Chapter 5. Administrator CLI commands
5.1. Cluster management CLI commands
5.1.1. must-gather
Bulk collect data about the current state of your cluster to debug issues.
Example: Gather debugging information
$ oc adm must-gather
5.1.2. top
Show usage statistics of resources on the server.
Example: Show CPU and memory usage for Pods
$ oc adm top pods
Example: Show usage statistics for images
$ oc adm top images
5.2. Node management CLI commands
5.2.1. cordon
Mark a node as unschedulable. Manually marking a node as unschedulable blocks any new pods from being scheduled on the node, but does not affect existing pods on the node.
Example: Mark node1 as unschedulable
$ oc adm cordon node1
5.2.2. drain
Drain a node in preparation for maintenance.
Example: Drain node1
$ oc adm drain node1
5.2.3. node-logs
Display and filter node logs.
Example: Get logs for NetworkManager
$ oc adm node-logs --role master -u NetworkManager.service
5.2.4. taint
Update the taints on one or more nodes.
Example: Add a taint to dedicate a node for a set of users
$ oc adm taint nodes node1 dedicated=groupName:NoSchedule
Example: Remove the taints with key dedicated from node node1
$ oc adm taint nodes node1 dedicated-
5.2.5. uncordon
Mark a node as schedulable.
Example: Mark node1 as schedulable
$ oc adm uncordon node1
5.3. Security and policy CLI commands
5.3.1. certificate
Approve or reject certificate signing requests (CSRs).
Example: Approve a CSR
$ oc adm certificate approve csr-sqgzp
5.3.2. groups
Manage groups in your cluster.
Example: Create a new group
$ oc adm groups new my-group
5.3.3. new-project
Create a new project and specify administrative options.
Example: Create a new project using a node selector
$ oc adm new-project myproject --node-selector='type=user-node,region=east'
5.3.4. pod-network
Manage Pod networks in the cluster.
Example: Isolate project1 and project2 from other non-global projects
$ oc adm pod-network isolate-projects project1 project2
5.3.5. policy
Manage roles and policies on the cluster.
Example: Add the edit role to user1 for all projects
$ oc adm policy add-cluster-role-to-user edit user1
Example: Add the privileged security context constraint to a service account
$ oc adm policy add-scc-to-user privileged -z myserviceaccount
5.4. Maintenance CLI commands
5.4.1. migrate
Migrate resources on the cluster to a new version or format depending on the subcommand used.
Example: Perform an update of all stored objects
$ oc adm migrate storage
Example: Perform an update of only Pods
$ oc adm migrate storage --include=pods
5.4.2. prune
Remove older versions of resources from the server.
Example: Prune older builds including those whose BuildConfigs no longer exist
$ oc adm prune builds --orphans
5.5. Configuration CLI commands
5.5.1. create-api-client-config
Create a client configuration for connecting to the server. This creates a folder containing a client certificate, a client key, a server certificate authority, and a kubeconfig file for connecting to the master as the provided user.
Example: Generate a client certificate for a proxy
$ oc adm create-api-client-config \ --certificate-authority='/etc/origin/master/proxyca.crt' \ --client-dir='/etc/origin/master/proxy' \ --signer-cert='/etc/origin/master/proxyca.crt' \ --signer-key='/etc/origin/master/proxyca.key' \ --signer-serial='/etc/origin/master/proxyca.serial.txt' \ --user='system:proxy'
5.5.2. create-bootstrap-policy-file
Create the default bootstrap policy.
Example: Create a file called policy.json with the default bootstrap policy
$ oc adm create-bootstrap-policy-file --filename=policy.json
5.5.3. create-bootstrap-project-template
Create a bootstrap project template.
Example: Output a bootstrap project template in YAML format to stdout
$ oc adm create-bootstrap-project-template -o yaml
5.5.4. create-error-template
Create a template for customizing the error page.
Example: Output a template for the error page to stdout
$ oc adm create-error-template
5.5.5. create-kubeconfig
Creates a basic .kubeconfig file from client certificates.
Example: Create a .kubeconfig file with the provided client certificates
$ oc adm create-kubeconfig \ --client-certificate=/path/to/client.crt \ --client-key=/path/to/client.key \ --certificate-authority=/path/to/ca.crt
5.5.6. create-login-template
Create a template for customizing the login page.
Example: Output a template for the login page to stdout
$ oc adm create-login-template
5.5.7. create-provider-selection-template
Create a template for customizing the provider selection page.
Example: Output a template for the provider selection page to stdout
$ oc adm create-provider-selection-template
5.6. Other Administrator CLI commands
5.6.1. build-chain
Output the inputs and dependencies of any builds.
Example: Output dependencies for the perl imagestream
$ oc adm build-chain perl
5.6.2. completion
Output shell completion code for the oc adm commands for the specified shell.
Example: Display oc adm completion code for Bash
$ oc adm completion bash
5.6.3. config
Manage the client configuration files. This command has the same behavior as the oc config command.
Example: Display the current configuration
$ oc adm config view
Example: Switch to a different context
$ oc adm config use-context test-context
5.6.4. release
Manage various aspects of the OpenShift Container Platform release process, such as viewing information about a release or inspecting the contents of a release.
Example: Generate a changelog between two releases and save to changelog.md
$ oc adm release info --changelog=/tmp/git \
quay.io/openshift-release-dev/ocp-release:4.1.0-rc.7 \
quay.io/openshift-release-dev/ocp-release:4.1.0 \
> changelog.md
5.6.5. verify-image-signature
Verify the image signature of an image imported to the internal registry using the local public GPG key.
Example: Verify the nodejs image signature
$ oc adm verify-image-signature \
sha256:2bba968aedb7dd2aafe5fa8c7453f5ac36a0b9639f1bf5b03f95de325238b288 \
--expected-identity 172.30.1.1:5000/openshift/nodejs:latest \
--public-key /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release \
--save
