skip-tls-verify=true] [--tls-server-name=example.com]
Examples
# Set only the server field on the e2e cluster entry without touching other values
kubectl config set-cluster e2e --server=https://1.2.3.4
# Embed certificate authority data for the e2e cluster entry
kubectl config set-cluster e2e --embed-certs --certificate-authority=~/.kube/e2e/kubernetes.ca.crt
# Disable cert checking for the e2e cluster entry
kubectl config set-cluster e2e --insecure-skip-tls-verify=true
# Set the custom TLS server name to use for validation for the e2e cluster entry
kubectl config set-cluster e2e --tls-server-name=my-cluster-name
# Set the proxy URL for the e2e cluster entry
kubectl config set-cluster e2e --proxy-url=https://1.2.3.4
Options
--certificate-authority string |
| Path to certificate-authority file for the cluster entry in kubeconfig |
--embed-certs tristate[=true] |
| embed-certs for the cluster entry in kubeconfig |
-h, --help |
| help for set-cluster |
--insecure-skip-tls-verify tristate[=true] |
| insecure-skip-tls-verify for the cluster entry in kubeconfig |
--proxy-url string |
| proxy-url for the cluster entry in kubeconfig |
--server string |
| server for the cluster entry in kubeconfig |
--tls-server-name string |
| tls-server-name for the cluster entry in kubeconfig |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.11 - kubectl config set-context
Synopsis
Set a context entry in kubeconfig.
Specifying a name that already exists will merge new fields on top of existing values for those fields.
kubectl config set-context [NAME | --current] [--cluster=cluster_nickname] [--user=user_nickname] [--namespace=namespace]
Examples
# Set the user field on the gce context entry without touching other values
kubectl config set-context gce --user=cluster-admin
Options
--cluster string |
| cluster for the context entry in kubeconfig |
--current |
| Modify the current context |
-h, --help |
| help for set-context |
--namespace string |
| namespace for the context entry in kubeconfig |
--user string |
| user for the context entry in kubeconfig |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.12 - kubectl config set-credentials
Synopsis
Set a user entry in kubeconfig.
Specifying a name that already exists will merge new fields on top of existing values.
Client-certificate flags:
--client-certificate=certfile --client-key=keyfile
Bearer token flags:
--token=bearer_token
Basic auth flags:
--username=basic_user --password=basic_password
Bearer token and basic auth are mutually exclusive.
kubectl config set-credentials NAME [--client-certificate=path/to/certfile] [--client-key=path/to/keyfile] [--token=bearer_token] [--username=basic_user] [--password=basic_password] [--auth-provider=provider_name] [--auth-provider-arg=key=value] [--exec-command=exec_command] [--exec-api-version=exec_api_version] [--exec-arg=arg] [--exec-env=key=value]
Examples
# Set only the "client-key" field on the "cluster-admin"
# entry, without touching other values
kubectl config set-credentials cluster-admin --client-key=~/.kube/admin.key
# Set basic auth for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --username=admin --password=uXFGweU9l35qcif
# Embed client certificate data in the "cluster-admin" entry
kubectl config set-credentials cluster-admin --client-certificate=~/.kube/admin.crt --embed-certs=true
# Enable the Google Compute Platform auth provider for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --auth-provider=gcp
# Enable the OpenID Connect auth provider for the "cluster-admin" entry with additional arguments
kubectl config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-id=foo --auth-provider-arg=client-secret=bar
# Remove the "client-secret" config value for the OpenID Connect auth provider for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --auth-provider=oidc --auth-provider-arg=client-secret-
# Enable new exec auth plugin for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --exec-command=/path/to/the/executable --exec-api-version=client.authentication.k8s.io/v1beta1
# Define new exec auth plugin arguments for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --exec-arg=arg1 --exec-arg=arg2
# Create or update exec auth plugin environment variables for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --exec-env=key1=val1 --exec-env=key2=val2
# Remove exec auth plugin environment variables for the "cluster-admin" entry
kubectl config set-credentials cluster-admin --exec-env=var-to-remove-
Options
--auth-provider string |
| Auth provider for the user entry in kubeconfig |
--auth-provider-arg strings |
| 'key=value' arguments for the auth provider |
--client-certificate string |
| Path to client-certificate file for the user entry in kubeconfig |
--client-key string |
| Path to client-key file for the user entry in kubeconfig |
--embed-certs tristate[=true] |
| Embed client cert/key for the user entry in kubeconfig |
--exec-api-version string |
| API version of the exec credential plugin for the user entry in kubeconfig |
--exec-arg strings |
| New arguments for the exec credential plugin command for the user entry in kubeconfig |
--exec-command string |
| Command for the exec credential plugin for the user entry in kubeconfig |
--exec-env strings |
| 'key=value' environment values for the exec credential plugin |
-h, --help |
| help for set-credentials |
--password string |
| password for the user entry in kubeconfig |
--token string |
| token for the user entry in kubeconfig |
--username string |
| username for the user entry in kubeconfig |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--user string |
| The name of the kubeconfig user to use |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.13 - kubectl config unset
Synopsis
Unset an individual value in a kubeconfig file.
PROPERTY_NAME is a dot delimited name where each token represents either an attribute name or a map key. Map keys may not contain dots.
kubectl config unset PROPERTY_NAME
Examples
# Unset the current-context
kubectl config unset current-context
# Unset namespace in foo context
kubectl config unset contexts.foo.namespace
Options
-h, --help |
| help for unset |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.14 - kubectl config use-context
Synopsis
Set the current-context in a kubeconfig file.
kubectl config use-context CONTEXT_NAME
Examples
# Use the context for the minikube cluster
kubectl config use-context minikube
Options
-h, --help |
| help for use-context |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.12.15 - kubectl config view
Synopsis
Display merged kubeconfig settings or a specified kubeconfig file.
You can use --output jsonpath={...} to extract specific values using a jsonpath expression.
kubectl config view [flags]
Examples
# Show merged kubeconfig settings
kubectl config view
# Show merged kubeconfig settings, raw certificate data, and exposed secrets
kubectl config view --raw
# Get the password for the e2e user
kubectl config view -o jsonpath='{.users[?(@.name == "e2e")].user.password}'
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--flatten |
| Flatten the resulting kubeconfig file into self-contained output (useful for creating portable kubeconfig files) |
-h, --help |
| help for view |
--merge tristate[=true] Default: true |
| Merge the full hierarchy of kubeconfig files |
--minify |
| Remove all information not used by current-context from the output |
-o, --output string Default: "yaml" |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--raw |
| Display raw byte data and sensitive data |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| use a particular kubeconfig file |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.13 - kubectl cordon
Synopsis
Mark node as unschedulable.
kubectl cordon NODE
Examples
# Mark node "foo" as unschedulable
kubectl cordon foo
Options
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
-h, --help |
| help for cordon |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.14 - kubectl cp
Synopsis
Copy files and directories to and from containers.
kubectl cp <file-spec-src> <file-spec-dest>
Examples
# !!!Important Note!!!
# Requires that the 'tar' binary is present in your container
# image. If 'tar' is not present, 'kubectl cp' will fail.
#
# For advanced use cases, such as symlinks, wildcard expansion or
# file mode preservation, consider using 'kubectl exec'.
# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace>
tar cf - /tmp/foo | kubectl exec -i -n <some-namespace> <some-pod> -- tar xf - -C /tmp/bar
# Copy /tmp/foo from a remote pod to /tmp/bar locally
kubectl exec -n <some-namespace> <some-pod> -- tar cf - /tmp/foo | tar xf - -C /tmp/bar
# Copy /tmp/foo_dir local directory to /tmp/bar_dir in a remote pod in the default namespace
kubectl cp /tmp/foo_dir <some-pod>:/tmp/bar_dir
# Copy /tmp/foo local file to /tmp/bar in a remote pod in a specific container
kubectl cp /tmp/foo <some-pod>:/tmp/bar -c <specific-container>
# Copy /tmp/foo local file to /tmp/bar in a remote pod in namespace <some-namespace>
kubectl cp /tmp/foo <some-namespace>/<some-pod>:/tmp/bar
# Copy /tmp/foo from a remote pod to /tmp/bar locally
kubectl cp <some-namespace>/<some-pod>:/tmp/foo /tmp/bar
Options
-c, --container string |
| Container name. If omitted, use the kubectl.kubernetes.io/default-container annotation for selecting the container to be attached or the first container in the pod will be chosen |
-h, --help |
| help for cp |
--no-preserve |
| The copied file/directory's ownership and permissions will not be preserved in the container |
--retries int |
| Set number of retries to complete a copy operation from a container. Specify 0 to disable or any negative value for infinite retrying. The default is 0 (no retry). |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.15 - kubectl create
Synopsis
Create a resource from a file or from stdin.
JSON and YAML formats are accepted.
kubectl create -f FILENAME
Examples
# Create a pod using the data in pod.json
kubectl create -f ./pod.json
# Create a pod based on the JSON passed into stdin
cat pod.json | kubectl create -f -
# Edit the data in registry.yaml in JSON then create the resource using the edited data
kubectl create -f registry.yaml --edit -o json
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--edit |
| Edit the API resource before creating |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files to use to create the resource |
-h, --help |
| help for create |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--raw string |
| Raw URI to POST to the server. Uses the transport specified by the kubeconfig file. |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--windows-line-endings |
| Only relevant if --edit=true. Defaults to the line ending native to your platform. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.1 - kubectl create clusterrole
Synopsis
Create a cluster role.
kubectl create clusterrole NAME --verb=verb --resource=resource.group [--resource-name=resourcename] [--dry-run=server|client|none]
Examples
# Create a cluster role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
kubectl create clusterrole pod-reader --verb=get,list,watch --resource=pods
# Create a cluster role named "pod-reader" with ResourceName specified
kubectl create clusterrole pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
# Create a cluster role named "foo" with API Group specified
kubectl create clusterrole foo --verb=get,list,watch --resource=rs.apps
# Create a cluster role named "foo" with SubResource specified
kubectl create clusterrole foo --verb=get,list,watch --resource=pods,pods/status
# Create a cluster role name "foo" with NonResourceURL specified
kubectl create clusterrole "foo" --verb=get --non-resource-url=/logs/*
# Create a cluster role name "monitoring" with AggregationRule specified
kubectl create clusterrole monitoring --aggregation-rule="rbac.example.com/aggregate-to-monitoring=true"
Options
--aggregation-rule <comma-separated 'key=value' pairs> |
| An aggregation label selector for combining ClusterRoles. |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for clusterrole |
--non-resource-url strings |
| A partial url that user should have access to. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--resource strings |
| Resource that the rule applies to |
--resource-name strings |
| Resource in the white list that the rule applies to, repeat this flag for multiple items |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--verb strings |
| Verb that applies to the resources contained in the rule |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.2 - kubectl create clusterrolebinding
Synopsis
Create a cluster role binding for a particular cluster role.
kubectl create clusterrolebinding NAME --clusterrole=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
Examples
# Create a cluster role binding for user1, user2, and group1 using the cluster-admin cluster role
kubectl create clusterrolebinding cluster-admin --clusterrole=cluster-admin --user=user1 --user=user2 --group=group1
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--clusterrole string |
| ClusterRole this ClusterRoleBinding should reference |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
--group strings |
| Groups to bind to the clusterrole. The flag can be repeated to add multiple groups. |
-h, --help |
| help for clusterrolebinding |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--serviceaccount strings |
| Service accounts to bind to the clusterrole, in the format <namespace>:<name>. The flag can be repeated to add multiple service accounts. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--user strings |
| Usernames to bind to the clusterrole. The flag can be repeated to add multiple users. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.3 - kubectl create configmap
Synopsis
Create a config map based on a file, directory, or specified literal value.
A single config map may package one or more key/value pairs.
When creating a config map based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key, you may specify an alternate key.
When creating a config map based on a directory, each file whose basename is a valid key in the directory will be packaged into the config map. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc).
kubectl create configmap NAME [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none]
Examples
# Create a new config map named my-config based on folder bar
kubectl create configmap my-config --from-file=path/to/bar
# Create a new config map named my-config with specified keys instead of file basenames on disk
kubectl create configmap my-config --from-file=key1=/path/to/bar/file1.txt --from-file=key2=/path/to/bar/file2.txt
# Create a new config map named my-config with key1=config1 and key2=config2
kubectl create configmap my-config --from-literal=key1=config1 --from-literal=key2=config2
# Create a new config map named my-config from the key=value pairs in the file
kubectl create configmap my-config --from-file=path/to/bar
# Create a new config map named my-config from an env file
kubectl create configmap my-config --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--append-hash |
| Append a hash of the configmap to its name. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
--from-env-file strings |
| Specify the path to a file to read lines of key=val pairs to create a configmap. |
--from-file strings |
| Key file can be specified using its file path, in which case file basename will be used as configmap key, or optionally with a key and file path, in which case the given key will be used. Specifying a directory will iterate each named file in the directory whose basename is a valid configmap key. |
--from-literal strings |
| Specify a key and literal value to insert in configmap (i.e. mykey=somevalue) |
-h, --help |
| help for configmap |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.4 - kubectl create cronjob
Synopsis
Create a cron job with the specified name.
kubectl create cronjob NAME --image=image --schedule='0/5 * * * ?' -- [COMMAND] [args...] [flags]
Examples
# Create a cron job
kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *"
# Create a cron job with a command
kubectl create cronjob my-job --image=busybox --schedule="*/1 * * * *" -- date
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for cronjob |
--image string |
| Image name to run. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--restart string |
| job's restart policy. supported values: OnFailure, Never |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--schedule string |
| A schedule in the Cron format the job should be run with. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.5 - kubectl create deployment
Synopsis
Create a deployment with the specified name.
kubectl create deployment NAME --image=image -- [COMMAND] [args...]
Examples
# Create a deployment named my-dep that runs the busybox image
kubectl create deployment my-dep --image=busybox
# Create a deployment with a command
kubectl create deployment my-dep --image=busybox -- date
# Create a deployment named my-dep that runs the nginx image with 3 replicas
kubectl create deployment my-dep --image=nginx --replicas=3
# Create a deployment named my-dep that runs the busybox image and expose port 5701
kubectl create deployment my-dep --image=busybox --port=5701
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for deployment |
--image strings |
| Image names to run. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--port int32 Default: -1 |
| The port that this container exposes. |
-r, --replicas int32 Default: 1 |
| Number of replicas to create. Default is 1. |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.6 - kubectl create ingress
Synopsis
Create an ingress with the specified name.
kubectl create ingress NAME --rule=host/path=service:port[,tls[=secret]]
Examples
# Create a single ingress called 'simple' that directs requests to foo.com/bar to svc
# svc1:8080 with a TLS secret "my-cert"
kubectl create ingress simple --rule="foo.com/bar=svc1:8080,tls=my-cert"
# Create a catch all ingress of "/path" pointing to service svc:port and Ingress Class as "otheringress"
kubectl create ingress catch-all --class=otheringress --rule="/path=svc:port"
# Create an ingress with two annotations: ingress.annotation1 and ingress.annotations2
kubectl create ingress annotated --class=default --rule="foo.com/bar=svc:port" \
--annotation ingress.annotation1=foo \
--annotation ingress.annotation2=bla
# Create an ingress with the same host and multiple paths
kubectl create ingress multipath --class=default \
--rule="foo.com/=svc:port" \
--rule="foo.com/admin/=svcadmin:portadmin"
# Create an ingress with multiple hosts and the pathType as Prefix
kubectl create ingress ingress1 --class=default \
--rule="foo.com/path*=svc:8080" \
--rule="bar.com/admin*=svc2:http"
# Create an ingress with TLS enabled using the default ingress certificate and different path types
kubectl create ingress ingtls --class=default \
--rule="foo.com/=svc:https,tls" \
--rule="foo.com/path/subpath*=othersvc:8080"
# Create an ingress with TLS enabled using a specific secret and pathType as Prefix
kubectl create ingress ingsecret --class=default \
--rule="foo.com/*=svc:8080,tls=secret1"
# Create an ingress with a default backend
kubectl create ingress ingdefault --class=default \
--default-backend=defaultsvc:http \
--rule="foo.com/*=svc:8080,tls=secret1"
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--annotation strings |
| Annotation to insert in the ingress object, in the format annotation=value |
--class string |
| Ingress Class to be used |
--default-backend string |
| Default service for backend, in format of svcname:port |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for ingress |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--rule strings |
| Rule in format host/path=service:port[,tls=secretname]. Paths containing the leading character '*' are considered pathType=Prefix. tls argument is optional. |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.7 - kubectl create job
Synopsis
Create a job with the specified name.
kubectl create job NAME --image=image [--from=cronjob/name] -- [COMMAND] [args...]
Examples
# Create a job
kubectl create job my-job --image=busybox
# Create a job with a command
kubectl create job my-job --image=busybox -- date
# Create a job from a cron job named "a-cronjob"
kubectl create job test-job --from=cronjob/a-cronjob
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
--from string |
| The name of the resource to create a Job from (only cronjob is supported). |
-h, --help |
| help for job |
--image string |
| Image name to run. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.8 - kubectl create namespace
Synopsis
Create a namespace with the specified name.
kubectl create namespace NAME [--dry-run=server|client|none]
Examples
# Create a new namespace named my-namespace
kubectl create namespace my-namespace
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for namespace |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.9 - kubectl create poddisruptionbudget
Synopsis
Create a pod disruption budget with the specified name, selector, and desired minimum available pods.
kubectl create poddisruptionbudget NAME --selector=SELECTOR --min-available=N [--dry-run=server|client|none]
Examples
# Create a pod disruption budget named my-pdb that will select all pods with the app=rails label
# and require at least one of them being available at any point in time
kubectl create poddisruptionbudget my-pdb --selector=app=rails --min-available=1
# Create a pod disruption budget named my-pdb that will select all pods with the app=nginx label
# and require at least half of the pods selected to be available at any point in time
kubectl create pdb my-pdb --selector=app=nginx --min-available=50%
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for poddisruptionbudget |
--max-unavailable string |
| The maximum number or percentage of unavailable pods this budget requires. |
--min-available string |
| The minimum number or percentage of available pods this budget requires. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--selector string |
| A label selector to use for this budget. Only equality-based selector requirements are supported. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.10 - kubectl create priorityclass
Synopsis
Create a priority class with the specified name, value, globalDefault and description.
kubectl create priorityclass NAME --value=VALUE --global-default=BOOL [--dry-run=server|client|none]
Examples
# Create a priority class named high-priority
kubectl create priorityclass high-priority --value=1000 --description="high priority"
# Create a priority class named default-priority that is considered as the global default priority
kubectl create priorityclass default-priority --value=1000 --global-default=true --description="default priority"
# Create a priority class named high-priority that cannot preempt pods with lower priority
kubectl create priorityclass high-priority --value=1000 --description="high priority" --preemption-policy="Never"
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--description string |
| description is an arbitrary string that usually provides guidelines on when this priority class should be used. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
--global-default |
| global-default specifies whether this PriorityClass should be considered as the default priority. |
-h, --help |
| help for priorityclass |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--preemption-policy string Default: "PreemptLowerPriority" |
| preemption-policy is the policy for preempting pods with lower priority. |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--value int32 |
| the value of this priority class. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.11 - kubectl create quota
Synopsis
Create a resource quota with the specified name, hard limits, and optional scopes.
kubectl create quota NAME [--hard=key1=value1,key2=value2] [--scopes=Scope1,Scope2] [--dry-run=server|client|none]
Examples
# Create a new resource quota named my-quota
kubectl create quota my-quota --hard=cpu=1,memory=1G,pods=2,services=3,replicationcontrollers=2,resourcequotas=1,secrets=5,persistentvolumeclaims=10
# Create a new resource quota named best-effort
kubectl create quota best-effort --hard=pods=100 --scopes=BestEffort
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
--hard string |
| A comma-delimited set of resource=quantity pairs that define a hard limit. |
-h, --help |
| help for quota |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--scopes string |
| A comma-delimited set of quota scopes that must all match each object tracked by the quota. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.12 - kubectl create role
Synopsis
Create a role with single rule.
kubectl create role NAME --verb=verb --resource=resource.group/subresource [--resource-name=resourcename] [--dry-run=server|client|none]
Examples
# Create a role named "pod-reader" that allows user to perform "get", "watch" and "list" on pods
kubectl create role pod-reader --verb=get --verb=list --verb=watch --resource=pods
# Create a role named "pod-reader" with ResourceName specified
kubectl create role pod-reader --verb=get --resource=pods --resource-name=readablepod --resource-name=anotherpod
# Create a role named "foo" with API Group specified
kubectl create role foo --verb=get,list,watch --resource=rs.apps
# Create a role named "foo" with SubResource specified
kubectl create role foo --verb=get,list,watch --resource=pods,pods/status
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for role |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--resource strings |
| Resource that the rule applies to |
--resource-name strings |
| Resource in the white list that the rule applies to, repeat this flag for multiple items |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--verb strings |
| Verb that applies to the resources contained in the rule |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.13 - kubectl create rolebinding
Synopsis
Create a role binding for a particular role or cluster role.
kubectl create rolebinding NAME --clusterrole=NAME|--role=NAME [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
Examples
# Create a role binding for user1, user2, and group1 using the admin cluster role
kubectl create rolebinding admin --clusterrole=admin --user=user1 --user=user2 --group=group1
# Create a role binding for serviceaccount monitoring:sa-dev using the admin role
kubectl create rolebinding admin-binding --role=admin --serviceaccount=monitoring:sa-dev
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--clusterrole string |
| ClusterRole this RoleBinding should reference |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
--group strings |
| Groups to bind to the role. The flag can be repeated to add multiple groups. |
-h, --help |
| help for rolebinding |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--role string |
| Role this RoleBinding should reference |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--serviceaccount strings |
| Service accounts to bind to the role, in the format <namespace>:<name>. The flag can be repeated to add multiple service accounts. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--user strings |
| Usernames to bind to the role. The flag can be repeated to add multiple users. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.14 - kubectl create secret
Synopsis
Create a secret with specified type.
A docker-registry type secret is for accessing a container registry.
A generic type secret indicate an Opaque secret type.
A tls type secret holds TLS certificate and its associated key.
kubectl create secret (docker-registry | generic | tls)
Options
-h, --help |
| help for secret |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.15 - kubectl create secret docker-registry
Synopsis
Create a new secret for use with Docker registries.
Dockercfg secrets are used to authenticate against Docker registries.
When using the Docker command line to push images, you can authenticate to a given registry by running:
'$ docker login DOCKER_REGISTRY_SERVER --username=DOCKER_USER --password=DOCKER_PASSWORD --email=DOCKER_EMAIL'.
That produces a ~/.dockercfg file that is used by subsequent 'docker push' and 'docker pull' commands to authenticate to the registry. The email address is optional.
When creating applications, you may have a Docker registry that requires authentication. In order for the
nodes to pull images on your behalf, they must have the credentials. You can provide this information
by creating a dockercfg secret and attaching it to your service account.
kubectl create secret docker-registry NAME --docker-username=user --docker-password=password --docker-email=email [--docker-server=string] [--from-file=[key=]source] [--dry-run=server|client|none]
Examples
# If you do not already have a .dockercfg file, create a dockercfg secret directly
kubectl create secret docker-registry my-secret --docker-server=DOCKER_REGISTRY_SERVER --docker-username=DOCKER_USER --docker-password=DOCKER_PASSWORD --docker-email=DOCKER_EMAIL
# Create a new secret named my-secret from ~/.docker/config.json
kubectl create secret docker-registry my-secret --from-file=.dockerconfigjson=path/to/.docker/config.json
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--append-hash |
| Append a hash of the secret to its name. |
--docker-email string |
| Email for Docker registry |
--docker-password string |
| Password for Docker registry authentication |
--docker-server string Default: "https://index.docker.io/v1/" |
| Server location for Docker registry |
--docker-username string |
| Username for Docker registry authentication |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
--from-file strings |
| Key files can be specified using their file path, in which case a default name will be given to them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will iterate each named file in the directory that is a valid secret key. |
-h, --help |
| help for docker-registry |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.16 - kubectl create secret generic
Synopsis
Create a secret based on a file, directory, or specified literal value.
A single secret may package one or more key/value pairs.
When creating a secret based on a file, the key will default to the basename of the file, and the value will default to the file content. If the basename is an invalid key or you wish to chose your own, you may specify an alternate key.
When creating a secret based on a directory, each file whose basename is a valid key in the directory will be packaged into the secret. Any directory entries except regular files are ignored (e.g. subdirectories, symlinks, devices, pipes, etc).
kubectl create secret generic NAME [--type=string] [--from-file=[key=]source] [--from-literal=key1=value1] [--dry-run=server|client|none]
Examples
# Create a new secret named my-secret with keys for each file in folder bar
kubectl create secret generic my-secret --from-file=path/to/bar
# Create a new secret named my-secret with specified keys instead of names on disk
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-file=ssh-publickey=path/to/id_rsa.pub
# Create a new secret named my-secret with key1=supersecret and key2=topsecret
kubectl create secret generic my-secret --from-literal=key1=supersecret --from-literal=key2=topsecret
# Create a new secret named my-secret using a combination of a file and a literal
kubectl create secret generic my-secret --from-file=ssh-privatekey=path/to/id_rsa --from-literal=passphrase=topsecret
# Create a new secret named my-secret from env files
kubectl create secret generic my-secret --from-env-file=path/to/foo.env --from-env-file=path/to/bar.env
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--append-hash |
| Append a hash of the secret to its name. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
--from-env-file strings |
| Specify the path to a file to read lines of key=val pairs to create a secret. |
--from-file strings |
| Key files can be specified using their file path, in which case a default name will be given to them, or optionally with a name and file path, in which case the given name will be used. Specifying a directory will iterate each named file in the directory that is a valid secret key. |
--from-literal strings |
| Specify a key and literal value to insert in secret (i.e. mykey=somevalue) |
-h, --help |
| help for generic |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--type string |
| The type of secret to create |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.17 - kubectl create secret tls
Synopsis
Create a TLS secret from the given public/private key pair.
The public/private key pair must exist beforehand. The public key certificate must be .PEM encoded and match the given private key.
kubectl create secret tls NAME --cert=path/to/cert/file --key=path/to/key/file [--dry-run=server|client|none]
Examples
# Create a new TLS secret named tls-secret with the given key pair
kubectl create secret tls tls-secret --cert=path/to/tls.cert --key=path/to/tls.key
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--append-hash |
| Append a hash of the secret to its name. |
--cert string |
| Path to PEM encoded public key certificate. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for tls |
--key string |
| Path to private key associated with given certificate. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.18 - kubectl create service
Synopsis
Create a service using a specified subcommand.
kubectl create service [flags]
Options
-h, --help |
| help for service |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.19 - kubectl create service clusterip
Synopsis
Create a ClusterIP service with the specified name.
kubectl create service clusterip NAME [--tcp=<port>:<targetPort>] [--dry-run=server|client|none]
Examples
# Create a new ClusterIP service named my-cs
kubectl create service clusterip my-cs --tcp=5678:8080
# Create a new ClusterIP service named my-cs (in headless mode)
kubectl create service clusterip my-cs --clusterip="None"
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--clusterip string |
| Assign your own ClusterIP or set to 'None' for a 'headless' service (no loadbalancing). |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for clusterip |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--tcp strings |
| Port pairs can be specified as '<port>:<targetPort>'. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.20 - kubectl create service externalname
Synopsis
Create an ExternalName service with the specified name.
ExternalName service references to an external DNS address instead of only pods, which will allow application authors to reference services that exist off platform, on other clusters, or locally.
kubectl create service externalname NAME --external-name external.name [--dry-run=server|client|none]
Examples
# Create a new ExternalName service named my-ns
kubectl create service externalname my-ns --external-name bar.com
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--external-name string |
| External name of service |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for externalname |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--tcp strings |
| Port pairs can be specified as '<port>:<targetPort>'. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.21 - kubectl create service loadbalancer
Synopsis
Create a LoadBalancer service with the specified name.
kubectl create service loadbalancer NAME [--tcp=port:targetPort] [--dry-run=server|client|none]
Examples
# Create a new LoadBalancer service named my-lbs
kubectl create service loadbalancer my-lbs --tcp=5678:8080
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for loadbalancer |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--tcp strings |
| Port pairs can be specified as '<port>:<targetPort>'. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.22 - kubectl create service nodeport
Synopsis
Create a NodePort service with the specified name.
kubectl create service nodeport NAME [--tcp=port:targetPort] [--dry-run=server|client|none]
Examples
# Create a new NodePort service named my-ns
kubectl create service nodeport my-ns --tcp=5678:8080
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for nodeport |
--node-port int |
| Port used to expose the service on each node in a cluster. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--tcp strings |
| Port pairs can be specified as '<port>:<targetPort>'. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.23 - kubectl create serviceaccount
Synopsis
Create a service account with the specified name.
kubectl create serviceaccount NAME [--dry-run=server|client|none]
Examples
# Create a new service account named my-service-account
kubectl create serviceaccount my-service-account
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-create" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for serviceaccount |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.15.24 - kubectl create token
Synopsis
Request a service account token.
kubectl create token SERVICE_ACCOUNT_NAME
Examples
# Request a token to authenticate to the kube-apiserver as the service account "myapp" in the current namespace
kubectl create token myapp
# Request a token for a service account in a custom namespace
kubectl create token myapp --namespace myns
# Request a token with a custom expiration
kubectl create token myapp --duration 10m
# Request a token with a custom audience
kubectl create token myapp --audience https://example.com
# Request a token bound to an instance of a Secret object
kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret
# Request a token bound to an instance of a Secret object with a specific UID
kubectl create token myapp --bound-object-kind Secret --bound-object-name mysecret --bound-object-uid 0d4691ed-659b-4935-a832-355f77ee47cc
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--audience strings |
| Audience of the requested token. If unset, defaults to requesting a token for use with the Kubernetes API server. May be repeated to request a token valid for multiple audiences. |
--bound-object-kind string |
| Kind of an object to bind the token to. Supported kinds are Pod, Secret. If set, --bound-object-name must be provided. |
--bound-object-name string |
| Name of an object to bind the token to. The token will expire when the object is deleted. Requires --bound-object-kind. |
--bound-object-uid string |
| UID of an object to bind the token to. Requires --bound-object-kind and --bound-object-name. If unset, the UID of the existing object is used. |
--duration duration |
| Requested lifetime of the issued token. If not set, the lifetime will be determined by the server automatically. The server may return a token with a longer or shorter lifetime. |
-h, --help |
| help for token |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.16 - kubectl debug
Synopsis
Debug cluster resources using interactive debugging containers.
'debug' provides automation for common debugging tasks for cluster objects identified by resource and name. Pods will be used by default if no resource is specified.
The action taken by 'debug' varies depending on what resource is specified. Supported actions include:
- Workload: Create a copy of an existing pod with certain attributes changed, for example changing the image tag to a new version.
- Workload: Add an ephemeral container to an already running pod, for example to add debugging utilities without restarting the pod.
- Node: Create a new pod that runs in the node's host namespaces and can access the node's filesystem.
kubectl debug (POD | TYPE[[.VERSION].GROUP]/NAME) [ -- COMMAND [args...] ]
Examples
# Create an interactive debugging session in pod mypod and immediately attach to it.
kubectl debug mypod -it --image=busybox
# Create an interactive debugging session for the pod in the file pod.yaml and immediately attach to it.
# (requires the EphemeralContainers feature to be enabled in the cluster)
kubectl debug -f pod.yaml -it --image=busybox
# Create a debug container named debugger using a custom automated debugging image.
kubectl debug --image=myproj/debug-tools -c debugger mypod
# Create a copy of mypod adding a debug container and attach to it
kubectl debug mypod -it --image=busybox --copy-to=my-debugger
# Create a copy of mypod changing the command of mycontainer
kubectl debug mypod -it --copy-to=my-debugger --container=mycontainer -- sh
# Create a copy of mypod changing all container images to busybox
kubectl debug mypod --copy-to=my-debugger --set-image=*=busybox
# Create a copy of mypod adding a debug container and changing container images
kubectl debug mypod -it --copy-to=my-debugger --image=debian --set-image=app=app:debug,sidecar=sidecar:debug
# Create an interactive debugging session on a node and immediately attach to it.
# The container will run in the host namespaces and the host's filesystem will be mounted at /host
kubectl debug node/mynode -it --image=busybox
Options
--arguments-only |
| If specified, everything after -- will be passed to the new container as Args instead of Command. |
--attach |
| If true, wait for the container to start running, and then attach as if 'kubectl attach ...' were called. Default false, unless '-i/--stdin' is set, in which case the default is true. |
-c, --container string |
| Container name to use for debug container. |
--copy-to string |
| Create a copy of the target Pod with this name. |
--env stringToString Default: [] |
| Environment variables to set in the container. |
-f, --filename strings |
| identifying the resource to debug |
-h, --help |
| help for debug |
--image string |
| Container image to use for debug container. |
--image-pull-policy string |
| The image pull policy for the container. If left empty, this value will not be specified by the client and defaulted by the server. |
--profile string Default: "legacy" |
| Debugging profile. Options are "legacy", "general", "baseline", "netadmin", or "restricted". |
-q, --quiet |
| If true, suppress informational messages. |
--replace |
| When used with '--copy-to', delete the original Pod. |
--same-node |
| When used with '--copy-to', schedule the copy of target Pod on the same node. |
--set-image stringToString Default: [] |
| When used with '--copy-to', a list of name=image pairs for changing container images, similar to how 'kubectl set image' works. |
--share-processes Default: true |
| When used with '--copy-to', enable process namespace sharing in the copy. |
-i, --stdin |
| Keep stdin open on the container(s) in the pod, even if nothing is attached. |
--target string |
| When using an ephemeral container, target processes in this container name. |
-t, --tty |
| Allocate a TTY for the debugging container. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.17 - kubectl delete
Synopsis
Delete resources by file names, stdin, resources and names, or by resources and label selector.
JSON and YAML formats are accepted. Only one type of argument may be specified: file names, resources and names, or resources and label selector.
Some resources, such as pods, support graceful deletion. These resources define a default period before they are forcibly terminated (the grace period) but you may override that value with the --grace-period flag, or pass --now to set a grace-period of 1. Because these resources often represent entities in the cluster, deletion may not be acknowledged immediately. If the node hosting a pod is down or cannot reach the API server, termination may take significantly longer than the grace period. To force delete a resource, you must specify the --force flag. Note: only a subset of resources support graceful deletion. In absence of the support, the --grace-period flag is ignored.
IMPORTANT: Force deleting pods does not wait for confirmation that the pod's processes have been terminated, which can leave those processes running until the node detects the deletion and completes graceful deletion. If your processes use shared storage or talk to a remote API and depend on the name of the pod to identify themselves, force deleting those pods may result in multiple processes running on different machines using the same identification which may lead to data corruption or inconsistency. Only force delete pods when you are sure the pod is terminated, or if your application can tolerate multiple copies of the same pod running at once. Also, if you force delete pods, the scheduler may place new pods on those nodes before the node has released those resources and causing those pods to be evicted immediately.
Note that the delete command does NOT do resource version checks, so if someone submits an update to a resource right when you submit a delete, their update will be lost along with the rest of the resource.
After a CustomResourceDefinition is deleted, invalidation of discovery cache may take up to 6 hours. If you don't want to wait, you might want to run "kubectl api-resources" to refresh the discovery cache.
kubectl delete ([-f FILENAME] | [-k DIRECTORY] | TYPE [(NAME | -l label | --all)])
Examples
# Delete a pod using the type and name specified in pod.json
kubectl delete -f ./pod.json
# Delete resources from a directory containing kustomization.yaml - e.g. dir/kustomization.yaml
kubectl delete -k dir
# Delete resources from all files that end with '.json'
kubectl delete -f '*.json'
# Delete a pod based on the type and name in the JSON passed into stdin
cat pod.json | kubectl delete -f -
# Delete pods and services with same names "baz" and "foo"
kubectl delete pod,service baz foo
# Delete pods and services with label name=myLabel
kubectl delete pods,services -l name=myLabel
# Delete a pod with minimal delay
kubectl delete pod foo --now
# Force delete a pod on a dead node
kubectl delete pod foo --force
# Delete all pods
kubectl delete pods --all
Options
--all |
| Delete all resources, in the namespace of the specified resource types. |
-A, --all-namespaces |
| If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. |
--cascade string[="background"] Default: "background" |
| Must be "background", "orphan", or "foreground". Selects the deletion cascading strategy for the dependents (e.g. Pods created by a ReplicationController). Defaults to background. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-selector string |
| Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type. |
-f, --filename strings |
| containing the resource to delete. |
--force |
| If true, immediately remove resources from API and bypass graceful deletion. Note that immediate deletion of some resources may result in inconsistency or data loss and requires confirmation. |
--grace-period int Default: -1 |
| Period of time in seconds given to the resource to terminate gracefully. Ignored if negative. Set to 1 for immediate shutdown. Can only be set to 0 when --force is true (force deletion). |
-h, --help |
| help for delete |
--ignore-not-found |
| Treat "resource not found" as a successful delete. Defaults to "true" when --all is specified. |
-i, --interactive |
| If true, delete resource only when user confirms. This flag is in Alpha. |
-k, --kustomize string |
| Process a kustomization directory. This flag can't be used together with -f or -R. |
--now |
| If true, resources are signaled for immediate shutdown (same as --grace-period=1). |
-o, --output string |
| Output mode. Use "-o name" for shorter output (resource/name). |
--raw string |
| Raw URI to DELETE to the server. Uses the transport specified by the kubeconfig file. |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--timeout duration |
| The length of time to wait before giving up on a delete, zero means determine a timeout from the size of the object |
--wait Default: true |
| If true, wait for resources to be gone before returning. This waits for finalizers. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.18 - kubectl describe
Synopsis
Show details of a specific resource or group of resources.
Print a detailed description of the selected resources, including related resources such as events or controllers. You may select a single object by name, all objects of that type, provide a name prefix, or label selector. For example:
$ kubectl describe TYPE NAME_PREFIX
will first check for an exact match on TYPE and NAME_PREFIX. If no such resource exists, it will output details for every resource that has a name prefixed with NAME_PREFIX.
Use "kubectl api-resources" for a complete list of supported resources.
kubectl describe (-f FILENAME | TYPE [NAME_PREFIX | -l label] | TYPE/NAME)
Examples
# Describe a node
kubectl describe nodes kubernetes-node-emt8.c.myproject.internal
# Describe a pod
kubectl describe pods/nginx
# Describe a pod identified by type and name in "pod.json"
kubectl describe -f pod.json
# Describe all pods
kubectl describe pods
# Describe pods by label name=myLabel
kubectl describe pods -l name=myLabel
# Describe all pods managed by the 'frontend' replication controller
# (rc-created pods get the name of the rc as a prefix in the pod name)
kubectl describe pods frontend
Options
-A, --all-namespaces |
| If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. |
--chunk-size int Default: 500 |
| Return large lists in chunks rather than all at once. Pass 0 to disable. This flag is beta and may change in the future. |
-f, --filename strings |
| Filename, directory, or URL to files containing the resource to describe |
-h, --help |
| help for describe |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-events Default: true |
| If true, display events related to the described object. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.19 - kubectl diff
Synopsis
Diff configurations specified by file name or stdin between the current online configuration, and the configuration as it would be if applied.
The output is always YAML.
KUBECTL_EXTERNAL_DIFF environment variable can be used to select your own diff command. Users can use external commands with params too, example: KUBECTL_EXTERNAL_DIFF="colordiff -N -u"
By default, the "diff" command available in your path will be run with the "-u" (unified diff) and "-N" (treat absent files as empty) options.
Exit status: 0 No differences were found. 1 Differences were found. >1 Kubectl or diff failed with an error.
Note: KUBECTL_EXTERNAL_DIFF, if used, is expected to follow that convention.
kubectl diff -f FILENAME
Examples
# Diff resources included in pod.json
kubectl diff -f pod.json
# Diff file read from stdin
cat service.yaml | kubectl diff -f -
Options
--concurrency int Default: 1 |
| Number of objects to process in parallel when diffing against the live version. Larger number = faster, but more memory, I/O and CPU over that shorter period of time. |
--field-manager string Default: "kubectl-client-side-apply" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files contains the configuration to diff |
--force-conflicts |
| If true, server-side apply will force the changes against conflicts. |
-h, --help |
| help for diff |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
--prune |
| Include resources that would be deleted by pruning. Can be used with -l and default shows all resources would be pruned |
--prune-allowlist strings |
| Overwrite the default whitelist with <group/version/kind> for --prune |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--server-side |
| If true, apply runs in the server instead of the client. |
--show-managed-fields |
| If true, include managed fields in the diff. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.20 - kubectl drain
Synopsis
Drain node in preparation for maintenance.
The given node will be marked unschedulable to prevent new pods from arriving. 'drain' evicts the pods if the API server supports https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ eviction https://kubernetes.io/docs/concepts/workloads/pods/disruptions/ . Otherwise, it will use normal DELETE to delete the pods. The 'drain' evicts or deletes all pods except mirror pods (which cannot be deleted through the API server). If there are daemon set-managed pods, drain will not proceed without --ignore-daemonsets, and regardless it will not delete any daemon set-managed pods, because those pods would be immediately replaced by the daemon set controller, which ignores unschedulable markings. If there are any pods that are neither mirror pods nor managed by a replication controller, replica set, daemon set, stateful set, or job, then drain will not delete any pods unless you use --force. --force will also allow deletion to proceed if the managing resource of one or more pods is missing.
'drain' waits for graceful termination. You should not operate on the machine until the command completes.
When you are ready to put the node back into service, use kubectl uncordon, which will make the node schedulable again.
https://kubernetes.io/images/docs/kubectl_drain.svg Workflowhttps://kubernetes.io/images/docs/kubectl_drain.svg
kubectl drain NODE
Examples
# Drain node "foo", even if there are pods not managed by a replication controller, replica set, job, daemon set, or stateful set on it
kubectl drain foo --force
# As above, but abort if there are pods not managed by a replication controller, replica set, job, daemon set, or stateful set, and use a grace period of 15 minutes
kubectl drain foo --grace-period=900
Options
--chunk-size int Default: 500 |
| Return large lists in chunks rather than all at once. Pass 0 to disable. This flag is beta and may change in the future. |
--delete-emptydir-data |
| Continue even if there are pods using emptyDir (local data that will be deleted when the node is drained). |
--disable-eviction |
| Force drain to use delete, even if eviction is supported. This will bypass checking PodDisruptionBudgets, use with caution. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--force |
| Continue even if there are pods that do not declare a controller. |
--grace-period int Default: -1 |
| Period of time in seconds given to each pod to terminate gracefully. If negative, the default value specified in the pod will be used. |
-h, --help |
| help for drain |
--ignore-daemonsets |
| Ignore DaemonSet-managed pods. |
--pod-selector string |
| Label selector to filter pods on the node |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--skip-wait-for-delete-timeout int |
| If pod DeletionTimestamp older than N seconds, skip waiting for the pod. Seconds must be greater than 0 to skip. |
--timeout duration |
| The length of time to wait before giving up, zero means infinite |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.21 - kubectl edit
Synopsis
Edit a resource from the default editor.
The edit command allows you to directly edit any API resource you can retrieve via the command-line tools. It will open the editor defined by your KUBE_EDITOR, or EDITOR environment variables, or fall back to 'vi' for Linux or 'notepad' for Windows. When attempting to open the editor, it will first attempt to use the shell that has been defined in the 'SHELL' environment variable. If this is not defined, the default shell will be used, which is '/bin/bash' for Linux or 'cmd' for Windows.
You can edit multiple objects, although changes are applied one at a time. The command accepts file names as well as command-line arguments, although the files you point to must be previously saved versions of resources.
Editing is done with the API version used to fetch the resource. To edit using a specific API version, fully-qualify the resource, version, and group.
The default format is YAML. To edit in JSON, specify "-o json".
The flag --windows-line-endings can be used to force Windows line endings, otherwise the default for your operating system will be used.
In the event an error occurs while updating, a temporary file will be created on disk that contains your unapplied changes. The most common error when updating a resource is another editor changing the resource on the server. When this occurs, you will have to apply your changes to the newer version of the resource, or update your temporary saved copy to include the latest resource version.
kubectl edit (RESOURCE/NAME | -f FILENAME)
Examples
# Edit the service named 'registry'
kubectl edit svc/registry
# Use an alternative editor
KUBE_EDITOR="nano" kubectl edit svc/registry
# Edit the job 'myjob' in JSON using the v1 API format
kubectl edit job.v1.batch/myjob -o json
# Edit the deployment 'mydeployment' in YAML and save the modified config in its annotation
kubectl edit deployment/mydeployment -o yaml --save-config
# Edit the 'status' subresource for the 'mydeployment' deployment
kubectl edit deployment mydeployment --subresource='status'
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--field-manager string Default: "kubectl-edit" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files to use to edit the resource |
-h, --help |
| help for edit |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--output-patch |
| Output the patch if the resource is edited. |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--subresource string |
| If specified, edit will operate on the subresource of the requested object. Must be one of [status]. This flag is beta and may change in the future. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--windows-line-endings |
| Defaults to the line ending native to your platform. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.22 - kubectl events
Synopsis
Display events.
Prints a table of the most important information about events. You can request events for a namespace, for all namespace, or filtered to only those pertaining to a specified resource.
kubectl events [(-o|--output=)json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file] [--for TYPE/NAME] [--watch] [--types=Normal,Warning]
Examples
# List recent events in the default namespace
kubectl events
# List recent events in all namespaces
kubectl events --all-namespaces
# List recent events for the specified pod, then wait for more events and list them as they arrive
kubectl events --for pod/web-pod-13je7 --watch
# List recent events in YAML format
kubectl events -oyaml
# List recent only events of type 'Warning' or 'Normal'
kubectl events --types=Warning,Normal
Options
-A, --all-namespaces |
| If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--chunk-size int Default: 500 |
| Return large lists in chunks rather than all at once. Pass 0 to disable. This flag is beta and may change in the future. |
--for string |
| Filter events to only those pertaining to the specified resource. |
-h, --help |
| help for events |
--no-headers |
| When using the default output format, don't print headers. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--types strings |
| Output only events of given types. |
-w, --watch |
| After listing the requested events, watch for more events. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.23 - kubectl exec
Synopsis
Execute a command in a container.
kubectl exec (POD | TYPE/NAME) [-c CONTAINER] [flags] -- COMMAND [args...]
Examples
# Get output from running the 'date' command from pod mypod, using the first container by default
kubectl exec mypod -- date
# Get output from running the 'date' command in ruby-container from pod mypod
kubectl exec mypod -c ruby-container -- date
# Switch to raw terminal mode; sends stdin to 'bash' in ruby-container from pod mypod
# and sends stdout/stderr from 'bash' back to the client
kubectl exec mypod -c ruby-container -i -t -- bash -il
# List contents of /usr from the first container of pod mypod and sort by modification time
# If the command you want to execute in the pod has any flags in common (e.g. -i),
# you must use two dashes (--) to separate your command's flags/arguments
# Also note, do not surround your command and its flags/arguments with quotes
# unless that is how you would execute it normally (i.e., do ls -t /usr, not "ls -t /usr")
kubectl exec mypod -i -t -- ls -t /usr
# Get output from running 'date' command from the first pod of the deployment mydeployment, using the first container by default
kubectl exec deploy/mydeployment -- date
# Get output from running 'date' command from the first pod of the service myservice, using the first container by default
kubectl exec svc/myservice -- date
Options
-c, --container string |
| Container name. If omitted, use the kubectl.kubernetes.io/default-container annotation for selecting the container to be attached or the first container in the pod will be chosen |
-f, --filename strings |
| to use to exec into the resource |
-h, --help |
| help for exec |
--pod-running-timeout duration Default: 1m0s |
| The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running |
-q, --quiet |
| Only print output from the remote session |
-i, --stdin |
| Pass stdin to the container |
-t, --tty |
| Stdin is a TTY |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.24 - kubectl explain
Synopsis
Describe fields and structure of various resources.
This command describes the fields associated with each supported API resource. Fields are identified via a simple JSONPath identifier:
<type>.<fieldName>[.<fieldName>]
Information about each field is retrieved from the server in OpenAPI format.
Use "kubectl api-resources" for a complete list of supported resources.
kubectl explain TYPE [--recursive=FALSE|TRUE] [--api-version=api-version-group] [--output=plaintext|plaintext-openapiv2]
Examples
# Get the documentation of the resource and its fields
kubectl explain pods
# Get all the fields in the resource
kubectl explain pods --recursive
# Get the explanation for deployment in supported api versions
kubectl explain deployments --api-version=apps/v1
# Get the documentation of a specific field of a resource
kubectl explain pods.spec.containers
# Get the documentation of resources in different format
kubectl explain deployment --output=plaintext-openapiv2
Options
--api-version string |
| Use given api-version (group/version) of the resource. |
-h, --help |
| help for explain |
--output string Default: "plaintext" |
| Format in which to render the schema. Valid values are: (plaintext, plaintext-openapiv2). |
--recursive |
| When true, print the name of all the fields recursively. Otherwise, print the available fields with their description. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.25 - kubectl expose
Synopsis
Expose a resource as a new Kubernetes service.
Looks up a deployment, service, replica set, replication controller or pod by name and uses the selector for that resource as the selector for a new service on the specified port. A deployment or replica set will be exposed as a service only if its selector is convertible to a selector that service supports, i.e. when the selector contains only the matchLabels component. Note that if no port is specified via --port and the exposed resource has multiple ports, all will be re-used by the new service. Also if no labels are specified, the new service will re-use the labels from the resource it exposes.
Possible resources include (case insensitive):
pod (po), service (svc), replicationcontroller (rc), deployment (deploy), replicaset (rs)
kubectl expose (-f FILENAME | TYPE NAME) [--port=port] [--protocol=TCP|UDP|SCTP] [--target-port=number-or-name] [--name=name] [--external-ip=external-ip-of-service] [--type=type]
Examples
# Create a service for a replicated nginx, which serves on port 80 and connects to the containers on port 8000
kubectl expose rc nginx --port=80 --target-port=8000
# Create a service for a replication controller identified by type and name specified in "nginx-controller.yaml", which serves on port 80 and connects to the containers on port 8000
kubectl expose -f nginx-controller.yaml --port=80 --target-port=8000
# Create a service for a pod valid-pod, which serves on port 444 with the name "frontend"
kubectl expose pod valid-pod --port=444 --name=frontend
# Create a second service based on the above service, exposing the container port 8443 as port 443 with the name "nginx-https"
kubectl expose service nginx --port=443 --target-port=8443 --name=nginx-https
# Create a service for a replicated streaming application on port 4100 balancing UDP traffic and named 'video-stream'.
kubectl expose rc streamer --port=4100 --protocol=UDP --name=video-stream
# Create a service for a replicated nginx using replica set, which serves on port 80 and connects to the containers on port 8000
kubectl expose rs nginx --port=80 --target-port=8000
# Create a service for an nginx deployment, which serves on port 80 and connects to the containers on port 8000
kubectl expose deployment nginx --port=80 --target-port=8000
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--cluster-ip string |
| ClusterIP to be assigned to the service. Leave empty to auto-allocate, or set to 'None' to create a headless service. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--external-ip string |
| Additional external IP address (not managed by Kubernetes) to accept for the service. If this IP is routed to a node, the service can be accessed by this IP in addition to its generated service IP. |
--field-manager string Default: "kubectl-expose" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to expose a service |
-h, --help |
| help for expose |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-l, --labels string |
| Labels to apply to the service created by this call. |
--load-balancer-ip string |
| IP to assign to the LoadBalancer. If empty, an ephemeral IP will be created and used (cloud-provider specific). |
--name string |
| The name for the newly created object. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--override-type string Default: "merge" |
| The method used to override the generated object: json, merge, or strategic. |
--overrides string |
| An inline JSON override for the generated object. If this is non-empty, it is used to override the generated object. Requires that the object supply a valid apiVersion field. |
--port string |
| The port that the service should serve on. Copied from the resource being exposed, if unspecified |
--protocol string |
| The network protocol for the service to be created. Default is 'TCP'. |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--selector string |
| A label selector to use for this service. Only equality-based selector requirements are supported. If empty (the default) infer the selector from the replication controller or replica set.) |
--session-affinity string |
| If non-empty, set the session affinity for the service to this; legal values: 'None', 'ClientIP' |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--target-port string |
| Name or number for the port on the container that the service should direct traffic to. Optional. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--type string |
| Type for this service: ClusterIP, NodePort, LoadBalancer, or ExternalName. Default is 'ClusterIP'. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.26 - kubectl get
Synopsis
Display one or many resources.
Prints a table of the most important information about the specified resources. You can filter the list using a label selector and the --selector flag. If the desired resource type is namespaced you will only see results in your current namespace unless you pass --all-namespaces.
By specifying the output as 'template' and providing a Go template as the value of the --template flag, you can filter the attributes of the fetched resources.
Use "kubectl api-resources" for a complete list of supported resources.
kubectl get [(-o|--output=)json|yaml|name|go-template|go-template-file|template|templatefile|jsonpath|jsonpath-as-json|jsonpath-file|custom-columns|custom-columns-file|wide] (TYPE[.VERSION][.GROUP] [NAME | -l label] | TYPE[.VERSION][.GROUP]/NAME ...) [flags]
Examples
# List all pods in ps output format
kubectl get pods
# List all pods in ps output format with more information (such as node name)
kubectl get pods -o wide
# List a single replication controller with specified NAME in ps output format
kubectl get replicationcontroller web
# List deployments in JSON output format, in the "v1" version of the "apps" API group
kubectl get deployments.v1.apps -o json
# List a single pod in JSON output format
kubectl get -o json pod web-pod-13je7
# List a pod identified by type and name specified in "pod.yaml" in JSON output format
kubectl get -f pod.yaml -o json
# List resources from a directory with kustomization.yaml - e.g. dir/kustomization.yaml
kubectl get -k dir/
# Return only the phase value of the specified pod
kubectl get -o template pod/web-pod-13je7 --template={{.status.phase}}
# List resource information in custom columns
kubectl get pod test-pod -o custom-columns=CONTAINER:.spec.containers[0].name,IMAGE:.spec.containers[0].image
# List all replication controllers and services together in ps output format
kubectl get rc,services
# List one or more resources by their type and names
kubectl get rc/web service/frontend pods/web-pod-13je7
# List the 'status' subresource for a single pod
kubectl get pod web-pod-13je7 --subresource status
Options
-A, --all-namespaces |
| If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--chunk-size int Default: 500 |
| Return large lists in chunks rather than all at once. Pass 0 to disable. This flag is beta and may change in the future. |
--field-selector string |
| Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to get from a server. |
-h, --help |
| help for get |
--ignore-not-found |
| If the requested object does not exist the command will return exit code 0. |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-L, --label-columns strings |
| Accepts a comma separated list of labels that are going to be presented as columns. Names are case-sensitive. You can also use multiple flag options like -L label1 -L label2... |
--no-headers |
| When using the default or custom-column output format, don't print headers (default print headers). |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file, custom-columns, custom-columns-file, wide). See custom columns [https://kubernetes.io/docs/reference/kubectl/#custom-columns], golang template [http://golang.org/pkg/text/template/#pkg-overview] and jsonpath template [https://kubernetes.io/docs/reference/kubectl/jsonpath/]. |
--output-watch-events |
| Output watch event objects when --watch or --watch-only is used. Existing objects are output as initial ADDED events. |
--raw string |
| Raw URI to request from the server. Uses the transport specified by the kubeconfig file. |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--server-print Default: true |
| If true, have the server return the appropriate table output. Supports extension APIs and CRDs. |
--show-kind |
| If present, list the resource type for the requested object(s). |
--show-labels |
| When printing, show all labels as the last column (default hide labels column) |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--sort-by string |
| If non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string. |
--subresource string |
| If specified, gets the subresource of the requested object. Must be one of [status scale]. This flag is beta and may change in the future. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
-w, --watch |
| After listing/getting the requested object, watch for changes. |
--watch-only |
| Watch for changes to the requested object(s), without listing/getting first. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.27 - kubectl kustomize
Synopsis
Build a set of KRM resources using a 'kustomization.yaml' file. The DIR argument must be a path to a directory containing 'kustomization.yaml', or a git repository URL with a path suffix specifying same with respect to the repository root. If DIR is omitted, '.' is assumed.
kubectl kustomize DIR [flags]
Examples
# Build the current working directory
kubectl kustomize
# Build some shared configuration directory
kubectl kustomize /home/config/production
# Build from github
kubectl kustomize https://github.com/kubernetes-sigs/kustomize.git/examples/helloWorld?ref=v1.0.6
Options
--as-current-user |
| use the uid and gid of the command executor to run the function in the container |
--enable-alpha-plugins |
| enable kustomize plugins |
--enable-helm |
| Enable use of the Helm chart inflator generator. |
-e, --env strings |
| a list of environment variables to be used by functions |
--helm-command string Default: "helm" |
| helm command (path to executable) |
-h, --help |
| help for kustomize |
--load-restrictor string Default: "LoadRestrictionsRootOnly" |
| if set to 'LoadRestrictionsNone', local kustomizations may load files from outside their root. This does, however, break the relocatability of the kustomization. |
--mount strings |
| a list of storage options read from the filesystem |
--network |
| enable network access for functions that declare it |
--network-name string Default: "bridge" |
| the docker network to run the container in |
-o, --output string |
| If specified, write output to this path. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.28 - kubectl label
Synopsis
Update the labels on a resource.
- A label key and value must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters each.
- Optionally, the key can begin with a DNS subdomain prefix and a single '/', like example.com/my-app.
- If --overwrite is true, then existing labels can be overwritten, otherwise attempting to overwrite a label will result in an error.
- If --resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used.
kubectl label [--overwrite] (-f FILENAME | TYPE NAME) KEY_1=VAL_1 ... KEY_N=VAL_N [--resource-version=version]
Examples
# Update pod 'foo' with the label 'unhealthy' and the value 'true'
kubectl label pods foo unhealthy=true
# Update pod 'foo' with the label 'status' and the value 'unhealthy', overwriting any existing value
kubectl label --overwrite pods foo status=unhealthy
# Update all pods in the namespace
kubectl label pods --all status=unhealthy
# Update a pod identified by the type and name in "pod.json"
kubectl label -f pod.json status=unhealthy
# Update pod 'foo' only if the resource is unchanged from version 1
kubectl label pods foo status=unhealthy --resource-version=1
# Update pod 'foo' by removing a label named 'bar' if it exists
# Does not require the --overwrite flag
kubectl label pods foo bar-
Options
--all |
| Select all resources, in the namespace of the specified resource types |
-A, --all-namespaces |
| If true, check the specified action in all namespaces. |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-label" |
| Name of the manager used to track field ownership. |
--field-selector string |
| Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to update the labels |
-h, --help |
| help for label |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
--list |
| If true, display the labels for a given resource. |
--local |
| If true, label will NOT contact api-server but run locally. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--overwrite |
| If true, allow labels to be overwritten, otherwise reject label updates that overwrite existing labels. |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--resource-version string |
| If non-empty, the labels update will only succeed if this is the current resource-version for the object. Only valid when specifying a single resource. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.29 - kubectl logs
Synopsis
Print the logs for a container in a pod or specified resource. If the pod has only one container, the container name is optional.
kubectl logs [-f] [-p] (POD | TYPE/NAME) [-c CONTAINER]
Examples
# Return snapshot logs from pod nginx with only one container
kubectl logs nginx
# Return snapshot logs from pod nginx with multi containers
kubectl logs nginx --all-containers=true
# Return snapshot logs from all containers in pods defined by label app=nginx
kubectl logs -l app=nginx --all-containers=true
# Return snapshot of previous terminated ruby container logs from pod web-1
kubectl logs -p -c ruby web-1
# Begin streaming the logs of the ruby container in pod web-1
kubectl logs -f -c ruby web-1
# Begin streaming the logs from all containers in pods defined by label app=nginx
kubectl logs -f -l app=nginx --all-containers=true
# Display only the most recent 20 lines of output in pod nginx
kubectl logs --tail=20 nginx
# Show all logs from pod nginx written in the last hour
kubectl logs --since=1h nginx
# Show logs from a kubelet with an expired serving certificate
kubectl logs --insecure-skip-tls-verify-backend nginx
# Return snapshot logs from first container of a job named hello
kubectl logs job/hello
# Return snapshot logs from container nginx-1 of a deployment named nginx
kubectl logs deployment/nginx -c nginx-1
Options
--all-containers |
| Get all containers' logs in the pod(s). |
-c, --container string |
| Print the logs of this container |
-f, --follow |
| Specify if the logs should be streamed. |
-h, --help |
| help for logs |
--ignore-errors |
| If watching / following pod logs, allow for any errors that occur to be non-fatal |
--insecure-skip-tls-verify-backend |
| Skip verifying the identity of the kubelet that logs are requested from. In theory, an attacker could provide invalid log content back. You might want to use this if your kubelet serving certificates have expired. |
--limit-bytes int |
| Maximum bytes of logs to return. Defaults to no limit. |
--max-log-requests int Default: 5 |
| Specify maximum number of concurrent logs to follow when using by a selector. Defaults to 5. |
--pod-running-timeout duration Default: 20s |
| The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running |
--prefix |
| Prefix each log line with the log source (pod name and container name) |
-p, --previous |
| If true, print the logs for the previous instance of the container in a pod if it exists. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--since duration |
| Only return logs newer than a relative duration like 5s, 2m, or 3h. Defaults to all logs. Only one of since-time / since may be used. |
--since-time string |
| Only return logs after a specific date (RFC3339). Defaults to all logs. Only one of since-time / since may be used. |
--tail int Default: -1 |
| Lines of recent log file to display. Defaults to -1 with no selector, showing all log lines otherwise 10, if a selector is provided. |
--timestamps |
| Include timestamps on each line in the log output |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.30 - kubectl options
Synopsis
Print the list of flags inherited by all commands
kubectl options [flags]
Examples
# Print flags inherited by all commands
kubectl options
Options
-h, --help |
| help for options |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.31 - kubectl patch
Synopsis
Update fields of a resource using strategic merge patch, a JSON merge patch, or a JSON patch.
JSON and YAML formats are accepted.
Note: Strategic merge patch is not supported for custom resources.
kubectl patch (-f FILENAME | TYPE NAME) [-p PATCH|--patch-file FILE]
Examples
# Partially update a node using a strategic merge patch, specifying the patch as JSON
kubectl patch node k8s-node-1 -p '{"spec":{"unschedulable":true}}'
# Partially update a node using a strategic merge patch, specifying the patch as YAML
kubectl patch node k8s-node-1 -p $'spec:\n unschedulable: true'
# Partially update a node identified by the type and name specified in "node.json" using strategic merge patch
kubectl patch -f node.json -p '{"spec":{"unschedulable":true}}'
# Update a container's image; spec.containers[*].name is required because it's a merge key
kubectl patch pod valid-pod -p '{"spec":{"containers":[{"name":"kubernetes-serve-hostname","image":"new image"}]}}'
# Update a container's image using a JSON patch with positional arrays
kubectl patch pod valid-pod --type='json' -p='[{"op": "replace", "path": "/spec/containers/0/image", "value":"new image"}]'
# Update a deployment's replicas through the 'scale' subresource using a merge patch
kubectl patch deployment nginx-deployment --subresource='scale' --type='merge' -p '{"spec":{"replicas":2}}'
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-patch" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to update |
-h, --help |
| help for patch |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
--local |
| If true, patch will operate on the content of the file, not the server-side resource. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-p, --patch string |
| The patch to be applied to the resource JSON file. |
--patch-file string |
| A file containing a patch to be applied to the resource. |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--subresource string |
| If specified, patch will operate on the subresource of the requested object. Must be one of [status scale]. This flag is beta and may change in the future. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--type string Default: "strategic" |
| The type of patch being provided; one of [json merge strategic] |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.32 - kubectl plugin
Synopsis
Provides utilities for interacting with plugins.
Plugins provide extended functionality that is not part of the major command-line distribution. Please refer to the documentation and examples for more information about how write your own plugins.
The easiest way to discover and install plugins is via the kubernetes sub-project krew. To install krew, visit https://krew.sigs.k8s.io/docs/user-guide/setup/install/ krew.sigs.k8s.io https://krew.sigs.k8s.io/docs/user-guide/setup/install/
kubectl plugin [flags]
Options
-h, --help |
| help for plugin |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
- kubectl plugin list - List all visible plugin executables on a user's PATH
2.32.1 - kubectl plugin list
Synopsis
List all available plugin files on a user's PATH.
Available plugin files are those that are: - executable - anywhere on the user's PATH - begin with "kubectl-"
kubectl plugin list [flags]
Examples
# List all available plugins
kubectl plugin list
Options
-h, --help |
| help for list |
--name-only |
| If true, display only the binary name of each plugin, rather than its full path |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.33 - kubectl port-forward
Synopsis
Forward one or more local ports to a pod.
Use resource type/name such as deployment/mydeployment to select a pod. Resource type defaults to 'pod' if omitted.
If there are multiple pods matching the criteria, a pod will be selected automatically. The forwarding session ends when the selected pod terminates, and a rerun of the command is needed to resume forwarding.
kubectl port-forward TYPE/NAME [options] [LOCAL_PORT:]REMOTE_PORT [...[LOCAL_PORT_N:]REMOTE_PORT_N]
Examples
# Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in the pod
kubectl port-forward pod/mypod 5000 6000
# Listen on ports 5000 and 6000 locally, forwarding data to/from ports 5000 and 6000 in a pod selected by the deployment
kubectl port-forward deployment/mydeployment 5000 6000
# Listen on port 8443 locally, forwarding to the targetPort of the service's port named "https" in a pod selected by the service
kubectl port-forward service/myservice 8443:https
# Listen on port 8888 locally, forwarding to 5000 in the pod
kubectl port-forward pod/mypod 8888:5000
# Listen on port 8888 on all addresses, forwarding to 5000 in the pod
kubectl port-forward --address 0.0.0.0 pod/mypod 8888:5000
# Listen on port 8888 on localhost and selected IP, forwarding to 5000 in the pod
kubectl port-forward --address localhost,10.19.21.23 pod/mypod 8888:5000
# Listen on a random port locally, forwarding to 5000 in the pod
kubectl port-forward pod/mypod :5000
Options
--address strings Default: "localhost" |
| Addresses to listen on (comma separated). Only accepts IP addresses or localhost as a value. When localhost is supplied, kubectl will try to bind on both 127.0.0.1 and ::1 and will fail if neither of these addresses are available to bind. |
-h, --help |
| help for port-forward |
--pod-running-timeout duration Default: 1m0s |
| The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.34 - kubectl proxy
Synopsis
Creates a proxy server or application-level gateway between localhost and the Kubernetes API server. It also allows serving static content over specified HTTP path. All incoming data enters through one port and gets forwarded to the remote Kubernetes API server port, except for the path matching the static content path.
kubectl proxy [--port=PORT] [--www=static-dir] [--www-prefix=prefix] [--api-prefix=prefix]
Examples
# To proxy all of the Kubernetes API and nothing else
kubectl proxy --api-prefix=/
# To proxy only part of the Kubernetes API and also some static files
# You can get pods info with 'curl localhost:8001/api/v1/pods'
kubectl proxy --www=/my/files --www-prefix=/static/ --api-prefix=/api/
# To proxy the entire Kubernetes API at a different root
# You can get pods info with 'curl localhost:8001/custom/api/v1/pods'
kubectl proxy --api-prefix=/custom/
# Run a proxy to the Kubernetes API server on port 8011, serving static content from ./local/www/
kubectl proxy --port=8011 --www=./local/www/
# Run a proxy to the Kubernetes API server on an arbitrary local port
# The chosen port for the server will be output to stdout
kubectl proxy --port=0
# Run a proxy to the Kubernetes API server, changing the API prefix to k8s-api
# This makes e.g. the pods API available at localhost:8001/k8s-api/v1/pods/
kubectl proxy --api-prefix=/k8s-api
Options
--accept-hosts string Default: "^localhost$,^127\.0\.0\.1$,^\[::1\]$" |
| Regular expression for hosts that the proxy should accept. |
--accept-paths string Default: "^.*" |
| Regular expression for paths that the proxy should accept. |
--address string Default: "127.0.0.1" |
| The IP address on which to serve on. |
--api-prefix string Default: "/" |
| Prefix to serve the proxied API under. |
--append-server-path |
| If true, enables automatic path appending of the kube context server path to each request. |
--disable-filter |
| If true, disable request filtering in the proxy. This is dangerous, and can leave you vulnerable to XSRF attacks, when used with an accessible port. |
-h, --help |
| help for proxy |
--keepalive duration |
| keepalive specifies the keep-alive period for an active network connection. Set to 0 to disable keepalive. |
-p, --port int Default: 8001 |
| The port on which to run the proxy. Set to 0 to pick a random port. |
--reject-methods string Default: "^$" |
| Regular expression for HTTP methods that the proxy should reject (example --reject-methods='POST,PUT,PATCH'). |
--reject-paths string Default: "^/api/.*/pods/.*/exec, ^/api/.*/pods/.*/attach" |
| Regular expression for paths that the proxy should reject. Paths specified here will be rejected even accepted by --accept-paths. |
-u, --unix-socket string |
| Unix socket on which to run the proxy. |
-w, --www string |
| Also serve static files from the given directory under the specified prefix. |
-P, --www-prefix string Default: "/static/" |
| Prefix to serve static files under, if static file directory is specified. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.35 - kubectl replace
Synopsis
Replace a resource by file name or stdin.
JSON and YAML formats are accepted. If replacing an existing resource, the complete resource spec must be provided. This can be obtained by
$ kubectl get TYPE NAME -o yaml
kubectl replace -f FILENAME
Examples
# Replace a pod using the data in pod.json
kubectl replace -f ./pod.json
# Replace a pod based on the JSON passed into stdin
cat pod.json | kubectl replace -f -
# Update a single-container pod's image version (tag) to v4
kubectl get pod mypod -o yaml | sed 's/\(image: myimage\):.*$/\1:v4/' | kubectl replace -f -
# Force replace, delete and then re-create the resource
kubectl replace --force -f ./pod.json
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--cascade string[="background"] Default: "background" |
| Must be "background", "orphan", or "foreground". Selects the deletion cascading strategy for the dependents (e.g. Pods created by a ReplicationController). Defaults to background. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-replace" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| The files that contain the configurations to replace. |
--force |
| If true, immediately remove resources from API and bypass graceful deletion. Note that immediate deletion of some resources may result in inconsistency or data loss and requires confirmation. |
--grace-period int Default: -1 |
| Period of time in seconds given to the resource to terminate gracefully. Ignored if negative. Set to 1 for immediate shutdown. Can only be set to 0 when --force is true (force deletion). |
-h, --help |
| help for replace |
-k, --kustomize string |
| Process a kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--raw string |
| Raw URI to PUT to the server. Uses the transport specified by the kubeconfig file. |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--subresource string |
| If specified, replace will operate on the subresource of the requested object. Must be one of [status scale]. This flag is beta and may change in the future. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--timeout duration |
| The length of time to wait before giving up on a delete, zero means determine a timeout from the size of the object |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--wait |
| If true, wait for resources to be gone before returning. This waits for finalizers. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.36 - kubectl rollout
Synopsis
Manage the rollout of one or many resources.
Valid resource types include:
- deployments
- daemonsets
- statefulsets
kubectl rollout SUBCOMMAND
Examples
# Rollback to the previous deployment
kubectl rollout undo deployment/abc
# Check the rollout status of a daemonset
kubectl rollout status daemonset/foo
# Restart a deployment
kubectl rollout restart deployment/abc
# Restart deployments with the 'app=nginx' label
kubectl rollout restart deployment --selector=app=nginx
Options
-h, --help |
| help for rollout |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.36.1 - kubectl rollout history
Synopsis
View previous rollout revisions and configurations.
kubectl rollout history (TYPE NAME | TYPE/NAME) [flags]
Examples
# View the rollout history of a deployment
kubectl rollout history deployment/abc
# View the details of daemonset revision 3
kubectl rollout history daemonset/abc --revision=3
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to get from a server. |
-h, --help |
| help for history |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--revision int |
| See the details, including podTemplate of the revision specified |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.36.2 - kubectl rollout pause
Synopsis
Mark the provided resource as paused.
Paused resources will not be reconciled by a controller. Use "kubectl rollout resume" to resume a paused resource. Currently only deployments support being paused.
kubectl rollout pause RESOURCE
Examples
# Mark the nginx deployment as paused
# Any current state of the deployment will continue its function; new updates
# to the deployment will not have an effect as long as the deployment is paused
kubectl rollout pause deployment/nginx
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--field-manager string Default: "kubectl-rollout" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to get from a server. |
-h, --help |
| help for pause |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.36.3 - kubectl rollout restart
Synopsis
Restart a resource.
Resource rollout will be restarted.
kubectl rollout restart RESOURCE
Examples
# Restart all deployments in test-namespace namespace
kubectl rollout restart deployment -n test-namespace
# Restart a deployment
kubectl rollout restart deployment/nginx
# Restart a daemon set
kubectl rollout restart daemonset/abc
# Restart deployments with the app=nginx label
kubectl rollout restart deployment --selector=app=nginx
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--field-manager string Default: "kubectl-rollout" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to get from a server. |
-h, --help |
| help for restart |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.36.4 - kubectl rollout resume
Synopsis
Resume a paused resource.
Paused resources will not be reconciled by a controller. By resuming a resource, we allow it to be reconciled again. Currently only deployments support being resumed.
kubectl rollout resume RESOURCE
Examples
# Resume an already paused deployment
kubectl rollout resume deployment/nginx
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--field-manager string Default: "kubectl-rollout" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to get from a server. |
-h, --help |
| help for resume |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.36.5 - kubectl rollout status
Synopsis
Show the status of the rollout.
By default 'rollout status' will watch the status of the latest rollout until it's done. If you don't want to wait for the rollout to finish then you can use --watch=false. Note that if a new rollout starts in-between, then 'rollout status' will continue watching the latest revision. If you want to pin to a specific revision and abort if it is rolled over by another revision, use --revision=N where N is the revision you need to watch for.
kubectl rollout status (TYPE NAME | TYPE/NAME) [flags]
Examples
# Watch the rollout status of a deployment
kubectl rollout status deployment/nginx
Options
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to get from a server. |
-h, --help |
| help for status |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--revision int |
| Pin to a specific revision for showing its status. Defaults to 0 (last revision). |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--timeout duration |
| The length of time to wait before ending watch, zero means never. Any other values should contain a corresponding time unit (e.g. 1s, 2m, 3h). |
-w, --watch Default: true |
| Watch the status of the rollout until it's done. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.36.6 - kubectl rollout undo
Synopsis
Roll back to a previous rollout.
kubectl rollout undo (TYPE NAME | TYPE/NAME) [flags]
Examples
# Roll back to the previous deployment
kubectl rollout undo deployment/abc
# Roll back to daemonset revision 3
kubectl rollout undo daemonset/abc --to-revision=3
# Roll back to the previous deployment with dry-run
kubectl rollout undo --dry-run=server deployment/abc
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to get from a server. |
-h, --help |
| help for undo |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--to-revision int |
| The revision to rollback to. Default to 0 (last revision). |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.37 - kubectl run
Synopsis
Create and run a particular image in a pod.
kubectl run NAME --image=image [--env="key=value"] [--port=port] [--dry-run=server|client] [--overrides=inline-json] [--command] -- [COMMAND] [args...]
Examples
# Start a nginx pod
kubectl run nginx --image=nginx
# Start a hazelcast pod and let the container expose port 5701
kubectl run hazelcast --image=hazelcast/hazelcast --port=5701
# Start a hazelcast pod and set environment variables "DNS_DOMAIN=cluster" and "POD_NAMESPACE=default" in the container
kubectl run hazelcast --image=hazelcast/hazelcast --env="DNS_DOMAIN=cluster" --env="POD_NAMESPACE=default"
# Start a hazelcast pod and set labels "app=hazelcast" and "env=prod" in the container
kubectl run hazelcast --image=hazelcast/hazelcast --labels="app=hazelcast,env=prod"
# Dry run; print the corresponding API objects without creating them
kubectl run nginx --image=nginx --dry-run=client
# Start a nginx pod, but overload the spec with a partial set of values parsed from JSON
kubectl run nginx --image=nginx --overrides='{ "apiVersion": "v1", "spec": { ... } }'
# Start a busybox pod and keep it in the foreground, don't restart it if it exits
kubectl run -i -t busybox --image=busybox --restart=Never
# Start the nginx pod using the default command, but use custom arguments (arg1 .. argN) for that command
kubectl run nginx --image=nginx -- <arg1> <arg2> ... <argN>
# Start the nginx pod using a different command and custom arguments
kubectl run nginx --image=nginx --command -- <cmd> <arg1> ... <argN>
Options
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--annotations strings |
| Annotations to apply to the pod. |
--attach |
| If true, wait for the Pod to start running, and then attach to the Pod as if 'kubectl attach ...' were called. Default false, unless '-i/--stdin' is set, in which case the default is true. With '--restart=Never' the exit code of the container process is returned. |
--command |
| If true and extra arguments are present, use them as the 'command' field in the container, rather than the 'args' field which is the default. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--env strings |
| Environment variables to set in the container. |
--expose --port |
| If true, create a ClusterIP service associated with the pod. Requires --port. |
--field-manager string Default: "kubectl-run" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for run |
--image string |
| The image for the container to run. |
--image-pull-policy string |
| The image pull policy for the container. If left empty, this value will not be specified by the client and defaulted by the server. |
-l, --labels string |
| Comma separated labels to apply to the pod. Will override previous values. |
--leave-stdin-open |
| If the pod is started in interactive mode or with stdin, leave stdin open after the first attach completes. By default, stdin will be closed after the first attach completes. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--override-type string Default: "merge" |
| The method used to override the generated object: json, merge, or strategic. |
--overrides string |
| An inline JSON override for the generated object. If this is non-empty, it is used to override the generated object. Requires that the object supply a valid apiVersion field. |
--pod-running-timeout duration Default: 1m0s |
| The length of time (like 5s, 2m, or 3h, higher than zero) to wait until at least one pod is running |
--port string |
| The port that this container exposes. |
--privileged |
| If true, run the container in privileged mode. |
-q, --quiet |
| If true, suppress prompt messages. |
--restart string Default: "Always" |
| The restart policy for this Pod. Legal values [Always, OnFailure, Never]. |
--rm |
| If true, delete the pod after it exits. Only valid when attaching to the container, e.g. with '--attach' or with '-i/--stdin'. |
--save-config |
| If true, the configuration of current object will be saved in its annotation. Otherwise, the annotation will be unchanged. This flag is useful when you want to perform kubectl apply on this object in the future. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
-i, --stdin |
| Keep stdin open on the container in the pod, even if nothing is attached. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
-t, --tty |
| Allocate a TTY for the container in the pod. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.38 - kubectl scale
Synopsis
Set a new size for a deployment, replica set, replication controller, or stateful set.
Scale also allows users to specify one or more preconditions for the scale action.
If --current-replicas or --resource-version is specified, it is validated before the scale is attempted, and it is guaranteed that the precondition holds true when the scale is sent to the server.
kubectl scale [--resource-version=version] [--current-replicas=count] --replicas=COUNT (-f FILENAME | TYPE NAME)
Examples
# Scale a replica set named 'foo' to 3
kubectl scale --replicas=3 rs/foo
# Scale a resource identified by type and name specified in "foo.yaml" to 3
kubectl scale --replicas=3 -f foo.yaml
# If the deployment named mysql's current size is 2, scale mysql to 3
kubectl scale --current-replicas=2 --replicas=3 deployment/mysql
# Scale multiple replication controllers
kubectl scale --replicas=5 rc/example1 rc/example2 rc/example3
# Scale stateful set named 'web' to 3
kubectl scale --replicas=3 statefulset/web
Options
--all |
| Select all resources in the namespace of the specified resource types |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--current-replicas int Default: -1 |
| Precondition for current size. Requires that the current size of the resource match this value in order to scale. -1 (default) for no condition. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to set a new size |
-h, --help |
| help for scale |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--replicas int |
| The new desired number of replicas. Required. |
--resource-version string |
| Precondition for resource version. Requires that the current resource version match this value in order to scale. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--timeout duration |
| The length of time to wait before giving up on a scale operation, zero means don't wait. Any other values should contain a corresponding time unit (e.g. 1s, 2m, 3h). |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.39 - kubectl set
Synopsis
Configure application resources.
These commands help you make changes to existing application resources.
kubectl set SUBCOMMAND
Options
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.39.1 - kubectl set env
Synopsis
Update environment variables on a pod template.
List environment variable definitions in one or more pods, pod templates. Add, update, or remove container environment variable definitions in one or more pod templates (within replication controllers or deployment configurations). View or modify the environment variable definitions on all containers in the specified pods or pod templates, or just those that match a wildcard.
If "--env -" is passed, environment variables can be read from STDIN using the standard env syntax.
Possible resources include (case insensitive):
pod (po), replicationcontroller (rc), deployment (deploy), daemonset (ds), statefulset (sts), cronjob (cj), replicaset (rs)
kubectl set env RESOURCE/NAME KEY_1=VAL_1 ... KEY_N=VAL_N
Examples
# Update deployment 'registry' with a new environment variable
kubectl set env deployment/registry STORAGE_DIR=/local
# List the environment variables defined on a deployments 'sample-build'
kubectl set env deployment/sample-build --list
# List the environment variables defined on all pods
kubectl set env pods --all --list
# Output modified deployment in YAML, and does not alter the object on the server
kubectl set env deployment/sample-build STORAGE_DIR=/data -o yaml
# Update all containers in all replication controllers in the project to have ENV=prod
kubectl set env rc --all ENV=prod
# Import environment from a secret
kubectl set env --from=secret/mysecret deployment/myapp
# Import environment from a config map with a prefix
kubectl set env --from=configmap/myconfigmap --prefix=MYSQL_ deployment/myapp
# Import specific keys from a config map
kubectl set env --keys=my-example-key --from=configmap/myconfigmap deployment/myapp
# Remove the environment variable ENV from container 'c1' in all deployment configs
kubectl set env deployments --all --containers="c1" ENV-
# Remove the environment variable ENV from a deployment definition on disk and
# update the deployment config on the server
kubectl set env -f deploy.json ENV-
# Set some of the local shell environment into a deployment config on the server
env | grep RAILS_ | kubectl set env -e - deployment/registry
Options
--all |
| If true, select all resources in the namespace of the specified resource types |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
-c, --containers string Default: "*" |
| The names of containers in the selected pod templates to change - may use wildcards |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
-e, --env strings |
| Specify a key-value pair for an environment variable to set into each container. |
--field-manager string Default: "kubectl-set" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files the resource to update the env |
--from string |
| The name of a resource from which to inject environment variables |
-h, --help |
| help for env |
--keys strings |
| Comma-separated list of keys to import from specified resource |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
--list |
| If true, display the environment and any changes in the standard format. this flag will removed when we have kubectl view env. |
--local |
| If true, set env will NOT contact api-server but run locally. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--overwrite Default: true |
| If true, allow environment to be overwritten, otherwise reject updates that overwrite existing environment. |
--prefix string |
| Prefix to append to variable names |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--resolve |
| If true, show secret or configmap references when listing variables |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.39.2 - kubectl set image
Synopsis
Update existing container image(s) of resources.
Possible resources include (case insensitive):
pod (po), replicationcontroller (rc), deployment (deploy), daemonset (ds), statefulset (sts), cronjob (cj), replicaset (rs)
kubectl set image (-f FILENAME | TYPE NAME) CONTAINER_NAME_1=CONTAINER_IMAGE_1 ... CONTAINER_NAME_N=CONTAINER_IMAGE_N
Examples
# Set a deployment's nginx container image to 'nginx:1.9.1', and its busybox container image to 'busybox'
kubectl set image deployment/nginx busybox=busybox nginx=nginx:1.9.1
# Update all deployments' and rc's nginx container's image to 'nginx:1.9.1'
kubectl set image deployments,rc nginx=nginx:1.9.1 --all
# Update image of all containers of daemonset abc to 'nginx:1.9.1'
kubectl set image daemonset abc *=nginx:1.9.1
# Print result (in yaml format) of updating nginx container image from local file, without hitting the server
kubectl set image -f path/to/file.yaml nginx=nginx:1.9.1 --local -o yaml
Options
--all |
| Select all resources, in the namespace of the specified resource types |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-set" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to get from a server. |
-h, --help |
| help for image |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
--local |
| If true, set image will NOT contact api-server but run locally. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.39.3 - kubectl set resources
Synopsis
Specify compute resource requirements (CPU, memory) for any resource that defines a pod template. If a pod is successfully scheduled, it is guaranteed the amount of resource requested, but may burst up to its specified limits.
For each compute resource, if a limit is specified and a request is omitted, the request will default to the limit.
Possible resources include (case insensitive): Use "kubectl api-resources" for a complete list of supported resources..
kubectl set resources (-f FILENAME | TYPE NAME) ([--limits=LIMITS & --requests=REQUESTS]
Examples
# Set a deployments nginx container cpu limits to "200m" and memory to "512Mi"
kubectl set resources deployment nginx -c=nginx --limits=cpu=200m,memory=512Mi
# Set the resource request and limits for all containers in nginx
kubectl set resources deployment nginx --limits=cpu=200m,memory=512Mi --requests=cpu=100m,memory=256Mi
# Remove the resource requests for resources on containers in nginx
kubectl set resources deployment nginx --limits=cpu=0,memory=0 --requests=cpu=0,memory=0
# Print the result (in yaml format) of updating nginx container limits from a local, without hitting the server
kubectl set resources -f path/to/file.yaml --limits=cpu=200m,memory=512Mi --local -o yaml
Options
--all |
| Select all resources, in the namespace of the specified resource types |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
-c, --containers string Default: "*" |
| The names of containers in the selected pod templates to change, all containers are selected by default - may use wildcards |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-set" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to get from a server. |
-h, --help |
| help for resources |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
--limits string |
| The resource requirement requests for this container. For example, 'cpu=100m,memory=256Mi'. Note that server side components may assign requests depending on the server configuration, such as limit ranges. |
--local |
| If true, set resources will NOT contact api-server but run locally. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--requests string |
| The resource requirement requests for this container. For example, 'cpu=100m,memory=256Mi'. Note that server side components may assign requests depending on the server configuration, such as limit ranges. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.39.4 - kubectl set selector
Synopsis
Set the selector on a resource. Note that the new selector will overwrite the old selector if the resource had one prior to the invocation of 'set selector'.
A selector must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters. If --resource-version is specified, then updates will use this resource version, otherwise the existing resource-version will be used. Note: currently selectors can only be set on Service objects.
kubectl set selector (-f FILENAME | TYPE NAME) EXPRESSIONS [--resource-version=version]
Examples
# Set the labels and selector before creating a deployment/service pair
kubectl create service clusterip my-svc --clusterip="None" -o yaml --dry-run=client | kubectl set selector --local -f - 'environment=qa' -o yaml | kubectl create -f -
kubectl create deployment my-dep -o yaml --dry-run=client | kubectl label --local -f - environment=qa -o yaml | kubectl create -f -
Options
--all |
| Select all resources in the namespace of the specified resource types |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-set" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| identifying the resource. |
-h, --help |
| help for selector |
--local |
| If true, annotation will NOT contact api-server but run locally. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive Default: true |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--resource-version string |
| If non-empty, the selectors update will only succeed if this is the current resource-version for the object. Only valid when specifying a single resource. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.39.5 - kubectl set serviceaccount
Synopsis
Update the service account of pod template resources.
Possible resources (case insensitive) can be:
replicationcontroller (rc), deployment (deploy), daemonset (ds), job, replicaset (rs), statefulset
kubectl set serviceaccount (-f FILENAME | TYPE NAME) SERVICE_ACCOUNT
Examples
# Set deployment nginx-deployment's service account to serviceaccount1
kubectl set serviceaccount deployment nginx-deployment serviceaccount1
# Print the result (in YAML format) of updated nginx deployment with the service account from local file, without hitting the API server
kubectl set sa -f nginx-deployment.yaml serviceaccount1 --local --dry-run=client -o yaml
Options
--all |
| Select all resources, in the namespace of the specified resource types |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-set" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files identifying the resource to get from a server. |
-h, --help |
| help for serviceaccount |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
--local |
| If true, set serviceaccount will NOT contact api-server but run locally. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.39.6 - kubectl set subject
Synopsis
Update the user, group, or service account in a role binding or cluster role binding.
kubectl set subject (-f FILENAME | TYPE NAME) [--user=username] [--group=groupname] [--serviceaccount=namespace:serviceaccountname] [--dry-run=server|client|none]
Examples
# Update a cluster role binding for serviceaccount1
kubectl set subject clusterrolebinding admin --serviceaccount=namespace:serviceaccount1
# Update a role binding for user1, user2, and group1
kubectl set subject rolebinding admin --user=user1 --user=user2 --group=group1
# Print the result (in YAML format) of updating rolebinding subjects from a local, without hitting the server
kubectl create rolebinding admin --role=admin --user=admin -o yaml --dry-run=client | kubectl set subject --local -f - --user=foo -o yaml
Options
--all |
| Select all resources, in the namespace of the specified resource types |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-set" |
| Name of the manager used to track field ownership. |
-f, --filename strings |
| Filename, directory, or URL to files the resource to update the subjects |
--group strings |
| Groups to bind to the role |
-h, --help |
| help for subject |
-k, --kustomize string |
| Process the kustomization directory. This flag can't be used together with -f or -R. |
--local |
| If true, set subject will NOT contact api-server but run locally. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--serviceaccount strings |
| Service accounts to bind to the role |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--user strings |
| Usernames to bind to the role |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.40 - kubectl taint
Synopsis
Update the taints on one or more nodes.
- A taint consists of a key, value, and effect. As an argument here, it is expressed as key=value:effect.
- The key must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 253 characters.
- Optionally, the key can begin with a DNS subdomain prefix and a single '/', like example.com/my-app.
- The value is optional. If given, it must begin with a letter or number, and may contain letters, numbers, hyphens, dots, and underscores, up to 63 characters.
- The effect must be NoSchedule, PreferNoSchedule or NoExecute.
- Currently taint can only apply to node.
kubectl taint NODE NAME KEY_1=VAL_1:TAINT_EFFECT_1 ... KEY_N=VAL_N:TAINT_EFFECT_N
Examples
# Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule'
# If a taint with that key and effect already exists, its value is replaced as specified
kubectl taint nodes foo dedicated=special-user:NoSchedule
# Remove from node 'foo' the taint with key 'dedicated' and effect 'NoSchedule' if one exists
kubectl taint nodes foo dedicated:NoSchedule-
# Remove from node 'foo' all the taints with key 'dedicated'
kubectl taint nodes foo dedicated-
# Add a taint with key 'dedicated' on nodes having label myLabel=X
kubectl taint node -l myLabel=X dedicated=foo:PreferNoSchedule
# Add to node 'foo' a taint with key 'bar' and no value
kubectl taint nodes foo bar:NoSchedule
Options
--all |
| Select all nodes in the cluster |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
--field-manager string Default: "kubectl-taint" |
| Name of the manager used to track field ownership. |
-h, --help |
| help for taint |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
--overwrite |
| If true, allow taints to be overwritten, otherwise reject taint updates that overwrite existing taints. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--validate string[="strict"] Default: "strict" |
| Must be one of: strict (or true), warn, ignore (or false). "true" or "strict" will use a schema to validate the input and fail the request if invalid. It will perform server side validation if ServerSideFieldValidation is enabled on the api-server, but will fall back to less reliable client-side validation if not. "warn" will warn about unknown or duplicate fields without blocking the request if server-side field validation is enabled on the API server, and behave as "ignore" otherwise. "false" or "ignore" will not perform any schema validation, silently dropping any unknown or duplicate fields. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.41 - kubectl top
Synopsis
Display resource (CPU/memory) usage.
The top command allows you to see the resource consumption for nodes or pods.
This command requires Metrics Server to be correctly configured and working on the server.
kubectl top [flags]
Options
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.41.1 - kubectl top node
Synopsis
Display resource (CPU/memory) usage of nodes.
The top-node command allows you to see the resource consumption of nodes.
kubectl top node [NAME | -l label]
Examples
# Show metrics for all nodes
kubectl top node
# Show metrics for a given node
kubectl top node NODE_NAME
Options
-h, --help |
| help for node |
--no-headers |
| If present, print output without headers |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--show-capacity |
| Print node resources based on Capacity instead of Allocatable(default) of the nodes. |
--sort-by string |
| If non-empty, sort nodes list using specified field. The field can be either 'cpu' or 'memory'. |
--use-protocol-buffers Default: true |
| Enables using protocol-buffers to access Metrics API. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.41.2 - kubectl top pod
Synopsis
Display resource (CPU/memory) usage of pods.
The 'top pod' command allows you to see the resource consumption of pods.
Due to the metrics pipeline delay, they may be unavailable for a few minutes since pod creation.
kubectl top pod [NAME | -l label]
Examples
# Show metrics for all pods in the default namespace
kubectl top pod
# Show metrics for all pods in the given namespace
kubectl top pod --namespace=NAMESPACE
# Show metrics for a given pod and its containers
kubectl top pod POD_NAME --containers
# Show metrics for the pods defined by label name=myLabel
kubectl top pod -l name=myLabel
Options
-A, --all-namespaces |
| If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. |
--containers |
| If present, print usage of containers within a pod. |
--field-selector string |
| Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type. |
-h, --help |
| help for pod |
--no-headers |
| If present, print output without headers. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--sort-by string |
| If non-empty, sort pods list using specified field. The field can be either 'cpu' or 'memory'. |
--sum |
| Print the sum of the resource usage |
--use-protocol-buffers Default: true |
| Enables using protocol-buffers to access Metrics API. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
2.42 - kubectl uncordon
Synopsis
Mark node as schedulable.
kubectl uncordon NODE
Examples
# Mark node "foo" as schedulable
kubectl uncordon foo
Options
--dry-run string[="unchanged"] Default: "none" |
| Must be "none", "server", or "client". If client strategy, only print the object that would be sent, without sending it. If server strategy, submit server-side request without persisting the resource. |
-h, --help |
| help for uncordon |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2). Matching objects must satisfy all of the specified label constraints. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.43 - kubectl version
Synopsis
Print the client and server version information for the current context.
kubectl version [flags]
Examples
# Print the client and server versions for the current context
kubectl version
Options
--client |
| If true, shows client version only (no server required). |
-h, --help |
| help for version |
-o, --output string |
| One of 'yaml' or 'json'. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
2.44 - kubectl wait
Synopsis
Experimental: Wait for a specific condition on one or many resources.
The command takes multiple resources and waits until the specified condition is seen in the Status field of every given resource.
Alternatively, the command can wait for the given set of resources to be deleted by providing the "delete" keyword as the value to the --for flag.
A successful message will be printed to stdout indicating when the specified condition has been met. You can use -o option to change to output destination.
kubectl wait ([-f FILENAME] | resource.group/resource.name | resource.group [(-l label | --all)]) [--for=delete|--for condition=available|--for=jsonpath='{}'[=value]]
Examples
# Wait for the pod "busybox1" to contain the status condition of type "Ready"
kubectl wait --for=condition=Ready pod/busybox1
# The default value of status condition is true; you can wait for other targets after an equal delimiter (compared after Unicode simple case folding, which is a more general form of case-insensitivity)
kubectl wait --for=condition=Ready=false pod/busybox1
# Wait for the pod "busybox1" to contain the status phase to be "Running"
kubectl wait --for=jsonpath='{.status.phase}'=Running pod/busybox1
# Wait for pod "busybox1" to be Ready
kubectl wait --for='jsonpath={.status.conditions[?(@.type=="Ready")].status}=True' pod/busybox1
# Wait for the service "loadbalancer" to have ingress.
kubectl wait --for=jsonpath='{.status.loadBalancer.ingress}' service/loadbalancer
# Wait for the pod "busybox1" to be deleted, with a timeout of 60s, after having issued the "delete" command
kubectl delete pod/busybox1
kubectl wait --for=delete pod/busybox1 --timeout=60s
Options
--all |
| Select all resources in the namespace of the specified resource types |
-A, --all-namespaces |
| If present, list the requested object(s) across all namespaces. Namespace in current context is ignored even if specified with --namespace. |
--allow-missing-template-keys Default: true |
| If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats. |
--field-selector string |
| Selector (field query) to filter on, supports '=', '==', and '!='.(e.g. --field-selector key1=value1,key2=value2). The server only supports a limited number of field queries per type. |
-f, --filename strings |
| identifying the resource. |
--for string |
| The condition to wait on: [delete|condition=condition-name[=condition-value]|jsonpath='{JSONPath expression}'=[JSONPath value]]. The default condition-value is true. Condition values are compared after Unicode simple case folding, which is a more general form of case-insensitivity. |
-h, --help |
| help for wait |
--local |
| If true, annotation will NOT contact api-server but run locally. |
-o, --output string |
| Output format. One of: (json, yaml, name, go-template, go-template-file, template, templatefile, jsonpath, jsonpath-as-json, jsonpath-file). |
-R, --recursive Default: true |
| Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory. |
-l, --selector string |
| Selector (label query) to filter on, supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2) |
--show-managed-fields |
| If true, keep the managedFields when printing objects in JSON or YAML format. |
--template string |
| Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [http://golang.org/pkg/text/template/#pkg-overview]. |
--timeout duration Default: 30s |
| The length of time to wait before giving up. Zero means check once and don't wait, negative means wait for a week. |
--as string |
| Username to impersonate for the operation. User could be a regular user or a service account in a namespace. |
--as-group strings |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--as-uid string |
| UID to impersonate for the operation. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
--disable-compression |
| If true, opt-out of response compression for all requests to the server |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--storage-driver-buffer-duration duration Default: 1m0s |
| Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction |
--storage-driver-db string Default: "cadvisor" |
| database name |
--storage-driver-host string Default: "localhost:8086" |
| database host:port |
--storage-driver-password string Default: "root" |
| database password |
--storage-driver-secure |
| use secure connection with database |
--storage-driver-table string Default: "stats" |
| table name |
--storage-driver-user string Default: "root" |
| database username |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
--version version[=true] |
| --version, --version=raw prints version information and quits; --version=vX.Y.Z... sets the reported version |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
See Also
- kubectl - kubectl controls the Kubernetes cluster manager
4 - kubectl
Synopsis
kubectl controls the Kubernetes cluster manager.
Find more information in Command line tool (kubectl
).
Options
--add-dir-header |
| If true, adds the file directory to the header of the log messages |
--alsologtostderr |
| log to standard error as well as files |
--as string |
| Username to impersonate for the operation |
--as-group stringArray |
| Group to impersonate for the operation, this flag can be repeated to specify multiple groups. |
--azure-container-registry-config string |
| Path to the file containing Azure container registry configuration information. |
--cache-dir string Default: "$HOME/.kube/cache" |
| Default cache directory |
--certificate-authority string |
| Path to a cert file for the certificate authority |
--client-certificate string |
| Path to a client certificate file for TLS |
--client-key string |
| Path to a client key file for TLS |
--cloud-provider-gce-l7lb-src-cidrs cidrs Default: 130.211.0.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L7 LB traffic proxy & health checks |
--cloud-provider-gce-lb-src-cidrs cidrs Default: 130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16 |
| CIDRs opened in GCE firewall for L4 LB traffic proxy & health checks |
--cluster string |
| The name of the kubeconfig cluster to use |
--context string |
| The name of the kubeconfig context to use |
--default-not-ready-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration. |
--default-unreachable-toleration-seconds int Default: 300 |
| Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration. |
-h, --help |
| help for kubectl |
--insecure-skip-tls-verify |
| If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure |
--kubeconfig string |
| Path to the kubeconfig file to use for CLI requests. |
--log-backtrace-at traceLocation Default: :0 |
| when logging hits line file:N, emit a stack trace |
--log-dir string |
| If non-empty, write log files in this directory |
--log-file string |
| If non-empty, use this log file |
--log-file-max-size uint Default: 1800 |
| Defines the maximum size a log file can grow to. Unit is megabytes. If the value is 0, the maximum file size is unlimited. |
--log-flush-frequency duration Default: 5s |
| Maximum number of seconds between log flushes |
--logtostderr Default: true |
| log to standard error instead of files |
--match-server-version |
| Require server version to match client version |
-n, --namespace string |
| If present, the namespace scope for this CLI request |
--one-output |
| If true, only write logs to their native severity level (vs also writing to each lower severity level) |
--password string |
| Password for basic authentication to the API server |
--profile string Default: "none" |
| Name of profile to capture. One of (none|cpu|heap|goroutine|threadcreate|block|mutex) |
--profile-output string Default: "profile.pprof" |
| Name of the file to write the profile to |
--request-timeout string Default: "0" |
| The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. |
-s, --server string |
| The address and port of the Kubernetes API server |
--skip-headers |
| If true, avoid header prefixes in the log messages |
--skip-log-headers |
| If true, avoid headers when opening log files |
--stderrthreshold severity Default: 2 |
| logs at or above this threshold go to stderr |
--tls-server-name string |
| Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used |
--token string |
| Bearer token for authentication to the API server |
--user string |
| The name of the kubeconfig user to use |
--username string |
| Username for basic authentication to the API server |
-v, --v Level |
| number for the log level verbosity |
--version version[=true] |
| Print version information and quit |
--vmodule moduleSpec |
| comma-separated list of pattern=N settings for file-filtered logging |
--warnings-as-errors |
| Treat warnings received from the server as errors and exit with a non-zero exit code |
Environment variables
KUBECONFIG |
| Path to the kubectl configuration ("kubeconfig") file. Default: "$HOME/.kube/config" |
KUBECTL_COMMAND_HEADERS |
| When set to false, turns off extra HTTP headers detailing invoked kubectl command (Kubernetes version v1.22 or later) |
KUBECTL_EXPLAIN_OPENAPIV3 |
| Toggles whether calls to `kubectl explain` use the new OpenAPIv3 data source available. OpenAPIV3 is enabled by default since Kubernetes 1.24.
|
KUBECTL_ENABLE_CMD_SHADOW |
| When set to true, external plugins can be used as subcommands for builtin commands if subcommand does not exist. In alpha stage, this feature can only be used for create command(e.g. kubectl create networkpolicy).
|
KUBECTL_REMOTE_COMMAND_WEBSOCKETS |
| When set to true, the kubectl exec, cp, and attach commands will attempt to stream using the websockets protocol. If the upgrade to websockets fails, the commands will fallback to use the current SPDY protocol.
|
See Also
5 - JSONPath Support
Kubectl supports JSONPath template.
JSONPath template is composed of JSONPath expressions enclosed by curly braces {}.
Kubectl uses JSONPath expressions to filter on specific fields in the JSON object and format the output.
In addition to the original JSONPath template syntax, the following functions and syntax are valid:
- Use double quotes to quote text inside JSONPath expressions.
- Use the
range
, end
operators to iterate lists.
- Use negative slice indices to step backwards through a list. Negative indices do not "wrap around" a list and are valid as long as
-index + listLength >= 0
.
Given the JSON input:
{
"kind": "List",
"items":[
{
"kind":"None",
"metadata":{
"name":"127.0.0.1",
"labels":{
"kubernetes.io/hostname":"127.0.0.1"
}
},
"status":{
"capacity":{"cpu":"4"},
"addresses":[{"type": "LegacyHostIP", "address":"127.0.0.1"}]
}
},
{
"kind":"None",
"metadata":{"name":"127.0.0.2"},
"status":{
"capacity":{"cpu":"8"},
"addresses":[
{"type": "LegacyHostIP", "address":"127.0.0.2"},
{"type": "another", "address":"127.0.0.3"}
]
}
}
],
"users":[
{
"name": "myself",
"user": {}
},
{
"name": "e2e",
"user": {"username": "admin", "password": "secret"}
}
]
}
Function |
Description |
Example |
Result |
text |
the plain text |
kind is {.kind} |
kind is List |
@ |
the current object |
{@} |
the same as input |
. or [] |
child operator |
{.kind} , {['kind']} or {['name\.type']} |
List |
.. |
recursive descent |
{..name} |
127.0.0.1 127.0.0.2 myself e2e |
* |
wildcard. Get all objects |
{.items[*].metadata.name} |
[127.0.0.1 127.0.0.2] |
[start:end:step] |
subscript operator |
{.users[0].name} |
myself |
[,] |
union operator |
{.items[*]['metadata.name', 'status.capacity']} |
127.0.0.1 127.0.0.2 map[cpu:4] map[cpu:8] |
?() |
filter |
{.users[?(@.name=="e2e")].user.password} |
secret |
range , end |
iterate list |
{range .items[*]}[{.metadata.name}, {.status.capacity}] {end} |
[127.0.0.1, map[cpu:4]] [127.0.0.2, map[cpu:8]] |
'' |
quote interpreted string |
{range .items[*]}{.metadata.name}{'\t'}{end} |
127.0.0.1 127.0.0.2 |
\ |
escape termination character |
{.items[0].metadata.labels.kubernetes\.io/hostname} |
127.0.0.1 |
Examples using kubectl
and JSONPath expressions:
kubectl get pods -o json
kubectl get pods -o=jsonpath='{@}'
kubectl get pods -o=jsonpath='{.items[0]}'
kubectl get pods -o=jsonpath='{.items[0].metadata.name}'
kubectl get pods -o=jsonpath="{.items[*]['metadata.name', 'status.capacity']}"
kubectl get pods -o=jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.startTime}{"\n"}{end}'
kubectl get pods -o=jsonpath='{.items[0].metadata.labels.kubernetes\.io/hostname}'
Note: On Windows, you must double quote any JSONPath template that contains spaces (not single quote as shown above for bash). This in turn means that you must use a single quote or escaped double quote around any literals in the template. For example:
kubectl get pods -o=jsonpath="{range .items[*]}{.metadata.name}{'\t'}{.status.startTime}{'\n'}{end}"
kubectl get pods -o=jsonpath="{range .items[*]}{.metadata.name}{\"\t\"}{.status.startTime}{\"\n\"}{end}"
Note: JSONPath regular expressions are not supported. If you want to match using regular expressions, you can use a tool such as jq
.
# kubectl does not support regular expressions for JSONpath output
# The following command does not work
kubectl get pods -o jsonpath='{.items[?(@.metadata.name=~/^test$/)].metadata.name}'
# The following command achieves the desired result
kubectl get pods -o json | jq -r '.items[] | select(.metadata.name | test("test-")).metadata.name'
6 - kubectl for Docker Users
You can use the Kubernetes command line tool kubectl
to interact with the API Server. Using kubectl is straightforward if you are familiar with the Docker command line tool. However, there are a few differences between the Docker commands and the kubectl commands. The following sections show a Docker sub-command and describe the equivalent kubectl
command.
docker run
To run an nginx Deployment and expose the Deployment, see kubectl create deployment.
docker:
docker run -d --restart=always -e DOMAIN=cluster --name nginx-app -p 80:80 nginx
55c103fa129692154a7652490236fee9be47d70a8dd562281ae7d2f9a339a6db
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
55c103fa1296 nginx "nginx -g 'daemon of…" 9 seconds ago Up 9 seconds 0.0.0.0:80->80/tcp nginx-app
kubectl:
# start the pod running nginx
kubectl create deployment --image=nginx nginx-app
deployment.apps/nginx-app created
# add env to nginx-app
kubectl set env deployment/nginx-app DOMAIN=cluster
deployment.apps/nginx-app env updated
Note: kubectl
commands print the type and name of the resource created or mutated, which can then be used in subsequent commands. You can expose a new Service after a Deployment is created.
# expose a port through with a service
kubectl expose deployment nginx-app --port=80 --name=nginx-http
service "nginx-http" exposed
By using kubectl, you can create a Deployment to ensure that N pods are running nginx, where N is the number of replicas stated in the spec and defaults to 1. You can also create a service with a selector that matches the pod labels. For more information, see Use a Service to Access an Application in a Cluster.
By default images run in the background, similar to docker run -d ...
. To run things in the foreground, use kubectl run
to create pod:
kubectl run [-i] [--tty] --attach <name> --image=<image>
Unlike docker run ...
, if you specify --attach
, then you attach stdin
, stdout
and stderr
. You cannot control which streams are attached (docker -a ...
).
To detach from the container, you can type the escape sequence Ctrl+P followed by Ctrl+Q.
docker ps
To list what is currently running, see kubectl get.
docker:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
14636241935f ubuntu:16.04 "echo test" 5 seconds ago Exited (0) 5 seconds ago cocky_fermi
55c103fa1296 nginx "nginx -g 'daemon of…" About a minute ago Up About a minute 0.0.0.0:80->80/tcp nginx-app
kubectl:
NAME READY STATUS RESTARTS AGE
nginx-app-8df569cb7-4gd89 1/1 Running 0 3m
ubuntu 0/1 Completed 0 20s
docker attach
To attach a process that is already running in a container, see kubectl attach.
docker:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
55c103fa1296 nginx "nginx -g 'daemon of…" 5 minutes ago Up 5 minutes 0.0.0.0:80->80/tcp nginx-app
docker attach 55c103fa1296
...
kubectl:
NAME READY STATUS RESTARTS AGE
nginx-app-5jyvm 1/1 Running 0 10m
kubectl attach -it nginx-app-5jyvm
...
To detach from the container, you can type the escape sequence Ctrl+P followed by Ctrl+Q.
docker exec
To execute a command in a container, see kubectl exec.
docker:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
55c103fa1296 nginx "nginx -g 'daemon of…" 6 minutes ago Up 6 minutes 0.0.0.0:80->80/tcp nginx-app
docker exec 55c103fa1296 cat /etc/hostname
55c103fa1296
kubectl:
NAME READY STATUS RESTARTS AGE
nginx-app-5jyvm 1/1 Running 0 10m
kubectl exec nginx-app-5jyvm -- cat /etc/hostname
nginx-app-5jyvm
To use interactive commands.
docker:
docker exec -ti 55c103fa1296 /bin/sh
# exit
kubectl:
kubectl exec -ti nginx-app-5jyvm -- /bin/sh
# exit
For more information, see Get a Shell to a Running Container.
docker logs
To follow stdout/stderr of a process that is running, see kubectl logs.
docker:
192.168.9.1 - - [14/Jul/2015:01:04:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.35.0" "-"
192.168.9.1 - - [14/Jul/2015:01:04:03 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.35.0" "-"
kubectl:
kubectl logs -f nginx-app-zibvs
10.240.63.110 - - [14/Jul/2015:01:09:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.26.0" "-"
10.240.63.110 - - [14/Jul/2015:01:09:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.26.0" "-"
There is a slight difference between pods and containers; by default pods do not terminate if their processes exit. Instead the pods restart the process. This is similar to the docker run option --restart=always
with one major difference. In docker, the output for each invocation of the process is concatenated, but for Kubernetes, each invocation is separate. To see the output from a previous run in Kubernetes, do this:
kubectl logs --previous nginx-app-zibvs
10.240.63.110 - - [14/Jul/2015:01:09:01 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.26.0" "-"
10.240.63.110 - - [14/Jul/2015:01:09:02 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/7.26.0" "-"
For more information, see Logging Architecture.
docker stop and docker rm
To stop and delete a running process, see kubectl delete.
docker:
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
a9ec34d98787 nginx "nginx -g 'daemon of" 22 hours ago Up 22 hours 0.0.0.0:80->80/tcp, 443/tcp nginx-app
a9ec34d98787
a9ec34d98787
kubectl:
kubectl get deployment nginx-app
NAME READY UP-TO-DATE AVAILABLE AGE
nginx-app 1/1 1 1 2m
kubectl get po -l app=nginx-app
NAME READY STATUS RESTARTS AGE
nginx-app-2883164633-aklf7 1/1 Running 0 2m
kubectl delete deployment nginx-app
deployment "nginx-app" deleted
kubectl get po -l app=nginx-app
# Return nothing
Note: When you use kubectl, you don't delete the pod directly. You have to first delete the Deployment that owns the pod. If you delete the pod directly, the Deployment recreates the pod.
docker login
There is no direct analog of docker login
in kubectl. If you are interested in using Kubernetes with a private registry, see Using a Private Registry.
docker version
To get the version of client and server, see kubectl version.
docker:
Client version: 1.7.0
Client API version: 1.19
Go version (client): go1.4.2
Git commit (client): 0baf609
OS/Arch (client): linux/amd64
Server version: 1.7.0
Server API version: 1.19
Go version (server): go1.4.2
Git commit (server): 0baf609
OS/Arch (server): linux/amd64
kubectl:
Client Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.9+a3d1dfa6f4335", GitCommit:"9b77fed11a9843ce3780f70dd251e92901c43072", GitTreeState:"dirty", BuildDate:"2017-08-29T20:32:58Z", OpenPaasKubernetesVersion:"v1.03.02", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"6", GitVersion:"v1.6.9+a3d1dfa6f4335", GitCommit:"9b77fed11a9843ce3780f70dd251e92901c43072", GitTreeState:"dirty", BuildDate:"2017-08-29T20:32:58Z", OpenPaasKubernetesVersion:"v1.03.02", GoVersion:"go1.7.5", Compiler:"gc", Platform:"linux/amd64"}
docker info
To get miscellaneous information about the environment and configuration, see kubectl cluster-info.
docker:
Containers: 40
Images: 168
Storage Driver: aufs
Root Dir: /usr/local/google/docker/aufs
Backing Filesystem: extfs
Dirs: 248
Dirperm1 Supported: false
Execution Driver: native-0.2
Logging Driver: json-file
Kernel Version: 3.13.0-53-generic
Operating System: Ubuntu 14.04.2 LTS
CPUs: 12
Total Memory: 31.32 GiB
Name: k8s-is-fun.mtv.corp.google.com
ID: ADUV:GCYR:B3VJ:HMPO:LNPQ:KD5S:YKFQ:76VN:IANZ:7TFV:ZBF4:BYJO
WARNING: No swap limit support
kubectl:
Kubernetes master is running at https://203.0.113.141
KubeDNS is running at https://203.0.113.141/api/v1/namespaces/kube-system/services/kube-dns/proxy
kubernetes-dashboard is running at https://203.0.113.141/api/v1/namespaces/kube-system/services/kubernetes-dashboard/proxy
Grafana is running at https://203.0.113.141/api/v1/namespaces/kube-system/services/monitoring-grafana/proxy
Heapster is running at https://203.0.113.141/api/v1/namespaces/kube-system/services/monitoring-heapster/proxy
InfluxDB is running at https://203.0.113.141/api/v1/namespaces/kube-system/services/monitoring-influxdb/proxy
7 - kubectl Usage Conventions
Recommended usage conventions for kubectl
.
Using kubectl
in Reusable Scripts
For a stable output in a script:
- Request one of the machine-oriented output forms, such as
-o name
, -o json
, -o yaml
, -o go-template
, or -o jsonpath
.
- Fully-qualify the version. For example,
jobs.v1.batch/myjob
. This will ensure that kubectl does not use its default version that can change over time.
- Don't rely on context, preferences, or other implicit states.
Subresources
- You can use the
--subresource
beta flag for kubectl commands like get
, patch
,
edit
and replace
to fetch and update subresources for all resources that
support them. Currently, only the status
and scale
subresources are supported.
- For
kubectl edit
, the scale
subresource is not supported. If you use --subresource
with
kubectl edit
and specify scale
as the subresource, the command will error out.
- The API contract against a subresource is identical to a full resource. While updating the
status
subresource to a new value, keep in mind that the subresource could be potentially
reconciled by a controller to a different value.
Best Practices
kubectl run
For kubectl run
to satisfy infrastructure as code:
- Tag the image with a version-specific tag and don't move that tag to a new version. For example, use
:v1234
, v1.2.3
, r03062016-1-4
, rather than :latest
(For more information, see Best Practices for Configuration).
- Check in the script for an image that is heavily parameterized.
- Switch to configuration files checked into source control for features that are needed, but not expressible via
kubectl run
flags.
You can use the --dry-run=client
flag to preview the object that would be sent to your cluster, without really submitting it.
kubectl apply
- You can use
kubectl apply
to create or update resources. For more information about using kubectl apply to update resources, see Kubectl Book.