oc-policy-scc-subject-review - Man Page
Check whether a user or a ServiceAccount can create a Pod.
Synopsis
oc policy scc-subject-review [Options]
Description
Check whether a User, Service Account or Group can create a Pod. It returns the Security Context Constraints that will admit the resource. If a User is specified but no Groups, the check is interpreted as "What if User is not a member of any groups?". If User and Groups are both empty, the check is performed as the current user.
Options
- --allow-missing-template-keys=true
If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.
- -f, --filename=[]
Filename, directory, or URL to a file identifying the resource to get from a server.
- -g, --groups=[]
Comma-separated list of groups. The review is performed on behalf of these groups.
- --no-headers=false
When using the default or custom-column output format, don't print headers (default print headers).
- -o, --output=""
Output format. One of: json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=... See custom columns (http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns), golang template (http://golang.org/pkg/text/template/#pkg-overview) and jsonpath template (http://kubernetes.io/docs/user-guide/jsonpath).
- -R, --recursive=false
Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.
- -z, --serviceaccount=""
Service account in the current namespace to use as the user.
- --show-labels=false
When printing, show all labels as the last column (default hide labels column)
- --sort-by=""
If non-empty, sort list types using this field specification. The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string.
- --template=""
Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates (http://golang.org/pkg/text/template/#pkg-overview).
Options Inherited from Parent Commands
- --allow_verification_with_non_compliant_keys=false
Allow a SignatureVerifier to use keys which are technically non-compliant with RFC6962.
- --alsologtostderr=false
log to standard error as well as files
- --application_metrics_count_limit=100
Max number of application metrics to store (per container)
- --as=""
Username to impersonate for the operation
- --as-group=[]
Group to impersonate for the operation. This flag can be repeated to specify multiple groups.
- --azure-container-registry-config=""
Path to the file containing Azure container registry configuration information.
- --boot_id_file="/proc/sys/kernel/random/boot_id"
Comma-separated list of files to check for boot-id. Use the first one that exists.
- --cache-dir="/builddir/.kube/http-cache"
Default HTTP cache directory
- --certificate-authority=""
Path to a cert file for the certificate authority
- --client-certificate=""
Path to a client certificate file for TLS
- --client-key=""
Path to a client key file for TLS
- --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
CIDRs opened in GCE firewall for LB traffic proxy health checks
- --cluster=""
The name of the kubeconfig cluster to use
- --container_hints="/etc/cadvisor/container_hints.json"
location of the container hints file
- --containerd="unix:///var/run/containerd.sock"
containerd endpoint
- --context=""
The name of the kubeconfig context to use
- --default-not-ready-toleration-seconds=300
Indicates the tolerationSeconds of the toleration for notReady:NoExecute that is added by default to every pod that does not already have such a toleration.
- --default-unreachable-toleration-seconds=300
Indicates the tolerationSeconds of the toleration for unreachable:NoExecute that is added by default to every pod that does not already have such a toleration.
- --docker="unix:///var/run/docker.sock"
docker endpoint
- --docker-tls=false
use TLS to connect to docker
- --docker-tls-ca="ca.pem"
path to trusted CA
- --docker-tls-cert="cert.pem"
path to client certificate
- --docker-tls-key="key.pem"
path to private key
- --docker_env_metadata_whitelist=""
a comma-separated list of environment variable keys that need to be collected for docker containers
- --docker_only=false
Only report docker containers in addition to root stats
- --docker_root="/var/lib/docker"
DEPRECATED: docker root is read from docker info (this is a fallback, default: /var/lib/docker)
- --enable_load_reader=false
Whether to enable cpu load reader
- --event_storage_age_limit="default=24h"
Max length of time for which to store events (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or "default" and the value is a duration. Default is applied to all non-specified event types
- --event_storage_event_limit="default=100000"
Max number of events to store (per type). Value is a comma separated list of key values, where the keys are event types (e.g.: creation, oom) or "default" and the value is an integer. Default is applied to all non-specified event types
- --global_housekeeping_interval=0
Interval between global housekeepings
- --housekeeping_interval=0
Interval between container housekeepings
- --insecure-skip-tls-verify=false
If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
- --kubeconfig=""
Path to the kubeconfig file to use for CLI requests.
- --log-flush-frequency=0
Maximum number of seconds between log flushes
- --log_backtrace_at=:0
when logging hits line file:N, emit a stack trace
- --log_cadvisor_usage=false
Whether to log the usage of the cAdvisor container
- --log_dir=""
If non-empty, write log files in this directory
- --logtostderr=true
log to standard error instead of files
- --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
Comma-separated list of files to check for machine-id. Use the first one that exists.
- --match-server-version=false
Require server version to match client version
- -n, --namespace=""
If present, the namespace scope for this CLI request
- --request-timeout="0"
The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.
- -s, --server=""
The address and port of the Kubernetes API server
- --stderrthreshold=2
logs at or above this threshold go to stderr
- --storage_driver_buffer_duration=0
Writes in the storage driver will be buffered for this duration, and committed to the non memory backends as a single transaction
- --storage_driver_db="cadvisor"
database name
- --storage_driver_host="localhost:8086"
database host:port
- --storage_driver_password="root"
database password
- --storage_driver_secure=false
use secure connection with database
- --storage_driver_table="stats"
table name
- --storage_driver_user="root"
database username
- --token=""
Bearer token for authentication to the API server
- --user=""
The name of the kubeconfig user to use
- -v, --v=0
log level for V logs
- --version=false
Print version information and quit
- --vmodule=
comma-separated list of pattern=N settings for file-filtered logging
Example
# Check whether user bob can create a pod specified in myresource.yaml
$ oc policy scc-subject-review -u bob -f myresource.yaml

# Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
$ oc policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml

# Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod
$ oc policy scc-subject-review -f myresourcewithsa.yaml
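An added audit helper built around this command (example code, not part of the oc project or this man page): it assembles the invocation from the flags documented above, reads the review rendered with -o json, and flags any subject that is admitted by a permissive SCC. It assumes the JSON review object reports its decision as an object reference in status.allowedBy and that the PERMISSIVE_SCCS set matches the cluster's own SCC names; running audit() needs a logged-in oc session, while the parsing works offline on the constructed sample.

```python
import json
import subprocess
from typing import Dict, List, Optional

# SCCs whose admission of a workload is worth a finding (assumed list; tune per cluster).
PERMISSIVE_SCCS = {"privileged", "anyuid", "hostaccess", "hostnetwork", "hostmount-anyuid"}

# Constructed sample of a review rendered with -o json (not captured from a cluster).
SAMPLE_REVIEW = json.dumps({"kind": "PodSecurityPolicySubjectReview",
                            "spec": {"user": "bob", "groups": ["projectAdmin"]},
                            "status": {"allowedBy": {"kind": "SecurityContextConstraints",
                                                     "name": "anyuid"}}})

def review_command(manifest: str, user: Optional[str] = None, groups: Optional[List[str]] = None,
                   serviceaccount: Optional[str] = None, namespace: Optional[str] = None) -> List[str]:
    """Build the oc invocation from the flags documented on this man page."""
    cmd = ["oc", "policy", "scc-subject-review", "-f", manifest, "-o", "json"]
    if user:
        cmd += ["-u", user]
    if groups:
        cmd += ["-g", ",".join(groups)]  # -g takes a comma-separated list
    if serviceaccount:
        cmd += ["-z", serviceaccount]
    if namespace:
        cmd += ["-n", namespace]
    return cmd

def admitting_scc(review_json: str) -> Optional[str]:
    """Name of the SCC that admits the pod, or None when nothing admits it.
    Assumes the decision is an object reference in status.allowedBy."""
    allowed_by = json.loads(review_json).get("status", {}).get("allowedBy")
    return allowed_by.get("name") if allowed_by else None

def classify(scc: Optional[str]) -> str:
    """Audit verdict: denied, ok, or finding (admitted by a permissive SCC)."""
    if scc is None:
        return "denied"
    return "finding" if scc in PERMISSIVE_SCCS else "ok"

def audit(manifest: str, subjects: List[dict], namespace: Optional[str] = None) -> Dict[str, str]:
    """One review per subject, e.g. {"user": "bob", "groups": ["projectAdmin"]} or
    {"serviceaccount": "builder"}; an empty dict reviews the current user. Needs a logged-in oc."""
    verdicts: Dict[str, str] = {}
    for subj in subjects:
        cmd = review_command(manifest, namespace=namespace, **subj)
        out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
        scc = admitting_scc(out)
        label = subj.get("serviceaccount") or subj.get("user") or "current user"
        verdicts[label] = f"{classify(scc)} ({scc or 'no SCC'})"
    return verdicts
```

A "finding" verdict means the manifest is only admitted because the subject is bound to an SCC that relaxes host or UID controls, which is the case to review before granting that subject the ability to create the pod.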
See Also
History
June 2016, Ported from the Kubernetes man-doc generator