mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
1057 lines
31 KiB
Plaintext
1057 lines
31 KiB
Plaintext
// NOTE: The contents of this file are auto-generated
|
|
// This template is for admin ('oc adm ...') commands
|
|
// Uses 'source,bash' for proper syntax highlighting for comments in examples
|
|
|
|
:_mod-docs-content-type: REFERENCE
|
|
[id="openshift-cli-admin_{context}"]
|
|
= OpenShift CLI (oc) administrator commands
|
|
|
|
|
|
|
|
== oc adm build-chain
|
|
Output the inputs and dependencies of your builds
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Build the dependency tree for the 'latest' tag in <image-stream>
|
|
oc adm build-chain <image-stream>
|
|
|
|
# Build the dependency tree for the 'v2' tag in dot format and visualize it via the dot utility
|
|
oc adm build-chain <image-stream>:v2 -o dot | dot -T svg -o deps.svg
|
|
|
|
# Build the dependency tree across all namespaces for the specified image stream tag found in the 'test' namespace
|
|
oc adm build-chain <image-stream> -n test --all
|
|
----
|
|
|
|
|
|
|
|
== oc adm catalog mirror
|
|
Mirror an operator-registry catalog
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Mirror an operator-registry image and its contents to a registry
|
|
oc adm catalog mirror quay.io/my/image:latest myregistry.com
|
|
|
|
# Mirror an operator-registry image and its contents to a particular namespace in a registry
|
|
oc adm catalog mirror quay.io/my/image:latest myregistry.com/my-namespace
|
|
|
|
# Mirror to an airgapped registry by first mirroring to files
|
|
oc adm catalog mirror quay.io/my/image:latest file:///local/index
|
|
oc adm catalog mirror file:///local/index/my/image:latest my-airgapped-registry.com
|
|
|
|
# Configure a cluster to use a mirrored registry
|
|
oc apply -f manifests/imageDigestMirrorSet.yaml
|
|
|
|
# Edit the mirroring mappings and mirror with "oc image mirror" manually
|
|
oc adm catalog mirror --manifests-only quay.io/my/image:latest myregistry.com
|
|
oc image mirror -f manifests/mapping.txt
|
|
|
|
# Delete all ImageDigestMirrorSets generated by oc adm catalog mirror
|
|
oc delete imagedigestmirrorset -l operators.openshift.org/catalog=true
|
|
----
|
|
|
|
|
|
|
|
== oc adm certificate approve
|
|
Approve a certificate signing request
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Approve CSR 'csr-sqgzp'
|
|
oc adm certificate approve csr-sqgzp
|
|
----
|
|
|
|
|
|
|
|
== oc adm certificate deny
|
|
Deny a certificate signing request
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Deny CSR 'csr-sqgzp'
|
|
oc adm certificate deny csr-sqgzp
|
|
----
|
|
|
|
|
|
|
|
== oc adm copy-to-node
|
|
Copy specified files to the node
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Copy a new bootstrap kubeconfig file to node-0
|
|
oc adm copy-to-node --copy=new-bootstrap-kubeconfig=/etc/kubernetes/kubeconfig node/node-0
|
|
----
|
|
|
|
|
|
|
|
== oc adm cordon
|
|
Mark node as unschedulable
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Mark node "foo" as unschedulable
|
|
oc adm cordon foo
|
|
----
|
|
|
|
|
|
|
|
== oc adm create-bootstrap-project-template
|
|
Create a bootstrap project template
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Output a bootstrap project template in YAML format to stdout
|
|
oc adm create-bootstrap-project-template -o yaml
|
|
----
|
|
|
|
|
|
|
|
== oc adm create-error-template
|
|
Create an error page template
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Output a template for the error page to stdout
|
|
oc adm create-error-template
|
|
----
|
|
|
|
|
|
|
|
== oc adm create-login-template
|
|
Create a login template
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Output a template for the login page to stdout
|
|
oc adm create-login-template
|
|
----
|
|
|
|
|
|
|
|
== oc adm create-provider-selection-template
|
|
Create a provider selection template
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Output a template for the provider selection page to stdout
|
|
oc adm create-provider-selection-template
|
|
----
|
|
|
|
|
|
|
|
== oc adm drain
|
|
Drain node in preparation for maintenance
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Drain node "foo", even if there are pods not managed by a replication controller, replica set, job, daemon set, or stateful set on it
|
|
oc adm drain foo --force
|
|
|
|
# As above, but abort if there are pods not managed by a replication controller, replica set, job, daemon set, or stateful set, and use a grace period of 15 minutes
|
|
oc adm drain foo --grace-period=900
|
|
----
|
|
|
|
|
|
|
|
== oc adm groups add-users
|
|
Add users to a group
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Add user1 and user2 to my-group
|
|
oc adm groups add-users my-group user1 user2
|
|
----
|
|
|
|
|
|
|
|
== oc adm groups new
|
|
Create a new group
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Add a group with no users
|
|
oc adm groups new my-group
|
|
|
|
# Add a group with two users
|
|
oc adm groups new my-group user1 user2
|
|
|
|
# Add a group with one user and shorter output
|
|
oc adm groups new my-group user1 -o name
|
|
----
|
|
|
|
|
|
|
|
== oc adm groups prune
|
|
Remove old OpenShift groups referencing missing records from an external provider
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Prune all orphaned groups
|
|
oc adm groups prune --sync-config=/path/to/ldap-sync-config.yaml --confirm
|
|
|
|
# Prune all orphaned groups except the ones from the denylist file
|
|
oc adm groups prune --blacklist=/path/to/denylist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
|
|
|
|
# Prune all orphaned groups from a list of specific groups specified in an allowlist file
|
|
oc adm groups prune --whitelist=/path/to/allowlist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
|
|
|
|
# Prune all orphaned groups from a list of specific groups specified in a list
|
|
oc adm groups prune groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm
|
|
----
|
|
|
|
|
|
|
|
== oc adm groups remove-users
|
|
Remove users from a group
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Remove user1 and user2 from my-group
|
|
oc adm groups remove-users my-group user1 user2
|
|
----
|
|
|
|
|
|
|
|
== oc adm groups sync
|
|
Sync OpenShift groups with records from an external provider
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Sync all groups with an LDAP server
|
|
oc adm groups sync --sync-config=/path/to/ldap-sync-config.yaml --confirm
|
|
|
|
# Sync all groups except the ones from the blacklist file with an LDAP server
|
|
oc adm groups sync --blacklist=/path/to/blacklist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
|
|
|
|
# Sync specific groups specified in an allowlist file with an LDAP server
|
|
oc adm groups sync --whitelist=/path/to/allowlist.txt --sync-config=/path/to/sync-config.yaml --confirm
|
|
|
|
# Sync all OpenShift groups that have been synced previously with an LDAP server
|
|
oc adm groups sync --type=openshift --sync-config=/path/to/ldap-sync-config.yaml --confirm
|
|
|
|
# Sync specific OpenShift groups if they have been synced previously with an LDAP server
|
|
oc adm groups sync groups/group1 groups/group2 groups/group3 --sync-config=/path/to/sync-config.yaml --confirm
|
|
----
|
|
|
|
|
|
|
|
== oc adm inspect
|
|
Collect debugging data for a given resource
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Collect debugging data for the "openshift-apiserver" clusteroperator
|
|
oc adm inspect clusteroperator/openshift-apiserver
|
|
|
|
# Collect debugging data for the "openshift-apiserver" and "kube-apiserver" clusteroperators
|
|
oc adm inspect clusteroperator/openshift-apiserver clusteroperator/kube-apiserver
|
|
|
|
# Collect debugging data for all clusteroperators
|
|
oc adm inspect clusteroperator
|
|
|
|
# Collect debugging data for all clusteroperators and clusterversions
|
|
oc adm inspect clusteroperators,clusterversions
|
|
----
|
|
|
|
|
|
|
|
== oc adm migrate icsp
|
|
Update imagecontentsourcepolicy file(s) to imagedigestmirrorset file(s)
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Update the imagecontentsourcepolicy.yaml file to a new imagedigestmirrorset file under the mydir directory
|
|
oc adm migrate icsp imagecontentsourcepolicy.yaml --dest-dir mydir
|
|
----
|
|
|
|
|
|
|
|
== oc adm migrate template-instances
|
|
Update template instances to point to the latest group-version-kinds
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Perform a dry-run of updating all objects
|
|
oc adm migrate template-instances
|
|
|
|
# To actually perform the update, the confirm flag must be appended
|
|
oc adm migrate template-instances --confirm
|
|
----
|
|
|
|
|
|
|
|
== oc adm must-gather
|
|
Launch a new instance of a pod for gathering debug information
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Gather information using the default plug-in image and command, writing into ./must-gather.local.<rand>
|
|
oc adm must-gather
|
|
|
|
# Gather information with a specific local folder to copy to
|
|
oc adm must-gather --dest-dir=/local/directory
|
|
|
|
# Gather audit information
|
|
oc adm must-gather -- /usr/bin/gather_audit_logs
|
|
|
|
# Gather information using multiple plug-in images
|
|
oc adm must-gather --image=quay.io/kubevirt/must-gather --image=quay.io/openshift/origin-must-gather
|
|
|
|
# Gather information using a specific image stream plug-in
|
|
oc adm must-gather --image-stream=openshift/must-gather:latest
|
|
|
|
# Gather information using a specific image, command, and pod directory
|
|
oc adm must-gather --image=my/image:tag --source-dir=/pod/directory -- myspecial-command.sh
|
|
----
|
|
|
|
|
|
|
|
== oc adm new-project
|
|
Create a new project
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Create a new project using a node selector
|
|
oc adm new-project myproject --node-selector='type=user-node,region=east'
|
|
----
|
|
|
|
|
|
|
|
== oc adm node-image create
|
|
Create an ISO image for booting the nodes to be added to the target cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Create the ISO image and download it in the current folder
|
|
oc adm node-image create
|
|
|
|
# Use a different assets folder
|
|
oc adm node-image create --dir=/tmp/assets
|
|
|
|
# Specify a custom image name
|
|
oc adm node-image create -o=my-node.iso
|
|
|
|
# In place of an ISO, creates files that can be used for PXE boot
|
|
oc adm node-image create --pxe
|
|
|
|
# Create an ISO to add a single node without using the configuration file
|
|
oc adm node-image create --mac-address=00:d8:e7:c7:4b:bb
|
|
|
|
# Create an ISO to add a single node with a root device hint and without
|
|
# using the configuration file
|
|
oc adm node-image create --mac-address=00:d8:e7:c7:4b:bb --root-device-hint=deviceName:/dev/sda
|
|
----
|
|
|
|
|
|
|
|
== oc adm node-image monitor
|
|
Monitor new nodes being added to an OpenShift cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Monitor a single node being added to a cluster
|
|
oc adm node-image monitor --ip-addresses 192.168.111.83
|
|
|
|
# Monitor multiple nodes being added to a cluster by separating each
|
|
# IP address with a comma
|
|
oc adm node-image monitor --ip-addresses 192.168.111.83,192.168.111.84
|
|
----
|
|
|
|
|
|
|
|
== oc adm node-logs
|
|
Display and filter node logs
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Show kubelet logs from all control plane nodes
|
|
oc adm node-logs --role master -u kubelet
|
|
|
|
# See what logs are available in control plane nodes in /var/log
|
|
oc adm node-logs --role master --path=/
|
|
|
|
# Display cron log file from all control plane nodes
|
|
oc adm node-logs --role master --path=cron
|
|
----
|
|
|
|
|
|
|
|
== oc adm ocp-certificates monitor-certificates
|
|
Watch platform certificates
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Watch platform certificates
|
|
oc adm ocp-certificates monitor-certificates
|
|
----
|
|
|
|
|
|
|
|
== oc adm ocp-certificates regenerate-leaf
|
|
Regenerate client and serving certificates of an OpenShift cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Regenerate a leaf certificate contained in a particular secret
|
|
oc adm ocp-certificates regenerate-leaf -n openshift-config-managed secret/kube-controller-manager-client-cert-key
|
|
----
|
|
|
|
|
|
|
|
== oc adm ocp-certificates regenerate-machine-config-server-serving-cert
|
|
Regenerate the machine config operator certificates in an OpenShift cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Regenerate the MCO certs without modifying user-data secrets
|
|
oc adm ocp-certificates regenerate-machine-config-server-serving-cert --update-ignition=false
|
|
|
|
# Update the user-data secrets to use new MCS certs
|
|
oc adm ocp-certificates update-ignition-ca-bundle-for-machine-config-server
|
|
----
|
|
|
|
|
|
|
|
== oc adm ocp-certificates regenerate-top-level
|
|
Regenerate the top level certificates in an OpenShift cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Regenerate the signing certificate contained in a particular secret
|
|
oc adm ocp-certificates regenerate-top-level -n openshift-kube-apiserver-operator secret/loadbalancer-serving-signer-key
|
|
----
|
|
|
|
|
|
|
|
== oc adm ocp-certificates remove-old-trust
|
|
Remove old CAs from ConfigMaps representing platform trust bundles in an OpenShift cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Remove a trust bundled contained in a particular config map
|
|
oc adm ocp-certificates remove-old-trust -n openshift-config-managed configmaps/kube-apiserver-aggregator-client-ca --created-before 2023-06-05T14:44:06Z
|
|
|
|
# Remove only CA certificates created before a certain date from all trust bundles
|
|
oc adm ocp-certificates remove-old-trust configmaps -A --all --created-before 2023-06-05T14:44:06Z
|
|
----
|
|
|
|
|
|
|
|
== oc adm ocp-certificates update-ignition-ca-bundle-for-machine-config-server
|
|
Update user-data secrets in an OpenShift cluster to use updated MCO certfs
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Regenerate the MCO certs without modifying user-data secrets
|
|
oc adm ocp-certificates regenerate-machine-config-server-serving-cert --update-ignition=false
|
|
|
|
# Update the user-data secrets to use new MCS certs
|
|
oc adm ocp-certificates update-ignition-ca-bundle-for-machine-config-server
|
|
----
|
|
|
|
|
|
|
|
== oc adm policy add-cluster-role-to-group
|
|
Add a role to groups for all projects in the cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Add the 'cluster-admin' cluster role to the 'cluster-admins' group
|
|
oc adm policy add-cluster-role-to-group cluster-admin cluster-admins
|
|
----
|
|
|
|
|
|
|
|
== oc adm policy add-cluster-role-to-user
|
|
Add a role to users for all projects in the cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Add the 'system:build-strategy-docker' cluster role to the 'devuser' user
|
|
oc adm policy add-cluster-role-to-user system:build-strategy-docker devuser
|
|
----
|
|
|
|
|
|
|
|
== oc adm policy add-role-to-user
|
|
Add a role to users or service accounts for the current project
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Add the 'view' role to user1 for the current project
|
|
oc adm policy add-role-to-user view user1
|
|
|
|
# Add the 'edit' role to serviceaccount1 for the current project
|
|
oc adm policy add-role-to-user edit -z serviceaccount1
|
|
----
|
|
|
|
|
|
|
|
== oc adm policy add-scc-to-group
|
|
Add a security context constraint to groups
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Add the 'restricted' security context constraint to group1 and group2
|
|
oc adm policy add-scc-to-group restricted group1 group2
|
|
----
|
|
|
|
|
|
|
|
== oc adm policy add-scc-to-user
|
|
Add a security context constraint to users or a service account
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Add the 'restricted' security context constraint to user1 and user2
|
|
oc adm policy add-scc-to-user restricted user1 user2
|
|
|
|
# Add the 'privileged' security context constraint to serviceaccount1 in the current namespace
|
|
oc adm policy add-scc-to-user privileged -z serviceaccount1
|
|
----
|
|
|
|
|
|
|
|
== oc adm policy remove-cluster-role-from-group
|
|
Remove a role from groups for all projects in the cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Remove the 'cluster-admin' cluster role from the 'cluster-admins' group
|
|
oc adm policy remove-cluster-role-from-group cluster-admin cluster-admins
|
|
----
|
|
|
|
|
|
|
|
== oc adm policy remove-cluster-role-from-user
|
|
Remove a role from users for all projects in the cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Remove the 'system:build-strategy-docker' cluster role from the 'devuser' user
|
|
oc adm policy remove-cluster-role-from-user system:build-strategy-docker devuser
|
|
----
|
|
|
|
|
|
|
|
== oc adm policy scc-review
|
|
Check which service account can create a pod
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Check whether service accounts sa1 and sa2 can admit a pod with a template pod spec specified in my_resource.yaml
|
|
# Service Account specified in myresource.yaml file is ignored
|
|
oc adm policy scc-review -z sa1,sa2 -f my_resource.yaml
|
|
|
|
# Check whether service accounts system:serviceaccount:bob:default can admit a pod with a template pod spec specified in my_resource.yaml
|
|
oc adm policy scc-review -z system:serviceaccount:bob:default -f my_resource.yaml
|
|
|
|
# Check whether the service account specified in my_resource_with_sa.yaml can admit the pod
|
|
oc adm policy scc-review -f my_resource_with_sa.yaml
|
|
|
|
# Check whether the default service account can admit the pod; default is taken since no service account is defined in myresource_with_no_sa.yaml
|
|
oc adm policy scc-review -f myresource_with_no_sa.yaml
|
|
----
|
|
|
|
|
|
|
|
== oc adm policy scc-subject-review
|
|
Check whether a user or a service account can create a pod
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Check whether user bob can create a pod specified in myresource.yaml
|
|
oc adm policy scc-subject-review -u bob -f myresource.yaml
|
|
|
|
# Check whether user bob who belongs to projectAdmin group can create a pod specified in myresource.yaml
|
|
oc adm policy scc-subject-review -u bob -g projectAdmin -f myresource.yaml
|
|
|
|
# Check whether a service account specified in the pod template spec in myresourcewithsa.yaml can create the pod
|
|
oc adm policy scc-subject-review -f myresourcewithsa.yaml
|
|
----
|
|
|
|
|
|
|
|
== oc adm prune builds
|
|
Remove old completed and failed builds
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Dry run deleting older completed and failed builds and also including
|
|
# all builds whose associated build config no longer exists
|
|
oc adm prune builds --orphans
|
|
|
|
# To actually perform the prune operation, the confirm flag must be appended
|
|
oc adm prune builds --orphans --confirm
|
|
----
|
|
|
|
|
|
|
|
== oc adm prune deployments
|
|
Remove old completed and failed deployment configs
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Dry run deleting all but the last complete deployment for every deployment config
|
|
oc adm prune deployments --keep-complete=1
|
|
|
|
# To actually perform the prune operation, the confirm flag must be appended
|
|
oc adm prune deployments --keep-complete=1 --confirm
|
|
----
|
|
|
|
|
|
|
|
== oc adm prune groups
|
|
Remove old OpenShift groups referencing missing records from an external provider
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Prune all orphaned groups
|
|
oc adm prune groups --sync-config=/path/to/ldap-sync-config.yaml --confirm
|
|
|
|
# Prune all orphaned groups except the ones from the denylist file
|
|
oc adm prune groups --blacklist=/path/to/denylist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
|
|
|
|
# Prune all orphaned groups from a list of specific groups specified in an allowlist file
|
|
oc adm prune groups --whitelist=/path/to/allowlist.txt --sync-config=/path/to/ldap-sync-config.yaml --confirm
|
|
|
|
# Prune all orphaned groups from a list of specific groups specified in a list
|
|
oc adm prune groups groups/group_name groups/other_name --sync-config=/path/to/ldap-sync-config.yaml --confirm
|
|
----
|
|
|
|
|
|
|
|
== oc adm prune images
|
|
Remove unreferenced images
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# See what the prune command would delete if only images and their referrers were more than an hour old
|
|
# and obsoleted by 3 newer revisions under the same tag were considered
|
|
oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m
|
|
|
|
# To actually perform the prune operation, the confirm flag must be appended
|
|
oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm
|
|
|
|
# See what the prune command would delete if we are interested in removing images
|
|
# exceeding currently set limit ranges ('openshift.io/Image')
|
|
oc adm prune images --prune-over-size-limit
|
|
|
|
# To actually perform the prune operation, the confirm flag must be appended
|
|
oc adm prune images --prune-over-size-limit --confirm
|
|
|
|
# Force the insecure HTTP protocol with the particular registry host name
|
|
oc adm prune images --registry-url=http://registry.example.org --confirm
|
|
|
|
# Force a secure connection with a custom certificate authority to the particular registry host name
|
|
oc adm prune images --registry-url=registry.example.org --certificate-authority=/path/to/custom/ca.crt --confirm
|
|
----
|
|
|
|
|
|
|
|
== oc adm prune renderedmachineconfigs
|
|
Prunes rendered MachineConfigs in an OpenShift cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# See what the prune command would delete if run with no options
|
|
oc adm prune renderedmachineconfigs
|
|
|
|
# To actually perform the prune operation, the confirm flag must be appended
|
|
oc adm prune renderedmachineconfigs --confirm
|
|
|
|
# See what the prune command would delete if run on the worker MachineConfigPool
|
|
oc adm prune renderedmachineconfigs --pool-name=worker
|
|
|
|
# Prunes 10 oldest rendered MachineConfigs in the cluster
|
|
oc adm prune renderedmachineconfigs --count=10 --confirm
|
|
|
|
# Prunes 10 oldest rendered MachineConfigs in the cluster for the worker MachineConfigPool
|
|
oc adm prune renderedmachineconfigs --count=10 --pool-name=worker --confirm
|
|
----
|
|
|
|
|
|
|
|
== oc adm prune renderedmachineconfigs list
|
|
Lists rendered MachineConfigs in an OpenShift cluster
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# List all rendered MachineConfigs for the worker MachineConfigPool in the cluster
|
|
oc adm prune renderedmachineconfigs list --pool-name=worker
|
|
|
|
# List all rendered MachineConfigs in use by the cluster's MachineConfigPools
|
|
oc adm prune renderedmachineconfigs list --in-use
|
|
----
|
|
|
|
|
|
|
|
== oc adm reboot-machine-config-pool
|
|
Initiate reboot of the specified MachineConfigPool
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Reboot all MachineConfigPools
|
|
oc adm reboot-machine-config-pool mcp/worker mcp/master
|
|
|
|
# Reboot all MachineConfigPools that inherit from worker. This include all custom MachineConfigPools and infra.
|
|
oc adm reboot-machine-config-pool mcp/worker
|
|
|
|
# Reboot masters
|
|
oc adm reboot-machine-config-pool mcp/master
|
|
----
|
|
|
|
|
|
|
|
== oc adm release extract
|
|
Extract the contents of an update payload to disk
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Use git to check out the source code for the current cluster release to DIR
|
|
oc adm release extract --git=DIR
|
|
|
|
# Extract cloud credential requests for AWS
|
|
oc adm release extract --credentials-requests --cloud=aws
|
|
|
|
# Use git to check out the source code for the current cluster release to DIR from linux/s390x image
|
|
# Note: Wildcard filter is not supported; pass a single os/arch to extract
|
|
oc adm release extract --git=DIR quay.io/openshift-release-dev/ocp-release:4.11.2 --filter-by-os=linux/s390x
|
|
----
|
|
|
|
|
|
|
|
== oc adm release info
|
|
Display information about a release
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Show information about the cluster's current release
|
|
oc adm release info
|
|
|
|
# Show the source code that comprises a release
|
|
oc adm release info 4.11.2 --commit-urls
|
|
|
|
# Show the source code difference between two releases
|
|
oc adm release info 4.11.0 4.11.2 --commits
|
|
|
|
# Show where the images referenced by the release are located
|
|
oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.2 --pullspecs
|
|
|
|
# Show information about linux/s390x image
|
|
# Note: Wildcard filter is not supported; pass a single os/arch to extract
|
|
oc adm release info quay.io/openshift-release-dev/ocp-release:4.11.2 --filter-by-os=linux/s390x
|
|
----
|
|
|
|
|
|
|
|
== oc adm release mirror
|
|
Mirror a release to a different image registry location
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Perform a dry run showing what would be mirrored, including the mirror objects
|
|
oc adm release mirror 4.11.0 --to myregistry.local/openshift/release \
|
|
--release-image-signature-to-dir /tmp/releases --dry-run
|
|
|
|
# Mirror a release into the current directory
|
|
oc adm release mirror 4.11.0 --to file://openshift/release \
|
|
--release-image-signature-to-dir /tmp/releases
|
|
|
|
# Mirror a release to another directory in the default location
|
|
oc adm release mirror 4.11.0 --to-dir /tmp/releases
|
|
|
|
# Upload a release from the current directory to another server
|
|
oc adm release mirror --from file://openshift/release --to myregistry.com/openshift/release \
|
|
--release-image-signature-to-dir /tmp/releases
|
|
|
|
# Mirror the 4.11.0 release to repository registry.example.com and apply signatures to connected cluster
|
|
oc adm release mirror --from=quay.io/openshift-release-dev/ocp-release:4.11.0-x86_64 \
|
|
--to=registry.example.com/your/repository --apply-release-image-signature
|
|
----
|
|
|
|
|
|
|
|
== oc adm release new
|
|
Create a new OpenShift release
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Create a release from the latest origin images and push to a DockerHub repository
|
|
oc adm release new --from-image-stream=4.11 -n origin --to-image docker.io/mycompany/myrepo:latest
|
|
|
|
# Create a new release with updated metadata from a previous release
|
|
oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11 --name 4.11.1 \
|
|
--previous 4.11.0 --metadata ... --to-image docker.io/mycompany/myrepo:latest
|
|
|
|
# Create a new release and override a single image
|
|
oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11 \
|
|
cli=docker.io/mycompany/cli:latest --to-image docker.io/mycompany/myrepo:latest
|
|
|
|
# Run a verification pass to ensure the release can be reproduced
|
|
oc adm release new --from-release registry.ci.openshift.org/origin/release:v4.11
|
|
----
|
|
|
|
|
|
|
|
== oc adm restart-kubelet
|
|
Restart kubelet on the specified nodes
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Restart all the nodes, 10% at a time
|
|
oc adm restart-kubelet nodes --all --directive=RemoveKubeletKubeconfig
|
|
|
|
# Restart all the nodes, 20 nodes at a time
|
|
oc adm restart-kubelet nodes --all --parallelism=20 --directive=RemoveKubeletKubeconfig
|
|
|
|
# Restart all the nodes, 15% at a time
|
|
oc adm restart-kubelet nodes --all --parallelism=15% --directive=RemoveKubeletKubeconfig
|
|
|
|
# Restart all the masters at the same time
|
|
oc adm restart-kubelet nodes -l node-role.kubernetes.io/master --parallelism=100% --directive=RemoveKubeletKubeconfig
|
|
----
|
|
|
|
|
|
|
|
== oc adm taint
|
|
Update the taints on one or more nodes
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Update node 'foo' with a taint with key 'dedicated' and value 'special-user' and effect 'NoSchedule'
|
|
# If a taint with that key and effect already exists, its value is replaced as specified
|
|
oc adm taint nodes foo dedicated=special-user:NoSchedule
|
|
|
|
# Remove from node 'foo' the taint with key 'dedicated' and effect 'NoSchedule' if one exists
|
|
oc adm taint nodes foo dedicated:NoSchedule-
|
|
|
|
# Remove from node 'foo' all the taints with key 'dedicated'
|
|
oc adm taint nodes foo dedicated-
|
|
|
|
# Add a taint with key 'dedicated' on nodes having label myLabel=X
|
|
oc adm taint node -l myLabel=X dedicated=foo:PreferNoSchedule
|
|
|
|
# Add to node 'foo' a taint with key 'bar' and no value
|
|
oc adm taint nodes foo bar:NoSchedule
|
|
----
|
|
|
|
|
|
|
|
== oc adm top images
|
|
Show usage statistics for images
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Show usage statistics for images
|
|
oc adm top images
|
|
----
|
|
|
|
|
|
|
|
== oc adm top imagestreams
|
|
Show usage statistics for image streams
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Show usage statistics for image streams
|
|
oc adm top imagestreams
|
|
----
|
|
|
|
|
|
|
|
== oc adm top node
|
|
Display resource (CPU/memory) usage of nodes
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Show metrics for all nodes
|
|
oc adm top node
|
|
|
|
# Show metrics for a given node
|
|
oc adm top node NODE_NAME
|
|
----
|
|
|
|
|
|
|
|
== oc adm top persistentvolumeclaims
|
|
Experimental: Show usage statistics for bound persistentvolumeclaims
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Show usage statistics for all the bound persistentvolumeclaims across the cluster
|
|
oc adm top persistentvolumeclaims -A
|
|
|
|
# Show usage statistics for all the bound persistentvolumeclaims in a specific namespace
|
|
oc adm top persistentvolumeclaims -n default
|
|
|
|
# Show usage statistics for specific bound persistentvolumeclaims
|
|
oc adm top persistentvolumeclaims database-pvc app-pvc -n default
|
|
----
|
|
|
|
|
|
|
|
== oc adm top pod
|
|
Display resource (CPU/memory) usage of pods
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Show metrics for all pods in the default namespace
|
|
oc adm top pod
|
|
|
|
# Show metrics for all pods in the given namespace
|
|
oc adm top pod --namespace=NAMESPACE
|
|
|
|
# Show metrics for a given pod and its containers
|
|
oc adm top pod POD_NAME --containers
|
|
|
|
# Show metrics for the pods defined by label name=myLabel
|
|
oc adm top pod -l name=myLabel
|
|
----
|
|
|
|
|
|
|
|
== oc adm uncordon
|
|
Mark node as schedulable
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Mark node "foo" as schedulable
|
|
oc adm uncordon foo
|
|
----
|
|
|
|
|
|
|
|
== oc adm upgrade
|
|
Upgrade a cluster or adjust the upgrade channel
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# View the update status and available cluster updates
|
|
oc adm upgrade
|
|
|
|
# Update to the latest version
|
|
oc adm upgrade --to-latest=true
|
|
----
|
|
|
|
|
|
|
|
== oc adm verify-image-signature
|
|
Verify the image identity contained in the image signature
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Verify the image signature and identity using the local GPG keychain
|
|
oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
|
|
--expected-identity=registry.local:5000/foo/bar:v1
|
|
|
|
# Verify the image signature and identity using the local GPG keychain and save the status
|
|
oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
|
|
--expected-identity=registry.local:5000/foo/bar:v1 --save
|
|
|
|
# Verify the image signature and identity via exposed registry route
|
|
oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 \
|
|
--expected-identity=registry.local:5000/foo/bar:v1 \
|
|
--registry-url=docker-registry.foo.com
|
|
|
|
# Remove all signature verifications from the image
|
|
oc adm verify-image-signature sha256:c841e9b64e4579bd56c794bdd7c36e1c257110fd2404bebbb8b613e4935228c4 --remove-all
|
|
----
|
|
|
|
|
|
|
|
== oc adm wait-for-node-reboot
|
|
Wait for nodes to reboot after running `oc adm reboot-machine-config-pool`
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Wait for all nodes to complete a requested reboot from 'oc adm reboot-machine-config-pool mcp/worker mcp/master'
|
|
oc adm wait-for-node-reboot nodes --all
|
|
|
|
# Wait for masters to complete a requested reboot from 'oc adm reboot-machine-config-pool mcp/master'
|
|
oc adm wait-for-node-reboot nodes -l node-role.kubernetes.io/master
|
|
|
|
# Wait for masters to complete a specific reboot
|
|
oc adm wait-for-node-reboot nodes -l node-role.kubernetes.io/master --reboot-number=4
|
|
----
|
|
|
|
|
|
|
|
== oc adm wait-for-stable-cluster
|
|
Wait for the platform operators to become stable
|
|
|
|
.Example usage
|
|
[source,bash,options="nowrap"]
|
|
----
|
|
# Wait for all cluster operators to become stable
|
|
oc adm wait-for-stable-cluster
|
|
|
|
# Consider operators to be stable if they report as such for 5 minutes straight
|
|
oc adm wait-for-stable-cluster --minimum-stable-period 5m
|
|
----
|
|
|
|
|