Chapter 8. roxctl CLI command reference

8.1. roxctl

Display the available commands and optional parameters for roxctl CLI. You must have an account with administrator privileges to use these commands.

Usage

$ roxctl [command] [flags]

Table 8.1. Available commands
Command | Description

central

Commands related to the Central service.

cluster

Commands related to a cluster.

collector

Commands related to the Collector service.

completion

Generate shell completion scripts.

declarative-config

Manage declarative configuration.

deployment

Commands related to deployments.

helm

Commands related to Red Hat Advanced Cluster Security for Kubernetes (RHACS) Helm Charts.

image

Commands that you can run on a specific image.

netpol

Commands related to network policies.

scanner

Commands related to the Scanner service.

sensor

Deploy RHACS services in secured clusters.

version

Display the current roxctl version.

8.1.1. roxctl command options

The roxctl command supports the following options:

Option | Description

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.
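
Several of the options above switch off TLS protections or carry a credential, and each can be set either as a flag or through a ROX_* environment variable. The following added example (not part of the Red Hat documentation or of roxctl) is a shell pre-flight check that reports such settings before a command runs; the function names rox_audit, rox_is_true and rox_file_exposed are hypothetical, and treating 1, t and yes as "true" is an assumption.

```shell
#!/bin/sh
# Added example, not Red Hat's code: pre-flight audit for a roxctl invocation.
# Flag and ROX_* names are the ones documented in section 8.1.1.

# rox_is_true VALUE: succeed when VALUE reads as boolean true. The reference
# only documents "true"; also matching 1/t/yes is an assumption made so the
# audit over-reports rather than misses a setting.
rox_is_true() {
  case "$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]')" in
    true|1|t|yes) return 0 ;;
    *) return 1 ;;
  esac
}

# rox_file_exposed PATH: succeed when PATH is a regular file that is readable
# by its group or by others.
rox_file_exposed() {
  [ -n "$(find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# rox_audit [roxctl arguments...]
# Prints one finding per line (never a secret value). Status 0 = no findings.
# The body runs in a subshell so its variables do not leak into the caller.
rox_audit() (
  findings=0
  note() { printf '%s\n' "$1"; findings=$((findings + 1)); }

  # 1. Environment variables that disable or weaken TLS.
  for var in ROX_INSECURE_CLIENT ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY ROX_PLAINTEXT; do
    eval "val=\${$var:-}"
    if rox_is_true "$val"; then note "env:$var=true"; fi
  done

  # 2. A custom CA path that cannot be read.
  if [ -n "${ROX_CA_CERT_FILE:-}" ] && [ ! -r "$ROX_CA_CERT_FILE" ]; then
    note "env:ROX_CA_CERT_FILE unreadable"
  fi

  # 3. Basic-authentication password held in the environment.
  if [ -n "${ROX_ADMIN_PASSWORD:-}" ]; then note "env:ROX_ADMIN_PASSWORD set"; fi

  # 4. The same settings given as flags, plus the token file's permissions.
  expect=""
  for arg in "$@"; do
    if [ "$expect" = token ]; then
      if rox_file_exposed "$arg"; then
        note "arg:--token-file readable by group/others"
      fi
      expect=""
      continue
    fi
    case "$arg" in
      --insecure|--insecure-skip-tls-verify|--plaintext)
        note "arg:$arg" ;;
      --insecure=*|--insecure-skip-tls-verify=*|--plaintext=*)
        if rox_is_true "${arg#*=}"; then note "arg:${arg%%=*}"; fi ;;
      -p|-p?*|--password|--password=*)
        # argv is visible in process listings and shell history.
        note "arg:password on command line" ;;
      --token-file)
        expect=token ;;
      --token-file=*)
        if rox_file_exposed "${arg#*=}"; then
          note "arg:--token-file readable by group/others"
        fi ;;
    esac
  done

  [ "$findings" -eq 0 ]
)
```

In a wrapper script, call it with the arguments you are about to pass, for example `rox_audit "$@" && roxctl "$@"`, so that a flagged invocation stops before any connection is made.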

8.2. roxctl central

Commands related to the Central service.

Usage

$ roxctl central [command] [flags]

Table 8.2. Available commands
Command | Description

backup

Create a backup of the Red Hat Advanced Cluster Security for Kubernetes (RHACS) database and the certificates.

cert

Download the certificate chain for the Central service.

db

Control the database operations.

debug

Debug the Central service.

generate

Generate the required YAML configuration files containing the orchestrator objects for the deployment of Central.

init-bundles

Initialize bundles for Central.

login

Log in to the Central instance to obtain a token.

userpki

Manage the user certificate authorization providers.

whoami

Display information about the current user and their authentication method.

8.2.1. roxctl central command options inherited from the parent command

The roxctl central command supports the following options inherited from the parent roxctl command:

Option | Description

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

Note

These options are applicable to all the sub-commands of the roxctl central command.

8.2.2. roxctl central backup

Create a backup of the RHACS database and certificates.

Usage

$ roxctl central backup [flags]

Table 8.3. Options
Option | Description

--certs-only

Specify to only back up the certificates. When using an external database, this option is used to generate a backup bundle with certificates. The default value is false.

--output string

Specify where you want to save the backup. The behavior depends on the specified path:

  • If the path is a file path, the backup is written to the file and overwrites it if it already exists. The directory must exist.
  • If the path is a directory, the backup is saved in this directory under the file name that the server specifies.
  • If this argument is omitted, the backup is saved in the current working directory under the file name that the server specifies.

-t, --timeout duration

Specify the timeout for API requests. It represents the maximum duration of a request. The default value is 1h0m0s.

8.2.3. roxctl central cert

Download the certificate chain for the Central service.

Usage

$ roxctl central cert [flags]

Table 8.4. Options
Option | Description

--output string

Specify the file name to which you want to save the PEM certificate. Use - to write to standard output. The default value is -.

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

8.2.4. roxctl central login

Log in to the Central instance to obtain a token.

Usage

$ roxctl central login [flags]

Table 8.5. Options
Option | Description

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 5m0s.

8.2.5. roxctl central whoami

Display information about the current user and their authentication method.

Usage

$ roxctl central whoami [flags]

Table 8.6. Options
Option | Description

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

8.2.6. roxctl central db

Control the database operations.

Usage

$ roxctl central db [flags]

Table 8.7. Options
Option | Description

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1h0m0s.

8.2.6.1. roxctl central db restore

Restore the RHACS database from a previous backup.

Usage

$ roxctl central db restore <file> [flags]

For <file>, specify the database backup file that you want to restore.

Table 8.8. Options
Option | Description

-f, --force

If set to true, the restoration is performed without confirmation. The default value is false.

--interrupt

If set to true, it interrupts the running restore process to allow it to continue. The default value is false.

8.2.6.2. roxctl central db generate

Generate a Central database bundle.

Usage

$ roxctl central db generate [flags]

Table 8.9. Options
Option | Description

--debug

If set to true, templates are read from the local file system. The default value is false.

--debug-path string

Specify the path to the Helm templates in your local file system. For more details, run the roxctl central db generate command.

--enable-pod-security-policies

If set to true, PodSecurityPolicy resources are created. The default value is true.

8.2.6.3. roxctl central db generate k8s

Generate Kubernetes YAML files for deploying Central’s database components.

Usage

$ roxctl central db generate k8s [flags]

Table 8.10. Options
Option | Description

--central-db-image string

Specify the Central database image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--image-defaults string

Specify the default settings for container images. It controls the repositories from which the images are downloaded, the image names and the format of the tags. The default value is development_build.

--output-dir output directory

Specify the directory to which you want to save the deployment bundle. The default value is central-db-bundle.

8.2.6.4. roxctl central db restore cancel

Cancel the ongoing Central database restore process.

Usage

$ roxctl central db restore cancel [flags]

Table 8.11. Options
Option | Description

-f, --force

If set to true, proceed with the cancellation without confirmation. The default value is false.

8.2.6.5. roxctl central db restore status

Display information about the ongoing database restore process.

Usage

$ roxctl central db restore status [flags]

8.2.6.6. roxctl central db generate k8s pvc

Generate Kubernetes YAML files for persistent volume claims (PVCs) in Central.

Usage

$ roxctl central db generate k8s pvc [flags]

Table 8.12. Options
Option | Description

--name string

Specify the external volume name for the Central database. The default value is central-db.

--size uint32

Specify the external volume size in gigabytes for the Central database. The default value is 100.

--storage-class string

Specify the storage class name for the Central database. This is optional if you have a default storage class configured.

8.2.6.7. roxctl central db generate openshift

Generate an OpenShift YAML manifest for deploying a Central database instance on a Red Hat OpenShift cluster.

Usage

$ roxctl central db generate openshift [flags]

Table 8.13. Options
Option | Description

--central-db-image string

Specify the Central database image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--image-defaults string

Specify the default settings for container images. It controls the repositories from which the images are downloaded, the image names and the format of the tags. The default value is development_build.

--openshift-version int

Specify the Red Hat OpenShift major version 3 or 4 for the deployment. The default value is 3.

--output-dir output-directory

Specify the directory to which you want to save the deployment bundle. The default value is central-db-bundle.

8.2.6.8. roxctl central db generate k8s hostpath

Generate a Kubernetes YAML manifest for a database deployment with a hostpath volume type in Central.

Usage

$ roxctl central db generate k8s hostpath [flags]

Table 8.14. Options
Option | Description

--hostpath string

Specify the path on the host. The default value is /var/lib/stackrox-central-db.

--node-selector-key string

Specify the node selector key. Valid values include kubernetes.io and hostname.

--node-selector-value string

Specify the node selector value.

8.2.6.9. roxctl central db generate openshift pvc

Generate an OpenShift YAML manifest for a database deployment with a persistent volume claim (PVC) in Central.

Usage

$ roxctl central db generate openshift pvc [flags]

Table 8.15. Options
Option | Description

--name string

Specify the external volume name for the Central database. The default value is central-db.

--size uint32

Specify the external volume size in gigabytes for the Central database. The default value is 100.

--storage-class string

Specify the storage class name for the Central database. This is optional if you have a default storage class configured.

8.2.6.10. roxctl central db generate openshift hostpath

Add a hostpath external volume to the Central database.

Usage

$ roxctl central db generate openshift hostpath [flags]

Table 8.16. Options
Option | Description

--hostpath string

Specify the path on the host. The default value is /var/lib/stackrox-central-db.

--node-selector-key string

Specify the node selector key. Valid values include kubernetes.io and hostname.

--node-selector-value string

Specify the node selector value.

8.2.7. roxctl central debug

Debug the Central service.

Usage

$ roxctl central debug [flags]

8.2.7.1. roxctl central debug db

Control the debugging of the database.

Usage

$ roxctl central debug db [flags]

Table 8.17. Options
Option | Description

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

8.2.7.2. roxctl central debug log

Retrieve the current log level.

Usage

$ roxctl central debug log [flags]

Table 8.18. Options
Option | Description

-l, --level string

Specify the log level to which you want to set the modules. Valid values include Debug, Info, Warn, Error, Panic, and Fatal.

-m, --modules strings

Specify the modules to which you want to apply the command.

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests, which is the maximum duration of a request. The default value is 1m0s.

8.2.7.3. roxctl central debug dump

Download a bundle containing the debug information for Central.

Usage

$ roxctl central debug dump [flags]

Table 8.19. Options
Option | Description

--logs

If set to true, logs are included in the Central dump. The default value is false.

--output-dir string

Specify the output directory for the bundle content. The default value is an automatically generated directory name within the current directory.

-t, --timeout duration

Specify the timeout for API requests, which is the maximum duration of a request. The default value is 5m0s.

8.2.7.4. roxctl central debug db stats

Control the statistics of the Central database.

Usage

$ roxctl central debug db stats [flags]

8.2.7.5. roxctl central debug authz-trace

Enable or disable authorization tracing in Central for debugging purposes.

Usage

$ roxctl central debug authz-trace [flags]

Table 8.20. Options
Option | Description

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 20m0s.

8.2.7.6. roxctl central debug db stats reset

Reset the statistics of the Central database.

Usage

$ roxctl central debug db stats reset [flags]

8.2.7.7. roxctl central debug download-diagnostics

Download a bundle containing a snapshot of diagnostic information about the platform.

Usage

$ roxctl central debug download-diagnostics [flags]

Table 8.21. Options
Option | Description

--clusters strings

Specify a comma-separated list of the Sensor clusters from which you want to collect the logs.

--output-dir string

Specify the output directory in which you want to save the diagnostic bundle.

--since string

Specify the timestamp from which you want to collect the logs from the Sensor clusters.

-t, --timeout duration

Specify the timeout for API requests, which specifies the maximum duration of a request. The default value is 5m0s.

8.2.8. roxctl central generate

Generate the required YAML configuration files that contain the orchestrator objects to deploy Central.

Usage

$ roxctl central generate [flags]

Table 8.22. Options
Option | Description

--backup-bundle string

Specify the path to the backup bundle from which you want to restore the keys and certificates.

--debug

If set to true, templates are read from the local file system. The default value is false.

--debug-path string

Specify the path to Helm templates on your local file system. For more details, run the roxctl central generate --help command.

--default-tls-certfile

Specify the PEM certificate bundle file that you want to use as the default.

--default-tls-keyfile

Specify the PEM private key file that you want to use as the default.

--enable-pod-security-policies

If set to true, PodSecurityPolicy resources are created. The default value is true.

-p, --password string

Specify the administrator password. The default value is automatically generated.

--plaintext-endpoints string

Specify the ports or endpoints you want to use for unencrypted exposure as a comma-separated list.

8.2.8.1. roxctl central generate k8s

Generate the required YAML configuration files to deploy Central into a Kubernetes cluster.

Usage

$ roxctl central generate k8s [flags]

Table 8.23. Options
Option | Description

--central-db-image string

Specify the Central database image you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--declarative-config-config-maps strings

Specify a list of configuration maps that you want to add as declarative configuration mounts in Central.

--declarative-config-secrets strings

Specify a list of secrets that you want to add as declarative configuration mounts in Central.

--enable-telemetry

Specify whether you want to enable telemetry. The default value is false.

--image-defaults string

Specify the default settings for container images. The specified settings control the repositories from which the images are downloaded, the image names and the format of the tags. The default value is development_build.

--istio-support version

Generate deployment files that support the specified Istio version. Valid values include 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, and 1.7.

--lb-type load balancer type

Specify the method of exposing Central. Valid values include lb, np and none. The default value is none.

-i, --main-image string

Specify the main image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--offline

Specify whether you want to run RHACS in offline mode, avoiding a connection to the Internet. The default value is false.

--output-dir output directory

Specify the directory to which you want to save the deployment bundle. The default value is central-bundle.

--output-format output format

Specify the deployment tool that you want to use. Valid values include kubectl, helm, and helm-values. The default value is kubectl.

--scanner-db-image string

Specify the Scanner database image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--scanner-image string

Specify the Scanner image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

8.2.8.2. roxctl central generate k8s pvc

Generate Kubernetes YAML files for persistent volume claims (PVCs) in Central.

Usage

$ roxctl central generate k8s pvc [flags]

Table 8.24. Options
Option | Description

--db-name string

Specify the external volume name for the Central database. The default value is central-db.

--db-size uint32

Specify the external volume size in gigabytes for the Central database. The default value is 100.

--db-storage-class string

Specify the storage class name for the Central database. This is optional if you have a default storage class configured.

--name string

Specify the external volume name for Central. The default value is stackrox-db.

--size uint32

Specify the external volume size in gigabytes for Central. The default value is 100.

--storage-class string

Specify the storage class name for Central. This is optional if you have a default storage class configured.

8.2.8.3. roxctl central generate openshift

Generate the required YAML configuration files to deploy Central in a Red Hat OpenShift cluster.

Usage

$ roxctl central generate openshift [flags]

Table 8.25. Options
Option | Description

--central-db-image string

Specify the Central database image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--declarative-config-config-maps strings

Specify a list of configuration maps that you want to add as declarative configuration mounts in Central.

--declarative-config-secrets strings

Specify a list of secrets that you want to add as declarative configuration mounts in Central.

--enable-telemetry

Specify whether you want to enable telemetry. The default value is false.

--image-defaults string

Specify the default settings for container images. It controls the repositories from which the images are downloaded, the image names and the format of the tags. The default value is development_build.

--istio-support version

Generate deployment files that support the specified Istio version. Valid values include 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, and 1.7.

--lb-type load balancer type

Specify the method of exposing Central. Valid values include route, lb, np and none. The default value is none.

-i, --main-image string

Specify the main image that you want to use. If not specified, a default value corresponding to --image-defaults is used.

--offline

Specify whether you want to run RHACS in offline mode, avoiding a connection to the Internet. The default value is false.

--openshift-monitoring false|true|auto[=true]

Specify integration with Red Hat OpenShift 4 monitoring. The default value is auto.

--openshift-version int

Specify the Red Hat OpenShift major version 3 or 4 for the deployment.

--output-dir output directory

Specify the directory to which you want to save the deployment bundle. The default value is central-bundle.

--output-format output format

Specify the deployment tool that you want to use. Valid values include kubectl, helm and helm-values. The default value is kubectl.

--scanner-db-image string

Specify the Scanner database image that you want to use. If not specified, a default value corresponding to the --image-defaults is used.

--scanner-image string

Specify the Scanner image that you want to use. If not specified, a default value corresponding to --image-defaults is used.

8.2.8.4. roxctl central generate interactive

Generate interactive resources in Central.

Usage

$ roxctl central generate interactive [flags]

8.2.8.5. roxctl central generate k8s hostpath

Generate a Kubernetes YAML manifest for deploying a Central instance by using the hostpath volume type.

Usage

$ roxctl central generate k8s hostpath [flags]

Table 8.26. Options
Option | Description

--db-hostpath string

Specify the path on the host for the Central database. The default value is /var/lib/stackrox-central.

--db-node-selector-key string

Specify the node selector key for the Central database. Valid values include kubernetes.io and hostname.

--db-node-selector-value string

Specify the node selector value for the Central database.

--hostpath string

Specify the path on the host. The default value is /var/lib/stackrox.

--node-selector-key string

Specify the node selector key. Valid values include kubernetes.io and hostname.

--node-selector-value string

Specify the node selector value.

8.2.8.6. roxctl central generate openshift pvc

Generate an OpenShift YAML manifest for deploying a persistent volume claim (PVC) in Central.

Usage

$ roxctl central generate openshift pvc [flags]

Table 8.27. Options
Option | Description

--db-name string

Specify the external volume name for the Central database. The default value is central-db.

--db-size uint32

Specify the external volume size in gigabytes for the Central database. The default value is 100.

--db-storage-class string

Specify the storage class name for the Central database. This is optional if you have a default storage class configured.

--name string

Specify the external volume name for Central. The default value is stackrox-db.

--size uint32

Specify the external volume size in gigabytes for Central. The default value is 100.

--storage-class string

Specify the storage class name for Central. This is optional if you have a default storage class configured.

8.2.8.7. roxctl central generate openshift hostpath

Add a hostpath external volume to the deployment definition in Red Hat OpenShift.

Usage

$ roxctl central generate openshift hostpath [flags]

Table 8.28. Options
Option | Description

--db-hostpath string

Specify the path on the host for the Central database. The default value is /var/lib/stackrox-central.

--db-node-selector-key string

Specify the node selector key for the Central database. Valid values include kubernetes.io and hostname.

--db-node-selector-value string

Specify the node selector value for the Central database.

--hostpath string

Specify the path on the host. The default value is /var/lib/stackrox.

--node-selector-key string

Specify the node selector key. Valid values include kubernetes.io and hostname.

--node-selector-value string

Specify the node selector value.

8.2.9. roxctl central init-bundles

Initialize bundles in Central.

Usage

$ roxctl central init-bundles [flags]

Table 8.29. Options
Option | Description

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of 0s means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

8.2.9.1. roxctl central init-bundles list

List the available initialization bundles in Central.

Usage

$ roxctl central init-bundles list [flags]

8.2.9.2. roxctl central init-bundles revoke

Revoke one or more cluster initialization bundles in Central.

Usage

$ roxctl central init-bundles revoke <init_bundle_ID or name> [<init_bundle_ID or name> ...] [flags]

For <init_bundle_ID or name>, specify the ID or the name of the initialization bundle that you want to revoke. You can provide multiple IDs or names separated by spaces.

8.2.9.3. roxctl central init-bundles fetch-ca

Fetch the certificate authority (CA) bundle from Central.

Usage

$ roxctl central init-bundles fetch-ca [flags]

Table 8.30. Options
Option | Description

--output string

Specify the file that you want to use for storing the CA configuration.

8.2.9.4. roxctl central init-bundles generate

Generate a new cluster initialization bundle.

Usage

$ roxctl central init-bundles generate <init_bundle_name> [flags]

For <init_bundle_name>, specify the name for the initialization bundle you want to generate.

Table 8.31. Options
Option | Description

--output string

Specify the file you want to use for storing the newly generated initialization bundle in the Helm configuration form. Use - to write to standard output.

--output-secrets string

Specify the file that you want to use for storing the newly generated initialization bundle in Kubernetes secret form. Use - to write to standard output.

8.2.10. roxctl central userpki

Manage the user certificate authorization providers.

Usage

$ roxctl central userpki [flags]

8.2.10.1. roxctl central userpki list

Display all the user certificate authentication providers.

Usage

$ roxctl central userpki list [flags]

Table 8.32. Options
Option | Description

-j, --json

Enable the JSON output. The default value is false.

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

8.2.10.2. roxctl central userpki create

Create a new user certificate authentication provider.

Usage

$ roxctl central userpki create name [flags]

Table 8.33. Options
Option | Description

-c, --cert strings

Specify the PEM files of the root CA certificates. You can specify several certificate files.

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-r, --role string

Specify the minimum access role for users of this provider.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

8.2.10.3. roxctl central userpki delete

Delete a user certificate authentication provider.

Usage

$ roxctl central userpki delete id|name [flags]

Table 8.34. Options
Option | Description

-f, --force

If set to true, proceed with the deletion without confirmation. The default value is false.

--retry-timeout duration

Specify the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Specify the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

8.3. roxctl cluster

Commands related to a cluster.

Usage

$ roxctl cluster [command] [flags]

Table 8.35. Available commands
Command | Description

delete

Remove Sensor from Central.

Table 8.36. Options
Option | Description

--retry-timeout duration

Set the retry timeout for API requests. A value of zero means the full request duration is awaited without retry. The default value is 20s.

-t, --timeout duration

Set the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

8.3.1. roxctl cluster command options inherited from the parent command

The roxctl cluster command supports the following options inherited from the parent roxctl command:

Option | Description

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

Note

These options are applicable to all the sub-commands of the roxctl cluster command.

8.3.2. roxctl cluster delete

Remove Sensor from Central.

Usage

$ roxctl cluster delete [flags]

Table 8.37. Options
OptionDescription

--name string

Specify the cluster name to delete.

8.4. roxctl collector

Commands related to the Collector service.

Usage

$ roxctl collector [command] [flags]

Table 8.38. Available commands
CommandDescription

support-packages

Upload support packages for Collector.

8.4.1. roxctl collector command options inherited from the parent command

The roxctl collector command supports the following options inherited from the parent roxctl command:

OptionDescription

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

Note

These options are applicable to all the sub-commands of the roxctl collector command.

8.4.2. roxctl collector support-packages

Upload support packages for Collector.

Note

Support packages are deprecated and have no effect on secured clusters running version 4.5 or later. Support package uploads only affect secured clusters on version 4.4 and earlier.

Usage

$ roxctl collector support-packages [flags]

8.4.2.1. roxctl collector support-packages upload

Upload files from a Collector support package to Central.

Usage

$ roxctl collector support-packages upload [flags]

Table 8.39. Options
OptionDescription

--overwrite

Specify whether you want to overwrite existing but different files. The default value is false.

--retry-timeout duration

Set the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Set the timeout for API requests. This option represents the maximum duration of a request. The default value is 1m0s.

8.5. roxctl completion

Generate shell completion scripts.

Usage

$ roxctl completion [bash|zsh|fish|powershell]

Table 8.40. Supported shell types
Shell typeDescription

bash

Generate a completion script for the Bash shell.

zsh

Generate a completion script for the Zsh shell.

fish

Generate a completion script for the Fish shell.

powershell

Generate a completion script for the PowerShell shell.

8.5.1. roxctl completion command options inherited from the parent command

The roxctl completion command supports the following options inherited from the parent roxctl command:

OptionDescription

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

8.6. roxctl declarative-config

Manage the declarative configuration.

Usage

$ roxctl declarative-config [command] [flags]

Table 8.41. Available commands
CommandDescription

create

Create declarative configurations.

lint

Lint an existing declarative configuration YAML file.

8.6.1. roxctl declarative-config command options inherited from the parent command

The roxctl declarative-config command supports the following options inherited from the parent roxctl command:

OptionDescription

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

Note

These options are applicable to all the sub-commands of the roxctl declarative-config command.

8.6.2. roxctl declarative-config lint

Lint an existing declarative configuration YAML file.

Usage

$ roxctl declarative-config lint [flags]

Table 8.42. Options
OptionDescription

--config-map string

Read the declarative configuration from the configuration map specified by --config-map. If not specified, the configuration is read from the YAML file specified by using the --file flag.

-f, --file string

File containing the declarative configuration in YAML format.

--namespace string

Read the declarative configuration from the configuration map in the namespace specified by --namespace. If not specified, the namespace specified in the current Kubernetes configuration context is used.

--secret string

Read the declarative configuration from the secret specified by --secret. If not specified, the configuration is read from the YAML file specified by using the --file flag.

8.6.3. roxctl declarative-config create

Create declarative configurations.

Usage

$ roxctl declarative-config create [flags]

Table 8.43. Options
OptionDescription

--config-map string

Write the declarative configuration YAML to the configuration map. If not specified and the --secret flag is also not specified, the generated YAML is printed to standard output.

--namespace string

Required if you want to write the declarative configuration YAML to a configuration map or secret. If not specified, the default namespace in the current Kubernetes configuration is used.

--secret string

Write the declarative configuration YAML to the secret. You must use secrets for sensitive data. If not specified and the --config-map flag is also not specified, the generated YAML is printed to standard output.

8.6.3.1. roxctl declarative-config create role

Create a declarative configuration for a role.

Usage

$ roxctl declarative-config create role [flags]

Table 8.44. Options
OptionDescription

--access-scope string

By providing the name, you can specify the referenced access scope.

--description string

Set a description for the role.

--name string

Specify the name of the role.

--permission-set string

By providing the name, you can specify the referenced permission set.

8.6.3.2. roxctl declarative-config create notifier

Create a declarative configuration for a notifier.

Usage

$ roxctl declarative-config create notifier [flags]

Table 8.45. Options
OptionDescription

--name string

Specify the name of the notifier.

8.6.3.3. roxctl declarative-config create access-scope

Create a declarative configuration for an access scope.

Usage

$ roxctl declarative-config create access-scope [flags]

Table 8.46. Options
OptionDescription

--cluster-label-selector requirement

Specify the criteria for creating a label selector based on the cluster’s labels. The key-value pairs represent requirements, and you can use this flag multiple times to create a combination of requirements. The default value is [ [ ] ]. For more details, run the roxctl declarative-config create access-scope --help command.

--description string

Set a description for the access scope.

--included included-object

Specify a list of clusters and their namespaces that you want to include in the access scope. The default value is [null].

--name string

Specify the name of the access scope.

--namespace-label-selector requirement

Specify the criteria for creating a label selector based on the namespace’s labels. Similar to the cluster-label-selector, you can use this flag multiple times for the combination of requirements. For more details, run the roxctl declarative-config create access-scope --help command.

8.6.3.4. roxctl declarative-config create auth-provider

Create a declarative configuration for an authentication provider.

Usage

$ roxctl declarative-config create auth-provider [flags]

Table 8.47. Options
OptionDescription

--extra-ui-endpoints strings

Specify additional user interface (UI) endpoints from which the authentication provider is used. The expected format is <endpoint>:<port>.

--groups-key strings

Set the keys of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the roxctl declarative-config create auth-provider --help command.

--groups-role strings

Set the role of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the roxctl declarative-config create auth-provider --help command.

--groups-value strings

Set the values of the groups that you want to add within the authentication provider. The tuples of key, value and role should have the same length. For more details, run the roxctl declarative-config create auth-provider --help command.

--minimum-access-role string

Set the minimum access role of the authentication provider. You can leave this field empty if you do not want to configure the minimum access role by using the declarative configuration.

--name string

Specify the name of the authentication provider.

--required-attributes stringToString

Set a list of attributes that the authentication provider must return during authentication. The default value is [].

--ui-endpoint string

Set the UI endpoint from which the authentication provider is used. This is usually the public endpoint where RHACS is available. The expected format is <endpoint>:<port>.

8.6.3.5. roxctl declarative-config create permission-set

Create a declarative configuration for a permission set.

Usage

$ roxctl declarative-config create permission-set [flags]

Table 8.48. Options
OptionDescription

--description string

Set the description of the permission set.

--name string

Specify the name of the permission set.

--resource-with-access stringToString

Set a list of resources with their respective access levels. The default value is []. For more details, run the roxctl declarative-config create permission-set --help command.

8.6.3.6. roxctl declarative-config create notifier splunk

Create a declarative configuration for a Splunk notifier.

Usage

$ roxctl declarative-config create notifier splunk [flags]

Table 8.49. Options
OptionDescription

--audit-logging

Enable audit logging. The default value is false.

--source-types stringToString

Specify Splunk source types as comma-separated key=value pairs. The default value is [].

--splunk-endpoint string

Specify the Splunk HTTP endpoint. This is a mandatory option.

--splunk-skip-tls-verify

Use an insecure connection to Splunk. The default value is false.

--splunk-token string

Specify the Splunk HTTP token. This is a mandatory option.

--truncate int

Specify the Splunk truncate limit. The default value is 10000.

8.6.3.7. roxctl declarative-config create notifier generic

Create a declarative configuration for a generic notifier.

Usage

$ roxctl declarative-config create notifier generic [flags]

Table 8.50. Options
OptionDescription

--audit-logging

Enable audit logging. The default value is false.

--extra-fields stringToString

Specify additional fields as comma-separated key=value pairs. The default value is [].

--headers stringToString

Specify headers as comma-separated key=value pairs. The default value is [].

--webhook-cacert-file string

Specify the file name of the endpoint CA certificate in PEM format.

--webhook-endpoint string

Specify the URL of the webhook endpoint.

--webhook-password string

Specify the password for basic authentication of the webhook endpoint. No authentication occurs if not specified. Requires --webhook-username.

--webhook-skip-tls-verify

Skip webhook TLS verification. The default value is false.

--webhook-username string

Specify the username for basic authentication of the webhook endpoint. No authentication occurs if not specified. Requires --webhook-password.

8.6.3.8. roxctl declarative-config create auth-provider iap

Create a declarative configuration for an authentication provider with the identity-aware proxy (IAP) identifier.

Usage

$ roxctl declarative-config create auth-provider iap [flags]

Table 8.51. Options
OptionDescription

--audience string

Specify the target group that you want to validate.

8.6.3.9. roxctl declarative-config create auth-provider oidc

Create a declarative configuration for an OpenID Connect (OIDC) authentication provider.

Usage

$ roxctl declarative-config create auth-provider oidc [flags]

Table 8.52. Options
OptionDescription

--claim-mappings stringToString

Specify a list of non-standard claims from the identity provider (IdP) token that you want to include in the authentication provider’s rules. The default value is [].

--client-id string

Specify the client ID of the OIDC client.

--client-secret string

Specify the client secret of the OIDC client.

--disable-offline-access

Disable the request for the offline_access scope from the OIDC IdP. You need to use this option if the OIDC IdP limits the number of sessions with the offline_access scope. The default value is false.

--issuer string

Specify the issuer of the OIDC client.

--mode string

Specify the callback mode that you want to use. Valid values include auto, post, query and fragment. The default value is auto.

8.6.3.10. roxctl declarative-config create auth-provider saml

Create a declarative configuration for a SAML authentication provider.

Usage

$ roxctl declarative-config create auth-provider saml [flags]

Table 8.53. Options
OptionDescription

--idp-cert string

Specify the file containing the SAML identity provider (IdP) certificate in PEM format.

--idp-issuer string

Specify the issuer of the IdP.

--metadata-url string

Specify the metadata URL of the service provider.

--name-id-format string

Specify the format of the name ID.

--sp-issuer string

Specify the issuer of the service provider.

--sso-url string

Specify the URL of the IdP for single sign-on (SSO).

8.6.3.11. roxctl declarative-config create auth-provider userpki

Create a declarative configuration for a user PKI authentication provider.

Usage

$ roxctl declarative-config create auth-provider userpki [flags]

Table 8.54. Options
OptionDescription

--ca-file string

Specify the file containing the certification authorities in PEM format.

8.6.3.12. roxctl declarative-config create auth-provider openshift-auth

Create a declarative configuration for an OpenShift Container Platform OAuth authentication provider.

Usage

$ roxctl declarative-config create auth-provider openshift-auth [flags]

8.7. roxctl deployment

Commands related to deployments.

Usage

$ roxctl deployment [command] [flags]

Table 8.55. Available commands
CommandDescription

check

Check the deployments for violations of the deployment time policy.

Table 8.56. Options
OptionDescription

-t, --timeout duration

Set the timeout for API requests. This option represents the maximum duration of a request. The default value is 10m0s.

8.7.1. roxctl deployment command options inherited from the parent command

The roxctl deployment command supports the following options inherited from the parent roxctl command:

OptionDescription

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

Note

These options are applicable to all the sub-commands of the roxctl deployment command.
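
The inherited connection options above include several that weaken or expose the connection to Central (--insecure, --insecure-skip-tls-verify, --plaintext, and a password typed on the command line). The following POSIX shell wrapper is an added example, not part of the RHACS documentation: it audits the environment and the argument list before calling roxctl in a CI job. The function names, the finding messages, and the treatment of 1 and t as true are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight audit of roxctl connection settings for CI jobs.
# Only flags and ROX_* variables documented on this page are checked.

# Succeeds when VALUE reads as boolean true. Accepting 1/t/true in any letter
# case is an assumption of this example; the page documents only "true".
is_true() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        1|t|true) return 0 ;;
    esac
    return 1
}

# Prints one finding per ROX_* variable that downgrades the connection.
# Returns 1 when at least one finding was printed, 0 otherwise.
audit_rox_env() {
    _rc=0
    for _var in ROX_INSECURE_CLIENT ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY ROX_PLAINTEXT; do
        eval "_val=\${$_var:-}"      # indirect lookup of a fixed variable name
        if is_true "$_val"; then
            echo "env $_var: connection security weakened"
            _rc=1
        fi
    done
    return $_rc
}

# Prints one finding per risky flag in the argument list.
# Boolean flags written as --flag=false are not reported.
# The password value itself is never echoed.
audit_rox_args() {
    _rc=0
    for _arg in "$@"; do
        case "$_arg" in
            --insecure|--insecure-skip-tls-verify|--plaintext)
                echo "arg $_arg: connection security weakened"
                _rc=1 ;;
            --insecure=*|--insecure-skip-tls-verify=*|--plaintext=*)
                if is_true "${_arg#*=}"; then
                    echo "arg ${_arg%%=*}: connection security weakened"
                    _rc=1
                fi ;;
            -p|-p?*|--password|--password=*)
                echo "arg -p/--password: password visible in process listing"
                _rc=1 ;;
        esac
    done
    return $_rc
}

# Runs both audits, then roxctl with the original arguments.
# Returns 2 without contacting Central when any finding exists.
safe_roxctl() {
    _findings=$( { audit_rox_env; audit_rox_args "$@"; } || true )
    if [ -n "$_findings" ]; then
        printf '%s\n' "$_findings" >&2
        return 2
    fi
    roxctl "$@"
}

# Usage (file paths are hypothetical):
#   safe_roxctl deployment check -f deploy.yaml --token-file /run/secrets/rox-token
```

The wrapper inspects only what the calling shell can see; it does not detect options set by a parent process after the audit runs.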

8.7.2. roxctl deployment check

Check deployments for violations of the deployment time policy.

Usage

$ roxctl deployment check [flags]

Table 8.57. Options
OptionDescription

-c, --categories strings

Define the policy categories that you want to execute. By default, all policy categories are executed.

--cluster string

Set the cluster name or ID that you want to use as the context for the evaluation to enable extended deployments with cluster-specific information.

--compact-output

Print the JSON output in compact form. The default value is false.

-f, --file stringArray

Specify the YAML files to send to Central for policy evaluation.

--force

Bypass the Central cache for images and force a new pull from Scanner. The default value is false.

--headers strings

Define headers that you want to print in the tabular output. The default values include POLICY, SEVERITY, BREAKS DEPLOY, DEPLOYMENT, DESCRIPTION, VIOLATION, and REMEDIATION.

--headers-as-comments

Print headers as comments in the CSV tabular output. The default value is false.

--junit-suite-name string

Set the name of the JUnit test suite. The default value is deployment-check.

--merge-output

Merge duplicate cells in the tabular output. The default value is false.

-n, --namespace string

Specify a namespace to enhance deployments with context information such as network policies, RBACs and services for deployments that do not have a namespace in their specification. The namespace defined in the specification is not changed. The default value is default.

--no-header

Do not print headers for a tabular output. The default value is false.

-o, --output string

Choose the output format. Output formats include json, junit, sarif, table, and csv. The default value is table.

-r, --retries int

Set the number of retries before exiting as an error. The default value is 3.

-d, --retry-delay int

Set the time to wait between retries in seconds. The default value is 3.

--row-jsonpath-expressions string

Define the JSON path expressions to create a row from the JSON object. For more details, run the roxctl deployment check --help command.

8.8. roxctl helm

Commands related to Red Hat Advanced Cluster Security for Kubernetes (RHACS) Helm Charts.

Usage

$ roxctl helm [command] [flags]

Table 8.58. Available commands
CommandDescription

derive-local-values

Derive local Helm values from the cluster configuration.

output

Output a Helm chart.

8.8.1. roxctl helm command options inherited from the parent command

The roxctl helm command supports the following options inherited from the parent roxctl command:

OptionDescription

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

Note

These options are applicable to all the sub-commands of the roxctl helm command.

8.8.2. roxctl helm output

Output a Helm chart.

Usage

$ roxctl helm output <central_services or secured_cluster_services> [flags]

For <central_services or secured_cluster_services>, specify the path to either the central services or the secured cluster services to generate a Helm chart output.

Table 8.59. Options
OptionDescription

--debug

Read templates from the local filesystem. The default value is false.

--debug-path string

Specify the path to the Helm templates on your local filesystem. For more details, run the roxctl helm output --help command.

--image-defaults string

Set the default container image settings. Image settings include development_build, stackrox.io, rhacs, and opensource. It influences repositories for image downloads, image names, and tag formats. The default value is development_build.

--output-dir string

Define the path to the output directory for the Helm chart. The default path is ./stackrox-<chart name>-chart.

--remove

Remove the output directory if it already exists. The default value is false.

8.8.3. roxctl helm derive-local-values

Derive local Helm values from the cluster configuration.

Usage

$ roxctl helm derive-local-values --output <path> \
<central_services> [flags]

For the <path>, specify the path where you want to save the generated local values file.

For the <central_services>, specify the path to the central services configuration file.

Table 8.60. Options
OptionDescription

--input string

Specify the path to the file or directory containing the YAML input.

--output string

Define the path to the output file.

--output-dir string

Define the path to the output directory.

--retry-timeout duration

Set the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Set the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

8.9. roxctl image

Commands that you can run on a specific image.

Usage

$ roxctl image [command] [flags]

Table 8.61. Available commands
CommandDescription

check

Check images for build time policy violations, and report them.

scan

Scan the specified image, and return the scan results.

Table 8.62. Options
OptionDescription

-t, --timeout duration

Set the timeout for API requests representing the maximum duration of a request. The default value is 10m0s.

8.9.1. roxctl image command options inherited from the parent command

The roxctl image command supports the following options inherited from the parent roxctl command:

OptionDescription

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

Note

These options are applicable to all the sub-commands of the roxctl image command.
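
As an added example (not part of the Red Hat documentation), the following shell check reports roxctl flags and ROX_* variables from the table above that disable certificate validation, drop encryption, or put a password on the command line or in the script. The function names, rule labels and sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag roxctl settings that weaken transport security or expose
# credentials. Option and variable names are taken from the table above; the
# function names, rule labels and sample script are constructed.
# Usage in a pipeline: lint_roxctl_usage ci/scan.sh || exit 1

# lint_roxctl_usage FILE
# Prints one "<line>:<rule>" per finding and returns 1 if anything was found.
lint_roxctl_usage() {
  awk '
    function report(n, rule) { printf "%d:%s\n", n, rule; found = 1 }

    function check(cmd, n) {
      # ROX_* variables switched on in the environment.
      if (cmd ~ /ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY[=:][ \t]*"?true/) report(n, "tls-verify-disabled")
      if (cmd ~ /ROX_INSECURE_CLIENT[=:][ \t]*"?true/) report(n, "insecure-options")
      if (cmd ~ /ROX_PLAINTEXT[=:][ \t]*"?true/) report(n, "plaintext")
      # A literal value (not a $VAR or $(...) expansion) stored in the script.
      if (cmd ~ /ROX_ADMIN_PASSWORD="?[^$" \t]/) report(n, "hardcoded-password")

      if (cmd !~ /roxctl[ \t]/) return
      # Boolean flags count when bare or set to true; "--insecure" must not
      # match the longer "--insecure-skip-tls-verify".
      if (cmd ~ /[ \t]--insecure-skip-tls-verify([ \t]|=true)/) report(n, "tls-verify-disabled")
      if (cmd ~ /[ \t]--insecure([ \t]|=true)/) report(n, "insecure-options")
      if (cmd ~ /[ \t]--plaintext([ \t]|=true)/) report(n, "plaintext")
      # A password passed as an argument is visible in process listings and history.
      if (cmd ~ /[ \t](-p|--password)[ \t=]/) report(n, "password-on-cmdline")
    }

    /^[ \t]*#/ { next }                      # ignore comment lines
    {
      if (buf == "") start = NR              # first line of a (possibly continued) command
      line = $0
      if (line ~ /\\$/) {                    # backslash continuation: keep collecting
        sub(/\\$/, " ", line); buf = buf line; next
      }
      check(buf line " ", start); buf = ""
    }
    END { if (buf != "") check(buf " ", start); exit (found ? 1 : 0) }
  ' "$1"
}

# write_sample FILE: constructed CI script used to exercise the check.
write_sample() {
  cat > "$1" <<'EOF'
#!/bin/sh
# Constructed CI job, not taken from any real pipeline.
export ROX_ENDPOINT=central.example.com:443
roxctl image scan --image nginx:latest --insecure-skip-tls-verify -o json
roxctl image check -i nginx:latest \
  --token-file /run/secrets/rox-token \
  --ca /etc/rox/ca.pem
roxctl image scan -i nginx:latest -p "example-password" --plaintext
export ROX_INSECURE_CLIENT=true
# roxctl image scan -i nginx:latest --insecure
roxctl image check -i nginx:latest \
  --insecure -o junit
EOF
}
```

Findings are reported against the first line of a continued command, so the invocation that uses --token-file and --ca across three lines passes while the one that adds --insecure on its second line is reported at line 11.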

8.9.2. roxctl image scan

Scan the specified image, and return the scan results.

Usage

$ roxctl image scan [flags]

Table 8.63. Options
Option

Description

--cluster string

Specify the cluster name or ID to which you want to delegate the image scan.

--compact-output

Print JSON output in a compact format. The default value is false.

--fail

Fail if vulnerabilities have been found. The default value is false.

-f, --force

Ignore Central’s cache and force a fresh re-pull from Scanner. The default value is false.

--headers strings

Specify the headers to print in a tabular output. The default values include COMPONENT, VERSION, CVE, SEVERITY, and LINK.

--headers-as-comments

Print headers as comments in a CSV tabular output. The default value is false.

-i, --image string

Specify the image name and reference to scan. For example, nginx:latest or nginx@sha256:….

-a, --include-snoozed

Include snoozed and unsnoozed CVEs in the scan results. The default value is false.

--merge-output

Merge duplicate cells in a tabular output. The default value is true.

--no-header

Do not print headers for a tabular output. The default value is false.

-o, --output string

Specify the output format. Output formats include table, csv, json, and sarif.

-r, --retries int

Specify the number of retries before exiting as an error. The default value is 3.

-d, --retry-delay int

Set the time to wait between retries in seconds. The default value is 3.

--row-jsonpath-expressions string

Specify JSON path expressions to create a row from the JSON object. For more details, run the roxctl image scan --help command.

--severity strings

List of severities to include in the output. Use this to filter for specific severities. The default values include LOW, MODERATE, IMPORTANT, and CRITICAL.

8.9.3. roxctl image check

Check images for build time policy violations, and report them.

Usage

$ roxctl image check [flags]

Table 8.64. Options
Option

Description

-c, --categories strings

List of the policy categories that you want to execute. By default, all the policy categories are used.

--cluster string

Define the cluster name or ID that you want to use as the context for evaluation.

--compact-output

Print JSON output in a compact format. The default value is false.

-f, --force

Bypass the Central cache for the image and force a new pull from the Scanner. The default value is false.

--headers strings

Define headers to print in a tabular output. The default values include POLICY, SEVERITY, BREAKS BUILD, DESCRIPTION, VIOLATION, and REMEDIATION.

--headers-as-comments

Print headers as comments in a CSV tabular output. The default value is false.

-i, --image string

Specify the image name and reference. For example, nginx:latest or nginx@sha256:….

--junit-suite-name string

Set the name of the JUnit test suite. The default value is image-check.

--merge-output

Merge duplicate cells in a tabular output. The default value is false.

--no-header

Do not print headers for a tabular output. The default value is false.

-o, --output string

Choose the output format. Output formats include junit, sarif, table, csv, and json. The default value is table.

-r, --retries int

Set the number of retries before exiting as an error. The default value is 3.

-d, --retry-delay int

Set the time to wait between retries in seconds. The default value is 3.

--row-jsonpath-expressions string

Create a row from the JSON object by using JSON path expression. For more details, run the roxctl image check --help command.

--send-notifications

Define whether you want to send notifications in the event of violations. The default value is false.

8.10. roxctl netpol

Commands related to the network policies.

Usage

$ roxctl netpol [command] [flags]

Table 8.65. Available commands
Command

Description

connectivity

Connectivity analysis of the network policy resources.

generate

Recommend network policies based on the deployment information.

8.10.1. roxctl netpol command options inherited from the parent command

The roxctl netpol command supports the following options inherited from the parent roxctl command:

Option

Description

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

Note

These options are applicable to all the sub-commands of the roxctl netpol command.

8.10.2. roxctl netpol generate

Recommend network policies based on the deployment information.

Usage

$ roxctl netpol generate <folder_path> [flags]

For <folder_path>, specify the path to the directory containing your Kubernetes deployment and service configuration files.

Table 8.66. Options
Option

Description

--fail

Fail on the first encountered error. The default value is false.

-d, --output-dir string

Save generated policies into the target folder.

-f, --output-file string

Save and merge generated policies into a single YAML file.

--remove

Remove the output path if it already exists. The default value is false.

--strict

Treat warnings as errors. The default value is false.

8.10.3. roxctl netpol connectivity

Commands related to the connectivity analysis of the network policy resources.

Usage

$ roxctl netpol connectivity [flags]

8.10.3.1. roxctl netpol connectivity map

Analyze connectivity based on the network policies and other resources.

Usage

$ roxctl netpol connectivity map <folder_path> [flags]

For <folder_path>, specify the path to the directory containing your Kubernetes deployment and service configuration files.

Table 8.67. Options
Option

Description

--fail

Fail on the first encountered error. The default value is false.

--focus-workload string

Focus on connections of the specified workload name in the output.

-f, --output-file string

Save the connections list output into a specific file.

-o, --output-format string

Configure the connections list in a specific format. Supported formats include txt, json, md, dot, and csv. The default value is txt.

--remove

Remove the output path if it already exists. The default value is false.

--save-to-file

Define whether you want to save the output of the connection list in the default file. The default value is false.

--strict

Treat warnings as errors. The default value is false.

8.10.3.2. roxctl netpol connectivity diff

Report connectivity differences based on two network policy directories and YAML manifests with workload resources.

Usage

$ roxctl netpol connectivity diff [flags]

Table 8.68. Options
Option

Description

--dir1 string

Specify the first directory path of the input resources. This value is mandatory.

--dir2 string

Specify the second directory path of the input resources that you want to compare with the first directory path. This value is mandatory.

--fail

Fail on the first encountered error. The default value is false.

-f, --output-file string

Save the output of the connectivity difference command into a specific file.

-o, --output-format string

Configure the output of the connectivity difference command in a specific format. Supported formats include txt, md, and csv. The default value is txt.

--remove

Remove the output path if it already exists. The default value is false.

--save-to-file

Define whether you want to store the output of the connectivity differences in the default file. The default value is false.

--strict

Treat warnings as errors. The default value is false.

8.11. roxctl scanner

Commands related to the StackRox Scanner and Scanner V4 services.

Usage

$ roxctl scanner [command] [flags]

Table 8.69. Available commands
Command

Description

download-db

Download the offline vulnerability database for StackRox Scanner and Scanner V4.

generate

Generate the required YAML configuration files to deploy the StackRox Scanner and Scanner V4.

upload-db

Upload a vulnerability database for the StackRox Scanner and Scanner V4.

8.11.1. roxctl scanner command options inherited from the parent command

The roxctl scanner command supports the following options inherited from the parent roxctl command:

Option

Description

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

Note

These options are applicable to all the sub-commands of the roxctl scanner command.

8.11.2. roxctl scanner generate

Generate the required YAML configuration files to deploy Scanner.

Usage

$ roxctl scanner generate [flags]

Table 8.70. Options
Option

Description

--cluster-type cluster type

Specify the type of cluster on which you want to run Scanner. Cluster types include k8s and openshift. The default value is k8s.

--enable-pod-security-policies

Create PodSecurityPolicy resources. The default value is true.

--istio-support string

Generate deployment files that support the specified Istio version. Valid versions include 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, and 1.7.

--output-dir string

Specify the output directory for the Scanner bundle. Leave blank to use the default value.

--retry-timeout duration

Set the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

--scanner-image string

Specify the Scanner image that you want to use. Leave blank to use the server default.

-t, --timeout duration

Set the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

8.11.3. roxctl scanner upload-db

Upload a vulnerability database for Scanner.

Usage

$ roxctl scanner upload-db [flags]

Table 8.71. Options
Option

Description

--scanner-db-file string

Specify the file containing the dumped Scanner definitions DB.

-t, --timeout duration

Set the timeout for API requests representing the maximum duration of a request. The default value is 10m0s.

8.11.4. roxctl scanner download-db

Download the offline vulnerability database for StackRox Scanner or Scanner V4.

This command downloads version-specific offline vulnerability bundles. The system contacts Central to determine the version if one is not specified. If communication fails, the download defaults to the version embedded within roxctl.

By default, it will attempt to download the database for the determined version and less-specific variants. For example, if version 4.4.1-extra is specified, downloads will be attempted for the following version variants:

  • 4.4.1-extra
  • 4.4.1
  • 4.4

Usage

$ roxctl scanner download-db [flags]

Table 8.72. Options
Option

Description

--force

Force overwriting the output file if it already exists. The default value is false.

--scanner-db-file string

Output file to save the vulnerability database to. The default value is the name and path of the remote file that is downloaded.

--skip-central

Do not contact Central when detecting the version. The default value is false.

--skip-variants

Do not attempt to process variants of the determined version. The default value is false.

-t, --timeout duration

Set the timeout for API requests representing the maximum duration of a request. The default value is 10m0s.

--version string

Download a specific version or version variant of the vulnerability database. By default, the version is automatically detected.
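
As an added example (not part of the Red Hat documentation), this shell sketch for an offline mirror job makes the fallback order explicit by requesting one candidate at a time with --skip-central and --skip-variants, so the job records which variant was fetched. It assumes versions of the form X.Y.Z[-suffix] as in the example above and that roxctl exits with a non-zero status when no bundle is available for the requested version; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: reproduce the "less-specific variants" fallback explicitly.
# Assumption: versions look like X.Y.Z[-suffix]; roxctl may treat other forms
# differently. Function names are hypothetical.

# db_version_variants VERSION
# Prints the candidate versions, most specific first, one per line.
db_version_variants() {
  v=$1
  printf '%s\n' "$v"
  base=${v%%-*}                       # 4.4.1-extra -> 4.4.1
  if [ "$base" != "$v" ]; then
    printf '%s\n' "$base"
  fi
  # Drop the patch component only when the base is exactly X.Y.Z.
  if printf '%s\n' "$base" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'; then
    printf '%s\n' "${base%.*}"        # 4.4.1 -> 4.4
  fi
}

# fetch_pinned_db VERSION OUTFILE
# Tries each candidate without contacting Central and without letting roxctl
# fall back on its own. Prints the version that was downloaded; returns 1 if
# none of the candidates could be fetched.
fetch_pinned_db() {
  for cand in $(db_version_variants "$1"); do
    if roxctl scanner download-db --version "$cand" --skip-central \
         --skip-variants --scanner-db-file "$2" >/dev/null 2>&1; then
      printf '%s\n' "$cand"
      return 0
    fi
  done
  return 1
}
```

Recording the printed version next to the downloaded file lets a later audit tell whether the mirror holds the exact release bundle or a less-specific one.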

8.12. roxctl sensor

Deploy Red Hat Advanced Cluster Security for Kubernetes (RHACS) services in secured clusters.

Usage

$ roxctl sensor [command] [flags]

Table 8.73. Available commands
Command

Description

generate

Generate files to deploy RHACS services in secured clusters.

generate-certs

Download a YAML file with renewed certificates for Sensor, Collector, and Admission controller.

get-bundle

Download a bundle with the files to deploy RHACS services in a cluster.

Table 8.74. Options
Option

Description

--retry-timeout duration

Set the timeout after which API requests are retried. A value of zero means that the entire request duration is waited for without retrying. The default value is 20s.

-t, --timeout duration

Set the timeout for API requests representing the maximum duration of a request. The default value is 1m0s.

8.12.1. roxctl sensor command options inherited from the parent command

The roxctl sensor command supports the following options inherited from the parent roxctl command:

Option

Description

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

Note

These options are applicable to all the sub-commands of the roxctl sensor command.

8.12.2. roxctl sensor generate

Generate files to deploy RHACS services in secured clusters.

Usage

$ roxctl sensor generate [flags]

Table 8.75. Options
Option

Description

--admission-controller-disable-bypass

Disable the bypass annotations for the admission controller. The default value is false.

--admission-controller-enforce-on-creates

Enable dynamic enforcement of object creation in the admission controller. The default value is false.

--admission-controller-enforce-on-updates

Enable dynamic enforcement of object updates in the admission controller. The default value is false.

--admission-controller-listen-on-creates

Configure the admission controller webhook to listen to deployment creation. The default value is false.

--admission-controller-listen-on-updates

Configure the admission controller webhook to listen to deployment updates. The default value is false.

--admission-controller-scan-inline

Get scans inline when using the admission controller. The default value is false.

--admission-controller-timeout int32

Set the timeout in seconds for the admission controller. The default value is 3.

--central string

Set the endpoint to which you want to connect Sensor. The default value is central.stackrox:443.

--collection-method collection method

Specify the collection method that you want to use for runtime support. Collection methods include none, default, ebpf and core_bpf. The default value is default.

--collector-image-repository string

Set the image repository that you want to use to deploy Collector. If not specified, a default value corresponding to the effective --main-image repository value is derived.

--continue-if-exists

Continue with downloading the sensor bundle even if the cluster already exists. The default value is false.

--create-upgrader-sa

Decide whether to create the upgrader service account with cluster-admin privileges to facilitate automated sensor upgrades. The default value is true.

--disable-tolerations

Disable tolerations for tainted nodes. The default value is false.

--enable-pod-security-policies

Create PodSecurityPolicy resources. The default value is true.

--istio-support string

Generate deployment files that support the specified Istio version. Valid versions include 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, and 1.7.

--main-image-repository string

Specify the image repository that you want to use to deploy Sensor. If not specified, a default value is used.

--name string

Set the cluster name to identify the cluster.

--output-dir string

Set the output directory for the bundle contents. The default value is an automatically generated directory name inside the current directory.

--slim-collector string[="true"]

Use Collector-slim in the deployment bundle. Valid values include auto, true, and false. The default value is auto.

-t, --timeout duration

Set the timeout for API requests representing the maximum duration of a request. The default value is 5m0s.

8.12.2.1. roxctl sensor generate k8s

Generate the required files to deploy RHACS services in a Kubernetes cluster.

Usage

$ roxctl sensor generate k8s [flags]

Table 8.76. Options
Option

Description

--admission-controller-listen-on-events

Enable admission controller webhook to listen to Kubernetes events. The default value is true.

8.12.2.2. roxctl sensor generate openshift

Generate the required files to deploy RHACS services in a Red Hat OpenShift cluster.

Usage

$ roxctl sensor generate openshift [flags]

Table 8.77. Options
Option

Description

--admission-controller-listen-on-events false|true|auto[=true]

Enable or disable the admission controller webhook to listen to Kubernetes events. The default value is auto.

--disable-audit-logs false|true|auto[=true]

Enable or disable audit log collection for runtime detection. The default value is auto.

--openshift-version int

Specify the Red Hat OpenShift major version for which you want to generate the deployment files.

8.12.3. roxctl sensor get-bundle

Download a bundle with the files to deploy RHACS services into a cluster.

Usage

$ roxctl sensor get-bundle <cluster_details> [flags]

For <cluster_details>, specify the cluster name or ID.

Table 8.78. Options
Option

Description

--create-upgrader-sa

Specify whether to create the upgrader service account with cluster-admin privileges for automated Sensor upgrades. The default value is true.

--istio-support string

Generate deployment files that support the specified Istio version. Valid versions include 1.0, 1.1, 1.2, 1.3, 1.4, 1.5, 1.6, and 1.7.

--output-dir string

Specify the output directory for the bundle contents. The default value is an automatically generated directory name inside the current directory.

--slim-collector string[="true"]

Use Collector-slim in the deployment bundle. Valid values include auto, true and false. The default value is auto.

-t, --timeout duration

Set the timeout for API requests representing the maximum duration of a request. The default value is 5m0s.

8.12.4. roxctl sensor generate-certs

Download a YAML file with renewed certificates for Sensor, Collector, and Admission controller.

Usage

$ roxctl sensor generate-certs <cluster_details> [flags]

For <cluster_details>, specify the cluster name or ID.

Table 8.79. Options
Option

Description

--output-dir string

Specify the output directory for the YAML file. The default value is "." (the current directory).

8.13. roxctl version

Display the current roxctl version.

Usage

$ roxctl version [flags]

8.13.1. roxctl version command options

The roxctl version command supports the following option:

Option

Description

--json

Display the extended version information as JSON. The default value is false.

8.13.2. roxctl version command options inherited from the parent command

The roxctl version command supports the following options inherited from the parent roxctl command:

Option

Description

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

© 2024 Red Hat, Inc.