openshift-cli-adm-policy-scc-subject-review man page

openshift cli adm policy scc-subject-review — Check whether a user or a ServiceAccount can create a Pod.

Synopsis

openshift cli adm policy scc-subject-review [Options]

Description

Check whether a User, Service Account or a Group can create a Pod. It returns a list of Security Context Constraints that will admit the resource. If User is specified but not Groups, it is interpreted as "What if User is not a member of any groups". If User and Groups are empty, then the check is performed using the current user.

Options

--allow-missing-template-keys=true

If true, ignore any errors in templates when a field or map key is missing in the template. Only applies to golang and jsonpath output formats.

-f, --filename=[]

Filename, directory, or URL to a file identifying the resource to get from a server.

-g, --groups=[]

Comma-separated list of groups. Review will be performed on behalf of these groups.

--no-headers=false

When using the default or custom-column output format, don't print headers (default print headers).

-o, --output=""

Output format. One of: json|yaml|wide|name|custom-columns=...|custom-columns-file=...|go-template=...|go-template-file=...|jsonpath=...|jsonpath-file=... See custom columns [ ⟨http://kubernetes.io/docs/user-guide/kubectl-overview/#custom-columns⟩], golang template [ ⟨http://golang.org/pkg/text/template/#pkg-overview⟩] and jsonpath template [ ⟨http://kubernetes.io/docs/user-guide/jsonpath⟩].

-R, --recursive=false

Process the directory used in -f, --filename recursively. Useful when you want to manage related manifests organized within the same directory.

-z, --serviceaccount=""

Service account in the current namespace to use as a user.

-a, --show-all=true

When printing, show all resources (false means hide terminated pods.)

--show-labels=false

When printing, show all labels as the last column (default hide labels column)

--sort-by=""

If non-empty, sort list types using this field specification.  The field specification is expressed as a JSONPath expression (e.g. '{.metadata.name}'). The field in the API resource specified by this JSONPath expression must be an integer or a string.

--template=""

Template string or path to template file to use when -o=go-template, -o=go-template-file. The template format is golang templates [ ⟨http://golang.org/pkg/text/template/#pkg-overview⟩].

-u, --user=""

Review will be performed on behalf of this user.

Options Inherited from Parent Commands

--api-version=""

DEPRECATED: The API version to use when talking to the server

--as=""

Username to impersonate for the operation

--azure-container-registry-config=""

Path to the file containing Azure container registry configuration information.

--certificate-authority=""

Path to a cert. file for the certificate authority

--client-certificate=""

Path to a client certificate file for TLS

--client-key=""

Path to a client key file for TLS

--cluster=""

The name of the kubeconfig cluster to use

--config=""

Path to the config file to use for CLI requests.

--context=""

The name of the kubeconfig context to use

--google-json-key=""

The Google Cloud Platform Service Account JSON Key to use for authentication.

--insecure-skip-tls-verify=false

If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure.

--log-flush-frequency=0

Maximum number of seconds between log flushes

--match-server-version=false

Require server version to match client version

-n, --namespace=""

If present, the namespace scope for this CLI request

--request-timeout="0"

The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests.

--server=""

The address and port of the Kubernetes API server

--token=""

Bearer token for authentication to the API server

Example

  # Check whether user bob can create a pod specified in myresource.yaml
  $ openshift cli adm policy scc-subject-review -u bob -f myresource.yaml
  
  # Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
  $ openshift cli adm policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml
  
  # Check whether ServiceAccount specified in podTemplateSpec in myresourcewithsa.yaml can create the Pod
  $ openshift cli adm policy scc-subject-review -f myresourcewithsa.yaml
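
The review result can gate a deployment pipeline so that pods are only accepted when a least-privilege SCC admits them. The script below is an added example, not part of this man page or the OpenShift project: scc_gate and sample_review_output are hypothetical helpers, the sample rows are constructed, and the two-column output layout with "<none>" for an unadmitted resource is an assumption.

```shell
#!/bin/sh
# Added example, not part of the man page.
# Assumption: the default output is a header row followed by
# "<Kind>/<name>  <SCC name>" rows, with "<none>" when no SCC admits the pod.

# scc_gate SCC...  (hypothetical helper)
# Reads review output on stdin; exits 1 if any resource is admitted by an SCC
# outside the allow-list given as arguments, or by no SCC at all.
scc_gate() {
    awk -v allowed=" $* " '
        $1 == "RESOURCE" || NF < 2 { next }   # header row or blank line
        {
            res = $1; scc = $2
            if (scc == "<none>") {
                printf "DENIED   %s: no SCC admits this pod\n", res; bad++
            } else if (index(allowed, " " scc " ") == 0) {
                printf "TOO-OPEN %s: admitted by %s\n", res, scc; bad++
            }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample output, standing in for a live cluster.
sample_review_output() {
    cat <<'EOF'
RESOURCE             ALLOWED BY
Pod/web              restricted
Deployment/builder   privileged
Job/migrate          <none>
EOF
}

# Against a cluster, using only flags documented above:
#   openshift cli adm policy scc-subject-review -z builder -R -f manifests/ | scc_gate restricted
sample_review_output | scc_gate restricted || echo "gate failed"
```

Because -u without -g is evaluated as a user with no group memberships, pass the groups the workload identity really has, otherwise the gate reports a stricter result than the cluster would enforce.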

See Also

openshift-cli-adm-policy(1)

History

June 2016, Ported from the Kubernetes man-doc generator

Referenced By

openshift-cli-adm-policy(1).

Openshift CLI User Manuals June 2016